How to change security policy in milo example server? I've tried to connect to milo's opc server with UaExpert, and set the security policy. No matter what security policy I choose, the result is the same error:
ERROR o.e.m.o.s.s.t.u.UascServerAsymmetricHandler - [remote=/127.0.0.1:33762] Exception caught; sent ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=certificate path validation failed}
io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=certificate path validation failed
How can I configure it correctly?
Second question: The example server seems quite complicated. What is the simplest way to create a server and connect to it? Is there a minimal example for that?
Welcome to stackoverflow
I do not know the Milo server and I have not almost used UAExpert but:
The client must trust the server certificate and the server must do the same with the client's certificate and of course both sides must have their certificate, sometimes the client and the server automatically create one if it doesn't exist but sometimes it should be created previously by external ways.
Help about UAExpert http://documentation.unified-automation.com/uaexpert/1.4.3/html/first_steps.html
If you don't want to deal with certificates then choose then endpoint with SecurityPolicy None when connecting:
Otherwise, note the security directory the example server logs on startup. Something like:
INFO o.e.m.examples.server.ExampleServer - security temp dir: /var/folders/1v/2pxlxd_x4bsdxz25_fv7r0940000gn/T/security
Navigate to the security directory and you'll find the UaExpert client certificate in the pki/rejected folder. You can move it to pki/trusted/certs and then connect with security from UaExpert.
Related
I am creating a Linked Service to connect to BigQuery with Service Account authentication and p12 file has already been placed in IR VM directory.
Receiving following error:
ERROR [HY000] [Microsoft][DriverSupport] (1160) Cannot enable SSL for the connection when connecting to a server that has not enabled SSL. If the server has SSL enabled, please check if it has been configured to use a SSL protocol version that is lower than what is allowed for the connection. The minimum SSL protocol version allowed for the connection is: TLS 1.2.
But when i place p12 file in another IR VM, linked service is working correctly.
Tried to check TLS version in both VM's and everything looks same.
Please suggest ways to check SSL and TLS version in VM's and how to resolve this issue.
Based on the error message it seems the issue might be w.r.t SSL certificate so 1st step would be to compare the SSL/TLS across both the servers
In case if they are same, would suggest to monitor the traffic across both the server when trying to access GCP Big Query.
You might get the exact cause of failure which can be like :
Firewall blockage
some missing set up like Big query need Google_base set up as a signature
etc.
You could create a PowerShell script that checks the TLS & SSL registry entries mentioned in the following documentation:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
Even if after enabling TLS/SSL settings the same issue arises then please try re-installing IR in the VM
I am trying to access the repository from a standalone java application using JcrUtils.
**repository = JcrUtils.getRepository("http://localhost:4502/crx/server"); this works**
**repository = JcrUtils.getRepository("https://localhost:4502/crx/server"); this doesn't work**
Exception in thread "main" javax.jcr.RepositoryException: Unable to
access a repository with the following settings:
org.apache.jackrabbit.repository.uri: https://localhost:4502/crx/server The following
RepositoryFactory classes were consulted:
org.apache.jackrabbit.commons.JndiRepositoryFactory: declined
org.apache.jackrabbit.core.RepositoryFactoryImpl: declined
org.apache.jackrabbit.jcr2dav.Jcr2davRepositoryFactory: declined
org.apache.jackrabbit.jcr2spi.Jcr2spiRepositoryFactory: declined Perhaps the repository you are trying to access is not available at
the moment. at
org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:223)
at
org.apache.jackrabbit.commons.JcrUtils.getRepository(JcrUtils.java:263)
at com.hero.jcr.util.CqHelper.getSession(CqHelper.java:20) at
com.hero.jcr.commandline.CheckConnection.getDamAssets(CheckConnection.java:36)
at
com.hero.jcr.commandline.CheckConnection.main(CheckConnection.java:29)
Thanks in advance
The problem can have different causes.
HTTPS configured and on which port
It looks like you're trying to access http and https in the same situation on the same port. Http and Https don't run on the same port in parallel.
Please use the SSL Wizard as hinted by ronnyfm to check if SSL is activated and on which port it is used: https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/ssl-by-default.html
For instance the default port for https in AEM is 8443, so try https://localhost:8443 to access it, if you have configured it there.
Untrusted Certificate
Also connecting to https might not work if you use an untrusted certificate, which you need to add to the Java security keystore first. In my case I got the same "Unable to access" message, because the original exception regarding the certificate got silently swallowed in the JCR library I was using.
Wrong certificate
When you added the certificate to the keystore and it still doesn't work, check if the certificate was created for them same host you request. If you created it for bla.host, but try to access it via localhost, it also gives you the same exception, while the original message is silently swallowed.
I am trying to wrap my head around how this should be set up correctly. I have two certificates, a client certificate and a service certificate. I've placed these in the MMC, on the service account for the host instance that handles the send port. So the client certificate is placed in the Personal folder and the service certificate is placed in the Trusted People folder.
I've tried using several "Find" methods to locate these certificates, such as thumbrprint and serial number, but I always get a "Certificate not found" exception back.
My current settings on the adapter.
Client certificate:
Service certificate:
My settings for Authentication:
SSL Certificate Authentication settings:
What is the correct way to add the certificates to the different stores, so that they can be located by Biztalk? I've found the MSDN documentation on the topic, but it doesn't really provide any answers: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/wcf/clientcertificate-of-clientcredentials-element
You have to be logged in as the BizTalk Service Account to manage Certificates. Run As doesn't typically work.
Other than that, the instructions should be correct.
I need to setup a cron job to run a SOAP client. The customer insists that I connect to their web service (on an https address) from an https address. They insist that if I don't their response to me can't be encrypted.
My first question is, is that true? I thought that as long as I'm connecting to their SOAP service over https, the response back would automatically be encrypted.
If that's true, how can I run a cron job to be as https? My site is on a LAMP setup with cPanel access.
Thank you in advance for your help!
Your customers statement seems to be a little bit unclear in what he/she specifically means by "... connecting from an https adress" as there isn't any notion of the term "https adress" in the specs and https URLS only seem to make sense in the context of Request-URI s given in a https request.
Given this unclarity I'm only wild guessing. Nevertheless to me it seems your clients requirements might most probably not be connected to the http protocol but rather to establishing your TLS connection.
If your client is very sensitive in respect to the security of his system - which in fact if he intends to offer RPC requests might be a very good idea - he might not want to the whole world to be able to connect an encrypted connection to his machines and rely on any secondary authentication mechanism once the connection has been established.
As most users of the public internet don't have any certificates signed by a trusted authority this feature it isn't used out in the open wild but besides server authentication the TLS handshake protocol also provides a means of client authentication via client certificates (the relevant part being section 7 in RFC 5246 here. see: https://www.rfc-editor.org/rfc/rfc5246#section-7)
While in the absence of widely used client certificates web services usually rely on establishing an encryted connection to first to authenticate users by some kind of challange response test like querying for username and password your client might want to either additionally secure access to his machines by additionally requiring a valid client certificate or even - probably not the best idea - replace a second authorization like the one already mentioned above.
Nevertheless all this are nothing but some ideas that I came along with given the riddle in your question.
Most probably the best idea might be to just ask your client what he/she meant when saying "... connecting from an https adress"
I am trying to consume a HTTPS based SOAP WebService via ColdFusion, but it is returning "Connection Failure".
On dumping the result variable, it showed:
Error Detail: "I/O Exception: Name in certificate 'subdomain1.domain.com' does not match host name 'subdomain2.domain.com'"
I can ignore such warning if I browse the HTTPS wsdl in browser, But the Question is; How can I bypass this warning using <CFHTTP>?
Thanks
Better solution is to have the host of the service. Get a proper SSL certificate for that subdomain or a wildcard certificate that will allow them to have as many subdomains as needed with a single certificate.
I have been looking for a solution to this as well (a well-known payment gateway provider has an SSL issue on their server I have to work around). One solution I came up with was to put an entry into the server's hosts file and set it to the IP address of the hostname the SSL certificate was using. Fortunately their web server just accepts connections based on IP rather than hostname, so I was able to fool my server into thinking that I was connecting to the "proper" hostname published in the SSL cert and override the IP for that hostname in the public DNS. A way to tell Java that the name mismatch is "okay" would be nice though.