I am developing SFTP WinSCP client using C# (.NET Assembly). In my testing environment I did it by password authentication. Here are my session options:
// Setup session options
SessionOptions sessionOptions = new SessionOptions {
Protocol = Protocol.Sftp,
HostName = "example.com",
UserName = "user",
Password = "mypassword",
SshHostKeyFingerprint = "ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
};
But real environment don't have password for the user. Server admin provide Public Key with extension ".crt"
So using this Public Key how can I change my program (SessionOptions)?
Are this details enough to proceed this implementation?
Preview of crt file
From the extension, look and size of the the file you received, I believe it is a public key of the server in form of a certificate.
First, server's public key can be used only to verify that the server you connected to is actually the one you wanted to connect to (i.e. there's no man-in-the-middle attack ongoing).
Second, certificate format of keys is never used with SSH. It's used with TLS/SSL, so for example with FTPS (FTP over TLS/SSL), or HTTPS.
I'd say that there's some great misunderstanding between you and the server admin.
If you want more details, you should better ask on SuperUser or ServerFault, as this does not look like a programming question in the end.
Related
Currently, I'm struggling with automation our API over SSL with Karate DSL, and the main problem is that I'm not able to automate this API without keeping that cert.pfx in some directory with below configuration:
// enable X509 certificate authentication with PKCS12 file 'certstore.pfx' and password 'certpassword'
configure ssl = { keyStore: 'classpath:certstore.pfx', keyStorePassword: 'certpassword', keyStoreType: 'pkcs12' }
Is there any other approach to load the cert store? instead of using certstore.pfx form local directory/cloud/sftp dir?
I was thinking about creating a KeyStore java object(with chain certs& private key) and pass it to configuration instead of (pfx file) { keyStore: keyStoreObj, keyStorePassword: 'xxx' ..}, or some other memory object, which will provide all needed certs/keys to connect over SSL.
thanks for your advice!
Thank you Peter, so I decided to go to that advanced way, so decide to extend HttpClient, where I override configure(HttpConfig config, ScriptContext context) and decide to pass there KeyStore object, which was constructed before with certificates, which I got from HasiCorp Vault.
Btw Karate DSL is great!
Use Java interop: https://github.com/intuit/karate#calling-java
For example: you can implement some custom way to get the cert that you need and save it to /tmp and then use file:/tmp/mycert.pfx to load the cert.
It is up to you to implement in any way that you want. If you want to do something more advanced, consider extending the ApacheHttpClient - and tips on how to do this are provided here.
My Requirement is I want to connect to a perforce server "abc.def.com:1689" to access it requires my public and private key (identity basically) Now I want to achieve same using the Java Program.
I want to connect to the Perforce server and perform actions programmatically its not a username and password base model it uses the private key to authenticate user and allow access to the repository.
Can someone guide me on this I have already tried few suggestions mentioned in the other stackoverflow links but its not working.
String uri = "p4javassl://abc.def.com:1689";
IOptionsServer server = ServerFactory.getOptionsServer(uri, null);
server.addTrust("somefingerPrint");
server.connect();
IServerInfo sInfo = server.getServerInfo();
System.out.println("user "+sInfo.getUserName());
com.perforce.p4java.exception.ConnectionException: Unable to connect to Perforce server
If I understand correctly you want to authenticate to a Helix server with a client cert. That's not possible.
The Perforce/Helix server always needs a user for authorization as file/resource protections are based on your user. You will always need to set your user:
server.setUserName('Vikki');
I have a website, wcf service, and a security token service (STS) running on one server. Everything works great. I am now trying to now seperate the peices across servers. When the website trys to login to get the token I get ssl cert errors.
This would be on Server 2008 and IIS 7.5 and my windows 7 IIS 7.5 while i debug.
An error occurred while making the HTTP request to https://x.x.x.x/STS/issue/wstrust/mixed/username. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by...
I generated a self signed cert on the STS server and exported it to the website server. I also exported the key and gave IIS access to the key on the website server. That got past a bunch of WIF errors, it would not run, but I'm not sure that its the right thing to do.
I also have tried [netsh http add sslcert ipport:0.0.0.0:44400 ect...] but im not sure what port to use, ive tried a half dozen different ones and none seem to work, and 443 wont work.
The website is using a WSTrustChannelFactory to create the connection. It bombs on the channel.issue command at the bottom.
var factory = new WSTrustChannelFactory(
new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
new EndpointAddress(signInEndpoint));
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
var channel = factory.CreateChannel();
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointAddress(realm),
KeyType = KeyTypes.Bearer
};
try
{
var genericToken = channel.Issue(rst) as GenericXmlSecurityToken;
** EDIT **
I've also set website servers iis default website https bindings port 443 to use the cert that i imported from the STS server and get the same error.
** End Edit **
I've been all over google and stackoverflow and while many questions seem to be close, none of the approved answers have worked.
Ideas? I'm a server/hardware noob so the "for dummies version" would be nice.
Thanks!
Since u are using a self signed certificate, have u made sure to turn off Certificate Chain Validation or else add it to the trusted store. It looks like u are using the url of IdentityServer, in there u can turn off strong endpoint requirements and on the client use a UserNameWSTrustBinding with only message security.
In my client application I have to use web service UserNameOverTransport, so I need in client set username and password like:
client.ClientCredentials.UserName.UserName = "account";
client.ClientCredentials.UserName.Password = "password";
Is it some best practices where store username and password?
From my point of view it isn't good idea to store credentials in config file.
[Update]
When I asked this question I though that WCF provide some standard ability to store credentials in config file or have ability to setup with help of endpoints behaiviours.
The example which I looked for is solution by the following link:
http://blog.shutupandcode.net/?p=22
If you want to store credentials in the app.config/web.config, you can encrypt them using the ProtectedData class or a ProtectedConfigurationProvider. See the following links for more info (ordered from least detailed to most):
http://geekswithblogs.net/afeng/archive/2006/12/10/100821.aspx
http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx
http://msdn.microsoft.com/en-us/library/89211k9b%28v=vs.80%29.aspx
http://msdn.microsoft.com/en-us/library/53tyfkaw%28v=vs.80%29.aspx
You do not need to store your username and password in config. What you usually store in config are client settings, like endpoints, behaviours and security settings.
Username and password should be set from inside the code, like you have shown:
client.ClientCredentials.UserName.UserName = "account";
client.ClientCredentials.UserName.Password = "password";
It's completely up to you where you will get these values from and how you are going to secure it
I'm trying to implement a custom STS for a WIF scenario I'm investigating, but it's failing. It's failing when trying to obtain the private key from the certificate used to sign the tokens. I create the STS with the following configuration:
var signingCert = new X509Certificate2(#"C:\<path>\MySigningCertificate.pfx");
var config
= new SecurityTokenServiceConfiguration()
{
DisableWsdl = true,
TokenIssuerName = "Tribold",
SecurityTokenService = typeof(TriboldSecurityTokenService),
SigningCredentials = new X509SigningCredentials(signingCert),
CertificateValidationMode = X509CertificateValidationMode.Custom,
CertificateValidator = new CertificateValidator()
};
However, with WCF diagnostic logging configured, I get the following message in the Service Trace Viewer:
The private key is not present in the X.509 certificate.
This appears to be logged as the code comes out of my custom STS (i.e., after calling GetOutputClaimsIdentity(...) on my custom STS class, and therefore I can only assume that it's now trying to sign the issued security token and failing because it can't obtain a private key to do so.
The private key appears to be present on the loaded certificate:
Debug.Assert(signingCert.HasPrivateKey == true);
but it fails later on. I'm having no luck resolving this, please help!
It looks like thread "cant use .pfx file for X.509 certificates" in the Geneva (= AD FS 2.0) forums covers the same problem which you report. So the resolution reported there might work, which is "specifying the X509KeyStorageFlags.PersistKeySet flag when initiating the X509Certificate2 object".
I'd be surprised if you didn't have to specify a password when opening a PFX file. X509Certificate2 has overloads that take a password in the form of a string or a SecureString.