Encryption is happening successfully in soap ui it is reaching server and server is replying with proper response without any issue. However while upon receiving in soap the encrypted response is not getting decrypted and in error log I'm getting the following error.
ERROR:org.apache.ws.security.WSSecurityException: General security
error (No certificates were found for decryption (KeyId))
org.apache.ws.security.WSSecurityException: General security error (No
certificates were found for decryption (KeyId))
at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:313)
In incoming configuration , I configured the jks file which consists my keypair and server public key.
( the same jks file is working fine when using in java client code , So I assume this is a problem in soap ui configuration. )
Any help would be appreciated
Related
I have created a UWP application for testing purposes in which my purpose is to be able the application to connect to a ASP.NET Web API with a certificate for Indivual User Accounts, I've hosted the db into localhost, after ensuring the connection its correct and everything its ok I have deployed my UWP app, the problem is that when I execute a call to a method inside the Account controller (api/Account), the compiler throws me an exception which is the following:
System.Net.Http.HttpRequestException
Message=An error occurred while sending the request.
Source=System.Net.Http
...
Inner Exception 1:
COMException: The text associated with this error code could not be found.
The certificate authority is invalid or incorrect
I have searched for the problem but there's not a "specific" or "correct" answer I've found, could anyone help me with this issue please?
if code snippets are required, let me know!
I have a common use case to implement a web service (WCF) and a web client which is consuming this web service. Both Client and Service are sending and receiving Signed and Encrypted messages (Message Level Security).
I can have multiple clients those are using my service, hence multiple client certificate need to be installed on Server where Service project is running.
I have installed 2 Certificates (Service Certificate and Client Certificate) in local machine store under personal and trusted root certification authorities.
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFServer" -len 2048 -sky exchange -pe
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFClient" -len 2048 -sky exchange -pe
Although Certificate give me error of "integrity of licence can not be guaranteed" but now i dont care about this issue.
Web Client need to Sign the request message through its own Private Key and Encrypt message through Service Certificate Public key.
Service receive the request and verify the signature of message through client Public Key and Decrypt the contents through own Private Key
Than process the request and create a response object.
Now Service must sign the response by own private key and encrypt the message through client public key.
Now client get Signed and Encrpted response. Now it verify the response through Service Public Key and Decrypt the message by its own private key.
This is whole Szenerio . I have installed both(Client and Service) X.509 Certificates on my local development machine. I am using wsHttpBinding and communication is working fine.
I am using [ServiceContract(ProtectionLevel=ProtectionLevel.EncryptAndSign)] for ServuceContract and [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign, IsOneWay = false)] for OperationContract.
I have following question:
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
I go through following code project and its working fine.
http://www.codeproject.com/Articles/36683/simple-steps-to-enable-X-certificates-on-WCF
My Source code (Visual Studio Project) Including both certificates is available on Bitbucket for download here
Can any one tell me, do i need to do all this stuff in code or its done through my current configurations.
Thanks in advance.
i got following answer from MSDN forum.
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
If we have configured the service to use the certificate authentication in the config file, then as you said all the response and request message will be Encrypted/Decrypted by the client certficate's private key/ public key and service certificate's private key/ public key. So in my mind it is enough to do all the stuff in the configure file.
For more information, please try to refer to the following articles:
Certificate authentication:
https://msdn.microsoft.com/en-us/library/ff648360.aspx .
Message and Transport Security:
https://msdn.microsoft.com/en-us/library/ff648863.aspx .
i have few more questions which may be any one can answer me.
I have multiple clients (external web applications ) which will access my service. do each client need to create their own certificate? client will deliver us certificate without private key which need to be install on Service Host server? is this a correct way?
Each client certificate need to be configured in web.config ?
I need to export my service certificate without private key and send to clients. clients must install and configure certificate on their application server? is this correct?
here i got another ver good answer (step by step guide) from MSDN Team.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/a9d85e9f-6d35-425c-ac6d-b3cd883760e4/wcf-message-level-security-using-certificate-x509-message-signed-and-encrypted?forum=wcf&prof=required
I tried following links to generate server side SignalR trace on my production environment:
http://www.asp.net/signalr/overview/testing-and-debugging/enabling-signalr-tracing#server_text
https://github.com/SignalR/SignalR/wiki/Tracing-on-the-server-side
But, trace is not getting saved on disk as mentioned in the links(e.g., "default_traces.txt" or "transports.log.txt" respectively).
Please suggest where trace log file get saved?
I also checked following folders mentioned in first tutorial:
C:\inetpub\logs\LogFiles\W3SVC1
C:\inetpub\logs\FailedReqLogFiles\W3SVC1
But nothing related with SignalR found there. Any idea?
In my environment (VS2015 + IIS Express) log files are stored in web application folder (folder with web.config).
Be sure that your application pool has write permission on logs folder.
Also check SignalR error on client side. It can direct you to the cause of the problem.
For example, if client receives response 401 (Not authorized) (for example, on $.connection.hub.start()) it could mean that authentication middleware can not authenticate the client and responds with 401 without passing the request further through OWIN pipeline to SignalR. In this case SignalR does not emit any logs (it doesn't know about any request).
I am testing my application with PayPal sandbox.
The URI I use for the transaction is https://sandbox.paypal.com/cgi-bin/webscr?cmd=_xclick.
In my return page I read the data from PayPal then I form a new string to send back with cmd = _notify-validate.
When I make a call to https://sandbox.paypal.com/cgi-bin/webscr I am getting error saying "The remote certificate is invalid according to the validation procedure."
I tried making a call to https://www.paypal.com/cgi-bin/webscr instead and it always return t "INVALID".
This appears to be an SSL issue: This error message is caused because the process is not being able to validate the Server Certificate supplied by the Server during an HTTPS (SSL) request. The very first troubleshooting step should be to see if the server supplied certificate and every certificate in the chain is trouble free.
I have an ASP NET web server application that calls another process running on the same box that creates a pdf file and returns it. The second process requires a secure connection via SSL.
The second process has issued my ASP NET application with a digital certificate but I still cannot authenticate, getting a 403 error.
The code is a little hard to show but here's a simplified method ...
X509Certificate cert = X509Certificate.CreateFromCertFile("path\to\cert.cer");
string URL = "https://urltoservice?params=value";
HttpWebRequest req = HttpWebRequest.Create(URL) as HttpWebRequest;
req.ClientCertificates.Add(cert);
req.Credentials = CredentialCache.DefaultCredentials;
req.PreAuthenticate = true;
/// error happens here
WebResponse resp = req.GetResponse();
Stream input = resp.GetResponseStream();
The error text is "The remote server returned an error: (403) Forbidden."
Any pointers are welcome.
Finally fixed (wasted 6 hours on this *&%$##&)
I needed to grant access to the private keys on the digi cert to the account that the calling ASP.NET application runs under. This account is NETWORK SERVICE by default although you may want to run under a more restricted account.
Access is granted with the winhttpcertcfg tool, here's what got it working for me:
winhttpcertcfg -g -s "cert name" -c "LOCAL_MACHINE\MY" -a "NETWORK SERVICE"
where "cert name" is the CN of the digi cert.
More info at http://support.microsoft.com/kb/901183
Thanks to all who helped out with pointers on how to get this working :)
A 403 sounds like an authorization problem, not an authentication problem. It might be caused by the NTFS security settings on the files and folders accessed by your PDF service. Maybe it doesn't have permission to create the PDF file in the output folder?
Can you install the client certificate into your browser, and then access your PDF service through the browser? When you do that, do you still get a 403 or does it work?
Can you temporarily configure the PDF service to allow unencrypted HTTP connections? Does that make the problem go away?
From Windows Explorer, can you grant the "Network Service" account full control over the physical folder corresponding to the root of the PDF service site? Also grant it full control over any other directories it accesses. You should lock things down later after you've figured things out.
Or you can change the application pool to run under a different account - e.g. your own account.
Finally: if you're running IIS 7, you can turn on failed request tracing, which should give you a lot more info about why it failed.