How to configure the connection to a Web service providing an X509 Certificate? [HELP!]

  • Question

  • Hello!

    I am writing a VB.NET Winforms application, and I need to use a WSDL that is used to generate the access points to a Web Service for Authentication and Assertion, which SHOULD follow the OASIS SSO standard. I tried to generate the "standard" service using the set of files in saml-2.0-os.zip (https://docs.oasis-open.org/security/saml/v2.0/) and it works.

    However, the company that handles the sign on for the service I need modified the WSDL, including a request for assertion and password change that requires an X509 certificate to be given when the service is generated from the WSDL.

    My problem is: How can I give the certificate to the service THROUGH the WSDL?

    The "offending" part of the code is

    <!-- Both ports reuse the same binding and the same HTTPS address; the WSDL itself says nothing
         about the client certificate that endpoint expects, that is a client-side transport setting. -->
    <wsdl:service name="IAPserviceRVE">
    	<wsdl:port name="AuthenticateAndGetAssertionService"
    		binding="tns:AuthenticateAndGetAssertionBinding">
    		<soap12:address location="https://ipam.bit4id.org/ws"/>
    	</wsdl:port>
    	<wsdl:port name="UpdatePasswordService" binding="tns:AuthenticateAndGetAssertionBinding">
    		<soap12:address location="https://ipam.bit4id.org/ws"/>
    	</wsdl:port>
    </wsdl:service>

    and I need to give an X509 to the https://ipam.bit4id.org/ws end point.

    HOW DO I DO THAT???

    Help! Thank you!

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    	Contract for the IAPserviceRVE authentication/assertion service (WSDL 1.1 with a SOAP 1.2 binding).
    	Points a client generator or a reviewer should know:
    	* The only security construct in this file is the wsse:Security SOAP header (message "authentication",
    	  attached to every input in the binding below). There is no WS-Policy / WS-SecurityPolicy section,
    	  so tools such as svcutil or "Add Service Reference" cannot learn from this WSDL that a client
    	  X.509 certificate is expected. Certificate credentials have to be configured on the generated
    	  client (mutual TLS towards the HTTPS endpoint, or a message-level token), not derived from here.
    	* Every schemaLocation is a relative path, resolved against the location this WSDL was loaded
    	  from. When importing an offline copy, keep the referenced .xsd files in the same directory.
    	* Several prefixes are bound to the same namespace URI (requestns/responsens;
    	  requestns2/responsens2/rve-b). They are interchangeable and differ only for readability.
    -->
    <wsdl:definitions xmlns:responsens="urn:oasis:names:tc:SAML:2.0:protocol"
    	xmlns:utp="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    	xmlns:requestns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:requestns2="urn_rve_2013:rve-body"
    	xmlns:responsens2="urn_rve_2013:rve-body" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    	xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    	xmlns:tns="urn_rve_2013:authenticateAndGetAssertion"
    	xmlns:wsbf="http://docs.oasis-open.org/wsrf/bf-2"
    	xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    	xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:rve-b="urn_rve_2013:rve-body"
    	name="IdentityAndAssertionProvider" targetNamespace="urn_rve_2013:authenticateAndGetAssertion">
    	<wsdl:documentation>Versione 0.1, 17novembre2013</wsdl:documentation>
    	<!-- Each wrapper schema only imports an external .xsd. elementFormDefault on the wrapper affects
    	     declarations made in the wrapper itself (there are none); the imported schemas keep their own setting. -->
    	<wsdl:types>
    		<xsd:schema elementFormDefault="qualified">
    			<xsd:import namespace="http://www.w3.org/2005/08/addressing"
    				schemaLocation="ws-addr.xsd"/>
    		</xsd:schema>
    		<xsd:schema elementFormDefault="qualified">
    			<xsd:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
    				schemaLocation="saml-schema-protocol-2.0.xsd"/>
    		</xsd:schema>
    		<xsd:schema elementFormDefault="qualified">
    			<xsd:import
    				namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    				schemaLocation="oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
    		</xsd:schema>
    		<xsd:schema elementFormDefault="qualified">
    			<xsd:import
    				namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    				schemaLocation="oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
    		</xsd:schema>
    		<xsd:schema elementFormDefault="qualified">
    			<xsd:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
    				schemaLocation="saml-schema-assertion-2.0.xsd"/>
    		</xsd:schema>
    		<xsd:schema>
    			<xsd:import namespace="http://docs.oasis-open.org/wsrf/bf-2" schemaLocation="bf-2.xsd"/>
    		</xsd:schema>
    		<xsd:schema>
    			<xsd:import namespace="urn_rve_2013:rve-body" schemaLocation="rve-body.xsd"/>
    		</xsd:schema>
    	</wsdl:types>
    	<!-- WS-Addressing header parts used by both operations. -->
    	<wsdl:message name="addressing">
    		<wsdl:part name="addressingTo" element="wsa:To"/>
    		<wsdl:part name="addressingMsgID" element="wsa:MessageID"/>
    	</wsdl:message>
    	<wsdl:message name="addressingResp">
    		<wsdl:part name="addressingRelatesTo" element="wsa:RelatesTo"/>
    	</wsdl:message>
    	<!-- WS-Security header carried on every request input (see the binding). This is the only place
    	     where authentication material is modelled; its required contents (e.g. which token type) are
    	     not specified in this WSDL and must come from the service provider's documentation. -->
    	<wsdl:message name="authentication">
    		<wsdl:part name="securityHeader" element="wsse:Security"/>
    	</wsdl:message>
    	<!-- SAML 2.0 protocol request/response bodies for the assertion operation. -->
    	<wsdl:message name="response">
    		<wsdl:part name="AuthenticateAndGetAssertionResponse" element="responsens:Response"/>
    	</wsdl:message>
    	<wsdl:message name="request">
    		<wsdl:part name="AuthenticateAndGetAssertionRequest" element="requestns:AuthnRequest"/>
    	</wsdl:message>
    	<!-- Provider-specific bodies (rve-body.xsd) for the password change operation. -->
    	<wsdl:message name="request2">
    		<wsdl:part name="updateReq" element="requestns2:UpdatePasswordRequest"/>
    	</wsdl:message>
    	<wsdl:message name="response2">
    		<wsdl:part name="updateRes" element="responsens2:UpdatePasswordResponse"/>
    	</wsdl:message>
    	<wsdl:message name="Fault">
    		<wsdl:part name="parameter" element="wsbf:BaseFault"/>
    	</wsdl:message>
    	<!-- Abstract interface: two request/response operations, each with the same BaseFault. -->
    	<wsdl:portType name="AuthenticateAndGetAssertionPT">
    		<wsdl:operation name="AuthenticateAndGetAssertion">
    			<wsdl:input message="tns:request" name="AuthenticateAndGetAssertionRequest"
    				wsaw:Action="urn:rve:AuthenticateAndGetAssertionRequest"/>
    			<wsdl:output message="tns:response" name="AuthenticateAndGetAssertionResponse"
    				wsaw:Action="urn:rve:AuthenticateAndGetAssertionResponse"/>
    			<wsdl:fault name="BaseFault" message="tns:Fault"/>
    		</wsdl:operation>
    		<wsdl:operation name="UpdatePassword">
    			<wsdl:input message="tns:request2" name="UpdatePasswordRequest"
    				wsaw:Action="urn:rve:UpdatePasswordRequest"/>
    			<wsdl:output message="tns:response2" name="UpdatePasswordResponse"
    				wsaw:Action="urn:rve:UpdatePasswordResponse"/>
    			<wsdl:fault name="BaseFault" message="tns:Fault"/>
    		</wsdl:operation>
    	</wsdl:portType>
    	<!-- SOAP 1.2 document/literal binding. Every input carries the two addressing headers plus the
    	     wsse:Security header; outputs carry MessageID and RelatesTo. -->
    	<wsdl:binding name="AuthenticateAndGetAssertionBinding" type="tns:AuthenticateAndGetAssertionPT">
    		<soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    		<wsdl:operation name="AuthenticateAndGetAssertion">
    			<soap12:operation soapAction="urn:rve:AuthenticateAndGetAssertion"/>
    			<wsdl:input>
    				<soap12:header message="tns:addressing" part="addressingTo" use="literal"/>
    				<soap12:header message="tns:addressing" part="addressingMsgID" use="literal"/>
    				<soap12:header message="tns:authentication" part="securityHeader" use="literal"/>
    				<soap12:body use="literal"/>
    			</wsdl:input>
    			<wsdl:output>
    				<soap12:header message="tns:addressing" part="addressingMsgID" use="literal"/>
    				<soap12:header message="tns:addressingResp" part="addressingRelatesTo" use="literal"/>
    				<soap12:body use="literal"/>
    			</wsdl:output>
    		</wsdl:operation>
    		<wsdl:operation name="UpdatePassword">
    			<soap12:operation soapAction="urn:rve:UpdatePassword"/>
    			<wsdl:input>
    				<soap12:header message="tns:addressing" part="addressingTo" use="literal"/>
    				<soap12:header message="tns:addressing" part="addressingMsgID" use="literal"/>
    				<soap12:header message="tns:authentication" part="securityHeader" use="literal"/>
    				<soap12:body use="literal"/>
    			</wsdl:input>
    			<wsdl:output>
    				<soap12:header message="tns:addressing" part="addressingMsgID" use="literal"/>
    				<soap12:header message="tns:addressingResp" part="addressingRelatesTo" use="literal"/>
    				<soap12:body use="literal"/>
    			</wsdl:output>
    		</wsdl:operation>
    	</wsdl:binding>
    	<!-- Both ports share one binding and one HTTPS address. Whether that endpoint demands a client
    	     certificate during the TLS handshake is a transport property that WSDL 1.1 cannot express;
    	     a generated client has to be given the certificate through its own configuration or code. -->
    	<wsdl:service name="IAPserviceRVE">
    		<wsdl:port name="AuthenticateAndGetAssertionService"
    			binding="tns:AuthenticateAndGetAssertionBinding">
    			<soap12:address location="https://ipam.bit4id.org/ws"/>
    		</wsdl:port>
    		<wsdl:port name="UpdatePasswordService" binding="tns:AuthenticateAndGetAssertionBinding">
    			<soap12:address location="https://ipam.bit4id.org/ws"/>
    		</wsdl:port>
    	</wsdl:service>
    </wsdl:definitions>




    Greetings, TheGiops

    Wednesday, March 9, 2016 9:22 AM

All replies

  • Hello,

    >>My problem is: How can I give the certificate to the service THROUGH the WSDL?

    If I do not misunderstand your idea, in order to implement a similar requirement we can first create the service from the WSDL document, then configure the service with X509 certificate authentication. Finally, the client can connect to the Web service by providing the correct client certificate.
    If I have misunderstood you, please feel free to let me know. :)

    Best Regards,
    Amy Peng



    Friday, March 11, 2016 1:55 PM
  • Thank you for your interest!!! :-)

    Unfortunately, the situation is a bit more complicated.
    I am able (On other services) to create the access points, and then use the service with the "ClientCertificates" section of the service.

    In this case, the service indicated in the <soap12:address location="https://ipam.bit4id.org/ws"/> line requires a certificate in order to be used, and it is an integral part of the Web Service.

    I can configure the thing through SoapUI, giving the authentication certificate as a property, but... How do I do it in VS2013, when I create the web reference?

    I'm slowly going mad...


    Greetings, TheGiops

    Saturday, March 12, 2016 3:44 AM
  • Hello,

    >>How do I do it in VS2013, when I create the web reference?

    Have you tried to add the client certificate in code as following?

    // Attach the client's X.509 certificate to the proxy's credentials. This is a client-side
    // setting applied to the generated proxy; it is not derived from the WSDL.
    // FindBySubjectName matches on the certificate subject, so replace "test.com" with the
    // subject of the real certificate (or use X509FindType.FindByThumbprint when several
    // certificates in the store share a subject, to avoid picking the wrong one).
    client.ClientCredentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser,
        StoreName.My,
        X509FindType.FindBySubjectName,
        "test.com");

    For more information, please try to refer to the following article:
    https://msdn.microsoft.com/en-us/library/ms731074.aspx?f=255&MSPPError=-2147217396 .

    Best Regards,
    Amy Peng



    Thursday, March 17, 2016 8:36 AM
  • Sorry for the delay!

    Yes, I tried that, but the issue is that the certificate is needed BEFORE the program runs.

    The problem is that during the creation of the classes (Project > Add Service Reference > Add Web Reference) the XML refers to a server that requires a certificate before it will disclose the XML.

    And it's driving me insane...


    Greetings, TheGiops

    Monday, April 11, 2016 5:15 PM
  • Hi,
    If I do not misunderstand your idea,

    from soapUI you can save the wsdl file and then point to this in VS to create the service

    (url: file://xxxx.wsdl)

    HTH


    Volevamo cambiare il mondo! ...peccato che abbiamo perso lo scontrino


    • Edited by Luigi Rinna Tuesday, April 12, 2016 2:45 PM
    Tuesday, April 12, 2016 2:44 PM
  • Oh, si, ma io il WSDL ce l'ho gia'.

    Quel che non arrivo a capire e' come fare a dare il certificato al server ipam attraverso il WSDL, cioe' al momento della definizione del servizio.

    <soap12:address location="https://ipam.bit4id.org/ws"/>

    Il problema e' che questo indirizzo e' contenuto nel WSDL, e quindi non posso dargli un certificato PRIMA di dichiararlo!
    SoapUI ha la maniera di mettere il certificato come proprieta' del test, ma non riesco proprio a capire come farlo da Vs2013/15

    L'errore si verifica qui, perche' non c'e' autenticazione. Per la cronaca: si parla del servizio di spedizione ricette dematerializzate della Regione Veneto (consorzioarsenal.it)

    P


    Greetings, TheGiops

    Monday, April 25, 2016 4:40 PM
    If I understand correctly:

    You need to add a WebService Reference.

    The WSDL is published over HTTPS (so it's encrypted)

    You have tried using Add Web Service Reference with no luck (maybe there is some error stating that your connection was refused, or simply that VS could not connect)

    This post has some explanation of how to add a Web Service Reference with something other than TLS

    This post seems to address a related issue.


    Please be so kind to close your Threads when you found an answer, these Threads should help everyone with similar issues.
    You can close a Thread via the"Mark as Answer" link below posts. You can mark your own posts as answers if you were not helped out but found a solution, in such a case, please provide the answer.
    Happy coding
    PS: I assure everyone that I never had the desire to offend anyone.


    • Edited by MDeero Monday, April 25, 2016 5:20 PM
    Monday, April 25, 2016 5:12 PM
  • This is taking me somewhere, actually.

    So, if I create the class with SoapUI and THEN use it in the code, I should be able to configure the whole thing.

    Too bad that, now, neither SoapUI nor wsdl.exe can create the darn class. Need to contact the maker of the thing.

    I'm going insane...


    Greetings, TheGiops

    Tuesday, April 26, 2016 12:02 AM
  • Oh, si, ma io il WSDL ce l'ho gia'.

    Quel che non arrivo a capire e' come fare a dare il certificato al server ipam attraverso il WSDL, cioe' al momento della definizione del servizio.

    <soap12:address location="https://ipam.bit4id.org/ws"/>

    Il problema e' che questo indirizzo e' contenuto nel WSDL, e quindi non posso dargli un certificato PRIMA di dichiararlo!
    SoapUI ha la maniera di mettere il certificato come proprieta' del test, ma non riesco proprio a capire come farlo da Vs2013/15

    L'errore si verifica qui, perche' non c'e' autenticazione. Per la cronaca: si parla del servizio di spedizione ricette dematerializzate della Regione Veneto (consorzioarsenal.it)

    P


    Greetings, TheGiops

     Ciao,

    da quello che ho capito , a te mancano dei  file xsd che sono ricercati all'url https://...

    che richiede il certificato.

    Ma se, come mi sembra di aver capito,   sei riuscito a crearti il progetto soapUI 

    allora questi xsd che ti mancano da qualche parte li hai e se li inserisci nella stessa dir

    del wsdl (oppure modifichi il relativo schemaLocation in file://....xsd) dovresti poter crearti il servizio puntando al wsdl locale.

    Altra strada che potresti provare a percorrere è creare in soapUI un "SoapUI mock Service" e puntare a questo in VS; url = http://<soapUI mockservice:port>?wsdl

    HTH


    Volevamo cambiare il mondo! ...peccato che abbiamo perso lo scontrino

    Tuesday, April 26, 2016 8:15 AM
  • No no no, i files XSD li ho tutti.

    Il problema e' che questo servizio e' parte del protocollo di comunicazione della ricetta dematerializzata, e decisamente non posso cambiare il file WSDL in maniera da farlo funzionare "a spintoni".

    VS2013 e' abbastanza bravo a configurare i Web Service, se gli dai un WSDL fatto bene, e infatti per le altre regioni funziona bene. Il Veneto mi sta dando dei mal di testa fenomenali, e mi hanno detto di rivolgermi alla concorrenza per sapere come hanno fatto loro (seeehhh... Immaginati!)

    Secondo te, un WSDL che definisce l'autenticazione al servizio non dovrebbe essere blindato e non modificabile? Ti pare possibile che secondo il Veneto devo mettermelo a posto da solo, mandando a farsi benedire tutto l'ambaradan?

    Saresti in grado (Se ti do WSDL+XSD) di vedere dove non va?

    Ok che sono riuscito a configurare 12 regioni, ma loro mi hanno dato tutti dei WSDL che funzionano al primo colpo.

    EH? Eh? Ci riusciresti?


    Greetings, TheGiops

    Saturday, May 28, 2016 7:05 PM