I am required to create a two-way mutual handshake between a desktop client and a WCF service. I am using a Let's Encrypt server certificate on my server but am open to using a self-signed certificate as well.
I wish to generate a client certificate and install it on the client's machine after successful authentication via OTP. The idea is to authenticate/authorize the desktop app for further communication with the server.
After some research I found that OpenSSL.Net enables creating certificates.
I am using the IBM MQ WebSphere client v7.5 installed on an application server.
To securely connect to the MQ queue manager I have to pass a certificate whose name should be ibmwebspheremq + "userid". I put my code on the APP SERVER to test the MQ connectivity. If I specify the domain user id it works fine for me but not for other domain users. So what certificate name should be used so that it works for all domain users?
Certificate label: ibmwebspheremq.kdb, located on the local path
Certificate name: using strmqikm.exe, open the above certificate and check the name
As of now this CN is "ibmwebspheremq" + 111111 (domain userid) and it works fine for the domain user 111111, but for domain user 222222 it is throwing SSL errors.
P.S. Security must be maintained.
Update from OP comments on 11 Sept 2015
I am using a .NET application and wrote the code with the help of the IBM.WMQ interface provided with the amqmdnet DLL. I have KDB certificates and I have just provided the local certificate's path in the configuration. I am able to access the MQ server for the particular user on the APP SERVER (where the MQ client resides), but if I want to access it for all users then how? Because in my case the certificate label name (using strmqikm.exe) should be like ibmwebspheremq + userid. For individual users I am able to access the certificate by logging in individually to the app server, but not for all users at a time. There is only one certificate and, as mentioned earlier, it is a non-Java application.
The MQ client either uses IBM's C code or it uses Java and the JRE's JSSE provider. Each of these has different behaviors and requirements.
The Java EE app server will use the JSSE provider and its rules for selecting a personal cert from the JKS. That may or may not include searching for a particular label. Anything using IBM's compiled C code API will require a specific label for the personal certificate in the KDB. Furthermore, the behavior has changed from version to version, as explained in IBM's Technote "Specifying the userid in the SSL certificate label for an MQ client".
As explained in the Technote, the Java client uses standard Java methods for finding the personal certificate and is not dependent on the label at all. That requirement is only for the non-Java client. The App server uses a JKS and the non-Java clients use a KDB. Since you did not mention converting certificates between JKS and KDB, I will assume that your testers are not using the C client or a KDB.
Presumably then, your testers are using the same JKS as the app server. If they have the right path and the password to access it, and if it has a personal cert, they will be able to find and present the personal cert. If it has more than one personal cert, MQ has no control over how it selects which one it will present. That's a Java thing. If this is the problem the answer is simple - either use one personal cert and one keystore, or else each tester has their own JKS, each with its own personal cert.
Security must be maintained
In that case, the latter approach is preferred. Each tester should have their own JKS and their own personal cert.
The other possibility is that you have a variety of certs, each of which is being found by the client and properly presented to the server, but that there's a cert exchange problem. If each developer has their own cert and those are all self-signed, the public portion must be in the QMgr's KDB to be accepted.
If you want a more precise answer, you will need to provide a lot more detail such as what code, keystore, and certificate the testers are using to test with, whether these are self-signed certs, whether the testers are using the same app channel and testing from the same node, whether you are using SSLCAUTH, etc. I would also recommend using the debugging procedure I outlined in this answer.
The MQ v7.5 C# client internally calls the MQ C client to establish secure connections to the queue manager. The logged-in user id is used to build the ibmwebspheremq<userid> certificate label and pick the correct client certificate from a KDB. Hence for @Dirty Developer, the application gets connected when a user logs in for whom a certificate with a label suffixed with his/her userid exists in the KDB.
From MQ v8, there is no need to have a certificate label always suffixed with userid. MQ v8 provides a CertificateLabel property using which applications can specify any certificate label. MQ client will use the certificate label to locate a personal certificate that is sent during the SSL handshake. In MQ v8 .NET client, this property is named MQEnvironment.CertificateLabel. Here is more on Certificate Label in MQ v8.
After all this time I have spent in research, finally I have an answer!
1) It is not possible to change the certificate name for every user who wants to use MQ on the server every time.
2) We have to find a certificate name such that it will work for all users (this is my question :) ) and a methodology to incorporate these changes.
Actual procedure:
3) I have developed code to connect to MQ in a WCF service and hosted the service on IIS.
4) For the IIS user on the server I had a SERVICE ACCOUNT which I bound with the certificate label, i.e. ibmwebspheremq +
5) All the clients who want to connect have to call the service that I've deployed on the IIS server, and voila! It worked.
6) You must have that service account bound with your role/domain user id.
7) Note: on the server you must provide access to the IBM folder for the service account.
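An added example (not the OP's, the answerers' or IBM's code) tying the two preceding answers together. On the v7.5 .NET client the label is fixed to ibmwebspheremq plus the lower-cased logon user id, which is why the OP ended up running the WCF service under a single service account; from MQ v8 the label is chosen explicitly through MQEnvironment.CertificateLabel. Host, port, channel, KDB path, cipher spec, queue manager name and label are placeholders.

```csharp
using System;
using IBM.WMQ;   // amqmdnet.dll from the IBM MQ client install

// Added example, not code from the original posts. All connection values are
// placeholders (assumptions) to be replaced with the real channel definition.
public static class MqTlsClient
{
    // v7.5 behaviour: the C client underneath amqmdnet looks for the personal
    // certificate labelled "ibmwebspheremq" + logon user id in lower case. This is
    // the label the OP bound to the IIS application pool's service account.
    public static string DefaultLabelFor(string logonUserId)
    {
        return "ibmwebspheremq" + logonUserId.ToLowerInvariant();
    }

    // MQ v8+: choose the personal certificate by label so every user of the
    // process presents the same certificate regardless of who is logged on.
    public static MQQueueManager Connect(string queueManager, string certificateLabel)
    {
        MQEnvironment.Hostname = "mqhost.example.com";            // assumption
        MQEnvironment.Port = 1414;                                // assumption
        MQEnvironment.Channel = "APP.SVRCONN";                    // assumption
        // Key repository path is given without the .kdb extension.
        MQEnvironment.SSLKeyRepository = @"C:\mqclient\ssl\key";  // assumption
        // Must match the SSLCIPH attribute of the SVRCONN channel.
        MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA256";
        MQEnvironment.CertificateLabel = certificateLabel;        // MQ v8 and later only
        return new MQQueueManager(queueManager);
    }

    public static void Main()
    {
        // On v7.5 this is the only label that will work for the current process.
        Console.WriteLine("v7.5 would look for: " + DefaultLabelFor(Environment.UserName));

        MQQueueManager qm = null;
        try
        {
            qm = Connect("QM1", "appservicecert");   // assumptions
            Console.WriteLine("Connected to " + qm.Name);
        }
        catch (MQException ex)
        {
            // 2393 MQRC_SSL_INITIALIZATION_ERROR usually means the label was not
            // found in the KDB or the cipher spec does not match the channel.
            Console.WriteLine("MQ reason code " + ex.ReasonCode + ": " + ex.Message);
        }
        finally
        {
            if (qm != null && qm.IsConnected) qm.Disconnect();
        }
    }
}
```

With one shared label every caller shows the queue manager the same identity, so per-user authorization has to happen in the WCF service (the OP's point 6), and the channel should be pinned to that one certificate on the queue manager side (SSLPEER or a CHLAUTH rule) so that a copy of the KDB is not enough to connect from elsewhere.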
From my .NET client code, is there a way to obtain details about the SSL certificate being used by a WCF service? Assume I can already connect successfully over SSL to the service.
I am hoping to report the expiration date of the server certificate on a dashboard. If the certificate has been updated/renewed since the last time the client communicated with the service, I'm trying to detect that as well.
Let's also assume the server cert is a real public cert from GoDaddy etc., i.e. the cert would not have been explicitly imported into the client store already.
Any thoughts? I was thinking I might find somewhere in System.ServiceModel.ClientBase that I could find this after opening a connection but haven't found anything yet.
Thanks!
Easiest way would probably be to just implement a certificate validation callback on the client so that you can have a chance to look at the SSL certificate provided by the server before it is trusted by the client:
http://msdn.microsoft.com/en-us/library/aa702579(v=vs.110).aspx
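One way to implement the callback the answer suggests, as an added example that is not code from the original answer. It uses ServicePointManager.ServerCertificateValidationCallback, which WCF's HTTPS transport on .NET Framework honours because it sits on HttpWebRequest; the callback records the certificate's thumbprint and expiry and keeps the framework's validation verdict unchanged. The property and method names are the example's own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original answer. Observes the service's
// certificate on every new TLS handshake without weakening validation.
public static class ServerCertMonitor
{
    private static readonly object Gate = new object();
    private static string _previousThumbprint;   // from the handshake before this one

    public static string Thumbprint { get; private set; }
    public static DateTime? NotAfterUtc { get; private set; }
    public static bool RenewedSinceLastHandshake { get; private set; }

    // Install once at startup, before the first proxy is opened. Assigning
    // (not +=) keeps a single validator so the bool return value is unambiguous.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Inspect;
    }

    public static bool Inspect(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate != null)
        {
            var cert = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
            lock (Gate)
            {
                RenewedSinceLastHandshake = _previousThumbprint != null &&
                    !string.Equals(_previousThumbprint, cert.Thumbprint,
                                   StringComparison.OrdinalIgnoreCase);
                _previousThumbprint = Thumbprint = cert.Thumbprint;
                NotAfterUtc = cert.NotAfter.ToUniversalTime();
            }
        }
        // Observe only. Returning true unconditionally here would disable server
        // authentication entirely; keep the framework's verdict.
        return sslPolicyErrors == SslPolicyErrors.None;
    }

    // Value for the dashboard: days until the last-seen certificate expires.
    public static double? DaysUntilExpiry()
    {
        lock (Gate)
        {
            return NotAfterUtc.HasValue
                ? (NotAfterUtc.Value - DateTime.UtcNow).TotalDays
                : (double?)null;
        }
    }
}
```

The callback fires per TLS handshake, not per request, so with keep-alive and connection pooling a renewed certificate is only noticed when a new connection is opened. To detect a renewal "since the last time the client communicated" across process restarts, persist the thumbprint (to a file or registry value) and compare it on the next run rather than relying on the in-memory field alone.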
I need to provide mutual authentication using the TLS protocol in my server-client communication. Currently, under development, client and server run on the same machine. My colleague created one certificate (.pfx file) for me. As it is two-way authentication, server and client have to authenticate each other.
The thread "Mutual authentication in SSL/TLS" discussed in which certificate store a certificate should be located on the server side or client side. Now I am confused: as I only have one certificate, I don't know whether it is a client certificate or a server certificate. Can I use one certificate for both, and if so, where should I place this certificate for both server and client?
Thank you for your help!
You can use the certificate both ways; however, what's the problem with generating a standalone certificate (even self-signed) for client authentication?
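An added example (not code from the original thread) showing the single-certificate setup the question describes: one PFX loaded from a file is used as the server certificate on one side and as the client certificate on the other side of a loopback SslStream pair, and an EKU check tells you up front whether the certificate is allowed to play both roles. The PFX path and password are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

// Added example, not code from the original thread. One PFX (path and password
// are assumptions) serves as server certificate on one side and as client
// certificate on the other, over a loopback SslStream pair.
public static class OneCertBothWays
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // A certificate may act in a role if its Extended Key Usage lists that
    // purpose, or if it has no EKU extension at all (then it is unrestricted).
    public static bool AllowsRole(X509Certificate2 cert, string purposeOid)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid o in eku.EnhancedKeyUsages)
                if (o.Value == purposeOid) return true;
            return false;
        }
        return true;
    }

    // Both peers pin the one certificate by thumbprint. A self-signed cert has no
    // trusted chain and "localhost" may not match its subject, so the default
    // checks would fail; the pin is what establishes identity in this setup.
    static RemoteCertificateValidationCallback PinTo(X509Certificate2 expected)
    {
        return (sender, presented, chain, errors) =>
            presented != null &&
            string.Equals(expected.Thumbprint, new X509Certificate2(presented).Thumbprint,
                          StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        var cert = new X509Certificate2(@"C:\dev\devcert.pfx", "password"); // assumption
        Console.WriteLine("usable as server: " + AllowsRole(cert, ServerAuthOid));
        Console.WriteLine("usable as client: " + AllowsRole(cert, ClientAuthOid));

        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        Task server = Task.Run(() =>
        {
            using (TcpClient tcp = listener.AcceptTcpClient())
            using (var ssl = new SslStream(tcp.GetStream(), false, PinTo(cert)))
            {
                // clientCertificateRequired = true is what makes this mutual TLS.
                ssl.AuthenticateAsServer(cert, true, SslProtocols.Tls12, false);
                var buf = new byte[256];
                int n = ssl.Read(buf, 0, buf.Length);
                string peer = ssl.RemoteCertificate == null ? "none"
                            : new X509Certificate2(ssl.RemoteCertificate).Subject;
                ssl.Write(Encoding.UTF8.GetBytes(
                    "server got " + n + " bytes; client cert: " + peer));
            }
        });

        using (var tcp = new TcpClient("127.0.0.1", port))
        // The selection callback hands over our cert regardless of the issuer
        // list the server sends; without it the client may skip a cert whose
        // issuer is not in that list and the handshake fails for lack of a cert.
        using (var ssl = new SslStream(tcp.GetStream(), false, PinTo(cert),
                   (s, host, local, remote, issuers) => cert))
        {
            ssl.AuthenticateAsClient("localhost", new X509Certificate2Collection(cert),
                                     SslProtocols.Tls12, false);
            Console.WriteLine("mutually authenticated: " + ssl.IsMutuallyAuthenticated);
            ssl.Write(Encoding.UTF8.GetBytes("hello"));
            var buf = new byte[256];
            int n = ssl.Read(buf, 0, buf.Length);
            Console.WriteLine(Encoding.UTF8.GetString(buf, 0, n));
        }
        server.Wait();
        listener.Stop();
    }
}
```

Loading the PFX from a file means neither side needs the certificate in a Windows certificate store at all, which answers the "where should I place it" part for a development setup. Once the two processes are separated and get their own certificates, replace the thumbprint pin with normal chain validation against the CA that issued them.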
In the same way as IE handles the client certificate authentication procedure, I would like to do the same from an installed .NET client app that connects to our web server, which has been set up to require client certificates.
I know how to open the Select Certificate UI allowing the user to select a client certificate from a list of those that are installed, and then add the certificate to the outgoing HttpWebRequest.
What I can't figure out is:
How to determine when a client certificate is required by the server. It's not in the HttpResponse. The status code is 403 but I can't read the substatus.
How to then filter the client certificates in the UI to list only those that are valid based on the server certificate (issued by?).
Thanks in advance.
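An added example (not from the original question) for the second point, filtering the store to certificates the server could actually accept before showing the picker, and attaching the chosen one to the HttpWebRequest. The acceptable-issuer list the server sends in its TLS CertificateRequest is not exposed by HttpWebRequest, so the issuer DN is hard-coded here as an assumption, as is the service URL; X509Certificate2UI requires a reference to System.Security.dll.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original question. The issuer DN and the
// service URL are assumptions; the app has to know which CA the web server
// accepts, since HttpWebRequest does not expose the issuer list the server sends.
public static class ClientCertPicker
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Narrow the user's store to certificates the server could accept: issued by
    // the expected CA, currently valid, marked for client authentication, and
    // with a private key we can actually sign the handshake with.
    public static X509Certificate2Collection FindCandidates(string issuerDn)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates
                .Find(X509FindType.FindByIssuerDistinguishedName, issuerDn, true)
                .Find(X509FindType.FindByApplicationPolicy, ClientAuthOid, true);
            var usable = new X509Certificate2Collection();
            foreach (X509Certificate2 c in found)
                if (c.HasPrivateKey) usable.Add(c);
            return usable;
        }
        finally
        {
            store.Close();
        }
    }

    // Show the picker only when there is a real choice to make.
    public static X509Certificate2 Choose(X509Certificate2Collection candidates)
    {
        if (candidates.Count == 0) return null;
        if (candidates.Count == 1) return candidates[0];
        X509Certificate2Collection picked = X509Certificate2UI.SelectFromCollection(
            candidates, "Select Certificate",
            "Choose the certificate to present to the server.",
            X509SelectionFlag.SingleSelection);
        return picked.Count == 1 ? picked[0] : null;
    }

    public static HttpStatusCode Call(Uri url, X509Certificate2 clientCert)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        if (clientCert != null) request.ClientCertificates.Add(clientCert);
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                return response.StatusCode;
        }
        catch (WebException ex)
        {
            var response = ex.Response as HttpWebResponse;
            if (response == null) throw;
            // IIS answers 403 (server-side sub-status 403.7) when it wanted a
            // client certificate; the sub-status is not sent to the client, so a
            // 403 on a request made without a certificate is the cue to retry with one.
            return response.StatusCode;
        }
    }

    public static void Main()
    {
        var url = new Uri("https://service.example.com/api/");             // assumption
        const string issuer = "CN=Example Corp Issuing CA, O=Example Corp";  // assumption

        HttpStatusCode first = Call(url, null);
        if (first == HttpStatusCode.Forbidden)
        {
            X509Certificate2 cert = Choose(FindCandidates(issuer));
            Console.WriteLine(cert == null
                ? "no suitable certificate installed"
                : "retry with certificate: " + Call(url, cert));
        }
        else
        {
            Console.WriteLine("no client certificate needed: " + first);
        }
    }
}
```

The DN passed to FindByIssuerDistinguishedName must match the issuer name exactly as .NET renders it (check a known-good certificate's Issuer property to get the format). Treating a plain 403 as "client certificate wanted" is a heuristic: a 403 can also be an ordinary authorization failure, so the retry should happen once and the second 403 should be reported to the user as a denial.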