Taswar Bhatti
Redis

In this blog post I want to cover how to use Redis with an ASP.NET Core WebAPI. Most of my earlier examples used a console application, since I wanted to explain the core concepts and functionality of Redis. Now let's see how you can use it in a web application.

Create the webapi

To start, we will create the WebAPI project from the command line using dotnet new.

Now that we have our skeleton created, we need to add the dependencies for Redis. I have used the dotnet command line again to add them. I am also using MessagePack for my serialization; there are other options such as Newtonsoft.Json.

If you want to learn more about MessagePack, see https://msgpack.org/index.html

Running Redis in Docker

I am using Docker to run my Redis server; the command to start it is below.

If you want to know more about Docker and Redis, read my previous blog post: http://taswar.zeytinsoft.com/redis-running-in-docker/

Now our ASP.NET Core application needs the information on how to connect to Redis. The best option is to keep it in your appsettings.json file. For production you will probably want to store it in an external configuration or secrets store such as HashiCorp Vault or Azure Key Vault.
Open up your appsettings.json file and add the Redis configuration information. You can add multiple hosts to the array; for us there is only one server, running on localhost.

Redis AspNetCore WebApi

Now we need to configure our WebAPI to start using Redis. We will modify our Startup.cs file and use the built-in IoC (dependency injection) container to hook things up in the ConfigureServices method.

Create a Controller

Let's add a new controller and call it RedisController; we will use it to store some values in Redis and to get them back out. The sample below shows methods decorated with the HttpGet, HttpPost and HttpDelete attributes. You may also notice that the IRedisCacheClient is injected into the constructor by the IoC container, since we registered it in ConfigureServices in Startup.cs.

Testing the methods

I used curl to test the methods. First I used the POST method to create the data I wanted. I am passing the -k flag to ignore the certificate, and I just posted some random JSON data into the method; the method does not actually use the body, but it shows how you would pass data in.

Now I can call the GET method to read the data back; you can use curl or just open the URL in Chrome. The result is shown below.

Calling the StackExchange.Redis API

What if we want to call the StackExchange.Redis API directly? We can do so as shown below; I am using the SetAdd method to add values to a Redis Set and SetMembers to read them back.

Summary

I hope this explains how to use Redis with your ASP.NET Core application. You can get the source code for this project on GitHub: https://github.com/taswar/RedisForNetDevelopers/tree/master/14.RedisAspDotNetCore. Feel free to comment and ask questions, and if something is missing, reach out.

Taswar-Bhatti-Austin-Texas-NodeJS-Meetup-May-2019

I had a work workshop to attend in Austin, Texas and thought it would be fun to speak at a meetup group on Using HashiCorp Vault for your Node.js. I tried the Microsoft group first but was not successful due to their schedule and mine. Fortunately for me the Austin NodeJS Meetup was a perfect fit for my schedule, plus it was right downtown (near Dirty Sixth). I was able to speak on one of my favorite security topics, using Vault for your Node.js application. Again, thanks to Matt Walters and Proof Technologies for organizing the meetup and the free pizza.
Here is the link to the meetup; if you are in Austin definitely check them out, it is a nice crowd to join. https://www.meetup.com/austinnodejs/events/srwjzqyzhbtb/

There was also a recording or live stream; if I get a chance to get the recording I will post it.

Slides of Austin Meetup

Taswar_Bhatti_VS2019_With_Python

I had a talk on Getting productive with Python on Visual Studio 2019 at the Ottawa .NET User Group (https://www.meetup.com/ottawaitcommunity/events/259081628/). Thanks to all the people who came to the talk. I wish my demo had worked properly; unfortunately sometimes things just don't work 🙂

Nevertheless here are the slides for the talk.

8 Cloud Design Patterns Update Conference

Here is the YouTube recording of my 8 Cloud Design Patterns you ought to know talk at Update Conference in Prague, November 2018. Hope you like it.

Javascript

Thanks to the organizers of ForwardJS Ottawa for letting me speak on Cloud Design Patterns using Node.js. I had a great time at the conference; for anyone looking for my slides, they are right below.
If anyone wants to view the demo code I showed, please look at this blog post on using Promise in Node.js for the Retry Pattern.

retry-pattern-nodejs-with-promise

One of the easiest cloud design patterns that one can try out is the Retry Pattern. I wanted to show how to use the Retry Pattern in Node.js using Promise as an example. So what does the Retry Pattern achieve?

Problem Statement – What is the issue the pattern solves?

When building applications you always have some sort of outside/external service, including other microservices, that you have to consume or call. Sometimes there can be a momentary loss of network connectivity, a temporary unavailability, or timeouts that occur when that service is busy. You may be calling a database or a RESTful service that is busy and fails, but if you try again it succeeds. These types of faults are usually self-correcting, and most of the time they require some delay before calling again, after which the call succeeds.

Retry Pattern

  • Enable an application to handle transient failures
  • When the application tries to connect to a service or network resource
  • By transparently retrying a failed operation
  • Improves the stability of your application

Typical Application

Below is a typical application diagram, where you have a service or web app.

TypicalApplication

But when the connection to the service fails, we usually get an error in our application.

Typical-Application-Network-Failure

When to use Retry Pattern

  • Use retry only for transient failures that are likely to resolve themselves quickly
  • Match the retry policy to the application
  • Otherwise use the Circuit Breaker pattern

When not to use Retry Pattern

  • Don't cause a chain reaction across all components
  • Not for internal exceptions caused by business logic
  • Log all retry attempts to the service

Sample Code

Below is a sample in Node.js that shows the usage of the pattern using Promise. The code calls https://httpbin.org/status/200,408 with a POST, which returns a status of 200 or 408 at random. First, let's create our code and add the fetch package to it.

Without Promise

We will write a sample application that calls the web service without retry, so that we get 408 errors.

I am just using a console logger, but you should use a proper logger when you implement the retry pattern.

After a couple of runs you will see it respond with 408 Request Timeout.

Using Retry with Promise

Now we will introduce the retry pattern using Promise into our code, with an incremental delay of 1 second, then 3 seconds, and lastly 9 seconds.

Output

Below you will see three runs of the application with sample output.
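The retry flow described above, as an added example that is not the post's own code (the post's sample lives in the screenshots): a Promise-based fetchWithRetry with the 1, 3 and 9 second schedule, retry limited to transient statuses, and a constructed stand-in for httpbin so it runs offline. It assumes Node 18+ for the global fetch.

```javascript
// Retry pattern with Promises: added example, not the post's own sample code.
// Assumptions: Node 18+ (global fetch); the 1 s / 3 s / 9 s schedule is the
// post's incremental delay; httpbin's status/200,408 is the flaky endpoint.

const DEFAULT_DELAYS_MS = [1000, 3000, 9000];

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Only transient failures are retried; other 4xx are business errors and are
// returned to the caller untouched (the "when not to use" rule from the post).
function isTransient(status) {
  return status === 408 || status === 429 || status >= 500;
}

// Resolves with { status, attempts } on a non-transient response; rejects once
// every delay in the schedule has been used. fetchImpl and log are injectable
// so the behaviour can be exercised without the network.
async function fetchWithRetry(url, options = {}, policy = {}) {
  const { delays = DEFAULT_DELAYS_MS, fetchImpl = globalThis.fetch, log = console.log } = policy;
  for (let attempt = 1; ; attempt += 1) {
    let failure;
    try {
      const res = await fetchImpl(url, options);
      if (!isTransient(res.status)) return { status: res.status, attempts: attempt };
      failure = `HTTP ${res.status}`;
    } catch (err) {
      failure = err.message; // network-level failure (connection dropped, DNS, ...)
    }
    if (attempt > delays.length) {
      throw new Error(`giving up after ${attempt} attempts, last failure: ${failure}`);
    }
    const delay = delays[attempt - 1];
    log(`attempt ${attempt} failed (${failure}); retrying in ${delay} ms`); // log every retry
    await sleep(delay);
  }
}

// Constructed stand-in for httpbin: answers with the given statuses in order
// (repeating the last one), so the example and its checks run offline.
function makeFlakyFetch(statuses) {
  let i = 0;
  return async () => ({ status: statuses[Math.min(i++, statuses.length - 1)] });
}

// Demo against the constructed endpoint; for the real call use
//   fetchWithRetry('https://httpbin.org/status/200,408', { method: 'POST' })
fetchWithRetry('https://httpbin.org/status/200,408', { method: 'POST' },
  { fetchImpl: makeFlakyFetch([408, 408, 200]), delays: [100, 300, 900] })
  .then((r) => console.log(`succeeded with HTTP ${r.status} after ${r.attempts} attempts`))
  .catch((err) => console.error(err.message));
```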

Summary

As you can see, the Retry Pattern is quite useful for transient, self-correcting failures, not to mention it is quite simple to implement in Node.js with the help of Promise.

update_conference_taswar_bhatti

Here is the YouTube version of the presentation I did in Prague at Update Conference. You can now watch the entire presentation. Thanks to Update Conference for doing such a fantastic job.

Enjoy.

DevTeach Montreal Speaker

I will be speaking at ForwardJS Ottawa on April 10th and 11th, 2019. I will be presenting 8 Cloud Design Patterns you ought to know, but more specifically using Node.js. There should be a video of it some months later, which I hope to share.

If you wish to watch last year's talk on Using Vault for your Node.js Secrets:

To purchase tickets for the session check out https://ti.to/forwardjs/forwardjs-ottawa-2019

Microsoft Ignite Tour - Taswar Bhatti

On January 11, 2019, I had the opportunity to speak at the Toronto Microsoft Ignite Tour on 8 Cloud Design Patterns you ought to know. It was great seeing that over 700 people registered for my talk; it was pretty much a full-house session with over 500 attending. Unfortunately Microsoft did not record any sessions in Toronto. People have asked me for a recording, although I do remember a gentleman who had his camera and was recording all my slides. (If someone knows him, please feel free to ask him to get in touch with me; I would love a copy of it as well.)

Attendees Review

One benefit of speaking at Ignite is that they have a good evaluation system where attendees can give feedback.
So far the feedback has been very good. Here are the results of the evaluation score.

Ignite - Taswar Bhatti Review

Attendee Comments

Some comments that I received are below. I actually wanted to speak slower, but knowing that I had 8 topics to go through and 90 slides in total with 2 demos, I would rather cover all topics than miss any. In fact I covered 9 patterns, with a bonus pattern.

Ignite - Taswar Bhatti Review Comments

Attendee Suggested Improvements

It's sometimes hard to satisfy everyone in a talk; with over 500 people there will be someone who doesn't like your talk. You cannot make everyone happy, but I think I did make it clear that sometimes patterns are "duh" moments where it is just common sense. Overall I still think people learned something new and enjoyed the talk. Below are some of the suggested improvements.

Ignite - Taswar Bhatti Review Improvement

Slides 8 Cloud Design Patterns you ought to know

Last but not least here are the slides from the talk. Enjoy…..

update_conference_managing_cloud_secrets

In November I did a presentation at Update Conference 2018 on Managing your secrets in a cloud environment using Azure Key Vault and HashiCorp Vault, comparing both products and demoing Key Vault for storing your keys and secrets. It was excellent in Prague, and once again thanks to Update Conference for inviting me to speak there.

Transcript

1. Managing your Secrets in a Cloud Environment Taswar Bhatti System/Solutions Architect at Gemalto (Canada) Microsoft MVP
2. Is your personal data important?
3. Who am I • Taswar Bhatti – Microsoft MVP since 2014 • Global Solutions Architect/System Architect at Gemalto • In Software Industry since 2000 • I know Kung Fu (Languages)
4. Good old days robbery
5. Today’s Robbery
6. Data breach……
7. Consequences
8. System with no Trust
9. Salesman
10. Data breach??
11. Delivery
12. Agenda • Intro • What are we trying to solve with KeyVault? • What is Azure Key Vault • Using Azure Key Vault with your application • Managed Service Identity • Demo • HashiCorp Vault • Best practices • Questions
13. So what are secrets? • Secrets grants you AuthN or AuthZ to a system • Examples • Username & Passwords • Database credentials • API Token • TLS Certs
14. Typical Application
15. Storing Configuration in file
16. Multiple application
17. Secret Sprawl • Secrets ends up in • Source Code • Version Control Systems (Github, Gitlab, Bitbucket etc) • Configuration Management (Chef, Puppet, Ansible etc)
18. Problems • Configuration becomes part of deployment • Multiple applications share the same configuration • Hard to have access control over the configuration
19. Issues • How do we know who has access to those secrets • When was the last time they accessed it? • What if we want to change/rotate the secrets
20. Desired secrets • Encryption at rest and in transit • Only decrypted in memory • Access control • Rotation & Revocation
21. What is Azure Key Vault? • Secrets Management – Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. • Key Management – Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data. • Certificate Management – Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources. • Store secrets backed by Hardware Security Modules – The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
22. Gemalto Luna HSM (New)
23. PKCS11 Interop • Managed .NET wrapper for unmanaged PKCS#11 libraries • https://pkcs11interop.net/
24. Typical Application • In web.config
25. With Key Vault
26. Azure Key Vault • Register your app with Active Directory • Associated credential, and using that credential to get a token • Retrieve your secrets from Key Vault • PROBLEM SOLVED
27. Adding it back to web.config •
28. Code that looks like this ClientCredential clientCred = new ClientCredential( WebConfigurationManager.AppSettings["ClientId"], WebConfigurationManager.AppSettings["ClientSecret"]);
29. But???? • Confused?? • Isn’t that still in web.config?
30. Security doesn’t have to be like this
31. Managed Service Identity (MSI) • MSI gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code • You create an identity for your application in Azure Active Directory using Managed Service Identity
32. Benefits • No need to authenticate to Azure Key Vault to get secrets • No client id and client secret is needed in the code • Easier to configure comparing to Azure Key Vault • You can authenticate to any service that supports Azure AD authentication
33. Demo
34. HSBC Hong Kong PayMe Hack
35. HashiCorp Vault • Centralized Secret Management • Encrypted at rest and transit • Lease and Renewal • ACL • Audit Trail • Multiple Client Auth Method (Ldap,Github, approle) • Dynamic Secrets • Encryption as a Service
36. Secure Secrets • AES 256 with GCM encryption • TLS 1.2 for clients • No HSM is required • One could also integrate with Azure Key Vault
37. Unsealing the Vault • Vault requires encryption keys to encrypt data • Shamir Secret Key Sharing • Master key is split into multiple keys
38. Shamir Secret Sharing
39. Unseal • Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC • Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE • Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF • Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815 • Vault initialized with 5 keys and a key threshold of 3. Please • securely distribute the above keys. When the Vault is re-sealed, • restarted, or stopped, you must provide at least 3 of these keys • to unseal it again. • Vault does not store the master key. Without at least 3 keys, • your Vault will remain permanently sealed.
40. How to unseal • vault unseal -address=${VAULT_ADDR} QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • vault unseal -address=${VAULT_ADDR} bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • vault unseal -address=${VAULT_ADDR} Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
41. Writing Secrets • vault write -address=${VAULT_ADDR} secret/hello value=world • vault read -address=${VAULT_ADDR} secret/hello • Key Value • — —– • refresh_interval 768h0m0s • Value world
42. Policy on secrets • We can assign application roles to the policy path "secret/web/*" { policy = "read" } • vault policy write -address=${VAULT_ADDR} web-policy ${DIR}/web-policy.hcl
43. Reading secrets based on policy • vault read -address=${VAULT_ADDR} secret/web/web-apps • vault read -address=${VAULT_ADDR} secret/hello • Error reading secret/hello: Error making API request. • URL: GET http://127.0.0.1:8200/v1/secret/hello • Code: 403. Errors: • * permission denied
44. Docker and Secrets • Docker does not have good integration with secrets • If you use env variables, it will show in docker inspect
45. Mount Temp File System into App • docker run -v /hostsecrets:/secrets .... • To mitigate reading from Env • Store your wrap token in the filesystem to use with Vault • Have a limited time on the wrap token
46. Wrap Token for App Secrets • Limit time token • Used to unwrap some secrets • vault read -wrap-ttl=60s -address=http://127.0.0.1:8200 secret/weatherapp/config • Key Value • — —– • wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7 • wrapping_token_ttl: 1m0s • wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC • wrapping_token_creation_path: secret/weatherapp/config
47. Kubernetes with Vault • Read Service Account JWT • App Sends Jwt and Role Name to Vault • Vault checks the signature of Jwt • Sends to TokenReviewer API • Vault sends back valid token for app
48. Token Reviewer in K8s
49. Best Practices or Patterns • Cache Aside Encryption Key • Tag version of encryption
50. Cache Aside Encryption Key • Use Key Vault to Encrypt your Generated AES Key • For all encryption of your data you can use the AES Key rather than going back and Key Vault to encrypt • Allows you to penny pinch KeyVault
51. Tag Version of Encryption Level • Each Row of your database is tagged with the encryption version • This allows you when you rotate keys or change encryption level for example moving to a new Encryption Key to eventual encryption of data that gets updated or new.
52. New and Updated Data
53. Advantages • You do not have to go through all the records to re-encrypt them • Eventual Encryption of all data to new encryption • Mitigates the risk of all data or updating all records
54. Questions? • taswar@gmail.com • @taswarbhatti • http://taswar.zeytinsoft.com
55. Credits • For the background • www.Vecteezy.com
