We have a tool that we need to integrate in our automated build process (we use TeamCity for our automated builds). The tool talks to a WCF web service that is configured for SSL certificate authentication.
I have searched around to see how this can be done in TeamCity. Unfortunately all I've found seems to be authentication between TeamCity Server and clients or plugins.
How can I consume a certificate in my machine certificates store if a running TeamCity agent as a Local System account for example. It seems when running it in this account, it does not have access to the certificates.
Thanks in advance for your help guys.
The problem comes from the fact that Local System Account can not find the certificated installed by other users on the machine.
You can install a system wide certificate Or you can run a command line under Local System Account and install the required certificate.
You can use psexec from SysInternals suit to get the command line
psexec -i -s cmd.exe
And install the certificate from command line
Related
I am new to signserver and I have to installed it using docker hub, for this I got the EJBCA ManagementCA pem file. but I am not able to access signserver admin web
Thanks in advance
To do client certificate authentication you must have install a client certificate in your web browser, i.e. like superadmin.p12 from an ejbca installation or any other CA you are using. This admin client certificate must be issued by the ManagementCA in this case.
I am trying to connect Jenkins(version 2.121.2) running on AWS to an on-premise Atlassian Crowd Server (version 3.1.2) using Jenkin's crowd 2 Plugin. The Crowd server requires two-way SSL authentication.
Steps followed:
Import the Certificate chain of the Crowd server in to Java Trust store located at $JAVA_HOME/jre/lib/security/cacerts, so Jenkins trusts Crowd Server.
Create a keystore(JKS) with the private key and certificate for Client authentication in jenkins.
Modify jenkins startup parameters (/etc/default/jenkins) to use the Trust store and Keystore. I have tried both the variations as below.
Variation 1:
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=/var/lib/jenkins/identity.jks
-Djavax.net.ssl.keyStorePassword=changeit"
Variation 2:
# JVM Arguments
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit"
# Jenkins arguments
JENKINS_ARGS="--webroot=/var/cache/$NAME/war
--httpPort=$HTTPS_PORT
--httpsKeyStore=/var/lib/jenkins/identity.jks
--httpsKeyStorePassword=changeit"
After filling up the details in the plugin configuration section in jenkins and trying to establish a connection, I receive a hand_shake failure in jenkins log. Information from the log,
The Server Hello passes, and provides a list of CA's that it trusts which shows the Atlassian crowd server. During jenkins startup, I can also see that it adds the certificate as trusted.
But when jenkins is responding to the verification from Crowd, it is not sending the client key/certificate from keystore. An excerpt of the log can be seen below.
CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country
ServerHelloDone
Warning: no suitable certificate found - continuing
without client authentication
Certificate chain <Empty>
I am not sure if this is possible using the Crowd2 Plugin or If I am doing something wrong. I had a look at this issue , but there is no definitive answer if this is possible or not.
Any help/direction is greatly appreciated.
So, The problem was due to Crowd 2 Jenkins Plugin. Version 2 of the plugin was recently released 3 months ago and I was using this. But, after downgrading the plugin to version 1.8, I was able to authenticate with the Crowd Server.
I have a VM running Windows Server 2016 Technical Preview, and have installed the Containers feature, and then run the Install-ContainerHost.ps1 script from Microsoft's container tools repo
https://github.com/Microsoft/Virtualization-Documentation/tree/master/windows-server-container-tools/Install-ContainerHost
I can now run the Docker Deamon on Windows. Next I want to copy the certificates to a client machine so that I can issue commands to the host remotely. But I don't know where the certificates are stored on the host.
In the script the path variable is set to %ProgramData%\docker\certs.d
The certificates on windows are located in the .docker folder in the current user directory.
docker --help command will show the exact path details
AFAIK there are no certificates generated when you do what you are doing. If you drop certificates in the path you found then it will use them, and be secured. But otherwise there is none on the machine. Which explains why it isn't exposed by default.
On my setup I connected without TLS but that was on a VM that I could only access on my dev machine. Obviously anything able to be accessed over a network shouldn't do that.
Other people doing this are here: https://social.msdn.microsoft.com/Forums/en-US/84ca60c0-c54d-4513-bc02-14bd57676621/connect-docker-client-to-windows-server-2016-container-engine?forum=windowscontainers and here https://social.msdn.microsoft.com/Forums/en-US/9caf90c9-81e8-4998-abe5-837fbfde03a8/can-i-connect-docker-from-remote-docker-client?forum=windowscontainers
When I dug into the work in progress post it has this:
Docker clients unsecured by default
In this pre-release, docker communication is public if you know where to look.
https://msdn.microsoft.com/en-us/virtualization/windowscontainers/about/work_in_progress#DockermanagementDockerclientsunsecuredbydefault
So eventually this should get better.
I'm quite new to the .NET Workflow stuff.
I've made a workflow service and now I want to host this service using IIS. (This workflow was well tested by debugging it in VS2012)
I'm using AppFabric and Workflow Manager to configure all of this.
Workflow Manager made all the databases needed to persist the workflow instances and the Workflow Management Site in the IIS. Then I've published my workflow service into a zip file and imported this into my Workflow Management Site.
Everything was fine and running when I had shut down my computer two days ago. Now my Workflow Manager Backend service won't start anymore. When I watch the eventlogger this is the critical error:
The Workflow Manager backend failed to start at location 'WorkflowServiceBackendHost.Start' due to an exception: System.InvalidOperationException: Certificate '90ED72666C964EE0902E84767A0D284D66F6B725' is not found in the certificate store.
I found the sha1 of this certificate in 'Microsoft.Workflow.ServiceHost.exe.config' file in 'C:\Program Files\Workflow Manager\1.0\Workflow\Artifacts'. But it's not possible to change it and try something else. So I guess it was a generated certificate by the Workflow Manager configuration.
I searched in my certmgr.msc for this sha1 and could not find it. But I didn't change or remove any certificate and I don't think that the certificate could be expired because I installed and configured everything two days ago. I don't think this is the same certificate that is used for the communication between the service and an external application.
Maybe I could change something in the Workflow Manager configuration but this tool doesn't start. Probably because the service isn't started. But as I said I'm new to all of this and the information I found this far didn't help me or was re installing the workflow manager etc. But then I wonder what will happen if all of this is in production.
Could anyone help me to get this Workflow Manager backend service up and running again?
Thanks in advance, Tim
Reset the Auto-Generation Key for WFM and Service Bus
i. $CertKey=convertto-securestring ‘YourPassword’ -asplaintext -force;
1. Note: Update with YourPassword with your own password
ii. Run this step:
1. Set-WFCertificateAutoGenerationKey –Key $CertKey
iii. Followed by this step:
1. Set-SBCertificateAutogenerationKey –Key $CertKey
iv. Update the Hosts:
1. Stop-SBFarm
2. Update-SBHost
3. Stop-WFHost
4. Update-WFHost -certificateautogenerationkey $CertKey
5. start-sbfarm
Check that the Get-WFFarm and Get-SBFarm output has changed certificate thumbprints
We are planning to create and install self-signed certificates on azure web roles.
We have a requirement to create certificate on web role itself and installing there.
But we cannot find makecert.exe on azure web and worker role. We did remote desktop on azure role and found that makecert.exe is missing.
Any direction on creating and installing certificate on azure role would be helpful?
If there is any management APIs available for creating certificate on web role, please share with me as I am unable to locate in msdn.
You have a few options to create self-signed certificates:
Deploy makecert.exe with your application (include it in your VS project, set Copy Local = true)
Write something yourself to generate the certificate (example here: https://github.com/mono/mono/blob/master/mcs/tools/security/makecert.cs)
But there's more to it than simply generating a certificate. What will you do if you have more than one instance running? Will you install the certificate on 1 instance? Or do you need all your instances to have the certificate? What if you redeploy the application? ...
In those cases you might want to look ahead. Would it be an option to store all those certificates in blob storage? Maybe you could have a process running on each instance that 'synchronizes' the certificates with the current instance. You could also use AppFabric ServiceBus Topics to notify other instances when a new certificate has been generated...
The direct answer to your questions is that Makecert.exe is an utility which is installed either from installing Visual Studio or Windows SDK or direct download from Microsoft sites. A Windows Azure VM sure not to have this makecert.exe because it is not part of base Windows deployment and if you want to use/run Makecert in Windows Azure VM you really need to add in your project and deploy it.
HOWEVER,
If you have a need to deploy a certificate to Windows Azure you really don't need to generate it on fly (i.e. using Makecert.exe) because there is other easier way to do it. You just need to add (or deploy) your PFX certificate to your Windows Azure Service -> Certificate section and when you VM will be initialize, the certificate will be provisioned to your Windows Azure Role (Web or Worker or VM) so there is no need to add Makecert.exe with your project and then use Startup task to run it.
Instead of depend on Makecert.exe or any other method to have certificate in your role, i would suggest using above method which is actually designed for such requirement. If you don't know how to deploy a certificate to your Windows Azure Service either directly to portal or using PowerShell, please let me know..