CA Service Management

Expand all | Collapse all

CA-SDM Integration - Webservice R11.2

Jump to Best Answer
  • 1.  CA-SDM Integration - Webservice R11.2

    Posted 12-11-2015 06:26 AM

    Hello everybody. I build up a webservice using vbscript and C# to get information from a specific CHG or Incident. It all worked fine until a new policy came in to squash my work. I used the login constructor to authenticate (User and PW) but now I must use a PKI auth. I know I must use the loginservicemanaged constructor and I have the certificate (.p12) locally for testing. But I am unable to properly authenticate. It gives me the error "invalid login policy encryption".

     

    Here it is the main code:

     

    private string GetCertificado()

            {

                // Certificados X509 Versão 3

     

                string strPKI = string.Empty;

     

                X509Certificate2 objCertificado = null;

                X509Store localiz_certif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);

                localiz_certif.Open(OpenFlags.ReadOnly);

     

                        //-> strNomeCert="CN=ServiceDesk ZDACPolicy"

                X509Certificate2Collection Resultado =

                        localiz_certif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, _strNomeCertif, true);

                if (Resultado.Count != 0)

                {

                    objCertificado = Resultado[0];

                    //strPKI = objCertificado.PrivateKey.ToXmlString(false);

     

                    strPKI = Convert.ToBase64String(objCertificado.Export(X509ContentType.Cert), Base64FormattingOptions.None);

                    localiz_certif.Close();

                }

                return strPKI;

            }

     

     

     

    public int Ligar(string strCertifPKI)

            {

                string strSID;

     

                try

                {

                    strSID = objCAWebService.loginServiceManaged ("ZDACPolicy", strCertifPKI);

                  

                    int intSID = int.Parse(strSID);

                    return intSID;

                }

                catch (Exception erro)

                {

                    Console.WriteLine(erro);

                    return 0;

                }

            }

     

    Has anyone implemented code using a PKI with the loginservicemanaged?

    Thanks in advance.



  • 2.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-11-2015 06:43 AM

    Hi, basicaly what you need to do is to extract private key from certificate and sign policy name with it. I do not see this hapening in your code. Please use C:\CA\SDM\samples\sdk\websvc\java\test1_pki\USDWSUtil.java for the reference



  • 3.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-15-2015 05:49 AM

    Hello Gutis. I do not have CA installed in my local machine, therefore I cannot view the USDWSUtil.java reference. After the signing of the policy what I have to do next? Encode it with Base64?

     

    Thanks for the reply.



  • 4.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-15-2015 06:13 AM

    Yes you need to encode it.

    I have attached USDWSUtil.java for you.



  • 5.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-15-2015 07:18 AM

    I am going to try. Thanks



  • 6.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-29-2015 11:06 AM

    Hello Gutis - I cannot implement the code you provided because it is JAVA and I am coding in C#. However the code gave me some insight but I am getting an "Invalid Login Policy Encryption" error.

     

    Here's my code (I can get the certificate that is stored):

     

    1. private string GetCertificado(string strNCertif)
    2.         {
    3.        
    4.             string strPKI = string.Empty;
    5.             X509Store stoLocalizCertif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    6.             stoLocalizCertif.Open(OpenFlags.ReadOnly);
    7.             X509Certificate2Collection Resultado =
    8.                     stoLocalizCertif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, strNCertif, true);
    9.             if (!(Resultado.Count.Equals(0)))
    10.             {
    11.                 byte[] bytCertifValor = Resultado.Export(X509ContentType.Cert);
    12.                 SHA1 objSHA1 = new SHA1CryptoServiceProvider();
    13.                 var rsaCSP = new RSACryptoServiceProvider();
    14.                 byte[] bytCodific = objSHA1.ComputeHash(bytCertifValor);
    15.                 bytCodific = rsaCSP.SignHash(bytCodific, CryptoConfig.MapNameToOID("SHA1"));
    16.                 strPKI = Convert.ToBase64String(bytCodific);
    17.                 stoLocalizCertif.Close();
    18.             }
    19.             return strPKI;
    20.         }
    21. strSID = objCAWebService.loginServiceManaged ("xxxxPolicy", strCertifPKI);

     

    Maybe you can help me out.



  • 7.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-29-2015 11:27 AM

    Hello, i am not programer, but i don't see where in your code you have extracted private key from the certificate. As far as i understand you exporting certificate from localMachine store, but i don't see where you extracting private key from the certificate using policy name as password.



  • 8.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-29-2015 11:54 AM

    You are right - I've changed the code a little but the error msg still maintains.

     

    1. private string GetCertificado(string strNCertif)
    2.         {
    3.             string strPKI = string.Empty;
    4.             X509Store stoLocalizCertif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    5.             stoLocalizCertif.Open(OpenFlags.ReadOnly);
    6.             X509Certificate2Collection Resultado =
    7.                     stoLocalizCertif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, strNCertif, true);
    8.             if (!(Resultado.Count.Equals(0)))
    9.             {
    10.                 X509Certificate2 objCertificado = Resultado[0];
    11.                 RSACryptoServiceProvider objChvPrv = objCertificado.PrivateKey as RSACryptoServiceProvider;
    12.                 byte[] bytCertifValor = Resultado.Export(X509ContentType.Cert);
    13.                 byte[] bytAssinatura = objChvPrv.SignData(bytCertifValor, new SHA1Managed());
    14.                 byte[] bytCodific = SHA1Managed.Create().ComputeHash(bytCertifValor);
    15.                 RSAPKCS1SignatureFormatter objFormata = new RSAPKCS1SignatureFormatter(objCertificado.PrivateKey);
    16.                 objFormata.SetHashAlgorithm("SHA1");
    17.                 bytAssinatura = objFormata.CreateSignature(bytCodific);
    18.                 strPKI = Convert.ToBase64String(bytAssinatura);
    19.                 stoLocalizCertif.Close();
    20.             }
    21.             return strPKI;
    22.         }

     

    strSID = objCAWebService.loginServiceManaged ("xxxxPolicy", strCertifPKI);



  • 9.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-29-2015 01:38 PM
    You need to provide password to extract private key. Password is your policy name. After that you need to sign policy name with that private key. Only then convert signed policy name to base64 format. I don't see neither happening in your code.




  • 10.  Re: CA-SDM Integration - Webservice R11.2

    Posted 12-29-2015 01:40 PM

    From your code it seems that you are signing certificate itself instead of policy name



  • 11.  Re: CA-SDM Integration - Webservice R11.2

    Posted 01-04-2016 05:55 AM

    Thank you for your help and effort Gutis - I shall introspect and code accordingly.



  • 12.  Re: CA-SDM Integration - Webservice R11.2

    Posted 01-05-2016 11:12 AM

    Hello Gutis, I changed the code, tried to do what you had written, but to no avail. It still gives me "Invalid policy encription"...

     

    • private string GetCertificado(string strNCertif)
    •         {
    •             //Certificado RSA PKCS#12 (.P12)
    •             // RSA 1024bit | SHA1 Algoritmo
    •             string strPKI = string.Empty;
    •             var objAlgoritRSA = new RSACryptoServiceProvider(1024);
    •             var stoLocalizCertif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    •             stoLocalizCertif.Open(OpenFlags.ReadOnly);
    •             X509Certificate2Collection ccolCertificado =
    •                     stoLocalizCertif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, strNCertif, true);
    •             stoLocalizCertif.Close();
    •             if (!(ccolCertificado.Count.Equals(0)))
    •             {
    •                 X509Certificate2 objCertificado = ccolCertificado[0];
    •                 //Chave Privada do Certificado
    •                 RSACryptoServiceProvider rsaChvPrv = objCertificado.PrivateKey as RSACryptoServiceProvider;
    •                 byte[] bytCertificado = ccolCertificado.Export(X509ContentType.Cert,"name_policy");
    •                 byte[] bytAssinatura = rsaChvPrv.SignData(bytCertificado, CryptoConfig.MapNameToOID("SHA1"));
    •                 strPKI = Convert.ToBase64String(bytAssinatura);
    •             }
    •             return strPKI;
    •         }


  • 13.  Re: CA-SDM Integration - Webservice R11.2
    Best Answer

    Posted 01-05-2016 12:21 PM
      |   view attached

    I have found an old test executable that we used to test this method. Since i was not able to find source i have decompiled it. So project most probably will not compile but it will give you some guidance

    Attachment(s)

    zip
    wsproj.zip   2.05MB 1 version


  • 14.  Re: CA-SDM Integration - Webservice R11.2

    Posted 01-06-2016 05:11 AM

    Hello Gutis and thank you very much for showing me such corporate project! I just look at it very fast but I think this could help alot, mainly the UsdList.cs tiny little file... It looks promising and I think you do not need to give me guidance. Thanks again for your big and opportune effort.



  • 15.  Re: CA-SDM Integration - Webservice R11.2

    Posted 01-06-2016 12:15 PM

    Hello Gutis and... THANK YOU!!!!!

    I only used the file that I told you (UsdList.cs) to make it work.

    But I had, offcourse to modify alot of code. Moreover, the uppercase and lowercase didn't worked at all. The code returned an uppercase string which it does not work in my case. I tested extensively and the policy string must be equal as it is displayed in the MMC's console of the certificate tree.

     

    I searched and posted in other forums but nobody could help me out. You don't know how much did you helped me! Thank you so much Gutis!



  • 16.  Re: CA-SDM Integration - Webservice R11.2

    Posted 01-06-2016 12:44 PM

    You are welcome