I was asked to secure my stateless api endpoint using cert based authentication. I read about the subject, and realized I needed to create a middleware to inspect the request, and then check for the x-ARR-ClientCert header, to check whether the certificate is valid or not, based on some thumbprint. So far, so good.
The problem is that I can't test the middleware, because I don't have idea on how to send such a header. I already have a self signed certificate(.crt) and a key(.key). I tried with postman, but I can't see the x-ARR-ClientCert being sent while debugging on VS2017.
Any Help?
Edit 1
I'm following this tutorial: https://blogs.msdn.microsoft.com/kaevans/2016/04/13/azure-web-app-client-certificate-authentication-with-asp-net-core-2/
I know it's a bit old, but at the end the writer shows the browser asking for a certificate, but I just can't manage for the browser to ask for the certificate.
One thing I forgot to mention here, is that my API is on a local Service Fabric Cluster, so that might be the problem
Edit 2
For Postman, I've followed this tutorial: Postman Tutorial, but had no luck: first I had to turn off ssl check, and then when added the certificate to Postman, the x-ARR-ClientCert header wasn't being sent.
I've also tried curl: > curl --cert cert.crt --key client.key https://localhost/api/values --insecure but still the x-ARR-ClientCert isn't being sent.
I am not sure what you are trying to accomplish...
In a mutual certificate authentication, the browser handles the authentication\certificate exchange, and when the user tries to access an endpoint secured by client certificate, the server tells the client(browser) that it requires a certificate to accept the connection and the browser popup a message to the user asking for a certificate to be used, there is a nice write about it here.
If the plan is to do it for automation, the postman blog has an article on how you setup client certificates for this scenario. The other option is trying to send the certificate using CURL as described here.
Secondly, you are reinventing the wheel, there are already some ready to use implementations in kestrel using HttpsConnectionAdapterOptions.ClientCertificateMode = RequireCertificate and some authorization middlewares here and here.
And finally, make sure that there is no proxy in the middle or that the proxy or gateway is not removing the certificate from the client connection.
Related
I just created an REST API in API Connect and the endpoint works when I test it in the APIC assemble tab. It requires a client id and client secret. When I send a request through Postman, I currently get a “Could not get any response” message from when I try to add them as header values or OAuth authorization. I’m using the request endpoint that’s displayed when I hit the debug button from the successful response on the Assemble tab. Is this the correct endpoint to use? How do I properly include the client id and client secret in a Postman request?
If you get a "Could not get any response in Postman", that means that Postman can't reach the destination of the request.
There are several reasons for that:
Is it an intranet or internet endpoint?
Are you using a proxy? (check proxy config)
Is the hostname resolvable? (try ip)
If it is an https
endpoint, with a self signed certificate, check if you have SSL
Certificate verification enabled (Settings-> general)
On the other hand, to send the client-id and client-secret headers, just click on Headers tab and add both (see the following picture)
Please check the below things to get access to API Connect published services.
Service needs to be allowed to invoke from postman(System from which you are invoking.)
Please check the web-api MPGW service titled in DataPower default domain created when you configure your API connect with DataPower have you created an access control list in the front-side-handler.
Please disable the SSL configuration in the postman, sometime this may create a problem(since the service exposed from API Connect will be with SSL)
From the error you are getting, I suspect there is no connection or only one-way traffic is enabled which means you are blocking response. If there is an issue with the request parameters you are sending, an error will be different saying, wrong client id or client secret.
Testing API which is on-boarded from API Connect will be straightforward or same we invoke other rest services.
Thx Srikanth
I needed to include the client id and client secret in the headers using the correct name for them, which is specified when creating/editing the api under the 'Security Definitions' category as 'Parameter Name'.
I was also hitting the wrong endpoint. To find the correct endpoint click the hamburger icon in the upper left of api connect website, select dashboard, click on the environment you want such as sandbox or dev, click settings, click gateway, then you'll see the endpoint.
I need to configure an application to accept connection only from client with a certificate, the client should be ApiGateway.
I followed this step by step tutorial. But when I should upload a certificate and enable a checkbox called "Enable request of client certificate" in upload dialog box it disappear.
I tried with many browser (Chrome, Firefox, Safari) on a Mac. I'm quite that this not depend on browser, so now how can do the same thing?
Thanks for every answer.
From my understanding, the given task needs to be separated into two activities.
Client with certificate
A client with DNS APIgateway
Client with Certificate
In general, when we create an API, we expose with a gateway via HTTP protocol which has some signed certificate (Production). Please provide that public certificate to the consumer of your API. And you can test this using postman, we have an option of SSL certificate upload in Postman, make a use of it for testing.
Client with DNS Name
For this, in Datapower (API Gateway), you can create an Access control list following this IBM documentation. Access control list is something, we allow or restrict the host that we consume the services exposed using Datapower.
I have deployed liberty app on IBM cloud. I have setup custom domain and selected "request client certificate" so that clients have to send certificate to access app over TLS. I see client authentication does work, but I do not get any client certificate information in my app. This makes client certificate authentication a bit useless, as I would want to know the id of client which accessed my app. Any help/pointers appreciated.
I looked at attributes of request. Two attributes are passed in request _com.ibm.websphere.servlet.uri_non_decoded_ with value /dummyRelPath and _javax.servlet.request.cipher_suite_ with value of ECDHE-RSA-AES256-GCM-SHA384 There's no attribute with name javax.servlet.request.X509Certificate passed in request.
Does:
X509Certificate[] certs = (X509Certificate[])
request.getAttribute("javax.servlet.request.X509Certificate");`
not return any certificates?
In cloud foundry on bluemix, your client should be handshaking with a DataPower proxy. That proxy adds a custom header to indicate the TLS client cert that was provided, then it is passed through the CF gorouter, then finally passed to the JVM.
WebSphere Liberty then surfaces that through the API above.
This is communicated through the $WSCC request header. If the API returns null, it's most likely that header was dropped or never set by the infrastructure, rather than making it all the way there and the API mysteriously losing track of it. You could dump the request headers, looking for this one in particular, and maybe something will stand out (some surprise hop/proxy).
Is there a reason why Facebook doesn't allow LetsEncrypt signed certificates in their "app development" section?
I keep getting this error:
(For the untrained eye, this is me trying to setup a webhook for new messages notifications)
Blurred out the host, but it's a valid host and using chrome or firefox on Linux and Windows doesn't give any errors.
SSLLabs also says the site is perfectly valid.
Running curl https://... on my own host, sure enough I get the same error,
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
So my question is, why have Facebook (that openly supports LetsEncrypt) decided to use default curl CA bundle to verify the callback-url of an app? If that doesn't allow LetsEncrypt?
It appears to be counterproductive to me.
Is there a way around this?
SSLLabs also says the site is perfectly valid.
It shows a warning in orange, that the certificate chain is incomplete.
Your server should present all necessary intermediate certificates as well, in addition to the certificate issued for your domain. (Which was simply forgotten here by mistake.)
I have a PowerShell script that uploads a batch of files to lingq.com.
I created it the following way: I logged in to the site via browser, and made an upload manually through the web page. I grabbed the request in Fiddler, then duplicated it in PowerShell, including the authentication cookies. I'd just swap out the content of the request and send it. It wasn't pretty, but it worked and saved me an immense amount of time. The only downside was every time I had to log in to the site again, my authentication cookies got invalidated and I had to grab them again. But that I could live with.
They seem to have changed all their communication to https, because now instead of a request to
http://www.lingq.com/learn/ja/import/contents/?add
all I see in Fiddler is
"Tunnel to www.lingq.com/443"
Fiddler also gives me a warning that HTTPS decryption is disabled. When I enable it, and start capturing, Firefox gives me a certificate error when I try to access the site (or any other site that uses certificates, including Google):
www.lingq.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
My script is now completely useless, every request I send returns the login page. And because of Fiddler messing up the certificates, I can't further reverse engineer the site to mimic the requests correctly.
How can I make https decryption work in Fiddler? Alternatively, is there a way my script can properly authenticate itself on the site? I have tried the steps described here:
How to make an authenticated web request in Powershell?
It didn't work at all. My guess is some sort of federated authentication is in place, but frankly I'm completely out of my depth here.