I am trying to create a WCF client for a WSE 3.0 service. I already have a working WSE 3.0 client for the same service. Here is its configuration:

 <microsoft.web.services3>
  <security>
   <timeToleranceInSeconds value="10000"/>
   <x509 allowTestRoot="true" verifyTrust="true" storeLocation="CurrentUser"/>
   <binarySecurityTokenManager>
    <add valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
     <keyAlgorithm name="RSA15"/>
    </add>
   </binarySecurityTokenManager>
  </security>
 </microsoft.web.services3>

And the policy for the service client is created this way:

  MutualCertificate10Assertion assertion = new MutualCertificate10Assertion()
  {
    EstablishSecurityContext = false,
    RenewExpiredSecurityContext = true,
    RequireSignatureConfirmation = false,
    MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
    RequireDerivedKeys = false,
    TtlInSeconds = 300
  };

  assertion.ClientX509TokenProvider = new X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "ClientCerfiticateName", X509FindType.FindBySubjectName);
  assertion.ServiceX509TokenProvider = new X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "ServiceCerfiticateName", X509FindType.FindBySubjectName);

  // protection
  assertion.Protection.Request.SignatureOptions = SignatureOptions.IncludeAddressing | SignatureOptions.IncludeTimestamp | SignatureOptions.IncludeSoapBody;
  assertion.Protection.Request.EncryptBody = true;

  assertion.Protection.Response.SignatureOptions = SignatureOptions.IncludeAddressing | SignatureOptions.IncludeTimestamp | SignatureOptions.IncludeSoapBody;
  assertion.Protection.Response.EncryptBody = true;

  assertion.Protection.Fault.SignatureOptions = SignatureOptions.IncludeAddressing | SignatureOptions.IncludeTimestamp | SignatureOptions.IncludeSoapBody;
  assertion.Protection.Fault.EncryptBody = false;

  this.Policy = new Policy(new TraceAssertion(serviceUri), assertion, new RequireActionHeaderAssertion());

Now I am trying to use it to create a WCF client. I used these recommendations (http://msdn.microsoft.com/en-us/library/ms730299.aspx). I generated the types from the service and the client contract, then created a WseHttpBinding class derived from Binding. After that I tried to create this custom binding and initialize the client and service certificates:

  string clientCertificateName = "ClientCertificateName";
  string serviceCertificateName = "ServiceCertificateName";

  Uri uri = new Uri("http://WantedService.asmx");

  EndpointAddress address = new EndpointAddress(uri,
                         EndpointIdentity.CreateDnsIdentity(serviceCertificateName));

  WseHttpBinding binding = new WseHttpBinding()
  {
    SecurityAssertion = WseSecurityAssertion.MutualCertificate10,
    EstablishSecurityContext = false,
    RequireSignatureConfirmation = false,
    MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
    RequireDerivedKeys = false
  };

  WantedServiceClient client = new CreativeGroupCurrencyServiceClient(binding, address);

  // Set up certificates
  client.ClientCredentials.ServiceCertificate.SetScopedCertificate(
                             StoreLocation.LocalMachine,
                             StoreName.My,
                             X509FindType.FindBySubjectName,
                             serviceCertificateName,
                             uri);

  client.ClientCredentials.ClientCertificate.SetCertificate(
                             StoreLocation.LocalMachine,
                             StoreName.My,
                             X509FindType.FindBySubjectName,
                             clientCertificateName);

  WantedMethodResponse response = client.WantedMethod(new GetCurrenciesRequest());

But an exception occurred:

System.Xml.XmlException: Cannot read the token from the 'SignatureConfirmation' element with the 'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.

Why doesn't it work? And why is the scheme 1.1? Should I use WS-Security 1.1 in the MessageSecurityVersion for the secure binding element? And which one? I tried this:

  WseHttpBinding binding = new WseHttpBinding()
  {
    SecurityAssertion = WseSecurityAssertion.MutualCertificate11,
    ...
  };

This one uses WS-Security 1.1, MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11 (when configuring WseHttpBinding), but it also failed:

System.ServiceModel.Security.MessageSecurityException: Signature confirmation is not expected in the security header.

I don't know what I could even do now! It seems I have tried everything!

A: 

According to this article, there is an error in the MSDN article on WCF WSE compatibility, specifically with respect to the message versions. This could be what is causing you problems.

Shiraz Bhaiji
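
A diagnostic for the two exceptions quoted in the question, added here and not part of the original post or answer: it parses a captured SOAP response and lists the elements in the WS-Security 1.1 namespace inside the wsse:Security header, which is where a SignatureConfirmation sent by the service appears. The class name WssHeaderInspector and the sample envelope are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

// Added example: WssHeaderInspector and the sample envelope are constructed here.
static class WssHeaderInspector
{
    static readonly XNamespace Wsse10 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Namespace quoted in the XmlException in the question.
    static readonly XNamespace Wsse11 =
        "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";

    // Local names of every WS-Security 1.1 element inside the wsse:Security header.
    public static string[] FindWss11Elements(string soapEnvelope)
    {
        XElement security = XDocument.Parse(soapEnvelope)
                                     .Descendants(Wsse10 + "Security")
                                     .FirstOrDefault();
        if (security == null)
            throw new InvalidOperationException("Message has no wsse:Security header.");

        return security.Descendants()
                       .Where(e => e.Name.Namespace == Wsse11)
                       .Select(e => e.Name.LocalName)
                       .Distinct()
                       .ToArray();
    }

    static void Main()
    {
        // Constructed response, reduced to the header under discussion.
        string response =
            "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'" +
            " xmlns:wsse='" + Wsse10 + "' xmlns:wsse11='" + Wsse11 + "'>" +
            "<s:Header><wsse:Security>" +
            "<wsse11:SignatureConfirmation Value='Y29uc3RydWN0ZWQ='/>" +
            "</wsse:Security></s:Header><s:Body/></s:Envelope>";

        string[] found = FindWss11Elements(response);
        Console.WriteLine("WS-Security 1.1 elements: " + string.Join(", ", found));
        if (found.Contains("SignatureConfirmation"))
            Console.WriteLine("Service sends SignatureConfirmation (WS-Security 1.1); " +
                              "compare with RequireSignatureConfirmation on the client binding.");
    }
}
```

Run it against a response captured from the working WSE 3.0 client to see what the service actually returns before choosing the security version for the WCF binding.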