Clarity Service Management

Expand all | Collapse all

SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

Jump to Best Answer
  • 1.  SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-28-2018 03:02 PM

    Dear friends,

    I spent many hours trying to get loginServiceManaged to work and I'm more and more confused

     

    What I tried:

    1. using pdm_pki I generated the DEFAULT.p12 certificate for the DEFAULT WS Policy

    2. I copied the DEFAULT.p12 cert to the axis folder

    3. I followed the step by step example in ..\sdk\websvc\perl\test1_pki\opensslSample.sh for DEFAULT policy (with password DEFAULT):

    openssl pkcs12 -info -in DEFAULT.p12 -out file.pem -passout pass:dummy

    openssl x509 -in file.pem -pubkey -noout > DEFAULT.pub

    openssl pkcs12 -in DEFAULT.p12 -nodes -nocerts -out DEFAULT.priv

    echo -n "DEFAULT" | openssl dgst -d -sign DEFAULT.priv -sha1 > file.bin

    echo -n "DEFAULT" | openssl dgst -verify DEFAULT.pub -signature file.bin -sha1

    openssl base64 -e -in file.bin -out file.b64

    4. The results of all the commands seem to be OK

    5. The final encrypted_policy string also seems to be nice

    fzK745Qa60GYN65qXhJB1GlIbqe5PXKWemCeemJTcViM4XYYnNbNOEJOX0fdgb8u
    LQN0lSgumQEwmpsBj5aPoKrRpGM+gc1uPn9wUEfaDgzqQLgrjT/lh1f7RUW/Xx5o
    EP1jJgTAbSeoL0o/mfE4aBO1ZXfMIrXjer4mwMDsHIj0H46sEw3A9+9YiOJFv//Y
    ItPN+eYliCgg1LjcUFi0twPb3Nx2BrmEPtvuYA7l0Bkrs52l2TJD3/lMnwx40V0R
    R3y2uZeEzum3GlZErCxEzehj9v3b5z2Tqp0L+W+kVCXur+Lm5GXJCSQRkQO0yhPr
    y+36eQ4yeoVJyEoJC8Q6Ew==

     

    But it simply doesn't work in my powershell script 

     

    $wsurl = "http://itasm:8181/axis/services/USD_R11_WebService?wsdl"

    $ws=New-WebServiceProxy -uri $wsurl
    $sid = $ws.loginServiceManaged("DEFAULT", "fzK745Qa60GYN65qXhJB1GlIbqe5PXKWemCeemJTcViM4XYYnNbNOEJOX0fdgb8uLQN0lSgumQEwmpsBj5aPoKrRpGM+gc1uPn9wUEfaDgzqQLgrjT/lh1f7RUW/Xx5oEP1jJgTAbSeoL0o/mfE4aBO1ZXfMIrXjer4mwMDsHIj0H46sEw3A9+9YiOJFv//YItPN+eYliCgg1LjcUFi0twPb3Nx2BrmEPtvuYA7l0Bkrs52l2TJD3/lMnwx40V0RR3y2uZeEzum3GlZErCxEzehj9v3b5z2Tqp0L+W+kVCXur+Lm5GXJCSQRkQO0yhPry+36eQ4yeoVJyEoJC8Q6Ew==")
    $sid

    #$sid2 = $ws.impersonate($sid,"jarnold")
    #$sid2

    $ws.logout($sid)

     

    The error is "Error - invalid login policy encryption"

     

     

    Also the DEFAULT policy seems to be correctly defined..

     

     

    Any ideas?

     

    Thank you,

    Jakub



  • 2.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-29-2018 05:18 AM

    Following error message appears in jsrvr.log

     

    10/29 10:15:37.758[http-nio-8181-exec-4] ERROR usdsda ? Login policy does not match with the encrypted policy code.
    10/29 10:15:37.761[http-nio-8181-exec-4] ERROR usdsda ? Error - invalid login policy encryption, from caller IP fe80:0:0:0:a52c:6b82:7d6c:8743%14, error = 3004

     

    Jakub



  • 3.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-29-2018 10:10 AM

    Hi Jakub,

     

    I tried your powershell code on my end and it works, so your problem is likely with the encrypted policy string. I modified the pkilogin.jsp file that comes in the webservice java samples to return the encrypted policy key.

     

    Review the instructions for the sample pki login in nx_root\samples\sdk\websvc\java\test1_pki.

     

    Replace the line

    out.print("Got BOPSID for " + userId + " of '" + bopSid + "'<p>");

     

    with

    out.print("Got BOPSID for " + userId + " of '" + bopSid + "' Encryption: " + encryption + "<p>");

     

    Now when you navigate to the pkilogin page and login it'll return the encryption key. I tried to add an attachment but it doens't like .jsp files.. Hopefully this helps.



  • 4.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-30-2018 04:24 AM

    Hi Grant,

    I tried the pkilogin.jsp, but it didn't work for me - the page always returns error screen. I probably don't have the java correctly set up.

     

    But I'll give it another try.

     

    Thank you,

    Jakub

     

     



  • 5.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-29-2018 12:49 PM

    Hi Jakub.

    never worked with it that way.

    anyway your first mentioned openssl command is different to the one in opensslSample.sh:

    openssl pkcs12 -info -in DEFAULT.p12 -out file.pem -passout pass:dummy

    instead of

    openssl pkcs12 -info -in $POLICYNAME.p12 -out file.pem -passin file:password.txt -passout pass:dummy

    bold stuff is missing ?

    Regards

    ..........Michael



  • 6.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-29-2018 04:15 PM

    Michael's right, as long as the password.txt file has the real password for your keystore, 

     

    openssl pkcs12 -info -in POLICY_File_NAME.p12 -out file.pem -passin file:password.txt -passout pass:dummy  this guy should extract the needed info

     

    _R



  • 7.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-30-2018 04:06 AM

    Hi Michael, Radgu,

    thank you for your suggestions. But the file is there only for passing the password and if you don't specify it the openssl tool prompts you to specify it. I simply wanted to have everything under control and the password was correct. It's also visible on the cmd screenshot.

     

    Michael, you mentioned that you don't work with it this way - is there another way? I simply wanted to try impersonation and to do it I need to use loginServiceManaged method which needs encrypted policy string. And obtaining the policy string should be the circus above  At least as I understand it...

     

    Jakub



  • 8.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)
    Best Answer

    Posted 10-30-2018 01:30 PM

    Hi Jakub

    I am working with java usually.

    I redid your steps exactly as you posted in your first question:
    pdm_pki -p DEFAULT -f

    openssl pkcs12 -info -in DEFAULT.p12 -out file.pem -passout pass:dummy

    openssl x509 -in file.pem -pubkey -noout > DEFAULT.pub

    openssl pkcs12 -in DEFAULT.p12 -nodes -nocerts -out DEFAULT.priv

    echo -n "DEFAULT" | openssl dgst -d -sign DEFAULT.priv -sha1 > file.bin

    echo -n "DEFAULT" | openssl dgst -verify DEFAULT.pub -signature file.bin -sha1

    openssl base64 -e -in file.bin -out file.b64

    cat file.b64

    I concatenated the lines of file.b64 and used this string in SOAP-UI in loginServiceManaged method

    and it was working fine.

    I compiled the java example . It produced exactly the same encrypted string as with your steps.

    No idea , what's going wrong...I'm working with SDM 17.0.

    best regards

    ..........Michael



  • 9.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-30-2018 02:04 PM

    Hi Michael,

    strange behavior.. I have CA ITASM DoD with SDM 17.1. I'll try SOAP UI instead of powershell script or different SDM implementation tomorrow.

     

    Thanks a lot for your help and time,

    Jakub



  • 10.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 12-17-2018 05:56 AM

    Hi Michael,

    finally, I was able to successfully call the loginServiceManaged method and obtain SID.

     

    I used the Java example which generated a different string compared to the openssl procedure. Not sure why, I'll try to investigate on it later.. It's still a piece of black magic for me

     

    Thank you for your help,

    Jakub

     



  • 11.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-30-2018 04:37 AM

    Just to be sure I've tried the same procedure with the password stored in the text file (the password for the generated DEFAULT.p12 certificate is "DEFAULT"). The results are exactly the same - I have the same encrypted policy string, but it can't be used for loginServiceManaged login method 

     

    Jakub



  • 12.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-30-2018 07:07 AM

    Can try creating a new policy instead of default? I tested your code and it worked for me but the one difference is I was not using the default policy.



  • 13.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-30-2018 02:00 PM

    Hi,

    the same results for custom WS policy   I think I try to use different CA SDM installation - this one is CA ITASM DoD.

     

    Thanks a lot for your suggestions! At least I know I'm on the right track

     

    Jakub



  • 14.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-29-2018 08:18 PM

    Chi_Chen if you get another case regarding login service managed and the encrypted policy then you can reference this post. There appears to be an easier way to get the encryption key.  



  • 15.  Re: SDM WS API: loginServiceManaged(Policy, Encrypted_Policy)

    Posted 10-30-2018 04:08 AM

    Hi, your comment doesn't have any link to any post.

     

    Jakub