Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Web Services / September 2006

Tip: Looking for answers? Try searching our database.

Problem with my x509 makecert certificates for WSE 3.0

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Chris Hoare - 08 Sep 2006 11:33 GMT
Hello All.

Problem with my x509 makecert certificates for WSE 3.0

I am having problems getting the WSE certificates to work on a simple test
system before I apply this to an existing product. I have installed
walk-through certificates and these appear to work without a problem. I have
made several attempts to create my own certificates and setup WSE but always
come to the same problem.

What am I doing wrong?

Server Logs report the following error:
    Exception thrown: WSE600: Unable to unwrap a symmetric key using the
private key of an X.509 certificate. Please check if the account
'RNDNOTEPM\ASPNET' has permissions to read the private key of certificate
with subject name 'CN=DevServer2' and thumbprint
'5644C8F29B69C5DD07DE2F5B0C65E88E3604CE2D'.

Client Logs report the following error:
Exception thrown: WSE2005: Protection requirements in
MutualCertificate11Assertion are not satisfied.

The certificates have been created with makecert:
           makecert -sk DevServer -pe -ss my -sr LocalMachine -n
CN=DevServer"

makecert -sk DevClient -pe -ss my -sr LocalMachine -n CN=DevClient"

The WSE tool was used to allow aspnet access to the private keys and the
permissions have been checked in windows explorer.

The Service Policy file is:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
 <extensions>
   <extension name="mutualCertificate10Security"
type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
   <extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
   <extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
   <extension name="authorization"
type="Microsoft.Web.Services3.Design.AuthorizationAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
 </extensions>
 <policy name="x509">
   <authorization>
     <allow user="CN=DevClient" />
     <deny user="*" />
   </authorization>
   <mutualCertificate11Security establishSecurityContext="true"
renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireDerivedKeys="true" ttlInSeconds="300">
     <serviceToken>
       <x509 storeLocation="LocalMachine" storeName="AddressBook"
findValue="CN=DevServer" findType="FindBySubjectDistinguishedName" />
     </serviceToken>
     <protection>
       <request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
       <response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
       <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
     </protection>
   </mutualCertificate11Security>
   <requireActionHeader />
 </policy>
</policies>

And the client policy file is:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
 <extensions>
   <extension name="mutualCertificate10Security"
type="Microsoft.Web.Services3.Design.MutualCertificate10Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
   <extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
   <extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
 </extensions>
 <policy name="x509">
   <mutualCertificate11Security establishSecurityContext="true"
renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
     <clientToken>
       <x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=DevClient" findType="FindBySubjectDistinguishedName" />
     </clientToken>
     <serviceToken>
       <x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=DevServer" findType="FindBySubjectDistinguishedName" />
     </serviceToken>
     <protection>
       <request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
       <response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
       <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
     </protection>
   </mutualCertificate11Security>
   <requireActionHeader />
 </policy>
</policies>
Reply to this Message
Steven Cheng[MSFT] - 11 Sep 2006 04:37 GMT
Hi Chris,

From your description, you're using the <mutualCertificate10Security>
policy assertion to do mutual x509 certification authentication, however,
you found the service call works when using the WSE built-in test
certificates , but failed when using your custom test certifricates,
correct?

Based on the configuration fragment and the certificate creation command yo
pasted, here are something I think you can have a further check and test:

1. in the <extension> setting section, you use  <extension
name="mutualCertificate10Security" , however, in the below policy assertion
section, you use<mutualCertificate11Security ...>,  I would suggest you
make them consistent.  Generally, if you do not want to make use of those
new WS sedurity 1.1 features, you can just uncheck the "Enable WS-Security
1.1 extensions" option if you're using the VS 2005 WSE 3.0 configuration
wizard to configure the policy file.

2. Currently you're using the following command to create the test
certificates:

==========================
makecert -sk DevServer -pe -ss my -sr LocalMachine -n CN=DevServer"

makecert -sk DevClient -pe -ss my -sr LocalMachine -n CN=DevClient"
==========================

I've checked the WSE 3.0's test certificate creation script, there are some
difference between that command and yours:

** you need to specify the signature algorithm as "sha1" through -a option
since WSE setting use Sha1Thumbprint by default
** mark the certificate's type as exchange

Here is the modified command to create the certificates(I've tested them on
my local machine without any problem).

===================
makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=DevServer  -sky exchange
-pe

makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=DevClient  -sky exchange
-pe
===================

#Certificate Creation Tool (Makecert.exe)  
http://msdn2.microsoft.com/en-us/library/bfsktky3.aspx

The above things can makesure the test certificates are created correctly.  
And you still need to make sure your service or application's security
account has sufficient to access the certificate's private key. The
WinHttpCertCfg.exe" tool can help grant access permission for certificates,
you can find it in the WSE 3.0 SDK's installation folder.

Please have a look at the above things to see whether they help for you.  
I've also a local test solution which use the above mentioned settings and
certificates and work well. If you feel necessary, I can send it to you
also.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.