Access Denied via java, even though we can get through with both .NET and php

  • Question

  • I was playing with the java libraries and am getting an Access Denied error. We can still get through using the .NET layer or with php, but not through java.

    I have tried 2 things: 
    1) convert the .pfx to a java keystore (.jks)
    2) create the keystore by converting *cer and *pem file to der and then create a keystore

    Neither of these strategies seems to work.

    I still get Access Denied.

    I have seen your post on 


    but that doesn't really fit, for we already have our private/public key all set up.

    Any help would be appreciated.

    For example, what are you seeing on your end. Our app_id is 813C11EA-1B9C-11DD-AB99-FEB456D89593
    Sunday, March 15, 2009 8:14 PM

All replies

  • This question may be better asked here:  http://healthvaultjavalib.codeplex.com/Thread/List.aspx

    I have a couple of questions for you: 

    1.  How did you convert the .pfx to a java keystore?
    2.  How did you create the keystore by converting the *.cer and *.pem files into the keystore?


    We want to get into a state where the private key is held in the java keystore and the public certificate is configured for your application within HealthVault.

    This reply details the answer:

    The .cer files are DER encoded X.509 certificates for the public key.  .pfx files contain both the private key and the public key.  The public key needs to get into HealthVault's application repository.  The private key goes into the keystore.  The easiest way to get a private key into the keystore is to generate it there in the first place.  Then export the public key as the .cer file.  Generating a private key elsewhere and importing it into the keystore requires writing some custom code--not difficult, just not existing.  None of the keytool's commands support importing/exporting the private keys.

    Use the application manager to create your app in HealthVault initially.  The application manager wants a .pfx file because it places the private key into windows local key manager and registers your public key with HealthVault.  Create a new cert with the tool.  This first step is unnecessary for java applications but the tools show their origins.  Once your application is created in HealthVault, replace your public key stored with HealthVault with one generated with the keytool.  Protect the keystore and your private key, as it provides your access to HealthVault.
    Here is another reference:  http://healthvaultjavalib.codeplex.com/Wiki/View.aspx?title=Using%20Your%20Own%20App%20Id
    Monday, March 16, 2009 6:46 PM
  • 1. I used the java keytool to convert the .pfx to .jks, following these directions:
    http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores

    2. I followed these instructions: http://www.agentbob.info/agentbob/79-AB.html
    which basically converts the cer/pem into der files, then combines those into a keystore

    I suppose I could just start all over?
    Tuesday, March 17, 2009 12:19 AM
  • I looked in the PPE environment and I see a few requests from that application id.  It looks like you have successfully authenticated the application but you are receiving access denied for another reason.  Be sure that your HealthVault user has authorized the application to access your record.  Additionally, ensure that your HealthVault user has granted access to the data types your application has attempted to upload.

    --Rob
    • Marked as answer by mdotmoment11 Tuesday, March 17, 2009 5:01 AM
    Tuesday, March 17, 2009 2:56 AM
  • Rob,

    Now I feel stupid. That was it. I forgot to allow a data type. -ala Homer Simpson, "Doh!"

    Thanks much.
    Tuesday, March 17, 2009 5:00 AM
  • Rob,

    OK. We're moving to production now, and I'm having similar issues:

    <wc-request:request xmlns:wc-request="urn:com.microsoft.wc.request">
      <header>
        <method>CreateAuthenticatedSessionToken</method>
        <method-version>1</method-version>
        <app-id>813C11EA-1B9C-11DD-AB99-FEB456D89593</app-id>
        <language>en</language>
        <country>US</country>
        <msg-time>2009-06-01T16:16:08.622-04:00</msg-time>
        <msg-ttl>180000</msg-ttl>
        <version>0.0.0.1</version>
      </header>
      <info>
        <auth-info>
          <app-id>813C11EA-1B9C-11DD-AB99-FEB456D89593</app-id>
          <credential>
            <appserver>
              <sig digestMethod="SHA1" sigMethod="RSA-SHA1" thumbprint="1af3fc729258046668a313f5ed20bb17ed022e48">Gc8QI2KqYYuW+n2PWHkGDDpPLEcOA/ScpUQWD+27aZbnZG0wFiNGU4qXh8YqAsn4zwUGqxv233sl4sj7pb1JPUT+vRIrG19H5djeu0d5iSNmSyqJkqg1CuV2G0pD5el8LZOSgm4ElwV+g4gzUqUl7m8DFTbLxoZ0LVC/C1POHhw=</sig>
              <content><app-id>813C11EA-1B9C-11DD-AB99-FEB456D89593</app-id><shared-secret><hmac-alg algName="HMACSHA1">Q1n6O5nyxr01sg+TGlBb/HDJg8o=</hmac-alg></shared-secret></content>
            </appserver>
          </credential>
        </auth-info>
      </info>
    </wc-request:request>

    <?xml version="1.0" encoding="utf-8"?><response><status><code>11</code><error><message>Access is denied.</message></error></status></response>
    Access is Denied with code 11. 

    I can't find reference to that code anywhere.

    I'm confident the keystore is fine (and the same key works on our .NET version of this app).

    Any help here would be great.
    Tuesday, June 2, 2009 3:29 AM
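
A check for the situation in the last post, and for the earlier reply's point that the certificate registered with HealthVault must pair with the private key in the keystore. It is an added example, not part of the thread or of the HealthVault libraries: it reads a captured CreateAuthenticatedSessionToken request, reports the app id(s) and the certificate thumbprint the `sig` element names, and compares that thumbprint with a certificate file. It assumes the thumbprint is the lowercase-hex SHA-1 of the DER-encoded certificate (the usual Windows certificate thumbprint); the function names, sample request, app id and certificate bytes are constructed.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_thumbprint(cert_bytes: bytes) -> str:
    """Lowercase hex SHA-1 of the DER certificate; accepts DER or PEM input."""
    m = PEM_RE.search(cert_bytes)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else cert_bytes
    return hashlib.sha1(der).hexdigest()

def inspect_request(request_xml: str, cert_bytes: bytes) -> dict:
    """Report the app id and certificate a request names, and whether the
    thumbprint agrees with the certificate file on hand."""
    root = ET.fromstring(request_xml)
    app_ids = sorted({e.text.strip().upper() for e in root.iter("app-id") if e.text})
    sig = root.find("./info/auth-info/credential/appserver/sig")
    if sig is None:
        raise ValueError("request has no appserver <sig> element")
    claimed = sig.get("thumbprint", "").lower()
    actual = cert_thumbprint(cert_bytes)
    return {
        "app_ids": app_ids,
        "app_id_consistent": len(app_ids) == 1,  # header, auth-info, content agree
        "sig_method": sig.get("sigMethod"),
        "claimed_thumbprint": claimed,
        "cert_thumbprint": actual,
        "thumbprint_matches": claimed == actual,
    }

# Constructed sample input: placeholder bytes stand in for a DER certificate,
# and the app id and signature value are dummies (assumptions, not page data).
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def sample_request(thumbprint: str, header_app_id: str = "00000000-0000-0000-0000-000000000000") -> str:
    app = "00000000-0000-0000-0000-000000000000"
    return (
        '<wc-request:request xmlns:wc-request="urn:com.microsoft.wc.request">'
        f"<header><method>CreateAuthenticatedSessionToken</method><app-id>{header_app_id}</app-id></header>"
        f"<info><auth-info><app-id>{app}</app-id><credential><appserver>"
        f'<sig digestMethod="SHA1" sigMethod="RSA-SHA1" thumbprint="{thumbprint}">ZHVtbXk=</sig>'
        f"<content><app-id>{app}</app-id></content>"
        "</appserver></credential></auth-info></info></wc-request:request>")

if __name__ == "__main__":
    print(inspect_request(sample_request(cert_thumbprint(SAMPLE_DER)), SAMPLE_PEM))
```

Feed it the logged request and the bytes of the .cer exported from the Java keystore; a mismatch means the request names a different certificate than the file you compared.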