How to extract certificate from SAML Identity provider Metadata - certificate

I am using WebSphere's AdminTask.importSAMLIdpMetadata() function to import SAML IdP metadata into my server.
AdminTask.importSAMLIdpMetadata('-idpId 1 -ssoId 1 -idpMetadataFileName ' + idpMetaDataFile + ' -signingCertAlias ' + idpCertificateAlias + securityDomainParam);
It is working fine.
The problem is that if the same certificate is already imported under some other alias, then it does not create a new alias for the same certificate.
To achieve this I need to write custom logic that will do all the tasks of importSAMLIdpMetadata() and always create the alias.
My questions:
How to extract the certificate from IdP metadata (in Java, Jython or Ant)?
How to check if this certificate is already present in the WebSphere "signer certificates" (in Java, Jython or Ant)?

I tried doing the above task myself:
1) The certificate can be extracted from the IdP metadata in Java, like normal XML parsing and reading.
2) To check if the certificate is already present in the WebSphere "signer certificates":
Use Jython to get all the certificates
AdminTask.listSignerCertificates('[-keyStoreName NodeDefaultTrustStore -keyStoreScope (cell):cell_name:(node):node_name ]')
It will give you a big string with each key/value pair in square brackets [].
Pass it to Java and parse it as required.
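The two steps above, written out as an added example (this is not code from the original post or from WebSphere). It is plain Python 3 using only the standard library, so the same approach carries over to the Jython scripting environment the question mentions. The metadata document and the signer listing below are constructed samples: the base64 payload stands in for DER bytes and is not a real certificate, and the key names in the listing (`alias`, `fingerPrint`) and the assumption that each entry starts with `[alias ...]` are taken from a constructed sample, so check them against your own listSignerCertificates output. Matching is done on the SHA-1 fingerprint of the DER bytes, which is the same value keytool and the WebSphere console display, rather than on the alias.

```python
"""Extract the signing certificate from SAML IdP metadata and check whether the
same certificate is already present in a WebSphere-style signer listing.

Added example, not code from the original post. See the comments for which
values are constructed or assumed.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for DER certificate bytes (NOT a real certificate).
FAKE_DER = bytes(range(48))

# Constructed IdP metadata: one signing and one encryption KeyDescriptor, so the
# filter below has something to skip.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QUJDRA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.encodebytes(FAKE_DER).decode("ascii")


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-1 fingerprint of DER bytes (keytool style)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of every signing certificate in the IdP metadata.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption in SAML metadata, so it is included as well.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert_el in kd.findall(".//ds:X509Certificate", NS):
            # PEM-style line wrapping and indentation is just whitespace to base64.
            b64 = "".join((cert_el.text or "").split())
            certs.append(base64.b64decode(b64))
    return certs


# Matches one "[key value]" pair; the outer "[ ... ]" wrapper is skipped because
# it is followed by a space, not a key name.
PAIR_RE = re.compile(r"\[(\w+)\s+([^\[\]]*)\]")


def parse_signer_listing(listing: str) -> list:
    """Parse bracketed key/value output into one dict per certificate.

    Assumption (constructed sample): every certificate entry starts with an
    [alias ...] pair, which is what begins a new record here.
    """
    entries, current = [], None
    for key, value in PAIR_RE.findall(listing):
        if key == "alias":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value.strip()
    return entries


def find_existing_alias(der: bytes, listing: str):
    """Return the alias already holding this certificate, or None if absent."""
    wanted = sha1_fingerprint(der)
    for entry in parse_signer_listing(listing):
        # "fingerPrint" is the assumed key name in the constructed listing.
        if entry.get("fingerPrint", "").upper() == wanted:
            return entry.get("alias")
    return None


# Constructed listing in the bracketed shape the answer describes; the second
# entry deliberately carries the fingerprint of FAKE_DER.
SAMPLE_LISTING = (
    "[ [alias default_signer] [issuedTo CN=default, O=Example] [fingerPrint 00:11:22:33] ]\n"
    "[ [alias old_idp_cert] [issuedTo CN=idp.example.invalid] [fingerPrint %s] ]\n"
) % sha1_fingerprint(FAKE_DER)


if __name__ == "__main__":
    for der in extract_signing_certs(SAMPLE_METADATA):
        alias = find_existing_alias(der, SAMPLE_LISTING)
        status = "already imported as %s" % alias if alias else "not present"
        print(sha1_fingerprint(der), status)
```

When the lookup returns an alias, the custom logic the question describes can still add the certificate under the new alias; the fingerprint comparison simply tells it that the trust store already contains the same key material, which is what importSAMLIdpMetadata() appears to be checking before it declines to create a duplicate.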

Vault Mismatch Error in Jboss/Wildfly

We are getting the below error in Wildfly/JBoss when we are trying to encrypt the DB password using Vault. Can you provide a solution for this?
Caused by: org.jboss.security.vault.SecurityVaultException: PB00027: Vault Mismatch:Shared Key does not match for vault block:bea_interface and attributeName:password
There are three possible causes:
1) There is just a mismatch between the passwords. Check what you used when setting up the vault.
2) The encrypted password files are missing:
Aside from the keystore, you should not forget to put the two other files that vault.sh generates:
vault.keystore
ENC.dat
Shared.dat
You need to copy all three files to the desired location, for example to the "standalone/configuration/" directory.
In the vault definition, these are the two parameters that tell JBoss where to find them:
<vault-option name="KEYSTORE_URL" value="${jboss.server.config.dir}/vault.keystore"/>
<vault-option name="ENC_FILE_DIR" value="${jboss.server.config.dir}/"/>
3) You are using a keystore alias name longer than 10 characters.

If I handcraft SAML2 SP metadata , how do I sign it?

First of all, I have spent considerable time searching this site for the specific questions I have. So in case you find this a duplicate, it means I could not locate those, so please share the link.
I have to set up an SP in an IdP (Siteminder) initiated SAML2 POST binding in JBoss EAP 6 and PicketLink. I am asked to provide metadata. I found this site where I could plug in values and get the metadata.
1] Now if I want to sign the SPSSODescriptor in the metadata XML, how do I do it? I can't use the public site to encrypt a production file.
2] Also, would you know of an enterprise-standard mechanism for generating SP metadata and signing it?
I don't think you can do it from PicketLink (there are already some discussions available on other forums).
You can sign the metadata using the JDK Security API or another Java Security API and place the generated signature in the metadata between <Signature>Signature elements</Signature>.
Another easy solution is (I didn't try this before, but it seems worth a try):
Generate the metadata from the SAML-Tool site and save it.
Download XMLSec Tool from the Shibboleth site.
Unzip it and run xmlsectool.sh as follows:
$ xmlsectool.sh --sign --inFile <LOCATION_OF_METADATA_TO_BE_SIGNED> --outFile <TO_BE_LOCATION_OF_SIGNED_METADATA> --keystore <LOCATION_OF_JKS_KEYSTORE> --keystorePassword <JKS_KEYSTORE_PASSWORD> --key <PRIVATE_KEY_ALIAS> --keyPassword <PRIVATE_KEY_PASSWORD>

ClickOnce VSTO solution signed with mage.exe - certificate not trusted error

I'm trying to deploy a VSTO solution, which are 2 addins for Word and for Outlook, using ClickOnce. Due to our deployment infrastructure/practices, I cannot publish it using Visual Studio, it is instead built on a build server and deployed via a deployment server.
For local development, a self-signed certificate is used. The deployment worked with this self-signed certificate (if the self-signed certificate was installed on the machine), but now I want to add a real company certificate so that the application can be deployed to the users.
During deployment, after the configuration files are poked, they are updated and re-signed with the real certificate. However, this produces the following error during installation:
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for <app name> or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.ProcessSHA1Manifest(ActivationContext context, DeploymentSignatureInformation signatureInformation, PermissionSet permissionsRequested, Uri manifest, ManifestSignatureInformationCollection signatures, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was:
MyComputer
The only lead I have is that, after re-signing, the values in publisherIdentity element are not changed (both .vsto and .manifest), only the Signature element has values corresponding to the new certificate.
Following commands are used to sign the .vsto and .manifest files (as far as I can see from the deployment scripts):
mage.exe -Update "[path to .vsto/.manifest]"
mage.exe -Sign "[path to .vsto/.manifest]" -CertHash [certificateHash]
where [certificateHash] is the thumbprint of the real certificate and is used to look up the certificate in the certificate stores. I'm told this is a security measure so that the certificate file doesn't have to be distributed along with the deployment package.
After signing, the files have their Signature values changed, but the publisherIdentity still has the name and issuerKeyHash of the self-signed certificate.
I tried poking these two values prior to re-signing, but I don't know how to calculate the issuerKeyHash.
Any advice on how to proceed would be much appreciated!
Edit:
I was trying out other mage.exe parameters, like '-TrustLevel FullTrust' (which didn't have any effect) or '-UseManifestForTrust True' along with the Name and Publisher parameters, which yielded this error message (which is different from the one mentioned above).
************** Exception Text **************
System.InvalidOperationException: You cannot specify a <useManifestForTrust> element for a ClickOnce application that specifies a custom host.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The certificate that the app is signed with isn't trusted by Windows. As a workaround:
Right-click on setup.exe,
Select Properties, then the Digital Signatures tab,
Select Vellaichamy/user, then click Details,
Click View Certificate and click Install Certificate.
Do not let it automatically choose where to store the cert; install the certificate in the Trusted Root Certification Authorities store. Once the cert is installed the app should install...
Take a look at the Granting Trust to Office Solutions article which states the following:
If you sign the solution with a known and trusted certificate, the solution will automatically be installed without prompting the end user to make a trust decision. After a certificate is obtained, the certificate must be explicitly trusted by adding it to the Trusted Publishers list.
For more information, see How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications.
Also you may find the Deploying an Office Solution by Using ClickOnce article helpful.
We have found what the problem was. We used a version of mage.exe tool from Windows SDK from a folder named 7A (I don't remember the full paths, sorry). A colleague then found another folder with versions 7A, 8 and 8A. Once we took the .exe from 8A folder, the installation works as expected.
Try copying all the necessary files to the client computer then install. If you can avoid installing from the network drive you might be able to avoid this exception.

soapUI: how to add Thumbprint as SecurityTokenReference to wss SIGNATURE entry

I have a question regarding soapUI:
I'm trying to add a ws-security header to my soap-requests containing a signature. To do that I used the soapUI-dialog "WS-Security Configurations" in the project preferences. It works as expected, but my server application requires a Thumbprint-SHA1-Id as the KeyInfo//SecurityTokenReference Element.
I found out that soapUI provides this option in the WSS Entry "Encryption" but not for "Signature". So my question is: How can I use the Key Identifier Type "Thumbprint SHA1 Identifier" for the Signature Element?
I thought about replacing the key identifier created by soapUI via a groovy script. But this script would have to be executed after the creation of the security header and before the sending of the soap-request, and I'm not sure, how to achieve that.
Thanks in advance!
Key Identifier Type "Thumbprint SHA1 Identifier" for the Signature is added in SoapUI 5.0.0, which is released tomorrow (2014-04-09). It is also included in a maintenance release of 4.6.4 that can be downloaded at http://www.soapui.org/Downloads/soapui-nightly-builds.html.
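For readers who need to confirm what their client actually emits, here is an added example (not code from the original post or from the soapUI project) that builds the KeyInfo a signature carries when it references the certificate by thumbprint, and checks an existing KeyInfo for the same property. It is plain Python 3 using the standard library. The namespace and the ValueType/EncodingType URIs are the OASIS WS-Security 1.0/1.1 values; the certificate bytes are a constructed stand-in, not a real certificate, and the `SKI_KEY_INFO` sample is constructed to show a reference that uses a different identifier type.

```python
"""Build and check a WS-Security ThumbprintSHA1 SecurityTokenReference.

Added example, not code from the original post or from soapUI. The URIs are
the OASIS WS-Security token profile values; FAKE_DER is a constructed stand-in.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
X509_SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"wsse": WSSE, "ds": DS}

# Keep the conventional prefixes when serializing.
ET.register_namespace("wsse", WSSE)
ET.register_namespace("ds", DS)

FAKE_DER = bytes(range(64))  # constructed stand-in for DER certificate bytes


def thumbprint_sha1_identifier(der: bytes) -> str:
    """ThumbprintSHA1 key identifier: base64 of the SHA-1 digest of the DER certificate."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def build_thumbprint_key_info(der: bytes) -> str:
    """Serialize the <ds:KeyInfo> that references the signing cert by thumbprint."""
    key_info = ET.Element("{%s}KeyInfo" % DS)
    str_el = ET.SubElement(key_info, "{%s}SecurityTokenReference" % WSSE)
    kid = ET.SubElement(str_el, "{%s}KeyIdentifier" % WSSE,
                        {"ValueType": THUMBPRINT_SHA1, "EncodingType": BASE64_BINARY})
    kid.text = thumbprint_sha1_identifier(der)
    return ET.tostring(key_info, encoding="unicode")


def references_cert_by_thumbprint(key_info_xml: str, der: bytes) -> bool:
    """True only if the KeyInfo uses a ThumbprintSHA1 identifier that matches the cert.

    A SubjectKeyIdentifier or BinarySecurityToken reference, or a thumbprint for
    some other certificate, returns False.
    """
    root = ET.fromstring(key_info_xml)
    kid = root.find("wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != THUMBPRINT_SHA1:
        return False
    return (kid.text or "").strip() == thumbprint_sha1_identifier(der)


# Constructed KeyInfo using a SubjectKeyIdentifier reference instead of a thumbprint.
SKI_KEY_INFO = (
    '<ds:KeyInfo xmlns:ds="%s" xmlns:wsse="%s">'
    '<wsse:SecurityTokenReference>'
    '<wsse:KeyIdentifier ValueType="%s" EncodingType="%s">c29tZS1za2k=</wsse:KeyIdentifier>'
    '</wsse:SecurityTokenReference></ds:KeyInfo>'
) % (DS, WSSE, X509_SKI, BASE64_BINARY)


if __name__ == "__main__":
    built = build_thumbprint_key_info(FAKE_DER)
    print(built)
    print("thumbprint reference ok:", references_cert_by_thumbprint(built, FAKE_DER))
    print("SKI reference accepted:", references_cert_by_thumbprint(SKI_KEY_INFO, FAKE_DER))
```

The check is what a server that insists on thumbprint references is doing on its side: it recomputes SHA-1 over the certificate it holds and compares it with the KeyIdentifier text, so the ValueType and the base64 encoding both have to be exactly right for the signature to resolve to a key.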

Trouble installing certificate from .pfx file

I am trying to install a certificate on my local machine (Win Server 2003) with the X509Certificate2 class in a C# test console application. When I install the certificate with the following code, everything is fine:
var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
var cert = new X509Certificate2(certificatePath);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
The problem is that the private key of the certificate is not persisted when installed without X509KeyStorageFlags.PersistKeySet. So I tried to instantiate the certificate like this (the private key has no password, so I pass in an empty string):
var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
var cert = new X509Certificate2(certificatePath, "", X509KeyStorageFlags.PersistKeySet);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
But trying to instantiate the certificate throws a System.Security.Cryptography.CryptographicException "Failed to load certificate: The specified network password is not correct.", even though the private key has no password.
If I import the certificate in the Microsoft Management Console without specifying a password it works great.
Does anybody know how to do this programmatically?
If you try to create an instance of X509Certificate2 with an empty password on Windows XP or Windows 2003, the "Failed to load certificate: The specified network password is not correct." exception will be thrown.
If you can, try to create a certificate with a password which is not empty. Then everything should be fine.
Hopefully this will help somebody (and to expand on uGeeen's answer):
User "S C" points out the following requirement for certificate passwords on Windows XP and Windows Server 2003.
0 < password.Length < 32
I have seen conflicting reports on whether 32 is allowed. I can confirm that I was using a 32 character password (an MD5 hash), and truncating it to 30 characters fixed the issue.
Are you doing it from a worker process or some other impersonated process? It may be just that the identity your process uses is initialized WITHOUT loading the identity user's profile, which seems to result in no access to the user's certificate store.
I've had a similar problem when loading an X509 cert with private keys from within the ASP.NET/IIS process, and turning on profile loading for worker processes did the trick.
In case anybody has a similar problem: I managed to install the certificate and persist the private key in another fashion. I found the WinHttpCertCfg command line tool that you can get from here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp
I then call this command line tool programmatically to install the certificate. This site gave me a hint on how to use it: weblogs.asp.net/hernandl/archive/2005/02/09/…
Cheers, Chris