Certificate issue with SODA App

  • Question

  • I have an issue with the certs. I created a new SODA application in C# and also created the certificate in HV using ApplicationManager.exe.

     

    But the Client ID that the application generated on its own is not registered with HV, and it is raising an error.

     

    The application ID is 7cc4824c-fb46-4a45-a036-0e362422271b under https://config.healthvault-ppe.com/default.aspx for this application and is registered as a SODA application. The error mentions that "The specified certificate-HVClientApp-a8dff020-xxxx-xxxxxxxxxxx could not be found in the current user's certificate store or the certificate does not have a private key."

     

    Can you please help me out on this issue.

     

    Thanks

     

    Friday, November 12, 2010 1:16 AM

Answers

  • Hello Prakash,

    I am able to resolve the issue by following the below steps. Could you also try the below steps and let me know if you still face the issue.

    ·         Open Configuration center https://config.healthvault-ppe.co.uk/default.aspx .

    ·         Click on Create a new application.

    ·         Give the Application Name.

    ·         Select the Application type as SODA.

    ·         Now you need a .cer file to load the private key for your certificate. In order to get the .cer file you need to execute the makecert.exe command.

    ·         Copy the application ID from the Application id text box.

    ·         To create the private/public key pair(.cer file):

    Find makecert.exe in C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin. It is also available in the Downloads section of the HealthVault MSDN site.

    Using the MakeCert command, generate a certificate with the same name as the one that we sent you when your AppId was created:

    makecert.exe "<OutputPath>\<CertFileName>.cer" -a sha1 -n "CN=WildcatApp-<AppId>" -sr LocalMachine -ss My -sky signature -pe -len 2048

    For example:

    makecert.exe "c:\temp\MyCert.cer" -a sha1 -n "CN=WildcatApp-6296418d-a6c7-418d-84ea-f4c04b9dd1b6" -sr LocalMachine -ss My -sky signature -pe -len 2048

    ·         Click on the browse button of Public certificate in the Create New Application page and select the .cer file which we have saved in the prior step.

    ·         Now run your SODA application by giving the master application ID in the app.config file, or you can follow the complete process, except Create the Client Application, mentioned in this URL.

     

    Regards,

    Madan Kamuju

     

     


    • Proposed as answer by Madan kamuju Monday, December 27, 2010 1:03 PM
    • Marked as answer by Aneesh D Tuesday, March 8, 2011 9:02 PM
    Tuesday, December 21, 2010 11:20 AM

All replies

  • Can you share more details or code about how you are generating the client certificate?
    Friday, November 12, 2010 1:58 AM
  • Hi,

     

    This may be an issue with your certificate that the instance generated. Can you please confirm that the certificate is present in Current User’s certificate store? If it is present then please make sure that you can export the certificate with the private key.

     

    The Current User’s certificate store can be opened through the command prompt by entering ‘certmgr’.

     

    Thank you,


    Anish Ravindran
    Friday, November 12, 2010 7:46 AM
  • Now I am getting a different error after I deleted that certificate in CertMgr.

    The error mentions - Invalid parameters - The parameters received were invalid. Please ensure that Master App ID is a valid master SODA Application, the instance app ID is unique and the certificate is valid.

    Please let me know.

    Anish - If you can provide your e-mail ID to me, that would be great.

     

    Friday, November 12, 2010 6:00 PM
  • It may be noted that the master application ID being used is absolutely unique and not being reused. So that is not the issue here. It may also be noted that I have tried creating the certificate multiple times with the same result every time I tried the new Master App ID for the SODA App.
    Friday, November 12, 2010 6:09 PM
  • Assuming your master application ID is a valid SODA app, please try creating a new child app id and certificate, and then run the create application workflow (through the HV Shell). One challenge with SODA is you can only do the create application operation once. After that, you will get the error you mentioned ("Invalid parameters...").

    Please let us know if this resolves your issue. If it does not, it would be great to see the exact set of steps you are going through to get the problem. 

    Saturday, November 13, 2010 1:25 AM
  • Hello,

    Could you please check whether your App.config file contains entries like the ones below.

                <setting name="clientAppId" serializeAs="String">
                    <value>00000000-0000-0000-0000-000000000000</value>
                </setting>
                <setting name="masterAppId" serializeAs="String">
                    <value>Your SODA App Id</value>
                </setting>

    You can also try to reauthorize the application from the user's account and authenticate again. Please follow the reauthorization steps below:

    1). Log in to HealthVault Shell (https://account.healthvault-ppe.com/).

    2). Click on Sharing Tab.

    3). Select the SODA application which you are using.

    4). Click on change access.

    5). Click on Remove all access button.


    Regards,

    Madan Kamuju

     

    • Proposed as answer by Madan kamuju Thursday, November 25, 2010 10:49 AM
    Monday, November 15, 2010 11:07 AM
  • Hi Madan or Anish,

    I created an HV SODA console app. The certificate with private key is installed properly. I am able to run the C# console app in Visual Studio and successfully submitted data to the HV account. No issues. I took the same code and created a DLL to use within a BizTalk Orchestration environment.

    I get the following as well:

    Exception: The specified certificate, CN=HVClientApp-3fa8bb6b-5b29-4798-8b95-2d4ccdb154b8, could not be found in the CurrentUser certificate store,or the certificate does not have a private key.

     

    I am assuming the BTS Service Account is unable (no permission etc.) to get the certificate.

    I tried to install the certificate with private key in the following cert stores:

    Local Computer\Personal     

    Local Computer\Other People 

    Current User\Personal

    Current User\Trusted Root CA

    Service (BizTalk Server BizTalk Group : BizTalkServerApplication) \ Personal

    Service (BizTalk Server BizTalk Group : BizTalkServerApplication) \ Trusted Root CA

     

    On the Local Computer\Personal certificate, I also right-clicked on the cert and, under "All Task\Managed Private Keys", gave my BTS service account full permission.

     

    A workaround was to add the following to the BTS config file.

     

    <add key="ApplicationCertificateFileName" value="C:\myCertWithPrivateKey.pfx" />

    <add key="ApplicationCertificatePassword" value="myPassword" />

     

     

    I do not want this workaround as it forces me to use a single cert file. I would like BTS to be able to get the cert associated with the ClientAppId and MasterAppId.

     

    Please advise. Thank you in advance.

    James Tuanda

     

     

     

    Thursday, November 18, 2010 12:42 AM
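
Added example, not part of any post in this thread and not HealthVault SDK code: a PowerShell check for the two conditions named in the error message (certificate found by subject, private key usable), which also covers the earlier suggestion to confirm the certificate is in the Current User store with its private key. The function name Test-AppCertificate and the placeholder subject are assumptions, and GetRSAPrivateKey assumes .NET Framework 4.6 or later. Because the CurrentUser store is per account, the result is only meaningful when the script runs as the account that hosts the application.

```powershell
# Added diagnostic (not from the thread or the HealthVault SDK).
# Run it in a shell started as the account that hosts the application;
# for a service, that is the service account, not your own logon.
function Test-AppCertificate {
    param(
        # Exact subject from the error message, e.g. 'CN=HVClientApp-<ClientAppId>'
        [Parameter(Mandatory = $true)] [string] $Subject
    )

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    foreach ($location in 'CurrentUser', 'LocalMachine') {
        $store = "Cert:\$location\My"
        $found = @(Get-ChildItem -Path $store | Where-Object { $_.Subject -eq $Subject })

        if ($found.Count -eq 0) {
            [pscustomobject]@{
                Identity = $identity; Store = $store; Thumbprint = $null
                HasPrivateKey = $false; KeyUsable = $false
                Detail = 'no certificate with this subject'
            }
            continue
        }

        foreach ($cert in $found) {
            $usable = $false
            $detail = 'ok'
            if (-not $cert.HasPrivateKey) {
                $detail = 'certificate present, but no private key is attached'
            } else {
                try {
                    # HasPrivateKey only says a key is referenced; opening it
                    # is what fails when this account lacks read access.
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($null -eq $rsa) { $detail = 'private key is not an RSA key' }
                    else { $usable = $true; $rsa.Dispose() }
                } catch {
                    $detail = "private key not usable by this account: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Identity = $identity; Store = $store; Thumbprint = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey; KeyUsable = $usable
                Detail = $detail
            }
        }
    }
}

# Placeholder subject: substitute the CN from your own error message.
Test-AppCertificate -Subject 'CN=HVClientApp-<ClientAppId>' | Format-Table -AutoSize
```

A row for CurrentUser\My that reads "no certificate with this subject" under the service account, while the same script finds the certificate under your interactive logon, indicates the certificate sits in a different account's store.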
  • Hello James,

    The above-mentioned exception basically occurs when the certificate is not installed on your local computer. Could you please confirm whether you would like to install the certificate in your machine's local computer certificate store or not.

    Note that the Application Id name has to be "WildcatApp" followed by the full ApplicationID as mentioned in this url. I observed that your Application Id is starting with "HVClientApp" but not with this "WildcatApp".

    If you would like to use the certificate which is installed on your machine then please follow the steps mentioned in this post.

    If you want to run a HealthVault Application in IIS without installing a certificate in the certificate store then use this post to resolve the issue.

    Hope this helps, Let me know if you have any issues.

    Regards,

    Madan Kamuju

    Thursday, November 18, 2010 11:30 AM
  • Madan,

    Thank you for the quick response. Yes, the cert is installed on the computer. I installed them in the locations mentioned in my previous post.

    The C# console app is on the same computer as the BTS environment. The C# app is able to use the cert while the BTS environment cannot.

    I did not create the cert. I specified a MasterAppId and a new Guid for the ClientAppId. The cert was automatically installed by the HealthVault Application Authorization process "HealthClientApplication.StartApplicationCreationProcess()" when the ClientAppId is not recognized. After the app authorization process is completed through the browser, I checked the cert store to find the certificate name "HVClientApp-3fa8bb6b-5b29-4798-8b95-2d4ccdb154b8".

    IIS is running under the NETWORK_SERVICE account. In my case, the BTS environment is running under a local service account I created. I am assuming the service account doesn't have permission to get the cert, which is why I tried to add the certs in the following cert locations:

     

    Local Computer\Other People 

    Service (BizTalk Server BizTalk Group : BizTalkServerApplication) \ Personal

    Service (BizTalk Server BizTalk Group : BizTalkServerApplication) \ Trusted Root CA

     

    In order for me to install the cert in those locations, I had to export the cert "HVClientApp-3fa8bb6b-5b29-4798-8b95-2d4ccdb154b8" out and was required to put a password on the cert.

     

     

    -James Tuanda

    UGotCoupon

     

     

    Friday, November 19, 2010 10:18 PM
  • Hello James,

    Could you please explain your scenario in more detail, like the flow of your application, and also let me know why you are using a SODA application.

    Regards,

    Madan Kamuju
    Monday, November 22, 2010 1:15 PM
  • We have a client application which will manage a patient's HealthVault info. Authorization happens there. After patient encounters, the client application will generate CCD documents. These documents and the patient's HV PersonId and RecordId will be routed to our BizTalk application. The BizTalk app will upload the CCD into the patient's HealthVault. The BizTalk application will have the MasterAppId, ClientAppId, and certificate installed. The BizTalk app will act as a proxy to upload the documents to HV. The BizTalk app will not do any authorization on its end.

    Is this an appropriate usage of a SODA application? Should it be configured as a Master Application Type?

    We just need the ability to upload a document to HealthVault in BizTalk.

     

    Thanks

    James Tuanda

    UGotCoupon

     

     

     

    Tuesday, November 23, 2010 9:50 PM
  • Hello James,

    As per my knowledge the SODA architecture won’t work in your scenario. You would use SODA if you want the client application to connect directly to HealthVault. If you want your BizTalk server to interact with HealthVault, then you need your own authentication and protocol between the BizTalk server and the client. The server would then be an intermediary between the client and HealthVault. The only reason you would use SODA is if you want the client application to connect directly to HealthVault. Also, SODA applies more naturally if your client application is distributed broadly to consumers.

    Regards,
    Madan Kamuju.
    • Proposed as answer by Madan kamuju Thursday, December 2, 2010 9:03 AM
    Thursday, November 25, 2010 10:56 AM
  • I got this error (mentioned in the beginning of this thread) too. The steps I followed:

    - Created a console app exactly as explained in this 'how to' article - http://msdn.microsoft.com/en-gb/healthvault/ee708278.aspx  For the first time it worked as expected.

    - The next time when I ran the program (either from VS or the exe) the above error appeared.

    I repeated the above steps by creating the console app fresh and got the same pattern - worked the first time and then the same error.

    Any help/suggestion would be appreciated.

    Thursday, November 25, 2010 11:52 PM
  • Hello Prakash,

    Could you please paste the complete stack trace of the error and also let me know whether you are running the application on the same box on which you created the SODA master application Id.

    Regards,

    Madan Kamuju

    Friday, November 26, 2010 10:27 AM
  • Hi Madan,

    Yes I am running the app in the same machine in which I have created the app (in fact from VS). Here goes the stack trace:

    System.Security.SecurityException was unhandled
      Message=The specified certificate, CN=HVClientApp-a6f7ffb4-8e99-4e00-8d3c-78c4c14dd876, could not be found in the CurrentUser certificate store,or the certificate does not have a private key.
      Source=Microsoft.Health
      StackTrace:
           at Microsoft.Health.ApplicationConfiguration.GetApplicationCertificateFromStore(Guid applicationId, StoreLocation storeLocation, String certSubject)
           at Microsoft.Health.ApplicationConfiguration.GetApplicationCertificate(Guid applicationId, StoreLocation storeLocation, String certSubject)
           at Microsoft.Health.ApplicationConfiguration.GetSignatureCertRsaProvider(Guid applicationId, StoreLocation storeLocation, String certSubject)
           at Microsoft.Health.Web.Authentication.WebApplicationCredential.SetupSignatureCertRsaProvider(Guid applicationId, StoreLocation storeLocation, String certSubject)
           at Microsoft.Health.Web.Authentication.WebApplicationCredential.Initialize(Guid applicationId, StoreLocation storeLocation, String certSubject)
           at Microsoft.Health.Web.Authentication.WebApplicationCredential..ctor(Guid applicationId, StoreLocation storeLocation, String certSubject)
           at Microsoft.Health.HealthClientApplication.Connect()
           at Microsoft.Health.HealthClientApplication.get_ApplicationConnection()
           at Microsoft.Health.HealthClientApplication.GetApplicationInfo()
           at SODA_Client_TestApp.Program.Main(String[] args) in C:\Users\Prakash\Documents\Visual Studio 2010\Projects\WP7TrainingKitSolutions\SODA_Client_TestApp\Program.cs:line 92
           at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
           at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
           at System.Threading.ThreadHelper.ThreadStart()
      InnerException: 



    However I can see through certmgr that the certificate is present at 'Current User/Personal/Certificates'.

    Thanks in advance ...

     

    Saturday, November 27, 2010 2:56 AM
  • Hello Prakash,

    Could you please let me know whether this is a standalone application (console app / Windows app) or whether you are integrating the SODA app with any other application. Are you running this application directly from the Visual Studio IDE?

    I am not able to reproduce the issue with a new SODA application I created by following this link.

    Let me know if you have any concerns.

    Regards,

    Madan kamuju

    Monday, November 29, 2010 11:02 AM
  • Hi Madan,

    As I have mentioned above, all I did was as demonstrated in the link - the console app only. I built the app with the same code and instructions and ran the exe - it went fine as expected the first time. Then I ran the app again (second time) with the same exe and got the error for which I posted the stack trace before.

    To investigate I repeated the same process more than once and also tried running the program from VS and got the same error every time.

     

    Though my real intention is to integrate SODA with some other application, I want to build a prototype with a standalone window/console SODA app, which I am not able to do.

    Thursday, December 2, 2010 1:33 AM
  • Hello Prakash,

    Could you please send your complete code (sample solution) to my email ID v-madank@microsoft.com. I will try to repro the issue from my side with your code. Please send me your SODA application id.

    Regards,

    Madan Kamuju

    Thursday, December 2, 2010 9:05 AM
  • Hello Prakash,

    Through the email communication I got a confirmation that you are running the SODA application in the HealthVault UK environment, and I tried to repro this issue in the UK environment; the issue is reproducible. I have escalated this issue to our HealthVault Product Group. Issues that are escalated to the Product Group are normally assigned to the appropriate person within 2 business days and most issues are normally resolved within 7 days. I will contact you with any information from the Product Group as soon as I receive an update from the Product Group. Please feel free to contact me if you have any questions or concerns regarding your issue.

    Regards,
    Madan Kamuju

    Friday, December 3, 2010 11:24 AM