I'm developing some code to connect my Beckhoff controller to microsoft Azure through MQTT Iot. To start I have used the example code provided by Beckhoff. Azure side is configured and I have the SAS Token. In Twincat I pasted the code and configured everything except the TLS/certification configuration since Beckhoff documentation it's a bit confusing at this point
https://infosys.beckhoff.com/content/1033/tf6701_tc3_iot_communication_mqtt/3528172299.html?id=376207444360410914
(¿CA is optional but mandatory at the same time?)
Anyway I tried to get a CA certificate to test. As I don't how/where to get it, I tried to export Baltimore certificate to a file with certmgr.exe but the format it is not .crt type as in documentation example. Export formats are cert and p7b type. If I try with any of these types of files I get a TLS validating error in connection.
I'm a bit lost at this moment so any steps to help me in this part?
I'm not familiar with certification/TLS so can you please guys provide some tips or info links focused in this matter so I can get this kind of certificates to validate the connection?
Thanks in advance.
The CA location is optional, since it will be searched for at its default location. Nevertheless, the CA file has to be at the specified location or at the default location. The CA file has to be saved with PEM formatting, but it doesn't matter which extension the file has.
The connection configuration regarding the SAS-token is different whether you connect to an azure-device or -module.
To connect to an azure-device, the following has to be configured:
sUserName := ''; and sUserPassword := '';
copy-paste the SAS-token from e.g. Azure Iot Explorer into stTLS.sAzureSas (the SAS-token is formatted like this: HostName=<hub-name>.azure-devices.net;DeviceId=<device-id>;SharedAccessSignature=SharedAccessSignature sr=<hub-name>.azure-devices.net%2Fdevices%2F<device-id>&sig=...&se=...)
To connect to an azure-module, the following has to be configured (like in python):
sUserName := '<hub-name>.azure-devices.net/<device>/<module>/?api-version=2018-06-30';
sUserPassword := 'SharedAccessSignature sr=<hub-name>.azure-devices.net%2Fdevices%2F<device-id>&sig=...&se=...'; (this is part of the SAS-token, copy everything after ...SharedAccessSignature=)
stTLS.sAzureSas := '';
Publishing messages, take care to send to only send to the expected topic, otherwise the message won't be sent and the connection temporarily lost.
(¿CA is optional but mandatory at the same time?)
Because you must connect over TLS/SSL, you will need to reference the DigiCert Baltimore Root Certificate to connect to Azure IoT Hub.
You can find this certificate in the Azure-iot-sdk-c repository
My recommendation is that you follow steps described in the documentation on how to Communicate with your IoT hub using the MQTT protocol
Related
I have a basic "Web Server Application" created by going to File > New > Web Server Application and choosing ISAPI Dynamic Link Library, which I am using to test Windows Authentication when running within IIS.
I have code that reads in the TWebRequest.Authorization property and decodes the string that is sent from IIS (which is usually Negotiate xxxxxxxxxxxx...) This all works when running the site without SSL. I can extract the username, password, domain and workstation name from the Type3 Message as per http://davenport.sourceforge.net/ntlm.html#type3MessageExample.
When SSL is enabled, it seems the string is somehow further encrypted and I get a mess of data from my code which as stated works when SSL is not enabled.
Could anyone tell me what I could be missing? I have not posted any code (but can) as I suspect this is not specific to my code but something to do with SSL that I am not aware of. And searching for answers to this has been somewhat uneventful as I am unaware of the correct terminology to use to get the to correct answers.
I am not so much looking for a "here is the answer" but a pointer in the correct direction would be most appriciated.
When not using SSL, the Negotiate value is: 'Negotiate TlRMTVNT....
When using SSL, the Negotiate value is: 'Negotiate oXcwdaADCgEBo......
Note on the Non-SSL version the string begins TlRMTVNT, this is what I would expect as that is the NTMLSSP signature Base64Encoded.
When you create a "Web Service Application" project, Delphi creates a TIdHTTPWebBrokerBridge object by default as Server :
type
TForm1 = class(TForm)
...
private
FServer: TIdHTTPWebBrokerBridge;
procedure StartServer;
...
end;
During the wizard of creating Web Service Application project, you have an option to use HTTPS :
By Activating this check-box, you will be prompted for information of a Certificate file :
You can search a bit about SSL Certificate files, but you can use OpenSSL to create a self-signed SSL Certificate, here are some useful explanations: https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/
And regarding using OpenSSL : How to generate a self-signed SSL certificate using OpenSSL?
Here are the OpenSSL binary file and Indy SSL required DLL files:
https://github.com/IndySockets/OpenSSL-Binaries
....
After creating your project by activating HTTPS option you will have some other things included by default, the main difference is that now the TIdHTTPWebBrokerBridge component is using a TIdServerIOHandlerSSLOpenSSL component as IO-Handler:
procedure TForm1.FormCreate(Sender: TObject);
var
LIOHandleSSL: TIdServerIOHandlerSSLOpenSSL;
begin
FServer := TIdHTTPWebBrokerBridge.Create(Self);
LIOHandleSSL := TIdServerIOHandlerSSLOpenSSL.Create(FServer);
LIOHandleSSL.SSLOptions.CertFile := '';
LIOHandleSSL.SSLOptions.RootCertFile := '';
LIOHandleSSL.SSLOptions.KeyFile := '';
LIOHandleSSL.OnGetPassword := OnGetSSLPassword;
FServer.IOHandler := LIOHandleSSL;
end;
You just need to make SSL Certificate files and put their addresses on OnCreate event as shown above, that IOHandler will handle SSL decryption
I am trying to set up a neo4j server with a set of certificates for https. I have the key used to get the certs, the certificate itself, and the ca certificate chain file. According to the documentation:
Neo4j also supports chained SSL certificates. This requires to have all certificates in PEM format combined in one file and the private key needs to be in DER format.
I've encoded my key in DER format and have that set up, however I am having trouble getting the certificate chain set up correctly. I combined all the certificates in one file (PEM) and gave it to neo4j, and it crashed silently trying to start the server. On the off hand, I took the first certificate and changed it to DER, changed neo4j to use that, and it started but browsers/curl throw a fit because there's no CA chain along with it.
This is using neo4j 2.2.0 community edition.
Any suggestions as to how to get neo4j to use PEM certificate chains correctly?
See https://github.com/neo4j/neo4j/tree/2.2/community/server/src/test/resources/certificates for certifcates used when running the unit tests of Neo4j. Most interesting test case is https://github.com/neo4j/neo4j/blob/2.2/community/server/src/test/java/org/neo4j/server/security/ssl/KeyStoreFactoryTest.java#L82
Double check if your pem file has the same structure than the one provided there.
I have problem creating tls-trust-store for connecting to the gmail account via IMAP in Mule ESB
If I delete "path" and "storePassword" fields in the imaps:tls-client and imaps:tls-trust-store tags I
can connect, but them I have to delete it every time I've change anything in the xml, cause Mule recreate this fields.
I've tried to get the key via openssl and create key via keytool application - but I've not succeed.
Can anyone help me with the right way how to create such things?
Mule recreate this fields
Mule doesn't alter your XML configuration ever. You're apparently dealing with Mule Studio bug that makes it remove valid XML configuration elements. This is a known faulty behaviour of Studio that is generally well known and being worked on fixing.
I am having difficulty making connection to secured webservice. My service provider gave me a WSDL URL (which uses SSL Connection) and a PFX file. The service provider told us that WSDL can only be accessed by users belonging to our network.
So far I have tried:
(i) Exported key from given pfx file to separate keystore
(ii) Exported certificate to (a) java 's default truststore (b) seaparate store
I have set system properties:
System.setProperty("javax.net.ssl.keyStore", "C:/Test/keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "test123");
System.setProperty("javax.net.ssl.keyStoreType", "jks");
System.setProperty("javax.net.ssl.trustStore", "C:/Program Files/Java/jdk1.7.0_17/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
I am using latest versions of CXF & Java. I got several exceptions which I could resolve by Googling the issues, but I am finally struck with "could not send message exception". How can I deal with this exception?
I'm currently trying to add to a software the capability to list unread emails in the user's inbox using IMAP. After having no success at all using Indy10, I discovered Synapse which seemed better for what I needed, but I can't find a way to get it working.
My problem is with the login (thus I think with the SSL configuration). I can't find a working combination of "FullSSL", "Sock.SSL.SSLType" and "AutoTLS". Whenever I do the "Login()" function, it fails.
For the sake of testing, are any of you able to connect to Gmail's IMAP server using Synapse, and, if yes, how?
Having just done this myself, I might recommend that you just follow the simple example on the Synapse HowTo http://synapse.ararat.cz/doku.php/public:howto:smtpsend
The only other thing would be that you need to download the openssl dll's and place the in your project folder.
IMHO .... I would recommend that you also consider looking at CleverComponents.com at their IMAP4 with built in SSL (not requiring OpenSSL, which has some licensing restrictions) and is completely NON-Blocking sockets.
mfw is correct, but here's a clearer and more current answer.
Go to the page skamradt said and download the "Binaries" ZIP. From its Bin folder, copy these files into your EXE's folder:
libssl32.dll
libeay32.dll
In your DPR, add
uses ssl_openssl;
For GMail / port 587:
// support for upgrade session to TSL/SSL:
SMTP.AutoTLS := True ;
SMTP.FullSSL := False;
For other SMTP servers / port 465:
// support for TSL/SSL tunnel:
SMTP.AutoTLS := False;
SMTP.FullSSL := True ;
This might also work for POP / port 995. It's how I got Synapse to send mail securely in Delphi 7 + Synapse Release 40 (2012-04-23)
I suggest Mailbee IMAP ActiveX from AfterLogic.
I did the research when developing Gmail Keeper (a Gmail backup software), CleverComponnets' feature set seems good but their support is very badm they seem discontinued that promising component set, you can try to email them back and forth to see if there is anything changed since it's been a long time since I checked them last time, I indeed wish they continue their VCL.
On the other hand, afterlogic's support is really good, especially when the reasonable price is considered.
One-click to backup Gmail with labels to local disk (supports backup scheduling)
http://GmailKeeper.com
You need these libraries in your program:
libeay32.dll
ssleay32.dll