We Keep Coding

Why my WCF client encrypts the request when I change from WS-Security 1.0 to 1.1?

I'm trying to consume a java web service from a WCF client with this specifications:
The request must be signed (but NOT encrypted). I have my client's certificate installed on my computer.
The response is signed (not encrypted) by the server. I have the server's certificate installed on my computer.
Communication is over HTTPS (certificate installed on my computer).
This is the configuration of the client:
Endpoint:
<endpoint address="https://..."
binding="customBinding" bindingConfiguration="SincronSoapCustom" behaviorConfiguration="webEndpointExtern"
contract="Proves.Service.SincronSoap" name="SincronSoap">
<identity>
<dns value="Test app"/>
</identity>
</endpoint>
Custom binding:
<customBinding>
<binding name="SincronSoapCustom" >
<security authenticationMode="MutualCertificate" allowSerializedSigningTokenOnReply="true" requireSignatureConfirmation="false" requireDerivedKeys="false" includeTimestamp="true" securityHeaderLayout="LaxTimestampLast" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
</security>
<textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" ></textMessageEncoding>
<httpsTransport transferMode="Buffered" ></httpsTransport>
</binding>
</customBinding>
Behavior:
<behavior name="webEndpointExtern">
<clientCredentials>
<clientCertificate findValue="19cab2cd6bc982fb" storeLocation="CurrentUser"
storeName="My" x509FindType="FindBySerialNumber" />
<serviceCertificate>
<defaultCertificate findValue="311a360557c1056c5367435e7dad3866" storeLocation="CurrentUser"
storeName="My" x509FindType="FindBySerialNumber" />
<authentication certificateValidationMode="PeerOrChainTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
To only sign the message (and avoid encryption) I set the protection level in the service contract:
<System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0"),
System.ServiceModel.ServiceContract([Namespace]:="http://xxxx/", ProtectionLevel:=Net.Security.ProtectionLevel.Sign)>
Public Interface SincronSoap
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*", ProtectionLevel:=Net.Security.ProtectionLevel.Sign),
System.ServiceModel.XmlSerializerFormatAttribute(SupportFaults:=True)>
Function procesa(ByVal request As Service.procesaRequest) As Service.procesaResponse
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*")>
Function procesaAsync(ByVal request As PdibService.procesaRequest) As System.Threading.Tasks.Task(Of Service.procesaResponse)
End Interface
With this configuration, my requests are processed correctly by the server but my client throws an error when processing the response:
Cannot read the token from the 'SignatureConfirmation' element with the 'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.
Ok, my client uses WS-Security 1.0 and the SignatureConfirmation element is only allowed in WS-Security 1.1. The provider of the service confirms to me that the correct versión is 1.1.
So I change from:
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
to:
WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
But when I make a request using this config, the remote server returns an error:
WSDoAllReceiver: security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto propery file supplied for decryption)
It seems that in this case my client is including some encryption in the request and the server doesn't expects it. This is the request:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="868039bc-362d-4d3b-93fa-afb7ccdaf7e9">8160d724-54b3-4aa5-acbd-82d26abbf3b5</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">M0m/j9IjdvtsfXoboTzGX4jRw5I=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>..removed..</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="_0">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>m6K+Htbhimq+ncV9cu48xtaHCXU=</DigestValue>
</Reference>
<Reference URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>DptGdl9nICPuR7ym4VB4DAsT05o=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>b7kn3APi45hTIGgnbhSvwInLmMP=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>80Q2miLGWvPm9Tl8qN2CwPHwbIA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-20121b2c-b772-4bc9-83fe-f422d6a80a0b-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<u:Created>2017-01-23T11:48:37.635Z</u:Created>
<u:Expires>2017-01-23T11:53:37.635Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
.................. removed ............................
</s:Body>
</s:Envelope>
And this is the request when I use WS-Security 1.0:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="8797dc6e-b03a-4681-ab6f-6d52c561a79a">3e959f6f-2b84-4aca-a024-b5b50f429730</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>frO7LOsocv71gm5QWTGhfem0VQY=</DigestValue>
</Reference>
<Reference URI="#uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>/FLwiT1IYuqSWdrthZRebVeql0c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-2cf2ba54-442a-422c-a2e7-b6861431c23b-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<u:Created>2017-01-23T11:36:11.128Z</u:Created>
<u:Expires>2017-01-23T11:41:11.128Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
... removed ...
</s:Body>
</s:Envelope>
In this case no encryption is included in the request.
The question is, why my client uses encryption when I change from WS-Security 1.0 to 1.1?
How can I avoid this?
Thanks.

WCF service with username security should accept messages with additional ws-security headers. Is it possible?

I have an wcf service that has classical username-password message security.
On transport level this service has https
Binding is typical
<bindings>
<wsHttpBinding>
<binding name="RgiServiceBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
But. Now we should add client signing to this interchange. We decide to use standard wsse headers for this signature.
Example:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IRgiService/RegisterAuction</a:Action>
<a:MessageID>urn:uuid:054cd820-1e0c-4643-881d-48d8c7682080</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://ws.test.rosim.ru:8443/RGI_ETP/RgiService.svc</a:To>
<Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken b:Id="urn:uuid:bc811ecb-4313-44f4-a627-9237d147294e" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:b="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<Username>login</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</Password>
</UsernameToken>
</Security>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:actor="http://esugi.rosim.ru/pibi/actors/etp">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411" />
<Reference URI="#body8d018149d5ea441a817ea018da2c8ce1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gostr3411" />
<DigestValue>0pgHWuhnDlw/s8aHBxbk2FrHc072go1xXE/JnUBboRk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>aL6ag12120eSmz6CQYQY8HjgZ+Gdz6UfaRZdV9qXY21ccxVfCkme1zsSw9Vy4jh2ofK/QYsebomEnWd51xIq1w==</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#cert9c65aba5ea814fc5a27137859c9c3df2" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="cert9c65aba5ea814fc5a27137859c9c3df2">therewascertificateinbase64</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body>
<RegisterAuction xmlns="http://tempuri.org/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" wsu:Id="body8d018149d5ea441a817ea018da2c8ce1">
<auctionInfo xmlns:b="http://schemas.datacontract.org/2004/07/Rgi.Etp.Service.Contract.DataContracts">
<b:AuctionNumber>1112233</b:AuctionNumber>
<b:Note>Новый аукцион создан</b:Note>
</auctionInfo>
<tradeRequestInfo xmlns:b="http://schemas.datacontract.org/2004/07/Rgi.Etp.Service.Contract.DataContracts">
<b:TradeRequestDate>2015-03-11T00:00:00</b:TradeRequestDate>
<b:TradeRequestNumber>111</b:TradeRequestNumber>
</tradeRequestInfo>
</RegisterAuction>
</s:Body>
</s:Envelope>
But WCF don't want to work with multiple wsse headers. It says "An error occurred when verifying security for the message." without any additional info, and it is before my own code.
Can I do something to get my signatures on server side and my username validation works?

WCF error calling WS-Security web service: Cannot find a token authenticator for the X509SecurityToken

I'm trying to connect with an external Java Web service with WS-Security enabled over https with a WCF client.
The service use UserNameToken authentication.
When the client call the service, I get this exception:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
I use a custom binding with this configuration:
The endpoint:
<endpoint address="https://des-afirma.redsara.es/afirmaws/services/ValidarFirma"
binding="customBinding" bindingConfiguration="ValidarFirmaBinding"
contract="AFirma.Firma" name="ValidarFirma" />
</endpoint>
The binding:
<binding name="ValidarFirmaBinding">
<textMessageEncoding messageVersion="Soap11" />
<security
allowSerializedSigningTokenOnReply="true"
authenticationMode="UserNameOverTransport">
<secureConversationBootstrap />
</security>
<httpsTransport>
<extendedProtectionPolicy policyEnforcement="Never" />
</httpsTransport>
</binding>
I read this link http://webservices20.blogspot.co.uk/2010/10/wcf-cannot-find-token-authenticator.html and I configured the allowSerializedSigningTokenOnReply value, but it failed.
This is the message generated by WCF:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action />
<wsa:MessageID>urn:uuid:5b36bb8b-4a59-4c5f-9c67-065543db51d5</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://des-afirma.redsara.es/afirmaws/services/ValidarFirma</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-cef53b94-4432-4ede-89ea-7a42b7a686d2">
<wsu:Created>2012-11-13T13:49:32Z</wsu:Created>
<wsu:Expires>2012-11-13T13:54:32Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="SecurityToken-40deaa3d-fe02-4462-963e-7705e4648b24">
<wsse:Username>UserName</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">[Password]</wsse:Password>
<wsse:Nonce>G5CU1R6lKSTpBQ0FAF01rA==</wsse:Nonce>
<wsu:Created>2012-11-13T13:49:32Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ValidarFirma xmlns="http://afirmaws/services/ValidarFirma">
<paramIn xmlns="">[Param value (XML String)]</paramIn>
</ValidarFirma>
</soap:Body>
</soap:Envelope>
And this is the response:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="binaryToken">
MIIG2TCCBcGgAwIBAgIISXHqSo0f+C0wDQYJKoZIhvcNAQEFBQAwUjERMA8GA1UEAxMIQUNDVi1D
[...]
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature-BDFADICIJJIDI81">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SignedBody-BDFADICIJJIDI81">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>TFKLyv9zd1G7RXK4sJV+hG2WfqQ=</DigestValue>
</Reference>
<Reference URI="#keyInfo-BDFADICIJJIDI81">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>SWO3sIcC16EcT17pBREoGe3CVes=</DigestValue>
</Reference>
<Reference URI="#binaryToken">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>GT+8/UoUzQgUAhvc25bn+DL6T1E=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue Id="SignatureValue-BDFADICIJJIDI81">
sTVgtvYlVuwhQ9XGcTfHh7lKdUcsf8vF6vyJ/5LVxuwarRDAjMzHcQlvFBlZTn8f
[..]
</SignatureValue>
<KeyInfo Id="keyInfo-BDFADICIJJIDI81">
<KeyValue>
<RSAKeyValue>
<Modulus>
tCxb/yk9DgCJmdxshvm6RwQtRMHqTdI2nDzQ2C761KEGmAaz7jrv8PtVSoNMRVr9
[...]
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>
MIIG2TCCBcGgAwIBAgIISXHqSo0f+C0wDQYJKoZIhvcNAQEFBQAwUjERMA8GA1UE
[...]
</X509Certificate>
<X509IssuerSerial>
<X509IssuerName>Certificate name</X509IssuerName>
<X509SerialNumber>Serial number</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
<wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#binaryToken" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="SignedBody-BDFADICIJJIDI81">
<ValidarFirmaResponse xmlns="http://afirmaws/services/ValidarFirma">
<ValidarFirmaReturn xmlns="" xsi:type="c0bxsd:string">
[return value (XML String)]
</ValidarFirmaReturn>
</ValidarFirmaResponse>
</soapenv:Body>
</soapenv:Envelope>
I tried the web service with WSE 3.0 and it works, but I can't install the package in the server because it is Windows Server 2008 and the installation failed.

Try to play with MessageSecurityVersion (for example
WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11) and security tag. And look at soap envelop.

WSSecurity IBM DataPower issues with WCF client

I'm trying to consume an IBM DataPower web service in WCF getting the following error message:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
The HTTP response is coming back as 200 and I can see the correct SOAP response while debugging it in Fiddler.
However, the WCF clients doesn't seem to know how to process the BinarySecurityToken element in the SOAP response.
Here is my WCF config:
<client>
<endpoint address="https://xxxx:6443/xxxx/xxxxx"
binding="customBinding" bindingConfiguration="NewBinding0"
contract="SoapPort" name="XXSoapPort" behaviorConfiguration="ServiceBehavior">
</endpoint>
</client>
<customBinding>
<binding name="NewBinding0">
<security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireDerivedKeys="false" securityHeaderLayout="Lax" />
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport />
</binding>
</customBinding>
<behaviors>
<endpointBehaviors>
<behavior name="ServiceBehavior">
<clientCredentials>
<clientCertificate findValue="xxxxxx" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
This is a SOAP request sample:
<soapenv:Envelope xmlns:dgi="http://dgi.gub.uy" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-
1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-45851B081998E431E8132880700036719"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd">binarysecuritytoken base64...</wsse:BinarySecurityToken><ds:Signature Id="Signature-13"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-14">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>62KaCXQkeXTGyGd+aoX46cGAl9M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
YdwY0hmkHE8tnQmGQBdfA5fjVyoHWMiQhKanI1SEaii295hakwMbf5KsP3YMMhzl4HEHs6nqhZpq
lyL1OBcbJPJQN34uhOtucnzgObUYHckkJqfAN/sYmfNMSFGDvyZCFQSiJwh8dkvKxmxzdUwv3wza
M+i0nzLAh9viQZYS8N8=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-45851B081998E431E8132880700036720">
<wsse:SecurityTokenReference wsu:Id="STRId-45851B081998E431E8132880700036821" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-45851B081998E431E8132880700036719" ValueType="http://docs.oasisopen.
org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-14" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<method>
data...
</method>
..
This is an SOAP response:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAPENC="
http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken wsu:Id="SecurityToken-c0477b7a-df1a-4883-9ae1-59a518913f96" EncodingType="http://docs.oasisopen.
org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wssx509-
token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd">MIIFrDCCA5SgAwIBAgIQas+Rf7PxwFxNudVRjoOzEjANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJVWTErMCkGA1UECgwiQURNSU5JU1RSQ
UNJT04gTkFDSU9OQUwgREUgQ09SUkVPUzEfMB0GA1UECwwWU0VSVklDSU9TIEVMRUNUUk9OSUNPUzEdMBsGA1UEAwwUQ29ycmVvIFVydWd1YXlvIC
0gQ0EwHhcNMTEwNDI4MjEwMDAxWhcNMTIwNDI4MjEwMDAxWjCBxzEiMCAGCSqGSIb3DQEJARYTam1vbnRhbmVAZGdpLmd1Yi51eTEfMB0GA1UECwwW
QU5BTElTSVMgREUgUFJPRFVDQ0lPTjEhMB8GA1UECgwYREdJLVBSVUVCQSBTRVJWSUNJT1MgV0VCMRMwEQYDVQQIDApNb250ZXZpZGVvMQswCQ
YDVQQGEwJVWTEYMBYGA1UEBRMPUlVDMjE5OTk5ODIwMDEzMSEwHwYDVQQDDBhER0ktUFJVRUJBIFNFUlZJQ0lPUyBXRUIwgZ8wDQYJKoZIhvcNAQE
BBQADgY0AMIGJAoGBAMcMcu70s0RQkD6ifYBGXwATovTxxA/Hjc8WKM16yJkz63d0eSTjjREYmM87g6NRacADy9LZRyENiRPjsBI+Tw9PHR/7g+frTIS+vIQZ0+f
9Rq1q2uxvw8TKoO9FvcrBabdl9dUBIrJEPa20wj6U+dupTZ66bD5uFXBUsKo2sZujAgMBAAGjggFiMIIBXjAeBgNVHREEFzAVgRNqbW9udGFuZUBkZ2kuZ3ViLnV
5MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgP4MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDARBglghkgBhvhCAQEEBAMCBaAw
HQYDVR0OBBYEFP0YQfFQvej6szyGhKlpNI0tESi5MB8GA1UdIwQYMBaAFCWP30Mvjmq6C75GXFdQk7dRvvzZMFQGA1UdIARNMEswSQYMKwYBBAGB9U8
BAQEEMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly93d3cuY29ycmVvLmNvbS51eS9jb3JyZW9jZXJ0L2Nwcy5wZGYwGAYNKwYBBAGB9U8BAQEEAQQHDAVE
aXNjbzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3LmNvcnJlby5jb20udXkvQ29ycmVvQ2VydC9hbmMuY3JsMA0GCSqGSIb3DQEBBQUAA4ICAQA01MEJ
sZ8VXJIybZQ0NlBJPXz7n8GbTf41Aq4lWxLI5rBWJD1uyWUdz2jUD0DuqflTAGknphzxn49QACCTA1Pv0aZ6hnK04uI9j7UJe4LiVx3aWbpLRBCnYrIs+QU2pyClEM
4bNPt0BU2DG+Q9k9SeCDQ8VD7hiD2W/aK8HLo6EVLAEwrl3pTums2dwxtO1KKPw6OBbYYitCjR5j6Hy5q1+fMTFXmx0vo+ZYFOl8DVoSp6OQJd2mcaL0CNVWI
9sOYRkJKEoELIJDSnIMKkUqgN2ilg05Dqcl/TDj2I5VfPLXZpnpuQbb6ADjEOtMzlkfe2EFemn0s/+2Hn97h5rtJMcjTuUhh937JZPWnD1XQTxICjS3ql1nSwbnJz9bk8P
N/j8cK4Kw+xipGo7pRxITFKUHmOIXsj05tH3kFWf8htdU/4rIyrvzJ3xUhita78SHaJMALQa4AGxmSxIEvej0+qyrxx4geMkzb/n5t3JAAluxW2ja3f/FrXMuwT7iKebreMS4
4FO0maMpP29SW94G8yClumghtU/6LI67oHxhpUNkCQ3UV4JaI6wEZcgV5KLXm9rr1i/hMKV5FspQcYg36qdeRz/N4DwuorVwZuTsXCIMwcKQCkzu1oUSkvO3PE
5cCRnu9cyJ3GzPfUO0T8mrCmI2XwISAvkuLs3kd6FeRBAw==</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Body-75c3e1d7-a956-4387-827e-58e7bf7f9672">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>O+QjV1cBEXJlS3Z15FBQZImx/Gs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>lCEfQOGBeSvfvHPLUYtT5PUlwe8Gdbv6b2yto4WzSsoEpYz+6d4YFlyt+Vzq1DSK8Jcmz1ELuJkzPwZCt2aAkSxpToI51vjziELJJqiZfGR5gLJRCZ
CK/zhk3pJUBzaiLLSwfN1iX9t4X8IGqisc6yqrS9kabkhUvvsiYrdRIr4=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-c0477b7a-df1a-4883-9ae1-59a518913f96" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="Body-75c3e1d7-a956-4387-827e-58e7bf7f9672" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurityutility-
1.0.xsd">
...data...
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Thanks in advance!

Use "MutualCertificate" instead of "CertificateOverTransport".
This will require you to supply a service certificate - just configure any dummy certificate, even the same one as used for signature. Also you will get an exception on dns expected name which will tell you what to fix.
Then try it once with allowSerializedSigningTokenOnReply true and once false.
If this fails send me your config, the soap request you sent, and the response the server sent.

WCF - Java web service interop - Signed outgoing message not accepted

I try to sign a message using a certificate and a private key to call a java (JBoss) web service, but the server refuses to accept my signed message. It only echoes back the same message that I've sent.
I have successfully signed the outgoing message using the certificate, and the structure of the message look alright when I compare it to an exampel message supplied by the web service creator.
I use a custom binding declared as shown below
<binding name="FSACustomServiceBinding"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00">
<textMessageEncoding
messageVersion="Soap11" />
<security
authenticationMode="MutualCertificate"
requireDerivedKeys="false"
keyEntropyMode="ClientEntropy"
includeTimestamp="false"
securityHeaderLayout="Lax"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<httpTransport/>
</binding>
and the resulting message looks like this
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">[BINARYSECURITYTOKEN]</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>[DIGESTVALUE]</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>[SIGNATUREVALUE]</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference><o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2"/></o:SecurityTokenReference>
</KeyInfo>
</Signature></o:Security></s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><list xmlns="http://etis.ford.com/services/fsa/1.0"><String_1 xmlns="">[VINNUMBER]</String_1></list></s:Body>
</s:Envelope>
An exampel message that works with the web service:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://etis.ford.com/services/fsa/1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-26-1284446233382-10880960">[BINARYSECURITYTOKEN]</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#element-25-1284446233382-9656454">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>[DIGESTVALUE]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[SIGNATUREVALUE]</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference><wsse:Reference URI="#token-26-1284446233382-10880960" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-25-1284446233382-9656454"><ns0:list><String_1>[VINNUMBER]</String_1></ns0:list></env:Body>
</env:Envelope>
I've run out of ideas, and the web service creator doesn't supply any information what so ever as to why my message isn't accepted.
Does anyone have an idea?
Regards,
Simon

One possibility is that you are using a self signed certificate that the Jboss server does not trust.