I have got my private key and certificate from sslforfree.com.I have not created from a CSR or private key from WSO2.
I have gotten directly private key and certicate from sslforfree.com
I have installed certificate and key in WSO2 and SSL is working fine.But i am getting an exception like
[2017-02-22 06:35:20,018] ERROR {org.wso2.carbon.user.mgt.UserRealmProxy} - Error while encrypting the Credential for User Name asasa
org.wso2.carbon.user.core.UserStoreException: Error while encrypting the Credential for User Name asasa
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:168)
Caused by: org.wso2.carbon.user.core.UserStoreException: Error while encrypting the Credential for User Name asasa
at
Can WSO2 accept private key from another party?Could it be the reason for this error?
Related
I was facing issue while login to Carbon Management Console
Version; WSO2 IS 5.10. 0 as Key Manager
Changes:
I have made Mysql database changes for WSO2AM_DB, WSO2Shared_DB,WSO2User_db in deployment.toml file.
When i tried login Management Console with default admin/admin credentials, I am getting error in UI:
Login failed! Please recheck the username and password and try again.
ERROR {org.wso2.carbon.core.services.authentication.AuthenticationAdmin} - System error while Authenticating/Authorizing User : com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link failure
Also user store changes in deployment.toml cause error
Changes:
[user_store]
type = "database"
[user_store.properties]
TenantManager="org.wso2.carbon.user.core.tenant.JDBCTenantManager"
ReadOnly=false
ReadGroups=true
WriteGroups=true
scim_enabled = true
[realm_manager]
data_source = "WSO2USER_DB"
com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link failure normally means the configured database is not accessible.
Did you define the database.user configuration in the deployment.toml according to WSO2 jdbc user configuration guidelines? If this is already configured, check the configured connection url and network connectivity from WSO2-IS to userstore database.
I am trying to get App Service to connect with Azure Sql database. I can git is nicely work with System Assigned Identities with the same code, but I prefer to use User Assigned Identities (UAI), but I cannot get it work.
Steps which I do:
Created a UAI via the portal, name of the UAI "uai-dev-appname-001"
At the Identity tab of the Azure App Service I selected 'User Assigned Identity' and selected the UAI made in the previous step.
Ran the following SQL CMD
CREATE USER [uai-dev-appname-001] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [uai-dev-appname-001]
ALTER ROLE db_datawriter ADD MEMBER [uai-dev-appname-001]
Set Connectionstring in the ASP.NET to:
Data Source=sqlsrv-name-dev-001.database.windows.net; Initial Catalog=sqldb-name-dev-001;
Using the following code in mine ASP.NET Core:
SqlConnection connection = new SqlConnection
{
ConnectionString = configuration.GetConnectionString("nameDatabase")
};
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
var token = provider.GetAccessTokenAsync("https://database.windows.net/").Result;
connection.AccessToken = token;
Deploy to Azure App Service and watched the URL. The result is: error 500.30
Looking in the Application Event Log:
Unhandled exception. System.AggregateException: One or more errors occurred. (Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"StatusCode":400,"Message":"No MSI found for specified ClientId/ResourceId.","CorrelationId":"a68bf757-518a-42e1-85a9-342320d39b5a"}
Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.
The most interesting part in IMO is:
Response: {"StatusCode":400,"Message":"No MSI found for specified ClientId/ResourceId.","CorrelationId":"a68bf757-518a-42e1-85a9-342320d39b5a"}
Mine question are:
Does User Assigned Identies work with Azure SQL?
If so what do I do wrong?
Does someone has a working example.
User-assigned Managed Identity is supported from version 1.2.1 of Microsoft.Azure.Services.AppAuthentication.
So, please update the version of Microsoft.Azure.Services.AppAuthentication to the latest.
Then set AzureServicesAuthConnectionString in the Appsettings of the AppService to RunAs=App;AppId={ClientId of user-assigned identity}
E.g.
RunAs=App;AppId=587f16c8-81ed-41c7-b19a-9ded0dbe2ca2
Documentation can be found here.
Once you do these steps, your code should be using user-assigned managed identity.
I have an ASP.NET Core 1.1 project, with authentication using Azure AD OpenID. Authentication works fine on my dev box (windows 10), both on IIS express and full IIS. However, when I deploy the project to my server (Server 2008R2), after the after logging into the Microsoft redirect site, the server throws this error:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: VWVIc1WD1Tksbb301sasM5kOq5Q
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred
at Internal.Cryptography.Helpers.OpenStorageProvider(CngProvider provider)
at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider)
at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, CngKeyBlobFormat format)
at Internal.Cryptography.Pal.X509Pal.DecodePublicKey(Oid oid, Byte[] encodedKeyValue, Byte[] encodedParameters, ICertificatePal certificatePal)
at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPublicKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PublicKey()
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.IsSupportedAlgorithm(String algorithm, SecurityKey key)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
When I take the token received from Azure, and plug it into JWT.io, it verifies the signature successfully.
To recap:
dev box (iis express and iis) token signature verifies successfully
JWT.io debug site, token and signature verifies successfully
deployed on server (iis 7.5) signature verification fails
Does it have anything to do with the https cert I have on the server? On my dev box I am using a self-signed cert created with powershell. On the server, we have a cert issued from go-daddy.
Thanks for any help.
This exception can also occur when the 'CNG Key isolation' Windows service is not running.
See https://blogs.msdn.microsoft.com/dsnotes/2012/08/17/cngkey-import-throws-an-exception-saying-an-internal-error-occurred-when-importing-a-key-blob-under-a-non-admin-user-from-a-wcf-web-service/
The issue was the identity running the application pool. Not high enough rights.
I am creating Platform Application for that I am providing following details:
Application Name = "TestNotification"
Push Application Platform = Apple Development
Push Certificate Type = iOS Push Certificate
Choosing P12 file
Loading Credential from file
Certificate Key
Private Key
And Finally Clicking on Create Platform Application
But I am getting following error:
The AWS Access Key Id needs a subscription for the service (Service: AmazonSNS; Status Code: 403; Error Code: OptInRequired; Request ID: a0b89f4e-f34b-51f2-b4ae-ce136d8b1fe1).
I google out but not able to solve the issue.. Please help.
In my case, Account verification was not completed.
complete the account registrations or varication process by going to
https://portal.aws.amazon.com/billing/signup?type=resubscribe#/resubscribed.
I have a common use case to implement a web service (WCF) and a web client which is consuming this web service. Both Client and Service are sending and receiving Signed and Encrypted messages (Message Level Security).
I can have multiple clients those are using my service, hence multiple client certificate need to be installed on Server where Service project is running.
I have installed 2 Certificates (Service Certificate and Client Certificate) in local machine store under personal and trusted root certification authorities.
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFServer" -len 2048 -sky exchange -pe
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFClient" -len 2048 -sky exchange -pe
Although Certificate give me error of "integrity of licence can not be guaranteed" but now i dont care about this issue.
Web Client need to Sign the request message through its own Private Key and Encrypt message through Service Certificate Public key.
Service receive the request and verify the signature of message through client Public Key and Decrypt the contents through own Private Key
Than process the request and create a response object.
Now Service must sign the response by own private key and encrypt the message through client public key.
Now client get Signed and Encrpted response. Now it verify the response through Service Public Key and Decrypt the message by its own private key.
This is whole Szenerio . I have installed both(Client and Service) X.509 Certificates on my local development machine. I am using wsHttpBinding and communication is working fine.
I am using [ServiceContract(ProtectionLevel=ProtectionLevel.EncryptAndSign)] for ServuceContract and [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign, IsOneWay = false)] for OperationContract.
I have following question:
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
I go through following code project and its working fine.
http://www.codeproject.com/Articles/36683/simple-steps-to-enable-X-certificates-on-WCF
My Source code (Visual Studio Project) Including both certificates is available on Bitbucket for download here
Can any one tell me, do i need to do all this stuff in code or its done through my current configurations.
Thanks in advance.
i got following answer from MSDN forum.
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
If we have configured the service to use the certificate authentication in the config file, then as you said all the response and request message will be Encrypted/Decrypted by the client certficate's private key/ public key and service certificate's private key/ public key. So in my mind it is enough to do all the stuff in the configure file.
For more information, please try to refer to the following articles:
Certificate authentication:
https://msdn.microsoft.com/en-us/library/ff648360.aspx .
Message and Transport Security:
https://msdn.microsoft.com/en-us/library/ff648863.aspx .
i have few more questions which may be any one can answer me.
I have multiple clients (external web applications ) which will access my service. do each client need to create their own certificate? client will deliver us certificate without private key which need to be install on Service Host server? is this a correct way?
Each client certificate need to be configured in web.config ?
I need to export my service certificate without private key and send to clients. clients must install and configure certificate on their application server? is this correct?
here i got another ver good answer (step by step guide) from MSDN Team.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/a9d85e9f-6d35-425c-ac6d-b3cd883760e4/wcf-message-level-security-using-certificate-x509-message-signed-and-encrypted?forum=wcf&prof=required