I have deployed Orchestration as WCF service.
I've implemented WCF CustomIsolated, BasicHttp binding,
TransportWithMessageCredential scurity.
I am getting Signed message (with WS-Scurity Header).
But the response which is going back to client requires to be signed by
my Signing certificate. As of now Response going back to client only
contains a timestamp in the Security header .
How to configure the WCF response to be signed with the Signing Certificate?
You must first install the certificate on the computer running BizTalk Server. To do this you can try following these steps:
On the windows start menu click 'Run', type mmc and press enter;
A 'Console1' windows will apear. Click on the 'File' menu and then on 'Add/Remove Snap-in';
In the 'Add or Remove Snap-ins' dialog box, in the Available snap-ins list, double-click Certificates. Check 'Computer account', click next and then click finish.
Back in the 'Add or Remove Snap-ins' window click OK;
In the Console1 window expand Certificates, right-click 'Other People'->All Tasks->Import;
On the wizzard click next, and on the 'File to import' page click browse;
Browse to your certificate location and open the certificate.
Click next, next again and then click finish;
On the Wizard message box click OK;
Now you can configure your Send Port in Biztalk Server. Double-click the port, and on the left side click 'Certificates'. Choose your certificate and confirm.
You should now be able to sign your outgoing message
Related
I'm trying to run a REST call test case in SoapUI, and I need an ssl keystore - certificate verificaton for all the tests except one where I check if it rejects calls without a cert.
Is there a way to disable the cert with setup scripts or any other way without removing it from the ssl preferences for that test only?
One way to do it is via the following groovy code:
testRunner.testCase.testSteps['Step Name'].testRequest.setSslKeystore(new EmptyWssCrypto())
(Source: https://community.smartbear.com/t5/API-Functional-Security-Testing/Set-SSL-Keystore-using-Groovy-on-Test-Step-level/td-p/195889)
You can also do it by setting your Keystore on a project level (double-click on your project -> Click on Tab WS-Security Configurations -> Click on Keystore -> Click "+" and choose Keystore)
If this is set up you can choose between Keystores for each Request on your "Request Properties" at the bottom left:
So if you don´t pick any Keystore here it should lead to the behaviour you are looking for.
Is there a way to get Fiddler 4.6.2.3 to send Basic Authentication credentials to an upstream proxy ONLY when the Fiddler "Manual Proxy Configuration" has been activated? I know how to configure Fiddler to send Basic Auth credentials with every HTTP request, but I want to turn Fiddler's "Manual Proxy Configuration" feature on/off as I test my applications. When the Manual Proxy Configuration is "off" I don't want Fiddler sending Basic Auth credentials because Fiddler will be configured to use my Windows' System Proxy and its IP. When the Manual Proxy Configuration is turned "on" I want the Basic Auth credentials sent to the upstream proxy so that I can use the proxy's IP.
I know I can change this directly in IE11 (I'm on a Windows 7 Pro 64-bit laptop) settings, but I don't want to do that, because I want to manage this "on/off" functionality from a single application. In my case, I'd like this to be Fiddler. I looked for a flag associated with the "Manual Proxy Configuration" in the Debugging With Fiddler - Second Edition book, but didn't see anything. Is my request possible, and if so, how?
Thanks In Advance For Your Help -
Thanks To Eric Lawrence (the author of Fiddler) for this answer (via e-mail).
Step 1: Click Rules>Customize. The FiddlerScript Editor will open.
Step 2: Just after the very beginning of the class Handlers { add the following code:
// Use a fixed proxy IP with Basic authentication
public static RulesOption("Use Auth-Proxy")
var bUseAuthProxy: boolean = false;
Step 3: Inside the OnBeforeRequest function (further down in the Handlers class code) add the following code:
if (bUseAuthProxy) {
oSession["X-OverrideGateway"] = "myAuthenticatingProxy:8080";
oSession.RequestHeaders["Proxy-Authorization"] = "Basic yourbase64stringhere";
}
Don't forget the closing right-brace (like I did!) in the above code snippet (it's so easy to overlook!). If you forget the right-brace, the "Use Auth-Proxy" option won't appear in the "Rules" menu.
The string "myAuthenticatingProxy:8080" is the IP and port number for your proxy server in the form of IP:Port Number. Make sure that the IP and port number are separated by a colon (":"), that it is double-quoted, and that the code line ends with a semicolon.
The string for your authentication credentials MUST start with the word "Basic" (which indicates Basic authentication as opposed to NTLM, etc., authentication). The "yourbase64stringhere" is your proxy IP authentication credentials in the form of username:password (with a colon ":" included in the string) that has been converted to a Base-64 string. Fiddler comes with a built-in Base-64 converter. Click Tools>Text Wizard. Type your username:password string into the upper panel. By default, the Text Wizard is set to convert text entered in the upper panel to a Base-64 string output in the lower panel (notice the "Transform" drop-down located between the upper and lower panels). Copy the Base-64 string that has been output in the lower panel and append it to the word "Basic" SEPARATED BY A SPACE. Put double-quotes around the entire string and end the line of code with a semicolon.
Step 4: Save the file. Click the Rules entry on the main Fiddler menu. You should now see a rule item named "Use Auth-Proxy". Clicking this entry will configure Fiddler to use the IP and authentication credentials you coded in Step 3. Unchecking the "Use Auth-Proxy" reverts Fiddler to using whatever configuration has been established under Tools>Fiddler Options>Gateway. This is a very efficient way to "select" and "unselect" a specific proxy during application development. Thanks again Eric for the great solution!
-- Bill Vallance
I am trying to implement the Apache authentication through PKI digital certificates stored on token / smart card.
I'm using XAMPP 5.6.8.0-VC11 on a Windows 7 computer.
Following what I found searching the internet, I uncommented the following settings httpd-ssl.conf file in the Apache configuration:
SSLVerifyClient require
SSLVerifyDepth 10
From there, access to https: // localhost, the browser (IE 11, Chrome 43 and FF 38) display the digital certificate of the screen (use an e-CPF in standard ICP-Brazil, stored in token) and requests the password.
After entering the password and press ENTER, the behavior in browsers is as follows:
In IE, I is shown a page with the message "This page can not be displayed".
In FF, is loading the page indefinitely.
In Chrome, you see the message "Authentication based on certificate failed" ERR_BAD_SSL_CLIENT_AUTH_CERT and clicking on "details" appears:
"This server requires a certificate for authentication and did not accept the one sent by the browser. Your certificate may have expired or the server does not trust the issuer. Try again with a different certificate, if you have one, or you must obtain a certificate valid from somewhere else. "
Already tested several additional settings I found on the internet, but nothing works.
I have also changed the Windows Internet options regarding SSL and TSL, also successful.
I would like to figure out how to implement authentication with digital certificates for a more secure login system that esté in development.
Has anyone experienced this or know how to solve the issue?
I need to run secure ws.
When I run it from SOAP UI I use basic security with username.
in the UFT I defined Username token on port.
but when I run the API I get an error: "An invalid security token was provided".
In the request API I dont see the security element
What am I missing
Thank you.
If you define the security on the port, please check that the "Use port security settings" is checked in the security tab in the properties pane of the step (it should be by default).
The security headers are not printed to the user log pane, but you can find them in the "vtd_internal.log" file, located at: /Log directory.
Is the "An invalid security token was provided" message from UFT or from the server?
do you get the same message if you don't use and security settings on the step?
I have hosted WCF service on IIS 6 using a custom AppPool. This AppPool is configured to run under a user who is in IIS_WPG group.
I can access the service from a remote location and can see the wsdl as well, but when I try to access the same service through "WCF Test Client", I got following error
Update: When I run the same service by changing AppPool's identity to "Network Service" group, then service is accessible through test client. So service metadata isn't accessible only when service runs under identity other than "Network Service" (which is default identity for user)
I have experienced this problem in the past and the solution was to authenticate using a service account between client and the server hosting the service.
I have the same issue as described above.. Here are the things I've done while finding solution to this issue.
I will start will my deployment process of WCF to IIS6.
Create a folder into the server and copy the WCF package.
Create an AppPool for your WCF.
Right click the newly created AppPool, select Properties, then go to Identity tab. Select "configurable" then enter your service account credential instead of NETWORK SERVICE.
I didn't created a new web site. For my case, I created a virtual directory under the Default Web Site and point it to the WCF folder that I've copied.
Once the virtual directory is created, right-click on it then select Properties. Below are the settings for each tabs
Virtual Directory Tab
Click Create button to create application name.
Select "Scripts Only" in execute permission.
Select the AppPool that you have created.
Click Apply button to save changes.
Document Tab
Add new content - the name of your WCF .svc file.
Click Apply button to save changes.
Directory Security Tab
Click Edit button in Authentication and access control.
Change the user name and password with your service account credential.
Click OK (enter the password again if reconfirmation is needed).
Click Apply button to save changes.
ASP.Net Tab
Select 4.0.30319 version (if .net framework 4.0 is required)
Click Apply button to save changes.
Now, go to Computer Management > System Tools > Local Users and Groups > Groups
Open the IIS_WPG group and add your service account.
Then go to Start > Administrative Tools > Local Security Policy
Expand Security Settings > Local Policies > User Rights Assignment. Search for Log on as service then add your service account there.
Lastly, Go to C:\WINDOWS\Temp folder. Right click on it then select Properties. Click Security tab then add your service account.
To set a special permission, click Advance button.
Select your service account then click Edit button. In the list of permissions, tick or check only the "List Folder/Read Data" and "Delete" permissions. Click OK and Apply button to apply changes. If message box prompted you, click Yes to apply in sub folders.
Now, the final moment. Make sure the app pool is running. Test the WCF in browser and then in WCF Test client.
In my case it's working, perfectly :)
Hope this will help you...