
Configure WCF with client certificate signing XMLDsig, WS-Security or XADES

Using VS2019, ASP.NET project running .net 4.0.

I created the soap client adding the Service Reference to the wsdl file. Now I'm configuring the certificate and calls method.

This worked with the old SOAP server, but now the SOAP server has changed. I tested with SoapUI using the same Basic Auth configuration and it works perfectly, but not with my .NET 4.0 client...

Web.config

<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="PLATAFORMA">
        <textMessageEncoding messageVersion="Soap11WSAddressing10" />
        <security
          authenticationMode="MutualCertificateDuplex"
          messageProtectionOrder="SignBeforeEncrypt"
          messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
          <secureConversationBootstrap />
        </security>
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CERT">
        <clientCredentials>
          <clientCertificate findValue="ClientCert" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <defaultCertificate findValue="*.ServerCert.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint
      address="endpointURI"
      binding="customBinding"
      bindingConfiguration="PLATAFORMA"
      behaviorConfiguration="CERT"
      contract="ServiceReference1.RequestPort1"
      name="Request.Request1">
      <identity>
        <dns value="*.ServerCert.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

XML outgoing header (captured with an interceptor):

<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <a:Action s:mustUnderstand="1">peticionSincrona</a:Action>
    <a:MessageID>urn:uuid:e3a5c4bd-f159-48c1-8f3f-cf22da6b7e3b</a:MessageID>
    <ActivityId CorrelationId="035f2491-0772-4b1e-a286-9be30720d5ea" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">4d7f76c2-0486-4a81-93ad-32aecf02b035</ActivityId>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo9ph/BcvvnBFuLQYdch+LyYAAAAAHsOKxYeqzk+Do5pQmamNIPUdiXOiYjpBl1dsV5pp+SMACQAA</VsDebuggerCausalityData>
  </s:Header>

I understand that some information is missing. How can I specify signing with XMLDsig? Why is it not soap/envelope/encoding? I need help configuring the SOAP client.

The server returns error 500 with a default Tomcat error page; it is not even a soapenv:Fault or similar. I think the request envelope is not being generated properly.

EDIT: It must be over SOAP 1.1.

Is this the client configuration that was generated after changing the SOAP server? If it requires Basic authentication, why do we not need to provide a username/password, but only a client certificate (according to the binding type)? I suggest you re-generate the client proxy class by adding the service reference again; this also generates a proper configuration in the web.config file.
Besides, since the server has changed, the server's certificate used to implement HTTPS security may also have changed, so the default certificate we provide on the client side should also be changed.

<serviceCertificate>
  <defaultCertificate findValue="*.ServerCert.com" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
</serviceCertificate>

Mutual certificate authentication requires a trust relationship between the client and the server.

<security authenticationMode="MutualCertificateDuplex"

Not only do we need to install the client certificate on the new server so that it trusts the client, we also need to install the server's certificate on the client side. For details:
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-certificate-client
Feel free to let me know if there is anything I can help with.
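To make the trust requirement described in the answer checkable before any message is signed, here is an added example (not code from the question, the answer or any project) that builds the same endpoint as the posted Web.config in C# and then verifies that both certificates resolve and that the service certificate chains to a trusted root. The contract name ServiceReference1.RequestPort1, the store locations and the subject names are taken from the question; the endpoint URI is a placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Code equivalent of the posted binding "PLATAFORMA" and behavior "CERT".
static class MutualCertClient
{
    public static ChannelFactory<ServiceReference1.RequestPort1> CreateFactory(string endpointUri)
    {
        // MutualCertificateDuplex: the client signs with its own certificate and expects the
        // server to sign its replies with the service certificate configured below.
        AsymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

        var binding = new CustomBinding(
            new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11WSAddressing10 },
            security,
            new HttpsTransportBindingElement());

        // <identity><dns> from the config: the service certificate's subject must carry this name.
        var address = new EndpointAddress(new Uri(endpointUri), EndpointIdentity.CreateDnsIdentity("*.ServerCert.com"));
        var factory = new ChannelFactory<ServiceReference1.RequestPort1>(binding, address);

        // <clientCredentials> from the config. FindBySubjectName is a substring match on the subject DN.
        factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "ClientCert");
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "*.ServerCert.com");
        // Stated explicitly so the trust requirement is visible: the service certificate must chain to a trusted root.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        return factory;
    }

    // Pre-flight check: a missing certificate, a certificate without a private key, or a server
    // certificate that is not trusted fails here with a clear message instead of an opaque HTTP 500.
    public static void CheckCredentials(ChannelFactory<ServiceReference1.RequestPort1> factory)
    {
        X509Certificate2 client = factory.Credentials.ClientCertificate.Certificate;
        X509Certificate2 service = factory.Credentials.ServiceCertificate.DefaultCertificate;
        if (client == null || !client.HasPrivateKey)
            throw new InvalidOperationException("Client certificate not found or has no private key; nothing can be signed.");
        if (service == null)
            throw new InvalidOperationException("Service certificate not found in CurrentUser\\My; install the new server's certificate.");
        using (var chain = new X509Chain())
        {
            if (chain.Build(service)) return;
            string problems = string.Join("; ", Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
            throw new InvalidOperationException("Service certificate does not chain to a trusted root: " + problems);
        }
    }
}
```

Call CheckCredentials(CreateFactory("https://endpoint-placeholder/")) once at startup; if it passes, the remaining difference from a working SoapUI request is the message-level security the server actually expects, not certificate lookup or trust.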
