Conjur .NET API Example Usage

The Conjur .NET API is a powerful tool for integrating Conjur into your .NET projects. Here’s a small example I put together to demonstrate it locally.

1. Set Up Conjur Server

First, you need to set up a local Conjur OSS server. You can either set the server up manually by following the Conjur Quick Start Tutorial, or you can use the repo I made for quickly setting up Conjur instances for projects like this HERE and run ./setup.sh.

Next, give the variable we defined a secret:

docker-compose exec client conjur authn login -u admin -p <admin_API_KEY>
docker-compose exec client conjur variable values add test/secret secretValue

<admin_API_KEY>: Stored in admin_data

Note: This repo is a really rough script I use with a lot of room for improvement. Feel free to use it as just a guide if you want. The main reason I use this repo is to grab the cert from the Conjur server automatically for testing locally.

2. Set Env Variables

export CONJUR_ACCOUNT=myConjurAccount
export CONJUR_AUTHN_LOGIN=host/test/myApp
export CONJUR_AUTHN_API_KEY="<myApp_API_KEY>"
export CONJUR_APPLIANCE_URL=https://127.0.0.1:8443
export CONJUR_SECOND_USER=admin
export CONJUR_SECOND_API_KEY="<admin_API_KEY>"
export CONJUR_CERT_PATH="<path_to_cert>"

<myApp_API_KEY>: Stored in user_data
<admin_API_KEY>: Stored in admin_data
<path_to_cert>: The direct path to the conjur-myConjurAccount.pem cert in conjur-for-testing after running ./setup.sh

3. Set Up .NET App

First follow the guide in the README on building the repo, and then import this into your project.

Then copy in this small sample app I created for this demo.

using System;
using System.Text;
using Conjur;

namespace TestingConjur
{
    class MainClass
    {
        static String VariableID = "test/secret",
            OriginalSecret = "secretValue",
            NewSecret = "ChangedByDotNetAPI";

        public static void Main(string[] args)
        {
            String conjurAccount = Environment.GetEnvironmentVariable("CONJUR_ACCOUNT");
            String userLogin = Environment.GetEnvironmentVariable("CONJUR_AUTHN_LOGIN");
            String userAPIKey = Environment.GetEnvironmentVariable("CONJUR_AUTHN_API_KEY");
            String applianceURL = Environment.GetEnvironmentVariable("CONJUR_APPLIANCE_URL");
            String secondUser = Environment.GetEnvironmentVariable("CONJUR_SECOND_USER");
            String secondUserAPIKey = Environment.GetEnvironmentVariable("CONJUR_SECOND_API_KEY");
            String CERT_PATH = Environment.GetEnvironmentVariable("CONJUR_CERT_PATH");

            // Import cert
            Client client = new Client(applianceURL, conjurAccount);
            client.TrustedCertificates.ImportPem(CERT_PATH);

            // Log into first user
            Console.WriteLine("Logging into user: " + userLogin);
            client.LogIn(userLogin, userAPIKey);
            // Retrieve variable
            Variable conjurVariable = client.Variable(VariableID);
            String value = conjurVariable.GetValue();
            Console.WriteLine(VariableID + ": " + value);
            printLine();

            // Log into admin
            Console.WriteLine("Logging into user: " + secondUser);
            client.LogIn(secondUser, secondUserAPIKey);
            // Set variable to new value
            Console.WriteLine("Setting '" + VariableID + "' to: " + NewSecret);
            conjurVariable.AddSecret(Encoding.ASCII.GetBytes(NewSecret));
            printLine();

            // Log back into user
            Console.WriteLine("Logging into user: " + userLogin);
            client.LogIn(userLogin, userAPIKey);
            // Retrieve new secret
            String newValue = conjurVariable.GetValue();
            Console.WriteLine(VariableID + ": " + newValue);

            reset(client, conjurVariable, secondUser, secondUserAPIKey);
        }

        private static void reset(Client client, Variable variable, String admin, String adminAPIKey)
        {
            client.LogIn(admin, adminAPIKey);
            variable.AddSecret(Encoding.ASCII.GetBytes(OriginalSecret));

        }

        private static void printLine()
        {
            Console.WriteLine("--------------------------");
        }
    }
}

4. Run

After importing the API and code into your project, you should be able to run the project and watch the magic happen!

Thank you for reading! If you have any questions, feel free to ask!

I’m trying to access Conjur using the .NET API. To set up the environment I used the setup.sh script and I followed all other steps as explained.
The creation of the certificate worked as expected.
However, when I’m trying to run the project, I keep getting exceptions stating that the SSL connection could not be established.
I’m running Ubuntu 20.04 on a VM and had to change host.docker.internal:8443 to 172.17.0.1:8443 or localhost:8443 to make the certificate creation work.
Any ideas what causes the SSL exceptions?

Help would be much appreciated, thank you!

Hi @devnicole,

I’m sorry to hear that you’re encountering SSL errors! It’s interesting to me that it worked when using an IP or localhost but not with host.docker.internal. I wonder if it has to do with the domain name not matching the common name in the certificate.
You mentioned you’re running it on a VM. Are the Conjur server and the .NET app being run on the same VM?

Hi @szh,

so creating the cert actually does work using host.docker.internal without specifying a port, but not when using host.docker.internal:8443, then I get a message saying:
“error: Unable to retrieve certificate from host.docker.internal:8443”
Is it possible that I additionally need to add the certificate to etc/ssl/certs or usr/share/local/share/ca-certificates? Or that something is blocking the port?

Yes the Conjur server and .NET app are being run on the same VM.

If you used IP address or localhost to make the certificate creation work, then I’d expect those names would be in the certificate subject. If you then try to connect with host.docker.internal, then the name you provide is different from the name in the certificate and will fail SSL validation. Take a look at your certificate with openssl:
openssl x509 -text -noout -in <certificate.pem>
and look at the Subject CN. Ensure this matches the URL for the Conjur server that is in your call.

HTH!

Regards,
Nate

Hi @nathan.whipple,

thanks for your help, I actually figured out what the problem was:
The .NET app is not communicating directly with the conjur server, CONJUR_APPLIANCE_URL (https://127.0.0.1:8443) is actually the nginx proxy, so that’s where the requests first go to.
The problem was not the certificate that was created by conjur but the nginx certificate. I had to add it to the Ubuntu host’s trusted certificates and then everything worked fine!
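
The two checks this thread arrives at (does the PEM cover the host named in CONJUR_APPLIANCE_URL, and is it the same certificate the endpoint on port 8443 actually serves), written out as an added shell example that is not from any poster. The function names are hypothetical, and the sample certificate helper only produces throwaway self-signed certificates for trying the checks offline.

```shell
#!/bin/sh
# Added example, not from the thread; all function names are hypothetical.

# Host part of a URL: strips scheme, path, port and IPv6 brackets.
url_host() (
    h="${1#*://}"; h="${h%%/*}"
    case "$h" in
        \[*) h="${h#\[}"; h="${h%%\]*}" ;;   # [::1]:8443 -> ::1
        *)   h="${h%%:*}" ;;                 # name:8443  -> name
    esac
    printf '%s\n' "$h"
)

# Succeeds only if the certificate in PEM file $1 is valid for the host in
# URL $2. IP literals must appear as iPAddress SAN entries; names are matched
# against DNS SAN entries, with Subject CN used only when no DNS SAN exists.
cert_covers_url() (
    host="$(url_host "$2")"
    case "$host" in
        *:*)       flag=-checkip ;;     # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;   # has a non-digit character: DNS name
        *)         flag=-checkip ;;     # digits and dots only: IPv4
    esac
    openssl x509 -in "$1" -noout "$flag" "$host" | grep -q 'does match certificate'
)

# SHA-256 fingerprint of a PEM certificate file, for comparing the file in
# CONJUR_CERT_PATH with the certificate the endpoint really presents.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Leaf certificate served at host:port, written as PEM (needs network access).
served_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509
}

# Constructed sample input: throwaway self-signed certificate.
# $1 = output PEM path, $2 = Subject CN, $3 = subjectAltName list
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=$3" -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Run `cert_covers_url "$CONJUR_CERT_PATH" "$CONJUR_APPLIANCE_URL"` first, then save the output of `served_cert 127.0.0.1:8443` to a file and compare its `cert_fingerprint` with that of the file in CONJUR_CERT_PATH. A differing fingerprint means the endpoint presents another certificate, such as the proxy's.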