This chapter contains the following sections:
Overview of Interoperability with Microsoft WCF/.NET 3.5 Security Environments
Mutual Authentication with Message Protection (WS-Security 1.1)
In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the Web service security policies created using Oracle WSM 11g can interoperate with Web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.
For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx.
For more details about the predefined Oracle WSM 11g policies, see the following topics in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:
Table 5-1 summarizes the most common Microsoft .NET 3.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.
Table 5-1 Interoperability With Microsoft WCF/.NET 3.5 Security Environments
| Interoperability Scenario | Client—>Web Service | Oracle WSM 11g Policies | Microsoft WCF/.NET 3.5 Policies |
|---|---|---|---|
|
Microsoft WCF/.NET 3.5—>Oracle WSM 11g |
oracle/wsmtom_service_policy |
||
|
Oracle WSM 11g—>Microsoft WCF/.NET 3.5 |
oracle/wsmtom_client_policy |
||
|
Microsoft WCF/.NET 3.5—>Oracle WSM 11g |
oracle/wss11_username_token_with_message_protection_service_policy OR oracle/wss11_saml_or_username_token_with_message_protection_service_policy |
||
|
Oracle WSM 11g—>Microsoft WCF/.NET 3.5 |
oracle/wss11_username_token_with_message_protection_client_policy |
||
|
Microsoft WCF/.NET 3.5—>Oracle WSM 11g |
oracle/wss_saml_or_username_token_over_ssl_service_policy OR oracle/wss_username_token_over_ssl_service_policy |
||
|
"Mutual Authentication with Message Protection (WS-Security 1.1)" |
Microsoft WCF/.NET 3.5—>Oracle WSM 11g |
oracle/wss11_x509_token_with_message_protection_service_policy |
|
|
"Mutual Authentication with Message Protection (WS-Security 1.1)" |
Oracle WSM 11g—>Microsoft WCF/.NET 3.5 |
oracle/wss11_x509_token_with_message_protection_client_policy |
|
|
Microsoft WCF/.NET 3.5—>Oracle WSM 11g |
oracle/wss11_kerberos_with_message_protection_service_policy |
This section describes how to implement MTOM in the following interoperability scenarios:
"Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service"
To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:
Create a Web service application.
Attach the following policy to the Web service: oracle/wsmotom_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Deploy the application.
Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service. See "Example app.config File for MTOM Interoperability".
Run the client program.
Example app.config File for MTOM Interoperability
The following provides an example of the app.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomBinding_IMTOMService">
<mtomMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" maxBufferSize="65536"
writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength=
"8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</mtomMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="<endpoint_url>"
binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService"
contract="IMTOMService" name="CustomBinding_IMTOMService" >
</endpoint>
</client>
</system.serviceModel>
</configuration>
To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:
Create a .NET Web service.
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.
For an example of a .NET Web service, see "Example of .NET Web Service for MTOM Interoperability".
Deploy the application.
Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
Attach the following policy to the Web service client: oracle/wsmtom_client_policy.
For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Example of .NET Web Service for MTOM Interoperability
The following provides an example of the .NET Web service for MTOM interoperability.
static void Main(string[] args)
{
string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";
// Step 1 of the address configuration procedure: Create a URI to serve as the base address.
Uri baseAddress = new Uri(uri);
// Step 2 of the hosting procedure: Create ServiceHost
ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);
try {
HttpTransportBindingElement hb = new HttpTransportBindingElement();
hb.ManualAddressing = false;
hb.MaxBufferPoolSize = 2147483647;
hb.MaxReceivedMessageSize = 2147483647;
hb.AllowCookies = false;
hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.KeepAliveEnabled = true;
hb.MaxBufferSize = 2147483647;
hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.Realm = "";
hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
hb.UnsafeConnectionNtlmAuthentication = false;
hb.UseDefaultWebProxy = true;
MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
me.MaxReadPoolSize=64;
me.MaxWritePoolSize=16;
me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12;
me.WriteEncoding = System.Text.Encoding.UTF8;
me.MaxWritePoolSize = 2147483647;
me.MaxBufferSize = 2147483647;
me.ReaderQuotas.MaxArrayLength = 2147483647;
CustomBinding binding1 = new CustomBinding();
binding1.Elements.Add(me);
binding1.Elements.Add(hb);
ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1,
"MTOMService");
EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
EndpointIdentity.CreateDnsIdentity("WSMCert3"));
ep.Address = myEndpointAdd;
// Step 4 of the hosting procedure: Enable metadata exchange.
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
selfHost.Description.Behaviors.Add(smb);
using (ServiceHost host = new ServiceHost(typeof(MTOMService)))
{
System.ServiceModel.Description.ServiceDescription svcDesc =
selfHost.Description;
ServiceDebugBehavior svcDebug =
svcDesc.Behaviors.Find<ServiceDebugBehavior>();
svcDebug.IncludeExceptionDetailInFaults = true;
}
// Step 5 of the hosting procedure: Start (and then stop) the service.
selfHost.Open();
Console.WriteLine("The service " + uri + " is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
// Close the ServiceHostBase to shutdown the service.
selfHost.Close();
}
catch (CommunicationException ce)
{
Console.WriteLine("An exception occurred: {0}", ce.Message);
selfHost.Abort();
}
}
This section describes how to implement username token with message protection that conforms to WS-Security 1.1 in the following interoperability scenarios:
"Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service"
To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:
Create a Web service application.
Attach one of the following policies to the Web service:
oracle/wss11_username_token_with_message_protection_service_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:
keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.
Open a command prompt.
Type mmc and press ENTER.
Select File > Add/Remove snap-in.
Select Add and Choose Certificates.
Note:
To view certificates in the local machine store, you must be in the Administrator role.Select Add.
Select My user account and finish.
Click OK.
Expand Console Root > Certificates -Current user > Personal > Certificates.
Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.
Click Next, select Browse, and navigate to the .cer file that was exported previously.
Click Next and accept defaults and finish the wizard.
Generate a .NET client using the WSDL of the Web service.
For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.
Note:
SVCUtil does not support some security policy assertions such as <sp:SignedParts>. As a workaround:Detach the policy
Generate proxy using SVCUtil
Attach the policy back
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.
Edit the app.config file in the .NET project to update the certificate file and disable replays, as described in "Edit the app.config File".
Compile the project.
Open a command prompt and navigate to the project's Debug folder.
Enter <client_project_name>.exe and press Enter.
Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold). If you follow the default key setup, then <certificate_cn> should be set to alice.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser" storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="HelloWorldSoapHttp">
<security defaultAlgorithmSuite="Basic128"
authenticationMode="UserNameForCertificate"
requireDerivedKeys="false" securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion=
"WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="true">
<localClientSettings
cacheCookies="true"
detectReplays="false"
replayCacheSize="900000"
maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128"
replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00"
replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap /></security>
<textMessageEncoding
maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap11"
writeEncoding="utf-8">
<readerQuotas
maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
</textMessageEncoding>
<HttpTransport
manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true"
maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm=""
transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="<endpoint_url>"
binding="customBinding"
bindingConfiguration="HelloWorldSoapHttp"
contract="HelloWorld"
name="HelloWorldPort"
behaviorConfiguration="secureBehaviour" >
<identity>
<dns value="<certificate_cn>"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:
Create a .NET Web service.
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.
Be sure to create a custom binding for the Web service using the SymmetricSecurityBindingElement. For an example, see "Example .NET Web Service Client".
Create and import a certificate file to the keystore on the Web service server.
Using VisualStudio, the command would be similar to the following:
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer
This command creates and imports a certificate in mmc.
If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at http://www.microsoft.com/whdc/devtools/WDK/default.mspx.
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1
Then, in mmc, import PRF_WSMCert3.pfx.
Import the certificate created on the Web service server to the client server using the keytool command. For example:
keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>
Right-click on the Web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer.
Navigate to the bin/Debug folder.
Double-click on the <project>.exe file. This command will run the Web service at the URL provided.
Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
In JDeveloper, create a partner link using the WSDL of the .NET service.
Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.
For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Provide configurations for the csf-key and keystore.recipient.alias.
You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1 (wsmcert3). For example:
<wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy"
orawsp:category="security" orawsp:status="enabled"/>
<property name="csf-key" type="xs:string"
many="false">basic.credentials</property>
<property name="keystore.recipient.alias" type="xs:string"
many="false">wsmcert3</property>
static void Main(string[] args)
{
// Step 1 of the address configuration procedure: Create a URI to serve as the
// base address.
// Step 2 of the hosting procedure: Create ServiceHost
string uri = "http://<host>:<port>/TEST/NetService";
Uri baseAddress = new Uri(uri);
ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
try
{
SymmetricSecurityBindingElement sm =
SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
sm.SetKeyDerivation(false);
sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
sm.IncludeTimestamp = true;
sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
sm.MessageSecurityVersion =
MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
WSSecurityPolicy11BasicSecurityProfile10;
sm.RequireSignatureConfirmation = true;
sm.LocalClientSettings.CacheCookies = true;
sm.LocalClientSettings.DetectReplays = true;
sm.LocalClientSettings.ReplayCacheSize = 900000;
sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.ReconnectTransportOnFailure = true;
sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
sm.LocalServiceSettings.DetectReplays = false;
sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
sm.LocalServiceSettings.ReplayCacheSize = 900000;
sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
sm.LocalServiceSettings.MaxPendingSessions = 128;
sm.LocalServiceSettings.MaxCachedCookies = 1000;
sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
HttpTransportBindingElement hb = new HttpTransportBindingElement();
hb.ManualAddressing = false;
hb.MaxBufferPoolSize = 524288;
hb.MaxReceivedMessageSize = 65536;
hb.AllowCookies = false;
hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.KeepAliveEnabled = true;
hb.MaxBufferSize = 65536;
hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.Realm = "";
hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
hb.UnsafeConnectionNtlmAuthentication = false;
hb.UseDefaultWebProxy = true;
TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
tb1.MaxReadPoolSize = 64;
tb1.MaxWritePoolSize = 16;
tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
tb1.WriteEncoding = System.Text.Encoding.UTF8;
CustomBinding binding1 = new CustomBinding(sm);
binding1.Elements.Add(tb1);
binding1.Elements.Add(hb);
ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
"CalculatorService");
EndpointAddress myEndpointAdd = new EndpointAddress(
new Uri(uri),
EndpointIdentity.CreateDnsIdentity("WSMCert3"));
ep.Address = myEndpointAdd;
// Step 4 of the hosting procedure: Enable metadata exchange.
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
selfHost.Description.Behaviors.Add(smb);
selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "WSMCert3");
selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;
selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
UserNamePasswordValidationMode.Custom;
CustomUserNameValidator cu = new CustomUserNameValidator();
selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
{
System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
svcDebug.IncludeExceptionDetailInFaults = true;
}
// Step 5 of the hosting procedure: Start (and then stop) the service.
selfHost.Open();
Console.WriteLine("The Calculator service is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
selfHost.Close();
}
catch (CommunicationException ce)
{
Console.WriteLine("An exception occurred: {0}", ce.Message);
selfHost.Abort();
}
}
This section describes how to implement username token over SSL in the following interoperability scenario:
To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:
Configure the server for SSL.
For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a copy of one of the following policies:
oracle/wss_username_token_over_ssl_service_policy
oracle/wss_saml_or_username_token_over_ssl_service_policy
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.Edit the policy settings, as follows:
Disable the Creation Time Required configuration setting.
Disable the Nonce Required configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Attach the policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Generate a .NET client using the WSDL of the Web service.
For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.
Edit the app.config file, as described in "Edit the app.config File".
Compile the project.
Open a command prompt and navigate to the project's Debug folder.
Type <client_project_name>.exe and press Enter.
Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="BPELProcess1Binding">
<security defaultAlgorithmSuite="Basic128"
authenticationMode="UserNameOverTransport"
requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
February2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60"/>
<localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap11" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" requireClientCertificate="false"/>
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="
https://host:port/soa-infra/services/default/IO_NET6/bpelprocess1_client_ep"
binding="customBinding" bindingConfiguration="BPELProcess1Binding"
contract="BPELProcess1" name="BPELProcess1_pt" />
</client>
</system.serviceModel>
</configuration>
The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards:
"Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service"
Configuration Prerequisites for Interoperability
Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:
keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.
Open a command prompt.
Type mmc and press ENTER.
Select File > Add/Remove snap-in.
Select Add and Choose Certificates.
Note:
To view certificates in the local machine store, you must be in the Administrator role.Select Add.
Select My user account and finish.
Click OK.
Expand Console Root > Certificates -Current user > Personal > Certificates.
Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.
Click Next, select Browse, and navigate to the .cer file that was exported previously.
Click Next and accept defaults and finish the wizard.
To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web Service, perform the steps described in the following sections:
Create a SOA composite and deploy it.
In Enterprise Manager, clone the following policy:
oracle/wss11_x509_token_with_message_protection_service_policy
Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net
Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back.
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false" orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
Using Enterprise Manager, attach the policy to the Web service.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Use the SVCUtil utility to create a client proxy (see "Sample Client Program") and configuration file from the deployed Web service.
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.
Create a configuration file: app.config. Add the following code after the <system.serviceModel> element.
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser" storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
Modify the endpoint behavior as follows:
<endpoint address="http://<server>:<port>//MyWebService1SoapHttpPort"
binding="customBinding"
bindingConfiguration="MyWebService1SoapHttp"
contract="MyWebService1" name="MyWebService1SoapHttpPort"
behaviorConfiguration="secureBehaviour" >
<identity>
<dns value="<certificate_cn>"/>
</identity>
</endpoint>
Disable the message replay detection as follows:
<localClientSettings cacheCookies="true" detectReplays="false"
replayCacheSize="900000"
maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
Create a custom binding as shown below:
<security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate"
"Sample app.config File" provides an example of the configuration file.
Compile the project.
Open a command prompt and navigate to the project's Debug folder.
Enter <client_project_name>.exe and press Enter.
The following provides an example of the app.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="BPELProcess1Binding">
<security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate"
requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
February2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="false"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap11" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="<endpoint_url>"
binding="customBinding" bindingConfiguration="BPELProcess1Binding"
contract="BPELProcess1" name="BPELProcess1_pt" >
<identity>
<dns value=<certificate_cn>/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
namespace IO_NET10_client
{
class Program
{
static void Main(string[] args)
{
BPELProcess1Client client = new BPELProcess1Client();
client.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "WSMCert3");
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "Alice");
process proc = new process();
proc.input = "Test wss11_x509_token_with_message_protection_policy - ";
Console.WriteLine(proc.input);
processResponse response = client.process(proc);
Console.WriteLine(response.result.ToString());
Console.WriteLine("Press <ENTER> to terminate Client.");
Console.ReadLine();
}
}
}
To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web Service, perform the steps described in the following sections:
Create a .NET Web service.
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.
For an example of a .NET Web service, see "Example .NET Web Service Client".
Create a custom binding for the Web service using the SymmetricSecurityBindingElement.
For more information, see "How to: Create a Custom Binding Using the SecurityBindingElement" at http://msdn.microsoft.com/en-us/library/ms730305.aspx.
The following is a sample of the SymmetricSecurityBindingElement object:
SymmetricSecurityBindingElement sm = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificate BindingElement(); sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;sm.SetKeyDerivati on(false); sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;sm.IncludeTimestamp = true; sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;sm.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversation February2005WSSecurityPolicy11BasicSecurityProfile10; sm.RequireSignatureConfirmation = true;
Deploy the application.
Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
In JDeveloper, create a partner link using the WSDL of the .NET service and add the import as follows:
<wsdl:import namespace="<namespace>" location="<WSDL location>"/>
In Enterprise Manager, clone the policy: wss11_x509_token_with_message_protection_service_policy. Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net
Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="true" orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
Attach the policy to the Web service client.
For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Provide configurations for the keystore.recipient.alias.
You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 4 (wsmcert3).
Invoke the Web service method from the client.
This section describes how to implement kerberos with message protection in the following interoperability scenarios:
Perform the following prerequisite steps:
Configure the Key Distribution Center (KDC) and Active Directory (AD). For more information, see the section "To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at https://download.oracle.com/docs/cd/E19316-01/820-3746/gisdn/index.html.
Set up the Kerberos configuration file krb5.conf in c:\winnt as shown in Example 5-1.
Example 5-1 Sample Kerberos Configuration File
[logging]
default = c:\log\krb5libs.log
kdc = c:\log\krb5kdc.log
admin_server = c:\log\kadmind.log
[libdefaults]
default_realm = MYCOMPANY.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
kdc = <hostname>
[realms]
MYCOMPANY.LOCAL =
{ kdc = <hostname>:<portnumber> admin_server = <hostname>:<portnumber>
default_domain = <domainname>
}
[domain_realm]
.<domainname> = MYCOMPANY.LOCAL
<domainname> = MYCOMPANY.LOCAL
[appdefaults]
pam =
{ debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable =
true krb4_convert = false }
To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:
Create a Web service application.
Copy the following policy: wss11_kerberos_with_message_protection_service_policy.
Edit the policy settings to set Algorithm Suite to Basic128Rsa15.
Attach the policy to the web service. For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Deploy the application.
Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar".
Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:
ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4
where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the krb5.ini file. The pass password must match the password created during the user creation.
Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite Web service is hosted.
Use the following setSpn command to map the service principal to the user:
setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar
setSpn -L foobar
Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.
Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service.
Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.
In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab).
<client>
<endpoint address="http://host:port/HelloServicePort"
binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
contract="NewHello" name="HelloServicePort">
<identity>
<servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
</identity>
</endpoint>
</client>
A sample binding is provided in Example 5-2.
<customBinding>
<binding name="NewHelloSoap12HttpPortBinding">
<!--Added by User: Begin-->
<security defaultAlgorithmSuite="Basic128"
authenticationMode="Kerberos"
requireDerivedKeys="false" securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005
WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
Profile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<!--Added by User: End-->
<textMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384"
/>
</textMessageEncoding>
<!--Added by User: Begin-->
<httpTransport manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
<!--Added by User: End-->
</binding>
</customBinding>
The svcutil.exe utility will not work if the Web service has an Oracle WSM policy attached to it. Detach the policy from the service before running this utility to generate the proxy and re-attach once all artifacts are generated successfully.
Run the client program.