Solved

WS Security - Private Key missing

Posted on 2009-05-07
Last Modified: 2012-05-06
Hi experts,
    I am trying to access a third-party web service hosted on an Apache server from a VB.Net application using WS-Security. I generated a keystore and key pair using the Java keytool. Using the public key, I generated a certificate request and sent it to the CA, and they gave me back the signed certificate request together with the CA certificate. I am using WSE 3.0 to create a policy using these certificates, and when I try to sign the web service requests, it gives me back an error saying that the private key is missing. Can anybody help me get around this issue? I am using Visual Studio 2008 and WSE 3.0.
Thanks & Regards,
Deepu
Question by:Deepu Sreedhar
9 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24327962
You did not delete the request file before you installed the signed cert, did you? Deleting the cert (including using the 'move' command instead of 'copy' to transport it) will typically delete the associated private key.

I would suggest just creating a new one. If it is from your own CA it shouldn't be a big deal, and if it is from a commercial CA they will typically reissue even with a new CSR within 2 or 4 weeks, depending on the vendor. Just contact their support or sales.

If that doesn't help: what did you use to generate the CSR? OpenSSL, a Windows app, or something else?
 
LVL 3

Author Comment

by:Deepu Sreedhar
ID: 24334599
Hi Paranormastic,

   Thank you for your reply. I will tell you the steps I followed.
1. I used the Java keytool to generate a keystore & key pair:
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks
2. Generated the CSR for that keystore:
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
3. Sent the CSR to the CA and they gave me back the signed cert request and the CA cert.
4. I placed the CA cert into the Trusted Root Certification Authorities store, and the signed cert into the Personal store of the Local Computer, so that the WSE 3.0 tool can find them.
5. I changed the web.config file using the WSE 3.0 tool by enabling web service security, and created a policy file pointing to these certificates.
6. Part of the Web.Config file is given below.
7. I am trying to sign the outgoing request with these settings. [Is that just by doing the .SetPolicy to the policy file?] Anyway, the error I am getting says the private key is missing. Even if I open the certificate in MMC and try to renew the cert with the same key, or if I open it in the WSE certificate tool to view the private key file properties, it says the private key does not exist or is not accessible.

Does this make any sense?
------ Web.Config ----------
<microsoft.web.services3>
    <security>
      <x509 allowTestRoot="true" storeLocation="LocalMachine" />
      <binarySecurityTokenManager>
        <add valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
      </binarySecurityTokenManager>
    </security>
    <diagnostics>
      <trace enabled="true" input="InputTrace.webinfo" output="OutputTrace.webinfo" />
    </diagnostics>
    <messaging>
      <mtom clientMode="On" />
    </messaging>
    <policy fileName="wse3policyCache.config" />
  </microsoft.web.services3>
----------------------------------------------------------------

 
LVL 3

Author Comment

by:Deepu Sreedhar
ID: 24372596
            So, as you said, I created a new private key and a CSR and sent it to the CA (this time I used OpenSSL for that). They gave me back a signed cert request and the CA certificate. So everything is in one folder now. My folder now contains the CA cert, the signed cert request back from them, my private key, and the original cert request. I didn't even import them into the certificate store.
             Now can you tell me what I should do? Before, I was doing it like this: I used to import the signed cert request into the "Personal" certificate store of the local computer and the CA certificate into the "Other People" store of the local computer. Then, using WSE 3.0, I configured the Web.config file and created the policy file using the certificate policy, pointing to the signed certificate request as the client certificate and the CA certificate as the server certificate.
Any ideas?
 
LVL 3

Author Comment

by:Deepu Sreedhar
ID: 24385115
I got around this issue by converting the PEM format certificate to a PKCS12 format certificate, including the private key as well. So now it is not coming up with the missing private key message, but instead I am getting a different message: "WSE101: An asynchronous operation raised an exception."
"System.ArgumentException: WSE2166: The content type has an incomplete quoted parameter."
I am including the stack trace for your reference in case anybody can help me out there.
Thanks & Regards,
Deepu
System.ArgumentException: WSE2166: The content type has an incomplete quoted parameter.
Server stack trace:
   at Microsoft.Web.Services3.Mime.ContentTypeParser.ConsumeQuotedString(StringBuilder sb)
   at Microsoft.Web.Services3.Mime.ContentTypeParser.GetToken()
   at Microsoft.Web.Services3.Mime.ContentTypeParser..ctor(String s)
   at Microsoft.Web.Services3.Mime.MtomHelper.IsXopContentType(String contentType)
   at Microsoft.Web.Services3.Messaging.SoapHttpTransport.IsSupportedContentType(String contentType)
   at Microsoft.Web.Services3.Messaging.SoapHttpTransport.Send(SoapEnvelope message, EndpointReference destination, SoapHttpChannelOptions options)
   at Microsoft.Web.Services3.Messaging.SoapHttpOutputChannel.Send(SoapEnvelope message)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
   at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
   at Microsoft.Web.Services3.Messaging.SoapOutputChannel.SendDelegate.EndInvoke(IAsyncResult result)
   at Microsoft.Web.Services3.Messaging.SoapOutputChannel.EndSend(IAsyncResult result)
   at Microsoft.Web.Services3.Messaging.SoapSender.EndSend(IAsyncResult result)
   at Microsoft.Web.Services3.Messaging.SoapClient.EndSendOneWay(IAsyncResult result)
   at Microsoft.Web.Services3.Messaging.SoapClient.SoapClientAsyncResult.OnSendComplete(IAsyncResult result)

 
LVL 31

Expert Comment

by:Paranormastic
ID: 24476879
If you happen to be running apache AXIS-2 then check to make sure you are at version 1.3.0 or newer:
https://issues.apache.org/jira/browse/AXIS2C-930

Beyond that, I'm not seeing this error documented to be able to say much.

Glad you found the PEM thing for your main issue - sorry I was busy there for a few days and didn't get to post much to follow up.  Many apps like things in PEM - converting to PEM is a good troubleshooting step for most apps whenever you are having difficulty getting a cert to install.
 
LVL 3

Author Comment

by:Deepu Sreedhar
ID: 24481369
Thank you very much for your reply. As the CA is a third party, I don't have any control over the server. I contacted them with the error that I am getting and they came back with a possibly helpful point. They were saying my request seems to declare the utf-8 charset twice:

content-id: <0.633784301818437500@example.org>
    content-type:application/xop+xml; charset=utf-8; type="text/xml; charset=utf-8"
    content-transfer-encoding: binary

and the second charset, i.e. utf-8, is being reported back to you in an error message which cannot be parsed by your application, because the final quote is assumed to be part of the string on this side.

So now the question becomes how to change that, or where to change that, to declare it only once?

Regards,
Deepu

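The header the CA quoted is well-formed MIME: the type parameter is a quoted-string, so the ";" and the second "charset=" inside the quotes belong to that one value, and a parser that does not track the quotes sees a truncated quoted parameter, which matches the WSE2166 text above. The following is an added example, not code from the thread or from WSE: a small Python Content-Type parser that handles quoted parameters correctly, beside the naive ";" split that produces exactly that kind of dangling quote. XOP_HEADER is a constructed copy of the header from the post.

```python
def _quoted_string(s, pos, name):
    """Consume a quoted-string starting just after its opening '"' and return
    (value, index after the closing quote). Backslash escapes one character;
    running off the end is the 'incomplete quoted parameter' condition."""
    buf = []
    while pos < len(s):
        c = s[pos]
        if c == '\\' and pos + 1 < len(s):
            buf.append(s[pos + 1]); pos += 2
        elif c == '"':
            return ''.join(buf), pos + 1
        else:
            buf.append(c); pos += 1
    raise ValueError('incomplete quoted parameter: %s' % name)


def parse_content_type(header):
    """Return (media_type, params) for a MIME Content-Type value. Quoted values
    may legally contain ';' and '=', so parameters are scanned left to right
    instead of being split on ';'. Parameter names are lower-cased."""
    s = header.strip()
    semi = s.find(';')
    media_type = (s if semi == -1 else s[:semi]).strip().lower()
    if media_type.count('/') != 1:
        raise ValueError('malformed media type: %r' % media_type)
    params, pos = {}, semi
    while pos != -1:
        rest = s[pos + 1:].lstrip()            # step past ';' and whitespace
        pos = len(s) - len(rest)
        if not rest:
            break                              # tolerate a trailing ';'
        eq = s.find('=', pos)
        if eq == -1:
            raise ValueError('parameter without "=" at offset %d' % pos)
        name = s[pos:eq].strip().lower()
        if s[eq + 1:eq + 2] == '"':
            params[name], pos = _quoted_string(s, eq + 2, name)
        else:
            nxt = s.find(';', eq + 1)
            params[name] = (s[eq + 1:] if nxt == -1 else s[eq + 1:nxt]).strip()
            pos = nxt if nxt != -1 else len(s)
        pos = s.find(';', pos)                 # next parameter, or -1 when done
    return media_type, params


def naive_params(header):
    """The shortcut that breaks: split on ';' then '=' without tracking quotes."""
    out = {}
    for part in header.split(';')[1:]:
        name, _, value = part.strip().partition('=')
        out[name.lower()] = value
    return out


# Constructed copy of the content-type the CA quoted in the thread.
XOP_HEADER = 'application/xop+xml; charset=utf-8; type="text/xml; charset=utf-8"'
```

With the quote-aware parser the inner type value can be parsed again as its own Content-Type, which is what an MTOM/XOP consumer needs; the naive split instead leaves type holding an opening quote with no closing one.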
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24521633
Unless you could parse out "xop+xml; charset=utf-8" and replace it with "xop+xml;", I'm not really sure what to say here without seeing more.
 
LVL 3

Author Comment

by:Deepu Sreedhar
ID: 24524789
How can I replace that? Or where can I change those settings? Is that anything that I can do in the WSE3.0 settings?

 
LVL 3

Accepted Solution

by: Deepu Sreedhar (earned 0 total points)
ID: 24699545
Hi All,
   All the issues are sorted with this. I just moved back to Visual Studio 2003, .Net Framework 1.1 and WSE 2.0, and it works fine with this. Thanks to all who tried to help me here.