I am new to rabbitMQ. I enabled TLS for rabbitMQ on my local. As a part of it I created the certificate on my WINDOWS machine (followed the LINIUX Step) as discussed in the https://www.rabbitmq.com/ssl.html.
Also updated the rabbitMQ.config file as below:
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile,"/etc/ca_certificate.pem"},
{certfile,"/etc/private_key.pem"},
{keyfile,"/etc/server_certificate.pem"},
{password, "MySecretPassword"},
{verify,verify_peer},
{fail_if_no_peer_cert,true}
]}
]}
].
Steps followed to create the certificates on WINDOWS MACHINE:
Bash Cmd Prompt:
cd /C/temp/ThirdOne
mkdir testca
cd testca
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt
Using OpenSSL CMD
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out ca_certificate.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in ca_certificate.pem -out ca_certificate.cer -outform DER
mkdir server
cd server
openssl genrsa -out private_key.pem 2048
openssl req -new -key private_key.pem -out req.pem -outform PEM -subj /CN=desktop-s08pnk3/O=server/ -nodes
cd..
openssl ca -config openssl.cnf -in ./server/req.pem -out ./server/server_certificate.pem -notext -batch -extensions server_ca_extensions
openssl pkcs12 -export -out ./server/server_certificate.p12 -in ./server/server_certificate.pem -inkey ./server/private_key.pem -passout pass:MySecretPassword
mkdir client
cd client
openssl genrsa -out private_key.pem 2048
openssl req -new -key private_key.pem -out req.pem -outform PEM -subj /CN=desktop-s08pnk3/O=client/ -nodes
cd..
openssl ca -config openssl.cnf -in ./client/req.pem -out ./client/client_certificate.pem -notext -batch -extensions client_ca_extensions
openssl pkcs12 -export -out ./client/client_certificate.p12 -in ./client/client_certificate.pem -inkey ./client/private_key.pem -passout pass:MySecretPassword
On top of it I installed the certificate of client on Local.
NOTE: My client and server are both are local machine only.
Code that I am using for connecting to rabbit MQ:
private static void RabbitMQWithSSLEnable()
{
try
{
string rabbitmqHostName = "desktop-s08pnk3";
string rabbitmqServerName = "desktop-s08pnk3";
string certificateFilePath = #"C:\temp\ThirdOne\client\client_certificate.pem";
string certificatePassphrase = "MySecretPassword";
string rabbitmqUsername = "test";
string rabbitmqPassword = "test";
var factory = new ConnectionFactory();
factory.HostName = rabbitmqHostName;
factory.UserName = rabbitmqUsername;
factory.Password = rabbitmqPassword;
//factory.Uri = new Uri("amqps://test:test#desktop-s08pnk3");
factory.AuthMechanisms = new IAuthMechanismFactory[] { new ExternalMechanismFactory() };
// Note: This should NEVER be "localhost"
factory.Ssl.ServerName = rabbitmqServerName;
// Path to my .p12 file.
factory.Ssl.CertPath = certificateFilePath;
// Passphrase for the certificate file - set through OpenSSL
factory.Ssl.CertPassphrase = certificatePassphrase;
factory.Ssl.Enabled = true;
// Make sure TLS 1.2 is supported & enabled by your operating system
factory.Ssl.Version = SslProtocols.Tls12;
// This is the default RabbitMQ secure port
factory.Port = AmqpTcpEndpoint.UseDefaultPort;
factory.VirtualHost = "/";
factory.Ssl.AcceptablePolicyErrors = SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNameMismatch | SslPolicyErrors.RemoteCertificateNotAvailable;
//System.Net.ServicePointManager.Expect100Continue = false;
using (var connection = factory.CreateConnection())
{
using (var channel = connection.CreateModel())
{
// publish some messages...
}
}
}
catch (System.Exception ex)
{
var error = ex.ToString();
System.Console.WriteLine(error);
}
}
The above code is throwing error:
RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable
---> System.AggregateException: One or more errors occurred. (Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..)
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
--- End of inner exception stack trace ---
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.BeginAuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__64_1(String arg1, X509CertificateCollection arg2, SslProtocols arg3, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
at System.Net.Security.SslStream.AuthenticateAsClientAsync(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at RabbitMQ.Client.Impl.SslHelper.<>c__DisplayClass2_0.<TcpUpgrade>b__0(SslOption opts)
at RabbitMQ.Client.Impl.SslHelper.TcpUpgrade(Stream tcpStream, SslOption options)
at RabbitMQ.Client.Impl.SocketFrameHandler..ctor(AmqpTcpEndpoint endpoint, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout)
at RabbitMQ.Client.Framing.Impl.IProtocolExtensions.CreateFrameHandler(IProtocol protocol, AmqpTcpEndpoint endpoint, ArrayPool`1 pool, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout)
at RabbitMQ.Client.ConnectionFactory.CreateFrameHandler(AmqpTcpEndpoint endpoint)
at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
--- End of inner exception stack trace ---
at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
at RabbitMQ.Client.Framing.Impl.AutorecoveringConnection.Init(IEndpointResolver endpoints)
at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
--- End of inner exception stack trace ---
at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
at RabbitMQ.Client.ConnectionFactory.CreateConnection(String clientProvidedName)
at RabbitMQ.Client.ConnectionFactory.CreateConnection()
at RabbitMQ.Explore.Program.RabbitMQWithSSLEnable() in C:\Users\warke\source\repos\RabbitMQ.Explore\RabbitMQ.Explore\Program.cs:line 71
Can anyone please help me to get it resolved?
Thanks.
Below are the things that I tried:
A) Enabled the TLS on internet options.
B) Enabled Ports also.
#Team FYI and Questions:
I installed the client certificate on my local - Not sure on it
as it's not mentioned.
Do I need to installed the Server
Certificate on my local as I am trying to connect to it from local (client and server both are same machine)
I need to do Peer verification, so created both client and server certificate.
The password added in config and while calling the rabbitMQ on from local is the same which I used to create the certificate for Client and Server.
I created a new user for connection i.e. test and given the admin access to it.
Related
I need to use RSA cryptography for encryption of data. I have used ImportPkcs8PrivateKey method of System.Security.Cryptography for importing private key. The code working fine in visual studio but only ImportPkcs8PrivateKey method is not working in hosting server. My Hosting server is windows 2019 and I have installed all hosting package.
var privateKeyBytes = Convert.FromBase64String(marchentPrivateKey);
int myarray;
var rsa = RSA.Create();
rsa.ImportPkcs8PrivateKey(privateKeyBytes, out myarray);
return rsa;
The following Error trace is generated in hosted server
at lambda_method(Closure , Object )
at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult()
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
Actually its issue of IIS setting. Cryptographic Service Provider try to store a key for certificate in the user store and if a profile was not available, a cryptographic context was not available. By default IIS Load User Profile is false. See for more details
What exactly happens when I set LoadUserProfile of IIS pool?
I'm trying to make a request to create a new user in WSO2 Identity Server but I can't connect to the api:
javax.net.ssl|ALL|A9|https-jsse-nio-9443-exec-5|2021-06-02 11:37:20.318 GMT|X509Authentication.java:264|No X.509 cert selected for EC
javax.net.ssl|ALL|A9|https-jsse-nio-9443-exec-5|2021-06-02 11:37:20.318 GMT|X509Authentication.java:264|No X.509 cert selected for EC
javax.net.ssl|DEBUG|AB|https-jsse-nio-9443-exec-7|2021-06-02 11:37:20.408 GMT|Alert.java:238|Received alert message (
"Alert": {
"level" : "fatal",
"description": "certificate_unknown"
}
)
javax.net.ssl|ERROR|AB|https-jsse-nio-9443-exec-7|2021-06-02 11:37:20.410 GMT|TransportContext.java:342|Fatal (CERTIFICATE_UNKNOWN): Received fatal alert: certificate_unknown (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:337)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:186)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:499)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:238)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1568)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)}
)
I've already imported my certificate in client-truststore.jks.
Steps:
1-) keytool -genkey -alias custom -keyalg RSA -keysize 2048 -keystore custom.jks -dname "CN=<"wso2-is-ip">, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon
2-) keytool -export -alias custom -keystore custom.jks -file custom.pem
3-) Import certificate in /wso2is-5.11.0/repository/resources/security/
keytool -import -alias custom -file custom.pem -keystore client-truststore.jks -storepass wso2carbon
4-) Check if was imported:
keytool -list -v -keystore client-truststore.jks -alias custom -storepass wso2carbon -keypass wso2carbon
Java application:
protected void setKeyStore() {
System.setProperty("javax.net.ssl.trustStore", "custom.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
}
protected void submit(HttpMethodBase method) throws IOException {
HttpClient httpUpdateClient = new HttpClient();
// **************************Erro SSL*******************************
int responseStatus = httpUpdateClient.executeMethod(method);
// **************************Erro SSL*******************************
String response = method.getResponseBodyAsString();
System.out.println("/******SCIM response status: " + responseStatus);
System.out.println("SCIM response data: " + response + "******/");
}
Am I missing anything?
PS: WSO2-IS is running on a docker environment in development environment and I'm trying to connect from local machine.
I've used the certificate that comes with WSO2 IS in my application and it worked.
wso2is-5.11.0/repository/resources/security/wso2carbon.jks
protected void setKeyStore() {
System.setProperty("javax.net.ssl.trustStore", "wso2carbon.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
}
I have installed RavenDb on Ubuntu system (on Azure cloud) using Docker and trying to use LetsEncrypt wizard to generate the certificate.
My ravendb installation is successful and this is the port setup
root#XXXX:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
64ee58cab746 ravendb/ravendb "/bin/sh -c /opt/Rav…" 6 hours ago Up 6 hours (healthy) 161/tcp, 0.0.0.0:9002->8080/tcp, 0.0.0.0:48888->38888/tcp ravendb
47b715b56482 bitnami/neo4j:latest "/app-entrypoint.sh …" 43 hours ago Up 15 hours 0.0.0.0:7473-7474->7473-7474/tcp, 0.0.0.0:7687->7687/tcp, 8756/tcp neo4j
Based on the configuration I tried to setup ravendb with following configuration,
Node Tag A
HTTPS Port 9002
TCP Port 48888
IP Address / Hostname 0.0.0.0
External IP Address X.X.X.X
External HTTPS Port 9002
External TCP Port 48888
;but it gives me following error
PS: To debug this issue, I just opened all the ports inbound and outbound on azure VM
This seems the main culprit in code below:
The SSL connection could not be established, see inner exception. ---> System.IO.IOException: The handshake failed due to an unexpected packet format.
Setting up RavenDB in Let's Encrypt security mode failed.
System.InvalidOperationException: Setting up RavenDB in Let's Encrypt security mode failed. ---> System.InvalidOperationException: Validation failed. ---> System.InvalidOperationException: Failed to simulate running the server with the supplied settings using: https://a.educosys-db.ravendb.community:9002 ---> System.InvalidOperationException: Client failed to contact webhost listening to 'https://a.educosys-db.ravendb.community:9002'.
Are you blocked by a firewall? Make sure the port is open.
Settings file:/opt/RavenDB/Server/settings.json.
IP addresses: 0.0.0.0:9002.
Response: .
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.IO.IOException: The handshake failed due to an unexpected packet format.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslState.ThrowIfExceptional()
at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at Raven.Server.Commercial.SetupManager.SimulateRunningServer(X509Certificate2 serverCertificate, String serverUrl, String nodeTag, IPEndPoint[] addresses, Int32 port, String settingsPath, SetupMode setupMode, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 1966
--- End of inner exception stack trace ---
at Raven.Server.Commercial.SetupManager.SimulateRunningServer(X509Certificate2 serverCertificate, String serverUrl, String nodeTag, IPEndPoint[] addresses, Int32 port, String settingsPath, SetupMode setupMode, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 1983
at Raven.Server.Commercial.SetupManager.SimulateRunningServer(X509Certificate2 serverCertificate, String serverUrl, String nodeTag, IPEndPoint[] addresses, Int32 port, String settingsPath, SetupMode setupMode, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 1995
at Raven.Server.Commercial.SetupManager.ValidateServerCanRunWithSuppliedSettings(SetupInfo setupInfo, ServerStore serverStore, SetupMode setupMode, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 980
--- End of inner exception stack trace ---
at Raven.Server.Commercial.SetupManager.ValidateServerCanRunWithSuppliedSettings(SetupInfo setupInfo, ServerStore serverStore, SetupMode setupMode, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 984
at Raven.Server.Commercial.SetupManager.SetupLetsEncryptTask(Action`1 onProgress, SetupInfo setupInfo, ServerStore serverStore, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 475
--- End of inner exception stack trace ---
at Raven.Server.Commercial.SetupManager.SetupLetsEncryptTask(Action`1 onProgress, SetupInfo setupInfo, ServerStore serverStore, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 479
--- End of inner exception stack trace ---
at Raven.Server.Commercial.SetupManager.LogErrorAndThrow(Action`1 onProgress, SetupProgressAndResult progress, String msg, Exception e) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 649
at Raven.Server.Commercial.SetupManager.SetupLetsEncryptTask(Action`1 onProgress, SetupInfo setupInfo, ServerStore serverStore, CancellationToken token) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Commercial\SetupManager.cs:line 506
at Raven.Server.Web.System.SetupHandler.SetupLetsEncrypt() in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Web\System\SetupHandler.cs:line 650
at Raven.Server.Routing.RequestRouter.HandlePath(RequestHandlerContext reqCtx) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\Routing\RequestRouter.cs:line 189
at Raven.Server.RavenServerStartup.RequestHandler(HttpContext context) in C:\Builds\RavenDB-Stable-4.2\42034\src\Raven.Server\RavenServerStartup.cs:line 173
I'm consuming a third-party's web service with WCF. I've got a PFX certificate file that I'm attaching via the ClientCredentials.ClientCertificate.SetCertificate method. I'm using the "Message Security Version" WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.
Everything works fine. Now the third-party's certificate is expiring so they've issued a new one. However, this time it's a P7B file with just the public key.
When I try to use this certificate, I get a NotSupportedException with the message "The private key is not present in the X.509 certificate."
No part of my code is supplying the private key password, so I'm assuming this means that the private key is not being used. If this is the case, how can I consume this web service using only the public key? Or have I misunderstood something? (very likely)
EDIT
Ok, here's some code. The service client class I'm using was generated by svcutil and has been modified via a partial class to implement IDisposable. These are the relevant fragments:
private ServiceResponse CallService(ServiceParameters serviceParameters)
{
...
using (var client = new ThirdPartyServiceClient())
{
SetClientCredentials(client);
client.RemoteCall(serviceParameters);
}
...
}
private void SetClientCredentials(ThirdPartyServiceClient client)
{
if (client.ClientCredentials == null)
{
throw new InvalidOperationException("ClientCredentials was null and certificate could not be set");
}
client.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindBySubjectName,
_configuration.CertificateSubject);
}
And this is my WCF config:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="ThirdPartyServiceBinding">
<security includeTimestamp="true" enableUnsecuredResponse="true" authenticationMode="CertificateOverTransport" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
<textMessageEncoding messageVersion="Soap11WSAddressing10" />
<httpsTransport requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://third-party.com/service" binding="customBinding" bindingConfiguration="ThirdPartyServiceBinding" contract="Namespace.To.ProxyClasses" name="ThirdPartyService" />
</client>
</system.serviceModel>
The exception is thrown by the client.RemoteCall(serviceParameters); call, and the stack trace is
Server stack trace:
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
at System.ServiceModel.Security.WSSecurityOneDotZeroSendSecurityHeader.CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens, Boolean isPrimarySignature)
at System.ServiceModel.Security.WSSecurityOneDotZeroSendSecurityHeader.CreateSupportingSignature(SecurityToken token, SecurityKeyIdentifier identifier)
at System.ServiceModel.Security.SendSecurityHeader.SignWithSupportingToken(SecurityToken token, SecurityKeyIdentifierClause identifierClause)
at System.ServiceModel.Security.SendSecurityHeader.SignWithSupportingTokens()
at System.ServiceModel.Security.SendSecurityHeader.CompleteSecurityApplication()
at System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
at System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message, Boolean shouldRecycleBuffer)
at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Namespace.To.ProxyClasses.ThirdPartyService.RemoteCall(ServiceParameters request)
[back up the normal call hierarchy of my code]
With message security, you sign a document with your private key, and you encrypt a document with the other parties public key. They can decrypt it with their private key, and they can verify your signature with your public key. It sounds like they replaced their key so they provided you their new public key. If their public key doesn't have a publicly verifiable chain of trust, then you need to install their public key in your local certificate store as a trusted key. If you don't do this and they aren't publicly verifiable, you will get an exception about being unable to verify the chain trust. If it is your key which is expiring, then they need a public key to identify you, and you need the private half which they shouldn't have.
I am working on a WCF service. It is hosted in IIS and secured by SSL. I am using custom biding with Soap11. I have a private key for this service and it is referenced in the web.config file. I have exported the public key from the private key and plan to give this public key to a vendor who will call this service.
When I try to test the service using a client. I am getting the below error. In my client I have referenced the public key. My client is sending the request to the service which is secured by the private key. I have checked the private key to make sure I have "you have a private key that correspond to this certificate. also, i have the IIS app pool running under my user name. I am the administrator in the computer.
However, when i try to send a request, I get the error "The private key is not present in the X.509 certificate." in the client. What could be causing this error?
Stack Trace:
System.NotSupportedException was caught
HResult=-2146233067
Message=The private key is not present in the X.509 certificate.
Source=mscorlib
StackTrace:
Server stack trace:
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
at System.ServiceModel.Security.WSSecurityOneDotZeroSendSecurityHeader.CompletePrimarySignatureCore(SendSecurityHeaderElement[] signatureConfirmations, SecurityToken[] signedEndorsingTokens, SecurityToken[] signedTokens, SendSecurityHeaderElement[] basicTokens, Boolean isPrimarySignature)
at System.ServiceModel.Security.SendSecurityHeader.CompleteSignature()
at System.ServiceModel.Security.SendSecurityHeader.CompleteSecurityApplication()
at System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
at System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message)
at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at PaymentGatewayTestClient.Customer.ICustomerDetails.CustomerDetails(CustomerDetailRequest request)
at PaymentGatewayTestClient.Customer.CustomerDetailsClient.CustomerDetails(CustomerDetailRequest request) in c:\temp\Test\PaymentGatewayTestClient\PaymentGatewayTestClient\Service References\Customer\Reference.cs:line 937
at PaymentGatewayTestClient.Program.Main(String[] args) in c:\temp\Test\PaymentGatewayTestClient\PaymentGatewayTestClient\Program.cs:line 38
InnerException:
It looks like the server can't access the private part of the key. You have to grant permission to the private key for the user that runs your app pool.
Also see this:
PrivateKey trust permissions for local machine "Trusted roots" certificates