On one computer I have 2 projects - a client application and another that holds the identity server and identity manager. When I run the client site on this computer everything works. I am able to sign in, register etc. This project was already set up and working.
I made a copy of the projects and put them on another computer. I have set the sites up in IIS and created a self signed certificate.
When I run the client site and attempt to sign in I get the yellow asp.net error page with the message "The remote certificate is invalid according to the validation procedure". When stepping through with the debugger I also see: "The underlying connection was closed: could not establish trust relationship for the ssl/tls secure channel"
I figure the errors have to do with the certificate so in MMC I made sure that the certificates are installed in the trusted root certification authorties folder.
The other thing I did was check the web.config files in the projects.
In the client site I have something like:
<oidcClient clientId="codeclienthere"
clientSecret="secrethere"
signingCertificate="keythatmatches_certificate_hash_here"
issuerName="https://identityurlhere/issuer"
...
Then in the identity server and identity manager web.config files I have something like:
<appSettings>
<add key="owin:AppStartup" value="startup" />
<add key="Issuer" value="identity_url_here/issuer" />
<add key="Thumbprint" value="keythatmatches_certificate_hash" />
<add key="WebClientId" value="codeclienthere"/>
<add key="WebClientSecret" value="secrethere"/>
...
I changed the signing certificate and thumbprint values to match the certificate hash. For the attribute "issuerName" and key "Issuer" I tried leaving it the same, setting it the name of the certificate and prepending "CN=" to the name of the certificate. I am unsure what value should go here. I am also unsure what other things I should check.
The problem here was that there were hidden characters in the thumbprint that I did not notice. I had pasted in a text editor to compare or something and they got removed so when I pasted them back in the config file they did not match as needed.
Related
I’m using asp.net framework 4.8
I’m trying to use the membership class with Active directory provider.
security team insists to use LDAPS protocol with ca certificate, so I set the config in this way:
web.config
<connectionStrings>
<add name="ADService" connectionString="LDAPS://ipaddress:636/OU=ou,DC=dc,DC=dc"/> (censored)
</connectionStrings>
<system.web>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADService"
connectionUsername="MYUSERNAME"
connectionPassword="MYPASSWORD "
connectionProtection="Secure"/>
</providers>
</membership>
</system.web>
When I try to use Membership.GetUser() I get the following exception:
{"Error HRESULT E_FAIL has been returned from a call to a COM
component. (C:\Projects\ \project\web.config line 83)"}
I tired to do the steps in:
Error HRESULT E_FAIL has been returned from a call to a COM component VS2012 when debugging
I was able to connect to the active directory using LDAP browser but no through my code.
When I try to connect to another active directory on my local domain, which is not secured (LDAP on port 389) it does work.
any suggestions?
LDAP over SSL follows all the same rules as HTTP over SSL (HTTPS). The two most important parts are:
The domain name you use to connect must match one of the domains names on the certificate.
The SSL certificate must be issued by an entity that your computer trusts, and
Rule #1 means that you cannot use an IP address to connect, which it seems you are trying to do. You must use a domain name. That might be your only problem.
For rule #2, you can check the certificate by downloading it to your computer using this PowerShell script:
$webRequest = [Net.WebRequest]::Create("https://example.com:636")
try { $webRequest.GetResponse() } catch {}
$cert = $webRequest.ServicePoint.Certificate
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
set-content -value $bytes -encoding byte -path "certificate.cer"
Change example.com to your domain name (you can actually use the IP address here since it's just downloading the cert, not evaluating whether it will be trusted). After running it, you will have a certificate.cer file that you can double-click on and inspect. It will tell you obviously whether the certificate is not trusted. If that's the case, you will have to install the root certificate as a Trusted Root Certificate on your computer.
To help with rule #1, you can also look at all the domains listed in the certificate by looking at the Details tab and looking at "Subject Alternative Name" in the list. There may only be one, but there might be more. If there are more than one, just make sure you use on that DNS resolves to the right IP address.
I've received an email from Amazon Web Services regarding certificate rotation. I need to know whether I should make any changes to my EC2 or Web.config to make it support the new database certificate.
Rotating your SSL/TLS certificate: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
Updating Applications to Connect to Microsoft SQL Server DB Instances Using New SSL/TLS Certificates: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-sqlserver.html
A sample connection string from the Web.config that I use (sensitive data omitted).
<add name="temp" connectionString="Server=someaddress.us-east-3.rds.amazonaws.com;
Port=3306;Database=somedatabase;Uid=someuserid;Pwd=somepassword" providerName="MySql.Data.MySqlClient" />
All my websites have a similar connection string that connects to the RDS database server.
Is there any change needed to be made to the web.config or the EC2 server to make my websites support the new certificate rotation.
You don't need to make any changes since you are not using SSL certificate to connect to RDS. your website will continue to work as it is now without making any changes to your config. But you can consider using SSL to connect to your RDS in order to improve security in the future.
As long as you aren't using an SSL connection to your database, the certificate won't be used and you can update the certificate without any side effect.
This would have been the case if your connectionString included an sslmode as required:
<add
name="mySql"
providerName="MySql.Data.MySqlClient"
connectionString="...;SslMode=Required;" />
Since this is not the case, you can update your certificate right away.
Yes Web.config needs to changed definitely.The changes required are listed below.There might be additional changes based on the security group and vpc setup you have done.
You need to add SslMode=Required parameter to the connectionString
Also add a parameter SslCa=ca.pem
Download the https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem file from aws.
I have a working Azure web role which I've been using over an http endpoint. I'm now trying to switch it over to https but struggling mightily with what I thought would be a simple operation. (I'll include a few tips here for future readers to address issues I've already come across).
I have created (for now) a self-signed certificate using the powershell commands documented by Microsoft here and uploaded it to the azure portal. I'm aware that 3rd parties won't be able to consume the API while it has a self-signed certificate but my plan is to use the following for local client testing before purchasing a 'proper' certificate.
ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true;
Tip: you need upload the .pfx file and then supply the password you used in the powershell script. Don't be confused by suggestion to create a .cer file which is for completely different purposes.
I then followed the flow documented for configuring azure cloud services here although many of these operations are now done directly through visual studio rather than by hand-editing files.
In the main 'cloud service' project under the role I wanted to modify:
I imported the newly created certificate. Tip: the design of the dialog used to add the thumbprint makes it very easy to incorrectly select the developer certificate that is already installed on your machine (by visual studio?). Click 'more options' to get to _your_ certificate and then check the displayed thumbprint matches that shown in the Azure portal in the certificates section.
Under 'endpoints' I added a new https endpoint. Tip: use the standard https port 443, NOT the 'default' port of 8080 otherwise you will get no response from your service at all
In the web.config of the service itself, I changed the endpoint binding for the service so that the name element matched the new endpoint.
I then published the cloud project to Azure (using Visual Studio).
At this point, I'm not seeing the results I expected. The service is still available on http but is not available on https. When I try to browse for it on https (includeExceptionDetailInFaults is set to true) I get:
HTTP error 404 "The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable"
I interpret this as meaning that the https endpoint is available but the service itself is bound to http rather than https despite my changes to web.config.
I have verified that the publish step really is uploading the new configuration by modifying some of the returned content. (Remember this is still available on http.)
I have tried removing the 'obsolete' http endpoint but this just results in a different error:
"Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https]"
I'm sure I must be missing something simple here. Can anyone suggest what it is or tips for further trouble-shooting? There are a number of stack-overflow answers that relate to websites and suggest that IIS settings need to be tweaked but I don't see how this applies to a web-role where I don't have direct control of the server.
Edit Following Gaurav's suggestion I repeated the process using a (self-signed) certificate for our own domain rather than cloudapp.net then tried to access the service via this domain. I still see the same results; i.e. the service is available via http but not https.
Edit2 Information from csdef file... is the double reference to "Endpoint1" suspicious?
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="HttpsEndpoint" />
<Binding name="Endpoint1" endpointName="HttpEndpoint" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="HttpsEndpoint" protocol="https" port="443" certificate="backend" />
<InputEndpoint name="HttpEndpoint" protocol="http" port="80" />
</Endpoints>
<Certificates>
<Certificate name="backend" storeLocation="LocalMachine" storeName="My" />
</Certificates>
We currently have an application which is used against multiple regional databases. The codebase is exactly the same but it is rolled out on the webserver in 3 different directories each with its own web.config (to hit the correct database and get correct app settings). Each with its own IIS environment.
However, my manager wants this changed i.e. One IIS application which will dynamically load up the correct web.config file for each region.
I will attempt to load the correct web.config file based on a query parameter when logging in but I have no idea on how to load the web.config file when logging in.
Anyone with experience doing this .... is there a better solution?
Based on your comment here's a different approach. You have a little work to do.
Routing all the domains to the same web site
I'm assuming you have one domain name per region (e.g. Region1.WebSite.com, Region2.WebSite.com, etc.) Combining these into one physical web site is a little tricky because of SSL certificate required. Has to match.
Two options:
Drive all three domains to the same web server via three different internal IP addresses. This means three sets of bindings in IIS and three different certs.
Use SSL offloading and terminate SSL at the load balancer. Direct all three sites to the same internal IP address on IIS. Make sure you have configured the LB to forward the original host header.
Detect where the request came from
In ASP.NET code, you can use the host header to see what domain the request was submitted over, e.g.
var siteRequested = Request.Headers["Host"];
Use the host header to pick a connection string
You will need several entries in web.config, one for each connection string. Format the name of the connection string to include the host name, so that you can obtain the right string by using something like this:
var configItemName = "ConnectionString." + Request.Headers["Host"];
var connectionString = System.Configuration.ConfigurationManager.ConnectionStrings[configItemName].ConnectionString;
Your web.config connection strings should look something like this:
<connectionStrings>
<add name="ConnectionString.Region1.WebSite.com" connectionString="Data Source=serverNameForRegion1;Et Cetera" />
<add name="ConnectionString.Region2.WebSite.com" connectionString="Data Source=serverNameForRegion2;Et Cetera" />
<add name="ConnectionString.Region3.WebSite.com" connectionString="Data Source=serverNameForRegion3;Et Cetera" />
</connectionStrings>
Store any remaining region-specific configuration in the database
Each database will have its own copy of configs, so you just need to retrieve them using the correct connection string and you'll get the right configs.
You can keep a common web.config, but then move a portion of it to a separate file, using ConfigSource. See this question for details.
Once you have some configs in a separate file, you can choose a different file at runtime:
In ASP.NET applications, at run time you can assign to the ConfigSource property the name of an alternative configuration file.
Link
I would like to hand over a webapplication to some people but these people should not allowed to has access to the database with some tools. Using the webapplicaton and in the background the database is ok.
Wildfly has a config with these code:
<xa-datasource jndi-name="java:jboss/datasources/ExampleXADS" pool-name="ExampleXADS">
<driver>h2</driver>
<xa-datasource-property name="URL">jdbc:h2:mem:test</xa-datasource-property>
<xa-pool>
<min-pool-size>10</min-pool-size>
<max-pool-size>20</max-pool-size>
<prefill>true</prefill>
</xa-pool>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</xa-datasource>
As you can see, there is also the username and password available. How is it possible to exclude / encrypt these, so only the administrator know the password for the database.
The same also for the whole application server - there are also users and password.
How can I do this?
EDIT:
The "customer" will get the whole application inclusive the webserver configuration. (Wilfly and .war - file)
It´s only for saving the software key in the database.
The first time if the "customer" start the web application, he will be prompted so enter the licence key.
After entering the license key a Webservice will be called. The return code is "false" or "true" (is key valid or is key not valid)
My first idea was to store the flag in the database. But if a user has access to the database, he can manipulate this flag on his own.
Is there any other possibility to set a flag for "the software key is valid" instead saving the flag in the database.
Any ideas?
You can use security domain to get over this, there could be some specific changes for Wildfly but for JBoss 7.1.1 here is what you need to do.
Find the location of jboss-logging-3.1.0.GA.jar in your JBoss/Widlfy server. In case of JBoss 7.1.1 it should be something like - modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar
Find the location of picketbox-4.0.7.Final.jar
Check if the picketbox jar has org.picketbox.datasource.security.SecureIdentityLoginModule class.
Run the following command from JBoss server root folder to encrypt your datasource connection password
java -cp modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar;modules\org\picketbox\main\picketbox-4.0.7.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Get the output text and in the standalone.xml add following security domain under elements:
<security-domain name="encrypted-ds-WASM2" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="WASM2"/>
<module-option name="password" value="89471a19022f8af"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
</login-module>
</authentication>
</security-domain>
Use this security domain in the datasource element as follows:
<datasource jta="false" jndi-name="java:jboss/jdbc/JNDIDS" pool-name="OFS1" enabled="true" use-ccm="false">
<connection-url>jdbc:oracle:thin:#x.x.x.x:1521:xxxx</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<driver>oracle</driver>
<security>
<security-domain>encrypted-ds-WASM2</security-domain>
</security>
<validation>
<validate-on-match>false</validate-on-match>
<background-validation>false</background-validation>
<background-validation-millis>1</background-validation-millis>
</validation>
<statement>
<prepared-statement-cache-size>0</prepared-statement-cache-size>
<share-prepared-statements>false</share-prepared-statements>
</statement>
</datasource>
Reference Link: http://middlewaremagic.com/jboss/?p=1026
It is not possible. If the web application has to be able to decrypt the password to use the database, anyone on the server can do the same.
If you want to restrict access, keep the server under your control and let them access it only through a web front end.
(And even if it was possible to usefully encrypt, if they have server access they can trivially copy the database files onto their workstations, or add new user accounts to the database server).