Soap header security was not understood

  • Question

  • Hi,

    I am trying to consume an external web service written in Java. The web service URL is exposed via https and the external vendor has provided me a client certificate to call the web service.

    My client environment is as follows

    Windows Form Application developed using C# (.NET 3.0)

    Steps followed to call the webservice

    1. Added a web reference through the WSDL provided by external vendor
    2. Installed the client certificate in Trusted Root CA and Personal store
    3. Called the respective web service using the following code snippet

       // Create & initialize request object -> generated through web reference
       // Assign Client Certificate to the request object
       X509Store store = new X509Store(StoreLocation.CurrentUser);
       store.Open(OpenFlags.ReadOnly);   // the store must be opened before Certificates is read
       X509Certificate2Collection certCollection = store.Certificates;
       X509Certificate2 certificate = null;
       // iterate through the certCollection, find the certificate and assign it to certificate object
       store.Close();
       // Add the certificate to the service object -> generated through web reference proxy class
       myWebService.ClientCertificates.Add(certificate);
       // myWebService.Proxy = WebProxy object initialized with my proxy server and credential details

       // Accept the certificate automatically, if it asks for confirmation
       System.Net.ServicePointManager.ServerCertificateValidationCallback +=
           delegate(object send,
                    System.Security.Cryptography.X509Certificates.X509Certificate pCertificate,
                    System.Security.Cryptography.X509Certificates.X509Chain pChain,
                    System.Net.Security.SslPolicyErrors pSSLPolicyErrors)
           {
               return true;
           };
       myWebService.AllowAutoRedirect = true;

       // call webservice whose URL is https://server/webservice....
       response = myWebService.ServiceRequest();


    The above call failed with "Soap header security was not understood" error.

    Would appreciate it if you could give me some direction in solving the above error.

    Thanks & Regards
    Arvind T N

    Wednesday, January 14, 2009 4:55 PM


  • It seems the response is signed. I'm not sure why this is needed as SSL is used but I guess this fact is given.

    Message level security requires that you use WSE2 or WSE3 extensions - only they can understand it. Also there are sometimes interoperability issues between .Net and Java so it is not guaranteed to work.

    If the body of the message is not encrypted then you can alternatively build a SOAP extension to change the mustUnderstand to "0". This will mean that the signature will not be validated. Since you use SSL I don't think it is required anyway.
    WCF Security, Performance And Testing Blog
    Thursday, January 15, 2009 9:53 PM
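
The SOAP extension described in the answer above could look like this for an ASMX web-reference proxy; it is an added example, not code from the thread or from either poster. The class name is hypothetical, and the code assumes a SOAP 1.1 envelope and that the rejected header's local name is Security, as the error text suggests.

```csharp
using System;
using System.IO;
using System.Web.Services.Protocols;
using System.Xml;

// Hypothetical class name; added example, not code from the thread.
public class RelaxSecurityHeaderExtension : SoapExtension
{
    // Assumption: SOAP 1.1 envelope (the default for ASMX web references).
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";

    Stream wire;          // stream handed to us by the framework
    MemoryStream buffer;  // stream the framework reads from / writes to

    public override Stream ChainStream(Stream stream)
    {
        wire = stream;
        buffer = new MemoryStream();
        return buffer;
    }

    public override object GetInitializer(Type serviceType) { return null; }
    public override object GetInitializer(LogicalMethodInfo method,
                                          SoapExtensionAttribute attribute) { return null; }
    public override void Initialize(object initializer) { }

    public override void ProcessMessage(SoapMessage message)
    {
        if (message.Stage == SoapMessageStage.AfterSerialize)
        {
            // Outgoing request: forward the serialized bytes unchanged.
            buffer.WriteTo(wire);
        }
        else if (message.Stage == SoapMessageStage.BeforeDeserialize)
        {
            // Incoming response: rewrite the header before the proxy parses it.
            XmlDocument doc = new XmlDocument();
            doc.PreserveWhitespace = true;
            doc.Load(wire);
            XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
            ns.AddNamespace("s", SoapNs);
            // Assumption: the rejected header's local name is "Security".
            XmlElement sec = doc.SelectSingleNode(
                "/s:Envelope/s:Header/*[local-name()='Security']", ns) as XmlElement;
            if (sec != null && sec.HasAttribute("mustUnderstand", SoapNs))
                sec.SetAttribute("mustUnderstand", SoapNs, "0");
            doc.Save(buffer);
            buffer.Position = 0;  // rewind so the proxy reads from the start
        }
    }
}
```

Register the class under `system.web/webServices/soapExtensionTypes` in the application's config file so it applies to the generated proxy. With the flag reset the response signature is never checked, and because the validation callback in the question always returns true, TLS does not authenticate the server either, so restore normal certificate validation if this workaround is used.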
