Consuming a DataPower service which is not WCF and involving X509 cert in a Console Application - httpwebrequest

I have a service which is not built in .Net and requires an X509 certificate authentication. The service requires a SOAP string to be sent. I have built the SOAP manually and added the X509 cert to the HttpWebRequest, but when I read the response I get the "Service Not Authenticated" response.
However, when I use the same SOAP string from the SoapUI client, right-click and add the outgoing WSS -> "Apply Cert name", it adds the wsse:Security elements dynamically, and then when I run the request it gives me the response.
So, the question I have is: how do I add the wsse:Security elements using the X509 cert dynamically in the headers?
Any help is appreciated.
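Added example, not code from the question or from any answer: attaching the certificate to the HttpWebRequest only performs TLS client authentication, whereas the wsse:Security header that SoapUI generates is message-level WS-Security (a BinarySecurityToken carrying the certificate plus an XML signature over the Body that references it). The helper below builds that header in C#; WsseSigner and its member names are assumptions, and it assumes .NET Framework 4.6.2 or later (or .NET Core), an envelope that already contains a Header element, and an X509Certificate2 loaded together with its private key.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
static class WsseSigner
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    const string Base64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // SignedXml resolves only un-namespaced Id attributes; WS-Security references use wsu:Id.
    class WsuSignedXml : SignedXml
    {
        public WsuSignedXml(XmlDocument d) : base(d) { }
        public override XmlElement GetIdElement(XmlDocument d, string id) =>
            d.SelectNodes("//*[@*[local-name()='Id']]").Cast<XmlElement>()
             .FirstOrDefault(e => e.GetAttribute("Id", Wsu) == id) ?? base.GetIdElement(d, id);
    }
    static void SetWsuId(XmlElement e, string id) =>
        e.Attributes.Append(e.OwnerDocument.CreateAttribute("wsu", "Id", Wsu)).Value = id;
    // Adds <wsse:Security> carrying the certificate as a BinarySecurityToken plus a signature over the Body.
    public static string Sign(string envelope, X509Certificate2 cert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };  // byte-stable serialisation for the digest
        doc.LoadXml(envelope);
        SetWsuId((XmlElement)doc.GetElementsByTagName("Body", doc.DocumentElement.NamespaceURI)[0], "Body-1");
        var security = doc.CreateElement("wsse", "Security", Wsse);
        var bst = (XmlElement)security.AppendChild(doc.CreateElement("wsse", "BinarySecurityToken", Wsse));
        bst.SetAttribute("EncodingType", Base64);
        bst.SetAttribute("ValueType", X509v3);
        SetWsuId(bst, "X509-1");
        bst.InnerText = Convert.ToBase64String(cert.RawData);  // public certificate only, never the key
        doc.GetElementsByTagName("Header", doc.DocumentElement.NamespaceURI)[0].AppendChild(security);
        var signed = new WsuSignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        signed.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signed.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("#Body-1") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signed.AddReference(reference);
        // KeyInfo points at the token through a SecurityTokenReference rather than a bare X509Data.
        var str = doc.CreateElement("wsse", "SecurityTokenReference", Wsse);
        var tokenRef = (XmlElement)str.AppendChild(doc.CreateElement("wsse", "Reference", Wsse));
        tokenRef.SetAttribute("URI", "#X509-1");
        signed.KeyInfo.AddClause(new KeyInfoNode(str));
        signed.ComputeSignature();
        security.AppendChild(doc.ImportNode(signed.GetXml(), true));
        return doc.OuterXml;
    }
}
```

Send the returned string as the request body with the same HttpWebRequest; if the service policy also demands a signed wsu:Timestamp, add it under Security with its own wsu:Id and a second Reference.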

Related

How do I attach the client certificate to a SOAP request?

I have a VB.NET website configured in IIS to use client certificate authentication.
When a user opens website url, he gets a popup to choose the certificate. Once the user is on the web page there is a button, clicking this will make a SOAP request to a 3rd party.
Presently I am able to use a single certificate stored on the server to make the SOAP request (by attaching the certificate). Thus the same certificate is used irrespective of which user clicks on the button.
How do I attach the client certificate of the respective user to a SOAP request? Is this possible?
Simply attaching the public certificate of the client makes little sense. If you need to co-sign the SOAP request with the client certificate, then you need to send the unsigned SOAP request to the client (say, the client downloads the request from your web site), sign it, send it to the server, allow the server to co-sign the SOAP request and then submit this SOAP request to the 3rd party.
You cannot upload the client certificate to the server in order to do SOAP signing on the server. It is an unsupported and vulnerable approach. The client certificate's private key (which is used to sign data) MUST NEVER leave the client machine/device. If you need to sign anything with the client certificate, the signing operation must be performed on that client only.

X.509 certificate with WCF service

I have created a WCF service with an X.509 certificate. I took a reference from this article: http://www.codeproject.com/Articles/36683/simple-steps-to-enable-X-certificates-on-WCF. Now it requires a certificate to be sent along with the request to the server in order to access the service. My question is: does using an X.509 certificate in the request encrypt the message to be sent to the server, or do I have to do anything more to do it?
A client sending a request to a WCF service should only require a public key to start off. If you have your service (and client) configured correctly, WCF should automatically handle the authentication / encryption before the transmission of your request content.
As I understand it, your client does not need a X509 cert.

wcf client certificate validation

We have a WCF service hosted in IIS. We would like to restrict the client callers to known clients, so we implemented a custom X509CertificateValidator. The service is configured with the WSHttpBinding binding and IIS is set to SSL and Require Client Certificate. Everything is working as expected.
However, we found that we have other aspx pages hosted within the same site that should not require client certificate. It breaks our usage pattern.
I read that turning the IIS setting from Required Client Certificate to Accept Client certificate does not work. I tried this out, while still passing in the client cert from client and it seems to invoke my custom validator. However, using wcf proxy library, I'm unable to call it without a client cert to verify not passing one in.
If "accept client certificate" is not an option, what is the best alternative? Adding some type of message inspector?
Thanks very much in advance.

Separating as a client the server's transport and message signature certificates with WCF

I am currently in the process of integrating a WCF client into a java web service. The server requires the client to authenticate via certificate using SSL and the message to be signed.
I have successfully sent the message to the server through SSL, Signed, etc. However, the server response message is also signed but with a different certificate than the one used to authenticate the server.
The WCF client doesn't like this behavior. It failed with the message: "The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected." The problem is described here in detail.
Looking around on Google I found it is possible to decouple the client's transport certificate from the signing certificate by implementing ClientCredentials and other security related classes, and adding a new extension. You can read all the details about it here. However I'm having some trouble figuring out where exactly I have to extend to provide this same behavior for the server's certificate on the client side.
Any help on the subject or reference would be appreciated.
Thanks in advance.
Have a look here
This shows you how to create a custom ServiceCredentialsSecurityTokenManager that allows you to specify the various message signing and encryption certificates for requests and responses to and from the server.
I emphasise message because the problem as you describe it appears to me to be message security validation. The transport security is separate from the mechanism used to validate the message security, i.e. the message signature and message decryption.
Ignore the transport security, as this is lower down in the WCF pipeline and appears to be working correctly from your description. A separate concern is the message security. It appears that you need to be able to use a certificate for decrypting the response and a certificate for verifying the signature. The above article shows an example for enabling this type of certificate management, and it does detail how you could create behaviours and extensions to apply this to your client, which is a separate concern. This depends on how you want to configure your proxies, i.e. through code or through configuration.
The example article you linked to is not a complete implementation for what you require; it only provides for a certificate for signing and a certificate for the transport client credentials.
You could create a hybrid ServiceCredentialsSecurityTokenManager that provides the transport certificate and the signing and decryption; this should be clear enough from looking at the SecurityTokenRequirement documentation.

Can I Validate x509 ClientCertificate on a WCF web service?

Do not really know how x509 works.
If I have a Web Service that needs to authenticate and validate the client, and he uses a ClientCertificate, could he send me some information that I could then validate against?
I do not create the Web Site itself so I can't be sure they would do it right. I don't want to allow someone to say to the Web Service "It's okay, I ClientCertificated him and he's good".
You can implement your own custom client certificate validator, but its usage will be different based on how you use the client certificate. If you use pure message security, your validator will be the only component used to validate the certificate. If you use HTTPS with a client certificate (transport security), the certificate will first be validated by Windows (= your service hosting server must trust the certificate) and after that it will be passed to WCF and validated by your validator.
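Added example, not code from any of the posts: a custom X509CertificateValidator for the "known clients only" requirement raised in the WCF validation question above, with the transport-versus-message ordering from the last answer noted in its comments. The class name, the thumbprint allow-list and the Install helper are assumptions; thumbprints are compared as X509Certificate2.Thumbprint returns them (hex, no spaces).

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts only certificates on a fixed allow-list that also build a valid, unrevoked chain.
public class KnownClientValidator : X509CertificateValidator
{
    readonly HashSet<string> allowedThumbprints;

    public KnownClientValidator(IEnumerable<string> thumbprints) =>
        allowedThumbprints = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);

    // Code-based wiring, equivalent to certificateValidationMode="Custom" in the service config.
    public static void Install(ServiceHost host, IEnumerable<string> thumbprints)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new KnownClientValidator(thumbprints);
    }

    // WCF calls this for every client certificate. With transport (HTTPS) security Windows has
    // already checked the chain before this runs; with message security this is the only check.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException(nameof(certificate));

        // Allow-list first: the caller must be one of the known clients, not merely "some valid cert".
        // Thumbprint is the SHA-1 of the DER encoding; pin SHA-256 of RawData if policy forbids SHA-1.
        if (!allowedThumbprints.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Subject + " is not a known client.");

        // Then chain, validity period and revocation, so a pinned-but-revoked cert is still refused.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(certificate))
            throw new SecurityTokenValidationException("Client certificate chain failed: " +
                string.Join(", ", chain.ChainStatus.Select(s => s.Status)));
    }
}
```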