An exception is received [ while trying to load the certificate: Server certificate is invalid ] - tibco

Good Morning,
So I have this error that you can see in the title when the development department tries to send a sendRequestBillingDocNotification.
We have 3 environments: QLT, PRD and TST. PRD and TST are working fine with the same certificate.
Steps that I have already taken to troubleshoot this error:
Copied exactly the same certificates that are in the PRD and TST environments to QLT.
Checked that BW_GLOBAL_TRUSTED_CA_STORE has the value: [Path of the certificates]
Is there something I'm not seeing or doing wrong?
Thanks for the help in advance!

Please follow these steps from the TIBCO documentation:
Create a folder in your file system in the location where you wish to store the trusted certificates. You must copy this folder to each machine where your process engines are deployed, or the location can be a shared network area accessible by all process engines.
In your TIBCO BusinessWorks project, create a global variable named BW_GLOBAL_TRUSTED_CA_STORE. See Global Variables for more information about global variables.
Set the value of BW_GLOBAL_TRUSTED_CA_STORE to the location of the trusted certificates folder on your file system. The location can either be the same for all deployed engines (that is, you copied it to the same location on each machine or it is a shared network drive), or you can change the value of the global variable when you deploy the project to the location on the machine where you place the trusted certificates.
The value you set for BW_GLOBAL_TRUSTED_CA_STORE must be a file URL, for example, file:///c:/tibco/certs.
You can leave the Trusted Certificates field empty when specifying the trusted certificate location in an SSL Configuration dialog. When the project runs, the value of BW_GLOBAL_CA_STORE overrides any value specified in the Trusted Certificate field.
https://docs.tibco.com/pub/activematrix_businessworks/5.11.0-november-2012/doc/pdf/tib_bw_process_design_guide.pdf

Create a folder and put all the certificates that will be used by your EAR/application in it (along with the certificate chain).
Create a GV named BW_GLOBAL_TRUSTED_CA_STORE at the root level and provide the path of the certificates as file:///d:/opt/tibco/certs
If you are using a SOAP Request Reply option, go to the Advanced tab and select SSL.


Unable to install VSTO Addin for Outlook 2007 from an FTP server on other machines

While trying to install on other machines I get the following exceptions:
Name: OutlookAddIn1
From: https://www.emailcipher.com/outlook/OutlookAddIn1.vsto
Exception Text
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for OutlookAddIn1 or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was: MyComputer
The URL of the deployment manifest is: https://www.emailcipher.com/outlook/OutlookAddIn1.vsto
How can I enable the deployment of my VSTO Addin?
By looking at your deployment manifest I assume that your certificate with the identity CN=Abc\Dell is not signed with Authenticode and that you use the posted URL to deploy it to the other machines. (But I'm not 100% sure about the latter because you say ftp in the title but https in the posted URL.)
First you have to add your URL on the client machines to the Trusted sites list using the options here. You can check this by opening your .vsto in Internet Explorer and looking at the page properties. Zone should now be Trusted sites and not Internet. If you cannot change the Trusted sites list you can alternatively add your URL to the Local intranet zone as well.
If it still fails with the same error message you have to add your certificate to the Trusted Publishers on the client machine using the commands here. If you don't want to use the command line you can do the same in the GUI using the Certificates snap-in in the MMC or using the method here. If you don't have the permission to add a certificate to the Trusted Publishers because a Group Policy of the client domain is restricting the access then you also have to check the Group Policy settings here.
If your client is using a Windows Server OS you may also have to deactivate the Internet Explorer Enhanced Security Configuration (IEESC) using the settings here. (At least for the duration of the deployment.)
At last you can also check the registry for the settings of the Inclusion Lists using the registry keys here.
I guess that adding your URL to the Trusted sites should be enough to make your VSTO deployment work. If it isn't, adding your certificate to the Trusted Publishers will most likely do the trick.
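The first two client-side steps in the answer (put the deployment URL in the Trusted sites zone, then add the signing certificate to Trusted Publishers), as an added PowerShell example that is not from the answer. It assumes an elevated session on the client, a .cer export of the signing certificate at a placeholder path, the ZoneMap registry layout (one key per registrable domain, an optional subkey per host label, a DWORD named after the scheme where 2 means Trusted sites) and the PKI module's Import-Certificate cmdlet.

```powershell
# Added example, not the answer's own commands. Assumes an elevated PowerShell session on the client.
function Add-TrustedSite {
    param([string]$Domain, [string]$Subdomain = '', [string]$Scheme = 'https')
    # ZoneMap values: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
    # Use HKLM:\...\ZoneMap\Domains instead to apply the entry to every user on the machine.
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if ($Subdomain) { $key = "$key\$Subdomain" }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -Value 2 -PropertyType DWord -Force | Out-Null
    # Read the value back so the caller can confirm the zone assignment took effect (2 = Trusted sites)
    (Get-ItemProperty -Path $key).$Scheme
}

function Add-TrustedPublisher {
    param([string]$CerPath)
    # LocalMachine\TrustedPublisher trusts the publisher for every user on the box; use
    # Cert:\CurrentUser\TrustedPublisher if only the current account should trust it.
    # A .cer file carries the public certificate only, never the signing key.
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher'
    $cert.Thumbprint
}

# Placeholder usage for the host named in the question (the .cer path is a placeholder):
# Add-TrustedSite -Domain 'emailcipher.com' -Subdomain 'www'        # returns 2
# Add-TrustedPublisher -CerPath 'C:\deploy\OutlookAddIn1-signing.cer'
```

After running both, re-open the .vsto in Internet Explorer as the answer suggests; the page properties should now report the Trusted sites zone.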

Certificates issue

The background
We have been using certificates to access a third party service from a Windows 2003 box. The certificate recently expired so we went about getting a new one from the third party (Experian). We were provided with two certs to be installed in the "Trusted Root Certification Authorities" and two to be installed in the "Intermediate Certification Authorities" and then the main one that gets installed to the Personal\Certificates.
I know the certs are working when I can access a URL. If I install the certs allowing the certs to decide where to install themselves (Local Computer or Current User) they install to the current user store. I can then access the URL ... all is well.
The Issue
However I need the certificates to work on a computer level rather than a user level. So I move the certs to the relative Local Computer store locations however this does not work. I now cannot access the URL as any user. I tried deleting them all out and importing them directly into the required local computer cert location... still no joy. I tried installing them as the local admin .... still no joy. Tried granting access to the certs via winhttpcertcfg to everyone/specific users etc, still no joy.
Is it possible that the cert is designed to work for only one user? Is there something I am missing to make this work? Any suggestions would be greatly appreciated.
As admin you should:
run mmc
add snapin for certificates (for local computer)
add root CAs to "Trusted Root Certification Authorities"
add intermediate CAs to "Intermediate Certification Authorities"
add end entity certificate with private key (it should be a .p12 or .pfx file) to Personal\Certificates
grant rights to user that can access the private key using winhttpcertcfg utility
and it should work (at least it did for me every time).
If you don't have the private key corresponding to the end entity certificate (because you deleted them all) then you need to get a new one from the third party (Experian).

How to add a certificate to the default Firefox profile on RHEL 6?

I want to add a certificate to the CAs that Firefox trusts, before any user profile exists, on RHEL 6 (or CentOS, or Scientific Linux... would expect it to be the same).
I know how to add a certificate to an existing user profile. I don't need to do that at all. I want to do this during a kickstart (unattended, don't want to start X), so I can't really start up Firefox for the user, create a profile, and add it the normal way. I need the certificate to be there the first time a user on the system opens Firefox.
I know that there is no system store of CAs that Firefox reads in addition to the user profile (though it evidently has an internal store somewhere as it trusts way more than what's in the user profile). That's OK, I just want the user profile to be created with the certificate already added.
I have seen some indication that this is possible, or was possible. E.g. https://support.mozilla.org/en-US/questions/967376 indicates where to put the cert8.db under Windows; https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox/369858#369858 indicates that /etc/firefox-3.0/profile worked on Ubuntu (there is no such location under RHEL).
I can't determine where to do this under RHEL 6. I've tried adding a certificate database using certutil under the following directories, which were owned by the firefox RPM and seemed promising:
/usr/lib64/firefox/browser
/usr/lib64/firefox/browser/defaults
/usr/lib64/firefox/defaults
... but still, when a user profile is created, certutil indicates the same contents:
certutil -L -d .mozilla/firefox/*.default/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
VeriSign Class 3 Secure Server CA - G3 ,,
DigiCert High Assurance EV CA-1 ,,
Google Internet Authority G2 ,,
I can't even tell where those certificates are coming from; it might be helpful to do even that much.
I do not think that you can do what you are trying to do without altering a user's defaults. The reason why I say this is because of how Mozilla bundles their default set of root CAs. See How Mozilla Products Respond to User Changes of Root Certificates:
the Mozilla Foundation and its wholly-owned subsidiary the Mozilla Corporation include with such software a default set of X.509v3 certificates for various Certification Authorities (CAs).
However with that said you could use Skeleton Files to define a set of defaults for all of your users, and follow the same process that Mozilla outlines, by simply providing your defaults as a thing each user already has when their profile is created.

PrivateKey trust permissions for local machine "Trusted roots" certificates

I have a certificate that has to be imported into Certificates/Trusted Root Certification Authorities and has a corresponding private key.
To actually access the key from code you need to set private key permissions to grant full access to a particular IIS application pool. I totally understand that, but the problem is that this can only be set on personal certificates and not trusted root ones.
I've tried adding the same certificate to Personal store and the following code doesn't break:
using System.Security.Cryptography.X509Certificates;

// Open the LocalMachine Trusted Root store read-only and look for a certificate that has a private key
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 cert in store.Certificates)
{
    if (cert.HasPrivateKey)
    {
        // access private key here
    }
}
store.Close();
Setting permissions on certificate in personal store works if I change StoreName.Root to StoreName.My. I'm able to access it there. But I'm not able to access it in root. It just says:
Keyset does not exist
Any suggestions?
Additional information
If I set my application pool's identity to Local System (which has total permissions over my machine) I can successfully access the private key. So the main question is how do I set permissions on my application pool identity to have access to private keys for certificates in the Trusted Root store.
Why trusted root store and not personal?
I have a pre-built assembly that accesses this certificate in this particular store, so simply placing the certificate in Personal store won't do the trick for me. That's why setting trust permissions on private keys of trusted root certificates is imperative.
I haven't tried this with the Trusted Root Certification Authorities but what I have found is the simplest thing to do with other Certificate Stores is to drag and drop the certificate into the Personal Store and then set permissions and then drag and drop back to the original certificate store. In your case the Trusted Root Certification Authorities.
Steps using Certificates MMC:
Import certificate to the store you want it and mark keys as exportable. (You might be able to bypass this and import directly to the Personal Store, but I haven't tried.)
Drag and drop the imported cert to the Personal Store.
Right click the certificate in the Personal Store and in the context menu, click "All Tasks", then in the submenu click on "Manage Private Keys". Set the appropriate permissions according to your app pool as referenced in step 1.
After permissions have been set, drag and drop the certificate back to the original store (in your case the Trusted Root Certification Authorities).
Solution
It is possible to set trust permissions on certificates other than those in the Personal certificate store, but you can't set permissions via MMC. At least not directly on the store, that is. The accepted answer shows a simplified approach of moving certificates around to achieve the same result.
You have to do it this way...
Getting the tool
Get the WF_WCF_Samples file from Microsoft. This is a self-extracting archive, but you won't need to extract everything. So...
Open the file with any archiver tool and extract only the FindPrivateKey solution/project.
Open in Visual Studio and compile it.
Finding your private key
Open MMC and add Certificates snap-in. Make sure you select Computer and Local Machine when adding it.
Select the store that has your certificate with private key.
Open private key and copy its Thumbprint
Open command prompt and navigate to the folder where you compiled your FindPrivateKey tool
Enter this command
FindPrivateKey YourStoreName LocalMachine -t "ThumbprintWithSpaces" -a
i.e.
FindPrivateKey Root LocalMachine -t "83 45 22 ..." -a
Copy the file name along with its path (it will likely span two lines, so copy to Notepad and concatenate)
Grant certificate trust
Open a command prompt and enter:
icacls "FullPathOfYourPrivateKey" /grant:r "UserFQDN":f
i.e.
icacls "c:\ProgramData..." /grant:r "IIS AppPool\ASP.NET v4.0":f
Done.
This grants full trust on the certificate's private key to your user (in my case above it's the application pool identity) so you can use the key to sign data or do whatever you need to do with it.
In case you don't want full permissions, you can easily change the last part after the colon. It can have many different settings, so I urge you to check the icacls command help.
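The FindPrivateKey and icacls steps above, as an added PowerShell example that is not part of the original answer: it resolves the key container file for a certificate in LocalMachine\<store> by thumbprint (CAPI keys live under Crypto\RSA\MachineKeys, CNG keys under Crypto\Keys) and then grants the app-pool identity read access, which the later answer notes is enough to sign with the key. Assumes an elevated Windows PowerShell 5.1 session; the thumbprint and identity in the usage line are placeholders.

```powershell
# Added example, not the original poster's code. Assumes elevated Windows PowerShell 5.1.
function Get-PrivateKeyPath {
    param([string]$StoreName, [string]$Thumbprint)
    # Thumbprints copied from MMC contain spaces; the cert store holds them without
    $t = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object { $_.Thumbprint -eq $t }
    if (-not $cert) { throw "No certificate with thumbprint $t in LocalMachine\$StoreName" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $t has no private key in this store" }
    # GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys and RSACng for CNG keys;
    # the two providers keep machine key files in different folders under ProgramData.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Certificate $t does not have an RSA private key" }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $file = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } else {
        $file = $rsa.Key.UniqueName
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    }
    $path = Join-Path $dir $file
    if (-not (Test-Path $path)) { throw "Key container file $file not found under $dir" }
    return $path
}

function Grant-PrivateKeyAccess {
    param([string]$StoreName, [string]$Thumbprint, [string]$Identity, [string]$Rights = 'R')
    $path = Get-PrivateKeyPath -StoreName $StoreName -Thumbprint $Thumbprint
    # /grant:r replaces any existing ACE for this identity; R (read) is enough to use the key,
    # so prefer it over F (full) unless the application really needs to delete or re-export it.
    & icacls.exe $path /grant:r "${Identity}:($Rights)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    # Return the resulting ACE so the grant can be checked and recorded
    (Get-Acl -Path $path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Placeholder usage, same shape as the FindPrivateKey / icacls pair in the answer:
# Grant-PrivateKeyAccess -StoreName Root -Thumbprint '83 45 22 ...' -Identity 'IIS AppPool\ASP.NET v4.0'
```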
If you are using Windows Server 2003, you'll notice that you don't get the Manage Private Keys task under your certificate.
If you install Microsoft WSE 2.0 on your machine, you can use a tool called X509 Certificate Tool. Just search for your cert; it's more than likely in (or should be in) Local Machine / Personal Store.
NOTE: if you have your cert in Current User / Personal Store (which often is the default), it will only be accessible to the user that is currently logged in, which means that if you want your webserver to access it, it can't without changing permissions for your AppPool.
You should be able to change the permissions on the private key very easily. By default, your AppPool on your webserver will be using NETWORK SERVICE to run your web application, so just add NETWORK SERVICE to the security and by default it will set the Read and Read / Execute permissions, which is sufficient for your BouncyCastle, etc., to read the private key so you can sign your document.
Hope this helps.

ClickOnce Not Obeying Installation Folder for Localhost

I'm testing a ClickOnce application deployment. I have setup a virtual directory on my machine (running IIS). I have specified http://localhost/SampleApplication as the Installation Folder URL in the Publish tab of Visual Studio. However, when I publish the application I get the following error:
Warning: Files could not be downloaded
from http://chrish/SampleApplication/.
The remote server returned an error:
(407) Proxy Authentication Required.
Publish success.
Warning: Unable to
view published application at
http://chrish/SampleApplication/publish.htm.
http://chrish/SampleApplication/publish.htm
Notice how it has changed my url from Localhost to my login name. Why? This wasn't happening a week ago.
ClickOnce installation involves verifying that the server name matches the expected name. Thus localhost always gets translated under the covers to the computer name [not the username as you suggest in your question] (one of many confusing things ClickOnce does - one side effect of this is that if you want to set up 3 download servers, you need to do 3 separate publishes and/or script the publish like this) or like this. So this is not a surprise - it's always doing that under the covers.
The 407 error relates to proxy auth. This implies downloading is being diverted via a proxy such as Microsoft ISA Server. Have a look in your IE Internet Options Connections Proxy Settings and make sure it's bypassing for local addresses [such as chrish].
The reason it's reporting success is that the upload likely uses an alternate mechanism from the verification and isn't being routed via / blocked by the proxy. (The underlying problem is that the .NET framework does not by default pass proxy credentials and you'd need to either apply a config entry for devenv or whatever does the publish, or have the build process call a test step with extra code that does send the proxy credentials: http://blogs.msdn.com/jpsanders/archive/2009/03/24/httpwebrequest-webexcepton-the-remote-server-returned-an-error-407-proxy-authentication-required.aspx . See also How should I set the default proxy to use default credentials?)
ClickOnce doesn't like "localhost", but you can work around that.
If you set the Publishing Folder Location to:
C:\inetpub\wwwroot\SampleApplication\
and the Installation Folder URL to:
http://chrish/SampleApplication/
(where "chrish" is the network name of your computer) then you can publish locally.
