I'm using a YubiKey 4 as my smart card with my StartCom Class 1 login certificate. My problem is: Windows doesn't want to use this card.
Windows credential manager: "No valid certificates were found on this smart card".
Microsoft office doesn't see this card.
Windows VPN: "A certificate could not be found that can be used with this Extensible Authentication Protocol."
KeePass 2 (RSA Certificate Key Provider plugin, which uses Windows security): "No certificate available. No certificates meet the application criteria." (Of course I tested with an RSA certificate too.)
My certificate details:
Key Usage: Digital Signature, Key Encipherment, Data Encipherment (b0)
Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2), Secure Email (1.3.6.1.5.5.7.3.4)
Public key parameters: ECDH_P384
From device manager:
Smart card name: "Identity Device (NIST SP 800-73 [PIV])"
Smart card reader name: "Microsoft Usbccid Smartcard Reader (WUDF)"
Is there any key usage required for smart card usage?
Your Device Manager indicates that you are using the Microsoft Minidriver for the smartcard. According to the Yubikey Basic Troubleshooting Guide this problem can be caused by using these minidrivers for the smartcard rather than the Yubico minidrivers.
You can install the driver following this guide: https://support.yubico.com/hc/en-us/articles/360015654560-Deploying-the-YubiKey-Minidriver-to-Workstations-and-Servers.
I am trying to send data from my Raspberry Pi to an Azure IoT Hub with the code in this GitHub repository (https://github.com/Azure-Samples/azure-iot-samples-node/tree/master/iot-hub/Tutorials/RaspberryPiApp). However, I would like to use an x.509 certificate instead of the Azure IoT Hub Device Connection String. I believe I have to modify the index.js file, but I am unsure what to change, please help.
In order to use the code with X.509 authentication, you need cert.pem and key.pem files. I followed the steps outlined in the article "Quickstart: Provision an X.509 certificate simulated device" and generated the following set of certificates using the scripts.
I continued with the steps in the article to provision the device on the Azure portal using the device certificate generated in the above step.
I copied the generated certificates over to the Raspberry Pi, into the same directory where I have placed the index.js file. I modified the x509 section of the initClient function of the index.js file as follows to use the certificates.

    // index.js already pulls these in near the top (assumed from the sample):
    //   var fs = require('fs');
    //   var Client = require('azure-iot-device').Client;
    //   var MqttProtocol = require('azure-iot-device-mqtt').Mqtt;
    if (connectionString.x509) {
        // Read X.509 certificate and private key.
        // These files should be in the current folder and use the following naming convention:
        // [device name]-cert.pem and [device name]-key.pem, example: myraspberrypi-cert.pem
        // readFileSync with an encoding already returns a string, so no toString() is needed.
        var connectionOptions = {
            cert: fs.readFileSync('/home/rajesh/NodeApp/rasbpi-device-cert.pem', 'utf-8'),
            key: fs.readFileSync('/home/rajesh/NodeApp/rasbpi-device-key.pem', 'utf-8'),
            passphrase: '1234'
        };
        client = Client.fromConnectionString(connectionStringParam, MqttProtocol);
        client.setOptions(connectionOptions);
        console.log('[Device] Using X.509 client certificate authentication');
    }
Please note that I have used MQTT protocol in this example. I observed an error when I test the same with AMQP protocol. I am not sure if this has to do with the approach I have used to generate the certificates.
If you did set a passphrase while generating the certificates, you can pass an empty string ('') to that parameter in the above connectionOptions declaration.
You can run the file using the following command from your Raspberry Pi
sudo node index.js 'HostName=<YourHubName>.azure-devices.net;DeviceId=<deviceId>;x509=true'
Please find the output I get when I run the file using the certificates.
I'm trying to connect a Linux Ubuntu VPC machine to an Azure cloud network interface; the only thing I can't suss out is how to configure my IKE and ESP at my end to match the below:
IKEv2 Encryption | GCMAES256, AES256
IKEv2 Integrity | GCMAES256, SHA384, SHA256, SHA1
DH Group | DHGroup2
IPsec Encryption | GCMAES256, AES256
IPsec Integrity | GCMAES256, SHA256
PFS Group | None, PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1
Every variation I've tried so far:
#ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
#ike=3des-sha1-modp1024!
ike=aes256-sha256-modp1024,aes256-sha1-modp1024!
#esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
#esp=aes256-sha256-modp1024!
esp=aes256-sha256-modp1024!
I've tried to follow and decipher things from -> https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html but I can't figure out which ones to use
You can use the combination of key exchange, hashing, authentication and encryption algorithms (cipher suites) given below, which strongSwan allows different clients to use:
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
Ensure that the ‘IPSec.conf.inc’ on the Ubuntu VM is configured with the cipher suites stated above, since according to the strongSwan link that you gave, the IKEv2 encryption cipher suite to be used should have the encryption ‘x b w o g a’ scheme for the Ubuntu Linux VM’s VPN client.
• Also, ensure you use the ‘Commercial National Security Algorithm Suite’, which specifies the algorithm parameters given below:
Encryption: AES with 256-bit key length (aes256gcm16 or aes256)
Key Exchange: ECDH with NIST P-384 curve (ecp384); DH with at least 3072-bit modulus (modp3072 or higher)
Pseudo-Random Function/Integrity Protection: SHA-384 (e.g. prfsha384, or sha384 if not using AES in GCM mode)
Digital Signatures: ECDSA with NIST P-384 curve; RSA with at least 3072-bit modulus
This would include all the required encryption and algorithm parameters as stated by you through the Azure cloud network interface.
• Also, please refer to the image below, which represents the implementation of IPsec gateways in host-to-host scenarios and clearly shows the IPsec VPN key exchange implementation scenarios:
Please refer to the below links for more information on this: -
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-20-04
https://sysadmins.co.za/setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu/
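As an added example (not part of the answer above), here is a strongSwan ipsec.conf connection whose proposals are restricted to exactly what the Azure table in the question advertises, written in the notation of the strongSwan cipher-suite page the question links. The connection name, addresses and subnets are placeholders. Two things worth checking against your own file: keyexchange=ikev2 must be set explicitly, because strongSwan's default (keyexchange=ike) initiates IKEv1, and an AES-GCM IKE proposal needs an explicit PRF, since GCM carries no separate integrity algorithm for strongSwan to derive one from.

```ini
conn azure-s2s
    keyexchange=ikev2           # Azure route-based gateways negotiate IKEv2 only
    authby=secret               # pre-shared key from the Azure connection object
    left=%defaultroute
    leftid=203.0.113.10         # public IP of the Ubuntu VM (placeholder)
    leftsubnet=10.10.0.0/16     # on-premises / VPC address space (placeholder)
    right=198.51.100.20         # public IP of the Azure VPN gateway (placeholder)
    rightsubnet=10.20.0.0/16    # Azure VNet address space (placeholder)
    # IKEv2: "GCMAES256" is aes256gcm16 and needs a PRF; "DHGroup2" is modp1024.
    ike=aes256gcm16-prfsha384-modp1024,aes256-sha256-modp1024!
    # ESP: "PFS2048" is modp2048, "ECP384" is ecp384, "None" means no DH group at all.
    esp=aes256gcm16-modp2048,aes256-sha256-ecp384,aes256-sha256!
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    auto=start
```

The trailing "!" makes each list strict, so only the listed proposals are offered. Note that the IKE side of the Azure table offers a single 1024-bit MODP group; if you control the Azure connection, attach a custom IPsec/IKE policy with DHGroup14 or ECP384 and drop modp1024 from the ike= line, because 1024-bit DH is below current recommendations.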
Is there any way to register a new device onto the Azure IoT Hub programmatically using self-/CA-created certificates?
For example, say I want to register my Raspberry Pi onto my newly created IoT Hub from the same Raspberry Pi. I know we can do it using the Azure CLI. What I am looking for is a way to do it programmatically, using MQTT/REST.
Thanks in advance.
Regards,
Pradeep
You can make use of the device provisioning service - DPS. The DPS is another service whose purpose is to identify your device, and in case that the device identification is recognized by the DPS, the DPS will create an identity in your IoT Hub.
You set up the DPS by creating either an individual enrollment (for individual device onboarding) or a group enrollment (for a group of devices, typically if you use certificates or the shared access key authentication type).
Enrollments typically contain an identification type that the device should present, and the IoT Hub to which the device with the presented identification should be assigned.
The typical flow is that the device reaches out to the DPS with some public identification (certificate chain, TPM registration ID, or SAS key). Then internally the DPS can challenge the device (proof-of-possession in the case of CA certificates), and if the device successfully solves the challenge, that means the device holds a specific secret (the private key in the case of CA certs) that identifies that device, so the DPS creates the device identity in the hub assigned in that specific enrollment. This process is called attestation.
As a result, on the device side, you receive at least the IoT Hub endpoint, and the device Id which you use to communicate with the IoT Hub.
Below are the code snippets of how you can do this with CA certificates and C#:
    var certificate = new X509Certificate2(leafCertificatePath, leafCertificatePassword);
    using (var security = new SecurityProviderX509Certificate(certificate))
    using (var transport = new ProvisioningTransportHandlerMqtt(TransportFallbackType.TcpOnly))
    {
        ProvisioningDeviceClient provClient =
            ProvisioningDeviceClient.Create(GlobalDeviceEndpoint, dpsScope, security, transport);
        var deviceAuthentication = await GetDeviceRegistrationResultAsync(provClient, security);
        var auth = new DeviceAuthenticationWithX509Certificate(deviceAuthentication.DeviceId, security.GetAuthenticationCertificate());
        var deviceClient = DeviceClient.Create(hostname: deviceAuthentication.AssignedHub,
                                               authenticationMethod: auth,
                                               transportType: TransportType.Mqtt);
        if (deviceClient == null)
        {
            Console.WriteLine("Failed to create DeviceClient!");
        }
        else
        {
            SendEvents(deviceClient, MESSAGE_COUNT).Wait();
        }
    }
Method for getting the device registration result from the DPS:
    static async Task<DeviceRegistrationResult> GetDeviceRegistrationResultAsync(ProvisioningDeviceClient provClient, SecurityProviderX509 security)
    {
        DeviceRegistrationResult result = await provClient.RegisterAsync().ConfigureAwait(false);
        if (result.Status != ProvisioningRegistrationStatusType.Assigned)
        {
            throw new Exception("Device not assigned");
        }
        return result;
    }
Official example from MSFT you can find here
Here is how you can create and verify certificates with IoT Hub and DPS.
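The certificate side of both answers (the Node.js answer's generated cert.pem/key.pem above, and the CA proof-of-possession step this answer refers to) can be reproduced with nothing but openssl. The script below is an added example and not from either answer or from Microsoft's scripts: it builds a root CA, a verification certificate whose CN is the verification code (the real code is the one IoT Hub or DPS shows when you upload the CA certificate; the value here is a placeholder), and a device leaf certificate whose CN is the device ID, then checks the chain and that each key matches its certificate. The CA name, device ID "rasbpi-device" and output directory are assumptions.

```shell
# Added example: minimal IoT Hub / DPS CA flow with openssl (placeholders throughout).
set -e
WORK="${WORK:-$(mktemp -d)}"
DEVICE_ID="rasbpi-device"                                      # assumed device / registration ID
VERIFICATION_CODE="0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder; the portal issues the real one

# Self-signed root CA. ca.pem is what you upload to IoT Hub or DPS; ca.key never leaves the signing host.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example IoT Root CA" >/dev/null 2>&1
}

# Issue a CA-signed certificate named $1 whose subject CN is $2, valid for $3 days.
# IoT Hub matches the leaf CN against the device ID (DPS against the registration ID), so it must be exact.
issue_cert() {
    name="$1"; cn="$2"; days="$3"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -days "$days" -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Print the subject CN of a certificate (RFC 2253 formatting keeps the output stable across openssl versions).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=[[:space:]]*CN=//'
}

# Succeed only if the certificate chains to the CA we generated.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Succeed only if the private key belongs to the certificate (compares the two public keys).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

make_ca
# Proof of possession: sign a throw-away cert with the verification code as CN and upload it;
# only the holder of ca.key can produce it, which is what the service is checking.
issue_cert verification "$VERIFICATION_CODE" 30
# Device leaf certificate; this pair is what cert:/key: in the Node.js example point at.
issue_cert device "$DEVICE_ID" 365
echo "CA, verification and device certificates written to $WORK"
```

Because the keys are generated with -nodes they carry no passphrase, which is the case where the Node.js answer passes '' as the passphrase. Keep ca.key off the devices entirely: a device only ever needs its own device.pem and device.key, and anything that can sign with the CA key can mint identities for every device in the enrollment group.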
Just to clarify, 'registering' a device in IoT Hub/DPS is kind of an overloaded term and may mean different things to different people. If you are using self-signed certs, it's a two-step process.
First, you need to enroll the device in DPS, which lets DPS know that sometime in the future a device may show up with that name and that certificate. That is generally a backend process, typically NOT done from the device itself. Technically there's nothing stopping you from calling the REST APIs to do so from the device, but since you need some pretty powerful credentials to do so, it's not recommended to have them on your device. This cannot be done over MQTT. You can avoid having to enroll every individual device by uploading, verifying, and using a CA-signed cert, though.
Once that's done, the device can now/later register itself, which is the act of actually having DPS create the device registration record in IoT Hub. The device "phones home" to DPS, authenticates itself using the cert you provided in the enrollment, and registers itself, getting back from DPS the IoT Hub connection information it needs. That process can be done over MQTT, and you can find it step by step on my blog -> http://busbyland.com/azure-device-provisioning-server-over-mqtt-using-x509-certificates
Provisioning a device in IoT Hub from the device itself is not recommended, as it would require IoT Hub registry write permission and use of the service SDK.
The recommended approach is to use the Device Provisioning Service: you can create an individual or group enrollment with X.509, and it will automatically provision the device in the target IoT Hub.
The device just needs:
- a mechanism to attest its identity
- the DPS global endpoint
- the ID Scope identifying your instance of DPS
Check this - https://learn.microsoft.com/en-us/azure/iot-dps/concepts-x509-attestation
I'm not able to use the secure vault to encrypt the username and password in WSO2 API Manager 2.6.0.
I did the following configuration:
1. Ran ./ciphertool.sh -Dconfigure to start the ciphertool.
2. Gave the password to be encrypted.
3. Added it in the Carbon console at the /_system/config/repository/components/secure-vault location.
4. Called it in the mediation as
   <Password>{wso2:vault-lookup('AdminUser.Password')}</Password>
I got this error:
INFO - DefaultCryptoProviderComponent 'CryptoService.Secret' property has not been set. 'org.wso2.carbon.crypto.provider.SymmetricKeyInternalCryptoProvider' won't be registered as an internal crypto provider. Please set the secret if the provider needs to be registered.
I have a Luna SA HSM and Windows Server 2012 R2 + IIS, and I'd like to launch a site using HTTPS. I performed the standard connection setup between the Luna SA HSM and Windows Server 2012 R2. Then I generated a certificate request (key pair in the HSM), after which I received the certificate from the certification authority and ran "certreq -accept somecert.cer".
Next, I configured IIS for a site, and when I select the required certificate I get this problem:
Please advise what I can do in this situation.
My trouble was in the Luna KSP configuration.
I had registered the slot for:
User: Administrator / Domain: INTEGRATION2;
User: Administrator / Domain: NT_AUTHORITY;
but the second entry is wrong; it must be:
User: SYSTEM / Domain: NT_AUTHORITY;