Accepting self signed certificate programmatically from J2ME - java-me

I have created a self-signed certificate and configured Tomcat to use it (port 443).
When I try to access it through a J2ME application I get a CertificateException:
import java.io.IOException;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpsConnection;
import javax.microedition.lcdui.Alert;
import javax.microedition.lcdui.AlertType;

public void run() {
    String url = "https://192.168.1.40/test/index.jsf";
    try {
        HttpsConnection hc = (HttpsConnection) Connector.open(url);
        int respCode = hc.getResponseCode();   // throws CertificateException for the self-signed cert
        hc.close();
    } catch (IOException ioe) {
        Alert a = new Alert(ioe.toString(), null, AlertType.INFO);
    }
}
javax.microedition.pki.CertificateException:Certificate failed verification
I think the emulator has options to import a certificate, but
is there any way to package the certificate with the J2ME JAR and make it accept the self-signed certificate on a real mobile device?

A late answer: few phones have such a feature (importing root certs); I do not remember exactly, probably SE (Sony Ericsson) phones and Nokia Symbian (not all models). The majority of phones do not support this feature.
You may consider using SSL encryption in J2ME code such as BouncyCastle; see here: Client side ssl in J2me?

Related

Calling relying party over HTTPS and token encryption

I have an issue with the Windows Azure ACS and I can't quite determine if it's supposed to be that way, or if there's an error in my code.
I have a number of relying parties configured in the ACS and all of them are configured with HTTPS. Every service is configured in such a way that Token Encryption is required. For this, I've uploaded a certificate created using MakeCert.exe.
When the client communicates with the relying party, I add the public part of the certificate as the service certificate and I add the subject name as a DnsIdentity:
var identity = EndpointIdentity.CreateDnsIdentity( GetClientCertificateSubjectName() );
var serviceEndpointAddress = new EndpointAddress( new Uri( _serviceAddress ), identity );
// Creation of channel factory
if( channelFactory.Credentials != null ) {
    channelFactory.Credentials.ServiceCertificate.DefaultCertificate = GetClientCertificate();
    channelFactory.Credentials.ClientCertificate.Certificate = GetServiceIdentityCertificate();
}
Here's the thing: when I call the relying party over HTTPS, then I can skip the creation of the EndpointIdentity and then the relying party will give me a correct answer. I can also skip setting the ServiceCertificate.DefaultCertificate property or set a totally random certificate, and the relying party will still give me a correct answer.
When calling over HTTP, doing any of the above will result in the ACS erroring out with messages indicating that I haven't used the correct certificates. In short: when calling over HTTP, I can only communicate with the correct client certificate. I expected that this was the case for HTTPS as well.
I can imagine that the ChannelFactory<T> or the ACS is smart enough to detect that HTTPS is used and that the configured encryption is skipped, in favour of SSL encryption. Sadly, I can't find any documentation that supports this idea.
My question is: Is it normal to ignore the EndpointIdentity and certificates when calling a relying party over HTTPS? Or do I need additional configuration to make this work?
Thanks in advance!
The amount of information I gave turned out to be insufficient to properly answer the question. It turned out that it was all in the bindings we were creating. It creates a binding with the following piece of code:
public static Binding CreateServiceBinding( string acsCertificateEndpoint, string bindingNameSpace, bool useSsl ) {
    var binding = new IssuedTokenWSTrustBinding( CreateAcsCertificateBinding(), new EndpointAddress( acsCertificateEndpoint ) );
    if( useSsl ) {
        binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
    }
    if( !string.IsNullOrWhiteSpace( bindingNameSpace ) ) {
        binding.Namespace = bindingNameSpace;
    }
    return binding;
}

public static CertificateWSTrustBinding CreateAcsCertificateBinding() {
    return new CertificateWSTrustBinding( SecurityMode.TransportWithMessageCredential );
}
That results in the following:
If it is HTTP communication, it goes through the MutualCertificate authentication mode flow and it is applied on the message layer only. That is why the client is mandated to present a client certificate. This binding element creates an asymmetric security binding element that is configured to require certificate-based client authentication as well as certificate-based server authentication.
If it is HTTPS communication, it goes through the CertificateOverTransport authentication mode flow and it is applied on the transport layer only. That's why it works even though the client certificate is not presented. This binding element expects the transport to provide server authentication as well as message protection (for example, HTTPS).
For more information on the security modes, check out the following links:
https://msdn.microsoft.com/en-us/library/ms733098%28v=vs.110%29.aspx
https://msdn.microsoft.com/en-us/library/ms731074%28v=vs.110%29.aspx
Hope this helps someone!

Error creating a new workspace

I am trying to create a local workspace so I can map it to VisualStudio online account. Here is the command I am trying to run.
tf workspace -new -login:"Windows Live ID"\user,pass -collection:https://shaggyinjun.visualstudio.com/DefaultCollection
For some reason I am seeing an error. The command does have a domain/user,pass. What is this new username and password it is asking me for?
Federated authentication to this server requires a username and password.
Apparently this issue is caused even when using Java clients. Here is what Visual Studio Online has to say for its questionable behavior.
Alternate authentication credentials
Some applications that work outside the browser (including Team Explorer Everywhere command line client and the git-tf utility) require basic authentication credentials. Other applications do not properly handle using an e-mail address for the user name during authentication.
To work with these applications, you need to enable alternate credentials, set a password, and optionally set a secondary user name not in the form of an e-mail address. Please note that alternate credentials cannot be used to sign in to the service from a web browser or outside of these applications.
Here is another question that I posted and was shot down. Just documenting here for future reference
I am able to login using my Visual Studio Online credentials via the CLC, but when I try to do the same with a Java program, I get an Authentication exception. Is there anything special that needs to be done for Java and/or Visual Studio Online?
Java Code
import java.net.URI;
import java.net.URISyntaxException;
import com.microsoft.tfs.core.TFSConfigurationServer;
import com.microsoft.tfs.core.TFSConnection;
import com.microsoft.tfs.core.httpclient.Credentials;
import com.microsoft.tfs.core.httpclient.UsernamePasswordCredentials;
import org.openide.util.Exceptions;

public class TfsConnect {
    public static final String NATIVE_LIBS_SYSTEM_PROPERTY = "com.microsoft.tfs.jni.native.base-directory";
    // placeholder: directory holding the TFS SDK native libraries (not given in the original)
    private static final String TFS_NATIVE_LIBS_HOME = "/path/to/tfs-sdk/native";

    public void connect() {
        System.setProperty(NATIVE_LIBS_SYSTEM_PROPERTY, TFS_NATIVE_LIBS_HOME);
        Credentials credentials = new UsernamePasswordCredentials("Windows Live ID\\user", "password");
        TFSConnection connection = null;
        try {
            connection = new TFSConfigurationServer(new URI("https://shaggyinjun.visualstudio.com/DefaultCollection"), credentials);
            connection.authenticate();   // throws TFSUnauthorizedException (unchecked) when the Live ID is rejected
        } catch (URISyntaxException ex) {
            Exceptions.printStackTrace(ex);
        }
    }
}
Exception
com.microsoft.tfs.core.ws.runtime.exceptions.UnauthorizedException: Authorization failure connecting to 'https://shaggyinjun.visualstudio.com/DefaultCollection/TeamFoundation/Administration/v3.0/LocationService.asmx' (authenticating as Windows Live ID\user)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:709)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequest(SOAPService.java:473)
at ms.ws._LocationWebServiceSoap12Service.connect(_LocationWebServiceSoap12Service.java:384)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:70)
Caused: com.microsoft.tfs.core.exceptions.TFSUnauthorizedException: Access denied connecting to TFS server https://shaggyinjun.visualstudio.com/ (authenticating as Windows Live ID\venkatram.akkineni#gmail.com)
at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:75)
at com.microsoft.tfs.core.exceptions.mappers.LocationExceptionMapper.map(LocationExceptionMapper.java:32)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:76)
at com.microsoft.tfs.core.clients.framework.location.LocationService.connect(LocationService.java:754)
at com.microsoft.tfs.core.clients.framework.location.LocationService.authenticate(LocationService.java:928)
at com.microsoft.tfs.core.TFSConnection.authenticate(TFSConnection.java:748)
at org.netbeans.modules.libswrapper.Installer.restored(Installer.java:54)
at org.netbeans.core.startup.NbInstaller.loadCode(NbInstaller.java:471)
[catch] at org.netbeans.core.startup.NbInstaller.loadImpl(NbInstaller.java:394)
at org.netbeans.core.startup.NbInstaller.access$000(NbInstaller.java:105)
at org.netbeans.core.startup.NbInstaller$1.run(NbInstaller.java:346)
at org.openide.filesystems.FileUtil$2.run(FileUtil.java:447)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:431)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:451)
at org.netbeans.core.startup.NbInstaller.load(NbInstaller.java:343)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1194)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1017)
at org.netbeans.core.startup.ModuleList.installNew(ModuleList.java:340)
at org.netbeans.core.startup.ModuleList.access$2400(ModuleList.java:118)
at org.netbeans.core.startup.ModuleList$Listener.stepEnable(ModuleList.java:1409)
at org.netbeans.core.startup.ModuleList$Listener.access$1400(ModuleList.java:1007)
at org.netbeans.core.startup.ModuleList$Listener$1.run(ModuleList.java:1231)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.netbeans.core.startup.ModuleList$Listener.run(ModuleList.java:1207)
at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1423)
at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2033)
If you're connecting to visualstudio.com from the cross-platform command line client, you need to set up and use "alternate credentials".
You cannot use a Microsoft Account (Live ID) because - crazy as it sounds - that only works by supplying passwords to that web page and we cannot rely on a web browser's existence on many platforms.

Azure Servicebus relay on Windows Phone

I have a client/server application through Windows Azure relaying.
This works well using a console application for both server and client.
Now I want to use Windows Phone as a client, but for some reason, I cannot call the servicebus.
I can't add a web reference and when targeting the url in a browser I get the following message:
<s:Fault xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><faultcode xmlns:a="http://schemas.microsoft.com/ws/2005/05/addressing/none">a:ActionNotSupported</faultcode><faultstring xml:lang="nl-NL">The message with Action 'GET' cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver. Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None).</faultstring></s:Fault>
I have entered the following code in the server app.config:
// sb:// binding
Uri sbUri = ServiceBusEnvironment.CreateServiceUri("sb", serviceNamespace, "blabla");
var sbBinding = new NetTcpRelayBinding(EndToEndSecurityMode.Transport, RelayClientAuthenticationType.None);
serviceHost.AddServiceEndpoint(typeof(IMyContract), sbBinding, sbUri);

// https:// binding (for Windows Phone etc.)
Uri httpsUri = ServiceBusEnvironment.CreateServiceUri("https", serviceNamespace, "https/" + "blabla");
var httpsBinding = new BasicHttpRelayBinding(EndToEndBasicHttpSecurityMode.Transport, RelayClientAuthenticationType.None);
serviceHost.AddServiceEndpoint(typeof(IMyContract), httpsBinding, httpsUri);
And before opening the host, I'm setting the endpoints to discovery mode public.
What else can or do I need to do to make this work with Windows Phone?
I think you're fairly close. By what I gather you can't add the web reference to your phone project. While that's possible through that path, I wouldn't recommend making the effort to expose the metadata endpoint through the Relay since you will not use it at runtime. Instead, reference the contract in your Windows Phone project and make a ChannelFactory with BasicHttpBinding and the target address for the BasicHttpRelayBinding endpoint on the service side.
You've got everything else set up right by what I can tell, including having ACS turned off on the listener so that you can use the regular BasicHttpBinding on the phone.
EDIT:
Since that probably wasn't completely clear, here's a service:
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
class Program : IEcho
{
    static void Main(string[] args)
    {
        var sh = new ServiceHost(new Program(),
            new Uri("http://clemensv.servicebus.windows.net/echo"));
        sh.Description.Behaviors.Add(
            new ServiceMetadataBehavior {
                HttpGetEnabled = true,
                HttpGetUrl = new Uri("http://localhost:8088/echowsdl")});
        var se = sh.AddServiceEndpoint(typeof(IEcho),
            new BasicHttpRelayBinding(EndToEndBasicHttpSecurityMode.None,
                RelayClientAuthenticationType.None), String.Empty);
        var endpointBehavior = new TransportClientEndpointBehavior(
            TokenProvider.CreateSharedSecretTokenProvider("owner", "...key ..."));
        se.Behaviors.Add(endpointBehavior);
        sh.Open();
        Console.WriteLine("Service is up");
        Console.ReadLine();
        sh.Close();
    }

    public string Echo(string msg)
    {
        return msg;
    }
}
The contract IEcho is trivial and not shown. What you'll notice is that I have a ServiceMetadataBehavior hanging "off on the side" exposed through localhost that will give you WSDL if you hit that URI. You can use that address with the "Add Web Reference" client in Visual Studio to create the proxy on Windows Phone; that proxy will use BasicHttpBinding on the phone. I just did that and it works as expected in a trivial phone app (with the reference renamed to MySvc)
private void button1_Click(object sender, RoutedEventArgs e)
{
    var client = new MySvc.EchoClient();
    client.EchoCompleted += OnClientOnEchoCompleted;
    client.EchoAsync("foo");
}

void OnClientOnEchoCompleted(object sender, EchoCompletedEventArgs c)
{
    this.textBox1.Text = c.Result;
}
Windows Phone doesn’t stand by the sb protocol. So we can’t use NetTcpRelayBinding. We have two options if we want to consume Service Bus in Windows Phone: Use BasicHttpRelayBinding or WebHttpRelayBinding. In either case, we need to disable the default ACS authentication by setting RelayClientAuthenticationType to None: http://msdn.microsoft.com/en-us/library/windowsazure/microsoft.servicebus.relayclientauthenticationtype.aspx. Then on Windows Phone, we can use the built-in BasicHttpBinding to access SOAP services, and use HttpWebRequest to access REST services.
Best Regards,
Ming Xu.

CRL and OCSP behavior of iOS / Security.Framework?

I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates.
I cannot find information about this in the docs for iOS.
In the context of an iPad project I'm working on at the moment, there is reason to demand checking revocation status for some certs. Anyone ideas on how to force CRL / OCSP checking during cert verification using Security.Framework? Or do I need to "fall back" to OpenSSL to accomplish this?
It seems that on Mac OS X 10.6 too, CRL / OCSP checks are optional and have to be turned on manually through Keychain Access.
Martijn
I have an answer to this question by Apple guys, I posted the full answer here:
Details on SSL/TLS certificate revocation mechanisms on iOS
To sum it up, there are several things to keep in mind for OCSP implementation on iOS:
OCSP policy cannot be configured at this moment
it works for the EV certificates only
high-level stuff, such as NSURLConnection or UIWebView use TLS security policy, which uses OCSP
SecTrustEvaluate is a blocking network operation
it works on a "best attempt" basis: if the OCSP server cannot be contacted, the trust evaluation will not fail
I just did this on iOS in GCDAsyncSocket.
For a given SecTrustRef trust, do this:
SecPolicyRef policy = SecPolicyCreateRevocation(kSecRevocationOCSPMethod);
SecTrustSetPolicies(trust, policy);
CFRelease(policy);   // the trust object keeps its own reference
SecTrustResultType trustResultType = kSecTrustResultInvalid;
OSStatus status = SecTrustEvaluate(trust, &trustResultType);
if (status == errSecSuccess && trustResultType == kSecTrustResultProceed)
{
    // good!
}
else
{
    // not good
}
// edit to check the trustResultType
I was able to enable CRL checking for a SecTrustRef object on iOS 10:
SecTrustRef trust = ...; // from TLS challenge
CFArrayRef oldPolicies;
SecTrustCopyPolicies(trust, &oldPolicies);
SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(kSecRevocationCRLMethod);
// keep the existing (SSL) policies and add the revocation policy to them
NSArray *newPolicies = [(__bridge NSArray *)oldPolicies arrayByAddingObject:(__bridge id)revocationPolicy];
CFRelease(oldPolicies);
CFRelease(revocationPolicy);   // newPolicies retains it
SecTrustSetPolicies(trust, (__bridge CFArrayRef)newPolicies);
SecTrustSetNetworkFetchAllowed(trust, true);
// Check the trust object
SecTrustResultType result = kSecTrustResultInvalid;
SecTrustEvaluate(trust, &result);
// cert revoked -> kSecTrustResultRecoverableTrustFailure
Calling SecTrustSetNetworkFetchAllowed was key. Without that call, SecTrustEvaluate returned kSecTrustResultUnspecified instead.
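Two of the threads on this page come down to the same situation: the platform offers no way to install a trust anchor (the J2ME question at the top, where the phone cannot import the self-signed certificate) or no reliable way to force revocation checking (this iOS thread, where OCSP is "best attempt" and CRL fetching has to be switched on by hand), so the application has to perform the check itself. The following is an added example, not code from any of the answers, written in Python rather than J2ME or Security.framework so that it runs stand-alone. It shows the two checks together: accept the peer only if it presents exactly the certificate shipped with the app (compared by SHA-256 fingerprint), then look the certificate's serial up in a CRL and treat a CRL whose nextUpdate has passed as a failure rather than a clean result. The DER helpers, the build_sample_cert/build_sample_crl builders and every certificate and CRL in it are constructed here with placeholder signature bits, so it demonstrates the lookup and decision logic only, not signature verification.

```python
import hashlib
import hmac
from datetime import datetime, timezone

SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, GENTIME = (   # ASN.1 tags used below
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0x18)
RSA_ENC = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # OID 1.2.840.113549.1.1.1
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # OID 1.2.840.113549.1.1.11
CN = b"\x55\x04\x03"                                   # OID 2.5.4.3

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def der_tlv(buf, i=0):
    """Decode the TLV at buf[i]; return (tag, value, index_after)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        n, j = first, i + 2
    else:
        k = first & 0x7F
        n, j = int.from_bytes(buf[i + 2:i + 2 + k], "big"), i + 2 + k
    return tag, buf[j:j + n], j + n

def der_children(body):
    """Split a SEQUENCE/SET body into its (tag, value) members."""
    out, i = [], 0
    while i < len(body):
        tag, value, i = der_tlv(body, i)
        out.append((tag, value))
    return out

def der_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

# --- constructed sample data: no real keys, placeholder signature bits ---
SIG_ALG = der(SEQ, der(OID, SHA256_RSA) + der(NULL, b""))
FAKE_SIG = der(BITSTR, b"\x00" * 17)
def name(cn):
    return der(SEQ, der(SET, der(SEQ, der(OID, CN) + der(UTF8, cn))))

def build_sample_cert(serial, subject):
    """Unsigned X.509 v3 certificate with just enough structure to parse."""
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
    spki = der(SEQ, der(SEQ, der(OID, RSA_ENC) + der(NULL, b"")) + der(BITSTR, b"\x00" * 9))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, serial.to_bytes(4, "big"))
              + SIG_ALG + name(b"Test Root") + validity + name(subject) + spki)
    return der(SEQ, tbs + SIG_ALG + FAKE_SIG)

def build_sample_crl(revoked, this_update, next_update):
    """Unsigned CRL listing the given serials as revoked."""
    entries = b"".join(der(SEQ, der(INT, s.to_bytes(4, "big")) + der(UTCTIME, this_update))
                       for s in revoked)
    tbs = der(SEQ, der(INT, b"\x01") + SIG_ALG + name(b"Test Root")
              + der(UTCTIME, this_update) + der(UTCTIME, next_update) + der(SEQ, entries))
    return der(SEQ, tbs + SIG_ALG + FAKE_SIG)

# --- the checks the application has to perform itself ---
def cert_serial(cert_der):
    """Serial number of a DER certificate (skips the optional [0] version)."""
    fields = der_children(der_tlv(der_tlv(cert_der)[1])[1])   # tbsCertificate members
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return int.from_bytes(fields[0][1], "big", signed=True)

def crl_status(crl_der, serial, now):
    """'revoked', 'good', or 'stale' once nextUpdate has passed (never trust a stale answer)."""
    fields = der_children(der_tlv(der_tlv(crl_der)[1])[1])    # tbsCertList members
    if fields[0][0] == INT:                 # optional version
        fields = fields[1:]
    rest = fields[3:]                       # after signature, issuer, thisUpdate
    if rest and rest[0][0] in (UTCTIME, GENTIME):
        if now > der_time(*rest[0]):
            return "stale"
        rest = rest[1:]
    revoked = set()
    if rest and rest[0][0] == SEQ:          # revokedCertificates SEQUENCE OF entry
        for _, entry in der_children(rest[0][1]):
            revoked.add(int.from_bytes(der_children(entry)[0][1], "big", signed=True))
    return "revoked" if serial in revoked else "good"

def matches_bundled(peer_cert_der, bundled_cert_der):
    # Trust-anchor check: the peer must present exactly the certificate shipped with the app
    return hmac.compare_digest(hashlib.sha256(peer_cert_der).digest(),
                               hashlib.sha256(bundled_cert_der).digest())

def check_peer(peer_cert_der, bundled_cert_der, crl_der, now):
    """Full decision: anything but a fresh 'good' CRL answer rejects the connection."""
    if not matches_bundled(peer_cert_der, bundled_cert_der):
        return "reject: not the bundled certificate"
    status = crl_status(crl_der, cert_serial(peer_cert_der), now)
    return "accept" if status == "good" else "reject: " + status

# constructed inputs: the bundled server cert, an impostor with the same name, a fresh and a stale CRL
SERVER = build_sample_cert(0x1001, b"192.168.1.40")
OTHER = build_sample_cert(0x1002, b"192.168.1.40")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CRL_FRESH = build_sample_crl([0x1002], b"240501000000Z", b"240701000000Z")
CRL_STALE = build_sample_crl([], b"240101000000Z", b"240201000000Z")
```

check_peer(SERVER, SERVER, CRL_FRESH, NOW) returns "accept"; the impostor certificate with the same subject name is rejected because its fingerprint differs, and the stale CRL is rejected even though it lists nothing, which is the opposite of the "best attempt" behaviour the answers above describe for the platform checker.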

FileConnection permission messages in j2me midp 2.0?

I am using MIDP 2.0. Here, I am using FileConnection to read and write files on mobile memory. I am able to read and write files on mobiles successfully. But while I am trying to write file data on the mobile, it asks a message like the one below.
Application wants to read from the local file system
is it OK to read your files?
If I press yes, then it again shows
Application wants to write to the local file system
is it OK to update your files?
These messages keep showing, approximately 10 times.
Is there any way to prevent this from repeating more than once?
I have included my fileWrite method for your reference also:
import java.io.DataOutputStream;
import java.io.IOException;
import javax.microedition.io.Connector;
import javax.microedition.io.file.FileConnection;

public String fileWrite(String root)
{
    FileConnection fc = null;
    String fName = "test.txt";
    DataOutputStream dos = null;
    try
    {
        fc = (FileConnection) Connector.open(root + fName, Connector.READ_WRITE);
        if (!fc.exists())
        {
            fc.create();
        }
        else
        {
            System.out.println("File Exists part");
            fc.delete();
            fc.create();
        }
        dos = fc.openDataOutputStream();
        dos.write("f".getBytes());
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }
    finally
    {
        // close the stream before the connection, and guard against nulls if open() failed
        try { if (dos != null) dos.close(); } catch (IOException e) { }
        try { if (fc != null) fc.close(); } catch (IOException e) { }
    }
    return "Saved in " + root + fName;
} // fileWrite ends here
This is not a coding-related issue. Basically this type of confirmation alert is asked for security purposes, because you are using JSR-75.
For this purpose, you need to sign your application with at least a 3rd party signature like one from Verisign or Thawte and then go to the application settings - permissions - and set the permission for "Access User Data" to "Ask only Once" or "Allow Always" (these settings might not be available for your unsigned app on the device).
If you are facing this issue on the emulator, go to preferences and the MIDP tab, set the application domain to Trusted and set the permission to "Allow Always". For more info, see here...
Signing sites are:
Thawte
Verisign
Java Verified
If you go for a 3rd party trusted certificate, its minimum cost is Rs. 10000 per year. For deploying your application to the client (final stage), it will be worth it.
But for the testing, input validation and development stages the cost is high. So check whether your mobile supports self-signed certificates. If it does, then proceed with a self-signed certificate.
But keep in mind a self-signed certificate is only for testing / development purposes. For delivering the project to the client you should go for trusted party certificates.
