I have a question regarding soapUI:
I'm trying to add a ws-security header to my soap-requests containing a signature. To do that I used the soapUI-dialog "WS-Security Configurations" in the project preferences. It works as expected, but my server application requires a Thumbprint-SHA1-Id as the KeyInfo//SecurityTokenReference Element.
I found out that soapUI provides this option in the WSS Entry "Encryption" but not for "Signature". So my question is: How can I use the Key Identifier Type "Thumbprint SHA1 Identifier" for the Signature Element?
I thought about replacing the key identifier created by soapUI via a groovy script. But this script would have to be executed after the creation of the security header and before the sending of the soap-request, and I'm not sure, how to achieve that.
Thanks in advance!
Key Identifier Type "Thumbprint SHA1 Identifier" for the Signature is added in SoapUI 5.0.0 that is release tomorrow (2014-04-09). It is also included in a maintenance release of 4.6.4 that can be downloaded at http://www.soapui.org/Downloads/soapui-nightly-builds.html.
Related
I am supporting a Classic ASP application that connects to a payment gateway via HTTPS. Up until recently there have been no issues. A few days ago the latest updates were installed on the server (Windows Server 2003) and caused the site to break. A code snippet is below.
Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST
Below is a dump of the error object :-
Number: -2147012852
Description: A certificate is required to complete client authentication
Message: A certificate is required to complete client authentication
At first I thought it was because the Payment Gateway's SSL certificate was not being authenticated or they needed a client certificate. I tested the URL in a browser on the server and it displayed correctly without errors and confirmed that the Payment Gateway server did not require a client certificate.
I am at a loss. All the research I have done has lead me nowhere. I even tried the following found on Stackoverflow :-
Getting XMLHTTP to work with HTTPS
xmlHttp, XML request,asp
The last one stated that a client certificate is required by XMLHTTP even though the server does not need it and pointed to a KB article on how to install one, but that is outdated and does not work.
Try adding oHttp.setOption 2, 13056
Just found the solution to this which has passed testing on:
Windows 10 (IIS 10)
Windows 2012 R2 (IIS 8.5)
It's a client problem. MSXML2.ServerXMLHTTP does indeed require you to use a client certificate when calling an endpoint secured with SSL (even if the endpoint doesn't require it), as the OP noted.
On the webserver, you need to:
Create a client certificate
Assign permissions to the certificate
Set the certificate on the ServerXMLHTTP object
In detail:
1. Create a client certificate
Use the following PowerShell command to create a new self-signed certificate:
New-SelfSignedCertificate -DnsName "ServerXMLHTTP", "ServerXMLHTTP" -CertStoreLocation "cert:\LocalMachine\My"
Note that the certificate created by this command will only be valid for 1 year.
2. Assign permissions to the certificate
Using MMC, view the certificate store for the computer account:
How to: View Certificates with the MMC Snap-in
The certificate created above can be found in Certificates (Local Computer)\Personal\Certificates (the "Issued By" and "Issued To" columns display "ServerXMLHTTP").
Right click the ServerXMLHTTP certificate, select "All Tasks" -> "Manage Private Keys" and the permissions dialog will display.
Add the user that the ASP website app pool is running as. By default it will be running as "ApplicationPoolIdentity", but your setup may be using a specific user account. If the app pool is using ApplicationPoolIdentity, the username to add is "IIS AppPool\APP POOL NAME", e.g. IIS AppPool\DefaultAppPool
The user will be added with "Full Control" which can be deselected. Only "Read" permission seems to be required. Click "OK" to confirm the permissions.
3. Set the certificate on the ServerXMLHTTP object
In your ASP code, set the ServerXMLHTTP object to use the certificate created above. For example calling PayPal for an access token:
Dim strAuthToken: strAuthToken = "<Base64 encoded version of ClientId:Secret>"
Dim oHttp: Set oHttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
With oHttp
Call .Open("POST", "https://api.sandbox.paypal.com/v1/oauth2/token", False)
Call .SetOption(3, "LOCAL_MACHINE\My\ServerXMLHTTP")
Call .SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
Call .SetRequestHeader("Authorization", "Basic " & strAuthToken)
Call .Send("grant_type=client_credentials")
End With
Hopefully this is still of assistance.
I know it is an old question. This issue could be because of unsupported cipher suites.
Try adding
- TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
- TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
That means you have to follow this kb: http://support.microsoft.com/kb/948963
This update is also interesting if you are still using windows 2003. Which will allow connecting to site using SHA2 - http://support.microsoft.com/kb/968730
Please note that Windows Server 2003 support is ending July 14, 2015
This is probably a ServerFault.com question really, after all if the code is working fine then its not a programmatic problem.
However I would try a couple of things. First try using a the ProgID "MSXML2.ServerXMLHTTP.3.0", in some circumstances MSXML3 will behave differently depending on which ProgID was used to instantiate the component. Also update from other sources like your anti-virus supplier (Sophos had this problem) can break MSXML installs.
Another ProgID to try is "MSXML2.ServerXMLHTTP.6.0" after having installed MSXML6. If the problem is with an update to the MSXML3 core then perhaps the MSXML6 core doesn't have the same problem.
Can you try with oHttp.setOption(3) = "certificate store name/friendlyname of certificate"
as below. I hope this will works.
Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056
oHttp.setOption(3) = "certificate store name/friendlyname of certificate"
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST
I've been trying to configure play framework 2.5.8 to use keystore on custom location with custom purchased certificate. Configuration is as follows (under play section):
"server":{
"https":{
"keyStore": {
"path": "/Users/...some_path.../keystore.jks",
"type": "JKS",
"password": "some_pass"
}
}
Everything is local, path reachable, keystore in place.
However, I constantly get debug message:
[warn] p.c.s.s.DefaultSSLEngineProvider - Using generated key with self signed certificate for HTTPS. This should not be used in production.
Keystore is prepared properly since everything works just fine if I supply keystore and password params as JVM arguments.
Is there anything else that needs to be configured? I even C/P-ed with slight modifications
def createSSLContext(applicationProvider: ApplicationProvider): SSLContext
method from DefaultSSLEngineProvider for testing purposes into one of my controllers to see if execution will reach line 44 (logger.debug("Using HTTPS keystore at " + file.getAbsolutePath)) which shouldn't happen in case of wrong configuration, weird keystore file, etc. To my surprise, everything worked properly. However, why Play isn't taking into account configuration from application.conf is beyond me. Unfortunately, supplying keystore params through JVM params is not an option for me in this particular scenario.
A few weeks ago this error started popping up.
Set-PSRepository : The specified Uri 'http://*****' for parameter
'SourceLocation' is an invalid Web Uri.
Please ensure that it meets the Web Uri requirements.
I'm not sure how to fix this short of uninstalling Powershell. There is a workaround available on StackOverflow but it's clunky and will not work for me long term.
Frankly I'd rather just find where the PSRepositories are stored and edit the files manually when I need to.
The answer to this other question should help: Invalid Web Uri error on Register-PSRepository
It involves registering the repository using a local path first, then updating it to point to the URL.
Had the same issue,
for me it was an expired certificate at my own repostitory. Exchanged the certificate and the error was gone.
First of all I have spent considerable time searching this site for the specific questions I have. So in case you find this duplicate , it means I could not locate those so pls share the link.
I have to set up an SP in an IdP(Siteminder) initiated SAML2 post binding in JBOSS EAP 6 and picket link.I am asked to provide metadata.I found this site where I could plug in values and get the meta Data.
1 ] Now if I want to sign SPSSODescriptor in the metadata XML , how do I do it ? I cant use the public site to encrypt a production file.
2] Also would you know of an enterprise standard mechanism of generating SP metadata and sign them ?
I don't think you can do from PicketLink (already some discussions available from other forums).
You can sign the metadata using JDK Security API or other Java Security API and place the generated signature in metadata between <Signature>Signature elements</Signature>.
Other easy solution is: (didn't try this before, but seems worth to try)
Generate metadata by from SAML-Tool site and save it.
Download XMLSec Tool from Shibboleth site.
Unzip and run xmlsectool.sh as follows,
$ xmlsectool.sh --sign --inFile <LOCATION_OF_METADATA_TO_BE_SIGNED> --outFile <TO_BE_LOCATION_OF_SIGNED_METADATA> --keystore <LOCATION_OF_JKS_KEYSTORE> --keystorePassword <JKS_KEYSTORE_PASSWORD> --key <PRIVATE_KEY_ALIAS> --keyPassword <PRIVATE_KEY_PASSWORD>
I'm trying to generate a Perl library to connect to a WebService. This webservice is in an HTTPS server and my user has access to it.
I've executed wsdl2perl.pl several times, with different options, and it always fails with the message: Unauthorized at /usr/lib/perl5/site_perl/5.8.8/SOAP/WSDL/Expat/Base.pm line 73.
The thing is, when I don't give my user/pass as arguments, it doesn't even asks for them.
I've read [SOAP::WSDL::Manual::Cookbook] (http://search.cpan.org/~mkutter/SOAP-WSDL-2.00.10/lib/SOAP/WSDL/Manual/Cookbook.pod) and done what it says about HTTPS: Crypt::SSLeay is instaleld, and both SOAP::WSDL::Transport::HTTP and SOAP::Transport::HTTP are modified.
Can you give any hint about what may be going wrong?
Can you freely access the WSDL file from your web browser?
Can someone else in your network access it without any problems?
Maybe the web server hosting the WSDL file requires Basic or some other kind of Authentication...
If not necessary ,I don't recommend you to use perl as a web service client .As you know ,perl is a open-source language,although it do support soap protocol,but its support do not seem very standard.At first,its document is not very clear.And also ,its support sometimes is limited.At last,bug always exists here and there.
So ,if you have to use wsdl2perl,you can use komodo to step into the code to find out what happened.This is just what I used to do when using perl as a web service client.You know ,in the back of https is SSL,so ,if your SSL is based on certificate-authorized,you have to set up your cert path and the list of trusted server cert.You'd better use linux-based firefox to have a test.As I know ,you can set up firefox's cert path and firefox's trusted cert list.If firefox can communicated with your web service server succefully,then,it's time to debug your perl client.
To debug situations with Perl and SOAP, interpose a web proxy so you can see exactly what data is being passed and what response comes back from the server. You were getting a 401 Not authorized, I expect, but there may be more detail in the server response.
Both Fiddler http://docs.telerik.com/fiddler and Charles proxy https://www.charlesproxy.com/ can do this.
The error message you quote seems to be from this line :
die $response->message() if $response->code() ne '200';
and in HTTP world, Unauthorized is clearly error code 401, which means your website asks for a username and password (most probably, some website may "hijack" this error code to cater for other conditions like a filter on the source IP).
Do you have them?
If so, you can
after wdsl2perl has run, find in the created files where set_proxy() is called and change the URL in there to include the username and password like that : ...->set_proxy('http://USERNAME:PASSWORD#www.example.com/...')
or your in code, after instantiating the SOAP::WSDL object, call service(SERVICENAME) on it (for each service you have defined in your WSDL file), which gives you a new object, on which you call transport() to access the underlying transport object on which you can call proxy() with the URL as formatted above (yes it is proxy() here and set_proxy() above); or you call credentials() instead of proxy() and you pass 4 strings:
'HOSTNAME:PORT'
the realm, as given by the webserver but I think you can put anything
the username
the password