Generating client certificates for applications using Quickbooks Online Edition - quickbooks

I'm trying to get a certificate from the appreg.intuit.com area. I have a webapp that was previously registered with mysubdomain.myhost.com as the host and myapp.myhost.com as the AppLogin. Due to recent changes in some of our systems, we need to run the application that interfaces with QBOE from an IP address. We have a certificate for the IP address that we created and is currently set up.
I created a new key in the Java keystore with CN=123.456.78.9:myapp.myhost.com
Once I did this I generated a new cert request:
When I try to paste this into the request area in the app registration, I get "ARSC262: common name not in hostname:applogin format.". It is in the right format as far as I know. I also saw somewhere on the forums that you shouldn't add an email address or any optional fields. I removed them and got the same error message. Is there something that I need to change so that my applogin matches the host or at least part of the host in some way? Are they even related at all? What other possibilities could the error message be pointing to besides just an incorrect format?

Evidently, you can't use an IP address as the host name. Here's the response I got from Intuit:
The hostname has to be a DNS name and cannot be an IP address.
Regards,
William Lorfing
Intuit Developer Network
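The rule behind ARSC262, as stated in the thread, is that the CN must be `hostname:applogin` and the hostname part must be a DNS name rather than an IP address. The following is an added, stand-alone pre-check written for this answer (not Intuit's code, and not the actual validation their registration page runs); it only reproduces the format rule the thread describes, so a passing CN is still no guarantee the registration succeeds.

```python
import ipaddress
import re
from typing import Tuple

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_literal(host: str) -> bool:
    """True for anything the ipaddress module parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def is_dns_hostname(host: str) -> bool:
    """Syntactic DNS-name check: dotted labels, 253 chars max, non-numeric TLD."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    # An all-numeric final label is not a valid TLD. This also rejects dotted
    # quads such as 123.456.78.9 that fail the IPv4 range check (456 > 255)
    # yet are still not DNS names.
    return not labels[-1].isdigit()


def check_qboe_cn(cn: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a CN that must be '<hostname>:<applogin>'."""
    if cn.count(":") != 1:
        return False, "CN must contain exactly one ':' separating hostname and applogin"
    host, applogin = cn.split(":")
    if is_ip_literal(host):
        return False, f"hostname {host!r} is an IP address; a DNS name is required"
    if not is_dns_hostname(host):
        return False, f"hostname {host!r} is not a syntactically valid DNS name"
    if not is_dns_hostname(applogin):
        return False, f"applogin {applogin!r} is not a syntactically valid DNS name"
    return True, "ok"


if __name__ == "__main__":
    # The CN from the question, and the earlier (working) DNS-based form.
    for cn in ("123.456.78.9:myapp.myhost.com", "mysubdomain.myhost.com:myapp.myhost.com"):
        print(cn, "->", check_qboe_cn(cn))
```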

Related

Connecting using SnowSQL denied 403 error

I am trying to configure JDBC but kept getting the same error I am getting using snowsql:
250001 (08001): Failed to connect to DB. Verify the account name is correct: JG3409.canada-central.azure.snowflakecomputing.com:443. 000403: 403: HTTP 403: Forbidden
If the error message is unclear, enable logging using -o log_level=DEBUG and see the log to find out the cause. Contact support for further help.
Goodbye!
I have configured the config file, and I have double checked the account, company, region, reset password to only use alphanumeric.
I have used both forms of the URL
The only possibility is that I am using a trial account, but I can't imagine that this would limit external non-browser connections?
I use a simple user/password, I have whitelisted my IP and I don't have a problem with a proxy or a firewall. I can successfully connect using a browser, using:
https://app.snowflake.com/canada-central.azure/jg63409
Important contents of the config file:
[connections]
accountname=JG3409
#accountname=uegxydq-pz20606
region=canada-central.azure
username=ASHSNOWFLAKE
Any ideas?
Your account is not JG3409 but JG63409 based on this link:
https://app.snowflake.com/canada-central.azure/jg63409
Try in your browser:
https://jg63409.canada-central.azure.snowflakecomputing.com
I found out using snowcd that my computer could not connect via my home router.
When I used my personal hotspot on my (5G) phone, snowcd passed all the tests immediately. The problem then arose of how to adjust the network security policy to allow a CIDR block of network addresses through, since my phone uses a new address every time I connect, and I can't edit the policy to allow my phone while connected via my phone (for obvious reasons).
Catch 22
123.45.0.0/16 is not accepted in the new Snowflake UI, and 0.0.0.0 doesn't work for me, but the documentation gave me a clue: the new UI doesn't separate by commas, so I switched to the old UI and voila!
Incidentally the OLD UI uses the same URL as SnowSQL so I picked up my error in my account number there as well (although I should have seen it earlier).
Diabolical but thanks #Sergiu too!

Freeradius Server Configuration for Hotspot2.0/Passpoint

I want to configure a FreeRADIUS server as a Passpoint using Hotspot 2.0. I'm new to FreeRADIUS server configuration, but I managed to configure the FreeRADIUS server for 802.1X authentication and it's working normally for TLS (with certificate), TTLS (with certificate), PEAP and PWD. But I don't know how to configure the FreeRADIUS server to use authentication for Passpoint/Hotspot 2.0.
How can I install and configure this?
For Passpoint R1 release:
If your FreeRADIUS is already working, there is no special configuration for that. All you need to do now is set up the profile (used by the device that will connect to the hotspot) and the AP (access point) correctly.
For Android devices, this example will guide you: https://source.android.com/devices/tech/connect/wifi-passpoint#example_profile_oma-dm_xml
You will change the fields nested beneath Realm (username, password, EAPMethod) to match with whatever you have configured on your radius.
The key value, though, is FQDN. Your AP must have the same FQDN configured on the Hotspot 2.0 network. The device will match the profile FQDN with the SSID FQDN, and only when they match will the device use the profile to authenticate against that AP.
You know it is working when the friendly name shows up in the Wi-Fi networks list.
The link above has the instructions to install the profile in the device.

Network Sniffing/SSL Pinning : Not able to get post through the login page in a mobile app when detecting traffic with Fiddler

I am debugging the network calls of one of the client's applications, whose code I do not have. The steps I have gone through are as below.
1) Install Fiddler on a Windows system.
2) Enable HTTPS decryption.
3) Set the system proxy to match the client's country (USA).
4) Install the app on an iOS device which is on the same network.
5) Install the Fiddler certificate on the phone and add it to the trusted certificates.
6) Apply a manual proxy matching the internal IP of the Windows system (not the system proxy of USA).
Now when I open the app, I am able to trace the network calls till the login page. I am also able to detect the network call which sends the credentials.
But after loading for 5-8 seconds, the app shows "something went wrong, we are unable to serve you"
I am not able to see any trace of my machine's IP (internal IP) in the network calls being sent. I changed my phone's timezone in case that is the triggering point for stopping serving.
Also, randomly after 2-3 attempts the following popup appears. I have set the client certificate as asked, which was downloaded from http://ipv4.fiddler:8888.
There are many other apps for which I am able to see the entire network calls but not for this specific one.
Is there any issue in my system settings, or does the app provider have a mechanism to identify man-in-the-middle proxies? Or certificate issues?
Update 1 : I checked the fiddler log and found the below error
HTTPS hand shake to TargetURL failed The exact error was "a call to SSPI failed, see inner Exception, the certificate chain was issued by an authority that is not trusted." Is this a case of SSL pinning?
You are mixing up the certificates. Usually the problem is the server certificate; however, in your case the problem arises from a client certificate. An SSL client certificate is an optional feature that allows identifying a user based on a certificate + private key instead of username + password. It is often used in companies where each user has a certificate + private key on a smart card.
There are now two possibilities:
The iOS app includes a client certificate + private key and the app developers use this to protect the communication API (a bit similar to an API key). In this case you have to extract the certificate and the private key and provide them to Fiddler. Most likely the certificate and private key are the same for every device world-wide and can be found as a static resource in the iOS app (potentially obfuscated or somehow protected).
The server asks for a client certificate but providing a certificate is optional. I don't know if Fiddler can handle this situation.

KeyCloak Forgot password Email link

We are implementing authentication using Keycloak, specifically the forgot password option: when the user clicks on the Forgot password option and provides a user name, an email is sent to their address with a link to reset the password.
My Question is specifically on the link:
The link sent out in email looks like below:
https://:/auth/realms//login-actions/reset-credentials?code=
But the mentioned is really an internal physical host name that can be found in /etc/hosts, but it is not accessible to external users, so we need to replace this host:port number.
The code in .ftl file looks like below under themes/base/email/html/password-reset.ftl:
${msg("passwordResetBodyHtml",link, linkExpiration, realmName)}
While I figured out from the admin console where the values for linkExpiration and realmName come from (they are under Realm Settings in the admin console), I am unable to find out how and where the "link" is configured. Can someone please help with this?
I looked up other threads and found this link: (Keycloak - URL Reset Password email behind a proxy), but it really talks about an NginX proxy, which we haven't configured.
Got this resolved after multiple discussions with the Red Hat team. Below are the steps followed.
We were using RH SSO 7.0.x: Added proxy-address-forwarding=true as below.
The server didn't start because this tag is not available in Keycloak 7.0.x, as confirmed by Red Hat.
Did an upgrade to RH SSO 7.2.0 and the same flag addition worked. The forgot password email content now has https:///auth/realms/archcap-au/login-actions/action-token?key=
Before change:
header=x-forwarded-host= <External Host>
header=Host= <Internal host:8443>
After Change:
header=x-forwarded-host= <External Host>
header=Host= <External Host>
The tag retains the forwarded host header.
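The before/after headers above come down to which header the server builds public links from: its own Host header (the internal name behind the proxy) or the proxy-supplied X-Forwarded-Host once proxy-address-forwarding is enabled. The following is an added, stand-alone Python model of that host selection for the reset link; it is not Keycloak's code, the header values are constructed placeholders standing in for the `<External Host>` and `<Internal host:8443>` of the thread, and the token is a placeholder. It also shows why the setting must only be turned on behind a proxy that overwrites client-supplied X-Forwarded-* headers: otherwise a caller could plant its own host in password-reset emails.

```python
from typing import Dict
from urllib.parse import quote

# Constructed sample headers modelled on the "before change" dump in the thread.
SAMPLE_HEADERS = {
    "X-Forwarded-Host": "sso.example.com",   # placeholder for <External Host>
    "X-Forwarded-Proto": "https",
    "Host": "internal-host:8443",            # placeholder for <Internal host:8443>
}


def _first(value: str) -> str:
    """Proxies may append a comma-separated chain; the first entry is the origin."""
    return value.split(",")[0].strip()


def effective_host(headers: Dict[str, str], proxy_address_forwarding: bool) -> str:
    """Host:port that public links are built from.

    With proxy-address-forwarding off, only the server's own Host header is
    used, which behind a reverse proxy is the internal name. With it on, the
    proxy's X-Forwarded-Host wins. Only enable it when every hop that can set
    X-Forwarded-* is trusted, or the client controls the link host.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if proxy_address_forwarding and "x-forwarded-host" in lower:
        return _first(lower["x-forwarded-host"])
    return lower["host"]


def effective_scheme(headers: Dict[str, str], proxy_address_forwarding: bool) -> str:
    lower = {k.lower(): v for k, v in headers.items()}
    if proxy_address_forwarding and "x-forwarded-proto" in lower:
        return _first(lower["x-forwarded-proto"])
    return "https"  # assumption: the listener itself is HTTPS, as in the thread


def build_reset_link(headers: Dict[str, str], realm: str, token: str,
                     proxy_address_forwarding: bool) -> str:
    """Model of the action-token link shape shown in the thread (host selection only)."""
    host = effective_host(headers, proxy_address_forwarding)
    scheme = effective_scheme(headers, proxy_address_forwarding)
    return (f"{scheme}://{host}/auth/realms/{quote(realm, safe='')}"
            f"/login-actions/action-token?key={quote(token, safe='')}")


if __name__ == "__main__":
    for flag in (False, True):
        print(f"proxy-address-forwarding={str(flag).lower()}:",
              build_reset_link(SAMPLE_HEADERS, "archcap-au", "TOKEN-PLACEHOLDER", flag))
```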

How do I find the IP address of a server in a homegroup

I have a number of devices connected to a server. When it restarts, the IP address might change. How would the remaining devices find the new address?
I want to automate the process since I want to distribute the software and there won't be any network administrator.
I found solutions like configuring a DHCP server or manually configuring the router, but it won't be possible to manually configure the routers of the devices that would use the software.
What you could do is the following:
Assign a static IP address to the server; it could be done by adding a reservation for the server's IP address based on the MAC address of the server in the router. Check your router manual for how to add an IP address reservation for a designated MAC address.
Once the server has got a static IP address, your work would be easy to achieve. You either need to ensure that the clients make an entry of the server's hostname and the corresponding static IP into the client's hosts file, OR if you have an ad hoc connection (WiFi/Bluetooth), it would do that automatically without your intervention.
That's it: you have a static IP address for your server and you have a mapping of the server's IP address and hostname in each client's etc/hosts file (not needed for ad hoc connections as explained above).