SAML Authentication with login.microsoft.com from Progress Openedge - azure

Hi, does anyone have any experience of getting Progress OpenEdge to authenticate with login.microsoft.com?
Specifically with the certificates required to get it to work.
I have installed the Baltimore root cert, the VeriSignClass3PublicPrimaryCertificationAuthority-G5
and the Symantec SymantecClass3EVSSLCA-G3 certificates in the Progress\Openedge\certs folder.
The error I'm getting is:
Secure Socket Layer (SSL) failure. error code -55: CONNECT HostName: (login.microsoftonline.com) does not match
Certificate: (graph.windows.net) (9318)
Nowhere in my code am I referencing graph.windows.net and I believe this is an issue with the certificate setup, but I'm at a loss as to what it is.
BLOCK-LEVEL ON ERROR UNDO, THROW.

USING OpenEdge.Core.String.
USING OpenEdge.Net.HTTP.ClientBuilder.
USING OpenEdge.Net.HTTP.IHttpRequest.
USING OpenEdge.Net.HTTP.IHttpResponse.
USING OpenEdge.Net.HTTP.RequestBuilder.

DEFINE VARIABLE httpUrl      AS CHARACTER     NO-UNDO.
DEFINE VARIABLE oRequest     AS IHttpRequest  NO-UNDO.
DEFINE VARIABLE oResponse    AS IHttpResponse NO-UNDO.
DEFINE VARIABLE oRequestBody AS String        NO-UNDO.
DEFINE VARIABLE JsonString   AS LONGCHAR      NO-UNDO.

SESSION:DEBUG-ALERT = TRUE.

httpUrl = "https://login.microsoftonline.com/extSTS.srf".
/* placeholder for the SAML/WS-Trust SOAP envelope posted to the STS */
oRequestBody = NEW String('samlenvelope').

oRequest = RequestBuilder:Post(httpUrl, oRequestBody)
             :ContentType('application/soap+xml; charset=utf-8')
             :AcceptJson()
             :Request.

/* the TLS handshake, and therefore the -55 hostname check, happens inside Execute */
oResponse = ClientBuilder:Build():Client:Execute(oRequest).

MESSAGE
    oResponse:StatusCode   SKIP
    oResponse:StatusReason SKIP
    VIEW-AS ALERT-BOX.

OpenEdge < 11.7 is still common, so the answer below is still valid. However, Microsoft changed the certificates and aliases, and this is addressed in my specific answer.
The SSL failure error message is telling us that the HTTPS certificate was issued to a different entity than expected. This is what older OpenEdge sees, because it does not see a property called SAN (Subject Alternative Name), which contains all valid names for the site.
In practice, all you need to do is follow these 3 steps:
Step 1: Do you trust the certificate?
Validate that you trust "stamp2.login.microsoftonline.com" (at the time of the question it was "login.microsoftonline.com").
Step 2: Optional mapping
It is possible that "stamp2.login.microsoftonline.com" is not reachable. In this case you'd need to edit the "hosts" file of the OE server, so that "stamp2.login.microsoftonline.com" resolves to the IP of "login.microsoftonline.com" (how to edit the "hosts" file: https://www.siteground.com/kb/how_to_use_the_hosts_file/).
Step 3: Replace the URL in your code
Replace
httpUrl = "https://login.microsoftonline.com/extSTS.srf".
with
httpUrl = "https://stamp2.login.microsoftonline.com/extSTS.srf".
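The answer's point is that a client which only compares the subject CN rejects a certificate that is valid by its SAN list. The following is an added example (not OpenEdge code and not part of the thread) that implements both comparisons side by side. The certificates in it are constructed: only the CN graph.windows.net comes from the error message on the page; the SAN entries and the second "stamp2" certificate are assumptions used to show why step 3 works.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LeafCert:
    """Identity fields of an end-entity X.509 certificate (constructed for this example)."""
    subject_cn: str
    dns_sans: List[str] = field(default_factory=list)


# Assumed: the CN is the one reported on the page, the SAN list is a guess at
# what the login endpoint's certificate carries.
MS_LOGIN_CERT = LeafCert(
    subject_cn="graph.windows.net",
    dns_sans=[
        "graph.windows.net",
        "login.microsoftonline.com",
        "stamp2.login.microsoftonline.com",
        "*.login.microsoftonline.com",
    ],
)

# Assumed: a host whose certificate CN is the name the client connects to,
# which is the situation the answer's step 3 relies on.
STAMP2_CERT = LeafCert(
    subject_cn="stamp2.login.microsoftonline.com",
    dns_sans=["stamp2.login.microsoftonline.com", "login.microsoftonline.com"],
)


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 comparison: case-insensitive; a wildcard is allowed only as the
    whole left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                       # e.g. ".login.microsoftonline.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def match_cn_only(cert: LeafCert, hostname: str) -> bool:
    """Legacy check (the answer attributes it to OpenEdge < 11.7): only the
    subject CN is consulted, so a CN naming a sibling host fails."""
    return _name_matches(cert.subject_cn, hostname)


def match_san(cert: LeafCert, hostname: str) -> bool:
    """Modern check: when dNSName SANs are present they are authoritative and
    the CN is ignored (RFC 6125 section 6.4.4); the CN is only a fallback."""
    if cert.dns_sans:
        return any(_name_matches(san, hostname) for san in cert.dns_sans)
    return _name_matches(cert.subject_cn, hostname)


def legacy_error(cert: LeafCert, hostname: str) -> Optional[str]:
    """The message a CN-only client produces, or None when the name matches."""
    if match_cn_only(cert, hostname):
        return None
    return (f"CONNECT HostName: ({hostname}) does not match "
            f"Certificate: ({cert.subject_cn})")


if __name__ == "__main__":
    for cert, host in ((MS_LOGIN_CERT, "login.microsoftonline.com"),
                       (STAMP2_CERT, "stamp2.login.microsoftonline.com")):
        print(host, "| CN-only:", legacy_error(cert, host), "| SAN:", match_san(cert, host))
```

Against MS_LOGIN_CERT the CN-only check reproduces the page's -55 message while the SAN check accepts the name; against STAMP2_CERT both checks pass, which is why pointing the client at a host whose CN equals the requested name makes the old client work.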

Related

Overwrite Puppet Class Variables in Manifest

I'm currently using hiera to set all my class parameters for the Puppet forge Gitlab module.
cat hieradata/nodes/example.yaml
---
gitlab::backup_cron_enable: true
gitlab::gitlab_rails:
  backup_keep_time: 604800
  backup_path: /opt/gitlab_backup
  gitlab_default_can_create_group: false
  initial_root_password: foobar
...
cat site/profiles/manifests/gitlab.rb
class profile::gitlab {
  include gitlab
}
This code works as intended but I'd like to redact the password values in the log output and reports.
I tried to use hiera_options to convert the sensitive values but Puppet still displays the unredacted values.
cat hieradata/nodes/example.yaml
---
lookup_options:
  gitlab::gitlab_rails::initial_root_password:
    convert_to: "Sensitive"
gitlab::backup_cron_enable: true
gitlab::gitlab_rails:
  backup_keep_time: 604800
  backup_path: /opt/gitlab_backup
  gitlab_default_can_create_group: false
  initial_root_password: foobar
...
What is the best way to redact all sensitive values whilst using hiera to define the class parameters?
You need to have the password as a separate key in order for the auto conversion to take effect. The key that is looked up is bound to a hash, and it is not possible to address individual values in a hash with lookup_options (it is the entire hash that is looked up).
You can make an individual value Sensitive by using an alias and binding the password in clear text to a separate key - like this:
cat hieradata/nodes/example.yaml
---
lookup_options:
  gitlab::gitlab_rails::initial_root_password:
    convert_to: "Sensitive"
gitlab::backup_cron_enable: true
gitlab::gitlab_rails:
  backup_keep_time: 604800
  backup_path: /opt/gitlab_backup
  gitlab_default_can_create_group: false
  initial_root_password: '%{alias("gitlab::gitlab_rails::initial_root_password")}'
gitlab::gitlab_rails::initial_root_password: 'foobar'
...
With this approach you could also use EYAML or some other secure hiera backend to store the password in encrypted form. Such a backend may already return decrypted values wrapped in Sensitive - this is for example done by the Vault backend.
However, even if you get past the first hurdle, the result depends on what the gitlab module does with the hash now containing a Sensitive value. If it just passes the value for initial_root_password on it may work, but if it is doing any operation on this value (like checking if it is an empty string for example) it may fail. If you are unlucky it may seem to work but you may end up with the password "redacted" :-). Contact the maintainers of the module if it does not work and request that they support having the password as a Sensitive value instead of a String.
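To make the two rules the answer depends on concrete (convert_to only matches the key that is looked up, and alias() carries the aliased value's type into a hash), here is an added example in Python. It is a small model of that part of Hiera's behaviour, not Hiera or Puppet code, and the two data dictionaries are constructed copies of the hieradata shown in the thread.

```python
import re
from typing import Any, Dict

ALIAS_RE = re.compile(r'^%\{alias\("([^"]+)"\)\}$')


class Sensitive:
    """Stand-in for Puppet's Sensitive[T]: the value is reachable only through
    unwrap(), and anything that formats it sees the redaction marker."""

    def __init__(self, value: Any) -> None:
        self._value = value

    def unwrap(self) -> Any:
        return self._value

    def __repr__(self) -> str:
        return "Sensitive [value redacted]"

    __str__ = __repr__


def _interpolate(value: Any, data: Dict[str, Any]) -> Any:
    """Resolve %{alias("key")} strings. alias keeps the aliased value's type,
    so a Sensitive result stays Sensitive inside the hash."""
    if isinstance(value, str):
        m = ALIAS_RE.match(value)
        return lookup(m.group(1), data) if m else value
    if isinstance(value, dict):
        return {k: _interpolate(v, data) for k, v in value.items()}
    if isinstance(value, list):
        return [_interpolate(v, data) for v in value]
    return value


def lookup(key: str, data: Dict[str, Any]) -> Any:
    """Look up one key. convert_to applies to the key that was looked up and
    to nothing else: a key that exists only inside a hash value never matches."""
    if key not in data:
        raise KeyError(key)
    value = _interpolate(data[key], data)
    options = data.get("lookup_options", {}).get(key, {})
    if options.get("convert_to") == "Sensitive" and not isinstance(value, Sensitive):
        value = Sensitive(value)
    return value


# Constructed copy of the question's hieradata: password nested in the hash.
ORIGINAL: Dict[str, Any] = {
    "lookup_options": {
        "gitlab::gitlab_rails::initial_root_password": {"convert_to": "Sensitive"},
    },
    "gitlab::backup_cron_enable": True,
    "gitlab::gitlab_rails": {
        "backup_keep_time": 604800,
        "backup_path": "/opt/gitlab_backup",
        "gitlab_default_can_create_group": False,
        "initial_root_password": "foobar",
    },
}

# Constructed copy of the answer's layout: separate key plus alias.
ALIASED: Dict[str, Any] = {
    **ORIGINAL,
    "gitlab::gitlab_rails": {
        **ORIGINAL["gitlab::gitlab_rails"],
        "initial_root_password": '%{alias("gitlab::gitlab_rails::initial_root_password")}',
    },
    "gitlab::gitlab_rails::initial_root_password": "foobar",
}


def report(params: Dict[str, Any]) -> str:
    """What a log line or report would show for the class parameters."""
    return ", ".join(f"{k}={v!r}" for k, v in params.items())


if __name__ == "__main__":
    print(report(lookup("gitlab::gitlab_rails", ORIGINAL)))  # password in clear
    print(report(lookup("gitlab::gitlab_rails", ALIASED)))   # Sensitive [value redacted]
```

With ORIGINAL the hash is looked up under a key that has no lookup_options, so the nested password is returned as a plain string; with ALIASED the alias triggers a lookup of the separate key, which does have convert_to, so the hash arrives with a Sensitive inside it.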

django-viewflow, multiple flows within the same app causes url not unique via @rest.register

Say I have an app called 'MRT'; inside the app I have 2 flow definitions,
Flow_A and Flow_B,
both registered via @rest.register as below:
from viewflow import frontend, rest  # rest is the viewflow-pro REST module
from viewflow.base import Flow


@frontend.register
@rest.register
class Flow_A(Flow):
    ...


@frontend.register
@rest.register
class Flow_B(Flow):
    ...
When I runserver, it raises a warning: ?: (urls.W005) URL namespace 'viewflow_rest:mrt' isn't unique. You may not be able to reverse all URLs in this namespace
The consequence of this is that the tasks of one of the flows (depending on which one was registered last) cannot be URL-reversed, e.g. Reverse for 'check_size__detail' not found. 'check_size__detail' is not a valid view function or pattern name.
The issue has been rectified in v1.5.11,
see the github ticket.

How to convert string in URI

I set up an OpenSIPS 2.3 proxy server, so for any call that comes to the server, my script grabs the SIP URI from the DB and forwards the call to that URI. When I get the value I use an AVP to get the value and save it in $avp(didnumber). If I use rewrite with a manually specified URI it is working, but when I grab this value from the DB and then assign it, it is not working in the rewriteuri() method.
$ru = "sip:"+$avp(didnumber)
if I write
rewriteuri("[$ru]")
it throws following error
ERROR:core:parse_sip_msg_uri: bad uri <[$ru>
ERROR:tm:new_t: uri invalid
ERROR:tm:t_newtran: new_t failed
I think this method does not accept a normal variable, so I added quotation marks to make it a string variable; now it shows fine in the log, but it seems I have to convert the variable using an AVP or a transformation. I tried many syntaxes but still could not do it. Please suggest.
rewriteuri() has been deprecated in favour of simply using $ru. Your R-URI already gets completely rewritten by this statement:
$ru = "sip:" + $avp(didnumber);
However, note that the above is incorrect, since you do not supply a "hostport" part to the uri, according to the SIP RFC 3261:
SIP-URI = "sip:" [ userinfo ] hostport
uri-parameters [ headers ]
The parser will likely report an error. There are two fixes for this:
either only rewrite the R-URI "userinfo" part, like so:
$rU = $avp(didnumber);
or supply a destination hostname:
$ru = "sip:" + $avp(didnumber) + "@" + $var(destination);
Following from here, you can just t_relay() using your new R-URI.
EDIT: the OpenSIPS URI parser will actually tolerate a URI such as "sip:44776772882", but it will interpret the DID as a hostname, so the errors may start appearing later, should the script writer attempt to relay the message to the invalid "44776772882" hostname.
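The answer's EDIT is easiest to see with a parser that splits a Request-URI exactly as the RFC 3261 grammar quoted above does. The following is an added example in Python, not OpenSIPS code: it parses "sip:" + DID with and without a host part, shows that a bare DID lands in the host slot, and checks whether that host is something DNS could resolve. The DID and host names in it are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# scheme ":" [ userinfo "@" ] hostport [ ";" uri-parameters ] [ "?" headers ]
_URI_RE = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<userinfo>[^@;?]+)@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:;?\[\]]+)"   # bracketed IPv6, or hostname / IPv4
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<params>(?:;[^;?]+)*)"
    r"(?:\?(?P<headers>.*))?$"
)
# RFC 3261 hostname: alphanumeric/hyphen labels, top label starting with a letter
_HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)*"
    r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.?$"
)
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class SipUri:
    scheme: str
    user: Optional[str]
    host: str
    port: Optional[int]
    params: Dict[str, str]
    headers: str


def parse_sip_uri(text: str) -> SipUri:
    """Split a Request-URI into its RFC 3261 parts; on a syntax error raise
    with the wording parse_sip_msg_uri uses ("bad uri <...>")."""
    m = _URI_RE.match(text)
    if not m:
        raise ValueError(f"bad uri <{text}>")
    params: Dict[str, str] = {}
    for item in filter(None, m.group("params").split(";")):
        name, _, value = item.partition("=")
        params[name] = value
    return SipUri(
        scheme=m.group("scheme"),
        user=m.group("userinfo"),
        host=m.group("host"),
        port=int(m.group("port")) if m.group("port") else None,
        params=params,
        headers=m.group("headers") or "",
    )


def host_is_routable(host: str) -> bool:
    """True when the host part is a hostname, a dotted IPv4 or a bracketed IPv6
    literal. A bare DID such as 44776772882 is none of these, which is where
    a relay to "sip:44776772882" would eventually fail."""
    if host.startswith("[") and host.endswith("]"):
        return True
    return bool(_HOSTNAME_RE.match(host) or _IPV4_RE.match(host))


def build_ruri(did: str, destination: str) -> str:
    """The corrected assignment from the answer, "sip:" + DID + "@" + host, with
    the DID checked so a value read from the DB cannot smuggle in delimiters."""
    if not did or any(c in did for c in "@;?:"):
        raise ValueError(f"DID contains URI delimiters: {did!r}")
    uri = f"sip:{did}@{destination}"
    parsed = parse_sip_uri(uri)
    if not host_is_routable(parsed.host):
        raise ValueError(f"destination {destination!r} is not a routable host")
    return uri


if __name__ == "__main__":
    bare = parse_sip_uri("sip:44776772882")          # constructed DID
    print("user:", bare.user, "host:", bare.host, "routable:", host_is_routable(bare.host))
    print(build_ruri("44776772882", "pbx.example.com"))
```

The delimiter check in build_ruri is the part worth keeping in a real script: the DID comes from a database, and a value like "447@attacker.example" would otherwise redirect the call to a host of the attacker's choosing.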

How to achieve security level 3 in FIWARE?

I am deploying the FIWARE security GEs (i.e., Wilma, AuthzForce, Keyrock) on my computer. Security level 2 (Basic Authorization) is working well, but now I need security level 3 (Advanced Authorization) using XACML.
Long story short, I want a tutorial on implementing security level 3. However, as far as I know, no tutorial or document about security level 3 exists.
For now, I create my policy with the PAP's API, and change the 'custom_policy' option in config.js from 'undefined' to 'policy.js'. Then I create the 'policy.js' file in 'PEP/policies', but don't change anything compared with its template file because I don't know what this code does exactly. I think I should make the XACML Request form using the 'xml' variable. But in my case, PEP gives me an error when I make the XACML Request using the 'xml' variable and return this variable. Here is my error from PEP:
Error: Root - Error in AZF communication <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/S" xmlns:ns2="http://www.w3.org/2005/Atom" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Request'.</message></error>
And here is my 'getPolicy' code (XACML Request) in policy.js. I just made a very simple request to see whether the response is permit or not, because I'm not sure what I'm doing at this point:
var xmlBuilder = require('xmlbuilder');

exports.getPolicy = function (roles, req, app_id) {
    var xml = xmlBuilder.create('Request', {
            'xmlns': 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
            'CombinedDecision': 'false',
            'ReturnPolicyIdList': 'false'})
        .ele('Attributes', {
            'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});
    // serialise and return the request document (the 'xml' variable mentioned above)
    return xml.end();
};
So, anyone can give me any information about implementation of security level 3?
Upgrade to Wilma 6.2 (bug fixing).
Reuse the code from lib/azf.js which is known to work, and adapt the Request content to your needs. The variable is wrongly called XACMLPolicy there, but don't be mistaken, this is an actual XACML Request. This is using xml2json package to convert the JSON to XML, whereas in your code you seem to use a different one, xmlbuilder maybe? You didn't paste the full code - where does this xmlBuilder variable come from? - so I'm just guessing.
If you are indeed using xmlbuilder package and want to stick with it, I notice that in the example using namespaces, the xmlns attribute is put in a different way:
var xmlBuilder = require('xmlbuilder');
var xml = xmlBuilder.create('Request', { encoding: 'utf-8' })
    .att('xmlns', 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17')
    .att('CombinedDecision', 'false')
    .att('ReturnPolicyIdList', 'false')
    .ele('Attributes', {'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});
Maybe this makes a difference, I didn't check.
Also feel free to create an issue with your question on Wilma's github to get help from the dev team. (I am not one of them but we've worked together for AuthzForce integration.)
The error you are getting is really:
Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Request'.
This is a simple XML validation issue. You need to make sure that the XACML request you send contains the right namespace declaration.
You'll see there is another question on this topic here.
Can you paste your XACML request so we can tell whether it is valid?
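Both answers come down to the same thing: the Request element must be declared in the XACML 3.0 namespace, and the request needs the usual subject, resource and action categories. Here is an added example in Python (not Wilma, AuthzForce or xmlbuilder code) that builds such a request with the standard library, escapes attribute values so a role name pulled from a token cannot inject extra elements, and checks a request the way the cvc-elt.1 error does. The attribute identifiers are the standard XACML ones; the resource naming convention (app_id followed by the path) and the sample roles are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XACML2_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # older namespace, used here as the "wrong" one
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_TYPE = "http://www.w3.org/2001/XMLSchema#string"

# Emit the XACML 3.0 namespace as the default namespace, i.e. xmlns="..." on Request.
ET.register_namespace("", XACML3_NS)


def _q(ns: str, local: str) -> str:
    """Clark notation {namespace}local used by ElementTree."""
    return f"{{{ns}}}{local}"


def _add_attribute(attrs: ET.Element, ns: str, attribute_id: str, value: str) -> None:
    attribute = ET.SubElement(attrs, _q(ns, "Attribute"),
                              AttributeId=attribute_id, IncludeInResult="false")
    av = ET.SubElement(attribute, _q(ns, "AttributeValue"), DataType=STRING_TYPE)
    av.text = value   # ElementTree escapes <, > and &, so the value cannot open new elements


def build_request(roles: Iterable[str], app_id: str, resource: str, action: str,
                  ns: str = XACML3_NS) -> str:
    """Build a XACML Request with subject roles, one resource and one action.
    Passing ns=XACML2_NS reproduces a request the PDP's schema check rejects."""
    request = ET.Element(_q(ns, "Request"), CombinedDecision="false", ReturnPolicyIdList="false")
    subject = ET.SubElement(request, _q(ns, "Attributes"), Category=SUBJECT_CAT)
    for role in roles:
        _add_attribute(subject, ns, ROLE_ID, role)
    res = ET.SubElement(request, _q(ns, "Attributes"), Category=RESOURCE_CAT)
    _add_attribute(res, ns, RESOURCE_ID, f"{app_id}{resource}")   # assumed convention
    act = ET.SubElement(request, _q(ns, "Attributes"), Category=ACTION_CAT)
    _add_attribute(act, ns, ACTION_ID, action)
    return ET.tostring(request, encoding="unicode")


def validate_request(xml_text: str) -> Tuple[bool, str]:
    """The two checks that matter here: the root must be {XACML 3.0}Request and
    the three categories must be present."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(XACML3_NS, "Request"):
        return False, "cvc-elt.1: Cannot find the declaration of element 'Request'."
    categories = {a.get("Category") for a in root.findall(_q(XACML3_NS, "Attributes"))}
    missing = [c for c in (SUBJECT_CAT, RESOURCE_CAT, ACTION_CAT) if c not in categories]
    if missing:
        return False, "missing attribute categories: " + ", ".join(missing)
    return True, "ok"


def role_values(xml_text: str) -> List[str]:
    """Role attribute values as a PDP would read them back."""
    root = ET.fromstring(xml_text)
    return [attr.find(_q(XACML3_NS, "AttributeValue")).text
            for attr in root.iter(_q(XACML3_NS, "Attribute"))
            if attr.get("AttributeId") == ROLE_ID]


if __name__ == "__main__":
    doc = build_request(["Manager", "Auditor"], "app-1", "/protected", "GET")  # sample values
    print(doc)
    print(validate_request(doc))
    print(validate_request(build_request(["Manager"], "app-1", "/protected", "GET", ns=XACML2_NS)))
```

The request the page's getPolicy produces has the right namespace string but only a subject category and no Attribute elements; the builder above shows what the rest of the document needs to contain before the PDP can evaluate it.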

signature error

This shows the error "The request signature we calculated does not match the signature you provided. Check your AWS...".
String url;
Integer statuscode;
// ISO 8601 UTC timestamp: serialise, strip the quotes and milliseconds, append Z
String date1 = JSON.serialize(Datetime.now());
if (date1.contains('"')) {
    date1 = date1.replace('"', '');
}
String algorithmName = 'HmacSHA256';
date1 = date1.substring(0, (date1.length() - 5));
date1 = date1 + 'Z';
date1 = EncodingUtil.urlEncode(date1, 'UTF-8');
String Action = EncodingUtil.urlEncode('CreateTopic', 'UTF-8');
String AccessKey = EncodingUtil.urlEncode('APIKEY', 'UTF-8'); // API key hidden for security reasons, but I checked it works fine for SES
String Signaturemethod = EncodingUtil.urlEncode('HmacSHA256', 'UTF-8');
// string to sign: verb, host, path, query string
String str = 'GET\nsns.us-east-1.amazonaws.com\n/\nAction=' + Action + '&Name=Testtopics&AWSAccessKeyId=' + AccessKey + '&Timestamp=' + date1 + '&SignatureVersion=2&SignatureMethod=' + Signaturemethod;
Blob mac = Crypto.generateMac(algorithmName, Blob.valueOf(str), Blob.valueOf('SECURITYKEY')); // blob value of key used in signature
url = 'https://sns.us-east-1.amazonaws.com/?Action=CreateTopic&Name=Testtopics&AWSAccessKeyId=ACCESSKEY&Timestamp=' + date1 + '&SignatureVersion=2&SignatureMethod=HmacSHA256&Signature=' + EncodingUtil.urlEncode(EncodingUtil.base64Encode(mac), 'UTF-8'); // final url
I don't have much idea about AWS, but below is what I was able to find. I can't test these things anywhere to figure out the problem.
A common cause of the error message below is not properly creating the string to sign, such as forgetting to URL encode characters such as the colon (:) and the forward slash (/) in Amazon S3 bucket names.
<Error>
  <Type>Sender</Type>
  <Code>SignatureDoesNotMatch</Code>
  <Message>The request signature we calculated does not match the signature you provided.
  Check your AWS Secret Access Key and signing method.
  Consult the service documentation for details.</Message>
</Error>
http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
It looks like you might be missing a trailing single quote at the end of your url. See if that makes a difference.
url="https://sns.us-east-1.amazonaws.com/?Action=CreateTopic&Name=Testtopics&AWSAccessKeyId=ACCESSKEY&Timestamp='+date1+'&SignatureVersion=2&SignatureMethod=HmacSHA256&Signature='+EncodingUtil.UrlEncode(EncodingUtil.base64Encode(mac),'UTF-8')+"'";
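The first answer's pointer to the Signature Version 2 documentation is the useful one: SigV2 signs a canonical string whose query parameters are sorted by name in byte order and encoded per RFC 3986, and a string built in any other parameter order produces a different HMAC. The following is an added example in Python, not the question's Apex and not AWS code, that builds the canonical string for the page's CreateTopic request, signs it, and verifies it the way the service side does. The access key, secret and timestamp are constructed placeholders; the parameter order in PAGE_ORDER is the one the page's Apex string uses.

```python
import base64
import hashlib
import hmac
from typing import Dict, Sequence
from urllib.parse import quote

HOST = "sns.us-east-1.amazonaws.com"

# Constructed request; the credentials are documentation-style placeholders.
PARAMS: Dict[str, str] = {
    "Action": "CreateTopic",
    "Name": "Testtopics",
    "AWSAccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "Timestamp": "2017-01-01T12:00:00Z",   # ISO 8601, UTC, no fractional seconds
    "SignatureVersion": "2",
    "SignatureMethod": "HmacSHA256",
}
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# The order the page's Apex code concatenates the parameters in; it is not byte-order sorted.
PAGE_ORDER: Sequence[str] = ("Action", "Name", "AWSAccessKeyId", "Timestamp",
                             "SignatureVersion", "SignatureMethod")


def _enc(value: str) -> str:
    """RFC 3986 encoding as SigV2 requires: only A-Z a-z 0-9 - _ . ~ left as is,
    space as %20 (never +), hex digits upper-case. Note that '/' is encoded."""
    return quote(value, safe="-_.~")


def query_in_order(params: Dict[str, str], order: Sequence[str]) -> str:
    return "&".join(f"{_enc(k)}={_enc(params[k])}" for k in order)


def canonical_query(params: Dict[str, str]) -> str:
    """Parameters sorted by name in byte order, then encoded and joined."""
    return query_in_order(params, sorted(params))


def string_to_sign(method: str, host: str, path: str, params: Dict[str, str]) -> str:
    """SigV2 StringToSign: verb, lower-case host, request URI, canonical query."""
    return "\n".join([method.upper(), host.lower(), path or "/", canonical_query(params)])


def hmac_b64(text: str, secret: str) -> str:
    """HMAC-SHA256 over the string to sign, base64 encoded (the Signature value)."""
    digest = hmac.new(secret.encode("utf-8"), text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_v2(method: str, host: str, path: str, params: Dict[str, str], secret: str) -> str:
    return hmac_b64(string_to_sign(method, host, path, params), secret)


def signed_url(host: str, path: str, params: Dict[str, str], secret: str) -> str:
    """The secret only feeds the HMAC; it must never appear in the URL itself."""
    signature = sign_v2("GET", host, path, params, secret)
    return f"https://{host}{path}?{canonical_query(params)}&Signature={_enc(signature)}"


def verify_v2(method: str, host: str, path: str, params: Dict[str, str],
              secret: str, signature: str) -> bool:
    """Server-side check: recompute and compare in constant time."""
    return hmac.compare_digest(sign_v2(method, host, path, params, secret), signature)


if __name__ == "__main__":
    print(string_to_sign("GET", HOST, "/", PARAMS))
    print(signed_url(HOST, "/", PARAMS, SECRET))
    page_style = "GET\n" + HOST + "\n/\n" + query_in_order(PARAMS, PAGE_ORDER)
    print("page order signs the same?", hmac_b64(page_style, SECRET) == sign_v2("GET", HOST, "/", PARAMS, SECRET))
```

Two details to compare against the Apex on the page: the canonical query puts AWSAccessKeyId before Action (upper-case "W" sorts before lower-case "c"), and the colons in the timestamp appear as %3A in the string to sign as well as in the URL.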
