Problem with creating ClientCertificateUser.

sukstansky
Level 1

Hi. I'm trying to create a ClientCertificateUserConfiguration type user using the SOAP API.

So far I've managed to create a "blank" user without a certificate, but I don't know how to provide a certificate in the request. Here is a quote from the Northbound Guide from the "CreateClientCertificateUserConfiguration" section: "RawData (string)—For information about the format of the raw data, see the Client Certificate User Specification in EDCS." That explains everything, right.... Could anyone please reveal some more details about this topic?

Thanks.

Accepted Solutions

Shaun Roberts
Cisco Employee

Which version of the guide are you looking at?

If you look at the 3.2 version at http://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/datacenter_mgmt/Process_Orchestrator/3-2/NBWS/NB_WebServicesGuide.pdf

On page 41 I see this...

Note:
The RawData is expected to be a Base64 string returned by the following sequence of calls in C#:
X509Certificate2 cert = new X509Certificate2(filePath,password,X509KeyStorageFlags.Exportable);
byte[] bytes = cert.Export(X509ContentType.Pfx, "");
string rawDataString = Convert.ToBase64String(bytes);
I believe what you are seeing is an older guide or maybe a non-production one?
--Shaun Roberts
Principal Engineer, CX
shaurobe@cisco.com

Hi. Thank you for the response. The mentioned problem was solved, but now I have another one.

I'm using ClientCertificateUser as the runtimeUser for a web target to authenticate requests. It works smoothly for GET requests, but fails for POST with a 403 (Forbidden) error. It happens only in CPO; with other REST clients (I'm calling a REST API) everything works fine, so it's probably not a certificate or API access privilege issue.

Thanks.

Does it only *not* work for just POST requests? All POST? Certain POST only? Do you have the method set to POST?

If it were me, I would use Wireshark and compare the across-the-wire messages and make sure what you have (that is working from other clients) is the same. If not, look at why it's not.

Also -- I would suggest you open a TAC case and have support look as well in case a bug needs to be opened with the BU.

--Shaun Roberts
Principal Engineer, CX
shaurobe@cisco.com

Hi. Yes, the problem is with all POST requests. And I'll try wiresharking. Thanks for the suggestion!

mpetra
Cisco Employee

I haven't created a cert user via the API, only manually.

Export your cert as base64, open in a text editor and use the <cert data> without the tags:

-----BEGIN CERTIFICATE-----

<cert data>

-----END CERTIFICATE-----
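
Added example, not part of the thread or the Cisco guide: the two answers describe different payloads, a Base64 PFX (certificate plus private key, which is what the quoted guide note expects) and the Base64 body of a PEM certificate (no key). This Python check classifies a candidate RawData string by its outer ASN.1 structure before it is sent; `classify_raw_data` and the skeleton sample bytes are constructed for illustration, and the check is a structural heuristic rather than a full PKCS#12 parse.

```python
import base64
import binascii

# Constructed DER skeletons (outer structure only, not real key material).
PFX_SKELETON = base64.b64encode(bytes.fromhex("30050201033000")).decode()
CERT_SKELETON = base64.b64encode(bytes.fromhex("30023000")).decode()
PEM_SAMPLE = ("-----BEGIN CERTIFICATE-----\n" + CERT_SKELETON +
              "\n-----END CERTIFICATE-----")

def _der_header(buf, pos):
    """Return (tag, length, content offset) of the DER/BER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0:                             # BER indefinite length
        return tag, None, pos + 2
    if pos + 2 + n > len(buf):
        raise ValueError("truncated DER length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify_raw_data(raw_data):
    """Return 'pfx', 'certificate-only', 'pem-with-tags', 'not-base64'
    or 'unknown' for a candidate RawData string (hypothetical helper)."""
    text = raw_data.strip()
    if "-----BEGIN" in text:
        return "pem-with-tags"             # armor lines were not stripped
    try:
        der = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    try:
        tag, _, body = _der_header(der, 0)
        if tag != 0x30:                    # both formats start with SEQUENCE
            return "unknown"
        inner_tag, inner_len, inner_body = _der_header(der, body)
    except (IndexError, ValueError):
        return "unknown"
    # PKCS#12 PFX: the first field is the INTEGER version, value 3.
    if inner_tag == 0x02 and inner_len == 1 and der[inner_body:inner_body + 1] == b"\x03":
        return "pfx"
    # X.509 Certificate: the first field is the tbsCertificate SEQUENCE.
    if inner_tag == 0x30:
        return "certificate-only"
    return "unknown"

if __name__ == "__main__":
    for name, sample in [("pfx", PFX_SKELETON), ("cert", CERT_SKELETON),
                         ("pem", PEM_SAMPLE), ("junk", "not base64!")]:
        print(name, "->", classify_raw_data(sample))
```

A PFX exported with an empty password, as in the guide's snippet, carries the private key with no effective protection, so the resulting RawData string should be handled as a secret in transit and in logs.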