Signed SOAP message headers over HTTPS with client certificate authentication

  • Question

  • Hi,

    I'm trying to consume a Java web service using a WCF client. The requirements are the following:

    - The client needs to authenticate using a client certificate over HTTPS

    - SOAP message headers need to be signed using the same certificate

    Here's what I've tried so far:

    - basicHttpsBinding and wsHttpBinding with TransportWithMessageCredential security:

          <basicHttpsBinding>
            <binding name="HttpEndPointBinding">
              <security mode="TransportWithMessageCredential">
                <message algorithmSuite="Basic128Rsa15" clientCredentialType="Certificate"/>
                <transport clientCredentialType="Certificate"/>
              </security>
            </binding>
            <binding name="HttpEndPointBinding1"/>
          </basicHttpsBinding>

          <endpointBehaviors>
            <behavior>
              <clientCredentials>
                <clientCertificate findValue="******************" storeLocation="CurrentUser"
                                   storeName="My" x509FindType="FindByThumbprint"/>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>

    According to the trace this will produce a signed SOAP message, however the client fails to create the SSL channel. After analyzing packets using Wireshark, I found out that the certificate is not included in the "Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" packet.

    When searching online, I read that basic http and ws bindings (apparently) do not support transport and message-level certificates at the same time, which led me to my second attempt:

    - Custom binding:

                var c = new CustomBinding();
                MessageSecurityVersion version = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
                var sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement(version);
                c.Elements.Add(sec);
                c.Elements.Add(new TextMessageEncodingBindingElement() { MessageVersion = MessageVersion.Soap11 });
                c.Elements.Add(new HttpsTransportBindingElement() { RequireClientCertificate = true });

    This would create a secure SSL channel, but fail with the following error message:

    "FaultException: SECU1075: An error was discovered processing the <wsse:Security> header"

    According to the trace, this is due to the missing SOAP header signature.

    1. Is there a way to force the client to send the certificate using a basicHttpsBinding?
    2. If my only option is a custom binding, how do I configure it in order to sign the message header?

    Regards

    Rafik

    Thursday, April 5, 2018 2:39 PM

All replies

  • Hi Rafik,

    What is the security mode in the Java Web Service? Could you generate the client code by adding service reference?

    I suggest you try Transport security and client certificate as credential.

    #How to: Use Certificate Authentication and Transport Security in WCF Calling from Windows Forms

    https://msdn.microsoft.com/en-us/library/ff650785.aspx?f=255&MSPPError=-2147217396

    If you call Java service from SOAPUI, what is the difference between your request from SOAPUI?

    Best Regards,

    Tao Zhou


    MSDN Community Support

    Friday, April 6, 2018 2:10 AM
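
The Transport-security suggestion in the reply above, written out in code as an added example (not code from the thread or from the linked article). It covers only the first requirement, TLS client certificate authentication, and adds no WS-Security signature to the SOAP headers. The class name, the `url` and `thumbprint` parameters and the contract type `TChannel` are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical helper: builds a WCF client factory that authenticates with a
// client certificate at the TLS layer only (security mode "Transport").
static class TransportCertClient
{
    public static ChannelFactory<TChannel> Create<TChannel>(string url, string thumbprint)
    {
        // Transport mode: HTTPS protects the message, no <wsse:Security> header is emitted.
        var binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<TChannel>(binding, new EndpointAddress(url));

        // Same lookup as the <clientCertificate> element in the question:
        // CurrentUser\My, found by thumbprint. Throws if no certificate matches.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser,
            StoreName.My,
            X509FindType.FindByThumbprint,
            thumbprint);

        // A certificate can only be used for TLS client authentication if the
        // current user has its private key, so fail early when it is missing.
        X509Certificate2 cert = factory.Credentials.ClientCertificate.Certificate;
        if (cert == null || !cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "Client certificate was found but has no private key.");
        }

        // Reject a certificate that is outside its validity period before
        // opening the channel.
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
        {
            throw new InvalidOperationException(
                "Client certificate is outside its validity period.");
        }

        return factory;
    }
}
```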