5 Interoperability with Microsoft WCF/.NET 3.5 Security Environments
This chapter includes the following sections:
-
Understanding the Interoperability of Microsoft WCF/.NET 3.5 Security Environments
-
Implementing a Message Transmission Optimization Mechanism for Microsoft WCF/.NET 3.5 Client
-
Implementing a Username Token Over SSL for Microsoft WCF/.NET 3.5 Client
-
Implementing a Kerberos with Message Protection for Microsoft WCF/.NET 3.5 Client
-
Implementing a Kerberos with Message Protection Using Derived Keys for Microsoft WCF/.NET 3.5 Client
-
Implementing a Kerberos with SPNEGO Negotiation for Microsoft WCF/.NET 3.5 Client
-
WCF/.NET 3.5 Client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) STS
5.1 Understanding the Interoperability of Microsoft WCF/.NET 3.5 Security Environments
In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the web service security policies created using OWSM 14c can interoperate with web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.
For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx
.
Detailed description about OWSM predefined policies and interoperability scenarios are described in the following sections:
5.1.1 OWSM Predefined Policies for Microsoft WCF/.NET 3.5 Security Environment
Review this topic for more information on OWSM predefined policies for Microsoft WCF/.NET 3.5 security environment.
For more information about:
-
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Configuring and attaching OWSM 14c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Note:
In most cases, you can attach OWSM policies in source code, before deploying an application, or you can attach policies post deployment, using WLST or Fusion Middleware Control. To simplify the instructions in this chapter, it is assumed that you are attaching policies at runtime. If a situation requires that you attach a policy before deploying, it is described that way in the instructions.
Note:
Some of the procedures described in this chapter instruct you to use the Microsoft ServiceModel Metadata Utility Tool (
SvcUtil.exe
) to create a client proxy and configuration file from the deployed web service. However,SvcUtil.exe
does not work with certain security policy assertions used with OWSM. As a workaround when generating a WCF proxy for a web service protected by an OWSM policy, do the following:-
Detach the policy.
-
Generate the proxy using
SvcUtil.exe
. -
Re-attach the policy.
For more information about
SvcUtil.exe
, seehttp://msdn.microsoft.com/en-us/library/aa347733%28v=vs.90%29.aspx
. -
5.1.2 Interoperability Scenarios for Microsoft WCF/.NET 3.5
You can review the different scenarios for interoperability between OWSM 14c and Microsoft WCF/.NET 3.5.
The most common Microsoft .NET 3.5 interoperability scenarios are based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
In addition, ensure that the keys use the proper extensions, including DigitalSignature
, Non_repudiation
, Key_Encipherment
, and Data_Encipherment
.
The following table describes the OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy interoperability scenarios:
Table 5-1 OWSM 14c Service Policy and Microsoft WCF/.NET 3.5 Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
MTOM |
NA |
NA |
NA |
|
|
Username or SAML |
1.1 |
Yes |
No |
OR
|
"Configuring Microsoft WCF/.NET 3.5 Client (Username Token with Message Protection)" |
Username |
1.0 and 1.1 |
No |
Yes |
OR
|
"Configuring Microsoft WCF/.NET 3.5 Client (Username Token over SSL)" |
Mutual Authentication |
1.1 |
Yes |
No |
|
"Configuring Microsoft WCF/.NET 3.5 Client (Mutual Authentication)" |
Kerberos |
1.1 |
Yes |
No |
|
"Configuring Microsoft WCF/.NET 3.5 Client (Kerberos with Message Protection)" |
The following table describes the Microsoft WCF/.NET 3.5 service policy and OWSM 14c client policy interoperability scenarios:
Table 5-2 Microsoft WCF/.NET 3.5 Service Policy and OWSM 14c Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
MTOM |
NA |
NA |
NA |
|
|
Username |
1.1 |
Yes |
No |
"Configuring Microsoft WCF/.NET 3.5 Web Service (Username Token with Message Protection)" |
|
Mutual Authentication |
1.1 |
Yes |
No |
"Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 14c Client (Mutual Authentication)" |
|
5.2 Implementing a Message Transmission Optimization Mechanism for Microsoft WCF/.NET 3.5 Client
You can implement the Message Transmission Optimization Mechanism (MTOM) to achieve the interoperability between OWSM 14c Service Policy and Microsoft WCF/.NET 3.5 Client Policy and the interoperability between Microsoft WCF/.NET 3.5 Service Policy and OWSM 14c Client Policy.
The following topics describe how to implement MTOM in different interoperability scenarios:
5.2.1 Configuring an OWSM 14c Web Service and a Microsoft WCF/.NET 3.5 Client (Message Transmission Optimization Mechanism)
You can implement Message Transmission Optimization Mechanism (MTOM) using OWSM 14c web service and a Microsoft WCF/.NET 3.5 client.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement Message Transmission Optimization Mechanism:
5.2.1.1 Configuring OWSM 14c Web Service (MTOM)
You can create a web service application by using OWSM 14c and attach the MTOM service policy to the web service created.
To configure the OWSM 14c web service:
-
Create and deploy a web service application.
-
Attach the following policy to the web service:
oracle/wsmtom_policy
.For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
5.2.1.2 Configuring Microsoft WCF/.NET 3.5 Client (MTOM)
You can configure a Microsoft WCF/.NET 3.5 client to implement message transmission optimization mechanism for interoperability with an OWSM 14c web service.
To configure the Microsoft WCF/.NET 3.5 client:
-
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.
See the app.config file for MTOM interoperability sample:
<?xml version="1.0" encoding="utf-8"?> <configuration> <system.serviceModel> <bindings> <customBinding> <binding name="CustomBinding_IMTOMService"> <mtomMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap12" maxBufferSize="65536" writeEncoding="utf-8"> <readerQuotas maxDepth="32" maxStringContentLength= "8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> </mtomMessageEncoding> <httpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" /> </binding> </customBinding> </bindings> <client> <endpoint address="<endpoint_url>" binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService" contract="IMTOMService" name="CustomBinding_IMTOMService" > </endpoint> </client> </system.serviceModel> </configuration>
For more information, see
http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.90%29.aspx
. -
Run the client program.
5.2.2 Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 14c Client (Message Transmission Optimization Mechanism)
You can implement message transmission optimization mechanism (MTOM) using Microsoft WCF/.NET 3.5 web service and an OWSM 14c client.
The following topics describe how to configure Microsoft WCF/.NET 3.5 web service and an OWSM 14c client to implement message transmission optimization mechanism (MTOM):
5.2.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service (MTOM)
You can configure a Microsoft WCF/.NET 3.5 web service to implement message transmission optimization mechanism for interoperability with an OWSM 14c client.
To configure the Microsoft WCF/.NET 3.5 web service:
-
Create a .NET web service.
For an example, see the following .NET web service for MTOM interoperability sample:
static void Main(string[] args) { string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService"; // Step 1 of the address configuration procedure: Create a URI to serve as the base address. Uri baseAddress = new Uri(uri); // Step 2 of the hosting procedure: Create ServiceHost ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress); try { HttpTransportBindingElement hb = new HttpTransportBindingElement(); hb.ManualAddressing = false; hb.MaxBufferPoolSize = 2147483647; hb.MaxReceivedMessageSize = 2147483647; hb.AllowCookies = false; hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous; hb.KeepAliveEnabled = true; hb.MaxBufferSize = 2147483647; hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous; hb.Realm = ""; hb.TransferMode = System.ServiceModel.TransferMode.Buffered; hb.UnsafeConnectionNtlmAuthentication = false; hb.UseDefaultWebProxy = true; MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement(); me.MaxReadPoolSize=64; me.MaxWritePoolSize=16; me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12; me.WriteEncoding = System.Text.Encoding.UTF8; me.MaxWritePoolSize = 2147483647; me.MaxBufferSize = 2147483647; me.ReaderQuotas.MaxArrayLength = 2147483647; CustomBinding binding1 = new CustomBinding(); binding1.Elements.Add(me); binding1.Elements.Add(hb); ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1, "MTOMService"); EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri), EndpointIdentity.CreateDnsIdentity("WSMCert3")); ep.Address = myEndpointAdd; // Step 4 of the hosting procedure: Enable metadata exchange. ServiceMetadataBehavior smb = new ServiceMetadataBehavior(); smb.HttpGetEnabled = true; selfHost.Description.Behaviors.Add(smb); using (ServiceHost host = new ServiceHost(typeof(MTOMService))) { System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description; ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>(); svcDebug.IncludeExceptionDetailInFaults = true; } // Step 5 of the hosting procedure: Start (and then stop) the service. selfHost.Open(); Console.WriteLine("The service " + uri + " is ready."); Console.WriteLine("Press <ENTER> to terminate service."); Console.WriteLine(); Console.ReadLine(); // Close the ServiceHostBase to shutdown the service. selfHost.Close(); } catch (CommunicationException ce) { Console.WriteLine("An exception occurred: {0}", ce.Message); selfHost.Abort(); } }
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at
http://msdn.microsoft.com/en-us/library/ms731835.aspx
. -
Deploy the application.
5.2.2.2 Configuring OWSM 14c Client (MTOM)
You can configure an OWSM 14c client to implement message transmission optimization mechanism for interoperability with a Microsoft WCF/.NET 3.5 web service.
To configure an OWSM 14c client:
-
Using JDeveloper, create a SOA composite that consumes the .NET web service.
For more information, see Deploying SOA Composite Applications in Oracle JDeveloper in Developing SOA Applications with Oracle SOA Suite.
-
Attach the following policy to the web service client:
oracle/wsmtom_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
5.3 Implementing a Username Token with Message Protection (WS-Security 1.1) for Microsoft WCF/.NET 3.5 Client
The Username Token with Message Protection policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy and the interoperability between Microsoft WCF/.NET 3.5 service policy and OWSM 14c client policy.
The following topics describe how to implement username token with message protection in different interoperability scenarios:
5.3.1 Configuring an OWSM 14c Web Service and a Microsoft WCF/.NET 3.5 Client (Username Token with Message Protection)
You can implement username token with message protection that conforms to the WS-Security 1.1 standard using OWSM 14c web service and a Microsoft WCF/.NET 3.5 client.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement username token with message protection, both with and without secure conversation enabled:
5.3.1.1 Configuring OWSM 14c Web Service for Microsoft WCF/.NET 3.5 Client (Username Token with Message Protection)
You can configure an OWSM 14c web service to implement username token with message protection for interoperability with a Microsoft WCF/.NET 3.5 client.
To configure the OWSM 14c web service:
-
Create a web service application.
-
Select the policy to use based on whether or not you want to enable secure conversation:
If you do not want to enable secure conversation, clone either of the following policies:
oracle/wss11_username_token_with_message_protection_service_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
To enable secure conversation, clone the following policy:
oracle/wss11_username_token_with_message_protection_wssc_service_policy
Note:
In the case of secure conversation enabled, you will have to configure the
app.config
file somewhat differently, as described in "Configuring Microsoft WCF/.NET 3.5 Client (Username Token with Message Protection)".For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Export the X.509 certificate file from the keystore on the service side to a
.cer
file (for example,alice.cer
) using the following command:keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
5.3.1.2 Configuring Microsoft WCF/.NET 3.5 Client (Username Token with Message Protection)
You can configure a Microsoft WCF/.NET 3.5 client to implement username token with message protection for interoperability with an OWSM 14c web service.
To configure the Microsoft WCF/.NET 3.5 client:
-
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc), as follows:
-
Open a command prompt.
-
Type mmc and press Enter.
-
Select File > Add/Remove snap-in.
-
Select Add and Choose Certificates.
Note:
To view certificates in the local machine store, you must be in the Administrator role.
-
Select Add.
-
Select My user account and finish.
-
Click OK.
-
Expand Console Root > Certificates -Current user > Personal > Certificates.
-
Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.
-
Click Next, select Browse, and navigate to the
.cer
file that was exported previously. -
Click Next and accept defaults and finish the wizard.
For more information, see "How to: View Certificates with the MMC Snap-in" at
http://msdn.microsoft.com/en-us/library/ms788967.aspx
. -
-
Generate a .NET client using the WSDL of the web service.
For more information, see "How to: Create a Windows Communication Foundation Client" at
http://msdn.microsoft.com/en-us/library/ms733133(v=vs.90).aspx
. -
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to
C:\Windows\Microsoft.NET\ framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
. -
Edit the
app.config
file in the .NET project to update the certificate file and disable replays, as shown in the following sample (changes are identified in bold).<?xml version="1.0" encoding="utf-8"?> <configuration> <system.serviceModel> <behaviors> <endpointBehaviors> <behavior name="secureBehaviour"> <clientCredentials> <serviceCertificate> <defaultCertificate findValue="<certificate_cn>" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/> </serviceCertificate> </clientCredentials> </behavior> </endpointBehaviors> </behaviors> <bindings> <customBinding> <binding name="HelloWorldSoapHttp"> <!-- To enable secrure conversation, use authenticationMode="SecureConversation" instead of the value for authenticationMode shown below --> <security authenticationMode="UserNameOverTransport" defaultAlgorithmSuite="Basic128" requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireSignatureConfirmation="true"> <localClientSettings cacheCookies="true" detectReplays="false" replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60"/> <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000" timestampValidityDuration="00:05:00" /> <secureConversationBootstrap /> <!-- To enable secure conversation, add the following properties to the <secureConversationBootstrap> element: <secureConversationBootstrap authenticationMode="UserNameOverTransport" requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireSignatureConfirmation="true"/> --> --> </security> <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap11" writeEncoding="utf-8"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> </textMessageEncoding> <HttpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" /> </binding> </customBinding> </bindings> <client> <endpoint address="<endpoint_url>" binding="customBinding" bindingConfiguration="HelloWorldSoapHttp" contract="HelloWorld" name="HelloWorldPort" behaviorConfiguration="secureBehaviour" > <identity> <dns value="<certificate_cn>"/> </identity> </endpoint> </client> </system.serviceModel> </configuration>
If you follow the default key setup, then
<certificate_cn>
should be set toalice
. -
Edit the
app.config
file as needed to enable secure conversation or not.If you do not want to enable secure conversation, edit the
app.config
as shown in the sample:-
Set the
authenticationMode
property of the<security>
element toUserNameOverTransport
. -
Do not configure the properties of the
secureConversationBootstrap
element.
To enable secure conversation, edit the
app.config
file as shown the comments in bold italics in the sample:-
Set the
authenticationMode
property of the<security>
element toSecureConversation
. -
Configure the
secureConversationBootstrap
element with additional properties, as shown in the example.
-
-
Compile the project.
-
Open a command prompt and navigate to the project's Debug folder.
-
Enter
<client_project_name>.exe
and press Enter.
5.3.2 Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 14c Client (Username Token with Message Protection)
You can implement username token with message protection that conforms to the WS-Security 1.1 standard using Microsoft WCF/.NET 3.5 web service and an OWSM 14c client.
The following topics describe how to configure Microsoft WCF/.NET 3.5 web service and an OWSM 14c client to implement username token with message protection:
5.3.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service (Username Token with Message Protection)
You can configure a Microsoft WCF/.NET 3.5 web service to implement username token with message protection for interoperability with an OWSM 14c client.
To configure the Microsoft WCF/.NET 3.5 web service:
-
Create a .NET web service.
Be sure to create a custom binding for the web service using the
SymmetricSecurityBindingElement
.For an example, see the following .NET web service sample:
static void Main(string[] args) { // Step 1 of the address configuration procedure: Create a URI to serve as the // base address. // Step 2 of the hosting procedure: Create ServiceHost string uri = "http://host:port/TEST/NetService"; Uri baseAddress = new Uri(uri); ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress); try { SymmetricSecurityBindingElement sm = SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement(); sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128; sm.SetKeyDerivation(false); sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax; sm.IncludeTimestamp = true; sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; sm.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005 WSSecurityPolicy11BasicSecurityProfile10; sm.RequireSignatureConfirmation = true; sm.LocalClientSettings.CacheCookies = true; sm.LocalClientSettings.DetectReplays = true; sm.LocalClientSettings.ReplayCacheSize = 900000; sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00); sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue; sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ; sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00); sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ; sm.LocalClientSettings.ReconnectTransportOnFailure = true; sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ; sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60; sm.LocalServiceSettings.DetectReplays = false; sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00); sm.LocalServiceSettings.MaxStatefulNegotiations = 128; sm.LocalServiceSettings.ReplayCacheSize = 900000; sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00); sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00); sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00); sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00); sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00); sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); sm.LocalServiceSettings.ReconnectTransportOnFailure = true; sm.LocalServiceSettings.MaxPendingSessions = 128; sm.LocalServiceSettings.MaxCachedCookies = 1000; sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00); HttpTransportBindingElement hb = new HttpTransportBindingElement(); hb.ManualAddressing = false; hb.MaxBufferPoolSize = 524288; hb.MaxReceivedMessageSize = 65536; hb.AllowCookies = false; hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous; hb.KeepAliveEnabled = true; hb.MaxBufferSize = 65536; hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous; hb.Realm = ""; hb.TransferMode = System.ServiceModel.TransferMode.Buffered; hb.UnsafeConnectionNtlmAuthentication = false; hb.UseDefaultWebProxy = true; TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement(); tb1.MaxReadPoolSize = 64; tb1.MaxWritePoolSize = 16; tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12; tb1.WriteEncoding = System.Text.Encoding.UTF8; CustomBinding binding1 = new CustomBinding(sm); binding1.Elements.Add(tb1); binding1.Elements.Add(hb); ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1, "CalculatorService"); EndpointAddress myEndpointAdd = new EndpointAddress( new Uri(uri), EndpointIdentity.CreateDnsIdentity("WSMCert3")); ep.Address = myEndpointAdd; // Step 4 of the hosting procedure: Enable metadata exchange. ServiceMetadataBehavior smb = new ServiceMetadataBehavior(); smb.HttpGetEnabled = true; selfHost.Description.Behaviors.Add(smb); selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "WSMCert3"); selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust; selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom; CustomUserNameValidator cu = new CustomUserNameValidator(); selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu; using (ServiceHost host = new ServiceHost(typeof(CalculatorService))) { System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description; ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>(); svcDebug.IncludeExceptionDetailInFaults = true; } // Step 5 of the hosting procedure: Start (and then stop) the service. selfHost.Open(); Console.WriteLine("The Calculator service is ready."); Console.WriteLine("Press <ENTER> to terminate service."); Console.WriteLine(); Console.ReadLine(); selfHost.Close(); } catch (CommunicationException ce) { Console.WriteLine("An exception occurred: {0}", ce.Message); selfHost.Abort(); } }
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at
http://msdn.microsoft.com/en-us/library/ms731835.aspx
. -
Create and import a certificate file to the keystore on the web service server.
Using Microsoft Visual Studio, the command would be similar to the following:
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer
This command creates and imports a certificate in mmc.
If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk.
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi password
Then, in mmc, import
PRF_WSMCert3.pfx
. -
Import the certificate created on the web service server to the client server using the
keytool
command. For example:keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>
-
Right-click on the web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer.
-
Navigate to the
bin/Debug
folder. -
Double-click the
<project>.exe
file. This command runs the web service at the URL provided.
5.3.2.2 Configuring OWSM 14c Client for Microsoft WCF/.NET 3.5 Web Service (Username Token with Message Protection)
You can configure an OWSM 14c client to implement username token with message protection for interoperability with a Microsoft WCF/.NET 3.5 web service.
To configure an OWSM 14c client:
-
Using JDeveloper, create a SOA composite that consumes the .NET web service.
For more information, see Developer's Guide for SOA Suite.
-
In JDeveloper, create a partner link using the WSDL of the .NET service.
-
Attach the following policy to the web service client:
oracle/wss11_username_token_with_message_protection_client_policy
.For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Provide configurations for the
csf-key
andkeystore.recipient.alias
.You can specify this information when attaching the policy, by overriding the policy configuration.
Ensure that you configure the
keystore.recipient.alias
as the alias of the certificate imported in step 1 (wsmcert3
). For example:<wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy" orawsp:category="security" orawsp:status="enabled"/> <property name="csf-key" type="xs:string" many="false"> basic.credentials </property> <property name="keystore.recipient.alias" type="xs:string" many="false"> wsmcert3 </property>
For more information, see "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
5.4 Implementing a Username Token Over SSL for Microsoft WCF/.NET 3.5 Client
The Username Token over SSL policy conforms to the WS-Security 1.0 and 1.1 standards. This policy is implemented to achieve the interoperability between OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement username token over SSL:
5.4.1 Configuring an OWSM 14c Web Service for Microsoft WCF/.NET 3.5 Client (Username Token over SSL)
You can implement username token over SSL using an OWSM 14c web service for Microsoft .NET 3.5 client.
To configure an OWSM 14c web service:
-
Configure the server for SSL.
For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Create an OWSM web service.
-
Select the policy to use based on whether or not you want to enable secure conversation.
If you do not want to enable secure conversation, use either of the following policies:
oracle/wss_username_token_over_ssl_service_policy
oracle/wss_saml_or_username_token_over_ssl_service_policy
To enable secure conversation, use the following policy:
oracle/wss_username_token_over_ssl_wssc_service_policy
Note:
In the case of secure conversation enabled, you will have to configure the
app.config
file somewhat differently, as described in "Configuring Microsoft WCF/.NET Client (Username Token over SSL)":For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Edit the policy settings, as follows:
-
Disable the Creation Time Required configuration setting.
-
Disable the Nonce Required configuration setting.
-
Leave the default configuration set for all other configuration settings.
-
-
Attach the policy.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
5.4.2 Configuring Microsoft WCF/.NET 3.5 Client (Username Token over SSL)
You can configure the Microsoft WCF/.NET 3.5 client to implement username token over SSL for interoperability with an OWSM 14c web service.
To configure the Microsoft WCF/.NET 3.5 client:
-
Generate a .NET client using the WSDL of the web service.
For more information, see "How to: Create a Windows Communication Foundation Client" at
http://msdn.microsoft.com/en-us/library/ms733133(v=vs.90).aspx
. -
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to
C:\Windows\Microsoft.NET\framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
. -
Edit the
app.config
, as shown in the following sample:<?xml version="1.0" encoding="utf-8"?> <configuration> <system.serviceModel> <bindings> <customBinding> <binding name="BPELProcess1Binding"> <!-- To enable secrure conversation, you must use authenticationMode="SecureConversation" instead of the value for authenticationMode shown below, under <security --> <security defaultAlgorithmSuite="Basic128" authenticationMode="UserNameOverTransport" requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation February2005WSSecurityPolicy11BasicSecurityProfile10" requireSignatureConfirmation="true"> <localClientSettings cacheCookies="true" detectReplays="false" replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60"/> <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000" timestampValidityDuration="00:05:00" /> <secureConversationBootstrap /> <!-- To enable secure conversation, add the following properties to the <secureConversationBootstrap> element: <secureConversationBootstrap authenticationMode="UserNameOverTransport" requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" requireSignatureConfirmation="true"/> --> </security> <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap11" writeEncoding="utf-8"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> </textMessageEncoding> <httpsTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" requireClientCertificate="false"/> </binding> </customBinding> </bindings> <client> <endpoint address=" https://host:port/soa-infra/services/default/IO_NET6/bpelprocess1_client_ep" binding="customBinding" bindingConfiguration="BPELProcess1Binding" contract="BPELProcess1" name="BPELProcess1_pt" /> </client> </system.serviceModel> </configuration>
-
Edit the
app.config
file as needed to enable to enable secure conversation or not.If you do not want to enable secure conversation, edit the
app.config
as shown in regular typeface in the sample.-
Set the
authenticationMode
property of the<security>
element toUserNameOverTransport
. -
Do not configure the properties of the
secureConversationBootstrap
element.
To enable secure conversation, edit the
app.config
as shown the comments in bold italics in the sample.-
Set the
authenticationMode
property of the<security>
element toSecureConversation
. -
Configure the
secureConversationBootstrap
element with additional properties, as shown in the example.
-
-
Compile the project.
-
Open a command prompt and navigate to the project's Debug folder.
-
Type
<client_project_name>.exe
and press Enter.
5.5 Implementing a Mutual Authentication with Message Protection (WS-Security 1.1) for Microsoft WCF/.NET 3.5 Client
The Mutual Authentication with Message Protection policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy and the interoperability between Microsoft WCF/.NET 3.5 service policy and OWSM 14c client policy.
The following topics describe how to implement mutual authentication with message protection in different interoperability scenarios:
-
Configuring an OWSM 14c Web Service and a Microsoft WCF/.NET 3.5 Client (Mutual Authentication)
-
Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 14c Client (Mutual Authentication)
Before configuring the web service and client in either of the above scenarios, follow the instructions in Configuring Prerequisites for Interoperability (Mutual Authentication).
5.5.1 Configuring Prerequisites for Interoperability (Mutual Authentication)
Before you implement mutual authentication with message protection that conforms to the WS-Security 1.1 standards for interoperability between OWSM 14c and Microsoft WCF/.NET 3.5, you must complete a number of high-level tasks.
To configure prerequisites for interoperability:
-
Export the X.509 certificate file from the keystore on the service side to a
.cer
file (for example,alice.cer
) using the following command:keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
-
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc).
-
Open a command prompt.
-
Type mmc and press ENTER.
-
Select File > Add/Remove snap-in.
-
Select Add and Choose Certificates.
Note:
To view certificates in the local machine store, you must be in the Administrator role.
-
Select Add.
-
Select My user account and finish.
-
Click OK.
-
Expand Console Root > Certificates -Current user > Personal > Certificates.
-
Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.
-
Click Next, select Browse, and navigate to the
.cer
file that was exported previously. -
Click Next and accept defaults and finish the wizard.
For more information, see "How to: View Certificates with the MMC Snap-in" at
http://msdn.microsoft.com/en-us/library/ms788967.aspx
. -
5.5.2 Configuring an OWSM 14c Web Service and a Microsoft WCF/.NET 3.5 Client (Mutual Authentication)
You can implement mutual authentication with message protection that conform to the WS-Security 1.1 standards using OWSM 14c web service and a Microsoft WCF/.NET 3.5 client.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement mutual authentication with message protection:
5.5.2.1 Configuring OWSM 14c Web Service for Microsoft WCF/.NET 3.5 Client (Mutual Authentication)
You can configure an OWSM 14c web service to implement mutual authentication for interoperability with a Microsoft WCF/.NET 3.5 client.
To configure the OWSM 14c web service:
-
Create a SOA composite and deploy it.
-
Using Fusion Middleware Control, attach the following policy to the web service:
oracle/wss11_x509_token_with_message_protection_service_policy
.For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
5.5.2.2 Configuring Microsoft WCF/.NET 3.5 Client (Mutual Authentication)
You can configure a Microsoft WCF/.NET 3.5 client to implement mutual authentication for interoperability with an OWSM 14c web service.
To configure the Microsoft WCF/.NET 3.5 client:
-
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.
A sample of the Client Program is shown below:
namespace IO_NET10_client { class Program { static void Main(string[] args) { BPELProcess1Client client = new BPELProcess1Client(); client.ClientCredentials.ClientCertificate.SetCertificate( StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "WSMCert3"); client.ClientCredentials.ServiceCertificate.SetDefaultCertificate( StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "Alice"); process proc = new process(); proc.input = "Test wss11_x509_token_with_message_protection_policy - "; Console.WriteLine(proc.input); processResponse response = client.process(proc); Console.WriteLine(response.result.ToString()); Console.WriteLine("Press <ENTER> to terminate Client."); Console.ReadLine(); } } }
For more information, see
http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.90%29.aspx
-
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to
C:\Windows\Microsoft.NET\ framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
. -
Create an
app.config
configuration file, including the following steps.The steps listed below are called out in bold type in the example.
-
Define behaviors with credentials.
-
Create a custom binding.
-
Diable the message replay detection.
-
Modify endpoint behavior.
An example of the complete file is shown in the following app.config file sample:
<?xml version="1.0" encoding="utf-8"?> <configuration> <system.serviceModel> <!-- 1. Define behaviors with credentials ------------------------------------------- --> <behaviors> <endpointBehaviors> <behavior name="secureBehaviour"> <clientCredentials> <serviceCertificate> <defaultCertificate findValue="<certificate_cn>" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/> </serviceCertificate> </clientCredentials> </behavior> </endpointBehaviors> </behaviors> <!-- ------------------------------------------------------------------------------- --> <bindings> <customBinding> <binding name="BPELProcess1Binding"> <!-- --- 2. Create a custom binding ------------------------------------------------- --> <security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate" <!-- ------------------------------------------------------------------------------- --> requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation February2005WSSecurityPolicy11BasicSecurityProfile10" requireSignatureConfirmation="true"> <!-- --- 3. Disable the message replay detection ----------------------------------- --> <localClientSettings cacheCookies="true" detectReplays="false" replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" <!-- ------------------------------------------------------------------------------- --> replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" /> <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000" timestampValidityDuration="00:05:00" /> <secureConversationBootstrap /> </security> <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap11" writeEncoding="utf-8"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> </textMessageEncoding> <httpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" /> </binding> </customBinding> </bindings> <client> <!-- - 4. Modify endpoint behavior ------------------------------------------------- --> <endpoint address="http://<server>:<port>//MyWebService1SoapHttpPort" binding="customBinding" bindingConfiguration="MyWebService1SoapHttp" contract="MyWebService1" name="MyWebService1SoapHttpPort" behaviorConfiguration="secureBehaviour" > <identity> <dns value="<certificate_cn>"/> </identity> </endpoint> <!-- ------------------------------------------------------------------------------- --> </client> </system.serviceModel> </configuration>
-
-
Compile the project.
-
Open a command prompt and navigate to the project's Debug folder.
-
Enter
<client_project_name>.exe
and press Enter.
5.5.3 Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 14c Client (Mutual Authentication)
You can implement mutual authentication with message protection that conform to the WS-Security 1.1 standards using Microsoft WCF/.NET 3.5 web service and an OWSM 14c client.
To configure a Microsoft WCF/.NET 3.5 web service and an OWSM 14c client:
5.6 Implementing a Kerberos with Message Protection for Microsoft WCF/.NET 3.5 Client
The Kerberos with Message Protection policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with message protection:
5.6.1 Performing Prerequisite Tasks for Interoperability (Kerberos with Message Protection)
Before you implement Kerberos with message protection for interoperability between OWSM 14c and Microsoft WCF/.NET 3.5, you must complete a number of high-level tasks.
To configure prerequisites for interoperability:
5.6.2 Configuring an OWSM 14c Web Service and a Microsoft WCF/.NET 3.5 Client (Kerberos with Message Protection)
You can implement Kerberos with message protection using OWSM 14c web service and a Microsoft WCF/.NET 3.5 client.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with message protection:
5.6.2.1 Configuring OWSM 14c Web Service for Microsoft WCF/.NET 3.5 Client (Kerberos with Message Protection)
You can configure an OWSM 14c web service to implement Kerberos with message protection for interoperability with a Microsoft WCF/.NET 3.5 client.
To configure the OWSM 14c web service:
-
Create and deploy a web service application.
-
Clone the following policy:
oracle/wss11_kerberos_token_with_message_protection_service_policy
.For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Edit the policy settings to set Algorithm Suite to
Basic128Rsa15
. -
Attach the policy to the web service.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
5.6.2.2 Configuring Microsoft WCF/.NET 3.5 Client (Kerberos with Message Protection)
You can configure a Microsoft WCF/.NET 3.5 client to implement Kerberos with message protection for interoperability with an OWSM 14c web service.
To configure the Microsoft WCF/.NET 3.5 client:
-
Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name is
HTTP/foobar
. -
Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:
ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4
where
HTTP/foobar
is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in thekrb5.ini
file. The pass password must match the password created during the user creation.Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite web service is hosted.
-
Use the following
setSpn
command to map the service principal to the user:setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar
setSpn -L foobar
Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command
setSpn -D <spname> <username>
. -
Use the Microsoft svcutil utility to create a client proxy and configuration file from the deployed web service.
Add the files
generatedProxy.cs
andapp.config
by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.In the endpoint element of the
app.config
, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab).<client> <endpoint address="http://host:port/HelloServicePort" binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding" contract="NewHello" name="HelloServicePort"> <identity> <servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/> </identity> </endpoint> </client>
See the following Custom Binding sample:
<customBinding> <binding name="NewHelloSoap12HttpPortBinding"> <!--Added by User: Begin--> <security defaultAlgorithmSuite="Basic128" authenticationMode="Kerberos" requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true" keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity11WSTrustFebruary2005 WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity Profile10" requireSignatureConfirmation="true"> <localClientSettings cacheCookies="true" detectReplays="true" replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" /> <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00" negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000" timestampValidityDuration="00:05:00" /> <secureConversationBootstrap /> </security> <!--Added by User: End--> <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap12" writeEncoding="utf-8"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> </textMessageEncoding> <!--Added by User: Begin--> <httpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" /> <!--Added by User: End--> </binding> </customBinding>
For more information, see
http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.90%29.aspx
. -
Run the client program.
5.7 Implementing a Kerberos with Message Protection Using Derived Keys for Microsoft WCF/.NET 3.5 Client
The Kerberos with Message Protection Using Derived Keys policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with message protection using derived keys:
5.7.1 Configuring Prerequisites for Interoperability (Kerberos with Message Protection Using Derived Keys)
Before you implement Kerberos with message protection using derived keys for interoperability between OWSM 14c and Microsoft WCF/.NET 3.5, you must complete a number of high-level tasks.
To configure prerequisites for interoperability:
5.7.2 Configuring an OWSM 14c Web Service and a Microsoft WCF/.NET 3.5 Client (Kerberos with Message Protection)
You can implement Kerberos with message protection using OWSM 14c web service and a Microsoft WCF/.NET 3.5 client.
To configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client:
5.8 Implementing a Kerberos with SPNEGO Negotiation for Microsoft WCF/.NET 3.5 Client
The Kerberos with SPNEGO Negotiation policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy.
The following topics describe how to configure an OWSM 14c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with SPNEGO negotiation:
5.8.1 Configuring OWSM 14c Web Service for Microsoft WCF/.NET 3.5 Client (Kerberos with SPNEGO Negotiation)
You can configure an OWSM 14c web service to implement Kerberos with SPNEGO negotiation for interoperability with a Microsoft WCF/.NET 3.5 client.
To configure OWSM 14c web service:
-
Create and deploy a web service application.
-
Create a policy that uses the
http_spnego_token_service_template
assertion template.For more information, see Configuring Kerberos With SPNEGO Negotiation in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Attach the policy to the web service.
5.8.2 Configuring Microsoft WCF/.NET 3.5 Client (Kerberos with SPNEGO Negotiation)
You can configure a Microsoft WCF/.NET 3.5 client to implement Kerberos with SPNEGO negotiation for interoperability with an OWSM 14c web service.
To configure the Microsoft WCF/.NET 3.5 client:
-
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.
For more information, see
http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.90%29.aspx
. -
Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.
-
Edit the
app.config
file as shown in the following sample:<configuration> <system.serviceModel> <bindings> <basicHttpBinding> <binding name="BPELProcessBinding"> <security mode= "TransportCredentialOnly"> <transport clientCredentialType="Windows"/> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro cess_client_ep" binding="basicHttpBinding" bindingConfiguration="BPELProcessBinding" contract="BPELProcess" name="BPELProcess_pt" <identity> <servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" /> </identity> </endpoint> </client> </system.serviceModel> </configuration>
In this listing, note that the values of the contract and name attributes of the endpoint element are obtained from the
generatedProxy.cs
file. -
Compile the client.
-
After attaching the OWSM policy to the deployed web service, run the client.
5.9 Implementing a Kerberos with SPNEGO Negotiation and Credential Delegation for Microsoft WCF/.NET 3.5 Client
The Kerberos with SPNEGO Negotiation and Credential Delegation policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 14c service policy and Microsoft WCF/.NET 3.5 client policy.
The following topics describe how to configure an OWSM 14c web service and .NET 3.5 Client to implement Kerberos with SPNEGO negotiation and credential delegation:
5.9.1 Configuring OWSM 14c Web Service for Microsoft WCF/.NET 3.5 Client (Kerberos with SPNEGO and Credential Delegation)
You can configure an OWSM 14c web service to implement Kerberos with SPNEGO and credential delegation for interoperability with a Microsoft WCF/.NET 3.5 client.
To configure an OWSM 14c web service:
-
Create and deploy a web service application.
-
Create a policy that uses the
http_spnego_token_service_template
assertion template.For more information, see Configuring Kerberos with SPNEGO Negotiation in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Attach the policy to the web service.
-
Set the value of the
credential.delegation
configuration setting totrue
.You can specify this information when attaching the policy, by overriding the policy configuration.
For more information, see Overriding Policy Configuration Properties in Securing Web Services and Managing Policies with Oracle Web Services Manager.
5.9.2 Configuring Microsoft WCF/.NET 3.5 Client (Kerberos SPNEGO and Credential Delegation)
You can configure a Microsoft WCF/.NET 3.5 client to implement Kerberos SPNEGO and credential delegation for interoperability with an OWSM 14c web service.
To configure the Microsoft WCF/.NET 3.5 client:
-
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.
For more information, see
http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.90%29.aspx
. -
Add the files
generatedProxy.cs
andapp.config
by right clicking the application (in the Windows Explorer) and selecting Add Existing Item. -
Edit the
app.config
file as shown in the following app.config file sample:<configuration> <system.serviceModel> <bindings> <basicHttpBinding> <binding name="BPELProcess1Binding"> <security mode= "TransportCredentialOnly"> <transport clientCredentialType="Windows"/> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro cess1_client_ep" binding="basicHttpBinding" bindingConfiguration="BPELProcess1Binding" contract="BPELProcess1" name="BPELProcess1_pt" behaviorConfiguration="CredentialDelegation"> <identity> <servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" /> </identity> </endpoint> </client> <behaviors> <endpointBehaviors> <behavior name="CredentialDelegation"> <clientCredentials> <windows allowedImpersonationLevel="Delegation" allowNtlm="false"/> </clientCredentials> </behavior> </endpointBehaviors> </behaviors> </system.serviceModel> </configuration>
In the example, note that the values of the contract and name attributes of the endpoint element are obtained from the
generatedProxy.cs
file. -
Compile the client.
-
After attaching the OWSM policy to the deployed web service, run the client.
5.10 WCF/.NET 3.5 Client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) STS
A policy utilizing SAML bearer token over one-way SSL enables a WCF/.NET 3.5 client to secure communication with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) secure token service (STS).
Note:
The SAML sender vouches token is not supported in this use case.
The procedure described in this section assumes that you install and configure ADFS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 system. This system is set up in the STS role.
The section includes the following topics:
5.10.1 Installing and Configuring Active Directory Federation Services (ADFS) 2.0
You can install and configure Active Directory Federation Services (ADFS) 2.0 on a Windows Server 2008 or a Windows Server R2 system.
To install and configure Active Directory Federation Services (ADFS) 2.0:
-
Install and configure Active Directory.
For more information, see
http://technet.microsoft.com/en-us/windowsserver
. -
Install ADFS 2.0 and configure it using the wizard.
As you configure ADFS 2.0 using the wizard, on the Server Role page be sure to click Federation server.
For more information, see
http://technet.microsoft.com/en-us/windowsserver/dd448613
.For download information, see https://www.microsoft.com/en-us/download/.
-
Create and configure a self-signed server authentication certificate in IIS and bind it to the default Web site using the Internet Information Services (IIS) Manager console. When done, enable SSL server authentication.
The AD FS 2.0 Setup Wizard automatically installed the Web server (IIS) server role on the system.
Creating a self-signed server authentication certificate is described generally in
http://technet.microsoft.com/en-us/library/cc771041%28v=ws.10%29.aspx
. The steps in this section provides use case-specific information.-
Open the Internet Information Services (IIS) Manager console.
-
On the Start menu, click All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
-
In the console tree, click the root node that contains the name of the system, and then, in the details pane, double-click the icon named Server Certificates in the IIS grouping.
-
In the Actions pane, click Create Self-Signed Certificate.
-
In the console tree, click Default Web Site.
-
In the Actions pane, click Bindings.
-
In the Site Bindings dialog box, click Add.
-
In the Add Site Binding dialog box, select https in the Type drop-down list. Select the certificate you just created in the SSL certificate drop-down list, click OK, and then click Close.
-
Close the Internet Information Services (IIS) Manager console. Enable SSL Server Authentication.
-
-
Configure the system as a standalone federation server.
For more information, see
http://technet.microsoft.com/en-us/library/ee913579%28v=ws.10%29.aspx
. -
Export the ADFS 2.0 token-signing certificate.
For a self-signed certificate, select DER encoded binary X.509 (
.cer
).If the signing certificate is not self-signed, select Cryptographic Message Syntax Standard – PKCS 7 certificates (.p7b) and check Include all the certificates in the certification path if possible.
For more information, see
http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_4
. -
Create users and include an email address. You later enable the STS to send the email address as the subject name id in the outgoing SAML assertions for the service.
Follow these steps to add a sample user to Active Directory. Make sure to set the email address for each user.
-
Log in to the system with domain administrator credentials.
-
Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
-
In the console tree, right-click the Users folder. Click New, and then click User.
-
On the New Object – User page, add the user, and then click Next.
-
Provide a password, clear the User must change password at next logon check box, and then click Next.
-
Click Finish.
-
In the right-most pane of Active Directory Users and Computers, right-click the new user object, and then click Properties.
-
On the General tab, in the E-mail box, type the email address of the user, and then click OK.
-
5.10.2 Configuring ADFS 2.0 STS as Trusted SAML Token Issuer
You can add the STS signing certificates in the trusted STS servers to ensure ADFS 2.0 STS as a trusted SAML token issuer.
To configure OWSM to trust the SAML assertions issued by an ADFS 2.0 STS:
5.10.3 Configuring Users in Oracle Internet Directory
For each user, configure the mail attribute to match the user e-mail address set in ADFS.
For information on configuring users in Oracle Internet Directory, see “Managing Directory Entries for Creating a User” in Administering Oracle Internet Directory.
5.10.4 Attaching the Policy
OWSM supports a number of security policies that can be attached directly to a web service.
Attach any of the following OWSM policies to the web service:
-
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
-
oracle/wss_saml_token_bearer_over_ssl_service_policy
-
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
These policies enforce message protection (integrity and confidentiality) and SAML-based authentication using credentials provided in SAML tokens with the bearer confirmation method in the WS-Security SOAP header. They also verify that the transport protocol provides SSL message protection.
See "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager for information on attaching policies.
5.10.5 Registering the Web Service as a Relying Party in ADFS 2.0
You can configure ADFS 2.0 to issue the SAML assertion to the web service with the email address or the name ID (SAM-Account-Name) as the subject name id. This section provides use case-specific information.
For general information on relying parties, see http://technet.microsoft.com/en-us/library/dd807108%28v=ws.10%29.aspx
.
To add the web service as a relying party:
5.10.5.1 Configuring the Claim Rules for the Service
You can enable the STS to send the email address or the name ID as the subject name id
in the outgoing SAML assertions for the service. This section provides use case-specific information.
See http://technet.microsoft.com/en-us/library/ee913578%28v=ws.10%29.aspx
for general information on claim rules. See http://technet.microsoft.com/en-us/library/dd807115%28v=ws.10%29.aspx
to create a rule to send LDAP attributes as claims.
To create a chain of two claim rules with different templates:
5.10.6 Securing WCF/.NET 3.5 Client with ADFS 2.0
You can implement multiple security and authentication mechanisms to secure the WCF/.NET 3.5 client.
To secure WCF/.NET 3.5 client with ADFS 2.0:
-
Install .NET 3.5 and Microsoft Visual Studio 2008.
-
Import the SSL server certificates for STS and the service into Windows.
If the SSL server certificate for STS or the service is not issued from a trusted CA, or self-signed, then it needs to be imported with MMC tool, as described in "Configuring Microsoft WCF/.NET 3.5 Client (Username Token with Message Protection)".
-
Create and configure the WCF Client.
ADFS 2.0 STS supports multiple security and authentication mechanisms for token insurance. Each is exposed as a separate endpoint. For username/password authentication, two endpoints are provided:
-
http://<adfs.domain>/adfs/services/trust/13/username
— This endpoint is for username token with message protection. -
https://<adfs.domain>/adfs/services/trust/13/usernamemixed
— This endpoint is for username token with transport protection (SSL).
The WCF client uses the
https://<adfs.domain>/adfs/services/trust/13/usernamemixed
endpoint for username token on SSL to obtain the SAML bearer token for the service.-
Generate the WCF Client with the service WSDL.
See
http://msdn.microsoft.com/en-us/library/ms733133(v=vs.90)
for information on creating a Windows Communication Foundation client. -
Configure the client with
ws2007FederationHttpBinding
:In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to
C:
\Windows\Microsoft.NET\framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
.Edit the
app.config
file. (Seehttp://msdn.microsoft.com/en-us/library/bb472490.aspx
for information on WS 2007 Federation HTTP Binding.) Consider the following sample:<?xml version="1.0" encoding="utf-8"?> <configuration> <system.serviceModel> <behaviors> <endpointBehaviors> <behavior name="secureBehaviour"> <clientCredentials> <serviceCertificate> <defaultCertificate findValue="weblogic" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/> </serviceCertificate> </clientCredentials> </behavior> </endpointBehaviors> </behaviors> <bindings> <ws2007FederationHttpBinding> <binding name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp"> <security mode="TransportWithMessageCredential"> <message negotiateServiceCredential="false" algorithmSuite="Basic128" issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token- profile-1.1#SAMLV1.1" issuedKeyType="BearerKey"> <issuer address ="https://
domain-name
/adfs/services/trust/13/usernamemixed" binding ="ws2007HttpBinding" bindingConfiguration="ADFSUsernameMixed"/> </message> </security> </binding> </ws2007FederationHttpBinding> <ws2007HttpBinding> <binding name="ADFSUsernameMixed"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" establishSecurityContext="false" /> </security> </binding> </ws2007HttpBinding> </bindings> <client> <endpoint address="https://myhost.example.com:8002/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL/JaxWsWss11Sam lOrUsernameOrSamlBearerOverSSLService" binding="ws2007FederationHttpBinding" bindingConfiguration="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp" contract="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL" name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLPort"> <identity> <dns value="weblogic" /> </identity> </endpoint> </client> </system.serviceModel> </configuration> -
Edit the
program.cs
file to make the service call.If not already present, create a
.cs
file in the project and name itprogram.cs
(or any name of your choice.) Edit it to match the following:using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.ServiceModel; namespace Client { class Program { static void Main(string[] args) { JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient client = New JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient(); client.ClientCredentials.UserName.UserName = "joe"; client.ClientCredentials.UserName.Password = "password"; System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true); Console.WriteLine(client.echo("Hello")); Console.Read(); } } }
In this sample
program.cs
file:joe
is the username andpassword
is the password used by the client to authenticate to the STS.System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);
has been added to validate the server side self-signed certificate. This is not required if the server certificate is issued by a trusted CA. If using a self-signed certificate for testing, add this method to validate the certificate on the client side.
-