Ok , this is a little off . I have a XMPP sever that supports XEP-00178 (SASL-External)(namely : openfire) and I am using Gajim client to test it. Now I created a .p12 file(using openssl) for the registered user on the server with the common name equal to the user name. The .p12 file is encrypted. But when I use the Gajim to add the user's corresponding encrypted .p12 file , it prompts for the pass phrase , which I supply correctly but it just fails with the error :
Unknown error while loading certificate from file /root/sslCA/alice.p12
I tried opening the same alice.p12 using OpenSSL and everything works just great. Would it be wise to remove the password from the .p12 file? or Is there something that I am doing wrong with regards to Gajim?
Related
I am following this link for a test. But I receive
451 Authentication failed: Could not authenticate
at step 4:
4.Enter your Base64 converted API key in the next line as the password.
Does it mean I entered a wrong Base64 converted API key? But I have double checked the key. What's going on?
By the way, I am also using Postfix, and in /var/log/maillog it says
certificate verification failed for smtp.sendgrid.net[198.37.144.225]:587: untrusted issuer /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Then I followed this link to add the certificate, but I still cannot send the email by Postfix, perhaps the reason is 451 Authentication failed: Could not authenticate?
Another cause of '451 Authentication failed: Could not authenticate'
- because IP not whitelisted
You need to whitelist your NAT or the Public IP of the instance in the Sengrid site then the steps described here would work -
https://sendgrid.com/docs/API_Reference/SMTP_API/getting_started_smtp.html
I've had the same issue. Run the TELNET test again (following the instructions here),
but instead of using the API username apikey and your API key, use your base64 converted login username and password for Step 3 and step 4.
This should return a 235 Authentication successful response. This will mean you've successfully connected.
Given that the username/password test is successful, consider opening your API key Permissions to Full Access and try sending and email. If that works, you can use this link to adjust your permissions for your application.
I am trying to send a SOAP request(signed) using HTTP Request Sampler along with SOAP Message Signer plugin. Request works fine with SOAPUI. It seems to fail through JMeter if i use same parameters(for SOAP Message Signer).
As a part of SOAP Request, Header needs to be signed. I am getting the below error while Signing. Could anyone please let me know the reason for failure?
n.c.b.j.m.AbstractWSSecurityPreProcessor: Building WSS header
o.a.w.d.m.WSSecSignature: Beginning signing... ERROR
n.c.b.j.m.AbstractWSSecurityPreProcessor:
org.apache.wss4j.common.ext.WSSecurityException: No certificates for
user "cert_alias" were found for signature
Did you add in jmeter keystore the certificate under alias cert_alias?
That's what message is saying:
No certificates for user "cert_alias" were found for signature
Keystore is located in jmeter/bin folder
You may want to try this plugin:
https://github.com/tilln/jmeter-wssecurity/blob/master/README.md
Finally i was able to send a successful request using the plugin.
I was using the Signed Header as a part of SOAP request.
Plugin Config:
Keystore File : Path to .jks file
Keystore Password : password
Cert Alias - cert_alias
Cert Password - cert password
After removing the Signed Header from the SOAP request, it worked. Thanks you.
If your SOAP endpoint expects the message to be encrypted with a client-side certificate you can configure JMeter to use it by adding the next lines to system.properties file:
javax.net.ssl.keyStoreType=pkcs12 or jks
javax.net.ssl.keyStore=/path/to/your/jsk keystore or .p12 certificate
javax.net.ssl.keyStorePassword=your certificate or keystore password
JMeter restart will be required to pick the properties up.
You can also pass them via -D command line argument like:
jmeter -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=your-certificate.p12 -Djavax.net.ssl.keyStorePassword=secret
More information:
Customizing the Default Key and Trust Stores, Store Types, and Store Passwords
How to Set Your JMeter Load Test to Use Client Side Certificates
FOR DEVELOPMENT: I configured my site to run without SSL for my development box and it all works great.
Now I am moving this to our dev testing server so I can test it there.
I first ran it as a non ssl intranet site to confirm configuration and etc....
It works perfectly.
Now I am in the process of creating a cert for the site and plan to use self signed certs for developer testing.
I have read many post ( google search ) on the topic related to the error I am getting.
Basically, I am 110% sure I am not creating this cert correctly for the site to which I need to bind it to.
The error:
The remote certificate is invalid according to the validation procedure.
So I am trying to understand what they mean by answers like this:
When working with self-signed certificates: add them to the trusted root authorities & use the hostname instead of localhost. ]
So if your computer name is "mypc", the uri should be "https://mypc/..." instead of "https://localhost/...".
This is what is confusing to me...
For example , if computer name is: svr-d-web-003
So the uri: https: //svr-d-web-003/?????
Looking at the advanced settings Bindings could I extrapolate the uri as: https: //svr-d-web-003/webhost.oauth.xyz.org ?? This seems wrong to me...
Site settings and etc....
Used these steps to create the cert:
1. C:> certlm.msc
2. Right-click on Certificates, then click All Tasks/Request New Certificate
Click Next, Next
Click on link as shown under the template you need.
Select Common Name from drop down
Enter the machine name dns name (example: svr-v-wus-001), then click Add button
Click OK,
In the Requests Certificates window check the box for xyz, click Enroll
Look in the certificates store and it’ll be there – you may need to click Refresh button
Follow up In IIS – you’ll bind the certificate there to your site. Remember the name needs to match the url. (This might be my issue here...)
See attachment...
I finally got it to work.
When creating the cert I had to match the name of the cert (common name) to the site.
For example: the site is https://identService.oauth.xyz.org so the cert name needed to be identService.oauth.xyz.org.
Then it all worked. I was confusing the site name with the machine name. Doh...
We are trying to implement the following workflow:
generate private key in browser, using window.crypto
create a PKCS10 certificate signing request in the browser
send the PKCS10 to a server
the server signs the request and returns an x509 certificate in PEM format
the browser stores the certificate for itself
The same thing already works using the keygen tag in the browser and using SPKAC instead of pkcs10. Now, however the browser does not store the certificate returned, just wants to save them. When we try to import the certificate to the browser by hand, we got "the private key for the certificate is missing or invalid".
We suspect that the private key generated by window.crypto.generateKey() does not get stored in the browser's keystore. How to get the private key stored in the keystore?
The implementation of the first two steps is based on http://blog.engelke.com/2014/08/23/public-key-cryptography-in-the-browser/
Update: As some browsers use the OS keystore, I am also looking into the possibility to save the key into the OS keystore through some other way.
What I have figured out so far:
Java cannot be used according to this question: Tell Java to use Windows keystore
In Windows one can use ActiveX controls.
Summary: Found no standard cross-browser and cross-OS way to generate and meaningfully use X509 certificates. There are combinations (new chrome versions (dropping keygen support) on non-windows OS) where there is no way to do this.
It may seem to be asked several times, but I could not find answers to my doubts.
As one needs to setup an MDM server, what are the things that need to be available or installed on this server. Is there a specific configuration?
Is SCEP (which I think needs to be available on the server) required to setup MDM. If yes, how to go about with it.
When I set the Server URL inb the MDM config profile to any of the servers I have, the profile fails to install with the error in console as "The identity certificate for com.abc.mdm.mdm1 could not be found."
It'll be helpful if anyone could redirect me to the detailed steps to setup MDM server. I could not find any such thing in Apple's WWDC 2010 video.
Edit: Some more stuff I've tried
I'm trying to configure MDM server for iPhone and have tried the following steps till now.
I have installed a trial certificate from RapidSSL. When I open my site as https://example.com, I can see a lock at the address bar - hence I believe that the certificate is valid and working.
In iPCU, I create a credentials payload and select my certificate from the list.
In the MDM payload, when I try to select an Identity, the dropdown list is disabled with a message as Add credentials in the credentials payload.
In the credentials payload when I select any other certificate from the list - VeriSign for example - in the MDM payload I get the Identity dropdown list enabled and can select the configured credential, but this is an Invalid certificate.
Edit: Images added
Edit: Moved further more
With some hits here and there, I'm now able to get the 'Identity' field enabled. But when I try to install the profile, I get an error as 'Profile failed to install' with the message in console as
Nov 22 15:15:11 Apple-iphone-4 profiled[1320] <Warning>: MDM|Cannot Authenticate. Error: NSError 0x1ddb8f50:
Desc : A transaction with the server at https://example.com has failed with the status 405.
US Desc: A transaction with the server at https://example.com has failed with the status 405.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"https://example.com",
405
)
Nov 22 15:15:11 Apple-iphone-4 profiled[1320] <Warning>: MC|Cannot install MDM com.example.ota.mdm2. Error: NSError 0x1ddb9120:
Desc : The payload com.example.ota.mdm2 could not be installed.
Sugg : A transaction with the server at https://example.com has failed with the status 405.
US Desc: The payload com.example.ota.mdm2 could not be installed.
US Sugg: A transaction with the server at https://example.com has failed with the status 405.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"com.example.ota.mdm2"
)
Edit: Continuing after a long break
Here's a summary of what I've done till now.
Configured a Windows 2008 server with an SSL certificate from a CA. ie. The server can be accessed as https://example.com
Hosted a .Net webservice that listens to PUT.
Generated an MDM certificate from the iOS Developer portal.
Generated a Push certificate from Apple. The topic is something like com.apple.mgmt.External.035e7xxxxx
Added the server certificate to the Credentials payload of iPCU. This was done by
- Exporting the server side SSL as a .pfx file
- Adding this file to the Windows Certificate store
- Selecting this certificate in the credentials payload.
I've hosted this profile on the server. When I download it on the device, I'm presented with Profile Installation on the device. When I install this profile, I end up with an error saying "The profile MDM could not be installed". On looking at the device logs, I found
<Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc : A transaction with the server at “https://example.com” has failed with the status “400”
IMP: I noticed that the Push certificate generated says "This certificate was signed by an unknown authority". There's also no private key associated with it.
I suspect something wrong is selecting the certificate in the Credentials payload (Step 5).
Also when the Profile Installation screen is presented, I get "Not Verified" just below the the profile name.
Solved
For the "unknown authority" issue I installed Apple's Application Integration certificate.
I'm now able to execute the MDM commands.
Complete Steps
https://drive.google.com/file/d/0B9vJDmfd2qb9RmdGNlp4OUR3eVk/view?usp=sharing
https://drive.google.com/file/d/0B9vJDmfd2qb9eGlkUk44ajZrWjg/view?usp=sharing
You need just 3 things
1) mdm payload with mdm url starting with https://
2) certificate which you download using apple developer portal. This is detailed on apple site
3) Link this certificate (.p12) file in the identity section of the mdm payload
Your server needs to have the necessary ports open - this is also documented. The server needs to listen on PUT method and not GET or POST.
If you do above - you will see that your device sends the deviceToken, pushMagic etc.
First up, the 405 status from the server means that you are attempting to POST to a URL that does not accept the POST method. It has nothing to do with the certificates at this point. The certificate in MDM is only used for signing the MDM messages so anything that is put in there is unused if you are not signing your MDM messages from the device (I would recommend not signing your MDM messages while you are testing/setting up) which is configured using the 'Sign Messages' tick-box in the iPCU.
The general idea with MDM is that you tell the device to 'phone home' to the 'Server URL' configured in the configuration profile when it receives an MDM APNS message. You will either have to write or purchase the code that lives on this server to respond to the device and do the right thing. You can also configure the 'Check In' and 'Check Out' URLs to talk to different URLs and, therefore, different code components on the server to handle the different messages.