WCF Client to connect to datapower service using different certificates for encryption and signing

  • Question

  • Hello,

    We are developing a .net wcf client that connects to a datapower service.

    The service needs the client to encrypt with one certificate (Certificate A) and validate response signature with a different certificate (Certificate B).

    Microsoft has a fully documented procedure to achieve this (https://docs.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-use-separate-x-509-certificates-for-signing-and-encryption?redirectedfrom=MSDN), but it seems to need ws-addressing (because, for this example to work, it needs CompositeDuplexBindingElement and OneWayBindingElement).

    We don't have any control over the service, and we have been told that it cannot be changed.

    What do we need to do to make our client connect to a datapower service under those circumstances? We cannot use ws-addressing. Is it possible to achieve this for a wcf client?

    In advance, thanks.

    Friday, January 24, 2020 11:27 PM

All replies

  • We are developing a .net wcf client that connects to a datapower service.

    Is the service a WCF service? Because if not, the connection cannot be made to a non-WCF service from a WCF client.

    Sunday, January 26, 2020 1:05 PM
  • Hi,
    As far as I know, if a new ClientCredentials object is generated by inheriting ClientCredentials, it is possible to specify multiple certificates for signature and encryption during communication.
    But these changes are implemented on the server side, and we cannot implement the security feature on the client side separately. Only after the server-side configuration is complete do we need to specify additional certificates on the client side for encryption and signing.
    It is already a secure solution that the client and the server each use a single certificate for signing and encryption. I don't think it's necessary to use multiple certificates; otherwise, what is the point of the security significance of a single certificate?
    Feel free to let me know if there is anything I can help with.
    Best Regards
    Abraham
    Monday, January 27, 2020 6:07 AM
    Moderator
  • The service is a DataPower service.

    The client is a WCF client.

    Monday, January 27, 2020 1:06 PM
  • Hi Abraham,

    The service is already built like that (it expects to receive requests encrypted with Certificate A, and signs the response with Certificate B). I cannot do anything to change it; it is a bank service and they did it that way. So, asking about the correctness or not of using two different certificates would be interesting for academic purposes, but not for this particular need.

    As long as this is already done on the server side, can you share the source code of the client side, that uses one certificate for signature and another for encryption? 

    Thanks.

    John.

    Monday, January 27, 2020 1:12 PM
  • Hi,
    You can follow the steps in the official documentation. 
    https://docs.microsoft.com/en-us/dotnet/framework/wcf/extending/how-to-use-separate-x-509-certificates-for-signing-and-encryption?redirectedfrom=MSDN
    According to the documentation, the service should be created by a compatible custom binding; otherwise the service channel created by the custom binding may not consume the service correctly. However, according to your description above, your server is not WCF.
    I advise you to try to implement a custom ClientCredentials class and a ClientCredentialsSecurityTokenManager class that use the particular certificates (signing and encryption), and subsequently apply it on the client channel created by the custom binding.
    I haven't used it before. This is a complex task. Note that the specified certificates must be consistent with the server's signature and encryption certificates. That is all I know; I wish you good luck.
    Best Regards
    Abraham
    Tuesday, January 28, 2020 3:16 AM
    Moderator
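  • The class structure Abraham refers to (a ClientCredentials subclass whose security token manager hands WCF a different X.509 certificate depending on message direction and key usage), as an added example that is not part of this thread and not the Microsoft article's own code. The type names SplitCertClientCredentials and SplitCertSecurityTokenManager, the properties ClientSigningCertificate, ServiceEncryptingCertificate and ServiceSigningCertificate, and the use of a single client certificate for both signing and decryption are assumptions of this example; "Certificate A" and "Certificate B" follow the thread's own naming. Only the token-provider side is shown; the binding itself, and whether an AsymmetricSecurityBindingElement can be made to talk to the DataPower service without WS-Addressing, is exactly the open question of the thread and is not decided here.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Hypothetical credentials type (assumed name) carrying the three certificates
// this scenario needs: our own key, the service's encryption cert (Certificate A)
// and the service's signing cert (Certificate B).
public class SplitCertClientCredentials : ClientCredentials
{
    public X509Certificate2 ClientSigningCertificate { get; set; }     // signs our requests, decrypts replies
    public X509Certificate2 ServiceEncryptingCertificate { get; set; } // Certificate A: encrypt requests to it
    public X509Certificate2 ServiceSigningCertificate { get; set; }    // Certificate B: verify response signature

    public SplitCertClientCredentials() { }

    // Copy constructor: WCF clones credentials when a channel factory opens.
    protected SplitCertClientCredentials(SplitCertClientCredentials other) : base(other)
    {
        ClientSigningCertificate = other.ClientSigningCertificate;
        ServiceEncryptingCertificate = other.ServiceEncryptingCertificate;
        ServiceSigningCertificate = other.ServiceSigningCertificate;
    }

    // WCF asks the credentials for a token manager; return ours instead of the default.
    public override SecurityTokenManager CreateSecurityTokenManager()
    {
        return new SplitCertSecurityTokenManager(this);
    }

    protected override ClientCredentials CloneCore()
    {
        return new SplitCertClientCredentials(this);
    }
}

// Hypothetical token manager (assumed name). WCF calls CreateSecurityTokenProvider once
// per token the binding needs; the requirement's message direction and key usage tell
// us which certificate is being asked for.
public class SplitCertSecurityTokenManager : ClientCredentialsSecurityTokenManager
{
    private readonly SplitCertClientCredentials creds;

    public SplitCertSecurityTokenManager(SplitCertClientCredentials creds) : base(creds)
    {
        this.creds = creds;
    }

    public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement req)
    {
        // Non-X.509 requirements (e.g. derived keys) keep the stock behaviour.
        if (req.TokenType != SecurityTokenTypes.X509Certificate)
            return base.CreateSecurityTokenProvider(req);

        MessageDirection direction = req.GetProperty<MessageDirection>(
            ServiceModelSecurityTokenRequirement.MessageDirectionProperty);

        X509Certificate2 cert;
        if (direction == MessageDirection.Output)
        {
            // Outgoing request: sign with our key, encrypt to the service's Certificate A.
            cert = req.KeyUsage == SecurityKeyUsage.Signature
                ? creds.ClientSigningCertificate
                : creds.ServiceEncryptingCertificate;
        }
        else
        {
            // Incoming response: the signature is checked against Certificate B;
            // anything encrypted to us is decrypted with our own key.
            cert = req.KeyUsage == SecurityKeyUsage.Signature
                ? creds.ServiceSigningCertificate
                : creds.ClientSigningCertificate;
        }

        // Fail loudly at channel-open time rather than sending an unprotected message.
        if (cert == null)
            throw new InvalidOperationException(
                "No certificate configured for " + direction + "/" + req.KeyUsage);

        return new X509SecurityTokenProvider(cert);
    }
}

public static class SplitCertWiring
{
    // Replace the default ClientCredentials behaviour on a channel factory
    // (assumed helper; the custom binding itself must be built separately).
    public static void Apply<TChannel>(ChannelFactory<TChannel> factory,
        X509Certificate2 clientCert, X509Certificate2 certA, X509Certificate2 certB)
    {
        var creds = new SplitCertClientCredentials
        {
            ClientSigningCertificate = clientCert,
            ServiceEncryptingCertificate = certA,
            ServiceSigningCertificate = certB,
        };
        factory.Endpoint.EndpointBehaviors.Remove(typeof(ClientCredentials));
        factory.Endpoint.EndpointBehaviors.Add(creds);
    }
}
```

    Two points worth checking against the bank's requirements before relying on this: the Microsoft article also overrides CreateSecurityTokenAuthenticator, which is omitted above, so trust validation of Certificates A and B still goes through the stock ServiceCertificate.Authentication settings (chain trust by default) and should be reviewed rather than assumed; and the branch that maps MessageDirection.Input plus a non-signature key usage to ClientSigningCertificate assumes one client certificate covers both signing and decryption, which is this example's simplification, not something the thread states.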