Hi,
I'm trying to consume a Java web service using a WCF client. The requirements are the following:
- The client needs to authenticate using a client certificate over HTTPS
- SOAP message headers need to be signed using the same certificate
Here's what I've tried so far:
- basicHttpsBinding and wsHttpBinding with TransportWithMessageCredential security:
<basicHttpsBinding>
  <binding name="HttpEndPointBinding">
    <security mode="TransportWithMessageCredential">
      <message algorithmSuite="Basic128Rsa15" clientCredentialType="Certificate"/>
      <transport clientCredentialType="Certificate"/>
    </security>
  </binding>
  <binding name="HttpEndPointBinding1"/>
</basicHttpsBinding>
<endpointBehaviors>
  <behavior>
    <clientCredentials>
      <clientCertificate findValue="******************" storeLocation="CurrentUser"
                         storeName="My" x509FindType="FindByThumbprint"/>
    </clientCredentials>
  </behavior>
</endpointBehaviors>
According to the trace, this will produce a signed SOAP message; however, the client fails to create the SSL channel. After analyzing packets using Wireshark, I found out that the certificate is not included in the "Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" packet.
When searching online, I read that basic http and ws bindings (apparently) do not support transport and message-level certificates at the same time, which led me to my second attempt:
- Custom binding:
using System.ServiceModel;
using System.ServiceModel.Channels;

var c = new CustomBinding();
MessageSecurityVersion version = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
// Client certificate as a message-level token on top of an HTTPS transport
var sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement(version);
c.Elements.Add(sec);
c.Elements.Add(new TextMessageEncodingBindingElement() { MessageVersion = MessageVersion.Soap11 });
// Transport must also present the client certificate in the TLS handshake
c.Elements.Add(new HttpsTransportBindingElement() { RequireClientCertificate = true });
This would create a secure SSL channel, but fail with the following error message:
"FaultException: SECU1075: An error was discovered processing the <wsse:Security> header"
According to the trace, this is due to the missing SOAP header signature.
- Is there a way to force the client to send the certificate using a basicHttpsBinding?
- If my only option is a custom binding, how do I configure it in order to sign the message header?
Regards
Rafik
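As an added example (not part of the original post, and not a claimed fix for the SECU1075 fault, which depends on what the Java service's policy expects), the following C# puts the two halves of the question side by side: the poster's CustomBinding, and the client-certificate credential that the XML endpoint behaviour in the first attempt supplied but the custom-binding snippet never set. Without a certificate on ClientCredentials, WCF has nothing to present in the TLS handshake and nothing to sign the security header with. IJavaService, the endpoint URL and the thumbprint are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Placeholder contract standing in for the Java service's real interface.
[ServiceContract]
public interface IJavaService
{
    [OperationContract]
    string Ping(string value);
}

public static class ClientFactory
{
    // Same binding shape as the poster's second attempt.
    public static Binding BuildBinding()
    {
        var binding = new CustomBinding();

        var version = MessageSecurityVersion
            .WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

        // The client certificate becomes a message-level endorsing token on top of
        // an HTTPS transport; WCF signs the wsu:Timestamp in the wsse:Security header
        // with it, so the timestamp must be included.
        var security = SecurityBindingElement.CreateCertificateOverTransportBindingElement(version);
        security.IncludeTimestamp = true;

        binding.Elements.Add(security);
        binding.Elements.Add(new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11 });
        // TLS layer: the same certificate is presented during the handshake.
        binding.Elements.Add(new HttpsTransportBindingElement { RequireClientCertificate = true });
        return binding;
    }

    public static ChannelFactory<IJavaService> BuildFactory(string url, string thumbprint)
    {
        var factory = new ChannelFactory<IJavaService>(BuildBinding(), new EndpointAddress(url));

        // Programmatic equivalent of the <clientCertificate .../> element in the XML
        // configuration: one certificate serves both the TLS handshake and the SOAP signature.
        // Lookup by thumbprint pins a specific certificate rather than a subject name.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumbprint);

        return factory;
    }

    public static void Main()
    {
        // Placeholder values; replace with the real endpoint and certificate thumbprint.
        var factory = BuildFactory("https://java-service.example/ws", "THUMBPRINT_PLACEHOLDER");
        IJavaService client = factory.CreateChannel();
        try
        {
            Console.WriteLine(client.Ping("hello"));
            ((IClientChannel)client).Close();
        }
        catch (Exception ex)
        {
            ((IClientChannel)client).Abort();
            Console.WriteLine(ex.Message);
        }
    }
}
```

With WCF message logging enabled, the outgoing request should carry a wsse:BinarySecurityToken for the certificate and a ds:Signature whose reference covers the timestamp; Wireshark's view of the handshake should show the same certificate in the Certificate record. If the signature is present but the service still rejects the header, the mismatch is on the policy side (which elements the service expects signed, and which security version it accepts), not on whether the client signed.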