cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2086
Views
5
Helpful
5
Replies

Problem with creating ClientCertificateUser.

sukstansky
Level 1
Level 1

Hi. I'm ttrying to create ClientCertificateUserConfiguration type user with using SOAP API.

So far I've managed to create "blank" user without a certificate, but don't know how to provide a certificate into request. Here is a quote from the Northbound Guide from "CreateClientCertificateUserConfiguration" section: "RawData (string)—For information about the format of the raw data, see the Client Certificate User Specification in EDCS." That explains everything, right.... Could anyone please reveal some more details about this topic.

Thanks.

1 Accepted Solution

Accepted Solutions

Shaun Roberts
Cisco Employee
Cisco Employee

Which version of the guide are you looking at?

If you look at the 3.2 version at http://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/datacenter_mgmt/Process_Orchestrator/3-2/NBWS/NB_WebServicesGuide.pdf

On page 41 I see this...

Note:
The RawData is expected to be a Base64 string returned by the following sequence of calls in C#:
X509Certificate2 cert = new X509Certificate2(filePath,password,X509KeyStorageFlags.Exportable);
 byte[] bytes = cert.Export(X509ContentType.Pfx, "");
string rawDataString = Convert.ToBase64String(bytes);
I believe what you are seeing is an older guide or maybe a non-production one?
--Shaun Roberts
Principal Engineer, CX
shaurobe@cisco.com

View solution in original post

5 Replies 5

Shaun Roberts
Cisco Employee
Cisco Employee

Which version of the guide are you looking at?

If you look at the 3.2 version at http://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/datacenter_mgmt/Process_Orchestrator/3-2/NBWS/NB_WebServicesGuide.pdf

On page 41 I see this...

Note:
The RawData is expected to be a Base64 string returned by the following sequence of calls in C#:
X509Certificate2 cert = new X509Certificate2(filePath,password,X509KeyStorageFlags.Exportable);
 byte[] bytes = cert.Export(X509ContentType.Pfx, "");
string rawDataString = Convert.ToBase64String(bytes);
I believe what you are seeing is an older guide or maybe a non-production one?
--Shaun Roberts
Principal Engineer, CX
shaurobe@cisco.com

Hi. Thank you for the response. The mentioned problem was solved, but now I have another one.

I'm using ClientCertificateUser as runtimeUser for a web target to authenticate requests. It works smooth for GET requests, but fails for POST with 403 (Forbidden) error. It happens only in CPO, with other REST clients (I'm calling REST API) everything works fine, so it's probably not certificate or API access privilege issue.

Thanks.

Does it only *not* work for just POST requests? All POST? Certain POST only? Do you have the method set to POST?

If it were me, I would use wireshark and compare the across the wire messages and make sure what you have (that is working from other clients) is the same. If not, look at why it's not.

Also -- I would suggest you open a TAC case and have support look as well in case a bug needs to be opened with the BU.

--Shaun Roberts
Principal Engineer, CX
shaurobe@cisco.com

Hi  Yes, the problem with all POST requests. And I'll try wiresharking Thanks for the suggestion!

mpetra
Cisco Employee
Cisco Employee

I haven't created a cert user via the api, only manually.

Export your cert as base64, open in a text editor and use the <cert data> without the tags:

-----BEGIN CERTIFICATE-----

<cert data>

-----END CERTIFICATE-----

Review Cisco Networking for a $25 gift card