Public/Private Key encryption to avoid MITM attack on a local network - networking

I have a system where I want to minimise outbound network communication to the internet. However, I need to ensure communication between local network clients and the local server is secure. I can't use HTTPS as an IP address is used. Also, at the locations where the servers are installed, the users will be non-technical, so no DNS configuration etc.
I'm hoping the following will be secure and only requires access to the internet on server/client initialization.
Is this open to attackers? (assuming the local server is secured and private key can not be extracted)
Server initializes, generates Pub/Private key pair. User signs into account with remote server which issues access token (JWT) for remote server (HTTPS). User creates local server account (Username/Password)
Local server uploads public key to remote server (HTTPS) using remote server access token.
Client initializes and discovers server
Server responds with server id
Client hits remote server with the server id (HTTPS) and gets the public key and stores it.
Client generates Pub/Private key.
Signs into local server account sending username/password/public-key encrypted with local server public key
Local Server issues access token (JWT) and stores client public key with that token. Any response to this access token is encrypted (body/headers) with client public key.
Client now communicates to local server with access token and encrypted headers/body with Local server public key.
Server responds to requests with body/headers encrypted with access token public key

Related

Remote Server access with tunneling

I want to integrate a service on my website, but the service provider requires that data transfer be performed using tunneling. Could you tell me the detailed process for connecting to the remote server and sending requests there? I have all the credentials: remote server IP, ISAKMP key and so on.
I tried configuring strongswan on my VPS, but I was not able to complete the process due to some errors.

Does BizTalk WCF-BasicHttp adapter actually verify the service certificate?

I have a WCF-BasicHTTP send port configured as follows:
Security tab: Security mode: Transport;
Transport client credential type: Certificate;
Client certificate: (thumbprint of our client cert);
Service certificate: (thumbprint of the service's public key cert).
General tab, Endpoint Identity: everything is left blank.
There is a send pipeline component that substitutes alternative endpoint addresses depending on the interaction type (all endpoints share the same base URL).
Recently, our trading partner renewed their server certificate and failed to notify us in advance. The send port continues working (good). However, the behaviour leads me to believe that even though BizTalk forced me to specify a service certificate thumbprint, the adapter does not actually verify the service certificate thumbprint against what's set in the binding. I can't figure out whether this is a bug or by design.

How to implement secure client-server communication over https using python and m2crypto?

I want to secure the communication between a server and multiple clients.
The communication goes this way:
The client connects to a specific page at the server and checks for a software version.
If the version on the client is not the latest, the client connects to a specific page and downloads the software update.
I want to secure the 3rd part, so this connection must be over https. What I have done is to install m2crypto on the client and the server and, with a python script, generate a pair of private/public keys.
The point is for the server to use the client's public key to sign the data to send.
How do I configure my server (apache) so that the connection is over https?

X509 certificate error for HTTPS on BizTalk

I want to send a request to the HTTPS adapter through BizTalk Server 2009. My BizTalk adapter is dynamic and takes its configuration details from a database instead of having them specified directly on the server.
I have installed X509 certificate in my browser and imported it in MMC.
I am getting following error in my BizTalk
A message sent to adapter "HTTP" on send port "sndHL7" with URI "https://xxxxxxxxx/imm/test (https://xxxxxxxxxxxxx/imm/test)" is suspended.
Error details: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
I searched for this error, but everywhere I got only the following response:
Error details: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
Solution: The error message normally occurs if the client certificate is not configured correctly. You should check that you have configured your client certificate in the certificate store under the BizTalk service account that hosts the HTTP adapter.
I don't understand how to configure that certificate in the proper certificate store. I have 3 files with extensions .cer, .cer and .pfx. The file with extension .pfx requires a password to install it in any store.
Also, how do I configure the certificate under the BizTalk service account? Should I select "Service Account" while adding the snap-in in MMC and then select the BizTalk service from the list of services?
I don't know about biztalk but if you are presenting a cert you need the associated private key. A cert is like a photo ID. It is hard to forge, but it still doesn't prove your identity unless you can present your face for someone to compare with the ID. Assuming the file extensions match the actual format of the files, the cer files are either DER, BER or PEM encoded certificates without the private key. So you need the pfx file. So if the proposed solution from the error message is correct, you need to find that password and install the certificate and private key from the PFX file into the store.
The two .cer files must be the root authority and server certificates, and you must trust them, so you need to place them in your LOCAL MACHINE - Trusted Root Certification store (use MMC).
Now the .pfx file will have the client authentication certificate that you will be presenting to get authenticated. Import this certificate into LOCAL MACHINE, Personal (or the MY certificate store if using the command line); check "private key as exportable".
Now allow the BizTalk service account access to the private key of this certificate:
In MMC, use Add Snap-in and add Local Machine.
Select the client certificate in Personal, right-click, All Tasks, Manage Private Keys. Now add your BizTalk service account as a user and give it access.
Or else use the winhttpcertcfg tool on the command line.

Certificate for WCF message security

I am developing a WCF service and Windows forms client and using message security (authenticate with user name, password, and certificate (public and private key) at server, server public key at client). Verified with temporary certificate using makecert.
Now I need to publish my application in GoDaddy.
Can I use the SSL Certificate from GoDaddy for WCF message security (WS-Security) or do we need to buy a different type of certificate?
It is possible, but it means you would have to have the GoDaddy SSL certificate installed on every client. Normally you would not expect the SSL certificate itself to be installed on a client, instead you would have a certificate from somewhere higher in the certificate issuer chain installed and verify the GoDaddy SSL certificate by chaining.
However, if you are able to distribute the GoDaddy cert (minus the private key, obviously) with your client application then you should be able to do it. Certificates generally have a purpose, which is their intended use. I imagine your GoDaddy certificate would have an intended use of SSL only, but I don't think that really matters.
