Keystore was tampered with, or password was incorrect - certificate

I am not able to Sign in to the application as it is throwing the following exception:
com.ibm.wsspi.channel.framework.exception.ChannelException: java.io.IOException: Keystore was tampered with, or password was incorrect
at com.ibm.ws.webservices.engine.xmlsoap.builders.WebServicesFaultProcessor.createFault(WebServicesFaultProcessor.java:415)
at com.ibm.ws.webservices.engine.xmlsoap.SOAPFault.getFault(SOAPFault.java:486)
at com.ibm.ws.webservices.engine.SOAPPart.getFault(SOAPPart.java:1090)
at com.ibm.ws.webservices.engine.SOAPPart.getFault(SOAPPart.java:747)
at com.ibm.ws.webservices.engine.Message.getFault(Message.java:883)
at com.ibm.ws.webservices.engine.Message.ifFaultThrowSelf(Message.java:863)
at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:279)
......
How to solve this issue?

Copy the newly added cert data to a file and save it as “rsa.cert”, or get the cert and name it "rsa.cert".
Then open “ikeyman.bat”.
Open the key file (JKS format) and then look for the certificate which you want to update (it may be expired, near its expiry date, or changed). Save the name of the cert which you want to change (for example these are the names of the certificates). Then click on that cert and press the Delete button. Then click on the Add button and open the “rsa.cert” file which you saved previously. Then give it the same name as the cert which you deleted.
Repeat the same process for the trust file (JKS format).
Restart the app server and run the application.

Related

Allow own signed certificate in owncloud on a synology

I have owncloud version 9.1.8 running on a synology. Now I installed onlyoffice on a local server with a self-signed certificate. It is important to know that the onlyoffice server is running locally in a network. So I cannot access the server like e.g. with Let's Encrypt, because I only have a local server name and not a public server name. Let's Encrypt therefore cannot verify the server. However if I want (and if you have a solution doing that), I can access the internet using the server.
Now I have the problem that owncloud delivers me the following error message
"Error while downloading the document file to be converted."
when I want to save the url in the onlyoffice configuration in owncloud. I guess the problem is that I am using a self-signed certificate. Do you know what I can do? Google does not really help me.
"Error while downloading the document file to be converted." means that DocumentServer cannot validate your storage's self-signed certificate (OC in your case).
There are 2 possible workarounds:
1) Change "rejectUnauthorized" to false in the /etc/onlyoffice/documentserver/default.json config file
2) Change the default Node.js CAstore:
Edit the files:
/etc/supervisor/conf.d/onlyoffice-documentserver-converter.conf
/etc/supervisor/conf.d/onlyoffice-documentserver-docservice.conf
Add a flag --use-openssl-ca to the parameters in this line
Then you need to add your certificate to the default CA store and restart ONLYOFFICE services:
supervisorctl restart all

Import RSA Keys - Unable to find the specified file

I am trying to import an RSA Key.
I open cmd prompt in Admin mode, go to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and my command is as follows: aspnet_regiis -pi "Key" "S:\RSAKeys\Key.xml" -pku
This is the exact same command that my coworker used and it worked perfectly for him. When I try it though, I get "Importing RSA Keys from file..Unable to find the specified file. Failed!"
What could be different between our machines?
I have also tried different things (removing the -pku, trying it not as admin, etc.) but in the end it doesn't fully work.
Trying it not as admin with -pku will say succeeded (but then when I try to use the service, it errors with "The RSA key container could not be opened"). Trying it not as admin without -pku will error with "Access is denied."
Edit 1: Looks like a read perms issue between S drive and C drive maybe. Putting the file on the C drive was able to succeed the import but still receiving an error from the service that uses the import saying the rsa key container could not be opened.
Final Edit: After some research, I discovered that I needed to change permissions. I used these documents to help:
https://serverfault.com/questions/293416/the-rsa-key-container-could-not-be-opened-windows-server-2008-r2
http://austrianalex.com/rsaprotectedconfigurationprovider-not-recommended-for-children-under-5.html
The RSA key container could not be opened
Unfortunately, none of them fixed the problem. Somehow, the RSA key was imported where even the Admin group didn't have the permissions it needed to change permissions. So I went and found the RSA key under the C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys folder. I had originally tried giving the Administrator group (which was only me anyways) full permissions but received a Safe Handle Error and had to remove that.
Finally, I added myself (not the administrator group) with full permissions and it worked. Thanks #Thymine for pointing me in the right direction!

Manually create Debug Token for BB10 fails

I want to create a debug token for my dev device with the native SDK (momentics), but it fails without any error message (just: "error creating debug token").
Now I use the command line tools.
But:
1. If I want to request a token:
./blackberry-debugtokenrequest -storepass xxxxx -devicepin xxxxx -csjpin xxxxx client-RDK-00000.csj
I get:
Error: Not yet registered to request debug tokens
2. So I want to register (I'm already registered, but ok...):
./blackberry-debugtokenrequest -register -storepass xxxxx -csjpin xxxxx client-PBDT-00000.csj
Error: Error: Unable to register client '00000' because there are no
more registration attempts. If you have already registered with this
server, then you should restore your signing keys from backup. If you
don't have a backup of the keys, then you can order a new set of keys
at www.blackberry.com/go/codesignin
I have a backup, but what should I do with it?
I want to create a debug token, but the message says: not yet registered.
So I want to register, and it says: already registered...
First things first, you only need the CSJ files to register with RIM, which you only need to do once. You can then safely delete them and your CSJ PIN.
If you have a backup file it means you have already registered which means you shouldn't be using the -register flag when attempting to create a debug token.
To restore your backup code signing key follow these instructions: http://supportforums.blackberry.com/t5/Testing-and-Deployment/Backup-and-Restore-BlackBerry-Code-Signing-Keys/ta-p/837925
Once you have restored your code signing key you can create a debug token using the following command:
blackberry-debugtokenrequest -storepass developercertpass -devicepin 50F2D211 dt.bar
You can use the CSJ files to register only one time. After that it cannot be used. Can you try getting new set of CSJ Files from blackberry server? I think it might solve the issue.
If you know Spanish I recommend this post.
In the pdf, on page 9, you'll find a bat to get a debug token for BlackBerry 10. This is the code:
set LOCAL_DATA_PATH="c:\Users\<user>\AppData\Local\Research In Motion"
set CSK_PASSWORD=Pass of CA
set CERT_STORE_PASSWORD=Pass of web key
set DEVICE_PIN=PIN of device
E:
cd "eclipse\plugins\net.rim.ajde_1.5.2.201302260701\blackberry.tools.SDK\bin"
blackberry-debugtokenrequest -cskpass %CSK_PASSWORD% -keystore %LOCAL_DATA_PATH%\author.p12 -storepass %CERT_STORE_PASSWORD% -devicepin %DEVICE_PIN% %LOCAL_DATA_PATH%\debugtoken.bar
pause

Trouble installing certificate from .pfx file

I am trying to install a certificate on my local machine (Win Server 2003) with the X509Certificate2 class in a C# test console application. When I install the certificate with the following code, everything is fine:
var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
cert = new X509Certificate2(certificatePath);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
The problem is that the private key of the certificate is not persisted when installed without the X509KeyStorageFlags.PersistKeySet. So I tried to instantiate the certificate like this (the private key has no password, so I pass in an empty string):
var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
cert = new X509Certificate2(certificatePath, "", X509KeyStorageFlags.PersistKeySet);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
But trying to instantiate the certificate throws a System.Security.Cryptography.CryptographicException "Failed to load certificate: The specified network password is not correct.", even though the private key has no password.
If I import the certificate in the Microsoft Management Console without specifying a password it works great.
Does anybody know how to do this programmatically?
If you try to create an instance of X509Certificate2 with an empty password on Windows XP or Windows 2003, the "Failed to load certificate: The specified network password is not correct." exception will be thrown.
If you can, try to create a certificate with a password which is not empty. Then everything should be fine.
Hopefully this will help somebody (and to expand on uGeeen's answer):
User "S C" points out the following requirement for certificate passwords on Windows XP and Windows Server 2003.
0 < password.Length < 32
I have seen conflicting reports on whether 32 is allowed. I can confirm that I was using a 32 character password (an MD5 hash), and truncating it to 30 characters fixed the issue.
Are you doing it from a worker process or some other impersonated process? It may be just that the identity your process uses is initialized WITHOUT loading the identity user's profile, which seems to result in no access to the user's certificate store.
I've had a similar problem when loading an x509 cert with private keys from within an ASP.Net/IIS process, and turning on profile-loading for worker processes did the trick.
In case anybody has a similar problem: I managed to install the certificate and persist the private key in another fashion. I found the WinHttpCertCfg command line tool that you can get from here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp
I then call this command line tool programmatically to install the certificate. This site gave me a hint on how to use it: weblogs.asp.net/hernandl/archive/2005/02/09/…
Cheers, Chris
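The import discussed in this thread, as an added Windows PowerShell example that is not code from any of the posts: it loads the PFX with both MachineKeySet and PersistKeySet, adds it to a store, and reads it back to confirm the private key link survived. The PFX path and the LocalMachine\My target store are assumptions, and the password-length warning simply restates the XP/2003 limit reported in the answers above.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example; run elevated. The path and target store are assumptions.
$pfxPath  = 'C:\certs\service.pfx'
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# The answers above report that Windows XP / Server 2003 reject an empty
# password and passwords of 32 or more characters.
if ($password.Length -eq 0 -or $password.Length -ge 32) {
    Write-Warning 'Password length is outside 1..31; the import may fail on XP/2003.'
}

# MachineKeySet: write the key to the machine key store, so it does not depend
#   on the importing user's profile being loaded.
# PersistKeySet: keep the key on disk after the certificate object is released.
$flags = [X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$cert  = [X509Certificate2]::new($pfxPath, $password, $flags)

$store = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
$store.Open([OpenFlags]::ReadWrite)
try {
    $store.Add($cert)

    # Read the certificate back from the store: this is what a service sees later.
    $stored = $store.Certificates.Find([X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
    if ($stored.Count -ne 1 -or -not $stored[0].HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) was stored without a private key."
    }
    "Installed '$($stored[0].Subject)' with its private key in LocalMachine\My."
}
finally {
    $store.Close()
}
```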

Object contains only the public half of a key pair

Upon installation of a client side certificate, I am getting the exception "Object contains only the public half of a key pair. A private key must also be provided". My application is a VC#.NET application running over an ASP.NET platform. The application also uses WSE 2.0 to import certificates into making SOAP requests.
Upon research, I've found that this exception is of type System.Security.Cryptography.CryptographicException.
I am pretty positive all my WSE settings are configured correctly, since I was able to find a similar certificate by subject-distinguished-name. Any ideas will be greatly appreciated.
I was recently having the same problem. I found one explanation here that worked for me. Specifically, the permissions for the private key. The full info is copied below.
There are a couple things that I would look at first:
Do you have a private key for this certificate?
Have you given permission for your application to access the private key?
You can establish whether you have a private key by viewing the certificate through the Windows Certificate Store. To get to this, follow these steps:
From the Windows Start menu, select Run.
Type mmc in the Open: field. Click OK.
Select "Add/Remove Snap-in" from the File menu.
Click the Add button.
Select "Certificates" from the list of Available Standalone Snap-ins.
Click the Add button.
Select "Computer account." Click Next.
Select "Local Computer". Click Finish.
Click Close.
Click OK.
Expand the Certificates node under the Console Root and open the Personal store.
Double-click the Certificate you're using. If you have a private key, the dialog will display a message at the bottom that says "You have a private key that corresponds to this certificate".
If you have a private key, then ensure that your application has permission to access the key:
Open Windows Explorer.
Navigate to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
Select the files containing the keys that the WSE will need to retrieve.
From the File menu, select Properties.
On the Security tab, add the ASPNET account and select the Full Control option.
Notes:
1. Determining which key file in the MachineKeys folder is associated with a certificate can be difficult. One easy method is to note the creation date and time when creating a new certificate. When you view the files in the MachineKeys directory, check the Date Modified field for the corresponding date and time.
2. If you have configured your system to run under a different account than ASPNET, use that account when granting permissions to access the certificate.
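An added example, not part of the quoted answer: instead of matching Date Modified timestamps, this resolves the exact key file behind a certificate from its key container name, then grants an account Read access rather than Full Control. It assumes an elevated Windows PowerShell 5.1 session on .NET Framework 4.6 or later, a certificate in LocalMachine\My, and the ProgramData layout of Windows Vista/Server 2008 and later; the thumbprint placeholder and the account name 'IIS AppPool\ExampleAppPool' are hypothetical.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example; the thumbprint placeholder and account name are assumptions.
function Get-CertPrivateKeyFile {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate '$($cert.Subject)' has no private key associated in this store."
    }

    # Returns RSACng or RSACryptoServiceProvider depending on the key's provider.
    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw 'The private key is not an RSA key.' }
    $name = if ($rsa -is [RSACng]) {
        $rsa.Key.UniqueName
    } else {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine keys are stored in one of these folders (legacy CSP vs. CNG providers).
    $folders = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
               "$env:ProgramData\Microsoft\Crypto\Keys"
    $file = Get-ChildItem -Path $folders -Filter $name -Force -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $file) {
        throw "Key file '$name' not found; the key may be in a user profile or on hardware."
    }
    $file
}

function Grant-KeyFileRead {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)

    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)          # adds one ACE, leaves existing entries untouched
    Set-Acl -Path $Path -AclObject $acl
}

$keyFile = Get-CertPrivateKeyFile -Thumbprint '<CERT-THUMBPRINT>'
Grant-KeyFileRead -Path $keyFile.FullName -Account 'IIS AppPool\ExampleAppPool'

# Review who can now read the key.
(Get-Acl -Path $keyFile.FullName).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```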
As per my experience it could be failing because of two reasons.
Check if your cert has a private key available.
If that is a .NET application, then check that you have given permission on the cert so that your application has permission to access it. In my case adding "iis_iusrs" and giving it read permission worked for me.
Thanks.
After encountering the same exception: System.Security.Cryptography.CryptographicException, Object contains only the public half of a key pair, I proofed an alternative, but less optimal solution.
Situation: Certificate / key look up worked great inside of Visual Studio IIS Express, but while the Web Application was running under the proper IIS service, I always received the 'Contains only public half of key pair' exception.
I used the WSE3 CertificateTool to locate the private key section on the filesystem and attempted at length to adjust the user permission settings to give the ASP user permissions as per the above answer.
My eventual fix, which was not pretty, was to create a new IIS Application Pool specific to my Web service code and set the user Identity the pool runs as the Local machine owner of the certificate + private key.
The final location I installed the certificate in was "Local Computer / Trusted People".
Using WSE3 CustomPolicyAssertion, C# .NET:
clientToken = X509TokenProvider.CreateToken(StoreLocation.LocalMachine,
StoreName.TrustedPeople, "soap.partnersite.com", X509FindType.FindBySubjectName);
After updating the App Pool Identity, no private key file overrides were necessary when changing the application pool owner.