I have been given a wsdl and xsd file from a company partner to access their https service.
I have installed the client certificate and can access their API using SoapUI after configuring the security in soapUI.
what are the next steps to consume the API in a .net application?
I have generated the proxy using svcutil.
I have added the certificate to the local machine and current user - trusted root certification authorities
The cert is from the service provider and works through soapUI. its not self signed.
When i make the call to the service i get Could not establish secure channel for SSL/TLS with authority 'WEB_SERVICE_URL:11851'.
Do i need to configure https in the config file or what am i missing?
thank you
It turned out i had to specify the certificate in code
// Create the binding.
BasicHttpBinding customerBinding = new BasicHttpBinding();
customerBinding.Security.Mode = BasicHttpSecurityMode.Transport;
customerBinding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Certificate;
// Create the endpoint address. Note that the machine name
// must match the subject or DNS field of the X.509 certificate
// used to authenticate the service.
EndpointAddress customerEa = new
EndpointAddress("https:URL_OF_SERVICE:11851/WebServices/GetCustomerDetailsService");
// Create the client.
customerClient = new GetCustomerDetails1Client(customerBinding, customerEa);
// The client must specify a certificate trusted by the server.
customerClient.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName,
"CERTIFICATE_NAME");
Related
We have a websphere application that must connect to a webservice over https. Websphere Application server has version 8.5.5
We have the wsdl of the service, so we were able to create the client using the JAX-WS wizard in eclipse 4.5.
The SSL connection requires both accepting the server certificate and authentication with client certificate (private key).
The restriction we have is that the SSL configuration must be at application level, and not at server level. In a first time we were able to configure the server with the repective certificates in the default truststore and keystore, but that configuration was not accepted.
So we created a SSL configuration with a keystore that includes both the signer certificates of the server of the webservice and the personal certificate (with the private key) of the client. Type is JKS.
We suppose that we have to create in some way a "Web services Client security bindings" in Applications > Application Types > WebSphere enterprise applications > application_name > Manage Module > module_name > Web services: Client security bindings, but that list is empty:
Currently when we try to test the service client we get the exception:
exception: javax.xml.ws.soap.SOAPFaultException:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
You need to import the SSL certificate into the Web SPhere truststore, you can do it from here:
Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port
or
You can directly upload the certificate from:
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Add signer certificate
Hope this solves your issue.
We have Web Service deployed on WebSphere 8.5 that needs to communicate with LDAP over ssl. The ssl communication works only when the ldap certificates are imported in JRE cacerts store.
For other services we use, the certificate can be imported in CellDefaultTrustStore from the console, however the LDAP communication does not work by simply importing the certs on console in CellDefaultTrustStore.
Is there a specific configuration required to avoid using cacerts ? Appreciate any help in this regard.
Here is the code snippet making LDAP connection [ variable names updated ]
Hashtable env = new Hashtable();
env.put(DirContext.SECURITY_AUTHENTICATION, "simple");
env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_PRINCIPAL, bindUserName);
env.put(Context.SECURITY_CREDENTIALS, bindPassword);
// this is the url with ldaps://hostname
env.put(Context.PROVIDER_URL, url);
DirContext dirContext = new InitialDirContext(env);
Unfortunately I do not know the details about how your LDAP connection is being made. If it's going to the cacerts file, it suggests the JSSE default SSL Configuration is being used. So something about the call is making it go to the JSSE default and not use the WebSphere socket factories.
You probably want to leverage dynamic outbound SSL configurations.
Configure a trust store when your LDAP's cert.
(You probably have this already).
Create an SSL Configuration for communicating with LDAP
using trust store from step 1.
Create a dynamic outbound endpoint configuration using
the host/port info of your LDAP. Reference the SSL
configuration from step 2.
I'm trying to set up a WCF-service with SSL on Azure.
Can someone please explain a bit about the differences of using certificates is these cases?
Certificate for https-binding in IIS
ServiceCertificate in Web.Config
ClientCertificate in Web.Config
Certificate in ServiceDefinition.csdef
Certificate in ServiceConfiguration.Local.cscfg
Certificate in ServiceConfiguration.Cloud.cscfg
More I should know about?
I want to publish several service-endpoints within the same role, some with SSL and some without. Do I need binding-certificates at all or is it service-certificates I should use?
Start by reading WCF Transport Security with Certificate Authentication and Configuring SSL for an application in Windows Azure
Certificate for https-binding in IIS - exactly what it says, the cert is used by IIS to create a secure binding on a site/service, typically on port 443
ServiceCertificate in Web.Config - WCF service-side binding cert used for WCF Transport Security with Certificate Authentication - private key cert used to authenticate client request signed with the corresponding public key
ClientCertificate in Web.Config - WCF client-side binding cert used for WCF Transport Security with Certificate Authentication - public key cert used to sign a request for authentication to a service using Transport Security with the corresponding private key
Certificate in ServiceDefinition.csdef - default certificate used to create a secure endpoint in Azure worker & web roles. NOTE: This is the certificate Azure installs in IIS to bind to the service endpoint (see #1)
Certificate in ServiceConfiguration.Local.cscfg - same as 4, just used in a "Local" build/deployment configuration
Certificate in ServiceConfiguration.Cloud.cscfg - same as 4, just used in a "Cloud" build/deployment configuration
I am writing a WCF service where I need to access the Hash Code of client certificates that are used to connect to the service.
I am looking for a property or method similar to Request.ClientCertificate from ASP.NET 2.0 days but cannot find anything that allows easy access to the client certificate.
Our service is set up such that it is running with SSL using basicHttpBinding and security mode of "Transport".
IIS has been set up to Require SSL and Accept certificates.
One thing to note is that our server certificate used to secure the endpoint is from a different CA to that of the client certificates - the client certificates are intended to be validated solely through custom code (thus the need to get the hash code of a connecting certificate).
I have created a custom implementation of the IDispatchMessageInspector to see if there is any access to a client certificate from there but to no avail.
Has anyone attempted this and had success before?
Looks like what the best option for you would be to implement a custom Certificate Validator for your service. This is basically a class that derives from X509CertificateValidator and is then registered through the config file.
There's more complete information on how to do this on this article.
For reference if anyone else attempts to apply client certificate authentication the following steps were required to get it to work (we are using basicHttpBinding within WCF for this instance and running in a local instance of IIS):
Set up IIS to use a HTTPS binding for the site and secure this in IIS with a server certificate
Within IIS change the SSL Settings for your site to Require SSL and Require client certificates (It must be Require - Accept will not work)
Within the WCF configuration ammend the basicHttpBinding and set security mode to "Transport" and the transport clientCredentialType to "Certificate"
Ensure that the root certificate (the one used to create any client certificates) is within the "Trusted Root Cerrtification Authorities" for the Local Computer on which IIS is running.
NOTE If you are in a development environment you may need to generate your own root certificate, the makecert command line application is very useful for this; simply run the following command:
makecert -n "CN=My Test Auth" -r -cy authority -a sha1 -sv "My Private Key.pvk" TestAuth.cer
This creates a certificate called TestAuth.cer (which needs to be added to the Computer's "Trusted Root Cerrtification Authorities") and a private key file called "My Private Key.pvk".
Now to generate a client certificate you can run this command:
makecert -a sha1 -n "CN=myConnectionCert" -ic "TestAuth.cer" -iv "My Private Key.pvk" -ss My
This created a certificate with a subject of myConnectionCert and adds it to your personal certificate store - when you now access the site (to view the service page for example) IE should prompt you to select the certificate - chose the one you have just created and you should see the service page as normal.
Is there way to attach client side SSL file (.pfx) file in WCF binding? I don't want to use certificate store.
This should work
webServiceProxyInstance.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2("path to the pfx file", "password to open the private key");