|
|
You're in the
dotnet web services enhancements
group:Problem with my x509 makecert certificates for WSE 3.0
dotnet web services enhancements:
Hello All. Problem with my x509 makecert certificates for WSE 3.0 I am having problems getting the WSE certificates to work on a simple test system before I apply this to an existing product. I have installed walk-through certificates and these appear to work without a problem. I have made several attempts to create my own certificates and setup WSE but always come to the same problem. What am I doing wrong? Server Logs report the following error: Exception thrown: WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account 'RNDNOTEPM\ASPNET' has permissions to read the private key of certificate with subject name 'CN=DevServer2' and thumbprint '5644C8F29B69C5DD07DE2F5B0C65E88E3604CE2D'. Client Logs report the following error: Exception thrown: WSE2005: Protection requirements in MutualCertificate11Assertion are not satisfied. The certificates have been created with makecert: makecert -sk DevServer -pe -ss my -sr LocalMachine -n CN=DevServer" makecert -sk DevClient -pe -ss my -sr LocalMachine -n CN=DevClient" The WSE tool was used to allow aspnet access to the private keys and the permissions have been checked in windows explorer. The Service Policy file is: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="mutualCertificate10Security" type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="authorization" type="Microsoft.Web.Services3.Design.AuthorizationAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="x509"> <authorization> <allow user="CN=DevClient" /> <deny user="*" /> </authorization> <mutualCertificate11Security establishSecurityContext="true" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" requireDerivedKeys="true" ttlInSeconds="300"> <serviceToken> <x509 storeLocation="LocalMachine" storeName="AddressBook" findValue="CN=DevServer" findType="FindBySubjectDistinguishedName" /> </serviceToken> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </mutualCertificate11Security> <requireActionHeader /> </policy> </policies> And the client policy file is: <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy"> <extensions> <extension name="mutualCertificate10Security" type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="x509"> <mutualCertificate11Security establishSecurityContext="true" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300"> <clientToken> <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=DevClient" findType="FindBySubjectDistinguishedName" /> </clientToken> <serviceToken> <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=DevServer" findType="FindBySubjectDistinguishedName" /> </serviceToken> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </mutualCertificate11Security> <requireActionHeader /> </policy> </policies>
Hi Chris,
From your description, you're using the <mutualCertificate10Security> policy assertion to do mutual x509 certification authentication, however, you found the service call works when using the WSE built-in test certificates , but failed when using your custom test certifricates, correct? Based on the configuration fragment and the certificate creation command yo pasted, here are something I think you can have a further check and test: 1. in the <extension> setting section, you use <extension name="mutualCertificate10Security" , however, in the below policy assertion section, you use<mutualCertificate11Security ...>, I would suggest you make them consistent. Generally, if you do not want to make use of those new WS sedurity 1.1 features, you can just uncheck the "Enable WS-Security 1.1 extensions" option if you're using the VS 2005 WSE 3.0 configuration wizard to configure the policy file. 2. Currently you're using the following command to create the test certificates: ========================== makecert -sk DevServer -pe -ss my -sr LocalMachine -n CN=DevServer" makecert -sk DevClient -pe -ss my -sr LocalMachine -n CN=DevClient" ========================== I've checked the WSE 3.0's test certificate creation script, there are some difference between that command and yours: ** you need to specify the signature algorithm as "sha1" through -a option since WSE setting use Sha1Thumbprint by default ** mark the certificate's type as exchange Here is the modified command to create the certificates(I've tested them on my local machine without any problem). =================== makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=DevServer -sky exchange -pe makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=DevClient -sky exchange -pe =================== #Certificate Creation Tool (Makecert.exe) http://msdn2.microsoft.com/en-us/library/bfsktky3.aspx The above things can makesure the test certificates are created correctly. And you still need to make sure your service or application's security account has sufficient to access the certificate's private key. The WinHttpCertCfg.exe" tool can help grant access permission for certificates, you can find it in the WSE 3.0 SDK's installation folder. Please have a look at the above things to see whether they help for you. I've also a local test solution which use the above mentioned settings and certificates and work well. If you feel necessary, I can send it to you also. Sincerely, Steven Cheng Microsoft MSDN Online Support Lead ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx. ==================================================
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |