I spent many hours trying to get loginServiceManaged to work and I'm more and more confused
What I tried:
1. using pdm_pki I generated the DEFAULT.p12 certificate for the DEFAULT WS Policy
2. I copied the DEFAULT.p12 cert to the axis folder
3. I followed the step by step example in ..\sdk\websvc\perl\test1_pki\opensslSample.sh for DEFAULT policy (with password DEFAULT):
openssl pkcs12 -info -in DEFAULT.p12 -out file.pem -passout pass:dummy
openssl x509 -in file.pem -pubkey -noout > DEFAULT.pub
openssl pkcs12 -in DEFAULT.p12 -nodes -nocerts -out DEFAULT.priv
echo -n "DEFAULT" | openssl dgst -d -sign DEFAULT.priv -sha1 > file.bin
echo -n "DEFAULT" | openssl dgst -verify DEFAULT.pub -signature file.bin -sha1
openssl base64 -e -in file.bin -out file.b64
4. The results of all the commands seem to be OK
5. The final encrypted_policy string also seems to be nice
But it simply doesn't work in my powershell script
$wsurl = "http://itasm:8181/axis/services/USD_R11_WebService?wsdl"
$ws = New-WebServiceProxy -uri $wsurl
$sid = $ws.loginServiceManaged("DEFAULT", "fzK745Qa60GYN65qXhJB1GlIbqe5PXKWemCeemJTcViM4XYYnNbNOEJOX0fdgb8uLQN0lSgumQEwmpsBj5aPoKrRpGM+gc1uPn9wUEfaDgzqQLgrjT/lh1f7RUW/Xx5oEP1jJgTAbSeoL0o/mfE4aBO1ZXfMIrXjer4mwMDsHIj0H46sEw3A9+9YiOJFv//YItPN+eYliCgg1LjcUFi0twPb3Nx2BrmEPtvuYA7l0Bkrs52l2TJD3/lMnwx40V0RR3y2uZeEzum3GlZErCxEzehj9v3b5z2Tqp0L+W+kVCXur+Lm5GXJCSQRkQO0yhPry+36eQ4yeoVJyEoJC8Q6Ew==")
$sid
#$sid2 = $ws.impersonate($sid,"jarnold")
#$sid2
The error is "Error - invalid login policy encryption"
Also, the DEFAULT policy seems to be correctly defined.
The following error message appears in jsrvr.log:
10/29 10:15:37.758[http-nio-8181-exec-4] ERROR usdsda ? Login policy does not match with the encrypted policy code.
10/29 10:15:37.761[http-nio-8181-exec-4] ERROR usdsda ? Error - invalid login policy encryption, from caller IP fe80:0:0:0:a52c:6b82:7d6c:8743%14, error = 3004
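The opensslSample.sh steps quoted above, written out as shell functions together with the check the server side has to perform, as an added example (not from the thread, the SDK or the CA SDM product). It assumes openssl on PATH; make_test_policy builds a constructed self-signed .p12 (password equal to the policy name, as with DEFAULT.p12 in the thread), not a real SDM policy, so it runs without a server.

```shell
#!/bin/sh
# Added example, not code from the thread or the SDK. Assumes openssl is on PATH.
set -eu

# Extract the public key and the unencrypted private key from POLICY.p12 into DIR.
extract_policy_keys() {   # args: p12 password dir
  openssl pkcs12 -in "$1" -nokeys -out "$3/cert.pem" -passin "pass:$2" 2>/dev/null
  openssl x509 -in "$3/cert.pem" -pubkey -noout > "$3/policy.pub"
  openssl pkcs12 -in "$1" -nodes -nocerts -out "$3/policy.priv" -passin "pass:$2" 2>/dev/null
}

# Sign the policy name (no trailing newline, hence printf) with SHA-1/RSA and print the
# base64 on ONE line: plain "openssl base64" wraps at 64 characters, which is why the
# lines of file.b64 have to be concatenated before the string is usable.
make_policy_token() {     # args: policy dir  -> prints the token
  printf '%s' "$1" | openssl dgst -sha1 -sign "$2/policy.priv" > "$2/sig.bin"
  openssl base64 -A -in "$2/sig.bin"
}

# Server-side counterpart: decode the token and verify it against the named policy's
# public key. Fails (non-zero) when the signature does not cover POLICY, which is the
# situation behind "Login policy does not match with the encrypted policy code".
verify_policy_token() {   # args: policy dir token
  printf '%s' "$3" | openssl base64 -d -A > "$2/check.bin"
  printf '%s' "$1" | openssl dgst -sha1 -verify "$2/policy.pub" \
    -signature "$2/check.bin" >/dev/null 2>&1
}

# Constructed test fixture (not a real SDM policy): a self-signed POLICY.p12 protected
# with the policy name as password, so the functions above can be exercised offline.
make_test_policy() {      # args: policy dir  -> prints the path of the .p12
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 1 \
    -keyout "$2/key.pem" -out "$2/selfsigned.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$2/key.pem" -in "$2/selfsigned.pem" \
    -out "$2/$1.p12" -passout "pass:$1" -name "$1"
  printf '%s\n' "$2/$1.p12"
}

# Usage (the loginServiceManaged call itself stays in the PowerShell script):
#   dir=$(mktemp -d); p12=$(make_test_policy DEFAULT "$dir")
#   extract_policy_keys "$p12" DEFAULT "$dir"; token=$(make_policy_token DEFAULT "$dir")
#   verify_policy_token DEFAULT "$dir" "$token" && echo "token OK: $token"
```

For a real installation, skip make_test_policy and point extract_policy_keys at the DEFAULT.p12 that pdm_pki produced; the token printed by make_policy_token is the single-line string to paste into the loginServiceManaged call.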
I tried your powershell code on my end and it works, so your problem is likely with the encrypted policy string. I modified the pkilogin.jsp file that comes in the webservice java samples to return the encrypted policy key.
Review the instructions for the sample pki login in nx_root\samples\sdk\websvc\java\test1_pki.
Replace the line
out.print("Got BOPSID for " + userId + " of '" + bopSid + "'<p>");
with
out.print("Got BOPSID for " + userId + " of '" + bopSid + "' Encryption: " + encryption + "<p>");
Now when you navigate to the pkilogin page and log in, it'll return the encryption key. I tried to add an attachment but it doesn't like .jsp files. Hopefully this helps.
I tried the pkilogin.jsp, but it didn't work for me - the page always returns an error screen. I probably don't have Java correctly set up.
But I'll give it another try.
Never worked with it that way.
Anyway, your first-mentioned openssl command is different from the one in opensslSample.sh:
openssl pkcs12 -info -in $POLICYNAME.p12 -out file.pem -passin file:password.txt -passout pass:dummy
Bold stuff is missing?
Michael's right, as long as the password.txt file has the real password for your keystore,
openssl pkcs12 -info -in POLICY_File_NAME.p12 -out file.pem -passin file:password.txt -passout pass:dummy
this guy should extract the needed info.
Hi Michael, Radgu,
thank you for your suggestions. But the file is there only for passing the password and if you don't specify it the openssl tool prompts you to specify it. I simply wanted to have everything under control and the password was correct. It's also visible on the cmd screenshot.
Michael, you mentioned that you don't work with it this way - is there another way? I simply wanted to try impersonation, and to do it I need to use the loginServiceManaged method, which needs the encrypted policy string. And obtaining the policy string should be the circus above. At least as I understand it...
I am working with java usually.
I redid your steps exactly as you posted in your first question:
pdm_pki -p DEFAULT -f
I concatenated the lines of file.b64 and used this string in SOAP-UI in loginServiceManaged method
and it was working fine.
I compiled the Java example. It produced exactly the same encrypted string as with your steps.
No idea what's going wrong... I'm working with SDM 17.0.
Strange behavior... I have CA ITASM DoD with SDM 17.1. I'll try SOAP UI instead of the PowerShell script, or a different SDM implementation, tomorrow.
Thanks a lot for your help and time,
Finally, I was able to successfully call the loginServiceManaged method and obtain a SID.
I used the Java example, which generated a different string compared to the openssl procedure. Not sure why; I'll try to investigate it later... It's still a piece of black magic for me.
Thank you for your help,
Just to be sure, I've tried the same procedure with the password stored in the text file (the password for the generated DEFAULT.p12 certificate is "DEFAULT"). The results are exactly the same - I get the same encrypted policy string, but it can't be used for the loginServiceManaged login method.
Can you try creating a new policy instead of the default? I tested your code and it worked for me, but the one difference is I was not using the default policy.
The same results for a custom WS policy. I think I'll try to use a different CA SDM installation - this one is CA ITASM DoD.
Thanks a lot for your suggestions! At least I know I'm on the right track.
Chi_Chen, if you get another case regarding loginServiceManaged and the encrypted policy, then you can reference this post. There appears to be an easier way to get the encryption key.
Hi, your comment doesn't have any link to any post.