
Failure to load private key from Windows certificate store

#26197
Posted: 08/22/2013 06:09:27
by Cyrill Gustavsson (Standard support level)
Joined: 08/22/2013
Posts: 2

I am using the BizCrypto adapter version 9.1.212 and am trying to get an SFTP connection working with the private key stored in the certificate store. All is fine if I load the key from a file location.
I configure the private key source as System and set the private key property like store="MY", subject="CN=MYCN". Trust all keys is set to true and the private key file property is empty. I am getting SSH authentication error 114 with this setup.
If I configure nonsense in the private key field I am still getting the same error, with the log saying "1 key loaded" referring to the private key. There are no further log details referring to debug entries about loading the key.
When storing the private key in a file I use the RSA format. I converted the key using openssh commands into a .p12 file in order to load it into the certificate store (the user store of the BizTalk host instance user currently).
I also imported the corresponding X.509 certificate into trusted authorities, but I am not really sure if that is needed or not.
Any ideas? The most worrying part is the log entries saying the key was successfully loaded when I used a completely invalid configuration.
#26199
Posted: 08/22/2013 07:33:17
by Ken Ivanov (EldoS Corp.)

Hello Cyrill,

BizCrypto SFTP adapter does not support system-based keys at the moment, sorry (first of all due to difficulties with managing and identifying 'raw' RSA keys in system stores, which are fine-tuned for X.509 certificates and not keys). So I am afraid you can't use system stores for storing your private keys. Still, you can use the SSO storage for storing the keys securely.

Quote
If I configure nonsense in the private key field I am still getting the same error, with the log saying "1 key loaded" referring to the private key. There are no further log details referring to debug entries about loading the key.

Could you please provide us with some details about what exactly the 'nonsense' is that you are passing to the adapter and how exactly you are doing it?
#26206
Posted: 08/23/2013 05:10:36
by Cyrill Gustavsson (Standard support level)
Joined: 08/22/2013
Posts: 2

Hi Ken,

Thanks for the fast answer.

The invalid configuration is set with private key source = system, private key file = empty and private key = abcdefg or similar. I used it to determine if the adapter is actually evaluating the private key field.

Are there any plans to support the storage of keys in the Windows certificate store in the near future? I am also worried about the tons of different formats available, but it's a feature Investec is looking for.
#26216
Posted: 08/23/2013 17:32:28
by Ken Ivanov (EldoS Corp.)

Hello Cyrill,

Strange, the adapter definitely should not report the key as loaded in the above circumstances. We will try to reproduce the problem locally. Could you please share the adapter log with us? (feel free to remove all the details you consider sensitive). BTW, did you try to restart the host instance and your BizTalk application after introducing the changes to the adapter configuration?

Quote
Are there any plans to support the storage of keys in the Windows certificate store in the near future? I am also worried about the tons of different formats available, but it's a feature Investec is looking for.

I doubt that this feature will be available in the near future. Still, you are welcome to submit the idea to the wish list - if the idea has enough votes, we will implement the feature faster.

BizCrypto understands all popular SSH key formats (this includes OpenSSH, IETF and PuTTY), so there is naturally very little chance that it won't understand your key files.

Ken
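Two points in the thread above are worth seeing in code: the key containers Ken lists (OpenSSH, IETF/ssh.com and PuTTY, plus the legacy PEM armor OpenSSH also writes) can be told apart from their first line and a sanity check of the body, and a loader that does this never reports "1 key loaded" for a value like abcdefg. The following is an added example written for this page, not BizCrypto code; it uses only the Python standard library, all sample key blobs are constructed placeholders (not real key material), and the format labels are this example's own names.

```python
"""Identify SSH private key containers by their armor and refuse to count junk as a loaded key.

Added example, not BizCrypto code. The samples below are constructed placeholders.
"""
import base64
import binascii
import re
import struct

# First armor line -> label used by this example (labels are our own naming).
PEM_HEADERS = {
    "-----BEGIN RSA PRIVATE KEY-----": "pem-legacy-rsa",      # PKCS#1, written by older OpenSSH
    "-----BEGIN DSA PRIVATE KEY-----": "pem-legacy-dsa",
    "-----BEGIN EC PRIVATE KEY-----": "pem-legacy-ec",        # SEC1
    "-----BEGIN PRIVATE KEY-----": "pem-pkcs8",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----": "pem-pkcs8-encrypted",
    "-----BEGIN OPENSSH PRIVATE KEY-----": "openssh-v1",
    "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----": "ietf-ssh2",  # ssh.com / IETF style armor
}
PUTTY_RE = re.compile(r"^PuTTY-User-Key-File-(\d+): (\S+)$")


def _decode_armor(lines, begin):
    """Return (headers, raw_bytes) for a BEGIN/END armored block, or None if malformed."""
    if lines[-1] != begin.replace("BEGIN", "END"):
        return None
    headers, body = {}, []
    for line in lines[1:-1]:
        if not body and ":" in line:            # "Name: value" headers precede the base64 body
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        elif line:
            body.append(line)
    try:
        raw = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        return None                              # body is not base64: not a key container
    return headers, raw


def identify_private_key(text):
    """Classify a private key blob; return None when it is not a recognisable container.

    Result dict carries 'format' and 'encrypted' (True/False, or None when undetermined).
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        return None
    first = lines[0]

    m = PUTTY_RE.match(first)
    if m:                                        # PuTTY .ppk: plain "Name: value" lines
        enc = next((ln.partition(":")[2].strip() for ln in lines if ln.startswith("Encryption:")), None)
        if enc is None:
            return None
        return {"format": f"putty-ppk-v{m.group(1)}", "key_type": m.group(2), "encrypted": enc != "none"}

    label = PEM_HEADERS.get(first)
    if label is None:
        return None
    decoded = _decode_armor(lines, first)
    if decoded is None:
        return None
    headers, raw = decoded

    if label == "openssh-v1":
        # openssh-key-v1 binary layout starts with a magic string, then the cipher name
        # as a uint32 length-prefixed string; "none" means the key is stored unencrypted.
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic) or len(raw) < len(magic) + 4:
            return None
        (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
        cipher = raw[len(magic) + 4:len(magic) + 4 + n]
        if len(cipher) != n:
            return None
        return {"format": label, "encrypted": cipher != b"none"}
    if label.startswith("pem-legacy"):
        # Legacy PEM marks encryption with a "Proc-Type: 4,ENCRYPTED" header.
        return {"format": label, "encrypted": headers.get("Proc-Type", "").endswith("ENCRYPTED")}
    if label.startswith("pem-pkcs8"):
        return {"format": label, "encrypted": label.endswith("-encrypted")}
    # ssh.com armor says ENCRYPTED even when the inner cipher is "none": undetermined here.
    return {"format": label, "encrypted": None}


def count_loaded_keys(blobs):
    """Count only blobs that parse as a known container, so junk is never reported as loaded."""
    return sum(1 for b in blobs if identify_private_key(b) is not None)


# Constructed samples (placeholders, not real keys).
_OPENSSH_BLOB = b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none" + struct.pack(">I", 4) + b"none"
SAMPLE_OPENSSH = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(_OPENSSH_BLOB).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n")
SAMPLE_LEGACY_RSA_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PUTTY = ("PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: constructed-sample\n"
                "Public-Lines: 1\nAAAA\nPrivate-Lines: 1\nAAAA\nPrivate-MAC: 00\n")
SAMPLE_SSHCOM = ('---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\nComment: "constructed sample"\nAAAA\n'
                 "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n")
SAMPLE_CORRUPT_PEM = "-----BEGIN RSA PRIVATE KEY-----\n!!!notbase64!!!\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in [("openssh", SAMPLE_OPENSSH), ("legacy", SAMPLE_LEGACY_RSA_ENC),
                       ("putty", SAMPLE_PUTTY), ("sshcom", SAMPLE_SSHCOM),
                       ("junk", "abcdefg"), ("corrupt", SAMPLE_CORRUPT_PEM)]:
        print(name, identify_private_key(blob))
    print("keys loaded:", count_loaded_keys([SAMPLE_OPENSSH, "abcdefg", SAMPLE_CORRUPT_PEM]))
```

The detector is deliberately strict: a recognised header alone is not enough, the END line must match and the body must decode, so both the literal string abcdefg and a PEM shell with a garbage body are rejected rather than counted. That is the behaviour a log line such as "1 key loaded" should reflect.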
