I have a WCF client with customBinding and mtomSOAPMessage Soap11. I got a certificate in P7B format from the CA, which was requested using a CSR generated with OpenSSL. I see this P7B certificate doesn't have a private key linked.
How do I point my WCF configuration to this certificate for signing messages with the private key?
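Added example, not part of the question or of any answer on this page: a POSIX shell script using OpenSSL that combines the CA's .p7b reply with the private key OpenSSL wrote when the CSR was generated into a single PKCS#12 (.pfx) file. A .p7b carries only certificates (the leaf plus its chain), never a private key, which is why the key looks "missing"; the key is in the file created alongside the CSR. File names, the friendly name "wcf-client" and the password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Combine the CA's PKCS#7 (.p7b)
# reply with the private key created alongside the CSR into one PKCS#12
# (.pfx) file. The .p7b never contains a private key; the key is the file
# OpenSSL wrote when the CSR was generated. File names, friendly name and
# password are assumptions.
set -eu

# p7b_to_pfx <reply.p7b> <private-key.pem> <out.pfx> <pfx-password>
# Returns non-zero if the key does not belong to the first certificate.
p7b_to_pfx() {
    p7b=$1; key=$2; out=$3; pass=$4
    chain=$(mktemp)
    # CAs ship .p7b either as PEM (text) or as DER (binary); detect which.
    if grep -q -- '-----BEGIN' "$p7b"; then inform=PEM; else inform=DER; fi
    # 1. Unpack the PKCS#7 bundle into PEM certificates: leaf first, then CAs.
    openssl pkcs7 -print_certs -inform "$inform" -in "$p7b" -out "$chain" \
        || { rm -f "$chain"; return 1; }
    # 2. Pair the private key with the leaf and bundle the chain.
    #    openssl refuses if the key and the leaf do not belong together,
    #    which is the check you want: it proves the issued certificate
    #    really answers your CSR.
    openssl pkcs12 -export -inkey "$key" -in "$chain" -out "$out" \
        -name "wcf-client" -passout "pass:$pass" \
        || { rm -f "$chain"; return 1; }
    rm -f "$chain"
}

# pfx_has_key <file.pfx> <password>: succeeds if the .pfx carries a private key
pfx_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# pfx_cert_count <file.pfx> <password>: number of certificates in the .pfx
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```

The resulting .pfx is what the Windows certificate store imports (MMC or certutil -importPFX); once it is in the store, the WCF client certificate is selected in the clientCredentials/clientCertificate element by thumbprint or subject name rather than by file path. If the private key file was written encrypted, openssl pkcs12 prompts for its passphrase.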
I have added my client certificates in Postman by going to FILE > SETTINGS > CERTIFICATES > CLIENT CERTIFICATES section.
Where do I add the server certificate, which I trust, for two-way TLS?
There is a section above Client Certificates called CA Certificates. Is this where the trusted certificate is to be added?
Thanks!
The client certificate needs to go under Client Certificates. This will be your keystore.
The server certificate needs to go under CA Certificates. This will be your truststore.
See the docs here.
Using WSO2 APIM 2.6.0, it seems the primary keystore certificate is used for multiple purposes:
- service (nio-https) SSL: that can be easily changed
- signing the JWT token for the API Gateway backend service
- the Thrift SSL endpoint for the Traffic Manager (port 9711)
The issue I have is that in a distributed setup a separate gateway should reach the TM endpoint, and the hostname needs to be trusted. So, in theory, I can create a self-signed certificate with a new hostname; however, a new keypair/certificate will break the existing backend validating the JWT token.
In theory I could just create a different self-signed certificate with the same public key, but it may be more complex to manage in the long run (I don't want to promote this practice).
Question: Is there a way to configure either the JWT signing certificate or the Thrift SSL certificate separately? Or to disable hostname validation for the throttling service (port 9711)?
(I'm not sure we want to allow disabling hostname validation globally.)
Since you have a distributed setup, this can be achieved easily.
You need to change the certificate in the gateways so that they use that keystore for the TM connection.
Keep the KM keystore as it is, so that the JWT is signed using the same old keystore.
I am new to this TLS connection and certificates area.
I have certificates and a private key to make a connection with the server; I am trying it with OpenSSL. I am confused whether I have to encrypt the private key before sending it to the server or use it directly. Also, do I have to encrypt all further messages with this private key?
I have 2 certificates; which API in OpenSSL takes 2 certificates for the handshake?
In WSO2 ESB I want to add an HTTPS proxy service, but when I define the proxy service and specify a source URL using https://..., the Test URL gives this error:
Invalid WSDL URI (Unable to establish a connection)
And in the next step, when defining the endpoint with an endpoint address of https://..., this error appears:
Unable to validate SSL Certificate of https://....
I tried to add a .crt file certificate for my HTTPS proxy service to wso2\repository\resources\security\client-truststore.jks with keytool:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
and enabled the HTTPS transport sender and receiver in axis2.xml, but my problem is not solved.
I guess you are trying to connect to an HTTPS endpoint using a proxy service. Here you want to import the endpoint server's certificate chain into the "client-truststore.jks" file and restart the server. However, by default the HTTPS transport sender and receiver are enabled. You may not need to enable them.
But a few things to remember:
In the transport sender, if you do NOT want to verify the host name of the endpoint server against its certificate, please configure the "HostnameVerifier" property to "AllowAll". If not, and your endpoint server's IP and certificate CN do not match, it would create some errors.
If the endpoint server's certificate is a self-signed one, you can just import the server's certificate. If it is a CA-signed one, you need to import the whole CA certificate chain.
(However, most common CA certificates can be found in the "client-truststore.jks" file.)
If you want to change the trust store or key store files, you can do it using the transport sender configuration. By default the trust store file is "client-truststore.jks". Also, if you made any changes to the axis2.xml file or the key stores, please restart the server.
Also, if you want to expose your proxy service over SSL, you need to enable "https" in the proxy service. Then your client needs to use the ESB server's certificate to call the proxy service.
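Added example, not from the answer above or from WSO2: a POSIX shell script that fetches the chain an HTTPS endpoint presents with openssl s_client and imports every certificate of that chain into client-truststore.jks with keytool, one alias per certificate, which is the "import the whole CA chain" step described above. keytool -importcert stores one trusted certificate per alias, so a multi-certificate PEM file is split before importing. The endpoint host and port, the alias prefix and the truststore password are assumptions; the fetch step needs the endpoint to be reachable, the import step only needs the chain file.

```shell
#!/bin/sh
# Added example (not from the answer or from WSO2). Fetch the certificate
# chain an HTTPS endpoint presents and import every certificate in it into
# WSO2's client-truststore.jks, one alias per certificate. keytool stores
# one trusted certificate per alias, so the chain file is split first.
# Host, alias prefix, truststore path and password are assumptions.
set -eu

# fetch_chain <host> <port> <out.pem>: writes the chain the server sends
# (leaf first, then intermediates). Sends SNI so virtual hosts answer correctly.
fetch_chain() {
    host=$1; port=$2; out=$3
    # -showcerts prints each certificate of the presented chain in PEM;
    # sed keeps only the PEM blocks.
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -showcerts 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ]
}

# import_chain <chain.pem> <truststore.jks> <password> <alias-prefix>
# Splits the PEM chain and imports certificate N as "<prefix>-N".
# Fails if an alias already exists, so a re-run never silently overwrites.
import_chain() {
    chain=$1; store=$2; pass=$3; prefix=$4
    work=$(mktemp -d)
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$chain"
    n=0
    for cert in "$work"/cert-*.pem; do
        n=$((n + 1))
        # Show what is about to be trusted; read these lines before trusting.
        openssl x509 -in "$cert" -noout -subject -issuer -fingerprint -sha256
        keytool -importcert -noprompt -storetype JKS \
            -keystore "$store" -storepass "$pass" \
            -alias "$prefix-$n" -file "$cert" >/dev/null 2>&1 \
            || { rm -rf "$work"; return 1; }
    done
    rm -rf "$work"
    [ "$n" -gt 0 ]
}

# trusted_count <truststore.jks> <password>: number of trusted entries
trusted_count() {
    keytool -list -storetype JKS -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -c trustedCertEntry
}
```

Typical use is fetch_chain api.example.test 443 chain.pem followed by import_chain chain.pem repository/resources/security/client-truststore.jks <password> api-example, then a server restart as the answer says. Prefer getting the chain this way and leaving hostname verification on; setting HostnameVerifier to AllowAll removes the check that the endpoint you reached is the one the certificate was issued for.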
I have created a WCF service with a SAML implementation. I am using federation binding for the same. From my client application I am able to access the services hosted on my WCF web service easily when I'm running both the client and the host service on the same machine. I have used certificates for authentication (SAML implementation).
For your information, I have a custom module on the client side which acts as an identity provider. The host service just has some functions which are exposed using wsfederationbinding.
Now the problem is that when I'm running my WCF service host on a different system and the client application (consumer with identity provider) on another system, I'm getting the following error message:
MessageSecurityException: The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'.
Note: I feel there is some mismatch happening in terms of certificates between the client and the host service.
I have resolved the above problem; the root cause of the above error was a certificate mismatch.
I read on one of the SAML forums about the SAML certificate authentication procedure, which says:
The token is encrypted using the public certificate on the client side.
On the server side (the web service host in my case) the received token is decrypted using the private key of the certificate.
So, in my case the certificates on the client side were different from the ones on the server side.
Resolution:
Just export the certificates from the server side (the web service host in my case) and import the same on the client side.
Note: There are 2 certificates, the client certificate and the server certificate, on both sides (client side and server side).
So in reality, when a client wants to access the host web service (dynamically), just like downloading apps, we need to create both certificates on the service side and deploy those certificates to the client upon activation of the client app. This way the certificates will be in sync.