aws web service not available on the internet - amazon-web-services

In unix using putty I am able to get a result:
curl http://localhost:8080/products-ut-wo-db/rest/products
In security group I have inbound: 8080
In /home/ec2-user/java/tomcat9/webapps/manager/META-INF/context.xml I comment out the valve following:
I tried these url nothing come:
http://ec2-18-236-111-143.us-west-2.compute.amazonaws.com:8080/products-ut-wo-db/rest/products
http://ec2-18-236-111-143.us-west-2.compute.amazonaws.com:8080
Here is my netstat -nat:
Here is the /home/ec2-user/java/tomcat9/conf/server.xml:
Here is my /home/ec2-user/java/tomcat9/conf/server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
Any help or hint will be greatly appreciated it.

It seems that tomcat is not binding to a IPv4 address (according to netstat output, it is only bound to IPv6 - check first column).
In order to configure tomcat to bind to IPv4, refer to this answer. It describes the proper way to configure your tomcat JVM to preferIPv4Stack and preferIPv4Addresses.

Related

Hosting Django web application on IIS error

My organization has implemented a web application in Django, and we need to host it on a Windows system. We are using Django 3.2.8 and Python 3.8.8.
The Django project is currently stored here:
C:\inetpub\wwwroot\CED_HRAP
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="Python FastCGI" path="\*" verb="*" modules="FastCGIModule" scriptProcessor="c:\python38\python.exe|c:\python38\lib\site-packages\wfastcgi.py" resourceType="Unspecified" requireAccess="Script" />
</handlers>
<defaultDocument>
<files>
<clear />
<add value="Default.htm" />
<add value="Default.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="iisstart.htm" />
<add value="base.html" />
</files>
</defaultDocument>
<directoryBrowse enabled="false" />
</system.webServer>
<appSettings>
<add key="PYTHONPATH" value="C:\inetpub\wwwroot\CED_HRAP" />
<add key="WSGI_HANDLER" value="CED_HRAP.wsgi.application" />
<add key="DJANGO_SETTINGS_MODULE" value="CED_HRAP.settings" />
</appSettings>
</configuration>
Our settings.py file is located at
C:\inetpub\wwwroot\CED_HRAP\CED_HRAP\settings.py
We are currently seeing this error message:
HTTP Error 403.14 - Forbidden The Web server is configured to not list
the contents of this directory.
Most likely causes:
A default document is not configured for the requested URL, and
directory browsing is not enabled on the server.
How should we configure the default documents in the web.config file so that it links to Django's internal routing (urls.py)?
We followed the instructions here:
https://github.com/Johnnyboycurtis/webproject
(youtube: https://www.youtube.com/watch?v=APCQ15YqqQ0)
You can see that the web.config file in the above repository does not have any default documents specified. We added them to web.config in an effort to resolve the current error.
Have also looked at several other tutorials and documents on this process, but have not been able to resolve the problem.
Thanks!
This problem occurs because the website doesn't have the Directory Browsing feature enabled. Also, the default document isn't configured. To resolve this problem, use one of the following methods:
Method 1: Enable the Directory Browsing feature in IIS
To resolve this problem, follow these steps:
Start IIS Manager. To do it, select Start, select Run, type inetmgr.exe, and then select OK.
In IIS Manager, expand server name, expand Web sites, and then select the website that you want to change.
In the Features view, double-click Directory Browsing.
In the Actions pane, select Enable.
Method 2: Add a default document
To resolve this problem, follow these steps:
Start IIS Manager. To do it, select Start, select Run, type inetmgr.exe, and then select OK.
In IIS Manager, expand server name, expand Web sites, and then select the website that you want to change.
In the Features view, double-click Default Document.
In the Actions pane, select Enable.
In the File Name box, type the name of the default document, and then select OK.

Why is LTPA Cookie missing in my WAS Liberty environment?

I have configured OIDC authentication (external OP) with WAS Liberty Profile version WebSphere Application Server 21.0.0.7/wlp-1.0.54.cl210720210629-1900.
While testing, the OIDC authentication is successful and I see the following cookies set by WAS on my browser:
JSESSIONID
WASReqURLOidcp1059877004
WASReqURLOidcp825245628
WAS_n1263819336
WAS_n1832376351
WAS_p2129763847
WASOidcStaten765589445
WASOidcCode
I do see these messages in my messages.log during server startup:
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager I CWWKS4103I: Creating the LTPA keys. This may take a few seconds.
0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager A CWWKS4104A: LTPA keys created in 0.337 seconds. LTPA key file: jv-ltpa.keys
0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask I CWWKS4105I: LTPA configuration is ready after 0.341 seconds.
Also, in my server.xml I have NOT explicitly disabled LTPA token or cookie generation.
disableLtpaCookie="false"
Why isn't there an LTPA cookie being set in my browser?
Here is my server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server description="Default Server">
<!-- Enable features -->
<featureManager>
<feature>javaee-8.0</feature>
<feature>microProfile-3.0</feature>
<feature>adminCenter-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>openidConnectClient-1.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<openidConnectClient id="oidcBridge" clientId="removed"
clientSecret="removed"
discoveryEndpointUrl="https://my-op.com/.well-known/openid-configuration" signatureAlgorithm="RS256"
jwkEndpointUrl="https://my-op.com/.well-known/jwks.json" disableLtpaCookie="false"
allowDefaultSsoCookieName="true">
</openidConnectClient>
<basicRegistry id="basic">
<user name="admin" password="admin" />
<user name="user1" password="user1" />
<user name="user2" password="user2" />
<group name="users">
<member name="user1" />
<member name="user2" />
</group>
</basicRegistry>
<administrator-role>
<user>admin</user>
</administrator-role>
<!-- To allow access to this server from a remote client host="*" has been added to the following element -->
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true" />
<keyStore id="defaultKeyStore" password="removed" location="${server.config.dir}/jv-trust.p12" type="PKCS12" />
<ltpa keysFileName="jv-ltpa.keys" keysPassword="removed" expiration="1200" />
<webAppSecurity singleSignonEnabled="true" ssoDomainNames="app1.com" allowFailOverToBasicAuth="true"
ssoRequiresSSL="false" />
<application context-root="snoop" id="DefaultApplication"
location="${server.config.dir}/apps/DefaultApplication.ear" name="DefaultApplication" type="ear">
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
</server>

There was and error downloading 'https://$metadata'. The request failed with http status 403: Forbidden - XAMARIN WEB REFERENCE WITH HTTPS

I managed to create a web service with self signed SSL through IIS. It's settings at first are set to Client Certificate to none and none required SSL. It is accessible by that time threw web browser and mobile web reference.
Web Browser
Xamarin Web Reference
But when I set the SSL settings to required, it is now forbidden in both. What am I missing in settings for SSL Configuration?
SSL Settings Thru IIS
Web Browser Forbidden Access
Xamarin Web Reference Forbidden Access
WebConfig
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<connectionStrings>
<add name="constring" providerName="System.Data.SqlClient" connectionString="Data Source = source;Initial Catalog = dbname; User ID = user; Password = pw" />
</connectionStrings>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation targetFramework="4.5" />
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding maxReceivedMessageSize="10485760" name="SecureHttpBinding">
<readerQuotas maxStringContentLength="10485760"></readerQuotas>
<security mode="Transport">
<transport clientCredentialType="None"></transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
</configuration>
To access web service via HTTPS in web browser, I followed this link for creating temporary client certificate but I changed the step #5 to this command
makecert -sk MyKeyName -iv RootCaClientTest.pvk -n "CN=tempClientcert" -ic RootCaClientTest.cer -sr localmachine -ss my -sky exchange -pe
I changed the currentuser to localmachine and signature to exchange so that it will be in personal certificate store. When you access the site again, it will ask for client certificate and you can choose it to proceed.
For the main problem to access the service in visual studio xamarin via web reference (which is forbidden somehow).
I found this link to solve the forbidden problem. You can see the second post of (c)MarkoOkram for the solution.
"I am solved problem by saving web browser .wsdl and .xsd files on file system, change reference in those files to matching files. Than i succesfully add reference in visual studio to that file system .wsdl file." -(c) MarkoOkram
I downloaded the file WSDL and XSDs written in WSDL then retarget the filepath to their respective directories and it's done.
update: I also tried to import singleWSDL and it works without editing for xsd's

Messages not being received by ADM client

I'm trying to send SNS messages to a Firephone and while I seem to be sending the messages (to somewhere), nothing appears to be getting through to my firephone.
I was able to use the code in the documentation to create the KindleMobilePushApp, was able to generate a RegistrationID, I created the security profile for the test app, etc. I'm assuming that I must have done something right if I'm getting a registration ID.
Then I tried to send a message to the phone, using the Kindle demo app to receive the message but nothing seems to come through, the "onMessage" method of ADMHandler is never called.
I tried to send message both via the AWS SNS console, and through the java app provided in the documentation (sns.samples.mobilepush), the Java app seems to be publishing something, but once again, its not coming through to my firephone, or at least not being received by my Receiver class.
I've never used SNS before, so I'm ot sure where the problem is coming form, whether I'm not sending to the right endpoint, or the somehow my app isn't getting the messages its supposed to be getting. CloudWatch is reporting same number for "messages published" and "messages failed" but really no clue what's happening to the message.
Any thoughts where I should be looking? Below my manifest, and publish results from the java sender program.
<!-- Copyright 2013 Amazon.com, Inc. or its affiliates. All Rights Reserved. -->
<!-- Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at -->
<!-- http://aws.amazon.com/apache2.0/ -->
<!-- or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:amazon="http://schemas.amazon.com/apk/res/android"
package="com.grapevine.snstest"
android:versionName="1.0" >
<uses-sdk
android:minSdkVersion="11"
android:targetSdkVersion="17" />
<!-- This permission ensures that no other application can intercept your ADM messages. It
should have the form packagename.permission.RECIEVE_ADM_MESSAGE where packagename is the
name defined in the "package" property of the manifest tag. -->
<permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"
android:protectionLevel="signature"/>
<!-- Required permissions -->
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"/>
<uses-permission android:name="com.amazon.device.messaging.permission.RECEIVE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<application
android:icon="#drawable/ic_launcher"
android:label="#string/app_name"
android:theme="#style/AppTheme" >
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"/>
<activity
android:name="com.grapevine.snstest.KindleMobilePushApp"
android:screenOrientation="portrait"
android:label="#string/title_activity_main"
android:launchMode="singleTop" >
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE"/>
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- Your application's API Key -->
<!--<meta-data android:name="AmazonAPIKey" android:value="#string/api_key"/>-->
<!-- Declare your ADMMessageHandlerBase implementation as a service -->
<service android:name="com.grapevine.snstest.ADMMessageHandler"
android:exported="false" />
<!-- You must explicitly enable ADM. You must also declare whether your application will run with or without ADM.
If you specify android:required="false", your app must degrade gracefully when ADM is unavailable. -->
<amazon:enable-feature android:name="com.amazon.device.messaging"
android:required="true" />
<receiver android:name="com.grapevine.snstest.ADMMessageHandler$MessageAlertReceiver"
android:permission="com.amazon.device.messaging.permission.SEND">
<uses-permission android:name="com.grapevine.snstest.permission.RECEIVE_ADM_MESSAGE" />
<intent-filter>
<action android:name="com.amazon.device.messaging.intent.REGISTRATION" />
<action android:name="com.amazon.device.messaging.intent.RECEIVE" />
<category android:name="com.grapevine.snstest"/>
</intent-filter>
</receiver>
</application>
</manifest>
Here's the output when I use the MobilePushApp sample program:
===========================================
Getting Started with Amazon SNS
===========================================
{PlatformApplicationArn: arn:aws:sns:us-west-2:308914227153:app/ADM/SNSTest}
{EndpointArn: arn:aws:sns:us-west-2:3089xxx53:endpoint/ADM/SNSTest/66xxxf-1f06-3xx1-b887-fxxxxbe19}
{Message Body: {"ADM":"{\"data\":{\"message\":\"Hello World! \"},\"expiresAfter\":1000,\"consolidationKey\":\"Welcome\"}"}}
{Message Attributes:}
Published!
{MessageId=90f09248-e65b-5713-a6da-debb8e5afcef}
Process finished with exit code 0
Whoops, this didn't work because SNS messaging wasn't enabled on the App in the developer portal.

Web Service hosted by SAP and consumed by a .NET Application

I'm trying to setup an SAP Web Service that would be consumed by a .NET application. Thinking it was simple, I had set the Service up in SAP to use HTTP. I right-click on the "Service References" in the .NET Project Tree, and choose "Add Service Reference...", Enter the WSDL URL locally hosted on our servers, and press Go, then select the endpoint, then press OK.
I opened up the app.config file to find that it says <httpsTransport> instead of <httpTransport>, although I set it up to use HTTP.
<system.serviceModel>
<bindings>
<customBinding>
<binding name="ZHR_RECRUITNEW1">
<!--WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'urn:sap-com:document:sap:soap:functions:mc-style':-->
<!-- <wsdl:binding name='ZHR_RECRUITNEW'> -->
<!-- <wsaw:UsingAddressing xmlns:wsaw="http://schemas.xmlsoap.org/ws/2004/08/addressing">..</wsaw:UsingAddressing> -->
<!-- <saptrnbnd:OptimizedXMLTransfer xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/">..</saptrnbnd:OptimizedXMLTransfer> -->
<!-- <sapattahnd:Enabled xmlns:sapattahnd="http://www.sap.com/710/features/attachment/">..</sapattahnd:Enabled> -->
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap11" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" requireClientCertificate="false" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="http://<host>:8000/sap/bc/srt/rfc/sap/zhr_recruitnew/300/zhr_recruitnew/zhr_recruitnew"
binding="customBinding" bindingConfiguration="ZHR_RECRUITNEW1"
contract="ServiceReference2.ZHR_RECRUITNEW" name="ZHR_RECRUITNEW1" />
</client>
</system.serviceModel>
So, for it to work "properly", I have to rename that xml tag from httpsTransport to httpTransport and remove the attribute requireClientCertificate="false"
So, I go into SAP to set up the Service to use HTTPS, and then go back to the .NET project and re-add that service, to get this error message:
Could not establish trust relationship for the SSL/TLS secure channel with authority '<host>:<portnumber>'.
I'm curious as to whether that comment "WsdlImporter encountered unrecognized policy assertions" in the config file has to do anything with that info being misread from SAP
Could not establish trust relationship for the SSL/TLS secure channel with authority ':'.
You get this because the certificate on the service provider isn't in your trusted root certificates locally.
You can add this to your code(before anything else) to ignore it:
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);