Worklight 6.2 Developer Server - Self Signed SSL - ssl

We have a HTTPS RESTFul service running in IIS. We are able to successfully call it using the browser. However, when we call the service from a worklight adapter, we are getting the following exception:
"javax.net.ssl.SSLPeerUnverifiedException"
The worklight adapter was working perfectly fine when we were using HTTP instead of HTTPS.
We have followed all the steps mentioned in the documentation:
Create certificate using keytool in the IIS server. Bind it to the RestFul service.
Exporting the public key to a .cert file
Importing the file into Worklight keystore
Mentioned https as the protocol in the adapter.xml.
We have even verified the default.keystore of the worklight, it is matching with the certificate present in the IIS server.
We don't need mutual authentication. We just want to use SSL in the RestFul service deployed in the IIS.
Thanks,
Pavan

You forgot to add the certificate to your device's trust store. Since it is self signed, devices will not trust them by default. To do so, follow the steps here for your device's OS: http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/admin/c_ssl_config.html?lang=en
Specifically, look at this for iOS and this one for Android.

Related

How to require a client certificate to a web application in IIS?

I have created an asp.net web application and deployed it in IIS10. The design of the application is to require a client certificate for each user which will be provided by us. For testing purposes I created a self-signed certificate using the makecert.exe and followed the instructions at https://blog.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/. I added the certificate in the MMC Personal Certificates.
I also configured the iisClientCertificateMappingAuthentication in the IIS Configuration Editor using the one-to-one mapping approach. When I tested it on the browser, at first it asked for a digital certificate (which is correct), but when I clicked the certificate I added on the bindings it returns an error "Your client certificate is either not trusted or is invalid."
What should be the problem here since the installed client certificate is already added in the IIS one to one mapping configuration? Do I need additional configuration in the IIS?

HTTPS communication in ServiceFabric Local Cluster

Here's my setup
an IdentityServer 4 as a stateless reliable ASP.NET Core service.
a WebAPI as a reliable ASP.NET Core service.
using them with a JS client, it is now working with HTTP. The problem is with HTTPS. The WebAPI needs to request the openID config via htttps [is4URL].well-known/openid-configuration. I'm getting this error
System.InvalidOperationException: IDX10803: Unable to obtain
configuration from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.IO.IOException: IDX10804: Unable to retrieve document from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.Net.Http.HttpRequestException: An error occurred while sending
the request. ---> System.Net.WebException: The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS
secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
can anybody help me to make this work in localhost with the SF Local Cluster Manager?
Thanks
Here's my two cents worth but it will need to be verified...
I am assuming that you have created a self-signed certificate using following article or similar but the certificate has same properties.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate
This means that the certificate can not be verified via actual CA. Ofcourse with self-signed certificate this is not possible.
Now when you upload the certificate to Azure App Service it installs in CurrentUser - MyStore. With self-signed certificate, it also needs to be installed in LocalMachine Root store.
This is becouse then the machine's Certificate Authority can verify that certificate to be valid. (May be a security expert can correct me if I am wrong but thats my theory). I have got same setup on my locally hosted windows server where the self-signed certificate is installed in Root Certificate Store as well as Personal store and the app works. This is the reason I belive this happens.
So this part which needs to be verified. Following is the article which shows you how you can do this in Azure App service.
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal
AGAIN THIS IS JUST A THEORY THIS NEEDS TO BE VERIFIED. :)
EDIT:
I have just tested this and it is the case. In cloud services you can do as shown in second link above and create Web Job which install certificate in appropriate store.
For Azure App Service unfortunaltly you dont have access to root store. It has to be install in CurrentUser's personal store. Which means the self signed certificate will not work, and you have to purchase a real certificate. :( I think this is a real thumb down to Microsoft. Why should I need to pay for real certificate for my dev/test environment? (Rant Over)
For Service Fabric you will need to find out how to install certificate in Root Store as well as personal store (if thats possible at all). Here's Links that might be useful
http://ronaldwildenberg.com/running-an-azure-service-fabric-cluster-locally-on-ssl/
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
Hope this helps.

Local Cluster SSL Certificate invalid trust

My local development (5 node) cluster have two stateless services installed. One .Net Core Web Gui service and one .Net Core WebAPI service.
Both are configured to use a https endpoint.
The certificates are self signed certificates and are added to both trusted root and personal (in both current user and localmachine).
I can access both endpoints using a local browser without getting any certificate errors. It says the connection is secure and the certificates are trusted.
So far so good.
But when my Web API services calls my Web Gui service, is says it cannot create a trusted connection.
Why can my local browser create a trusted connection but not the Service running in the local cluster?
Does a Node in a local cluster have it's own Certificate Store?
So it turns out that I missed adding the certificates to the machine root and that's what caused the problem.
For local SSL to work, I needed to to add the self signed certificates to:
localmachine/my
localmachine/root
This lets services call services from within the local cluster.
currentuser/my
currentyser/root
This lets my browsers call my services without ssl errors.
Hope this helps someone else :)

Self signed client certificate does not reach server application

I have the following setup:
A self signed certificate for development purposes
An OWIN hosted Web API, deployed on a local Azure Service Fabric Cluster as a ASF service. The Web API uses HTTPS facilitated with the dev certificate in question.
A simple .net client application that calls the Web API. In that application the ServicePointManager.ServerCertificateValidationCallback method is set so it always returns true (since the CA is not trusted)
Both the client application and the Web API are on the same local development machine. The certificate is installed in that same machine on the "machine store"
Now I am able to make calls to the web api using Fiddler by providing the required client certificate. However when I try to do the same via .net code (be it RestSharp or WebRequest) the client certificate is not present in the RequestContext object on the server side. This result in an Unauthorized response. I do not think the problem is with the client code, the certificate is loaded correctly and assigned to the http client or request. Fiddler shows encrypted tunneling to the server. However the client certificate does not seem to be present at the server side.
I am at a complete loss regarding what am I missing that could cause this behavior. Any help will be deeply appreciated.
Install the certificate into the 'Local Machine/Trusted People'.
The server needs to already trust the certificate before it asks. The CertificateRequest message that it sends lists the acceptable CAs that can sign the client certificate. If the client certificate's signer isn't in that message, it can't send it.
How you accomplish that in your environment is left as an exercise for the reader. In general now that SSL certificates are available free there is little reason to indulge in the time costs and administrative inconveniences of self-signed certificates. IMHO there wasn't even if you were paying for a CA signature.
I had a problem when a service called another service over HTTPS and it couldn't setup a secure connection. My problem was that since the service is running as NETWORK SERVICE, it couldn't find the certificate, because it was looking in the localmachine/my certificate store.
When I was running from my web browser it was working fine because then, my browser found the certificate in the currectuser/my certificate store.
Add the certificate to the machine/my store and see if it helps.

Mismatched SSL certificate in Azure Compute Emulator

I have Azure app containing 4 sites in a single web role (differentiated by host headers). I setup the sites to run over SSL. I issued 2 self signed certificates: 1 as CA installed into Trusted Root CAs store and 1 wildcard SSL certificate (issued using the first one).
The application runs, however I'm getting certificate error 'Mismatched address' in Azure Compute Emulator. I examined the mismatched certificate and found out it is not the one specified in service configuration. I went into IIS management console and checked the bindings - there was no cert set for my sites. So I setup the wildcard certificate manually in the site bindings. But in browser I still have mismatched certificate, still the one for 127.0.0.1 (comming with DevFabric). How can I make the IIS to return the correct certificate configured for the site?
(I have some services in the web sites consumed by Silverlight application and it does not work when there is forced manual confirmation of the certificate by user.)
Thanks!
Are you sure that you really access the service using https://127.0.0.1 and not using https://localhost?