I want to access secure service(rest style https) for credit card detail in AIR app so I want to authenticate .PEM certificate. how to use addBinaryChainBuildingCertificate() method because it accept DER encoded x509 certificate, do i need to pass private rsa key and certificate separately to addBinaryChainBuildingCertificate() method.
I tried using TLSsocket using as3crypto i connect to host for some time and then i receive close event.
if SWF running in browser do we still need to pass certificate/key or not
how flex deal keystore and certstore or uses its own?
Any help is appreciated. Thanks!
Related
I am trying to achieve the following the scenario but ending up as 403 response.
Client -> sends Cert A -> API Management -> Forwards Cert A -> Backend API (Azure Api App) -> Authenticates the certificate.
Is there is a way to configure API management to forward the incoming certificate to the backend API?
I tried various transformation policies on the incoming request but none of the options worked.
Please suggest.
This is technically not possible since client certificate's private key is never transmitted over wire. So there is no way APIM could use it to authenticate to backend. Even more so since there is no affinity between client connection and backend connection in APIM. Your best option is to send client certificate information in a custom header. You can use ser-header policy to set it at APIM level along with policy expressions to extract client certificate information from request.
With the new authentication-certificate policy (learn.microsoft.com) you may return the certificate as a byte[] coming from a separate send-request response-variable and use it as follows:
<authentication-certificate body="#(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" password="optional-certificate-password" />
You could store the password as a secret named value or even get it from the KeyVault by using this snippet:
github.com/Azure/api-management-policy-snippets
We have multiple device which access microservice via Azure APIM. Each device has wrapper, for example Mobile wrapper which access microservice. Now i want to do mutual certificate authentication in order to restrict mobile wrapper accessing microservice directly via APIM. Hence we decided to install client certificate at mobile wrapper which is hosted on Azure Appservice and server certificate at Azure APIM to do authentication before connecting to microservices. Similarly we have multiple client certificate for individual device wrapper like whatsapp bot, FB etc which will be interacting with APIM. My question is if this approach is feasible from architecture perspective.
Sure that would work, just make sure that you actually test for a client certificate in APIM policy (context.Request.ClientCertificates) and validate them somehow. You could compare thumbprint to a predefined hardcoded value, or call .Validate on a certificate if all of them are issued by limited number of CA, and CA cert is uploaded into APIM.
To borrow some thought on using APIm to secure webapi, are the scenarios below supported?
certificate
The intention is to secure the azure hosted webapi, my thought now is to have APIm to validate incoming calling client and check the thumbprint to be one of the certificate I configured in APIm, upon authenticated then APIm to forward the call to my webapi however using another certificate (where I am to hardcode the certificate in my webapi logic check)
IP restriction
The intention is to limit the caller IP in APIm, furthermore I can somehow configure webapi to accept the call only from APIm nowhere else (lock down)
Yes, all the scenarios are possible. Refer below links
Secure Apis with client certificate
Secure your backend with mutual certificates
Restrict caller IPs policy
I'm using the API Gateway service to manage my spring boot resources. I want to point the gateway to my sub-domain. I tried adding it to alias in Route 53 but it does not work. There's an option in the API Gateway console which asks for my domain and some credentials. I don't know if a sub-domain can work and what should i add to certificate input. Probably it is asking for an SSL certificate and I am ready to purchase one, but before i do that, i want to be sure that it accepts sub-domains.
Yes, API Gateway supports subdomains. You can try with self-signed certificate and see the options.
See the official documentation on using Custom Domain Names in API Gateway.
I am working on a site that will be using HTML5 sockets to communicate with other server. At that time our users will be logged in , I can't code on other server . I am using PHP at server side. I don't know whether other server has even PHP or not. Client says PKI is a solution. So if user login on our server then I start their communication with HTML5 sockets towards other server to send and receive data. So how can other server authenticate them? I also think that I can have a userkey (like 32hash format) that is sent with HTML5 socket while communication that other server validate and then start working with that user. So client says that hacker can see data over network so I think SSL can work for it. What you guys suggest in such scenario? Please advise
More details:
There will be connection made between our users and another server using apache thrift(will be using TCP), and scenario is that user will login to our site, then we will connect them via HTML5socket to apache thrift on different domain, so in HTML5socket communication we will be forwarding userid to tell thrift server that which user is this, so it is fine. But there are two problems,
As HTML5sockets are at client side then a hacker can create his/her own socket and connect to that server in same way and use some one's id as these are just simple integers.
If we will append some thing in data then a hacker sitting on the network can get it like some hackers do this for session hijacking.
So that's why I am not sure that whether using a sort of SSL or TLS will solve the problem or some PKI or some other digital certificate. So that's why I am asking that here.
thanks
SSL cannot solve this problem. SSL is about creating a secure link between the client and server, it does absolutely nothing to protect the server from a malicious client. SSL cannot solve the problem of SQL Injection or in your case Insecure Direct Object Reference relating to the user id. Judging by this SSL suggestion you probably have never heard of TamperData, which allows you to read/intercept and modify all HTTPS traffic generated by your browser (Including components like flash and JavaScript), BURP is more advanced but does the same thing.
The right way to do this is to have a shared session store that your collection of servers can access. The client is issued a very large random number or cryptographic nonce that it uses as a verification token, which is kind of like a session id. This verification token is used to look up session state in the data store. The communal session store could be as simple as a PHP page that accepts the verification token as a parameter and tells you if its linked to a valid session.
Having 3rd parties issue a callback to verify the session is really the "right way" to do this. It is possible to do this with cryptography, although it is a misuse of cryptography because it introduces the possibility of an attack, where as a callback is absolute. The PHP server can issue the JavaScript client an HMAC token consisting of the user id, a timestamp and the message authentication code. The tricky part is that both the PHP server and any 3rd party will have to share a secret in order to verify the message authentication code. If done properly you can transmit the client can transmit the token, and 3rd parties can verify that the session hasn't expired based on the timestamp and that your servers issued the token (instead of a hacker's forgery) based on the message authentication code.