I implemented OAuth 2.0 Provider layer so all communication between my server and
IBM-Connections server happens with proper OAuth token.
I followed the steps mention in below mention URL:
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Building_Embedded_Experience_gadgets_for_third-_party_IBM_Connections_Activity_Streams
Request is coming to my server (after clicking on the gadget mention on above URL)
https://?client_id=853e738c8f514ea0b0beb03c538df1e4&redirect_uri=https%3A%2F%2FBLTCon4Gold1.actiance.local%3A9444%2Fconnections%2Fopensocial%2Fgadgets%2Foauth2callback&response_type=code&scope=read_stream%2Cpublish_stream&state=WcSdxX0BvPkwiOli2VFnlsIWEWzAprpT6DW2I9RXEjDtUpD-faNVQkYvLb1AcgX3Z3njZg0qPPZjd5XMT7ENQSYiBr1thpOiUlLzYKkmt5-2qG304QgYEpWE8csezSIJ-4qHiFFeGbJpILbgzUw7DBoNMVMPcF-OfMbZ5orqgKwBCCajFVKdgQeukivSq4r3hBFY89lgto4co_dacDR1Dt7AWDM
After user credential validation, OAuth provider layer is redirecting the request to call back URL with code and state as query parameter:
https://bltcon4gold1.actiance.local:9444/connections/opensocial/gadgets/oauth2callback?code=477885dfb80644958cd4bae049bc2b9f&state=WcSdxX0BvPkwiOli2VFnlsIWEWzAprpT6DW2I9RXEjDtUpD-faNVQkYvLb1AcgX3Z3njZg0qPPZjd5XMT7ENQSYiBr1thpOiUlLzYKkmt5-2qG304QgYEpWE8csezSIJ-4qHiFFeGbJpILbgzUw7DBoNMVMPcF-OfMbZ5orqgKwBCCajFVKdgQeukivSq4r3hBFY89lgto4co_dacDR1Dt7AWDM
Response shows http status code 200.
But the Problem is IBM-Connection server is not making further call for request Token.
Please advise me.
check your systemout.log for PXIX or other SSL errors
if you are using a self signed certificate, you should import the key into the trust store.
Login to your Deployment Manager
Go to Security > SSL certificate and key management
Click on Key stores and certificates
Select CellDefaultTrustStore
Click Signer Certificates
Click Retrieve from port
Give it a name localhttp
type in the ip:port
click retrieve from port
you can also turn on trace in your deployment manager
Related
I am looking for some guidance on how I can use an Azure B2C custom policy to federate to a legacy Authentication Server. Here is the current flow that I would like to implement in the custom policy.
This protocol looks like a hybrid Oauth1 and the "actors" involved are:
Browser based user
Application Server
Authentication Server + protected resources
The Application server is preconfigured with an application id and an application secret provided by the Authentication Server. The Authentication server is also configured with a callback URL (pointing to the Application server). - Similar setup to OAuth.
Flow:
Step 1: The user requests a resource from the Application server by performing a GET on the application server (e.g. GET /resource
Step 2: The application server calculates an attribute using the preconfigured client secret and redirects the browser to the Authentication Server.
Step 3: If the Authentication Server determines that the user needs to be authenticated and may prompt the user for a username/password. This is transparent to the application server.
Step 4: The Authentication Server verifies the application server-provided attributes sent in Step 2 and responds by redirecting the user to the preconfigured application server callback URL. This request will additionally include a number of attributes set by the authentication server.
Step 5: The browser redirects the user to the application server’s callback URL and the application server uses the attributes received in Step 4 to calculate a resource request token
Step 6: The application server uses this request token to request protected resources and responds to the user's original request.
I am looking for ways to implement the above. Do I build this using a custom policy with an Oauth1 Technical profile Or an OIDC technical profile or something else?
The only way to do this is to create some middle layer than talks OpenId Connect to AAD B2C and talks the proprietary protocol to your legacy system.
Azure AD B2C can then make an open id connect request to your web server and it can do whatever it needs. Just have it respond back to B2C in an open id connect way.
So I'm trying to use 2 API's from our external data source, an organization that solely focuses on delivering data to customers (me).
They have 2 different API's:
A login API: this API is called with basic authentication (username and password) and will provide a bearer token
An API to extract data and manage filters (this API will require the bearer token acquired through the login API)
Important notes:
The login API requires a self-signed certificate, I have created a certificate on my PC using openSSL and shared the public key with the external data source.
I uploaded the .pfx file in Azure (however i cannot set the domain or port number, this seems to be an issue, I can do this in Postman but can't seem to find it in Azure)
The data source confirmed that the certificate is valid and I am able to use the certificate in Postman but only if i set the correct hostname and also the correct port number (Else i get a TLS error in Postman)
Everything is working as it should in Postman (I can call the Login API and i can use the bearer token to access and download the data using a json file made for postman that i received from the data source organization)
I uploaded the .pfx certificate in Azure using AppServices > TLS/SSL settings and upload the private certificate, however the hostname it says here is my own database name (I am not sure if this is correct, in Postman i set the hostname when i upload the certificate to be the hostname of our data source with the needed port number)
I tried making a web call in Azure Datafactory, here i've used the correct URL i also use in Postman to access the login API and selected basic authentication and filled in the credentials
However when i try to debug pipeline (only the login web call) it gives the following error:
Error code 2108
Troubleshooting guide
Failure type User configuration issue
DetailsError calling the endpoint '[LINK i put with portnumber, which is correct]'. Response status code: 'NA - Unknown'. More details: Exception message: 'NA - Unknown [ClientSideException] An error occurred while sending the request.'.
Request didn't reach the server from the client. This could happen because of an underlying issue such as network connectivity, a DNS failure, a server certificate validation or a timeout.
Source
Pipeline
Punctuality
Am i looking in the wrong direction for this kind of data retrieval? is something going wrong with the certificate? I can't seem to find where i can set the correct hostname and port number (Like i can in Postman when uploading the certificate in .pfx format) Should I use API Management Service rather than Data Factory to make the API call to the external data source?
Select the authentication method as Client Certificate in web activity settings.
Specify base64-encoded contents of a PFX file in Pfx.
I have an App Service that's protected by a TLS certificate. It worked fine with small payloads, however, it started failing with larger payloads.
According to an article, I enabled certificate negotiation for my API Management Service:
https://notetoself.tech/2019/06/13/api-call-with-client-certificate-policy-failing-to-execute-due-to-message-size-on-azure-api-management/
However, it still randomly fails with certificate negotiation error, as seen below:
Important - I do not want to use client authentication between browser <-> API management. I'm using it only between API management <-> App Service.
I could not find any information on this substatus 72 code. What does it mean and can it be fixed? Is Azure client certificate authentication broken and won't work with large payloads?
The Negotiate Client Certificate checkbox will not help here as this is for the mutual auth between the client and your apim service where your problem is between apim and app service. Your app service should force apim to exchange the client certificate during the initial SSL handshake rather than waiting until it is needed.
This problem is not related specifically to azure, see this
https://techcommunity.microsoft.com/t5/networking-blog/https-client-certificate-request-freezes-when-the-server-is/ba-p/339672
The issue description to me or at least to how I understood it does not match with the error code as the 17 substatus code means that the client certificate has expired or is not yet valid.
See this https://www.google.com/search?q=403.17+http+code&oq=403.17+http+code&aqs=chrome..69i57.9265j0j7&client=ms-android-samsung-gn-rev1&sourceid=chrome-mobile&ie=UTF-8
And this https://techcommunity.microsoft.com/t5/iis-support-blog/client-certificate-revisited-how-to-troubleshoot-client/ba-p/348053
For testing purposes I would like to enable the 'Incoming Client Certificates' option in my Azure App Service (running a WCF webservice), and see if my Client application can still connect to the webservice. Since I am still in a testing phase, my app service still has the .azurewebsites.net domain name.
However, I can't seem to figure out how to get a proper client certificate that the server will accept (without switching to a custom domain name, which I know will work).
Currently, I see 2 possible routes to a solution:
Somehow get my hands on .cer that is signed by a CA trusted by the App Service server.
Generate a self-signed .pfx and .cer with my own self-signed CA. Import the pfx on the App Service and install the .cer on the client.
Both directions have not yielded any success so far. Does anyone have any experience with this?
Per my understanding, the client certificate is used by client systems to make authenticated requests to a remote server. In this case, your webservice is the remote server in a C/S mode. As you point out, "validating this certificate is the responsibility of the web app. So this means that any certificate will be valid as long as you don't validate anything". It does not effect on whether you have a custom domain or not in your web app service.
If you want to use client cert authentication with Azure app, you can refer to How To Configure TLS Mutual Authentication for Web App.
If the server has requested client certificate in its server hello and the client cert has signing capability, then it is expected to send the CertificateVerify message to the server. It contains signed hash of all messages from Client Hello till that point which are buffered on the server side. The server TLS layer will decrypt this using the client public key (which is in the Client certificate received earlier) and compare with its calculated hash. It will call back to application layer if this fails.
The application needs to handle it at that point and return its own error or continue with the session. https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
One example of this with Wolfssl library is https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145
I have a cloud service and an Azure APIM instance with a self signed client cert setup on them (the cert has intended purposes of server auth and client auth).
Each API within the APIM has the client cert setup on its security. However, when I perform the call the following comes back in the trace.
"messages":["Error occured while calling backend service.","The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.","The remote certificate is invalid according to the validation procedure."
Is there anything I am missing here, searching online and cannot see anything obvious.
Yes you are correct, the option is not available in the portal to allow self-signed certificates. Here is a blogpost by Sasha Rosenbaum: http://divineops.net/enable-self-signed-certificates-in-azure-api-management-services/
Here basically you are skipping the certificate verification using "skipCertificateChainValidation" attribute.
You can create a backend entity through power shell scripts to skipcertifioc