How to configure WCF with Transport and Message security enabled

  • Question

  • I am having problems adding https to a webservice already configured to use message security over http.

    I’ll try to describe the situation the best I can.

    Original requirements

    • SOAP version 1.1
    • HTTP connection
    • Signature of the body element on the SOAP message
    • Timestamp of the signature of the body element

    To accomplish these requisites I used the following configuration:

    Original configuration

    We declared the interface to implement according to this code:

    <System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")> _
    <System.ServiceModel.ServiceContractAttribute([Namespace]:="http://net.aocat/MUX2", _
        ConfigurationName:="RegistreReferenciaSoap", ProtectionLevel:=ProtectionLevel.Sign)> _
    Public Interface RegistreReferenciaSoap
        <System.ServiceModel.OperationContractAttribute(Action:="http://net.aocat/MUX2/clientRequestwithReturn", ReplyAction:=".*")> _
        <System.ServiceModel.XmlSerializerFormatAttribute()> _
        Function clientRequestwithReturn(request As clientRequestwithReturnRequest) As <System.ServiceModel.MessageParameterAttribute(Name:="RespostaRegistre")> clientRequestwithReturnResponse
    End Interface

    In the Web service config file we defined the following service configuration:

    <service behaviorConfiguration="RegistreReferenciaBehavior" name="WebServiceRegistreUnificatWCF.RegistreReferencia">
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="RegistreReferenciaBinding"
                name="RegistreReferenciaEndpoint" contract="RegistreReferenciaSoap">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
    </service>

    Using the following binding configuration:

    <basicHttpBinding>
      <binding name="RegistreReferenciaBinding">
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>

    And the following behavior configuration:

    <behavior name="RegistreReferenciaBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
        </clientCertificate>
        <serviceCertificate
            findValue="3f 93 f4 a5 6c 77 a6 c2 50 64 48 99 33 d9 84 86"
            storeLocation="LocalMachine"
            x509FindType="FindBySerialNumber" />
      </serviceCredentials>
    </behavior>

    With this configuration the Webservice was running without problems and accepting connections from the third party service.

    New requirements

    At a certain moment the third party that is connecting to our webservice decided to upgrade the security and implemented HTTPS, leaving the requirements as follows:

    • SOAP version 1.1
    • HTTPS connection
    • Signature of the body element on the SOAP message
    • Timestamp of the signature of the body element

    So we updated the configuration of the webservice in the config file to reflect the change.

    New configuration

    We changed the service definition to:

    <service behaviorConfiguration="RegistreReferenciaBehavior" name="WebServiceRegistreUnificatWCF.RegistreReferencia">
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="RegistreReferenciaBindingHTTPS"
                name="RegistreReferenciaEndpoint" contract="RegistreReferenciaSoap">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
    </service>

    Using the following binding configuration:

    <basicHttpBinding>
      <binding name="RegistreReferenciaBindingHTTPS">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>

    Leaving the rest identical to the first configuration.

    Result

    But this configuration causes the webservice to terminate the connection with the message:

    “Signing without primary signature requires timestamp”

    “The security protocol cannot verify the incoming message”

    Question

    In one simple phrase what I need is to configure the service to use Transport security while maintaining the existing Message security.

    So my question is:

    Is not the new configuration the logical upgrade of adding HTTPS to the configuration?

    If so, how can I configure the service to use HTTPS and Message security?

    Friday, August 1, 2014 4:29 PM
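As an added illustration (not part of the original post or of the third party's code), the following VB.NET console program builds the two posted <security> settings in code and dumps what each one makes the service expect in the incoming WS-Security header; it assumes a project referencing System.ServiceModel and uses only the standard WCF binding API. It shows why the two modes are not interchangeable: in Message mode the client certificate produces the primary signature over the body, whereas in TransportWithMessageCredential mode there is no primary signature and the certificate is only an endorsing supporting token that signs the timestamp, with TLS protecting the body.

```vb
' Added example, not code from the original question.
Imports System
Imports System.ServiceModel
Imports System.ServiceModel.Channels
Imports System.ServiceModel.Security.Tokens

Module BindingInspector

    ' Mirrors the <security> element of each posted basicHttpBinding configuration.
    Private Function BuildBinding(mode As BasicHttpSecurityMode) As BasicHttpBinding
        Dim binding As New BasicHttpBinding(mode)
        ' <message clientCredentialType="Certificate" />
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate
        If mode = BasicHttpSecurityMode.TransportWithMessageCredential Then
            ' <transport clientCredentialType="None" />
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None
        End If
        Return binding
    End Function

    Private Sub Describe(label As String, binding As BasicHttpBinding)
        ' The SecurityBindingElement is what verifies (or rejects) the incoming security header.
        Dim sbe = binding.CreateBindingElements().Find(Of SecurityBindingElement)()
        Console.WriteLine("{0}: {1}", label, sbe.GetType().Name)
        Console.WriteLine("  IncludeTimestamp       = {0}", sbe.IncludeTimestamp)
        Console.WriteLine("  MessageSecurityVersion = {0}", sbe.MessageSecurityVersion)

        Dim asym = TryCast(sbe, AsymmetricSecurityBindingElement)
        If asym IsNot Nothing Then
            ' Message mode: the initiator (client) certificate creates the primary
            ' signature over the body, so the service expects a signed Body element.
            Console.WriteLine("  Initiator token        = {0}", asym.InitiatorTokenParameters.GetType().Name)
        Else
            ' TransportWithMessageCredential: TransportSecurityBindingElement, no primary
            ' signature; the client certificate is an endorsing token whose signature
            ' must cover the timestamp, and TLS (HTTPS) protects the body instead.
            For Each p In sbe.EndpointSupportingTokenParameters.Endorsing
                Console.WriteLine("  Endorsing token        = {0}", p.GetType().Name)
            Next
        End If
    End Sub

    Sub Main()
        Describe("Message", BuildBinding(BasicHttpSecurityMode.Message))
        Describe("TransportWithMessageCredential", BuildBinding(BasicHttpSecurityMode.TransportWithMessageCredential))
    End Sub

End Module
```

Comparing the two dumps against what the third party actually sends (a body signature with or without a timestamp) narrows down which side of the exchange the "Signing without primary signature requires timestamp" fault is coming from.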

Answers