tags:

views:

27

answers:

1
+1  Q: 

how to add encryption to soap header using a username token profile in wcf

I have a working USername token profile working using WCF, I am trying to add support for encryption on the client call, the webservice is expecting an encrypted soap header. I installed a certificate in my Local store using MMC. In my c# code below I have code that loads the certificate and assigns it to the proxy. I am not sure what other settings i need in my custombindings or what am i missing in my c# code. Any suggestions?

app.config:

<customBinding>
<binding name="cbinding">
  <security authenticationMode="UserNameOverTransport" includeTimestamp="false">
    <secureConversationBootstrap  />

  </security>

  <textMessageEncoding  messageVersion="Soap11" />
  <httpsTransport />
</binding>

<endpoint address="https://localhost:8443/p6ws/services/ProjectService?wsdl"
  binding="customBinding" bindingConfiguration="cbinding" contract="P6.WCF.Project.ProjectPortType"
  name="ProjectServiceEndPointCfg">
 </endpoint>

My C# code:

        ProjectPortTypeClient proxy = new ProjectPortTypeClient("ProjectServiceCertificateEndPointCfgUT", endpointAddress);
        proxy.ClientCredentials.UserName.UserName = UserName;
        proxy.ClientCredentials.UserName.Password= Password;

        proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
        proxy.ClientCredentials.ServiceCertificate.Authentication.TrustedStoreLocation = System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine;

        // Set the certificate
        proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "13 d3 6e f1 26 5e 5f 74 be f2 bb f5 57 a4 47 cf e7 1a c6 0a");
        proxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, "13 d3 6e f1 26 5e 5f 74 be f2 bb f5 57 a4 47 cf e7 1a c6 0a");

        ReadProjects readProjects = new ReadProjects();
+1  A: 

Although soap requests can be encrypted, you are better off using HTTPS. HTTPS is easier to implement and more secure because it protects the entire transport layer.

Rook  2010-10-27 16:56:50
I am a consumer of the web service, I have a requirement to encrypt the soap header. I have it working with HTTPS already, but need to get the HTTP protocol with encryption to work as well.
AZ49  2010-10-27 19:13:08
@user489100 the link i posted has c# code to encrypt the soap message. Encrypted http is usually https...
Rook  2010-10-27 22:03:03
Any chance you have a link for doing this using WCF policy?
AZ49  2010-10-28 13:15:17

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords