Im consuming a SOAP web service which has two-way SSL enabled. So I provided the client cert ( public key) to the server and configured the private key in my SOAP UI client project. Im able to consume the web service. But what I do not understand is, shouldn't I confugure server's certificate ( that can be extacted using the endpoint through browser) explicitly in SOAP UI to enable two way SSL? or SOAPUI takes care of if automatically?
Seems that in SOAP UI there is no SSL verification, since it's bypassing it by code. In the main class which starts the application, there is a call to SecureTools.setTrustSSL(); in main(args[]) method. If you check what SecureTools.setTrustSSL() method does, it modifies SSL default context factory with a trustManager which not does any check.
Related
I added the service to the WCF Test Client app and I get Service Added Successfully, but I don't see any of the operations available.
This WCF service is already being consumed by several javascript charts, so I should be able to see something here.
What am I doing wrong?
By default, WCFTestclient doesn’t support call the Restful service by using a client proxy. WCF creates the Restful style service with WebHttpbinding. thereby the client proxy class generates nothing thought the service WSDL is available.
Besides, we are capable of making a successful call to the service by using a client proxy. please refer to the below link.
WCF: There was no endpoint listening at, that could accept the message
the above client proxy class is generated by adding service reference.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/accessing-services-using-a-wcf-client
Here is a detailed exposition of WCFTestClient from Microsoft document.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/wcf-test-client-wcftestclient-exe?redirectedfrom=MSDN
Feel free to let me know if there is anything I can help with.
I have a WCF service hosted in IIS. The service is mandated to be basicHttpBinding. There is IBM DataPower in front of the WCF service that exposes it to outside world.
I am writing a WCF client app (inheriting from ClientBase) that has to encrypt the message body using a pre-shared public key and DataPower will decrypt it and forward the message to the hosting server. As for responses, DataPower will encrypt it and the client should be able to decrypt the responses received. One way to achieve this (that I could think of) is using IClientMessageInspector and use the BeforeSendRequest() to encrypt AfterReceiveReply() to decrypt. Before going this route, I wanted to know what other options are available to achieve this?
Usually the pattern is to use SSL which is easy to work with in DataPower and WCF clients. I'm not sure how easy it is to configure message level encryption in DataPower. If you insist on message level encryption first check if DP dsupports the standard WS-Security approach, in which case configuring the WCF client is easy (basic http binding with security mode of message and client credential type of certificate or username, but of course depend if you want to configure client auth).
Yes datapower supports WS-Security standard and you can play around any part or whole of messages for encryption/decryption. The only thing you need to weight here is whether to use PKI or symmetric encryption/decryption technique while playing with message level security.
I am using wsHttpBinding to call a WCF web service. When I look into the Fiddler2, I see multiple calls to the server before calling my actual OperationContract.
From this post I understood what these service calls are doing.
However, I want to know if there is any way to avoid these calls after first successful service call.
In my application, the web service is called so frequently that 3-4 additional calls per actual call to web service operation will not be accepted.
As you mentioend what happens is that WCF negotiates for a key. More details in here.
You have a few options:
set negotiateServerCredential and establishSecurityContext to false (this would require the client to have the server certificate out of band)
change to a different security mechanism (user name auth, or transport with SSL)
stay with the current situation. Once the negotiation is established no more extra calls are made. They happen once per proxy generation.
There is no way to make the negotiation process shorter. It consists of several message exchanges since this is the WS-Trust protocol.
i have a wcf rest service hosted on iis which is ssl enabled. i have both a console application and a browser as client. Is it possible to implement ssl on the console app? is possible, any idea or links to related resources will be greatly helpful.
If you want to use mutual SSL with a REST service from your console application, you can use the WebChannelFactory class.
http://msdn.microsoft.com/en-us/library/bb908674.aspx
The client certificate is set using the WebChannelFactory.Credentials property. The advantage of this approach is that you can set the certificate in connnnfiguration so you can change it later without recompiling.
Alternatively, you can use the HttpWebRequest class and its ClientCertificates property.
I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
you can use a certificate to sign the WCF messages (it's all in the WCF Settings) on both sides (client and server)
Here is some detailed explanation:
Message Security