SSL setup with MSN Adcenter Sandbox

Let me share my experience with the security setup I struggled with initially.

Platform: Linux
Environment: J2EE

I kept getting the error

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


in the initial stage. The first time I encountered this error was during the WSDL to Java source creation. The WSDLs are hosted on a secure site (https://beta6.api.idss.msn.com/v2) and thus needed the certs to be stored in the keystore. I circumvented it by downloading the WSDLs from the browser and supplying a local file URL as the parameter to Axis's WSDL2Java utility, and that created the source files.

The error came back to haunt me as the web service is also hosted on a secure site. I downloaded the certificate from the adCenter UI on the sandbox (https://beta1.idss.msn.com/) using the IE browser

(Double click the SSL lock icon in the bottom pane in the IE browser --> Details tab --> Copy to file --> [[format]] DER X.509)

and stored the cert in my local keystore using the command

keytool -import -file [[saved cert file loc]] -alias sandbox_api_cert -keystore MSN_Keystore

VM Arguments:
-Djavax.net.ssl.trustStore=[[keystore location]]
-Djavax.net.ssl.trustStorePassword=[[passwd]]

However, this did not solve the problem.

On further research I found that "if you use a certificate not signed by a pre-installed certificate authority (=root cert), you need to import both your cert and the root cert". I checked the browser to see the root cert

(Double click the SSL lock icon in the bottom pane in the IE browser --> Certification Path tab)

and voila!!!! The cert was internally chained 3 times (GTE CyberTrust Global Root --> Microsoft Internet Authority --> Microsoft Secure Server Authority --> Beta1.idss.msn.com). I had already entered the cert for Beta1.idss.msn.com in my local keystore (as explained above), so I proceeded to check whether the certs for the other chain members were available in the jdk1.5.0_04/jre/lib/security/cacerts file using the command

keytool -v -list -keystore cacerts | grep gte
Enter keystore password: changeit
Alias name: gtecybertrustglobalca
Alias name: gtecybertrustca
Alias name: gtecybertrust5ca

keytool -v -list -keystore cacerts -alias gtecybertrustglobalca
Enter keystore password: changeit
Alias name: gtecybertrustglobalca
Creation date: May 10, 2002
Entry type: trustedCertEntry

Owner: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 1a5
Valid from: Wed Aug 12 17:29:00 MST 1998 until: Mon Aug 13 16:59:00 MST 2018
Certificate fingerprints:
MD5: CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74

keytool -v -list -keystore cacerts | grep microsoft
Enter keystore password: changeit

So the middle chain members Microsoft Internet Authority --> Microsoft Secure Server Authority were not available in my cacerts file. I went ahead and downloaded these certs from the browser

(Double click the SSL lock icon in the bottom pane in the IE browser --> Certification Path tab --> click on each certificate --> View Certificate)

and followed the procedure above to save and enter the cert into the local keystore. Once I did this the previous problem was resolved; however, I was getting a new error

"java.security.cert.CertPathValidatorException: signature check failed"

I was pretty sure that one of my certs was wrong, so I checked the WSDL to see where the web service was hosted, and it was different from where the UI was hosted. It was hosted on https://beta6.api.idss.msn.com. So I went ahead and downloaded the cert and stored it in the local keystore, and this resolved all the SSL errors.




  • cablehead

    Sudhir,

    Thank you for sharing your experience. I'm sorry to hear how difficult it was for you to get started on the Sandbox with SSL. I'd like to mention two things:

    1) Manually adding the SSL certificate is a known issue with Java.

    2) We realize this is not a simple task, so we make it a point to change our certificates as little as possible. Unfortunately, during some recent maintenance with the Sandbox, the certificates were unintentionally updated during the procedures. Thanks to the recent input from Java API users such as yourself, we have assigned resources and we are actively working to ensure an unexpected certificate change won't happen again.

    We appreciate your feedback and we hope that the changes we are working on will provide a better Sandbox experience for you.

    Best Regards,

    Jason

    AdCenter - API

    MSFT


  • deviparimala

    Hi

    My webpage is working fine with IE, whereas it's showing an SSL certification error in Firefox. (I get: "Unable to verify the identity of adcenter.msn.com as a trusted site".)

    In the title it's showing "website certified by Unknown authority".

    I want to rectify this for my Firefox customers.

    Thanks

    amal



  • LTremblay

    # Automate importing the SSL certificate for the MSN adCenter using standard Linux tools

    # Use openssl to grab the certificate chain. Use perl to pick out the second certificate
    # (the BEGIN/END markers are counted; the block between the 3rd and 4th markers is printed).
    echo '' | openssl s_client -showcerts -host adcenterapi.microsoft.com -port 443 | perl -e '$n=0;while(<>){$line=$_;if($line=~/^-----(BEGIN|END) CERTIFICATE-----$/){if($n==3){print $line;}$n++;}if($n==3){print $line}}' > /tmp/msnadcenter.cert

    # Delete any existing certificate (by alias) from the keystore
    $JAVA_HOME/bin/keytool -delete -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

    # Import the new certificate with an alias
    $JAVA_HOME/bin/keytool -import -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file /tmp/msnadcenter.cert -noprompt
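Generalising LTremblay's one-liner and the keytool steps in the original post, here is an added example (not the thread's own code) that splits the chain the server presents and imports everything except the leaf into a dedicated truststore, so the trust anchor survives the kind of unintended certificate change Jason describes above. The host name, keystore path and password are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own script: import the issuing CA chain
# (every certificate the server presents except the leaf) into a dedicated
# truststore. Host, keystore path and password below are placeholders.

# fetch_chain HOST PORT OUTFILE: save the chain the server sends, as printed
# by "openssl s_client -showcerts" (leaf first, then its issuers).
fetch_chain() {
  openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null > "$3"
}

# split_chain BUNDLE OUTDIR: write OUTDIR/cert-1.pem (leaf), cert-2.pem, ...
# and print the number of certificates found. Text outside the PEM markers
# (handshake chatter, "Verify return code") is ignored.
split_chain() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                         { print > f }
    /^-----END CERTIFICATE-----$/   { close(f); f = "" }
    END                             { print n + 0 }
  ' "$bundle"
}

# import_chain OUTDIR STORE PASS: import cert-2.pem onwards (intermediates
# and root) under aliases taken from the file names. Skipping cert-1.pem
# means a rotated server certificate still validates as long as the same
# CA issued it. keytool must be on PATH (JDK 5 spells -importcert as -import).
import_chain() {
  outdir=$1; store=$2; pass=$3
  for f in "$outdir"/cert-*.pem; do
    case $f in */cert-1.pem) continue ;; esac
    name=$(basename "$f" .pem)
    keytool -importcert -noprompt -alias "$name" -file "$f" \
      -keystore "$store" -storepass "$pass"
  done
}

# Usage (needs network access and keytool, so not run here):
#   fetch_chain beta6.api.idss.msn.com 443 /tmp/chain.pem
#   split_chain /tmp/chain.pem /tmp/chain
#   import_chain /tmp/chain MSN_Keystore "$KEYSTORE_PASS"
# Then start the JVM with -Djavax.net.ssl.trustStore=MSN_Keystore.
```

Keeping the CA certificates in a separate keystore, rather than editing the JDK's cacerts, also means a JDK upgrade does not silently discard them.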


  • Andre Odendaal

    This forum is for API questions. However, keep in mind these correct URLs for Production and Sandbox:

    https://adcenter.microsoft.com/

    https://sandbox.adcenter.microsoft.com/

    Jeff Dillon, Microsoft adCenter API Technical Support
