EldoS | Feel safer!

Problems with token certificate

Posted: 09/06/2013 11:34:07
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 105

I have been using the attached unit HPROPKI.TXT successfully. It signs my XML files, I do the HTTPS communication with web services and everything was working OK until one of my customers started to use a token certificate.

The entry point of this unit is the function "EnviarSoap". The first time it returns 200, but when I try a second time the result is 403 (according to the error at the end of the attached HPROPKI.TXT file). If the user quits the application and starts it again, it goes back to result 200 only for the first time, but the second (and subsequent) attempts result in 403.

Most of my other customers are using A1 without ANY problems.

I have already instantiated the HttpClient inside EnviarSoap, but the problem still remains. What can I do to solve this problem, or at least to trace down where the problem is?

Posted: 09/09/2013 02:22:10
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

At first glance the error is not related to the fact that the client is using a token. The 403 error code stands for 'Forbidden'. What you can try to do is:

1) Ask the server administrator to check the server logs, if it's possible.
2) Dump subsequent HTTP requests and responses using the TElHTTPSClient.OnSendData/OnData/OnReceivingHeaders/OnPreparedHeaders event handlers and compare them. They may include some hints.
Posted: 09/09/2013 02:43:40
by Eugene Mayevski (Team)

Well it seems that on subsequent connections the client-side certificate is not used for whatever reason.

From your code or your post it's not clear: does the customer use the same certificate for signing and for SSL authentication, OR does he use different certificates?

Sincerely yours
Eugene Mayevski
Posted: 09/09/2013 04:54:34
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 105

Thank you for the answers.

First I will try to catch up the HTTP requests from one connection and the subsequent connections too and compare them.

Second, although I did not mention it, yes, the certificate is the same for signing XML and SSL. What point of my code was not clear?
Posted: 09/09/2013 05:21:34
by Eugene Mayevski (Team)

Usually data signing certificates and SSL certificates have different Key Usage fields and as such one certificate can't be used for both activities. It can happen that the token driver prevents use of the private key more frequently than once per certain period, or asks the user to re-enter the PIN after two or three uses. We can only guess at this point.

Sincerely yours
Eugene Mayevski
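To make the Key Usage point concrete, here is an added, stdlib-only example (not SecureBlackbox code, and not part of this thread) that walks the DER-encoded Extensions of a certificate and reports whether its KeyUsage and ExtendedKeyUsage permit TLS client authentication (digitalSignature plus, if an EKU is present, id-kp-clientAuth) and data signing (digitalSignature or nonRepudiation). The two extension blocks it inspects are constructed in the file to show a signing-only profile beside a dual-use profile; they are not taken from any real certificate.

```python
"""Check whether X.509 KeyUsage / ExtendedKeyUsage permit both TLS client
authentication and data (e.g. XML) signing.  Added example, stdlib only.
The sample extension blocks below are constructed here, not real certs."""

KEY_USAGE_OID = "2.5.29.15"
EXT_KEY_USAGE_OID = "2.5.29.37"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
EMAIL_PROTECTION_OID = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

# KeyUsage bit positions, RFC 5280 section 4.2.1.3
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def der(tag, body):
    """Encode one DER TLV (short-form length is enough for these samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage(bitstring):
    """Decode KeyUsage BIT STRING content (first byte = unused bit count)."""
    unused, bits = bitstring[0], bitstring[1:]
    total = len(bits) * 8 - unused
    return [KEY_USAGE_BITS[i] for i in range(min(total, len(KEY_USAGE_BITS)))
            if bits[i // 8] & (0x80 >> (i % 8))]


def parse_extensions(exts_der):
    """Return {'key_usage': [names], 'ext_key_usage': [OIDs]} from a DER
    Extensions SEQUENCE; an empty list means the extension is absent."""
    tag, seq, _ = read_tlv(exts_der, 0)
    assert tag == 0x30, "expected SEQUENCE OF Extension"
    result, pos = {"key_usage": [], "ext_key_usage": []}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_bytes, p = read_tlv(ext, 0)
        tag, value, p = read_tlv(ext, p)
        if tag == 0x01:                     # optional 'critical' BOOLEAN
            tag, value, p = read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        oid = decode_oid(oid_bytes)
        if oid == KEY_USAGE_OID:
            _, bits, _ = read_tlv(value, 0)
            result["key_usage"] = decode_key_usage(bits)
        elif oid == EXT_KEY_USAGE_OID:
            _, inner, _ = read_tlv(value, 0)
            q = 0
            while q < len(inner):
                _, o, q = read_tlv(inner, q)
                result["ext_key_usage"].append(decode_oid(o))
    return result


def usable_for(usage):
    """An absent KeyUsage is treated as unrestricted."""
    ku, eku = set(usage["key_usage"]), usage["ext_key_usage"]
    sig_ok = not ku or "digitalSignature" in ku
    return {"tls_client_auth": sig_ok and (not eku or CLIENT_AUTH_OID in eku),
            "data_signing": not ku or bool(ku & {"digitalSignature", "nonRepudiation"})}


def _ext(oid_content, inner, critical=False):
    body = der(0x06, oid_content) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, body + der(0x04, inner))


_KU, _EKU = bytes.fromhex("551d0f"), bytes.fromhex("551d25")
_CLIENT_AUTH = der(0x06, bytes.fromhex("2b06010505070302"))
_EMAIL = der(0x06, bytes.fromhex("2b06010505070304"))

# Constructed sample: signing-only (digitalSignature+nonRepudiation, EKU emailProtection)
SIGN_ONLY_EXTS = der(0x30, _ext(_KU, der(0x03, b"\x06\xc0"), critical=True)
                     + _ext(_EKU, der(0x30, _EMAIL)))
# Constructed sample: dual-use (digitalSignature+keyEncipherment, EKU clientAuth+emailProtection)
DUAL_USE_EXTS = der(0x30, _ext(_KU, der(0x03, b"\x05\xa0"), critical=True)
                    + _ext(_EKU, der(0x30, _CLIENT_AUTH + _EMAIL)))

if __name__ == "__main__":
    for name, blob in (("signing-only", SIGN_ONLY_EXTS), ("dual-use", DUAL_USE_EXTS)):
        print(name, parse_extensions(blob), usable_for(parse_extensions(blob)))
```

Feed the function the Extensions SEQUENCE taken from the token certificate's TBSCertificate (explicit tag [3]) and compare the result with what the server logs reject; if the dump of the second request shows no client certificate at all, the token driver or PIN caching is the more likely cause than Key Usage.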
Posted: 09/09/2013 06:21:06
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 105

I don't know if that is the case, because I used to call a .NET DLL that did these tasks (XML signing and SSL) and it never happened before. I have been replacing this DLL to use the EldoS components, and as I said before, when the certificate is A1 things are working very, very well (with speed and, of course, reliability).

I am still investigating and checking my code. One thing I suspect is the code inside the ClientCertNeedEx event.
Posted: 09/09/2013 06:24:39
by Eugene Mayevski (Team)

Eduardo Helminsky wrote:
I am still investigating and checking my code. One thing I suspect is the code inside the ClientCertNeedEx event.

The code there is fine (I've checked it first of all).

Alternatively, you can just use the ClientCertificates property (but use one way only: either the event or the property, not both).

Sincerely yours
Eugene Mayevski