Using the HTTP Binding Component

Endorsing Certificate

The Endorsing Certificate mechanism uses secure messages that use symmetric key for integrity and confidentiality, and an endorsing client certificate to augment the claims provided by the token associated with the message signature. The client knows the service's certificate, and requests need to be endorsed or authorized by a special identity.

Server-Side Requirements

The following server-side options need to be configured for this security mechanisms:

Client-Side Requirements

The following client-side options need to be configured for this security mechanisms:

Table 26 Endorsing Certificate Configuration Properties




Algorithm Suite 

Specifies the algorithm suite required to perform cryptographic operations with symmetric or asymmetric key-based security tokens.  

See Algorithm Suite under Table 21 for more information.

Basic 128bit 

Security Header Layout 

Specifies the layout rule to apply when adding items to the security header. Options are Strict, Lax, Lax (Timestamp First), and Lax (Timestamp Last). 

See Security Header Layout under Table 21 for more information.


Establish Secure Session (Secure Conversation) 

Secure Session enables establishes a shared security context between the consumer and provider when a multiple-message-exchange sequence is first initiated. Subsequent messages use (possibly derived) session keys that increase the overall security while reducing the security processing overhead for each message.  

For more information see Establish Secure Session under Table 21.

Select the checkbox to enable. 

Require Derived Keys for Secure Session 

Specifies that a derived key is required for Secure Session. See Require Derived Key above for more information. 

A derived key is a cryptographic key created from a password or other user data. Derived keys allow applications to create session keys as needed, eliminating the need to store a particular key. The use of the same session key for repeated message exchanges is sometimes considered a risk. To reduce that risk, enable Require Derived Keys for Secure Session.  

Select the checkbox to enable. 

Require Signature Confirmation 

Specifies that the responder process the signature in the request. Select this option to reduce the risk of attacks when the WSS Version is 1.1 .  

Select the checkbox to enable. 

Encrypt Signature 

Specifies whether the primary signature and signature confirmation elements must be encrypted.  

Select the checkbox to enable. 

Encrypt before Signing 

Specifies that the order of message protection is to encrypt the SOAP content, then sign the entire SOAP body. The encryption key and signing key must be derived from the same source key.  

If not selected, the default behavior is Sign Before Encrypt.  

Check box Selected indicates disabled.