
Configure WCF with client certificate signing XMLDsig, WS-Security or XADES

Using VS2019, ASP.NET project running .NET 4.0.

I created the SOAP client by adding the Service Reference to the WSDL file. Now I'm configuring the certificate and calling the method.

This way worked with the old SOAP server, but now the SOAP server has changed. I tested with SoapUI using the same Basic Auth configuration and it works perfectly, but not with my .NET 4.0 client...

Web.config

<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="PLATAFORMA">
        <textMessageEncoding messageVersion="Soap11WSAddressing10" />
        <security
          authenticationMode="MutualCertificateDuplex"
          messageProtectionOrder="SignBeforeEncrypt"
          messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
          <secureConversationBootstrap />
        </security>
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CERT">
        <clientCredentials>
          <clientCertificate findValue="ClientCert" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="*.ServerCert.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint
      address="endpointURI"
      binding="customBinding"
      bindingConfiguration="PLATAFORMA"
      behaviorConfiguration="CERT"
      contract="ServiceReference1.RequestPort1"
      name="Request.Request1">
      <identity>
        <dns value="*.ServerCert.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

XML outgoing header (caught with an interceptor):

<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <a:Action s:mustUnderstand="1">peticionSincrona</a:Action>
    <a:MessageID>urn:uuid:e3a5c4bd-f159-48c1-8f3f-cf22da6b7e3b</a:MessageID>
    <ActivityId CorrelationId="035f2491-0772-4b1e-a286-9be30720d5ea" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">4d7f76c2-0486-4a81-93ad-32aecf02b035</ActivityId>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo9ph/BcvvnBFuLQYdch+LyYAAAAAHsOKxYeqzk+Do5pQmamNIPUdiXOiYjpBl1dsV5pp+SMACQAA</VsDebuggerCausalityData>
  </s:Header>

I understand that some information is needed; how can I specify to sign as XMLDsig? Why is it not soap/envelope/encoding? I need help to configure the SOAP client.

The server returns error 500 with a default Tomcat error; it is not even a soapenv:fault or similar. I think the request envelope is not being generated properly.

EDIT: Must be over SOAP 1.1

Is this the client configuration generated after changing the SOAP server? If it requires Basic authentication, why do we not need to provide a username/password, but just need to provide a client certificate (according to the binding type)? I suggest you re-generate the client proxy class by adding the service reference. This also generates a proper configuration in the web.config file.
Besides, since the server has changed, the server certificate used to implement HTTPS security may also have changed, so the default certificate we provide on the client side should also be changed.

<serviceCertificate>
  <defaultCertificate findValue="*.ServerCert.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</serviceCertificate>

Mutual certificate authentication requires a trust relationship between the client and the server.

<security
  authenticationMode="MutualCertificateDuplex"

Not only do we need to install the client certificate on the new server in order for it to trust the client, we also need to install the server's certificate on the client side. For details:
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-certificate-client
Feel free to let me know if there is anything I can help with.
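An added diagnostic (not part of the question or the answer above) that resolves the two certificates exactly as the web.config's FindBySubjectName lookups do and reports the conditions that commonly make a MutualCertificateDuplex client fail before the server ever sees a valid envelope: no or several matches, a client certificate with no private key (so nothing can sign), or a server certificate whose chain does not build on the client machine, which is what the default ChainTrust validation checks. The subject names and store are taken from the question's config; the class and method names are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, written for this answer; not WCF's own API.
static class WcfCertCheck
{
    // Mirrors WCF's X509FindType="FindBySubjectName": a substring match,
    // validOnly=false. Returns the match count; WCF needs exactly one.
    static int Find(string subject, StoreLocation location, StoreName name,
                    out X509Certificate2 cert)
    {
        X509Store store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subject, false);
            cert = found.Count == 1 ? found[0] : null;
            return found.Count;
        }
        finally { store.Close(); }   // .NET 4.0 X509Store is not IDisposable
    }

    static void Main()
    {
        X509Certificate2 client, server;

        // <clientCertificate findValue="ClientCert" .../> from the question
        int n = Find("ClientCert", StoreLocation.CurrentUser, StoreName.My, out client);
        Console.WriteLine("client certificate matches: " + n + " (need exactly 1)");
        if (client != null)
            Console.WriteLine("  has private key for signing: " + client.HasPrivateKey);

        // <defaultCertificate findValue="*.ServerCert.com" .../> from the question
        n = Find("*.ServerCert.com", StoreLocation.CurrentUser, StoreName.My, out server);
        Console.WriteLine("server certificate matches: " + n + " (need exactly 1)");
        if (server != null)
        {
            // Same check WCF's default ChainTrust validation performs; revocation
            // is skipped here so the result reflects trust only, not connectivity.
            X509Chain chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool trusted = chain.Build(server);
            Console.WriteLine("  chain builds to a trusted root: " + trusted);
            foreach (X509ChainStatus st in chain.ChainStatus)
                Console.WriteLine("  chain status: " + st.Status + " " + st.StatusInformation);
        }
    }
}
```

Run it in the same Windows account the web application uses; CurrentUser stores differ per account, so a certificate that resolves for the developer may not exist for the application pool identity.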
