5 Interoperability with Microsoft WCF/.NET 3.5 Security Environments

This chapter contains the following sections:

5.1 Overview of Interoperability with Microsoft WCF/.NET 3.5 Security Environments

In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the Web service security policies created using Oracle WSM 11g can interoperate with Web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.

For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx.

For more details about the predefined Oracle WSM 11g policies, see the following topics in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

Table 5-1 summarizes the most common Microsoft .NET 3.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.

Table 5-1 Interoperability With Microsoft WCF/.NET 3.5 Security Environments

Interoperability Scenario Client—>Web Service Oracle WSM 11g Policies Microsoft WCF/.NET 3.5 Policies

"Message Transmission Optimization Mechanism (MTOM)"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wsmtom_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Message Transmission Optimization Mechanism (MTOM)"

Oracle WSM 11g—>Microsoft WCF/.NET 3.5

oracle/wsmtom_client_policy

See "Configuring Microsoft WCF/.NET 3.5 Web Service"

"Username Token With Message Protection (WS-Security 1.1)"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss11_username_token_with_message_protection_service_policy

OR

oracle/wss11_saml_or_username_token_with_message_protection_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Username Token With Message Protection (WS-Security 1.1)"

Oracle WSM 11g—>Microsoft WCF/.NET 3.5

oracle/wss11_username_token_with_message_protection_client_policy

See "Configuring Microsoft WCF/.NET 3.5 Web Service"

"Username Token Over SSL"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss_saml_or_username_token_over_ssl_service_policy

OR

oracle/wss_username_token_over_ssl_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Mutual Authentication with Message Protection (WS-Security 1.1)"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss11_x509_token_with_message_protection_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Mutual Authentication with Message Protection (WS-Security 1.1)"

Oracle WSM 11g—>Microsoft WCF/.NET 3.5

oracle/wss11_x509_token_with_message_protection_client_policy

See "Configuring Microsoft WCF/.NET 3.5 Web Service"

"Kerberos with Message Protection"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss11_kerberos_with_message_protection_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"


5.2 Message Transmission Optimization Mechanism (MTOM)

This section describes how to implement MTOM in the following interoperability scenarios:

5.2.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.2.1.1 Configuring Oracle WSM 11g Web Service

  1. Create a Web service application.

  2. Attach the following policy to the Web service: oracle/wsmotom_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Deploy the application.

5.2.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service. See "Example app.config File for MTOM Interoperability".

  2. Run the client program.

Example app.config File for MTOM Interoperability

The following provides an example of the app.config file:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>    
        <bindings>
            <customBinding>
                <binding name="CustomBinding_IMTOMService">                
                    <mtomMessageEncoding maxReadPoolSize="64"
                     maxWritePoolSize="16"
                        messageVersion="Soap12" maxBufferSize="65536"
                        writeEncoding="utf-8">
                        <readerQuotas maxDepth="32" maxStringContentLength=
                         "8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    </mtomMessageEncoding>
                    <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                        maxReceivedMessageSize="65536" allowCookies="false"
                           authenticationScheme="Anonymous"
                        bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                        keepAliveEnabled="true" maxBufferSize="65536"
                           proxyAuthenticationScheme="Anonymous"
                        realm="" transferMode="Buffered" 
                           unsafeConnectionNtlmAuthentication="false"
                        useDefaultWebProxy="true" />
                </binding>
            </customBinding>
        </bindings>
        <client>
          <endpoint address="<endpoint_url>"
              binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService"
              contract="IMTOMService" name="CustomBinding_IMTOMService" >
          </endpoint>         
        </client>          
    </system.serviceModel>
</configuration>

5.2.2 Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service

To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:

5.2.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service

  1. Create a .NET Web service.

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

    For an example of a .NET Web service, see "Example of .NET Web Service for MTOM Interoperability".

  2. Deploy the application.

5.2.2.2 Configuring Oracle WSM 11g Client

  1. Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.

  2. Attach the following policy to the Web service client: oracle/wsmtom_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Example of .NET Web Service for MTOM Interoperability

The following provides an example of the .NET Web service for MTOM interoperability.

static void Main(string[] args)
{
    string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";
    // Step 1 of the address configuration procedure: Create a URI to serve as the base address.
    Uri baseAddress = new Uri(uri);

    // Step 2 of the hosting procedure: Create ServiceHost
    ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);
 
    try {
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 2147483647;               
        hb.MaxReceivedMessageSize = 2147483647;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 2147483647;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
        me.MaxReadPoolSize=64;
        me.MaxWritePoolSize=16;
        me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12;
        me.WriteEncoding = System.Text.Encoding.UTF8;
        me.MaxWritePoolSize = 2147483647;
        me.MaxBufferSize = 2147483647;
        me.ReaderQuotas.MaxArrayLength = 2147483647;
        CustomBinding binding1 = new CustomBinding();
        binding1.Elements.Add(me);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1, 
               "MTOMService");
        EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));               
        ep.Address = myEndpointAdd;

        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        using (ServiceHost host = new ServiceHost(typeof(MTOMService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = 
                 selfHost.Description;
            ServiceDebugBehavior svcDebug = 
                  svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The service " + uri + " is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        // Close the ServiceHostBase to shutdown the service.
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
        Console.WriteLine("An exception occurred: {0}", ce.Message);
        selfHost.Abort();
    }
}

5.3 Username Token With Message Protection (WS-Security 1.1)

This section describes how to implement username token with message protection that conforms to WS-Security 1.1 in the following interoperability scenarios:

5.3.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.3.1.1 Configuring Oracle WSM 11g Web Service

  1. Create a Web service application.

  2. Attach one of the following policies to the Web service:

    oracle/wss11_username_token_with_message_protection_service_policy

    oracle/wss11_saml_or_username_token_with_message_protection_service_policy

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:

    keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
    

5.3.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

    1. Open a command prompt.

    2. Type mmc and press ENTER.

    3. Select File > Add/Remove snap-in.

    4. Select Add and Choose Certificates.

      Note:

      To view certificates in the local machine store, you must be in the Administrator role.
    5. Select Add.

    6. Select My user account and finish.

    7. Click OK.

    8. Expand Console Root > Certificates -Current user > Personal > Certificates.

    9. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.

    10. Click Next, select Browse, and navigate to the .cer file that was exported previously.

    11. Click Next and accept defaults and finish the wizard.

  2. Generate a .NET client using the WSDL of the Web service.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.

    Note:

    SVCUtil does not support some security policy assertions such as <sp:SignedParts>. As a workaround:
    • Detach the policy

    • Generate proxy using SVCUtil

    • Attach the policy back

  3. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

  4. Edit the app.config file in the .NET project to update the certificate file and disable replays, as described in "Edit the app.config File".

  5. Compile the project.

  6. Open a command prompt and navigate to the project's Debug folder.

  7. Enter <client_project_name>.exe and press Enter.

Edit the app.config File

Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold). If you follow the default key setup, then <certificate_cn> should be set to alice.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
         <behavior name="secureBehaviour">
           <clientCredentials>
             <serviceCertificate>
               <defaultCertificate findValue="<certificate_cn>" 
                storeLocation="CurrentUser" storeName="My" 
                x509FindType="FindBySubjectName"/>
             </serviceCertificate>
           </clientCredentials>
         </behavior>
      </endpointBehaviors>
    </behaviors>
  <bindings>
    <customBinding>
      <binding name="HelloWorldSoapHttp">
      <security defaultAlgorithmSuite="Basic128"  
       authenticationMode="UserNameForCertificate" 
       requireDerivedKeys="false" securityHeaderLayout="Lax" 
       includeTimestamp="true"
       keyEntropyMode="CombinedEntropy" 
       messageProtectionOrder="SignBeforeEncrypt"
       messageSecurityVersion=
"WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
       requireSignatureConfirmation="true">
     <localClientSettings 
       cacheCookies="true" 
       detectReplays="false"
       replayCacheSize="900000" 
       maxClockSkew="00:05:00" 
       maxCookieCachingTime="Infinite"
       replayWindow="00:05:00" 
       sessionKeyRenewalInterval="10:00:00"
       sessionKeyRolloverInterval="00:05:00" 
       reconnectTransportOnFailure="true"
       timestampValidityDuration="00:05:00" 
       cookieRenewalThresholdPercentage="60" />
     <localServiceSettings detectReplays="true" 
       issuedCookieLifetime="10:00:00"
       maxStatefulNegotiations="128" 
       replayCacheSize="900000" 
       maxClockSkew="00:05:00" 
       negotiationTimeout="00:01:00" 
       replayWindow="00:05:00" 
       inactivityTimeout="00:02:00"
       sessionKeyRenewalInterval="15:00:00" 
       sessionKeyRolloverInterval="00:05:00"
       reconnectTransportOnFailure="true" 
       maxPendingSessions="128"
       maxCachedCookies="1000" 
       timestampValidityDuration="00:05:00" />
     <secureConversationBootstrap /></security>
     <textMessageEncoding 
      maxReadPoolSize="64" 
      maxWritePoolSize="16"
      messageVersion="Soap11" 
      writeEncoding="utf-8">
        <readerQuotas 
         maxDepth="32" 
         maxStringContentLength="8192" 
         maxArrayLength="16384"
         maxBytesPerRead="4096" 
         maxNameTableCharCount="16384" />
     </textMessageEncoding>
     <HttpTransport 
      manualAddressing="false" 
      maxBufferPoolSize="524288"
      maxReceivedMessageSize="65536" 
      allowCookies="false" 
      authenticationScheme="Anonymous"
      bypassProxyOnLocal="false" 
      hostNameComparisonMode="StrongWildcard"
      keepAliveEnabled="true" 
      maxBufferSize="65536" 
      proxyAuthenticationScheme="Anonymous"
      realm="" 
      transferMode="Buffered" 
      unsafeConnectionNtlmAuthentication="false"
      useDefaultWebProxy="true" />
      </binding>
    </customBinding>
  </bindings>
    <client>
      <endpoint address="<endpoint_url>"
       binding="customBinding"
       bindingConfiguration="HelloWorldSoapHttp"
       contract="HelloWorld" 
       name="HelloWorldPort" 
       behaviorConfiguration="secureBehaviour" >
        <identity>
          <dns value="<certificate_cn>"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

5.3.2 Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service

To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:

5.3.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service

  1. Create a .NET Web service.

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

    Be sure to create a custom binding for the Web service using the SymmetricSecurityBindingElement. For an example, see "Example .NET Web Service Client".

  2. Create and import a certificate file to the keystore on the Web service server.

    Using VisualStudio, the command would be similar to the following:

    makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer
    

    This command creates and imports a certificate in mmc.

    If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at http://www.microsoft.com/whdc/devtools/WDK/default.mspx.

    makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer
    pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1
    

    Then, in mmc, import PRF_WSMCert3.pfx.

  3. Import the certificate created on the Web service server to the client server using the keytool command. For example:

    keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>
    
  4. Right-click on the Web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer.

  5. Navigate to the bin/Debug folder.

  6. Double-click on the <project>.exe file. This command will run the Web service at the URL provided.

5.3.2.2 Configuring Oracle WSM 11g Client

  1. Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.

  2. In JDeveloper, create a partner link using the WSDL of the .NET service.

  3. Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Provide configurations for the csf-key and keystore.recipient.alias.

    You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

    Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1 (wsmcert3). For example:

    <wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy"
        orawsp:category="security" orawsp:status="enabled"/>
      <property name="csf-key" type="xs:string" 
        many="false">basic.credentials</property>
      <property name="keystore.recipient.alias" type="xs:string" 
        many="false">wsmcert3</property>
    

5.3.2.3 Example .NET Web Service Client

static void Main(string[] args)
{
    // Step 1 of the address configuration procedure: Create a URI to serve as the 
    // base address.        
    // Step 2 of the hosting procedure: Create ServiceHost
    string uri = "http://<host>:<port>/TEST/NetService";
    Uri baseAddress = new Uri(uri);
 
    ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
 
    try
    {
        SymmetricSecurityBindingElement sm = 
            SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
        sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
        sm.SetKeyDerivation(false);
        sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        sm.IncludeTimestamp = true;
        sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
        sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        sm.MessageSecurityVersion = 
        MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
        WSSecurityPolicy11BasicSecurityProfile10;
        sm.RequireSignatureConfirmation = true;
        sm.LocalClientSettings.CacheCookies = true;
        sm.LocalClientSettings.DetectReplays = true;
        sm.LocalClientSettings.ReplayCacheSize = 900000;
        sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
        sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
        sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.ReconnectTransportOnFailure = true;
        sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
        sm.LocalServiceSettings.DetectReplays = false;
        sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
        sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
        sm.LocalServiceSettings.ReplayCacheSize = 900000;
        sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
        sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
        sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
        sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
        sm.LocalServiceSettings.MaxPendingSessions = 128;
        sm.LocalServiceSettings.MaxCachedCookies = 1000;
        sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 524288;
        hb.MaxReceivedMessageSize = 65536;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 65536;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
        tb1.MaxReadPoolSize = 64;
        tb1.MaxWritePoolSize = 16;
        tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
        tb1.WriteEncoding = System.Text.Encoding.UTF8;
        CustomBinding binding1 = new CustomBinding(sm);
        binding1.Elements.Add(tb1);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
          "CalculatorService");
 
        EndpointAddress myEndpointAdd = new EndpointAddress(                    
        new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));
        ep.Address = myEndpointAdd;
 
        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, 
           StoreName.My,
        X509FindType.FindBySubjectName, "WSMCert3");
        selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        CustomUserNameValidator cu = new CustomUserNameValidator();
        selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
        using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
            ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The Calculator service is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
         Console.WriteLine("An exception occurred: {0}", ce.Message);
         selfHost.Abort();
     }
}

5.4 Username Token Over SSL

This section describes how to implement username token over SSL in the following interoperability scenario:

5.4.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.4.1.1 Configuring Oracle WSM 11g Web Service

  1. Configure the server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Create a copy of one of the following policies:

    oracle/wss_username_token_over_ssl_service_policy

    oracle/wss_saml_or_username_token_over_ssl_service_policy

    Note:

    Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    1. Disable the Creation Time Required configuration setting.

    2. Disable the Nonce Required configuration setting.

    3. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

5.4.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Generate a .NET client using the WSDL of the Web service.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.

  2. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

  3. Edit the app.config file, as described in "Edit the app.config File".

  4. Compile the project.

  5. Open a command prompt and navigate to the project's Debug folder.

  6. Type <client_project_name>.exe and press Enter.

Edit the app.config File

Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>
        <bindings>
            <customBinding>
                <binding name="BPELProcess1Binding">
                  <security defaultAlgorithmSuite="Basic128" 
                   authenticationMode="UserNameOverTransport"
                   requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                   keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
                   messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
                   February2005WSSecurityPolicy11BasicSecurityProfile10"
                   requireSignatureConfirmation="true">
                    <localClientSettings cacheCookies="true" detectReplays="true"
                      replayCacheSize="900000" maxClockSkew="00:05:00" 
                      maxCookieCachingTime="Infinite"
                      replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                      sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                      timestampValidityDuration="00:05:00" 
                      cookieRenewalThresholdPercentage="60"/>
                    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" 
                        maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" 
                        inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" 
                        sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                    <secureConversationBootstrap />
                  </security>
                  <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                        messageVersion="Soap11" writeEncoding="utf-8">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" 
                         maxArrayLength="16384"
                         maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                  </textMessageEncoding>
                  <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                       maxReceivedMessageSize="65536" allowCookies="false" 
                       authenticationScheme="Anonymous"
                       bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                       keepAliveEnabled="true" maxBufferSize="65536" 
                       proxyAuthenticationScheme="Anonymous"
                       realm="" transferMode="Buffered" 
                       unsafeConnectionNtlmAuthentication="false"
                       useDefaultWebProxy="true"  requireClientCertificate="false"/>
                </binding>
            </customBinding>
        </bindings>
        <client>
            <endpoint address="
 https://host:port/soa-infra/services/default/IO_NET6/bpelprocess1_client_ep"
 binding="customBinding" bindingConfiguration="BPELProcess1Binding"
 contract="BPELProcess1" name="BPELProcess1_pt" />
        </client>
  </system.serviceModel>
</configuration>

5.5 Mutual Authentication with Message Protection (WS-Security 1.1)

The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards:

Configuration Prerequisites for Interoperability

  1. Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:

    keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
    
  2. Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

    1. Open a command prompt.

    2. Type mmc and press ENTER.

    3. Select File > Add/Remove snap-in.

    4. Select Add and Choose Certificates.

      Note:

      To view certificates in the local machine store, you must be in the Administrator role.
    5. Select Add.

    6. Select My user account and finish.

    7. Click OK.

    8. Expand Console Root > Certificates -Current user > Personal > Certificates.

    9. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.

    10. Click Next, select Browse, and navigate to the .cer file that was exported previously.

    11. Click Next and accept defaults and finish the wizard.

5.5.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web Service, perform the steps described in the following sections:

5.5.1.1 Configuring Oracle WSM 11g Web Service

  1. Create a SOA composite and deploy it.

  2. In Enterprise Manager, clone the following policy:

    oracle/wss11_x509_token_with_message_protection_service_policy

    Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net

  3. Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back.

    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false" orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
    
  4. Using Enterprise Manager, attach the policy to the Web service.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

5.5.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Use the SVCUtil utility to create a client proxy (see "Sample Client Program") and configuration file from the deployed Web service.

  2. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

    1. Create a configuration file: app.config. Add the following code after the <system.serviceModel> element.

        <configuration>
          <system.serviceModel>
            <behaviors>
              <endpointBehaviors>
                <behavior name="secureBehaviour">
                  <clientCredentials>
                    <serviceCertificate>
                      <defaultCertificate findValue="<certificate_cn>"
       storeLocation="CurrentUser" storeName="My"
       x509FindType="FindBySubjectName"/>
                    </serviceCertificate>
                  </clientCredentials>
                </behavior>
              </endpointBehaviors>
            </behaviors>
              <bindings>
                  <customBinding>
      
    2. Modify the endpoint behavior as follows:

      <endpoint address="http://<server>:<port>//MyWebService1SoapHttpPort"
                    binding="customBinding"
       bindingConfiguration="MyWebService1SoapHttp"
                    contract="MyWebService1" name="MyWebService1SoapHttpPort"
       behaviorConfiguration="secureBehaviour" >
                  <identity>
                    <dns value="<certificate_cn>"/>
                  </identity>
                </endpoint>
      
    3. Disable the message replay detection as follows:

      <localClientSettings cacheCookies="true" detectReplays="false"
                                  replayCacheSize="900000"
       maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
      
    4. Create a custom binding as shown below:

      <security defaultAlgorithmSuite="Basic128"
       authenticationMode="MutualCertificate"
      
    5. "Sample app.config File" provides an example of the configuration file.

  3. Compile the project.

  4. Open a command prompt and navigate to the project's Debug folder.

  5. Enter <client_project_name>.exe and press Enter.

Sample app.config File

The following provides an example of the app.config file:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>
      <behaviors>
        <endpointBehaviors>
          <behavior name="secureBehaviour">
            <clientCredentials>
              <serviceCertificate>
                <defaultCertificate findValue="<certificate_cn>"
                                    storeLocation="CurrentUser"
                                    storeName="My"
                                    x509FindType="FindBySubjectName"/>
              </serviceCertificate>
           
          </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
        <bindings>
         
          <customBinding>
            <binding name="BPELProcess1Binding">
              <security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate"
                  requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                  keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
                 
                  messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
                  February2005WSSecurityPolicy11BasicSecurityProfile10"
                  requireSignatureConfirmation="true">
                <localClientSettings cacheCookies="true" detectReplays="false"
                    replayCacheSize="900000" maxClockSkew="00:05:00"
                    maxCookieCachingTime="Infinite"
                    replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                    sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                    timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
                <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                    maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                    negotiationTimeout="00:01:00" replayWindow="00:05:00"
                    inactivityTimeout="00:02:00"
                    sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                    reconnectTransportOnFailure="true" maxPendingSessions="128"
                    maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                <secureConversationBootstrap />
              </security>
              <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                  messageVersion="Soap11" writeEncoding="utf-8">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              </textMessageEncoding>
              <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                  maxReceivedMessageSize="65536" allowCookies="false"
                  authenticationScheme="Anonymous"
                  bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                  keepAliveEnabled="true" maxBufferSize="65536"
                  proxyAuthenticationScheme="Anonymous"
                  realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                  useDefaultWebProxy="true" />
            </binding>
          </customBinding>
 
        </bindings>
        <client>
          <endpoint address="<endpoint_url>"
              binding="customBinding" bindingConfiguration="BPELProcess1Binding"
              contract="BPELProcess1" name="BPELProcess1_pt"  >      
            <identity>
              <dns value=<certificate_cn>/>
            </identity>
          </endpoint>
        </client>
        
    </system.serviceModel>
</configuration>

Sample Client Program

 namespace IO_NET10_client
{
    class Program
    {
        static void Main(string[] args)
        {
           
            BPELProcess1Client client = new BPELProcess1Client();
         
            client.ClientCredentials.ClientCertificate.SetCertificate(
                    StoreLocation.CurrentUser,
                    StoreName.My,
                    X509FindType.FindBySubjectName, "WSMCert3");
                     
             client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                       StoreLocation.CurrentUser,
                       StoreName.My,
                    X509FindType.FindBySubjectName, "Alice");
 
            process proc = new process();
            proc.input = "Test wss11_x509_token_with_message_protection_policy - ";
            Console.WriteLine(proc.input);
            processResponse response = client.process(proc);
           
            Console.WriteLine(response.result.ToString());
            Console.WriteLine("Press <ENTER> to terminate Client.");
            Console.ReadLine();
          }
    }
}

5.5.2 Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service

To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web Service, perform the steps described in the following sections:

5.5.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service

  1. Create a .NET Web service.

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

    For an example of a .NET Web service, see "Example .NET Web Service Client".

  2. Create a custom binding for the Web service using the SymmetricSecurityBindingElement.

    For more information, see "How to: Create a Custom Binding Using the SecurityBindingElement" at http://msdn.microsoft.com/en-us/library/ms730305.aspx.

  3. The following is a sample of the SymmetricSecurityBindingElement object:

    SymmetricSecurityBindingElement sm =
    (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificate
    BindingElement(); 
     
    sm.DefaultAlgorithmSuite =
    System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;sm.SetKeyDerivati
    on(false);
    sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;sm.IncludeTimestamp =
    true;
    sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; 
    sm.MessageProtectionOrder =
    MessageProtectionOrder.SignBeforeEncrypt;sm.MessageSecurityVersion =
    MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversation
    February2005WSSecurityPolicy11BasicSecurityProfile10;
    sm.RequireSignatureConfirmation =
    true;
    
  4. Deploy the application.

5.5.2.2 Configuring Oracle WSM 11g Client

  1. Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.

  2. In JDeveloper, create a partner link using the WSDL of the .NET service and add the import as follows:

    <wsdl:import namespace="<namespace>" location="<WSDL location>"/> 
    
  3. In Enterprise Manager, clone the policy: wss11_x509_token_with_message_protection_service_policy. Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net

  4. Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back

    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="true"
     orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
    
  5. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  6. Provide configurations for the keystore.recipient.alias.

    You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

    Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 4 (wsmcert3).

  7. Invoke the Web service method from the client.

5.6 Kerberos with Message Protection

This section describes how to implement kerberos with message protection in the following interoperability scenarios:

5.6.1 Configuration Prerequisites for Interoperability

Perform the following prerequisite steps:

  1. Configure the Key Distribution Center (KDC) and Active Directory (AD). For more information, see the section "To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at http://download.oracle.com/docs/cd/E19316-01/820-3746/gisdn/index.html.

  2. Set up the Kerberos configuration file krb5.conf in c:\winnt as shown in Example 5-1.

    Example 5-1 Sample Kerberos Configuration File

    [logging]
    default = c:\log\krb5libs.log
    kdc = c:\log\krb5kdc.log
    admin_server = c:\log\kadmind.log
    [libdefaults]
    default_realm = MYCOMPANY.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac
    kdc = <hostname>
    [realms]
    MYCOMPANY.LOCAL =
    { kdc = <hostname>:<portnumber>  admin_server = <hostname>:<portnumber>
      default_domain = <domainname>
    }
     [domain_realm]
    .<domainname> = MYCOMPANY.LOCAL
     <domainname> = MYCOMPANY.LOCAL
    [appdefaults]
    pam =
    {   debug = false  ticket_lifetime = 36000  renew_lifetime = 36000  forwardable =
     true  krb4_convert = false }
    

5.6.2 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.6.2.1 Configuring Oracle WSM 11g Web Service

  1. Create a Web service application.

  2. Copy the following policy: wss11_kerberos_with_message_protection_service_policy.

  3. Edit the policy settings to set Algorithm Suite to Basic128Rsa15.

  4. Attach the policy to the web service. For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  5. Deploy the application.

5.6.2.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar".

  2. Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:

    ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4

    where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the krb5.ini file. The pass password must match the password created during the user creation.

    Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite Web service is hosted.

  3. Use the following setSpn command to map the service principal to the user:

    setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar

    setSpn -L foobar

    Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.

  4. Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service.

    Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.

    In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab).

    <client>
            <endpoint address="http://host:port/HelloServicePort"
                binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
                contract="NewHello" name="HelloServicePort">
            <identity>
              <servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
            </identity>
            </endpoint>
           
          </client>
    

    A sample binding is provided in Example 5-2.

    Example 5-2 Sample Binding

    <customBinding>
                    <binding name="NewHelloSoap12HttpPortBinding">
                        <!--Added by User: Begin-->
                      <security defaultAlgorithmSuite="Basic128"
                       authenticationMode="Kerberos"
                        requireDerivedKeys="false" securityHeaderLayout="Lax"
                        includeTimestamp="true"
                        keyEntropyMode="CombinedEntropy"
                        messageProtectionOrder="SignBeforeEncrypt"
                       messageSecurityVersion="WSSecurity11WSTrustFebruary2005
                       WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
                        Profile10" 
                      requireSignatureConfirmation="true">
                        <localClientSettings cacheCookies="true" detectReplays="true"
                            replayCacheSize="900000" maxClockSkew="00:05:00"
                            maxCookieCachingTime="Infinite"
                            replayWindow="00:05:00"
                            sessionKeyRenewalInterval="10:00:00"
                            sessionKeyRolloverInterval="00:05:00"
                            reconnectTransportOnFailure="true"
                            timestampValidityDuration="00:05:00"
                            cookieRenewalThresholdPercentage="60" />
                        <localServiceSettings detectReplays="true"
                            issuedCookieLifetime="10:00:00"
                            maxStatefulNegotiations="128" replayCacheSize="900000"
                            maxClockSkew="00:05:00"
                            negotiationTimeout="00:01:00" replayWindow="00:05:00"
                            inactivityTimeout="00:02:00"
                            sessionKeyRenewalInterval="15:00:00"
                            sessionKeyRolloverInterval="00:05:00"
                            reconnectTransportOnFailure="true"
                            maxPendingSessions="128"
                            maxCachedCookies="1000"
                            timestampValidityDuration="00:05:00" />
                        <secureConversationBootstrap />
                      </security>
                      <!--Added by User: End-->
                        <textMessageEncoding maxReadPoolSize="64"
                           maxWritePoolSize="16"
                            messageVersion="Soap12" writeEncoding="utf-8">
                            <readerQuotas maxDepth="32" maxStringContentLength="8192"
                              maxArrayLength="16384"
                                maxBytesPerRead="4096" maxNameTableCharCount="16384"
     />
                        </textMessageEncoding>
                      <!--Added by User: Begin-->
                      <httpTransport manualAddressing="false"
                           maxBufferPoolSize="524288"
                            maxReceivedMessageSize="65536" allowCookies="false"
                            authenticationScheme="Anonymous"
                            bypassProxyOnLocal="false"
                            hostNameComparisonMode="StrongWildcard"
                            keepAliveEnabled="true" maxBufferSize="65536"
                            proxyAuthenticationScheme="Anonymous"
                            realm="" transferMode="Buffered"
                            unsafeConnectionNtlmAuthentication="false"
                            useDefaultWebProxy="true" />
                      <!--Added by User: End-->
                    </binding>
    </customBinding>
    

    The svcutil.exe utility will not work if the Web service has an Oracle WSM policy attached to it. Detach the policy from the service before running this utility to generate the proxy and re-attach once all artifacts are generated successfully.

  5. Run the client program.