Hi,
I want to genarate JWT token and I’ve kept privateKey in KVM but when I use GenerateJWT policy it throws an error. Details are as mentioned below;
KVM :-
{ “encrypted”: true, “entry”: [{ “name”: “privateid”, “value”: “123456789” }, { “name”: “privatekey”, “value”: “U2lkZGhlVGVzdGluZw==” } ], “name”: “JWTTestConfiguration” }
Error Message :- cannot instantiate private key
Below are the screen shots of the policies
Hi @siddhesh.malvankar1, this is a known issue. Today, it’s not possible to load a multi-lined value like the contents of a PEM file, into the KVM using the Apigee Edge administrative user interface. There’s a bug in handling newlines in the textarea (reference b/64808634).
More info here,
https://community.apigee.com/articles/57541/how-to-retrieve-keys-for-jwt-from-kvm.html
Articles suggest that we can upload KVM values using JavaScript. But I’m still unable to upload it, Could you please suggest what should I do if I want PrivateKey in key value maps.
Thanks in advance.
I haven’t tried Dino’s approach. But for testing purpose, you can use an Assign Message policy to Assing a private.key variable with the certificate in the value.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-privatekey">
<DisplayName>Assign-privatekey</DisplayName>
<Properties/>
<AssignVariable>
<Name>private.privateKey</Name>
<Value>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1BFD44A98CAAF56A
nprtxjYSl8bGYc0B15ZWxDa5XvCPuQx+OaTT9o1wtlq1QxUNfm8yCHwxq+n7KgBm
CAgAZ11M3f+NlMS76+yZOeKzf55y7332IqsEZIjZpN2OXb6lg1ICM3D0UcN3lHdk
AsC4bBPddFCNmYcWpPXtXRQyaTraNep6tjRItj8gsaTaZEYPLY6Yes1SuBNGlSkL
w8s2dWyTY/wxfsyW1LJtYscLnh7XIHqv03JakUgpSsl2PDzxsEHFgC01BtG2WpWM
/D+h4i/Q/oa6VosEke48IgJQSvCwGvqc0QAE5TQv7c2oZURbZbS1MXKILFsfak9Q
3CML9P+HveQ+MahJwjlwNEVZRmjTOyfFsthSRxZwhYpxxfsqHLjnYLHCBRhtLg5i
b6MLbwXpOTuYwvPVfxEI5lT6ZdHnxhspjQoV95SQebj+5NZf2xhO3jNIgORTM5AM
n9a4s3HnLoo1thN2lAuoZymWLMITVQbw4jElfcFMHog3sssIpKS/tMgeKtMs6Yxf
jhMhac2IOPDVx5v/6y9eDnQlCimLSm5uDNV4+m/sOso2Zh6YFUp6ByPoK1x9Hv5h
kewOI70d/p22iOhW/YzVktNwUcYk548tsUCdWXYjTxzSKG2RZhNMvCggQRUM3qoH
9tlMVBjIHzH5Mh+ko6WugCOfN22x0uvl2YAnkgT7oCWZ0a1ZK9iVDb1kSjjpFu+1
M0t0D4oqeVtnmA+9RQYV4TahadJtj71v+EjKJtRh+CpJeYwRSE6uSv8zlHwcR/Y5
nWReJBs0cSGWYJPXqw2yYTVZv7Rzdw/h0A5HK7MCkHFf/BRqbrVMaeFYJuPHwZOH
svnqyHpnkHgfCAwBXhcLHQLh4uZC1LF4Qfs6y8fb/mEQMFZRakut7yBdzh9dHt1a
tuN64iXydn+kyzbBIcLxCIs4cS9QfUvWtXwS0w9eidx4cqs02046SZC6uYV1agxF
2MEG4i1FCyRXJLOQpa0WcWrHzPMGLBpCPHe0NgDm1hgSj7HLkLuYkEL4WAcZ5gPU
60pa6og1WolmLgqYOH+blypB/gxRSxFB0cCir/09S7ppd9FX8n1pQSt8D22xZ6is
42hR4Fu4JBQaxCBunkgaAU/ozwE/fEstTB+BdPuid8wsCTtd9QyHJ60ZjYTm2dF0
+0nED8Oj5N3dcAX8YHZWBo+DT2+n7WcViTR3Q1tNG4bjE1+krJyYcGSeLFWcxaZp
+Zh6/bxV/+oV2uM2Q0tWZaoyTwz65iQ1QeTZzqj3vEVM8peXZDVFb6AA8buu6jFq
4/pAe4RqUH0zumnXBnDmW/fDUPSIbHCCn+aeqNDOTVYtzWiwZegHmcGR3mc+brfv
Pa3MGXsMQPhqHW+tVSc6jn8sxCaFS5vYkweDUTNZMfoCLG9ajQOMQksicv+pTLrH
uKIfciKPYAgBM4IG1Q9TG+7LR2DMCnbg0fuzrqldX/07DsdVX270JphLAidsqTNq
+1xaZOXvSn7mnHW8Syjf5dK2dBSbhp8WCTVOj4B+huKhS+qcnxSMyS2QjVh1Qpq1
cxPb0DpiPJ49ZNwW5x+GpB71W0rCAuk19/ZIIeTg7rqvc/tOwd0kFAoCAcfyjYYf
-----END RSA PRIVATE KEY-----
</Value>
<Ref/>
</AssignVariable>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
Maybe you need to remove the index=“1” from the KVM policy.
This
<KeyValueMapOperations name='KVM-GetPrivateKey' mapIdentifier='secrets'>
<Scope>environment</Scope>
<ExpiryTimeInSecs>15</ExpiryTimeInSecs>
<Get assignTo='private.privatekey'>
<Key>
<Parameter>key1</Parameter>
</Key>
</Get>
</KeyValueMapOperations>
And not this:
<KeyValueMapOperations name='KVM-GetPrivateKey' mapIdentifier='secrets'>
<Scope>environment</Scope>
<ExpiryTimeInSecs>15</ExpiryTimeInSecs>
<Get assignTo='private.privatekey' index='1'> <<<< NO
<Key>
<Parameter>key1</Parameter>
</Key>
</Get>
</KeyValueMapOperations>
This repo shows you how to load private keys from the encrypted KVM. It includes a set of sample proxies. The one you want is jwt-generate. Look at the proxy flow; some of the JWT generation uses a key set with AssignMessage. Some use a key retrieved via KVM Get. There is also a command-line tool to load a private key into .a KVM. Siddharth is correct that the KVM UI is broken and doesn’t handle lengthy values elegantly. But it’s a matter of display; the command line tool will load in the key nicely.
We can add multiline KVM using directly through Environment configuration user interface which converts it into single line value.
Thanks @Siddharth Barahalikar and @Dino-at-Google 