I am currently working on a project that has the following components (all .NET 2.0)
Client Application
Web Service Invocation API
Web Service
In summary the Client Application creates and instance of the API and this calls the Web Service. Nice and simple and this all works exactly as I want it to.
The next stage of the project was to secure the Web Service with SSL. So I have created a "Self Signed CA" and from this signed a server certificate for IIS. Again, nice and simple and this all works exactly as I want it to.
The next stage of the project is to secure the Web Service by requiring the invoker to supply a client certificate. So I have created a client certificate (via the Self Signed CA). I am then adding this to the Web Service invocation call in the API:
WSBridge.Processor processor = new WSBridge.Processor();
processor.Url = this.endpoint;
processor.ClientCertificates.AddRange(this.clientCertificates);
processor.Timeout = (int)Settings.Default["DefaultTimeout"];
In debug I can see that this.clientCertificates contains the certificate I created. So in theory it is being presented to the web server.
However, when I attempt to call the Web Service I get the following exception in the API:
The request failed with HTTP status 403: Forbidden.
Fairly self explantory, but I have no idea what is causing the problem.
Other relevant information:
In my dev environment Client, API & Web Service are all running on the same machine
If I attempt to access the Web Service Description in IIS I get the following error (I am not prompted to choose a client certificate):
HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
The client certificate is loaded into the Personal store for the current user, the CA root is in trusted root for the local machine and current user.
If I switch off "Require SSL" and put "Client Certificates" on accept in IIS I can make my request. However when I look at HttpContext.Current.Request.ClientCertificate.Count in the Web Service this comes back as 0.
I need to be able to run my development with client certificates as portions of the service code use the CN of the client certificate to perform various actions. I could hack it in but it would be nice to be able to do a real end to end.
All the certificates mention here were generated using OpenSSL. I am developing on Windows 7 so I do not have the facility to install Microsoft CA
So, does anybody have any ideas as to the cause of this problem?
As an aside (not worth creating a new question for this) - for some reason when I enable SSL for the Web Service Visual Studio is no longer able to debug the service.
EDIT : Some more information
The client certificate has an intended purpose of <All>
Although I am working on localhost the server certificate for the web server was issued to devserver.xyz.com so I have changed my hosts file to point that to localhost. As such I can now browse (with client certs switched off in IIS) to my service descriptor page without seeing any SSL certificate warnings.
Well I have solved the problem, in summary this was due to the format of the client certificate this should have been PKCS12.
More Detail
Although the MMC Certificate plugin was showing the client certificate in the personal store for the current userm I noticed that when viewing the same store via Internet Explorer (Tools -> Internet Options -> Content -> Certificates) the certificate was not present.
After a little Googling it seems that IE will only accepts PKCS12 format for client certificates, so I convert the certificate with the following OpenSSL command:
openssl pkcs12 -export -in client_alpha.cer -inkey client_alpha.key -out client_alpha.p12
I then imported the p12 file into IE which allowed me to browse to the Web Service description page with full client/server certificated TLS.
Once I had made this change, I then retried by client application and this now works aswell. This is due to the fact that IIS, like IE, will only accept client certificates in PKCS12 format.
Related
Please suggest on the issue which we are facing while accessing SSRS Secured web services and web portal URL Error Message
"Your connection is not private Attackers might be trying to steal
your information from <> (for example, passwords, messages, or credit
cards). Learn more NET::ERR_CERT_REVOKED"
We have got the SSL certificate reinstalled and restarted the SSRS services , but still no luck .
Could anyone please guide us in this regard Server configuration details are as follows -
-Microsoft SQL Server Version 17
-SSRS product version of 14.0.600.490
-WINDOWS SERVER 2016 DATACENTER
The SSL certificate is configured on Windows server .Also the SSL is configured in Web services and Web portal SSL configuration in SSRS is with (ALL IPV4) and (ALL IPV6),SSL certificate and validity till 2019
There was a patch update last week and post that we are unable to access secured urls
https://<>/reports/
https://<>/reportserver/
but we can access non secured urls
http://<>/reports/
http://<>/reportserver/
If the site is publicly accessible, please check the certificate served by your web server via SSL Checker.
Compare the certificate serial number and expiration date with the data of the certificate you installed in your web server or hosting control panel. In many cases, I saw that the server uses an old or invalid certificate.
(Source)
If you are sure that the correct certificate is served, clear the CRL and OCSP cache:
certutil -urlcache CRL delete
certutil -urlcache OCSP delete
You can also try disabling certificate revocation in browsers. It fixes ERR_CERT_REVOKED on the client side.
I have been working with web services connecting to URLs provided by different clients and so far it has all been done using one-way authentication. Now I'm asked to enable 2-way (mutual) authentication for one of the clients. I did a lot of research and reading but still confused about a lot of things.
I could test successfully on my local machine following instructions from various different articles. But the problem is now to deploy it in production.
Here's what I did for testing: I created a test Web service Host and assigned it a self-signed certificate and created a client to test this. After this I created a client certificate using makecert and verified that this is installed via MMC. I then modified my Host app to only allow clients with certificate and tested from client to see the connection refused due to not providing the client certificate. Then I modified the bindings in the client application to include the certificate name and I was able to connect to the Host successfully. So this completes local hosting.
Now the real problem. The tech team is going to create a certificate in "cert store" on the server. And I need to test again to make sure everything works as expected. We have a few different developers who all want to test on their machines on their local code. Can we all use the same certificate somehow? I don't think we would be allowed to import the certificate but what suggestions could I give them so all of us can use the same certificate?
I'm also confused about issues like difference between windows certificate and IIS certificate. What advantages would the IIS certificate provide?
Thanks for help!
Edit: Could one of the differences between installing on IIS be so that the hosted sites be accessed via SSL connection? This would mean we don't really need to install on IIS if it's just a client certificate. Is this correct?
Having some trouble with Domino server as client to a Web Service
Hope someone can answer a pretty easy question, but the easy question dont have a answer some I can find.
There is lots of Root Certificates in NAB
and there is also some common Root Certificates in every *.kyr file you create in certsrv.nsf for your seerver certificates.
I get an error from SSL_DEBUG that says
[108C:005C-0D8C] 2015-12-15 19:07:19,34 SSLCheckCertChain> Invalid certificate chain received
[108C:005C-0D8C] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
It is pretty obvious what is the problem, I need to include a missing Certificate.
But I like to know if Domino is using the *.kyr file or if it is using the Certificates in the NAB when establishing the connection to the remote server.
Anyone know how Domino acts here ?
/Stefan
You have to find out the TLS certificate chain and add all public TLS certificates as trusted internet certificates to you domino directory.
Find out Certificate Chain
Use on of this Tools:
For internal and external server SSLyze
sslyze.exe <servername>:443 --certinfo=basic
Take a look at Certificate Chain Received:
For external server SSL Labs
Go to the section "Certification Paths"
Download public certificates from CA-Webpage or get from your internal CA responsible person.
Step-by-Step Domino Configuration
Import Certificates
Importing an Internet certifier into the Domino Directory
Cross Certificate Certificates
Server: Choose your Admin Server or server where the Domino CA (not SSL CA) is hosted.
Certifier: Choose your certifier ID or your Domino CA
Creating an Internet cross-certificate in the Domino Directory from a certifier document
Java/LotusScript Side
The Java or LotusScript Consumer has to be told to accept CA security (stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);)
Examples based on Creating your first Web Service provider and consumer in LotusScript and Java.
Java
HwProvider stub = new HwProviderServiceLocator().getDomino();
stub.setSSLOptions(PortTypeBase.NOTES_SSL_ACCEPT_SITE_CERTS);
String answer = "" + stub.HELLO("world");
System.out.println("The answer is : " + answer);
LotusScript
Dim stub As New HwProvider()
stub.setSSLOptions(NOTES_SSL_ACCEPT_SITE_CERTS)
MessageBox stub.Hello("world")
Further Information
Question "Create cross certificate for Domino Java agent?" is similar but not a duplicate. It shows further aspects.
Thanks for your input, but that did not solve the problem.
I got solved trough
- downloading KYRtool
- install in /Domino folder
- include the Root certificate(SHA2) from Web Service domain into existing .kyr file
- restart http task
So conclusion is that it is the the .kyr file that is handling all stuff in outgoing connections
I'm having a Windows Store App (Metro App) which I want to connect a web service I built through HTTPS. And I am using a self-signed certificate for my web service. But when I tried to connect it from my App through System.Net.HttpClient.PostAsync I got an exception said
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
Inner exception said
"The remote certificate is invalid according to the validation procedure."
I know this is because I'm using a self-signed certificate. I remembered in .NET I can use System.Net.ServicePointManager.ServerCertificateValidationCallback so that my application can pass the validation if the thumbprint is mine.
But I cannot find the relevant class/method in Windows Store runtime. How can I do that?
First, you should ideally be using Windows.Web.HttpClient. On that API, you can use httpClient.HttpBaseProtocolFilter.IgnorableServerCertificateErrors to set the cert errors that you're willing to accept. You can choose to ignore the Untrusted error, for example, but you should then manually check the thumbprint before actually sending any data.
I am using some of the local machine's resources using COM interop functionality provided in Silverlight 4.0. Hence, naturally I need OOB with elevated permissions. However, in my case I am consuming the WCF services hosted on HTTPS channel. Here is where I am facing the problem. The OOB with elevated permissions applied, doesn't allow me consuming the HTTPS service hosted on either different or the same domain, giving me a NotFound exception. Please note that I have used the self-signed certificate for the development environment. The same is also installed in the Trusted Root folder of the client machine on which I am testing.
Interestingly, when I set the Fiddler options (in Fiddler session, Toos -> Fiddler Options -> HTTPS tab) to intercept the HTTPS traffic, with Decrypt HTTPS traffic checkbox set, I am able to use the same HTTPS service without any exception. But for that, I was told by Fiddler to store a temporary certificate inside my user profile's Fiddler directory, and I must have at least one Fiddler session at that time. Hence, it seems to be a certification issue. But does it relate in anyway to signing of the XAP file with the required certificate ? I am not sure. I tried with a self-signed certificate and bind my layer service URL to use that certificate. Then I install the same certificate to Trusted root folder of the client. But i was not successful in signing the XAP with that certificate.
Please let me know if you have any work-around.
If the code is running in a different user's context, you need to put your "Self-signed" certificate into the Machine Trusted Root store. Start mmc.exe. On the File menu, choose to Add a Snap-in. Add the Certificates snap-in. Pick Local Machine. Import the Self-signed root into the Trusted Root store.
I had the same problem and found out, that the SSL settings in IIS were wrong.
I configured IIS 7.5 to SSL only and to accept client certificates. With this settings, I ended up with the service not found error in OOB. After setting IIS to ignoring client certificates the OOB Application works fine.