CA Service Management


SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

  • 1.  SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 28, 2018 03:02 PM

    Dear friends,

    I spent many hours trying to get loginServiceManaged to work, and I'm more and more confused.

     

    What I tried:

    1. Using pdm_pki, I generated the DEFAULT.p12 certificate for the DEFAULT WS Policy

    2. I copied the DEFAULT.p12 cert to the axis folder

    3. I followed the step by step example in ..\sdk\websvc\perl\test1_pki\opensslSample.sh for DEFAULT policy (with password DEFAULT):

    openssl pkcs12 -info -in DEFAULT.p12 -out file.pem -passout pass:dummy

    openssl x509 -in file.pem -pubkey -noout > DEFAULT.pub

    openssl pkcs12 -in DEFAULT.p12 -nodes -nocerts -out DEFAULT.priv

    echo -n "DEFAULT" | openssl dgst -d -sign DEFAULT.priv -sha1 > file.bin

    echo -n "DEFAULT" | openssl dgst -verify DEFAULT.pub -signature file.bin -sha1

    openssl base64 -e -in file.bin -out file.b64

    4. The results of all the commands seem to be OK

    5. The final encrypted_policy string also seems to be nice:

    fzK745Qa60GYN65qXhJB1GlIbqe5PXKWemCeemJTcViM4XYYnNbNOEJOX0fdgb8u
    LQN0lSgumQEwmpsBj5aPoKrRpGM+gc1uPn9wUEfaDgzqQLgrjT/lh1f7RUW/Xx5o
    EP1jJgTAbSeoL0o/mfE4aBO1ZXfMIrXjer4mwMDsHIj0H46sEw3A9+9YiOJFv//Y
    ItPN+eYliCgg1LjcUFi0twPb3Nx2BrmEPtvuYA7l0Bkrs52l2TJD3/lMnwx40V0R
    R3y2uZeEzum3GlZErCxEzehj9v3b5z2Tqp0L+W+kVCXur+Lm5GXJCSQRkQO0yhPr
    y+36eQ4yeoVJyEoJC8Q6Ew==

     

    But it simply doesn't work in my PowerShell script.

     

    $wsurl = "http://itasm:8181/axis/services/USD_R11_WebService?wsdl"

    $ws=New-WebServiceProxy -uri $wsurl
    $sid = $ws.loginServiceManaged("DEFAULT", "fzK745Qa60GYN65qXhJB1GlIbqe5PXKWemCeemJTcViM4XYYnNbNOEJOX0fdgb8uLQN0lSgumQEwmpsBj5aPoKrRpGM+gc1uPn9wUEfaDgzqQLgrjT/lh1f7RUW/Xx5oEP1jJgTAbSeoL0o/mfE4aBO1ZXfMIrXjer4mwMDsHIj0H46sEw3A9+9YiOJFv//YItPN+eYliCgg1LjcUFi0twPb3Nx2BrmEPtvuYA7l0Bkrs52l2TJD3/lMnwx40V0RR3y2uZeEzum3GlZErCxEzehj9v3b5z2Tqp0L+W+kVCXur+Lm5GXJCSQRkQO0yhPry+36eQ4yeoVJyEoJC8Q6Ew==")
    $sid

    #$sid2 = $ws.impersonate($sid,"jarnold")
    #$sid2

    $ws.logout($sid)

     

    The error is "Error - invalid login policy encryption"

     

     

    Also, the DEFAULT policy seems to be correctly defined.

     

     

    Any ideas?

     

    Thank you,

    Jakub



  • 2.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 29, 2018 05:18 AM

    The following error message appears in jsrvr.log:

     

    10/29 10:15:37.758[http-nio-8181-exec-4] ERROR usdsda ? Login policy does not match with the encrypted policy code.
    10/29 10:15:37.761[http-nio-8181-exec-4] ERROR usdsda ? Error - invalid login policy encryption, from caller IP fe80:0:0:0:a52c:6b82:7d6c:8743%14, error = 3004

     

    Jakub



  • 3.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 29, 2018 10:10 AM

    Hi Jakub,

     

    I tried your PowerShell code on my end and it works, so your problem is likely with the encrypted policy string. I modified the pkilogin.jsp file that comes with the web service Java samples to return the encrypted policy key.

     

    Review the instructions for the sample pki login in nx_root\samples\sdk\websvc\java\test1_pki.

     

    Replace the line

    out.print("Got BOPSID for " + userId + " of '" + bopSid + "'<p>");

     

    with

    out.print("Got BOPSID for " + userId + " of '" + bopSid + "' Encryption: " + encryption + "<p>");

     

    Now when you navigate to the pkilogin page and log in, it'll return the encryption key. I tried to add an attachment, but it doesn't like .jsp files. Hopefully this helps.



  • 4.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 30, 2018 04:24 AM

    Hi Grant,

    I tried the pkilogin.jsp, but it didn't work for me: the page always returns an error screen. I probably don't have Java correctly set up.

     

    But I'll give it another try.

     

    Thank you,

    Jakub

     

     



  • 5.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 29, 2018 12:49 PM

    Hi Jakub.

    I never worked with it that way.

    Anyway, your first openssl command is different from the one in opensslSample.sh:

    openssl pkcs12 -info -in DEFAULT.p12 -out file.pem -passout pass:dummy

    instead of

    openssl pkcs12 -info -in $POLICYNAME.p12 -out file.pem -passin file:password.txt -passout pass:dummy

    The -passin file:password.txt part is missing?

    Regards

    ..........Michael



  • 6.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Broadcom Employee
    Posted Oct 29, 2018 04:15 PM

    Michael's right. As long as the password.txt file has the real password for your keystore,

    openssl pkcs12 -info -in POLICY_File_NAME.p12 -out file.pem -passin file:password.txt -passout pass:dummy

    this guy should extract the needed info.

     

    _R



  • 7.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 30, 2018 04:06 AM

    Hi Michael, Radgu,

    Thank you for your suggestions. But the file is there only for passing the password, and if you don't specify it, the openssl tool prompts you for it. I simply wanted to have everything under control, and the password was correct. It's also visible on the cmd screenshot.

     

    Michael, you mentioned that you don't work with it this way; is there another way? I simply wanted to try impersonation, and to do it I need to use the loginServiceManaged method, which needs the encrypted policy string. And obtaining the policy string should be the circus above. At least as I understand it...

     

    Jakub



  • 8.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)
    Best Answer

    Posted Oct 30, 2018 01:30 PM

    Hi Jakub

    I am working with java usually.

    I redid your steps exactly as you posted in your first question:
    pdm_pki -p DEFAULT -f

    openssl pkcs12 -info -in DEFAULT.p12 -out file.pem -passout pass:dummy

    openssl x509 -in file.pem -pubkey -noout > DEFAULT.pub

    openssl pkcs12 -in DEFAULT.p12 -nodes -nocerts -out DEFAULT.priv

    echo -n "DEFAULT" | openssl dgst -d -sign DEFAULT.priv -sha1 > file.bin

    echo -n "DEFAULT" | openssl dgst -verify DEFAULT.pub -signature file.bin -sha1

    openssl base64 -e -in file.bin -out file.b64

    cat file.b64

    I concatenated the lines of file.b64 and used this string in SOAP-UI in the loginServiceManaged method, and it was working fine.

    I compiled the Java example. It produced exactly the same encrypted string as your steps.

    No idea what's going wrong... I'm working with SDM 17.0.

    best regards

    ..........Michael



  • 9.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 30, 2018 02:04 PM

    Hi Michael,

    Strange behavior. I have CA ITASM DoD with SDM 17.1. I'll try SOAP UI instead of the PowerShell script, or a different SDM implementation, tomorrow.

     

    Thanks a lot for your help and time,

    Jakub



  • 10.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Dec 17, 2018 05:56 AM

    Hi Michael,

    Finally, I was able to successfully call the loginServiceManaged method and obtain a SID.

     

    I used the Java example, which generated a different string than the openssl procedure. Not sure why; I'll try to investigate it later. It's still a piece of black magic for me.

     

    Thank you for your help,

    Jakub
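Editor's note, added to this thread: the block below is a worked example and is not code from any post here or from the CA SDM SDK samples. It covers the procedure Jakub and Michael both ran (posts 1 and 8) and the discrepancy reported in post 10. The SDK pipeline signs the policy code with the policy's RSA private key using SHA-1 and PKCS#1 v1.5 padding and Base64-encodes the result. That signature scheme is deterministic, so the openssl pipeline and the Java sample must produce the identical string for the same .p12 and the same input bytes. When they differ, look at what was actually signed (cmd.exe has no "echo -n", so under cmd it writes the literal text -n "DEFAULT" plus CRLF into the pipe, and "openssl dgst -verify" still passes because it checks the same wrong bytes), at the line wrapping of "openssl base64" (64-column lines that must be joined), and at which .p12 was loaded versus the one the server has for the policy. A server-side "Login policy does not match with the encrypted policy code" (post 2) is consistent with the signature failing to verify under the policy's certificate. The PowerShell below rebuilds the string with .NET only, which sidesteps the shell quoting issue and avoids the unencrypted DEFAULT.priv that "openssl pkcs12 -nodes" leaves on disk, and then calls the service the way the original script does. The .p12 path, its password, the WSDL URL and the impersonated user are placeholders taken from or assumed for this thread.

```powershell
# Added example for this thread (not from the posts or the CA SDM SDK samples).
# Builds the loginServiceManaged "encrypted policy" string in PowerShell/.NET
# instead of the openssl pipeline, self-verifies it, then logs in and
# impersonates a user as the original script does.
#
# Assumptions (placeholders, adjust for your environment):
#   $P12Path           - the <policy>.p12 written by "pdm_pki -p <policy> -f"
#   $P12Password       - its password (the thread says it is the policy code)
#   $WsdlUrl           - the SDM web service WSDL used in the original script
#   $UserToImpersonate - the user passed to impersonate()

function New-SdmEncryptedPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $P12Path,
        [Parameter(Mandatory = $true)] [string] $P12Password,
        [Parameter(Mandatory = $true)] [string] $PolicyCode
    )

    # Load the PKCS#12 container. Whoever holds this private key can log in
    # under the policy and impersonate any user, so treat the file like a
    # password and do not leave "-nodes" copies of the key lying around.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $P12Path, $P12Password, $flags
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "No RSA private key found in $P12Path" }

    # Sign exactly the policy code bytes: no quotes, no trailing newline.
    # Same operation as the SDK sample's
    #     echo -n "<policy>" | openssl dgst -sha1 -sign <policy>.priv
    # i.e. RSASSA-PKCS1-v1_5 over SHA-1, which is deterministic: two correct
    # implementations yield byte-identical signatures for the same key.
    $data = [System.Text.Encoding]::ASCII.GetBytes($PolicyCode)
    $sha1 = [System.Security.Cryptography.HashAlgorithmName]::SHA1
    $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $sig  = $rsa.SignData($data, $sha1, $pad)

    # Local self-check with the public key (the sample's "openssl dgst -verify").
    if (-not $rsa.VerifyData($data, $sig, $sha1, $pad)) {
        throw "Signature self-check failed for policy '$PolicyCode'"
    }

    # Single-line Base64. "openssl base64" wraps at 64 columns, which is why
    # the lines of file.b64 had to be joined before the web service call.
    return [Convert]::ToBase64String($sig)
}

# ---- usage -------------------------------------------------------------------
$PolicyCode        = 'DEFAULT'
$P12Path           = 'C:\path\to\DEFAULT.p12'   # placeholder: wherever pdm_pki wrote it
$P12Password       = 'DEFAULT'                  # per the thread, the policy code
$WsdlUrl           = 'http://itasm:8181/axis/services/USD_R11_WebService?wsdl'
$UserToImpersonate = 'jarnold'

$encryptedPolicy = New-SdmEncryptedPolicy -P12Path $P12Path -P12Password $P12Password -PolicyCode $PolicyCode
"Encrypted policy for $PolicyCode : $encryptedPolicy"

$ws  = New-WebServiceProxy -Uri $WsdlUrl
$sid = $ws.loginServiceManaged($PolicyCode, $encryptedPolicy)
try {
    # A service-managed SID exists so the integration can impersonate end
    # users, which is what the original script was trying to do.
    $impersonatedSid = $ws.impersonate($sid, $UserToImpersonate)
    "Service SID: $sid"
    "Impersonated SID for $UserToImpersonate : $impersonatedSid"
}
finally {
    $ws.logout($sid)
}
```

To cross-check against the SDK pipeline from a POSIX shell, feed openssl the bare policy code with printf rather than echo ("printf '%s' DEFAULT | openssl dgst -sha1 -sign DEFAULT.priv | openssl base64 -A") and compare: with the same key and the same bytes the two strings must be identical, and any difference points at the input bytes or at the key file, not at the web service.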

     



  • 11.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 30, 2018 04:37 AM

    Just to be sure, I've tried the same procedure with the password stored in the text file (the password for the generated DEFAULT.p12 certificate is "DEFAULT"). The results are exactly the same: I have the same encrypted policy string, but it can't be used for the loginServiceManaged login method.

     

    Jakub



  • 12.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 30, 2018 07:07 AM

    Can you try creating a new policy instead of the default? I tested your code and it worked for me, but the one difference is I was not using the default policy.



  • 13.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 30, 2018 02:00 PM

    Hi,

    The same results for a custom WS policy. I think I'll try a different CA SDM installation; this one is CA ITASM DoD.

     

    Thanks a lot for your suggestions! At least I know I'm on the right track.

     

    Jakub



  • 14.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 29, 2018 08:18 PM

    Chi_Chen, if you get another case regarding login service managed and the encrypted policy, then you can reference this post. There appears to be an easier way to get the encryption key.



  • 15.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted Oct 30, 2018 04:08 AM

    Hi, your comment doesn't have any link to any post.

     

    Jakub