[![enter image description here][1]][1]Currently I'm reading a client certificate from the external client and then validating in apim using policies which is done using
<policies>
<inbound>
Now when the request is valid and must attach the servercertificate along with the request and then send it back to the client.
How must this be done? can you please help.
Since you're putting certificate into a header you could simply bin64 encode it. You should be able to do it either by accessing RawData property or calling Export on it.
Related
I'm fairly new to HTTPS/SSL/TLS and I'm a bit confused over what exactly the clients are supposed to present when authenticating with certificates.
I have performed following process and it works well in SOAP UI
I have generated .jks file using java keystore command. Using this .jks file
I have generated a .crt file.
I have shared .crt file generated above with the server team for whitelisting it.
I have a JSON request that I need to pass to the server and get JSON response back.
Set Authorization to basic and pass it in the header of every request.
Set ClientID and ClientSecretKey in the header for every request.
All the above process works well in SOAP UI.
Following is the json request I am passing
{
"requestMsg":"B6FFF4C33AFBAA30D51DE049CB3CA4357E32C632DFBC7D7CA0461920F765980A6632943AD811B7E20205696C6A26105E24F7A2FC85979CDE1352BD35DEA620C594CC8A4B58FF408FD8967F69D6F970C186028ED5BD6A089B9F13924D2F9B44811027DA9039EA7136D4EA57D73584A0FFE2BCB990A25AE701EFF5042F3C709992C0C57BCEE0B8B651918ACE684BCE645D6A4A222A90EAA06A3A8D175A5A0E58EBACB8E1BBCBE98814D03B416FBC241C01E3CCA530E7ED1033AA639BA81A7B458562FFAF1B1D80DE098466DD0BBF95E50550501614BC9706C3943705BDF37108376CCD6FD46A00CECC1D4166A0CFCA02B7",
"agentInstitutionId":"YS01"
}
8) When I am trying to do same using my .net web application, the below are the issues which I am facing
How to Pass .crt certificate along with HTTP web request.
Settings for configuring it in IIS.
Is there any URL or steps that need to be done for attaching .crt file with
each request. ( please give pointwise steps)
I need to use a messagewebsocket, but the documentation says the SetRequestHeader method doesn't support sec-websocket-extensions. The data I need to receive is sent in-whole as a single inbound websocket packet.
The initial http header requires sec-websocket-key and -version values.
How do I get around this?
The initial http header requires sec-websocket-key and -version values.
For connecting to server by WebSocket, the client must send an opening handshake to the server firstly. The Sec-WebSocket-Key header field is used in the WebSocket opening handshake and it is must be included. Without this field, the MessageWebSocket will not connect server successfully. So actually the MessageWebSocket APIs have already setting this field to the header. You don't need to set the request header. You can use Fiddler to grab the get request send by MessageWebSocket, and you will see Set-WebSocket-Key and Set-WebSocket-Version in the header.
As the Sec-WebSocket-Key value of this header field MUST be a nonce consisting of a randomly selected 16-byte and the nonce MUST be selected randomly for each connection, also this header field MUST NOT appear more than once in an HTTP request, so we cannot set this again. But you can set an additionally Set-WebSocket-Version by code as follows although I don't think you need doing this.
messageWebSocket.SetRequestHeader("Sec-WebSocket-Verson", "666");
Details about the WebSocket Protocol please reference RFC6455. And more details about how to use WebSocket in UWP app please reference the official sample. This sample has both server and client side for testing.
This is my first time developing this kind of system, so many of these concepts are very new to me. Any and all help would be appreciated. I'll try to sum up what I'm doing as efficiently as possible.
Background: I have a web application running AngularJS with Bootstrap. The app communicates with the server and DB through a web service programmed using C#. On the site, users can upload files and reference them later using direct links. There's no restriction to file type (yet), so just about anything is allowed.
My Goal: Having direct links creates a big security problem for me, since the documents/images are supposed to be private data. What I would prefer to do is validate a user's credentials when the link is clicked, then load the file in the browser using a more generic url path.
--Example--
"mysite.com/attachments/1" ---> (Image)
--instead of--
"mysite.com/data/files/importantImg.jpg"
Where I'm At: Not very far. My first thought was to add a page that sends the server request and receives a file byte stream along with mime type that I can reassemble and present to the user. However, I have no idea if this is possible using a web service that sends JSON requests, nor do I have a clue about how the reassembling process would work client-side.
Like I said, I'll take any and all advice. I'd love to learn more about this subject for future projects as well, but for now I just need to be pointed in the right direction.
Your first thought is correct, for it, you need to use the Response object, and more specifically the AddHeader and Write functions. Of course this will be a different page that will only handle file downloads, so it will be perfectly fine in your JSON web service.
I don't think you want to do this with a web service. Just use a regular IHttpHandler to perform the validation and return the data. So you would have the URL "attachments/1" get rewritten to "attachments/download.ashx?id=1". When you've verified access, write the data to the response stream. You can use the Content Disposition header to set the file name.
How do you use the Twilio sandbox mode with C#? I have a ashx.cs file that I am using to write my code. Would I put it there? If so, what does that look like?
There is no real great examples on their website on how to do this except for CURL and Ruby.
We are using TwiML to general an XML file tha t parses our data to send back and forth to the Twilio service. We don't want to be charged every time we send a test text message.
How would we set the Sandbox up so we could do some testing.
I found the Test auth Token and account Sid, but how do I use those?
We don't have them in our current application and we are specifying our .ashx page in Twilio to process our code.
Thanks in advance.
Twilio evangelist here.
So if you just want to test that your ASHX handler is generating the right results the easiest way to do this is to just fake a POST or a GET request to that handler. This lets you simulate the GET or POST request that Twilio will make to your app when it gets a text message.
You can see the parameters that Twilio will pass to your app when it receives a text message here:
http://www.twilio.com/docs/api/twiml/sms/twilio_request#synchronous
There are a whole bunch of ways to simulate these requests. cURL is one of them. If your ASHX is expecting query string values, you can also just load the ASHX directly in the browser and append those values in the URL. If the handler is expecting a POST request, I used a chrome plugin called Simple REST Client to make these.
Of course you can also Fiddler to make just about any HTTP request.
The Test Credentials really are more for simulating the use of the REST API (programatically sending SMS messages). I just wrote a blog post that shows how to use the test credentials to create integration tests:
http://www.twilio.com/blog/2013/05/automating-twilio-integration-tests-with-test-credentials.html
Hope that helps.
Devin
So I'm using the PayPal API. They require bigger companies to send an X509Certificate along with each SOAP API request. I've never heard of using a cert, it's always been just send the API signature along with an API request.
So I first created a class called Cerficate that implements the .NET ICerfiticatePolicy. One of the member methods, really the only one you have to implement is:
System.Net.ICertificatePolicy.CheckValidationResult(System.Net.ServicePoint, System.Security.Cryptography.X509Certificates.X509Certificate, System.Net.WebRequest, int)
So far I'm having trouble really understanding what to pass to this method. I guess the method simply validates that the Cerfiticate is valid. So I'm not sure what ServicePoint is and what to pass into it. I assumed it was my web service reference and a proxy class within such as the PayPalAPIAAInterfaceClient
I also see a very old example using ServicePointManager.S for something but I don't understand it, even after looking at MSDN. So I guess you are to use ServicePointManager.ServerCertificateValidationCallback and I suppose set the callback to the CheckValidationResult? If so, when do you do this? It's just very confusing to me.
Also, So I guess I create an instance of my Certificate class and set the certificate properties by reading the P12 certificate from my disk and then pass in that to this method to check if it's valid? I guess that's right.
I'm still trying to figure out this whole thing and I'm really stuck on the ServicePoint as well as WebRequest because really I'm using a proxy class in PayPal which does the under the hood sending of the request. So I don't see how I can even pass in type WebRequest because I'm using a proxy method for that anyway. So what would I even pass for the WebRequest param? I'm using a SOAP API WSDL, not NVP here so I'm not for example creating an HttpWebRequest variable like you do with REST services in order to send the API request over Http.
so far here's what I've tried:
PayPalAPIAAInterfaceClient client = new PayPalAPIAAInterfaceClient();
Certificate x509Certificate = new Certificate();
ServicePointManager.ServerCertificateValidationCallback = x509Certificate.CheckValidationResult();
client.ClientCredentials.ClientCertificate.Certificate = x509Certificate;
the problem is, what do I pass in for the ServicePiont and the rest of the params for CheckValidationResult?? I don't even know if I'm calling this right.
It's certainly not unheard of and in fact fairly common to secure SOAP services with X.509 certificates using the WS-Security spec - in fact, we do this for all of our internal and external web services. All web service frameworks including WCF are specifically designed to make this as easy as possible.
You should never have to use the ServicePointManager or ICertificatePolicy with a SOAP service using WS-Security. Unless there's something truly bizarre about PayPal's API, I think you're on the wrong track with that. All you have to do in WCF is this:
var client = new PayPalAPIInterfaceClient();
X509Certificate2 certificate = (...);
client.ClientCredentials.ClientCertificate.Certificate = certificate;
client.AddressVerify(...); // or whatever method you want to call
You don't even really need to write this code; if you have the certificate installed in the server's certificate store then you just edit the binding and behavior elements of the app.config - or use the WCF Service Configuration Editor, which is a lot easier.
Of course, in order to do this you have to have an X.509 certificate, and PayPal has to know about it. You can't just write new X509Certificate2(). You need to have a .pfx or .p12 file somewhere or, as mentioned above, have the certificate physically installed (this is the easiest way and the most secure because you're not hard-coding a password). And you need to upload the public key to PayPal.
You might be able to use OpenSSL to create a cert. PayPal's EWP page suggests that they'll accept these and gives instructions on how to create them, although it's not entirely clear whether or not the same process can be used for their SOAP API. It could be that they require a "real" certificate from Verisign, Thawte, etc. - I would try OpenSSL first and see, or just ask them.
There's a pretty comprehensive guide to the whole process here - you'll probably want to skip the sections on generating the certificate unless you have a Microsoft CA somewhere. Again, for that part, you'll probably want to try using the OpenSSL utility instead and follow PayPal's instructions, then install the cert on your server and skip to step 7 of that guide.