--First a little background:--
I have already managed to connect to a Microsoft web service using C#. To use this web service, I have to supply a username and a password in the C# code. I also have to install a certificate (in .cer format) into the "Root Certificate Authorities" section of the system's certificates.
(By the way, the C# class I use to connect to the service was automatically generated for me with the command line tool "svcutil.exe https://address.of.service")
--Here is my question:--
How can I connect to this web service using Axis2/C? The example in the documentation is of a completely different nature -- it asks for a certificate, key file, and a passphrase. In my case, it is username, password, and a .cer file.
So I'm not sure where to even begin. I don't know where my .cer file, username and password should go exactly. Any ideas?
If at all possible stay away from Axis2, perhaps use gSOAP instead.
That said, figure out which of the HTTP libraries you are building Axis2 with (I believe it can use a number of different ones depending on which OS you are building etc).
Also you might want to update your question with the reference to the sample program you are talking about and relevant excerpt from the C# client for reference.
Related
I am using libcurl for a small c application. The project uses https and requires a validation of both, server and client certificates. I cannot use an option to suppress the verification, since I work in an insecure environment.
I am currently trying to get the server side certificate validated. First attempts gave me an expected error:
Peer certificate cannot be authenticated with given CA certificates
As said an expected error, I understand what the message means. I dug into the documentation of libcurl and found that it supports "certificate bundles", and that younger versions do not come with a bundle all. All options I found (and also all explanations) refer to certificate files read at runtime and obviously suggest to include the required CA certificate in the local bundle.
Instead I would prefer to include a single certificate inline into the application, so compiled in. This does make sense for this special case, since the application only tries to access a single, hard coded url, so server. I accept that I'd have to replace all deployed copies of the application if the server certificate gets changed. However I do not find any options for that in the documentation. I would prefer this strategy, since it allows a much more compact deployment of the application: a single file instead of a structure and runtime configuration.
So my question is: does libcurl offer to include a CA certificate at compile time which can be used at runtime without having to rely on an external bundle?
In libcurl the part that verifies certificates is handled by openssl. You could use SSL_CTX_use_certificate to install your certificate at runtime or use SSL_CTX_set_verify to overwrite the SSL verification function with your own.
Check curlx.c for an example.
I am using the variables to configure the same "connection string" between two applications, since the two do access the same database of users.
Can I set the same SQL Server (Nano 10GB) in more than one application to use transformation for web.config?
This is not currently possible since there is no way to have the connectionsstring injected into other applications than the one that has the add-on provisioned. Feel free to add this as a feedback suggestion.
It is possible, but requires some legwork. Basically you need to have one app with a known location (URL is fine) that the others can ask for the Connection String. The hard part is doing it securely enough. I'm partway there...
I've rigged up a system where you have a password that both of your Apps know in AppSettings, and then have the Secondary Website send a Public Key to the Primary Website with the password. Who then encodes the connection string, and sends it back.
The password CAN be injected by Appharbor when it does a deploy. And the connection string is also setup on the deploy. Ideally you'd use SSL but I don't have that setup and it makes life hard when working locally.
Proof Of Concept: https://bitbucket.org/Rangoric/database-coordination/overview
It does work, just start both of the website projects in there, and go to http://localhost:4002/Database and you will see what is in the connection String of the Primary website.
EDIT: I just realized that since you can piggyback the SSL Cert of appharbor with the free subdomain they give you, you can use that URL for added security if you don't have your own SSL cert.
Does anybody have any experience with libcurl (C/C++) and Kerberos authentication?
I am able to set everything up and post data - however, now we have switched on SSO (via SPNEGO on a JBoss server) I am unable to authenticate properly, with authorization being downgraded to Basic.
At this stage I am using curl_easy_setopt(curl,CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE) and have also set the CURLOPT_KRBLEVEL to "private".
Looking at the headers in wireshark, the response from curl doesn't provide any credentials - which is throwing an EncryptionKey exception on the JBoss server. I am able to authenticate on the server via .NET using cached credentials and a httprequest object. Only problem is we can't use .NET on this project.
Thanks in advance for any help.
As an additional point. I have just seen that under libcurl Kerberos is only supported for ftp. I am trawling the source to try and confirm if this is the case. Anybody know of any other libraries that we might be able to use to perform our POST?
Ok - for anybody that reaches this point...
I downloaded this version: http://curl.haxx.se/download.html win 32 generic.
It is compiled to run under ssh, ntlm and kerberos etc. The download includes the relevant DLL's you will need to create apps for any environment that requires cached credentials.
If you want specific code - pertaining to using callbacks, chunking etc, drop me a line and I can forward it to you. Given the flexibility of the curl library - it would be a bit much to just drop a ton of code here. Once you have the curl.exe up and running, there is a cmd line switch that can output the equivalent code to a text file (although it doesn't include information regarding any writecallback functions etc - just the easy setup options required). Thanks to n.m for your help - much appreciated. G
I'm doing https web requests in silverlight using "WebRequest"/"WebResponse" framework classes.
Problem is: I do a request to an url like: https://12.34.56.78
I receive back a versign signed certificate which has as subject a domain name like: www.mydomain.com.
Hence this results in a remote certificate mismatch error.
First question: Can I somehow accept the invalid certificate, and get the WebBresponse content ? (even if it involves using other libraries, I'm open to it)
Additional details: (for those interested on why I need this scenario)
I'm trying to give a client access to a silverlight app deployed on a test server.
Client accesses the silverlight app at: www.mydomain.com/app
Then I do some rest requests to: https://xx.mydomain.com
Problem is I don't want to do requests on https://xx.mydomain.com, since that is on our productive server. For this reason I use https://12.34.56.78 instead of https://xx.mydomain.com.
Client has some firewalls/proxies and if I simply change his hosts file and map https://xx.mydomain.com to 12.34.56.78, web requests don't resolve to the mapped IP.
I say this because on his network webrequests fail if I try that, on my network I can use the hosts changing without problems.
UPDATE: Fixed the problem by deploying test releases to an alternative: https://yy.domain.com and allowing the user to configure for test purposes, the base url to which I do requests to be: https://yy.domain.com.
Using an certificate that contained the IP in the subject or an alternative subject would've probably worked too, but would have cost some money to be issued by a certified provider and would not be so good because IP's might change.
After doing more research looks like Microsoft won't add this feature too soon, unless there's a scenario for non-testing/debugging uses.
See: http://connect.microsoft.com/VisualStudio/feedback/details/368047/add-system-net-servicepointmanager-servercertificatevalidationcallback-property
I'm using common database code between a web and WinForms app. I've researched and worked out how to encrypt the connection strings section of a web.config and app.config file. That part is ok. I have also worked out how to decrypt the connection strings in my Azure web app, that's ok. I can also read the connection strings in my WinForms app after loading the .pfx file into the machine's certificate store, but after I reboot it fails, because it can't find a private key in the pfx file.
I am using a certificate created with these commands:
makecert -r -pe -n "CN=myconfig" -sky exchange "myconfig.cer" -sv "myconfig.pvk"
pvk2pfx -pvk "myconfig.pvk" -spc "myconfig.cer" -pfx "myconfig.pfx" -pi
This gives me 3 files: myconfig.pvk, myconfig.cer, myconfig.pfx
I assume the problem is the private key isn't stored in the pfx file, and needs to be re-authenticated each time after a reboot- but I don't know enough about encryption to know how to do that. Further, the WinForms app is for very limited distribution onto controlled machines, so I'd like to install each certificate manually.
I'm an newbie to encryption and am stuck. Can I load a .pfx file onto a machine, enter the private key (which I know but won't tell the user) & have that stored persistently? Am I missing something- is there a different certificate file I should install, or way of generating it? I don't want to leave the private key accessible. If someone steals the app.config, I don't want them to be able to decrypt it.
Note: I have read about the RsaProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider. I have chosen to use PKCS12ProtectedConfigurationProvider because it works with Azure, ref: http://blogs.msdn.com/b/sqlazure/archive/2010/09/07/10058942.aspx
I stumbled on the answer when I deployed the app to my local IIS & got the error "Failed to decrypt using provider 'CustomProvider'. Error message from the provider: Keyset does not exist"
There was a permissions problem with the private key, resolved with the help of this article:
CryptographicException 'Keyset does not exist', but only through WCF
The article includes a number of possible causes, the one which fixed my issue was fixing the permissions in 'Manage Private Keys' from the MMC Certificates snap-in (see link, the steps are well laid out).