How to create an SSL channel (transport security mode with client certificate) and send a signed message through this channel

  • Question

  • Hi,

    I would like to use a WCF client to connect to a third-party Java web service. I have the WSDL and some simple description for Java clients, but I have no description or recommendation for .NET WCF. This Java service uses an HTTPS connection and, through this SSL channel, expects signed messages. I can set up the HTTPS/SSL channel from my WCF client (the first certificate is used as the client credential type), but I do not know how to send a signed message with the second certificate. In the WCF message and socket log I can see that the outgoing SOAP message was successfully sent to the Java web service (without a signature) and the Java web service sends a SOAP response with an error: "WSDoAllReceiver: Request does not contain required Security header". The response from the Java web service is not signed (it is a readable SOAP message without any security headers); only the request sent from my client to the Java web service has to be signed (the SOAP header must contain a signature of the request body).

    To set up the SSL channel I use this configuration (it works fine; I use the first certificate):

    <system.serviceModel>
    	<behaviors>
    		<endpointBehaviors>
    			<behavior name="CruBehavior">
    				<clientCredentials>
    					<clientCertificate findValue="17a34cf8d70455d92dc152b43b73de48ba59ff66" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
    				</clientCredentials>
    			</behavior>
    		</endpointBehaviors>
    	</behaviors>
    	<bindings>
    		<basicHttpsBinding>
    			<binding name="CruBindingHttps">
    				<security mode="Transport">
    					<transport clientCredentialType="Certificate" />
    				</security>
    			</binding>
    		</basicHttpsBinding>
    	</bindings>
    	<client>
    		<!-- The endpoint has to reference the binding defined above (basicHttpsBinding / CruBindingHttps). -->
    		<endpoint address="https://wsd2.cnb.cz/cruuzmvd/services/cruuzmvdPort" behaviorConfiguration="CruBehavior" binding="basicHttpsBinding" bindingConfiguration="CruBindingHttps"
    		contract="TestCallAllCb3Services.Interfaces.ICru" name="Cru" />
    	</client>
    </system.serviceModel>

    But I do not know how to sign the message with the second certificate. I found a solution using the SecureMessage method in WSE, but none for WCF itself (without WSE). It seems that this is not a common situation.

    Any ideas or solutions would be fine.

    Saturday, August 13, 2016 11:34 AM

All replies

  • Hi martinek,

    >> I would like to use WCF client to connect to third party Java web service - I have wsdl, and some simple description for Java clients, but I have none description or recomendation for .Net WCF.

    To use a WCF client to connect to a Java web service, I suggest you refer to the link below:

    # WCF client to Java web service

    http://www.irasenthil.com/2010/10/wcf-client-to-java-web-service.html

    Based on your description, it seems you have the Java service WSDL and a description for Java clients. If so, I suggest you compare the differences between the WCF client request and the Java client request in Fiddler.

    Based on the error message, it seems you need to include security headers in the WCF calls; I suggest you refer to the link below:

    # WSDoAllReceiver: Incoming message does not contain required Security header

    http://stackoverflow.com/questions/3922240/wsdoallreceiver-incoming-message-does-not-contain-required-security-header

    Best Regards,

    Edward

    Monday, August 15, 2016 10:49 AM
  • Thanks Edward, sorry for the long time to reply. I was on holiday.

    The right request has to have security headers, as in this example (it is an example from the company where the Java web service is running):

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    	<soapenv:Header>
    		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
    			<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-44602933">
    			...here is 'strewn Chinese tea' (it is not the signature; so far I do not know what it is exactly)...</wsse:BinarySecurityToken>
    			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-9470766">
    				<ds:SignedInfo>
    					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    					<ds:Reference URI="#Timestamp-26285048">
    						<ds:Transforms>
    							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    						</ds:Transforms>
    						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    						<ds:DigestValue>GgsEMCYlruuXb0Z0zkMSxkiphyI=</ds:DigestValue>
    					</ds:Reference>
    					<ds:Reference URI="#id-25675100">
    						<ds:Transforms>
    							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    						</ds:Transforms>
    						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    						<ds:DigestValue>Yb13xm9c8Oj2MuMGcmKG2oYnXQk=</ds:DigestValue>
    					</ds:Reference>
    				</ds:SignedInfo>
    				<ds:SignatureValue>
    QXjWpnaCHCQ//VHcjUp1zPjLP+U0mOazuJDiopT/7Igfwg/XFzUGynQpZdnaT0lPraL/AfS699JS
    IyQ+EHMMgN19GIYAKn46rHgZNHy1MEOYO8qZ+SpVQFozFy8cgAJI95joGZinH3iRdP01I9IPr6qW
    P0DXp239bUYc6rSpMjHpDf3J5FeBupeUHui7U8ONSppgj4Abnt5RXU9rKIQD8MsUs+9oOqVyPpN3
    DQN+AL/94CQdFDy4paYKZBLbI5Hyvsw64B8DnksEVaMbsHtcdOyJNSpIhisPg6TpDxAZi6H+1LXb
    BbrThaupPk2QWAYLhpjy+bOnXiUMrBZYbpAEOQ==
    				</ds:SignatureValue>
    				<ds:KeyInfo Id="KeyId-8440521">
    					<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-9065611">
    						<wsse:Reference URI="#CertId-44602933" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    					</wsse:SecurityTokenReference>
    				</ds:KeyInfo>
    			</ds:Signature>
    			<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-26285048">
    				<wsu:Created>2010-11-19T09:07:13.449Z</wsu:Created>
    				<wsu:Expires>2010-11-19T09:12:13.449Z</wsu:Expires>
    			</wsu:Timestamp>
    		</wsse:Security>
    	</soapenv:Header>
    	<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-25675100">
    		<loadQueryRequest xmlns="http://cnb.cz/cruuz/datatypes">
    			<K_OPER>D</K_OPER>
    			<MESIC_OD xsi:nil="true"/>
    			<MESIC_DO xsi:nil="true"/>
    			<ID_KLIENT xsi:nil="true"/>
    			<K_OSOBA>PA</K_OSOBA>
    			<ICO>123456789</ICO>
    			<Z_ECO xsi:nil="true"/>
    			<O_NAZEV xsi:nil="true"/>
    			<ZEME_S xsi:nil="true"/>
    			<RC xsi:nil="true"/>
    		</loadQueryRequest>
    	</soapenv:Body>
    </soapenv:Envelope>

    My request has the right body but is missing the whole security header. My SOAP body is almost the same as in the example (but that is not the problem):

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    	<s:Header>
    		<ActivityId CorrelationId="01557c46-427f-4df6-b822-e283288f2ff9" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">579a3be3-3d13-4ec2-8e2d-a3a8c8b919f6</ActivityId>
    	</s:Header>
    	<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    		<loadQueryRequest xmlns="http://cnb.cz/cruuzmvd/datatypes">
    			<K_OPER>D</K_OPER>
    			<MESIC_OD xsi:nil="true"/>
    			<MESIC_DO xsi:nil="true"/>
    			<ID_KLIENT xsi:nil="true"/>
    			<K_OSOBA xsi:nil="true"/>
    			<ICO>74972375</ICO>
    			<Z_ECO xsi:nil="true"/>
    			<O_NAZEV xsi:nil="true"/>
    			<ZEME_S xsi:nil="true"/>
    			<DAT_NAR_FN xsi:nil="true"/>
    			<ULICE_S xsi:nil="true"/>
    			<C_DOMU_S xsi:nil="true"/>
    			<MESTO_S xsi:nil="true"/>
    			<PSC_S xsi:nil="true"/>
    			<POBOX_S xsi:nil="true"/>
    			<DIC xsi:nil="true"/>
    			<P_FORMA xsi:nil="true"/>
    			<NACE xsi:nil="true"/>
    			<PODPRAH_UZ xsi:nil="true"/>
    			<UCEL_UV xsi:nil="true"/>
    			<PRODL_F_UZ xsi:nil="true"/>
    			<SPLAT_F_UZ xsi:nil="true"/>
    		</loadQueryRequest>
    	</s:Body>
    </s:Envelope>

    The only problem is the missing security headers, and I just do not know how to add these headers using my WCF client; I have not found any recommended Microsoft example of how to use a WCF client in this case (how to use transport mode with one certificate as the credential and also sign the request with another certificate). The second tip you sent me looks like the right way. So far I have not had any time to try it and to add the missing elements to the header:

    • wsse:BinarySecurityToken - maybe it is the whole encrypted public part of the certificate (??)
    • ds:Signature - I suppose it is the signature of the raw request with information (for example ds:KeyInfo) about the certificate (?). To create this signature I suppose I have to use the second certificate.
    • wsu:Timestamp

    The response from the Java web service is OK. It has no signature. So the only problem is the security headers in the WCF client request.

    I will try the solution from the second tip, maybe during September, and after that I will post my result here. It has a lower priority now.



    • Edited by martinek.t Wednesday, August 24, 2016 9:02 AM Try to set missing mail alert
    Wednesday, August 24, 2016 8:58 AM
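The three header elements listed above (BinarySecurityToken, Signature over Timestamp and Body, Timestamp), as an added C# example that is not code from this thread or from the Java service's operator: it builds the wsse:Security block with System.Security.Cryptography.Xml using a separate X509Certificate2 that holds the signing key, so the message-signing certificate stays independent of the ClientCredentials certificate that authenticates the HTTPS connection. Assumptions: .NET Framework 4.6.2 or later (GetRSAPrivateKey and the SHA-256 URIs), the envelope is available as an XmlDocument before it is serialized, WsuSignedXml and WsSecuritySigner are hypothetical names, and wiring the call into the WCF pipeline (for example from IClientMessageInspector.BeforeSendRequest) is not shown.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

sealed class WsuSignedXml : SignedXml // stock SignedXml resolves only a plain "Id" attribute; WS-Security uses wsu:Id
{
    public WsuSignedXml(XmlDocument doc) : base(doc) { }
    public override XmlElement GetIdElement(XmlDocument doc, string id) => doc.SelectSingleNode(
        "//*[@*[local-name()='Id' and namespace-uri()='" + WsSecuritySigner.Wsu + "']='" + id + "']") as XmlElement ?? base.GetIdElement(doc, id);
}

static class WsSecuritySigner
{
    public const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    const string B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // Adds wsse:Security (BinarySecurityToken, Signature over Timestamp + Body, Timestamp) to a SOAP 1.1 envelope.
    public static void Sign(XmlDocument env, X509Certificate2 signingCert)
    {
        XmlElement root = env.DocumentElement, body = root["Body", Soap] ?? throw new InvalidOperationException("no Body");
        XmlElement header = root["Header", Soap] ?? (XmlElement)root.PrependChild(env.CreateElement(root.Prefix, "Header", Soap));
        string bodyId = "id-" + Guid.NewGuid().ToString("N"), tsId = "Timestamp-" + Guid.NewGuid().ToString("N"), certId = "CertId-" + signingCert.Thumbprint;
        Attr(env, body, "wsu", "Id", Wsu, bodyId);
        XmlElement sec = El(env, header, "wsse", "Security", Wsse); Attr(env, sec, root.Prefix, "mustUnderstand", Soap, "1");
        XmlElement bst = El(env, sec, "wsse", "BinarySecurityToken", Wsse); Attr(env, bst, "wsu", "Id", Wsu, certId);
        bst.SetAttribute("EncodingType", B64); bst.SetAttribute("ValueType", X509v3);
        bst.InnerText = Convert.ToBase64String(signingCert.RawData); // the token is just the DER certificate, base64-encoded
        XmlElement ts = El(env, sec, "wsu", "Timestamp", Wsu); Attr(env, ts, "wsu", "Id", Wsu, tsId);
        DateTime now = DateTime.UtcNow; const string Fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'";
        El(env, ts, "wsu", "Created", Wsu).InnerText = now.ToString(Fmt);
        El(env, ts, "wsu", "Expires", Wsu).InnerText = now.AddMinutes(5).ToString(Fmt); // five-minute replay window, as in the sample
        var sx = new WsuSignedXml(env) { SigningKey = signingCert.GetRSAPrivateKey() };
        sx.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        sx.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // the 2010 sample shows rsa-sha1; drop to SHA-1 only if the service rejects SHA-256
        foreach (string id in new[] { tsId, bodyId }) // one Reference per signed part, exclusive c14n as in the sample
        {
            var r = new Reference("#" + id) { DigestMethod = SignedXml.XmlDsigSHA256Url };
            r.AddTransform(new XmlDsigExcC14NTransform()); sx.AddReference(r);
        }
        XmlElement str = env.CreateElement("wsse", "SecurityTokenReference", Wsse), tokenRef = El(env, str, "wsse", "Reference", Wsse);
        tokenRef.SetAttribute("URI", "#" + certId); tokenRef.SetAttribute("ValueType", X509v3);
        sx.KeyInfo.AddClause(new KeyInfoNode(str)); sx.ComputeSignature(); // KeyInfo points back at the token, as in the sample
        sec.InsertBefore(env.ImportNode(sx.GetXml(), true), ts); // token, Signature, Timestamp: same order as the sample
    }
    static XmlElement El(XmlDocument d, XmlElement p, string prefix, string name, string ns) => (XmlElement)p.AppendChild(d.CreateElement(prefix, name, ns));
    static void Attr(XmlDocument d, XmlElement e, string prefix, string name, string ns, string value) { var a = d.CreateAttribute(prefix, name, ns); a.Value = value; e.SetAttributeNode(a); } // explicit prefix so serialization and c14n agree
}
```

Whether the Java endpoint also insists on the signed Timestamp or on rsa-sha1 is something only its WSS4J configuration can tell you, so compare the generated header against the sample in Fiddler as suggested above before changing algorithms.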