SSL setup with MSN Adcenter Sandbox

Let me share my experience with the security setup I struggled with initially.

Platform: Linux
Environment: J2EE

I kept getting the error

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

in the initial stage. The first time I encountered this error was during the WSDL to Java source creation. The WSDLs are hosted on a secure site (https://beta6.api.idss.msn.com/v2) and thus needed the certs to be stored in the keystore. I circumvented it by downloading the WSDLs from the browser and supplying a local file URL as the parameter to Axis's WSDL2Java utility, and that created the source files.

The error came back to haunt me, as the web service is also hosted on a secure site. I downloaded the certificate from the adCenter UI on the sandbox (https://beta1.idss.msn.com/) using the IE browser

(Double-click the SSL lock icon in the bottom pane of the IE browser --> Details tab --> Copy to File --> [[format]] DER X.509)

and stored the cert in my local keystore using the command

keytool -import -file [[saved cert file loc]] -alias sandbox_api_cert -keystore MSN_Keystore

VM arguments:

-Djavax.net.ssl.trustStore=[[keystore location]]
-Djavax.net.ssl.trustStorePassword=[[passwd]]

However, this did not solve the problem.

On further research I found that "if you use a certificate not signed by a pre-installed certificate authority (= root cert), you need to import both your cert and the root cert". I checked the browser to see the root cert

(Double-click the SSL lock icon in the bottom pane of the IE browser --> Certification Path tab)

and voila! The cert was chained three levels deep (GTE CyberTrust Global Root --> Microsoft Internet Authority --> Microsoft Secure Server Authority --> Beta1.idss.msn.com). I had already entered the cert for Beta1.idss.msn.com in my local keystore (as explained above), so I proceeded to check whether the certs for the other chain members are available in the jdk1.5.0_04/jre/lib/security/cacerts file, using the command

keytool -v -list -keystore cacerts | grep gte
Enter keystore password: changeit
Alias name: gtecybertrustglobalca
Alias name: gtecybertrustca
Alias name: gtecybertrust5ca

keytool -v -list -keystore cacerts -alias gtecybertrustglobalca
Enter keystore password: changeit
Alias name: gtecybertrustglobalca
Creation date: May 10, 2002
Entry type: trustedCertEntry

Owner: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 1a5
Valid from: Wed Aug 12 17:29:00 MST 1998 until: Mon Aug 13 16:59:00 MST 2018
Certificate fingerprints:
MD5: CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74

keytool -v -list -keystore cacerts | grep microsoft
Enter keystore password: changeit

So the middle chain members Microsoft Internet Authority --> Microsoft Secure Server Authority were not available in my cacerts file. I went ahead and downloaded these certs from the browser

(Double-click the SSL lock icon in the bottom pane of the IE browser --> Certification Path tab --> click on each certificate --> View Certificate)

and followed the procedure above to save and enter each cert into the local keystore. Once I did this the previous problem was resolved; however, I was getting a new error

"java.security.cert.CertPathValidatorException: signature check failed"

I was pretty sure that one of my certs was wrong, so I checked the WSDL to see where the web service was hosted, and it was different from where the UI was hosted. It was hosted on https://beta6.api.idss.msn.com. So I went ahead and downloaded that cert and stored it in the local keystore, and this resolved all the SSL errors.

[5044 byte] By [sudhirvn] at [2008-2-4]
# 1

Sudhir,

Thank you for sharing your experience. I'm sorry to hear how difficult it was for you to get started on the Sandbox with SSL. I'd like to mention two things:

1) Manually adding the SSL certificate is a known issue with Java.

2) We realize this is not a simple task, so we make it a point to change our certificates as little as possible. Unfortunately, during some recent maintenance with the Sandbox, the certificates were unintentionally updated during the procedures. Thanks to the recent input from Java API users such as yourself, we have assigned resources and we are actively working to ensure an unexpected certificate change won't happen again.

We appreciate your feedback and we hope that the changes we are working on will provide a better Sandbox experience for you.

Best Regards,

Jason

AdCenter - API

MSFT

JasonDTMSFT at 2007-9-3 > top of Msdn Tech,Windows Live Developer Forums,Microsoft adCenter: Development...
# 2

# Automate importing the SSL certificate for the MSN adCenter using standard Linux tools

# Use openssl to grab the certificate chain. Use perl to pick out the second certificate
# (the one that signed the server certificate).
echo '' | openssl s_client -showcerts -host adcenterapi.microsoft.com -port 443 | perl -e '$n=0;while(<>){$line=$_;if($line=~/^-----(BEGIN|END) CERTIFICATE-----$/){if($n==3){print $line;}$n++;}if($n==3){print $line}}' > /tmp/msnadcenter.cert

# Delete any existing certificate (by alias) from the keystore
$JAVA_HOME/bin/keytool -delete -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

# Import the new certificate with an alias
$JAVA_HOME/bin/keytool -import -alias msnadcenter -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file /tmp/msnadcenter.cert -noprompt

tralatmack at 2007-9-3
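The diagnosis sudhirvn walks through in the first post (capture the chain, find out which members are missing from the trust store, import them, then discover the API host has a different chain from the UI host) and the import script in the reply above can be done end to end with openssl, awk and keytool. The script below is an added example, not code from the thread or from Microsoft. The hostname sandbox.example.test, the file names, the alias prefix adcenter-ca- and the password changeit are assumptions, and the chain it validates is a throw-away root, intermediate and leaf generated locally as test data, not MSN's real chain.

```shell
#!/bin/sh
# Added example, not code from the thread. Diagnoses and fixes the trust-store
# problems described above using openssl, awk and keytool.
# Hostnames, file names, the alias prefix and the password are assumptions.
set -e

# 1. Capture the chain the server actually presents (needs network; not run here).
#    The PKIX error means this chain does not link to anything in the trust store.
fetch_chain() {  # fetch_chain HOST OUTFILE
    printf '' | openssl s_client -showcerts -servername "$1" -connect "$1:443" > "$2" 2>/dev/null
}

# 2. Split s_client output into cert-1.pem, cert-2.pem, ... (leaf first, then
#    the intermediates; the root is usually not sent). Prints the count.
split_pem_bundle() {  # split_pem_bundle BUNDLE OUTDIR
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/   { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# 3. Subject, issuer and SHA-256 fingerprint: walk the chain by matching each
#    issuer to the next subject, and compare fingerprints with what
#    "keytool -list -v" shows (or an out-of-band source) before trusting anything.
describe_cert() {  # describe_cert CERT.pem
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# 4. Path validation as the Java client does it: succeeds only when the leaf
#    links through the given intermediate to a trusted root.
verify_chain() {  # verify_chain ROOT.pem LEAF.pem [INTERMEDIATE.pem]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# 5. Import the CA certificates (not the leaf) into a dedicated trust store and
#    start the JVM with -Djavax.net.ssl.trustStore=client.jks
#    -Djavax.net.ssl.trustStorePassword=... . Trusting the issuers instead of the
#    server certificate survives the routine renewals mentioned in the replies.
import_ca_certs() {  # import_ca_certs TRUSTSTORE PASSWORD CERT.pem...
    ts="$1"; pw="$2"; shift 2; i=0
    for c in "$@"; do
        i=$((i + 1))
        keytool -importcert -noprompt -alias "adcenter-ca-$i" -file "$c" \
            -keystore "$ts" -storepass "$pw"
    done
}

# Constructed test data: a throw-away root -> intermediate -> leaf chain plus a
# second intermediate with the same name but a different key, so the functions
# above can be exercised offline (this is not MSN's real chain).
make_test_chain() {  # make_test_chain DIR
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sandbox.example.test\n' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for n in int wrong-int; do
        openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -days 30 -in "$d/$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -extfile "$d/ca.ext" -out "$d/$n.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=sandbox.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # Mimic s_client output: noise around the leaf and the intermediate.
    { echo 'CONNECTED(00000003)'; cat "$d/leaf.pem" "$d/int.pem"; echo '---'; } > "$d/bundle.pem"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo 'openssl not found' >&2; return 0; }
    w=$(mktemp -d)
    make_test_chain "$w"
    echo "certificates in bundle: $(split_pem_bundle "$w/bundle.pem" "$w/split")"
    for c in "$w"/split/cert-*.pem; do describe_cert "$c"; echo; done
    verify_chain "$w/root.pem" "$w/leaf.pem" \
        || echo 'leaf only: no path to root (the PKIX path building failure)'
    verify_chain "$w/root.pem" "$w/leaf.pem" "$w/int.pem" \
        && echo 'leaf + intermediate: OK'
    verify_chain "$w/root.pem" "$w/leaf.pem" "$w/wrong-int.pem" \
        || echo 'leaf + wrong intermediate: rejected (the signature check failure)'
    if command -v keytool >/dev/null 2>&1; then
        import_ca_certs "$w/client.jks" changeit "$w/int.pem" "$w/root.pem"
        keytool -list -keystore "$w/client.jks" -storepass changeit
    fi
    rm -rf "$w"
}

main
```

Three points the thread only implies: import the intermediate and root certificates rather than the server certificate, since the leaf is what changes at every renewal (the unexpected certificate change Jason mentions would not have broken a client that trusted the issuers); keep them in a dedicated trust store passed with -Djavax.net.ssl.trustStore instead of editing the JDK's cacerts, which is overwritten on every JDK update and shared by every application on the host; and compare fingerprints with keytool -list -v output or an out-of-band source before importing, because importing whatever s_client returns trusts whoever is on the wire at that moment. The message openssl verify prints for the wrong-intermediate case differs between versions (a signature failure when the issuer is matched by name alone, a missing-issuer error when authority key identifiers are present), so the script checks only that validation fails. The "unknown authority" warning amal sees in Firefox is consistent with a server that sends only its leaf certificate: a client that does not fetch missing intermediates on its own cannot build the path, and the server-side fix is to send the intermediate together with the leaf.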
# 3

Hi,

My web page is working fine with IE, whereas it shows an SSL certificate error in Firefox (I get this: Unable to verify the identity of adcenter.msn.com as a trusted site).

In the title it shows "website certified by an unknown authority".

I want to rectify this for my Firefox customers.

Thanks,

amal

amal_cg at 2007-9-3
# 4

This forum is for API questions. However, keep in mind these correct URLs for Production and Sandbox:

https://adcenter.microsoft.com/

https://sandbox.adcenter.microsoft.com/

Jeff Dillon, Microsoft adCenter API Technical Support
JeffDillon-MSFT at 2007-9-3

Windows Live Developer Forums