This document describes a sample usage of the Trust Services for a Data Hub scenario where the Publisher publishes a blob of data to Azure to be accessed by another party, the Data Consumer. The Publisher & Consumer are in their trusted environments and the Azure blob is untrusted for storing the data being shared.  Trust Services is used to enable this scenario by encrypting the publisher’s data using Trust Services SDK in his trusted environment first prior to him storing it in Azure. The Consumer in his trusted environment then downloads this encrypted data from Azure and decrypts it to retrieve the publisher’s data. 

Usage Overview document states the problem domain and provides a usage description. Visit Trust Services Samples Download page to download samples.

The demo scenario involves 4 parties:

1. Trust Services Administrator (TSA)
2. Trust Services Policy Administrator (TSPA)
3. Data Publisher
4. Data Consumer

In this scenario, the steps are as called out in the Usage Overview document:

1. The TSA creates a Trust Services Server in the Trust Services Portal 
2. The TSPA defines the data policy
3. The Data Publisher publishes sensitive data and
4. The Data Consumer reads this data

The TSPA, Publisher and Consumer perform their actions in their PCs using the Trust Services SDK. The sample solution implements these actions. In this sample, the sensitive data is a blob of data that is stored in an Azure blob.

Link to download SDK: Trust Services SDK MSI. For specifics on the C# API, open "Trust Services SDK Help" from Start Menu once SDK is installed.

Prerequisites

The pre-requisites to run this sample are:

Self-Signed Certificates

You must have self-signed certificates for the TSPA, Publisher and Consumer available. You can create your own certificates.

Run the following commands from a Visual Studio command prompt to create a self-signed certificate:

makecert -r -pe -n "CN=Alice" -sky exchange "Alice.cer" -sv "Alice.pvk"

You will be prompted for a password to secure the private key three times. Enter a password of your choice.

Then enter the following command to create the .pfx file. After the –pi switch, enter the password you chose.

 pvk2pfx -pvk "Alice.pvk" -spc "Alice.cer" -pfx "Alice.pfx" -pi password-entered-in-previous-step

You can verify that the certificate has been created by looking in the current directory in the Visual Studio command prompt. You should have three files: (1) Alice.cer – the file with only the Public Key (2) Alice.pvk – the file with the Private Key (3) Alice.pfx – the file with both the Private & Public Keys.

For this sample, you will need the .cer file and the .pfx file. Repeat the above steps for the three roles: TSPA, Publisher and Consumer.

Windows Azure Storage

As this sample uses the Windows Azure Blob store, the Windows Azure SDK is required.

• Install the Windows Azure SDK.
• Start the Windows Azure Storage emulator.

Note: This sample has been tested with Version 1.4 but should work with the latest SDK as well.

Portal Steps for the TSA

This is the “Create a Trust Services Server” step described in the Trust Services Usage Overview document.

1. Visit the Trust Services Portal https://trustservices2.cloudapp.net/ and sign in with your Windows Live Id. This will take you to the Registration Page.
2. Check the Terms and Conditions box, and then complete the Name and E-mail fields.
   Click the Register button. Upon successful registration, you will be re-directed to the Windows Azure Trust Services home page.
3. To add a Trust Server, click Create. This will create a new Trust Server and auto-generate a name.
4. To assign the TSPA for the Trust Server, select the new Trust Server, and then click Set TSPA.
   Upload the .cer file for the TSPA.

Tip: Make a note of the Trust Server name. This will be needed in subsequent actions on the client machines.

Prepare the Client Computer

• Install the Trust Services SDK and Management Tool Labs msi. By default, this installs to C:\Program Files\Microsoft\Trust Services Lab SDK and Shell\. The dlls are placed in the bin directory.

Sample usage

The sample solution is a Visual Studio 2010 solution. The TSAzureBlobConsoleSample.sln can now be loaded in Visual Studio. Add references to the Trust Services SDK DLLs, and do “Build solution” (F6 button). On successful build completion, the executable can be used to perform the following steps described in the Trust Services Usage Overview document.

Note: The app.config file in the TSAzureBlobConsoleSample Project contains the Service URL for Trust Services (key is TSSvc) https://trustservicesapi2.cloudapp.net/.  

Create Data Policy (Admin Role)

1. To invoke the TSPA role, execute the statement TSAzureBlobConsoleSample.exe -a
2. Type 'l' to login. You will be prompted to load a .PFX file. Type in the path of the TSPA's certificate.
3. Type 't' and Set the Trust Server name (the name generated at the portal).
4. Type 'a' and add certificates. You will be prompted for a .CER certificate. Perform this step twice - once for the data publisher and again for data consumer.
5. Type 'c' and create a data policy for the blob of data shared between publisher and consumer. Note: in this sample, the blob of data being shared is considered sensitive and the data policy defines that this blob is to be encrypted.
6. Type 'p' to print out the current state of the Trust Server.

Encrypt data based on data policy (Data Publisher Role) 

1. To invoke the data publisher role, execute the statement TSAzureBlobConsoleSample.exe -p
2. Type 'l' to login. You will be prompted to load a .PFX file. Type in the path of the data publisher's certificate.
3. Type 't' and set the Trust Server name (the name generated at the portal).
4. Type 'o' to set the TSPA. You will be prompted for a .CER certificate. Add the TSPA's .CER file.
5. Type 's' to write data and store this data in protected form in Windows Azure blob storage. This will prompt you to type in a string. Type the text that you want to share with the Data Consumer.
6. Type 'p' to get the output of the encrypted data.

Decrypt data based on data policy (Data Consumer Role) 

1. To invoke the data consumer role, execute the statement TSAzureBlobConsoleSample.exe -c
2. Type 'l' to login. You will be prompted to load a .PFX file. Type in the path of the data consumer's certificate.
3. Type 't' and set the Trust Server name (the name generated at the portal).
4. Type 'o' to set the TSPA. You will be prompted for a .CER certificate. Add the TSPA's .CER file.
5. Type 'g' to get the protected data from Windows Azure storage and decrypt it.
6. Type 'p' to get the output of the decrypted data. This will print out the string that the Data publisher encrypted (protected) and placed in Azure.

You can also verify the data is protected by viewing the blob storage in the development storage using the Azure Storage Explorer. The blob container name is tscontainer (refer to initBlobStore method in the RoleHandler class).

Note: These three roles (Admin, Data Publisher and Data Consumer) can be executed on different machines.

Quick Links

• Learn More

• Getting Started Tutorial

• Request Registration Code

• Download "Trust Services" SDK

• Access "Trust Services" Portal

• Samples

• Troubleshooting

• SQL Azure Labs Forums