CLIENT-PRINCIPAL:VALIDATE-SEAL failed because keys do not match error when using SPA with a domain

Posted by riche on 11-Apr-2015 16:31

I can't seem to figure out what I am doing wrong or the piece that I am missing here.

I generated a .cp file adding the -domain switch:

I built my IHybridRealm class based on the example provided and am using the Properties class as well.

I have my file using the same password as I used to seal the cp file:

The domain I'm trying to use:

I am using appSecurity-form-oerealm.xml (attached the file for review) and have it pointing to my cp file and using the domain access code.

I am running the http://local:8980/HelpdeskMobileApp/static/auth/login.html to check the security and it is failing in the VALIDATE-SEAL method. Here is my ValidateClient:

Here is the broker log error (notice that I outputted that I am using the correct password and it is the correct domain):

I don't see how the keys wouldn't match

All Replies

Posted by Rob Fitzpatrick on 11-Apr-2015 16:41


You should be aware that encoded passwords are not secure.  You shouldn't post them online if you care about having them remain secret.

Posted by Michael Jacobs on 12-Apr-2015 04:42

The Client-Principal:validate( <domain-access-code> ) does not use the HelpdeskMobile domain you configured in your database. The general rule to remember is that all domain access codes are entered into utilities as clear-text, and stored in encrypted/encoded form. (OE will automatically do the encrypting/decrypting for you.) So enter the clear-text domain-access-code into the Admin, genspacp, and genpassword utilities in clear-text. When you manually store the domain access codes outside of the OE database, then put the oech1::xxxx values in text files. The Client-Principal:validate() method will do the decoding of the oech1::xxxx value for you to do the validation.

One debug trick is to enter the clear-text value into genspacp and the Client-Principal:validate() to ensure you are sending the right C-P from the REST service. Dump the C-P user-id, domain, session-id, and create-date in your server's debug code and see that they align with when and what you entered into the genspacp utility. When that works, then change the storage of the domain-access-code in the text file to the oech1::xxxx form.

Posted by knavneet on 12-Apr-2015 04:42

Looking at your code and .xml file, I feel the problem is that while generating the .cp file you provide a seal-key (using the –password option in genspacp.bat) that is different from the Domain Access code of the domain in the database.
You have a screen shot that shows HelpdeskMobile has a Domain Access Key which on encoding appears as oech1::19011c0xxxx, whereas the .cp file is sealed with and validated using oech1::18161c1xxxx.
My suggestion would be to (a) generate .cp using a separate domain that is not defined in the database or (b) use the same key as the Domain Access code of that domain
Just to add some more information, ValidateClient() is optional. If you implement and call it in realm class methods, ValidateClient() does an additional check to see if the incoming request to the OERealm methods has a valid Client-Principal (C-P) sealed by a key that you choose. In your case it is “oech1::18161c171315322023”. You provide this value as –password in genspacp.bat.
So you can have this C-P that the REST Adapter sends while calling OERealm belong to a domain different from the domain to which requests for Mobile Service classes belong. Your appSecurity-form-oerealm.xml indicates that you want your Mobile Service request to belong to HelpdeskMobile. For ValidateClient() you may choose a different domain.
Also, it appears that you use the same appserver, i.e. restbroker, for running both OERealm and REST classes. You may want to run OERealm on a different appserver so that you can keep startup, activate procs etc. separate.
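One way to write the debug step Michael Jacobs describes (dump the C-P fields, then check the seal against the key read from the text file), as an added example that is not the poster's code and not the HybridRealm sample shipped with OpenEdge. It assumes OpenEdge 11.x ABL, a placeholder path for the key file, and uses the SEAL-TIMESTAMP attribute as the C-P creation time:

```abl
/* Added example, not the OpenEdge HybridRealm sample and not the poster's realm class.
   Assumes OpenEdge 11.x. The key file path is a placeholder; the file holds the
   domain access code either as clear-text or in its oech1::xxxx form, and
   VALIDATE-SEAL does the decoding of the oech1:: value itself. */
class HelpdeskRealmDebug:

    define private variable sealKey as character no-undo.

    constructor public HelpdeskRealmDebug():
        /* the same value that was given to genspacp -password */
        define variable cKey as character no-undo.
        input from value("C:\placeholder\realm-key.txt").  /* placeholder path */
        import unformatted cKey.
        input close.
        sealKey = trim(cKey).
    end constructor.

    /* Returns true only if the Client-Principal the REST adapter attached to
       this request was sealed with our key. Logs the C-P fields first so they
       can be compared with what genspacp was given (user, domain, time). */
    method public logical ValidateClient():
        define variable hCP as handle no-undo.

        hCP = session:current-request-info:GetClientPrincipal().
        if not valid-handle(hCP) then do:
            message "ValidateClient: no Client-Principal on this request".
            return false.
        end.

        /* dump fields to the server log for comparison with genspacp output */
        message "C-P user-id:"    hCP:user-id
                "domain:"         hCP:domain-name
                "session-id:"     hCP:session-id
                "seal-timestamp:" hCP:seal-timestamp
                "login-state:"    hCP:login-state.

        /* the seal only verifies when sealKey is the same access code
           (clear-text or oech1:: form) that sealed the .cp file */
        if not hCP:validate-seal(sealKey) then do:
            message "ValidateClient: VALIDATE-SEAL failed, key file does not match genspacp -password".
            return false.
        end.
        return true.
    end method.

end class.
```

If the logged domain differs from the one expected, the .cp was generated for a different domain than the key in the file belongs to, which is the mismatch knavneet points out above.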
Posted by Jean Richert on 11-Apr-2015 02:02

riche as the one being in charge of our Community, I just wanted to let you know that I'm getting error messages when trying to move this thread in the correct OE Forum. I'm investigating what could be the reasons but it may take me a little while.

May I suggest you re-post your issue in the following forum
