I've a wcf service with basicHttpBinding, message security mode and certificate client credential type. I can consume this service via wcf client, but this service has to be used also in another system with a java client. I'm testing with soapui, but I obtain empty response or a security message error. I've tried variuos soapui configuration to load client certificate, but none of these worked. I exposed the service via http (non https) and this is the server wcf configuration:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicEndPoint" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8"
transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647"/>
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="customBehavior">
<clientCredentials>
<clientCertificate findValue="ClientSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
<serviceCertificate>
<defaultCertificate findValue="ServerSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
<authentication certificateValidationMode="PeerOrChainTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="http://localhost:8080/WebServices/ExternalServices.svc"
behaviorConfiguration="customBehavior" binding="basicHttpBinding"
bindingConfiguration="basicEndPoint" contract="ServiceReference1.IExternalServices"
name="BasicHttpBinding_IExternalServices" >
<identity>
<certificateReference findValue="ServerSide" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<dns value="ServerSide"/>
</identity>
</endpoint>
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange"/>
</client>
</system.serviceModel>
What's wrong in this settings?
Thanks in advance
I'm not an WCF expert (even not a user :P) but based on configuration:
<endpointBehaviors>
<behavior name="customBehavior">
<clientCredentials>
<clientCertificate findValue="ClientSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
<serviceCertificate>
<defaultCertificate findValue="ServerSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
<authentication certificateValidationMode="PeerOrChainTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
Seems that in order to hit your server endpoint you must present certificate client credentials.
So to invoke your service from SOAPUI you could do two things, first expose your service using https in order to be available for a client to present the certificate credentials. And second configure SOAPUI as follow to send the client certificate to the endpoint:
From the menu select File > Preferences, and then the SSL settings. In this panel select a keystore which contains the client key and certificate valid for the service and put the keystore password, optionally mark the required client authentication:
NOTE: Based on your configuration:
<clientCertificate findValue="ClientSide"
x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
A valid client certificate must be an end entity certificate issued by on the certificate authorities located in the Windows local keystore of your server.
I had hard time setting up SOAPUI for WCF testing with Client Certificate Authentication. Finally I got it work.
Faced different issues like: SNI support issues, unsigned 'To' Header Getting WCF to accept unsigned 'To' Header and other.
I would recommend to switch on WCF tracing and you can get detailed error information on the server: https://msdn.microsoft.com/en-us/library/ms732023(v=vs.110).aspx so it can be easily troubleshooted.
Related
From last few Days we are facing some problem because of Firefox 93(latest version) protects against Insecure Downloads and due to this
Mozilla Firefox block insecure HTTP downloads on a secure HTTPS page,
so we can not download our report which was based on HTTP(without SSL) from our Production Site which is based on SSL Certified HTTPS
Here is I have shown how our report is generated from our Production site
whereas the user sending the request to fetch or downloading the report that time one request goes to the report Server via Java Code and then the report server gives a response for report downloading or fetching a reports
sample response URL Report Server: http//report.abc.com/mycertificate.doc
so whenever we request a downloading a report at that time we get security-related warning from the Mozilla browser while downloading the report
We try some tackle points as follows:
we were trying to make the report server SSL enable but did not work for us because our report server is based on windows server 2003 so all supports from this windows server its almost not good enough for making SSL enable.
2)Reverse Proxy: we also used the concept of reverse proxy in our project which was deployed on JBoss (Wildfly version 9) for that we did configure some code in the standalone.xml file which follows:
Here is the some configuration changes which was we made but no luck for this:
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<location name="/myservices/services" handler="myproxy"/>
</host>
</server>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
<reverse-proxy name="myproxy">
<host name="http://www.example.com" instance-id="myRoute" outbound-socket-binding="https-remote"/>
</reverse-proxy>
</handlers>
</subsystem>
<outbound-socket-binding name="https-remote">
<remote-destination host="http://www.example.com" port="${jboss.https.port:8443}"/>
</outbound-socket-binding>
above code snippet I have made changes to the JBoss standalone configuration file but did not get help out from this configuration setting so, What I am looking for is a reverse proxy in Wildfly 9 to handle insecure HTTP downloads on a secure HTTPS page
Any help would be appreciated.
Thanks
The ActiveMQ SSL documentation states:
ActiveMQ includes key and trust stores that reference a dummy self signed cert
As per configuring SSL on ActiveMQ it is mentioned to provide the file url of broker keystore file.
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<property name="port" value="8162" />
<property name="keystore" value="file:${activemq.conf}/broker.ks" />
<property name="password" value="password" />
</bean>
I have purchased an SSL certificate. How can i use that with ActiveMQ? The files I have are a .cer file and a .key file.
Should I first convert the .cer files to .jks file format and then configure it in ActiveMQ Jetty?
Is that how it is supposed to be done? Maybe I am missing something completely due to lack of knowledge in this area.
I cannot use the method explained by ActiveMQ because it requires both client and broker handshake and in this case the client is the 3rd party app and we have no control there.
The certificate definitely must be in JKS format as that is the format which Java uses (and ActiveMQ is written in Java). Once the certificate is converted just reference it in the ActiveMQ configuration as described in the documentation. It should be really straight-forward.
If your certificate is signed by a trusted authority then the client will trust it implicitly and won't need to import it into a truststore of some kind. Using a truststore is necessary for "self-signed" certificates (which are used in the ActiveMQ documentation) since they are not signed by a trusted authority.
I am consuming a SOAP service using Apache camel Spring-ws component. Things are working fine till the time service was hosted with HTTP protocol.
To work with HTTPS, i tried setting keystore and truststore jks as below
System.setProperty("javax.net.ssl.keyStore",keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
System.setProperty("javax.net.ssl.trustStore",trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
it fails with the error unable to find the certificate.
Whereas the same properties and jks are working fine when i consume a RESTFull service using Http component.
I could see that the only option currently available is
<camel:sslContextParameters id="sslContextParameters">
<camel:keyManagers keyPassword="password">
<camel:keyStore type="JKS" resource="C:\keystore.jks"
password="changeit" />
</camel:keyManagers>
<camel:trustManagers>
<camel:keyStore type="JKS" resource="C:\keystore.jks"
password="password" />
</camel:trustManagers>
Is there way i can configure it pragmatically, i followed the link below
http://camel.apache.org/http4.html#HTTP4-UsingtheJSSEConfigurationUtility
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource("/users/home/server/keystore.jks");
ksp.setPassword("keystorePassword");
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyStore(ksp);
kmp.setKeyPassword("keyPassword");
SSLContextParameters scp = new SSLContextParameters();
scp.setKeyManagers(kmp);
HttpComponent httpComponent = getContext().getComponent("https4", HttpComponent.class);
httpComponent.setSslContextParameters(scp);
Supported components are
HTTP4
Jetty
AHC
Netty
Cometd
FTP2
IRC
Mail
MINA 2
But how do i set it for camel-spring-ws component ? Is it currently a limitation with Camel?
if I create a trust-store and keystore for https inbound endpoints, my other https outbound endpoints start throwing exceptions.
An example is, if I create a HTTPS inbound enpoint connector like below,
<https:connector name="MuleHTTPS" cookieSpec="netscape"
validateConnections="true" sendBufferSize="0" receiveBufferSize="0"
receiveBacklog="0" clientSoTimeout="${APP.TIMEOUT}" serverSoTimeout="${APP.TIMEOUT}"
socketSoLinger="0" doc:name="MuleHTTPS">
<https:tls-key-store path="${HONDA.HTTPS.KEYSTORE}"
keyPassword="${HTTPS.KEYSTORE.PASSWORD}" storePassword="${HTTPS.KEYSTORE.PASSWORD}" />
<https:tls-server path="${HONDA.HTTPS.KEYSTORE}" explicitOnly="true" storePassword="${HTTPS.KEYSTORE.PASSWORD}"/>
</https:connector>
The sqs inbound starts throwing peer not authenticated error. The config is
<sqs:config name="ReceiverAmazonSQS" accessKey="${AMAZON.ACCESS.KEY}"
secretKey="${AMAZON.SECRET.KEY}" queueName="${AMAZON.QUEUE.NAME}"
doc:name="SenderAmazonSQS" queueUrl="${AMAZON.QUEUE.URL}">
</sqs:config>
<sqs:receive-messages config-ref="ReceiverAmazonSQS"
doc:name="Receive Messages"/>
What am I missing?
If there is only one HTTPS connector defined in a mule application, by default all the https endpoints, which do not have any connector defined, use the same connector. (Unless you define one more HTTPS connector and specify it in endpoint). This is the case with any transport in mule.
I am trying to build a SSL secured Web Service client using CXF Spring configuration and I wonder how is it possible to tell to CXF to use this client certificate in my keystore.
This should exists because if my keystore holds plenty of certificate how does CXF is supposed to do to find the good one?
Here is my configuration:
<http-conf:conduit name="{urn:ihe:iti:xds-b:2007}DocumentRepositoryPortType.http-conduit">
<http-conf:client AutoRedirect="true" Connection="Keep-Alive"/>
<http-conf:tlsClientParameters secureSocketProtocol="SSL">
<sec:keyManagers keyPassword="storepass">
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/keystore.jks" />
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/truststore.jks" />
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http-conf:tlsClientParameters>
</http-conf:conduit>
In the
<sec:keyManagers keyPassword="
<sec:keyStore type="JKS" password="storepass" file="src/main/resources/keystore.jks" />
</sec:keyManagers>
section, is there a way to write something like
alias="mycertificate"
?
I searched on several Web sites but no result for the moment.
Actually my problem is that when my CXF client communicates with a SSL secured server there is a Certificate Request coming from the server in order to identify myself with a certificate. The server tells me which are the cert authorities it is waiting for, in my keystore I do have a certificate which has been certified by one of these authorities but there is no certificate transmission from my client...
Here is how it looks in the SSL logs:
CertificateRequest:
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=****, DC=****, DC=****>
Others authorities...
Empty client certificate chain:
*** Certificate chain
***
Do you guys have any idea?
Thanks in advance!
It's likely the "name" attribute on the http-conduit is wrong. It should be the Endpoint name (from within the Service element), not the PortType name.
However, I would recommend using a URL for the name.
<http-conf:conduit name="http://localhost:8080/.*" .....>
...
</http-conf>
Note the wildcard (.*) at the end to match all URL's.