I'm trying to consume an IBM DataPower web service from WCF and I'm getting the following error message:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
The HTTP response is coming back as 200 and I can see the correct SOAP response while debugging it in Fiddler.
However, the WCF client doesn't seem to know how to process the BinarySecurityToken element in the SOAP response.
Here is my WCF config:
<client>
<!-- Client endpoint: binds the SoapPort contract to the custom binding "NewBinding0" and the endpoint behavior "ServiceBehavior". The address is https, so by default the server certificate is checked at the TLS layer; no identity element is declared here for a message-level identity check. -->
<endpoint address="https://xxxx:6443/xxxx/xxxxx"
binding="customBinding" bindingConfiguration="NewBinding0"
contract="SoapPort" name="XXSoapPort" behaviorConfiguration="ServiceBehavior">
</endpoint>
</client>
<customBinding>
<!-- Client binding: SOAP 1.1 text encoding over HTTPS, with a WS-Security 1.0 security header. -->
<binding name="NewBinding0">
<!-- CertificateOverTransport: HTTPS protects the exchange and the client certificate travels as a supporting token in the security header. Nothing in this mode tells the client how to authenticate an X.509 token that signs the reply, which is consistent with the "Cannot find a token authenticator" error quoted on this page. -->
<!-- NOTE(review): allowSerializedSigningTokenOnReply appears to apply only to the asymmetric, message-level certificate modes, so confirm it has any effect here. Where it does apply, the reply carries its own signing certificate, and a valid signature is only meaningful if that certificate is itself validated against a trusted issuer or a pinned value. -->
<security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireDerivedKeys="false" securityHeaderLayout="Lax" />
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport />
</binding>
</customBinding>
<behaviors>
<endpointBehaviors>
<!-- Endpoint behavior that supplies the client's X.509 credential. It contains no serviceCertificate section, so nothing here states which server certificate the client should expect or how to validate it at message level. -->
<behavior name="ServiceBehavior">
<clientCredentials>
<!-- FindBySubjectName matches on a substring of the subject name, so it can match more than one certificate in the LocalMachine "My" store. FindByThumbprint identifies exactly one certificate. -->
<clientCertificate findValue="xxxxxx" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
This is a SOAP request sample:
<soapenv:Envelope xmlns:dgi="http://dgi.gub.uy" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-
1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-45851B081998E431E8132880700036719"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd">binarysecuritytoken base64...</wsse:BinarySecurityToken><ds:Signature Id="Signature-13"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-14">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>62KaCXQkeXTGyGd+aoX46cGAl9M=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
YdwY0hmkHE8tnQmGQBdfA5fjVyoHWMiQhKanI1SEaii295hakwMbf5KsP3YMMhzl4HEHs6nqhZpq
lyL1OBcbJPJQN34uhOtucnzgObUYHckkJqfAN/sYmfNMSFGDvyZCFQSiJwh8dkvKxmxzdUwv3wza
M+i0nzLAh9viQZYS8N8=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-45851B081998E431E8132880700036720">
<wsse:SecurityTokenReference wsu:Id="STRId-45851B081998E431E8132880700036821" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-45851B081998E431E8132880700036719" ValueType="http://docs.oasisopen.
org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-14" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<method>
data...
</method>
..
This is an SOAP response:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAPENC="
http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken wsu:Id="SecurityToken-c0477b7a-df1a-4883-9ae1-59a518913f96" EncodingType="http://docs.oasisopen.
org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wssx509-
token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd">MIIFrDCCA5SgAwIBAgIQas+Rf7PxwFxNudVRjoOzEjANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJVWTErMCkGA1UECgwiQURNSU5JU1RSQ
UNJT04gTkFDSU9OQUwgREUgQ09SUkVPUzEfMB0GA1UECwwWU0VSVklDSU9TIEVMRUNUUk9OSUNPUzEdMBsGA1UEAwwUQ29ycmVvIFVydWd1YXlvIC
0gQ0EwHhcNMTEwNDI4MjEwMDAxWhcNMTIwNDI4MjEwMDAxWjCBxzEiMCAGCSqGSIb3DQEJARYTam1vbnRhbmVAZGdpLmd1Yi51eTEfMB0GA1UECwwW
QU5BTElTSVMgREUgUFJPRFVDQ0lPTjEhMB8GA1UECgwYREdJLVBSVUVCQSBTRVJWSUNJT1MgV0VCMRMwEQYDVQQIDApNb250ZXZpZGVvMQswCQ
YDVQQGEwJVWTEYMBYGA1UEBRMPUlVDMjE5OTk5ODIwMDEzMSEwHwYDVQQDDBhER0ktUFJVRUJBIFNFUlZJQ0lPUyBXRUIwgZ8wDQYJKoZIhvcNAQE
BBQADgY0AMIGJAoGBAMcMcu70s0RQkD6ifYBGXwATovTxxA/Hjc8WKM16yJkz63d0eSTjjREYmM87g6NRacADy9LZRyENiRPjsBI+Tw9PHR/7g+frTIS+vIQZ0+f
9Rq1q2uxvw8TKoO9FvcrBabdl9dUBIrJEPa20wj6U+dupTZ66bD5uFXBUsKo2sZujAgMBAAGjggFiMIIBXjAeBgNVHREEFzAVgRNqbW9udGFuZUBkZ2kuZ3ViLnV
5MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgP4MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDARBglghkgBhvhCAQEEBAMCBaAw
HQYDVR0OBBYEFP0YQfFQvej6szyGhKlpNI0tESi5MB8GA1UdIwQYMBaAFCWP30Mvjmq6C75GXFdQk7dRvvzZMFQGA1UdIARNMEswSQYMKwYBBAGB9U8
BAQEEMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly93d3cuY29ycmVvLmNvbS51eS9jb3JyZW9jZXJ0L2Nwcy5wZGYwGAYNKwYBBAGB9U8BAQEEAQQHDAVE
aXNjbzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3LmNvcnJlby5jb20udXkvQ29ycmVvQ2VydC9hbmMuY3JsMA0GCSqGSIb3DQEBBQUAA4ICAQA01MEJ
sZ8VXJIybZQ0NlBJPXz7n8GbTf41Aq4lWxLI5rBWJD1uyWUdz2jUD0DuqflTAGknphzxn49QACCTA1Pv0aZ6hnK04uI9j7UJe4LiVx3aWbpLRBCnYrIs+QU2pyClEM
4bNPt0BU2DG+Q9k9SeCDQ8VD7hiD2W/aK8HLo6EVLAEwrl3pTums2dwxtO1KKPw6OBbYYitCjR5j6Hy5q1+fMTFXmx0vo+ZYFOl8DVoSp6OQJd2mcaL0CNVWI
9sOYRkJKEoELIJDSnIMKkUqgN2ilg05Dqcl/TDj2I5VfPLXZpnpuQbb6ADjEOtMzlkfe2EFemn0s/+2Hn97h5rtJMcjTuUhh937JZPWnD1XQTxICjS3ql1nSwbnJz9bk8P
N/j8cK4Kw+xipGo7pRxITFKUHmOIXsj05tH3kFWf8htdU/4rIyrvzJ3xUhita78SHaJMALQa4AGxmSxIEvej0+qyrxx4geMkzb/n5t3JAAluxW2ja3f/FrXMuwT7iKebreMS4
4FO0maMpP29SW94G8yClumghtU/6LI67oHxhpUNkCQ3UV4JaI6wEZcgV5KLXm9rr1i/hMKV5FspQcYg36qdeRz/N4DwuorVwZuTsXCIMwcKQCkzu1oUSkvO3PE
5cCRnu9cyJ3GzPfUO0T8mrCmI2XwISAvkuLs3kd6FeRBAw==</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Body-75c3e1d7-a956-4387-827e-58e7bf7f9672">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>O+QjV1cBEXJlS3Z15FBQZImx/Gs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>lCEfQOGBeSvfvHPLUYtT5PUlwe8Gdbv6b2yto4WzSsoEpYz+6d4YFlyt+Vzq1DSK8Jcmz1ELuJkzPwZCt2aAkSxpToI51vjziELJJqiZfGR5gLJRCZ
CK/zhk3pJUBzaiLLSwfN1iX9t4X8IGqisc6yqrS9kabkhUvvsiYrdRIr4=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference xmlns="">
<wsse:Reference URI="#SecurityToken-c0477b7a-df1a-4883-9ae1-59a518913f96" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="Body-75c3e1d7-a956-4387-827e-58e7bf7f9672" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurityutility-
1.0.xsd">
...data...
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Thanks in advance!
Use "MutualCertificate" instead of "CertificateOverTransport".
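This will require you to supply a service certificate - just configure any dummy certificate, even the same one as used for signature. You will also get an exception about the expected DNS identity name, which will tell you what to fix. Use the dummy certificate only to get the exchange working; for real use, configure the service's actual certificate.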
Then try it once with allowSerializedSigningTokenOnReply true and once false.
If this fails send me your config, the soap request you sent, and the response the server sent.
I'm trying to consume a Java web service from a WCF client with these specifications:
The request must be signed (but NOT encrypted). I have my client's certificate installed on my computer.
The response is signed (not encrypted) by the server. I have the server's certificate installed on my computer.
Communication is over HTTPS (certificate installed on my computer).
This is the configuration of the client:
Endpoint:
<!-- Client endpoint for the SincronSoap contract, using the custom binding "SincronSoapCustom" and the endpoint behavior "webEndpointExtern". -->
<endpoint address="https://..."
binding="customBinding" bindingConfiguration="SincronSoapCustom" behaviorConfiguration="webEndpointExtern"
contract="Proves.Service.SincronSoap" name="SincronSoap">
<!-- The dns identity is the name the client expects to find in the service certificate used for message security; a mismatch is rejected. The value therefore has to match the real service certificate and is not a free-form label. -->
<identity>
<dns value="Test app"/>
</identity>
</endpoint>
Custom binding:
<customBinding>
<!-- Client binding: message-level X.509 security (MutualCertificate) carried in SOAP 1.1 over HTTPS. -->
<binding name="SincronSoapCustom" >
<!-- includeTimestamp="true" adds a Timestamp to the security header (it is one of the signed references in the captured requests), which lets the receiver bound message age. requireSignatureConfirmation="false" means the client does not ask for SignatureConfirmation elements in the reply. -->
<!-- NOTE(review): with a WS-Security 1.1 messageSecurityVersion, WCF builds MutualCertificate as a symmetric binding (a key wrapped for the service certificate) instead of the asymmetric binding used for 1.0. That would account for the EncryptedKey element in the 1.1 request shown on this page; confirm against the WCF documentation. -->
<!-- No algorithmSuite is set, so the WCF default applies; the requests captured with this binding show rsa-sha1 signatures and sha1 digests. A SHA-256 suite such as Basic256Sha256 is worth raising with the service provider if it is supported. -->
<security authenticationMode="MutualCertificate" allowSerializedSigningTokenOnReply="true" requireSignatureConfirmation="false" requireDerivedKeys="false" includeTimestamp="true" securityHeaderLayout="LaxTimestampLast" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
</security>
<textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" ></textMessageEncoding>
<httpsTransport transferMode="Buffered" ></httpsTransport>
</binding>
</customBinding>
Behavior:
<!-- Endpoint behavior holding both certificates: the client's signing certificate and the certificate the client expects the service to use. -->
<behavior name="webEndpointExtern">
<clientCredentials>
<!-- FindBySerialNumber: a serial number is unique only within one issuing CA, so two certificates from different issuers can share it. FindByThumbprint identifies a single certificate. -->
<clientCertificate findValue="19cab2cd6bc982fb" storeLocation="CurrentUser"
storeName="My" x509FindType="FindBySerialNumber" />
<serviceCertificate>
<defaultCertificate findValue="311a360557c1056c5367435e7dad3866" storeLocation="CurrentUser"
storeName="My" x509FindType="FindBySerialNumber" />
<!-- PeerOrChainTrust accepts a service certificate that either chains to a trusted root or is present in the TrustedPeople store. ChainTrust or PeerTrust alone is stricter; choose whichever matches how the server certificate was actually distributed. -->
<authentication certificateValidationMode="PeerOrChainTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
To only sign the message (and avoid encryption) I set the protection level in the service contract:
' Generated WCF service contract for the SincronSoap endpoint.
' ProtectionLevel.Sign on the contract asks for messages to be signed but not encrypted:
' integrity and origin are protected, confidentiality is left to the transport (HTTPS here).
<System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0"),
System.ServiceModel.ServiceContract([Namespace]:="http://xxxx/", ProtectionLevel:=Net.Security.ProtectionLevel.Sign)>
Public Interface SincronSoap
' Synchronous operation; repeats ProtectionLevel.Sign explicitly and serializes with XmlSerializer.
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*", ProtectionLevel:=Net.Security.ProtectionLevel.Sign),
System.ServiceModel.XmlSerializerFormatAttribute(SupportFaults:=True)>
Function procesa(ByVal request As Service.procesaRequest) As Service.procesaResponse
' Task-based variant. No ProtectionLevel is set on this operation; presumably the contract-level
' value applies (confirm).
' NOTE(review): the request type is qualified as PdibService here but Service above; verify both
' names refer to the same type.
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*")>
Function procesaAsync(ByVal request As PdibService.procesaRequest) As System.Threading.Tasks.Task(Of Service.procesaResponse)
End Interface
With this configuration, my requests are processed correctly by the server but my client throws an error when processing the response:
Cannot read the token from the 'SignatureConfirmation' element with the 'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.
Ok, my client uses WS-Security 1.0 and the SignatureConfirmation element is only allowed in WS-Security 1.1. The provider of the service confirms to me that the correct version is 1.1.
So I change from:
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
to:
WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
But when I make a request using this config, the remote server returns an error:
WSDoAllReceiver: security processing failed; nested exception is:
org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto propery file supplied for decryption)
It seems that in this case my client is including some encryption in the request and the server doesn't expect it. This is the request:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="868039bc-362d-4d3b-93fa-afb7ccdaf7e9">8160d724-54b3-4aa5-acbd-82d26abbf3b5</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">M0m/j9IjdvtsfXoboTzGX4jRw5I=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>..removed..</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="_0">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>m6K+Htbhimq+ncV9cu48xtaHCXU=</DigestValue>
</Reference>
<Reference URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>DptGdl9nICPuR7ym4VB4DAsT05o=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>b7kn3APi45hTIGgnbhSvwInLmMP=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>80Q2miLGWvPm9Tl8qN2CwPHwbIA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-20121b2c-b772-4bc9-83fe-f422d6a80a0b-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<u:Created>2017-01-23T11:48:37.635Z</u:Created>
<u:Expires>2017-01-23T11:53:37.635Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
.................. removed ............................
</s:Body>
</s:Envelope>
And this is the request when I use WS-Security 1.0:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="8797dc6e-b03a-4681-ab6f-6d52c561a79a">3e959f6f-2b84-4aca-a024-b5b50f429730</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>frO7LOsocv71gm5QWTGhfem0VQY=</DigestValue>
</Reference>
<Reference URI="#uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>/FLwiT1IYuqSWdrthZRebVeql0c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-2cf2ba54-442a-422c-a2e7-b6861431c23b-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<u:Created>2017-01-23T11:36:11.128Z</u:Created>
<u:Expires>2017-01-23T11:41:11.128Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
... removed ...
</s:Body>
</s:Envelope>
In this case no encryption is included in the request.
The question is: why does my client use encryption when I change from WS-Security 1.0 to 1.1?
How can I avoid this?
Thanks.
This seems like it should be handled natively, so I am likely doing something wrong. I have a WCF client which calls an Active STS and uses the token from the RSTR to generate the WS-Security header included in the call to the RP. The RP requires that the header be signed, which seems a fair enough request. However, the WS-Security header generated by the client does not include a signature, and I cannot see how to configure it to do so. The generated header is below. As can be seen, it contains a signature for the assertion and the subjectconfirmationdata, both of which are responsibilities of the STS. The "missing" header signature, in my limited understanding, is a responsibility of the client. So what configuration or code needs to be added in order to get a signature block that is a child element of the Security header, much like the reference header below?
Client Generated WS-Security header
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2015-08-24T21:04:41.090Z</u:Created>
<u:Expires>2015-08-24T21:09:41.090Z</u:Expires>
</u:Timestamp>
<Assertion ID="_fea24920-d64c-4758-b51e-61208cb5084f" IssueInstant="2015-08-24T21:04:40.060Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">MySTS</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_fea24920-d64c-4758-b51e-61208cb5084f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/tfOnmKqjmkK8gH1GMNQ/XJ5gdtwzvcJTqxwiZJ7noQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dGz1dN9odSSpblmgczWWRG6tF66oonOHAVJCSC5uqjCOH+18cjJfX/duqb0sv1w0VxGsKIzR0VZ74V5Pq5MWsKQArIgEwO/wnUEOcKPI9J3KlL/IU7XLJNFtVO/ioKB4ps34S/5vZLB+WxXryz5ylBd5JvVFT7cf9R68kSxY9IurxELCGdhe/YIgJtgI6JsEoqqk7314sUZj8qrCy5zUbEVufyyStCI23OIunXPQceksa/csdaTmHFPNkYtHY8yUmyzT8aKBVKZVG2iluXySoi0TwTiVH+4ImGqXKV+VhUebCwqQwAur1IWAu+V/r7ZkW7C0384ATkMTmmLXRhom3g==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JoeTester#example.org</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<SubjectConfirmationData a:type="KeyInfoConfirmationDataType" xmlns:a="http://www.w3.org/2001/XMLSchema-instance">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyValue>
<RSAKeyValue>
<Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiKxm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-08-24T20:59:36.114Z" NotOnOrAfter="2015-08-24T22:09:36.114Z"/>
<AttributeStatement>
<!-- attributes where here -->
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-08-24T21:04:36.130Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</o:Security>
The client side WCF Binding
<!-- Client configuration: a transport-only ws2007HttpBinding (referenced below as the issuer binding for the STS) and a custom binding that presents the issued SAML 2.0 token to the relying party over HTTPS. -->
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding>
<!-- Transport security with clientCredentialType="None": the channel is protected by TLS and the client sends no transport-level credential. -->
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</ws2007HttpBinding>
<customBinding>
<binding>
<!-- IssuedTokenOverTransport: the issued token is placed in the security header and HTTPS protects the message. -->
<security authenticationMode="IssuedTokenOverTransport" requireSignatureConfirmation="true" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" messageProtectionOrder="EncryptBeforeSign"
keyEntropyMode="CombinedEntropy" includeTimestamp="true">
<!-- keyType="BearerKey" requests a token with no proof key, so the client has no key with which to sign the header. A bearer token is accepted from whoever presents it, so its protection rests on TLS and on a short validity window. -->
<issuedTokenParameters keyType="BearerKey" tokenType="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- The issuer address is empty in this listing. -->
<issuer address="" binding="ws2007HttpBinding"/>
</issuedTokenParameters>
<localClientSettings></localClientSettings>
<secureConversationBootstrap />
</security>
<!-- The size quotas below are set very high (2147483647 and 134217728 bytes). These quotas bound how much memory one received message can consume, so keep them as low as the real payloads allow. -->
<mtomMessageEncoding maxBufferSize="2147483647" />
<httpsTransport requireClientCertificate="true" maxBufferPoolSize="134217728" maxReceivedMessageSize="134217728" maxBufferSize="134217728" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding" contract="IReplacable" name="*" />
</client>
</system.serviceModel>
</configuration>
Reference Security Header
<wsse:Security S:mustUnderstand="true" xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="timestamp1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2015-08-21T22:34:49.138Z</wsu:Created>
<wsu:Expires>2016-08-21T22:34:49.138Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion ID="a956b920-4956-47c6-8a05-8a3a56e418a0" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a956b920-4956-47c6-8a05-8a3a56e418a0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>guh8xR0Vu+3X3LlLAu7SJ0wCKXw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>2X2UmgJMLGQIzN73pxxyQZVVttnE8xAkPmScvFCX2zlrS7QdmqM+BoJswtmDImK9wAhXC0WtY17U C97Iw7brHrmNtQa3tM+4JClSCuW6SM6OjHn3qMLHiUJrpIZ1k0YAYfLcIF9S7x5lYFKUzWk+oOz1 3LMOMsjORXCssUpzd3BCOUhSSeg9+6b76ZyqTeaFqldn1OmG9jz3QS+h/vUo24h1ohKPJqEcE9sG 3Ab3LqyYv8ASVP9DsKRjOjxGKfhFT5WD9gW10IqQY2YGyYtguHfsyf05dPGBuXB8jaPZ3wgYsYXU FMmjRmuAYQkdQQRH8ju4HwtWdGnTtCQBRoqboA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>2kUArhFnRE+a0oof35YUv0Pc8w+UHox/PlTxzDnp86eyiLggHj76egrVbtV6TpYXw783JUQb+NiK xm0V/f6DIeqFWvCeHfzFJaWntNwAjOULY3z0n4T5gJuHpk3/JtefBXBm2m5zW4OhvijMfU228oQ5 kJDpuEmkcSgmyZwyPwbJZlLAS3agrFvMu+r7qU4O6imaCAoTt/QYHIo2TLKpprXSOFrszwJDz3I5 XTGaE+peBlQueFg5XvlAlARqDfq3yCcP5Mlel1Xv6kFIv/0LBMCZ1U8zMgVQsKOGgnSXCGgyq+77 nvS+MPSBc71jkSWh4FnxDFTlL1j1iGdH1BIkWQ==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2015-08-21T22:27:49.138Z" SessionIndex="123456">
<saml2:SubjectLocality/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509 </saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<!-- attributes-->
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit" Resource="">
<saml2:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="_3e0d08ce-a126-45e8-b602-ac0c7ea075ce" IssueInstant="2015-08-21T22:29:49.138Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAMLUser,OU=SU,O=SAML User,L=LosAngeles,ST=CA,C=US</saml2:NameID>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-08-21T21:34:49.138Z" NotOnOrAfter="2016-08-21T23:34:49.138Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue>urn:oid:1.2.3.4.123456789 </saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
</saml2:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#timestamp1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>qs//Jxv/CVrDvTxn8hYvdSe1pbY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>uf13RmBH95fP4o6x6eXC84+gkoLeZqLshw0ycm8t6HJP0+OtVEPZJbAw/UF2i2rzDk6oFE/Rxe1l /cks9HkIyNBEIwt2VY1hUldWfGd1cDq6Pi/H3EGuMasr42Qm8ObPCkSFqXhgowtIsSR9amo3e1KO YBsjYLnidcaZi7B1c6DjH1GozgSgdZDrYANUJr/KJ8zDDhGU09WXEuOekx41YvS4nWn/EHJbV+xf zKTN9ds+91PtFL1nnjqJT9BH4V2TvnRildsh7BeoMqQrXuePp7FxxgxCtg5tB15gDrNS1mOLorQZ 5UwqSrLp2/WkGkpzabMf2oN56lkiB6IHvsZ+Yg==</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">a956b920-4956-47c6-8a05-8a3a56e418a0</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
The headers are not signed since you are using bearer key token, as set in your configuration
<issuedTokenParameters keyType="BearerKey"...>
It needs to be either a symmetric key or an asymmetric key. Looking at your reference SOAP header, you'll need an asymmetric key token (keyType="AsymmetricKey").
The simplest way is to use ws2007FederationBinding. If you have to use a custom binding (as in your config), here is a sample config from MSDN at https://msdn.microsoft.com/en-us/library/aa734714(v=vs.100).aspx
<issuedTokenParameters
DefaultMessageSecurityVersion="System.ServiceModel.MessageSecurityVersion"
inclusionMode="AlwaysToInitiator/AlwaysToRecipient/Never/Once"
keySize="Integer"
keyType="AsymmetricKey/BearerKey/SymmetricKey"
tokenType="String" >
<additionalRequestParameters />
<claimTypeRequirements>
<add claimType="URI"
isOptional="Boolean" />
</claimTypeRequirements>
<issuer address="String"
binding=" " />
<issuerMetadata address="String" />
</issuedTokenParameters>
You can omit the issuer element and obtain the SAML token separately from your STS using WS-Trust, and use the token to secure your outgoing message to RP.
Java client wants to send SOAP request to my WCF service. SOAP header contains signature and certificate information, example:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<!-- The signature below uses RSA-SHA1 over a SHA-256 digest, so it still depends on
     SHA-1; prefer an RSA-SHA256 signature method if both sides support it. -->
<!-- It covers exactly one element, the one whose wsu:Id matches the Reference URI
     (presumably the SOAP Body, which is not shown here). The receiver should check
     that the signed element is the Body it actually processes, otherwise a relocated
     or duplicated element could pass verification. -->
<ds:Signature Id="SIG-3767FCEC48BA3FC46A141268453194033" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-3767FCEC48BA3FC46A14126804973444">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="myg" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>fsN0Bl7FcJhPTZFFOCvyIrLkcg/Oo9JhOpbv23VnnDI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>gVdpmh...0b/1FHPatVA==</ds:SignatureValue>
<ds:KeyInfo Id="KI-3767FCEC48BA3FC46A141268453193931">
<wsse:SecurityTokenReference wsu:Id="STR-3767FCEC48BA3FC46A141268453193932">
<!-- The X509v3 KeyIdentifier appears to carry the signer's certificate inline. A valid
     signature only proves possession of that certificate's key; the service must still
     validate the certificate against its own trust store (chain, validity, revocation). -->
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIDnjCCA...7Of</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
How should the web.config binding of my WCF service look, so that the SOAP body is validated against the signature in the SOAP header?
Thank you
Try this:
<customBinding>
<binding name="NewBinding0">
<textMessageEncoding messageVersion="Soap11" />
<!-- MutualCertificate: client and service each authenticate with an X.509 certificate
     at the message layer. includeTimestamp="false" removes the Timestamp from the
     security header, so the receiver has no signed freshness value to check; confirm
     that replay of a captured signed request is handled some other way. -->
<security authenticationMode="MutualCertificate" includeTimestamp="false"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<!-- Plain HTTP transport: with a contract set to ProtectionLevel.Sign the body is signed
     but not encrypted, so it is readable on the wire. Use httpsTransport when the
     payload is sensitive. -->
<httpTransport />
</binding>
</customBinding>
Make sure to decorate your contract to sign only:
[System.ServiceModel.ServiceContractAttribute(ConfigurationName=..., ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
I'm having a problem with a .NET WCF client connecting to a Java web service using SOAP 1.1. The service requires both transport level encryption over SSL and SOAP security using the WS-Security protocol, both using the same certificate. I have the certificate installed and I can connect to the server however, I get a HTTP 500 response when I post the request.
I have been able to compare the SOAP produced by WCF with a working example from the developers of the web service. The WCF SOAP message has additional Timestamp and BinarySecurityToken elements which don't occur in the supplied example. I know almost nothing about WS-Security and very little about WCF and so I'm hoping that someone can point me in the correct direction.
Here is the configuration section for my application:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="JavaServiceSoapBinding" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<!-- TransportWithMessageCredential: HTTPS protects the channel and the client
     certificate is additionally presented as a WS-Security message credential. -->
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" proxyCredentialType="None"
realm="" />
<!-- NOTE(review): algorithmSuite="Default" is presumably what produces the rsa-sha1 /
     sha1 algorithms seen in the generated message. SHA-1 is deprecated for signatures;
     switch to a SHA-256 suite if the service accepts it. -->
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://service/endpoint"
binding="basicHttpBinding" bindingConfiguration="JavaServiceSoapBinding"
contract="MyCode.MyService" name="MyServicePort" behaviorConfiguration="endpointBehavior">
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="endpointBehavior">
<clientCredentials>
<!-- Client certificate (with private key) looked up by serial number in LocalMachine\My. -->
<clientCertificate storeLocation="LocalMachine" storeName="My" findValue="A1A1A1A1" x509FindType="FindBySerialNumber"/>
<serviceCertificate>
<!-- NOTE(review): certificateValidationMode="None" with revocationMode="NoCheck" turns
     off chain validation and revocation checking for the service certificate, so any
     certificate is accepted where this setting applies. Keep it to test environments;
     for production use ChainTrust or PeerTrust and enable revocation checking. -->
<authentication certificateValidationMode="None" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
And this is the example SOAP header I have from the partner responsible for the service:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.connector.speechanalytics.ept.avaya.com/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="Signature-5" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>blablabla=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
blablabla=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-blablabla">
<wsse:SecurityTokenReference wsu:Id="STRId-blablabla" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Dept,OU=Product,O=Company,L=Location,ST=BLA,C=BLA</ds:X509IssuerName>
<ds:X509SerialNumber>1319578157</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id-6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
and this is the SOAP message that WCF is producing:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-05-21T15:02:36.448Z</u:Created>
<u:Expires>2012-05-21T15:07:36.448Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-abd451ed-9bff-4cd0-b9a6-38fcd6bf9e8b-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">blablabla==</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>+blablabla=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>blablabla=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-abd451ed-9bff-4cd0-b9a6-38fcd6bf9e8b-1"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
Do you have any details on why the server fails? The messages do not have to be exactly the same. Try to see if the HTTP 500 body contains something, or if the vendor can tell you from the logs.
Next, revert to a customBinding instead of a basicHttpBinding (this can be done automatically online) and, on the binding's security element, add the attribute includeTimestamp="false".
Try with this first (and get the message). Working without the BinarySecurityToken is also possible but slightly more complex at this stage.
I try to sign a message using a certificate and a private key to call a java (JBoss) web service, but the server refuses to accept my signed message. It only echoes back the same message that I've sent.
I have successfully signed the outgoing message using the certificate, and the structure of the message looks all right when I compare it to an example message supplied by the web service creator.
I use a custom binding declared as shown below
<!-- Custom binding: SOAP 1.1 text encoding, message-level certificate security, plain HTTP. -->
<binding name="FSACustomServiceBinding"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:10:00"
sendTimeout="00:01:00">
<textMessageEncoding
messageVersion="Soap11" />
<!-- MutualCertificate means the service's certificate is also needed on the client and
     is subject to the client's certificate validation settings. includeTimestamp="false"
     leaves the security header without a signed freshness value, so replay of a
     captured request has to be prevented by other means. -->
<security
authenticationMode="MutualCertificate"
requireDerivedKeys="false"
keyEntropyMode="ClientEntropy"
includeTimestamp="false"
securityHeaderLayout="Lax"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<secureConversationBootstrap />
</security>
<!-- Plain HTTP: the message shown for this binding is signed but its Body is not
     encrypted, so the payload is readable in transit. Use httpsTransport if it is sensitive. -->
<httpTransport/>
</binding>
and the resulting message looks like this
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken u:Id="uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">[BINARYSECURITYTOKEN]</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>[DIGESTVALUE]</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>[SIGNATUREVALUE]</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference><o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-0794e8c9-f354-42de-acf2-3d2caf80ff9c-2"/></o:SecurityTokenReference>
</KeyInfo>
</Signature></o:Security></s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><list xmlns="http://etis.ford.com/services/fsa/1.0"><String_1 xmlns="">[VINNUMBER]</String_1></list></s:Body>
</s:Envelope>
An example message that works with the web service:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://etis.ford.com/services/fsa/1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-26-1284446233382-10880960">[BINARYSECURITYTOKEN]</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#element-25-1284446233382-9656454">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>[DIGESTVALUE]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[SIGNATUREVALUE]</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference><wsse:Reference URI="#token-26-1284446233382-10880960" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></env:Header>
<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-25-1284446233382-9656454"><ns0:list><String_1>[VINNUMBER]</String_1></ns0:list></env:Body>
</env:Envelope>
I've run out of ideas, and the web service creator doesn't supply any information whatsoever as to why my message isn't accepted.
Does anyone have an idea?
Regards,
Simon
One possibility is that you are using a self-signed certificate that the JBoss server does not trust.