views:

290

answers:

1

I am trying to create a WCF client APP that is consuming a JAVA WS that uses username_token with message protection client policy. There is a private key that is installed on the server and a public certificate file was exported from the JKS keystore file. I have installed the public key into certificate store via MMC under Personal certificates.

I am trying to create a binding that will encrypt the message and pass the username as part of the payload. I have been researching and trying the different configurations for about a day now. I found a similar situation on the msdn forum:

http://social.msdn.microsoft.com/Forums/en/wcf/thread/ce4b1bf5-8357-4e15-beb7-2e71b27d7415

This is the configuration that I am using in my app.config

 <customBinding>
   <binding name="certbinding">
                <security authenticationMode="UserNameOverTransport">
                  <secureConversationBootstrap />
                </security>
                <httpsTransport requireClientCertificate="true" />
              </binding>
    </customBinding>

  <endpoint address="https://localhost:8443/ZZZService?wsdl"
              binding="customBinding" bindingConfiguration="cbinding"   contract="XXX.YYYPortType"
              name="ServiceEndPointCfg" />

And this is the client code that I am using, this is where I am setting the client certificate:

            EndpointAddress endpointAddress = new EndpointAddress(url + "?wsdl");
            P6.WCF.Project.ProjectPortTypeClient proxy = new P6.WCF.Project.ProjectPortTypeClient("ServiceEndPointCfg", endpointAddress);
            proxy.ClientCredentials.UserName.UserName = UserName;

    proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "67 87 ba 28 80 a6 27 f8 01 a6 53 2f 4a 43 3b 47 3e 88 5a c1");

           var projects = proxy.ReadProjects(readProjects);

This is the .NET CLient error I get: Error Log: Invalid security information.

On the Java WS side I trace the log :

SEVERE: Encryption is enabled but there is no encrypted key in the request.

I traced the SOAP headers and payload and did confirm the encrypted key is not there.

Headers: {expect=[100-continue], content-type=[text/xml; charset=utf-8], connection=[Keep-Alive], host=[localhost:8443], Content-Length=[731], vsdebuggercausalitydata=[uIDPo6hC1kng3ehImoceZNpAjXsAAAAAUBpXWdHrtkSTXPWB7oOvGZwi7MLEYUZKuRTz1XkJ3soACQAA], SOAPAction=[""], Content-Type=[text/xml; charset=utf-8]}


Payload: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"&gt;&lt;s:Header&gt;&lt;o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;&lt;o:UsernameToken u:Id="uuid-5809743b-d6e1-41a3-bc7c-66eba0a00998-1"><o:Username>admin</o:Username><o:Password>admin</o:Password></o:UsernameToken></o:Security></s:Header><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;&lt;ReadProjects xmlns="http://xmlns.dev.com/WS/Project/V1"&gt;&lt;Field&gt;ObjectId&lt;/Field&gt;&lt;Filter&gt;Id='WS-Demo'&lt;/Filter&gt;&lt;/ReadProjects&gt;&lt;/s:Body&gt;&lt;/s:Envelope&gt;

I have also tryed some other bindings but with no success:

  <basicHttpBinding>
    <binding name="basicHttp">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>            
  </basicHttpBinding>  

      <wsHttpBinding>
        <binding name="wsBinding">
          <security mode="Message">
            <message clientCredentialType="UserName"  negotiateServiceCredential="false" />
          </security>  

        </binding>
      </wsHttpBinding>

Your help will be greatly aprreciatted! Thanks!


update2:

More information, I was able to get further but still no cigar :(

I modified the app.config binding section the authenticationMode to UserNameForCertificate and specified the textMessageEncoding to use Soap1.1

modified the endpoint entry to include identity to get around some certificates warning caused due to mismatch of dns entries, that got me further.

Specified in the client code ServiceCertificate

    P6.WCF.Project.ProjectPortTypeClient proxy = new P6.WCF.Project.ProjectPortTypeClient("ProjectServiceEndPointCfg");<br/>
    proxy.ClientCredentials.UserName.UserName = UserName;<br/>


proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust; proxy.ClientCredentials.ServiceCertificate.Authentication.TrustedStoreLocation = System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine;

    proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "67 87 ba 28 80 a6 27 f8 01 a6 53 2f 4a 43 3b 47 3e 88 5a c1");
    proxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "67 87 ba 28 80 a6 27 f8 01 a6 53 2f 4a 43 3b 47 3e 88 5a c1");

Now tracing the SOAP I get an encrypted message:

Payload: 2010-06-07T22:22:52.250Z2010-06-07T22:27:52.250ZZ4e6KICmJ/gBplMvSkM7Rz6IWsE=Ddoi36zRBd+82HQ5rPFxhNXu1nCI8qxRiMtTIm2ldE69AgVbdRtXsHiLKXN6Tsk96U4NjVG/OkCELn7PLHX2CGY/+MH7fDro667RMdOyjlLBzjefO1m/JLTrdGPaHEQmVub/UtriIvwCm4sY8YE35g6Ej8FhABgqQlsvwBi6f3g=024kA1uT+jG8DCnw4PWLCpBJA==9Y5iCPnq9mKvRzE91EbecA==UE2UhcjwBsETg0Ndu26Gwdvp1UQk6sLJTT8KtSO7B5oykoBGazhrzu5XAQMCQfnlnZM+u8Gq3BLiEtIHb3SWue3i18yr20z8ZwVoHwI/TSNBjdOcfvyD7PF2YxFg/wYMKgY8dnRi8XVO/zWmVLbyd2GT7N1GoaaknkdECjWjVrkdsKlP8/AyprxgRnNJmqTcXUUoamwEeMeU0Y8qfKj3sUreVmPEXOe646JP2SF6pTyVnKSEjL1+TDbhiwOemienKZyNFj+C+JuUQLp/89Cb3hYedb6jWm7JZ1YO8bUy6CqI9Ux6mFxR2n12sDDZ1o1RoxEbR7jHsJJTP0MU2O6TmU4AquJgcldHS60joZy8iCXg24NHoERVI6BnQrEN4WT19E/HkInsUVQSBYTYpRTI1ZyimOX6Y9dgGDxH7tKY4fY=qxX35B+cNLG64jgBkmop3+G1rVaQuJnkEyzENod9BvRzXAyqApPX7d3hW3KicJYdk077Ks+AXZE26HO85BqwsdxeNfx1ECXM6YdpxZzHtgqMMfGhaEZI3fh4dgxw3XLnEPa+D2N2lG4qPpxKk/s1M19acAKkaCcgu3NRZbuSHx+jXt3+oZjhITSz5ij5n7FlvKLzyI78/TOWJSrrIOuDBn9mBg1M4TL24USzt1iCGOWQjESSLkQR4u047t5TOZ14SHpdyyr9ZRc+f0QiDZi6Eg2nf+zP5dwSBuqO6KDf0Ws+4jr/g3Y8fczKcbl/gBm0TS/vrMq+uMNSYjLz85CxBZh0xqCJLcTbVKUlqjVHtq+lstSITR1R/mw/j2e1ReHzIGFAfyTS12V7Vygf2tDNbq4fxyafMHPibSDrvQ2brvS6Na04FChyIU2QAoC7Dh9e+gs1IAnLrUCyhmv05kkCxMduN1WAAysRzaghQzn8GzgkmjaiHeqtdI2XOGA6PiAvEcJqBlvL9Z/sxSPiz5K4e4j7TK/yM8ACvKD4O1nAhsSeuX+eW6rrjEW8AfrTJDVV13XHtD/E7o8jqwVUD/rZZaYQJBJGp9axgDhHTGtBDG/sKL+GWEg3/iGnLv+l/NSRMEh3m8tSCBhzePmwJy6iUq2dWYbRUsBL1yeRjutSG+HsZHQjpjmwk2+akYTEk6FoI4MEZEplE3ksNzZUxmdN8cmjNndvYZ1jXKEvzO9loGFzE+77pQyld5IRN6l06BwE7cPc9McXRu84JRvqmEXj+bpwNMGAdM4/NOOinsDDguObue6A3hrbSHZ0dnFmNzaw9qfv+PHWPHB/pWiAmJ3ZY/jBpjucZq4hczIkBlzV5QKbeatIw11ej+1Tluc5maF/FXeuvvrQCrfxVuXF2n+1x+1jXqRQfmRCVdoW5kuokLdCG0cGYt0EZeiuo8rzwNa81fgcjFX7jbcNBTIKZUhWvEXdG6pqryhz2qrpO791XGd/wIkNzUMbCfbDgKtq+zQJLoF102kzFV153h6c0r3jfZS87NBzAVQZ87aYzw1BkQubYhe8tgMtkQAQ0FR25MxzG9i4w8IoT7B3o/Y9YXDIpMY6b1dFhMp0ExUfiHYHl5MypG2hPuzHWf/Ko3yjIiHYd+d6o/9wZCyAK5Uz8/XVgM1OK+94Swkx5LeLQXtjfNu7nC2HXVeGBDypMH+/1IIxwG97We3h2JHU9J9I88l9Xk2Q8gF5TR/1K61umgMscZDWG/g+zwat0mUQtaP8L5yYxTaSCyfP/oxkjBlqyIbEoXs40nyZMnMgAnSDXMznAogPRhueKvJ1u+TzEeqMZntdYNRqL6iY/eMhZJbiwaCh74+V3ccg79R1c6L0/CIMHX0cdxpteUJbMVk8Ocegkp51efkHPd/ZVck0hX7l+u5aqGONngBd/ylYbv2+TMzCV7bJAvD/Khlvs2vLUN8KYyT8jmuBF1PygiyEJ9bXhf6B3xCnc6REtVwZa76l5MiyOQ+8pBPOHbmiFUD0CdbsiBjlQVwh+G/bAkCvV1qXOCK89MKHiaMro7CTrdplTJi5z7X/Pm2/Cfbe14ieXfm8SZ0Bnb+hVW17x+EgXOyxTywBW6sJlQqZAXtg55RlIvds3whZnD8btOQcwy71oZx7r+lscjjQjBL1OucJ05b525iJMIF41EI1iJ7sc1x39Vm0dNAtGh9fubWpUnyRimGMiLV3MNtjws7OzQsun/aLLHqqSy4lAQ0drDc4OCvOeBsCUgI=07kyxqZy7AXCol4rmwkY9wDC4LVTFqVlGMD7smF5F68L00ndc6yEvuvTKJlb9wN1u0gPfgpIpvMBL2+aio8r2e/uHiseFSEGJhiOtWjpZutmaRkZyJ8xkph2sOO1EUxWUb3X+c32PMTs2RxCGncMBQczf/zXCv9IzWCxZymv8mcIkY2F95N2/6aqWCAqOQxnbOHAH6H13hHv/RCw6kHBNV7abtoY3q9xIFfh98nkf4a5u+jfl8KzMtsSI86kiLCVgMSfS8wSHVdhimkfwT+WSk1PJAqw47WR5ZsbGdHWofbS4fc59djSIwkaWZaJ5Z4biS3rbqSuPzk76F3ItLMWXQ==

However on the JAVA WS side I get this error message:

org.apache.cxf.binding.soap.SoapFault: Username token not found while trying to perform authentication.

And the spec that the JAVA Ws uses expects to encrypt the message and pass the username as part of the payload.

Any suggestions on how to make sure the username also gets passed now? As you on the above client code I am setting the UserName.

            proxy.ClientCredentials.UserName.UserName = UserName;
A: 

Is it enough just to send the username? when we use clientCredentialType="UserName" we also set the password.

Shiraz Bhaiji
The WS requirement is to encrypt the payload, and the user name has to be passed.
Sasha