Skip Headers
Oracle® Fusion Middleware Interoperability Guide for Oracle Web Services Manager
11g Release 1 (11.1.1.7)

Part Number E16098-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

5 Interoperability with Microsoft WCF/.NET 3.5 Security Environments

This chapter contains the following sections:

5.1 Overview of Interoperability with Microsoft WCF/.NET 3.5 Security Environments

In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the Web service security policies created using Oracle WSM 11g can interoperate with Web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.

For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx.

For more details about the predefined Oracle WSM 11g policies, see the following topics in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

Table 5-1 summarizes the most common Microsoft .NET 3.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.

Table 5-1 Interoperability With Microsoft WCF/.NET 3.5 Security Environments

Interoperability Scenario Client—>Web Service Oracle WSM 11g Policies Microsoft WCF/.NET 3.5 Policies

"Message Transmission Optimization Mechanism (MTOM)"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wsmtom_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Message Transmission Optimization Mechanism (MTOM)"

Oracle WSM 11g—>Microsoft WCF/.NET 3.5

oracle/wsmtom_client_policy

See "Configuring Microsoft WCF/.NET 3.5 Web Service"

"Username Token With Message Protection (WS-Security 1.1)"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss11_username_token_with_message_protection_service_policy

OR

oracle/wss11_saml_or_username_token_with_message_protection_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Username Token With Message Protection (WS-Security 1.1)"

Oracle WSM 11g—>Microsoft WCF/.NET 3.5

oracle/wss11_username_token_with_message_protection_client_policy

See "Configuring Microsoft WCF/.NET 3.5 Web Service"

"Username Token Over SSL"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss_saml_or_username_token_over_ssl_service_policy

OR

oracle/wss_username_token_over_ssl_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Mutual Authentication with Message Protection (WS-Security 1.1)"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss11_x509_token_with_message_protection_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"

"Mutual Authentication with Message Protection (WS-Security 1.1)"

Oracle WSM 11g—>Microsoft WCF/.NET 3.5

oracle/wss11_x509_token_with_message_protection_client_policy

See "Configuring Microsoft WCF/.NET 3.5 Web Service"

"Kerberos with Message Protection"

Microsoft WCF/.NET 3.5—>Oracle WSM 11g

oracle/wss11_kerberos_with_message_protection_service_policy

See "Configuring Microsoft WCF/.NET 3.5 Client"


5.2 Message Transmission Optimization Mechanism (MTOM)

This section describes how to implement MTOM in the following interoperability scenarios:

5.2.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.2.1.1 Configuring Oracle WSM 11g Web Service

  1. Create a Web service application.

  2. Attach the following policy to the Web service: oracle/wsmotom_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Deploy the application.

5.2.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service. See "Example app.config File for MTOM Interoperability".

  2. Run the client program.

Example app.config File for MTOM Interoperability

The following provides an example of the app.config file:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>    
        <bindings>
            <customBinding>
                <binding name="CustomBinding_IMTOMService">                
                    <mtomMessageEncoding maxReadPoolSize="64"
                     maxWritePoolSize="16"
                        messageVersion="Soap12" maxBufferSize="65536"
                        writeEncoding="utf-8">
                        <readerQuotas maxDepth="32" maxStringContentLength=
                         "8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    </mtomMessageEncoding>
                    <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                        maxReceivedMessageSize="65536" allowCookies="false"
                           authenticationScheme="Anonymous"
                        bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                        keepAliveEnabled="true" maxBufferSize="65536"
                           proxyAuthenticationScheme="Anonymous"
                        realm="" transferMode="Buffered" 
                           unsafeConnectionNtlmAuthentication="false"
                        useDefaultWebProxy="true" />
                </binding>
            </customBinding>
        </bindings>
        <client>
          <endpoint address="<endpoint_url>"
              binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService"
              contract="IMTOMService" name="CustomBinding_IMTOMService" >
          </endpoint>         
        </client>          
    </system.serviceModel>
</configuration>

5.2.2 Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service

To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:

5.2.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service

  1. Create a .NET Web service.

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

    For an example of a .NET Web service, see "Example of .NET Web Service for MTOM Interoperability".

  2. Deploy the application.

5.2.2.2 Configuring Oracle WSM 11g Client

  1. Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.

  2. Attach the following policy to the Web service client: oracle/wsmtom_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Example of .NET Web Service for MTOM Interoperability

The following provides an example of the .NET Web service for MTOM interoperability.

static void Main(string[] args)
{
    string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";
    // Step 1 of the address configuration procedure: Create a URI to serve as the base address.
    Uri baseAddress = new Uri(uri);

    // Step 2 of the hosting procedure: Create ServiceHost
    ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);
 
    try {
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 2147483647;               
        hb.MaxReceivedMessageSize = 2147483647;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 2147483647;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
        me.MaxReadPoolSize=64;
        me.MaxWritePoolSize=16;
        me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12;
        me.WriteEncoding = System.Text.Encoding.UTF8;
        me.MaxWritePoolSize = 2147483647;
        me.MaxBufferSize = 2147483647;
        me.ReaderQuotas.MaxArrayLength = 2147483647;
        CustomBinding binding1 = new CustomBinding();
        binding1.Elements.Add(me);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1, 
               "MTOMService");
        EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));               
        ep.Address = myEndpointAdd;

        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        using (ServiceHost host = new ServiceHost(typeof(MTOMService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = 
                 selfHost.Description;
            ServiceDebugBehavior svcDebug = 
                  svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The service " + uri + " is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        // Close the ServiceHostBase to shutdown the service.
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
        Console.WriteLine("An exception occurred: {0}", ce.Message);
        selfHost.Abort();
    }
}

5.3 Username Token With Message Protection (WS-Security 1.1)

This section describes how to implement username token with message protection that conforms to WS-Security 1.1 in the following interoperability scenarios:

5.3.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.3.1.1 Configuring Oracle WSM 11g Web Service

  1. Create a Web service application.

  2. Attach one of the following policies to the Web service:

    oracle/wss11_username_token_with_message_protection_service_policy

    oracle/wss11_saml_or_username_token_with_message_protection_service_policy

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:

    keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
    

5.3.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

    1. Open a command prompt.

    2. Type mmc and press ENTER.

    3. Select File > Add/Remove snap-in.

    4. Select Add and Choose Certificates.

      Note:

      To view certificates in the local machine store, you must be in the Administrator role.

    5. Select Add.

    6. Select My user account and finish.

    7. Click OK.

    8. Expand Console Root > Certificates -Current user > Personal > Certificates.

    9. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.

    10. Click Next, select Browse, and navigate to the .cer file that was exported previously.

    11. Click Next and accept defaults and finish the wizard.

  2. Generate a .NET client using the WSDL of the Web service.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.

    Note:

    SVCUtil does not support some security policy assertions such as <sp:SignedParts>. As a workaround:

    • Detach the policy

    • Generate proxy using SVCUtil

    • Attach the policy back

  3. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

  4. Edit the app.config file in the .NET project to update the certificate file and disable replays, as described in "Edit the app.config File".

  5. Compile the project.

  6. Open a command prompt and navigate to the project's Debug folder.

  7. Enter <client_project_name>.exe and press Enter.

Edit the app.config File

Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold). If you follow the default key setup, then <certificate_cn> should be set to alice.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
         <behavior name="secureBehaviour">
           <clientCredentials>
             <serviceCertificate>
               <defaultCertificate findValue="<certificate_cn>" 
                storeLocation="CurrentUser" storeName="My" 
                x509FindType="FindBySubjectName"/>
             </serviceCertificate>
           </clientCredentials>
         </behavior>
      </endpointBehaviors>
    </behaviors>
  <bindings>
    <customBinding>
      <binding name="HelloWorldSoapHttp">
      <security defaultAlgorithmSuite="Basic128"  
       authenticationMode="UserNameForCertificate" 
       requireDerivedKeys="false" securityHeaderLayout="Lax" 
       includeTimestamp="true"
       keyEntropyMode="CombinedEntropy" 
       messageProtectionOrder="SignBeforeEncrypt"
       messageSecurityVersion=
"WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
       requireSignatureConfirmation="true">
     <localClientSettings 
       cacheCookies="true" 
       detectReplays="false"
       replayCacheSize="900000" 
       maxClockSkew="00:05:00" 
       maxCookieCachingTime="Infinite"
       replayWindow="00:05:00" 
       sessionKeyRenewalInterval="10:00:00"
       sessionKeyRolloverInterval="00:05:00" 
       reconnectTransportOnFailure="true"
       timestampValidityDuration="00:05:00" 
       cookieRenewalThresholdPercentage="60" />
     <localServiceSettings detectReplays="true" 
       issuedCookieLifetime="10:00:00"
       maxStatefulNegotiations="128" 
       replayCacheSize="900000" 
       maxClockSkew="00:05:00" 
       negotiationTimeout="00:01:00" 
       replayWindow="00:05:00" 
       inactivityTimeout="00:02:00"
       sessionKeyRenewalInterval="15:00:00" 
       sessionKeyRolloverInterval="00:05:00"
       reconnectTransportOnFailure="true" 
       maxPendingSessions="128"
       maxCachedCookies="1000" 
       timestampValidityDuration="00:05:00" />
     <secureConversationBootstrap /></security>
     <textMessageEncoding 
      maxReadPoolSize="64" 
      maxWritePoolSize="16"
      messageVersion="Soap11" 
      writeEncoding="utf-8">
        <readerQuotas 
         maxDepth="32" 
         maxStringContentLength="8192" 
         maxArrayLength="16384"
         maxBytesPerRead="4096" 
         maxNameTableCharCount="16384" />
     </textMessageEncoding>
     <HttpTransport 
      manualAddressing="false" 
      maxBufferPoolSize="524288"
      maxReceivedMessageSize="65536" 
      allowCookies="false" 
      authenticationScheme="Anonymous"
      bypassProxyOnLocal="false" 
      hostNameComparisonMode="StrongWildcard"
      keepAliveEnabled="true" 
      maxBufferSize="65536" 
      proxyAuthenticationScheme="Anonymous"
      realm="" 
      transferMode="Buffered" 
      unsafeConnectionNtlmAuthentication="false"
      useDefaultWebProxy="true" />
      </binding>
    </customBinding>
  </bindings>
    <client>
      <endpoint address="<endpoint_url>"
       binding="customBinding"
       bindingConfiguration="HelloWorldSoapHttp"
       contract="HelloWorld" 
       name="HelloWorldPort" 
       behaviorConfiguration="secureBehaviour" >
        <identity>
          <dns value="<certificate_cn>"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

5.3.2 Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service

To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:

5.3.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service

  1. Create a .NET Web service.

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

    Be sure to create a custom binding for the Web service using the SymmetricSecurityBindingElement. For an example, see "Example .NET Web Service Client".

  2. Create and import a certificate file to the keystore on the Web service server.

    Using VisualStudio, the command would be similar to the following:

    makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer
    

    This command creates and imports a certificate in mmc.

    If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at http://www.microsoft.com/whdc/devtools/WDK/default.mspx.

    makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer
    pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1
    

    Then, in mmc, import PRF_WSMCert3.pfx.

  3. Import the certificate created on the Web service server to the client server using the keytool command. For example:

    keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>
    
  4. Right-click on the Web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer.

  5. Navigate to the bin/Debug folder.

  6. Double-click on the <project>.exe file. This command will run the Web service at the URL provided.

5.3.2.2 Configuring Oracle WSM 11g Client

  1. Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.

  2. In JDeveloper, create a partner link using the WSDL of the .NET service.

  3. Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Provide configurations for the csf-key and keystore.recipient.alias.

    You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

    Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1 (wsmcert3). For example:

    <wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy"
        orawsp:category="security" orawsp:status="enabled"/>
      <property name="csf-key" type="xs:string" 
        many="false">basic.credentials</property>
      <property name="keystore.recipient.alias" type="xs:string" 
        many="false">wsmcert3</property>
    

5.3.2.3 Example .NET Web Service Client

static void Main(string[] args)
{
    // Step 1 of the address configuration procedure: Create a URI to serve as the 
    // base address.        
    // Step 2 of the hosting procedure: Create ServiceHost
    string uri = "http://<host>:<port>/TEST/NetService";
    Uri baseAddress = new Uri(uri);
 
    ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
 
    try
    {
        SymmetricSecurityBindingElement sm = 
            SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
        sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
        sm.SetKeyDerivation(false);
        sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        sm.IncludeTimestamp = true;
        sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
        sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        sm.MessageSecurityVersion = 
        MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
        WSSecurityPolicy11BasicSecurityProfile10;
        sm.RequireSignatureConfirmation = true;
        sm.LocalClientSettings.CacheCookies = true;
        sm.LocalClientSettings.DetectReplays = true;
        sm.LocalClientSettings.ReplayCacheSize = 900000;
        sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
        sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
        sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.ReconnectTransportOnFailure = true;
        sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
        sm.LocalServiceSettings.DetectReplays = false;
        sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
        sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
        sm.LocalServiceSettings.ReplayCacheSize = 900000;
        sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
        sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
        sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
        sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
        sm.LocalServiceSettings.MaxPendingSessions = 128;
        sm.LocalServiceSettings.MaxCachedCookies = 1000;
        sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 524288;
        hb.MaxReceivedMessageSize = 65536;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 65536;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
        tb1.MaxReadPoolSize = 64;
        tb1.MaxWritePoolSize = 16;
        tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
        tb1.WriteEncoding = System.Text.Encoding.UTF8;
        CustomBinding binding1 = new CustomBinding(sm);
        binding1.Elements.Add(tb1);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
          "CalculatorService");
 
        EndpointAddress myEndpointAdd = new EndpointAddress(                    
        new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));
        ep.Address = myEndpointAdd;
 
        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, 
           StoreName.My,
        X509FindType.FindBySubjectName, "WSMCert3");
        selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        CustomUserNameValidator cu = new CustomUserNameValidator();
        selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
        using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
            ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The Calculator service is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
         Console.WriteLine("An exception occurred: {0}", ce.Message);
         selfHost.Abort();
     }
}

5.4 Username Token Over SSL

This section describes how to implement username token over SSL in the following interoperability scenario:

5.4.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.4.1.1 Configuring Oracle WSM 11g Web Service

  1. Configure the server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Create a copy of one of the following policies:

    oracle/wss_username_token_over_ssl_service_policy

    oracle/wss_saml_or_username_token_over_ssl_service_policy

    Note:

    Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    1. Disable the Creation Time Required configuration setting.

    2. Disable the Nonce Required configuration setting.

    3. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

5.4.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Generate a .NET client using the WSDL of the Web service.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.

  2. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

  3. Edit the app.config file, as described in "Edit the app.config File".

  4. Compile the project.

  5. Open a command prompt and navigate to the project's Debug folder.

  6. Type <client_project_name>.exe and press Enter.

Edit the app.config File

Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>
        <bindings>
            <customBinding>
                <binding name="BPELProcess1Binding">
                  <security defaultAlgorithmSuite="Basic128" 
                   authenticationMode="UserNameOverTransport"
                   requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                   keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
                   messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
                   February2005WSSecurityPolicy11BasicSecurityProfile10"
                   requireSignatureConfirmation="true">
                    <localClientSettings cacheCookies="true" detectReplays="true"
                      replayCacheSize="900000" maxClockSkew="00:05:00" 
                      maxCookieCachingTime="Infinite"
                      replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                      sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                      timestampValidityDuration="00:05:00" 
                      cookieRenewalThresholdPercentage="60"/>
                    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" 
                        maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" 
                        inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" 
                        sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                    <secureConversationBootstrap />
                  </security>
                  <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                        messageVersion="Soap11" writeEncoding="utf-8">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" 
                         maxArrayLength="16384"
                         maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                  </textMessageEncoding>
                  <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                       maxReceivedMessageSize="65536" allowCookies="false" 
                       authenticationScheme="Anonymous"
                       bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                       keepAliveEnabled="true" maxBufferSize="65536" 
                       proxyAuthenticationScheme="Anonymous"
                       realm="" transferMode="Buffered" 
                       unsafeConnectionNtlmAuthentication="false"
                       useDefaultWebProxy="true"  requireClientCertificate="false"/>
                </binding>
            </customBinding>
        </bindings>
        <client>
            <endpoint address="
 https://host:port/soa-infra/services/default/IO_NET6/bpelprocess1_client_ep"
 binding="customBinding" bindingConfiguration="BPELProcess1Binding"
 contract="BPELProcess1" name="BPELProcess1_pt" />
        </client>
  </system.serviceModel>
</configuration>

5.5 Mutual Authentication with Message Protection (WS-Security 1.1)

The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards:

Configuration Prerequisites for Interoperability

  1. Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:

    keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
    
  2. Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

    1. Open a command prompt.

    2. Type mmc and press ENTER.

    3. Select File > Add/Remove snap-in.

    4. Select Add and Choose Certificates.

      Note:

      To view certificates in the local machine store, you must be in the Administrator role.

    5. Select Add.

    6. Select My user account and finish.

    7. Click OK.

    8. Expand Console Root > Certificates -Current user > Personal > Certificates.

    9. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.

    10. Click Next, select Browse, and navigate to the .cer file that was exported previously.

    11. Click Next and accept defaults and finish the wizard.

5.5.1 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web Service, perform the steps described in the following sections:

5.5.1.1 Configuring Oracle WSM 11g Web Service

  1. Create a SOA composite and deploy it.

  2. In Enterprise Manager, clone the following policy:

    oracle/wss11_x509_token_with_message_protection_service_policy

    Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net

  3. Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back.

    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false" orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
    
  4. Using Enterprise Manager, attach the policy to the Web service.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

5.5.1.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Use the SVCUtil utility to create a client proxy (see "Sample Client Program") and configuration file from the deployed Web service.

  2. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

    1. Create a configuration file: app.config. Add the following code after the <system.serviceModel> element.

      <configuration>
          <system.serviceModel>
            <behaviors>
              <endpointBehaviors>
                <behavior name="secureBehaviour">
                  <clientCredentials>
                    <serviceCertificate>
                      <defaultCertificate findValue="<certificate_cn>"
       storeLocation="CurrentUser" storeName="My"
       x509FindType="FindBySubjectName"/>
                    </serviceCertificate>
                  </clientCredentials>
                </behavior>
              </endpointBehaviors>
            </behaviors>
              <bindings>
                  <customBinding>
      
    2. Modify the endpoint behavior as follows:

      <endpoint address="http://<server>:<port>//MyWebService1SoapHttpPort"
                    binding="customBinding"
       bindingConfiguration="MyWebService1SoapHttp"
                    contract="MyWebService1" name="MyWebService1SoapHttpPort"
       behaviorConfiguration="secureBehaviour" >
                  <identity>
                    <dns value="<certificate_cn>"/>
                  </identity>
                </endpoint>
      
    3. Disable the message replay detection as follows:

      <localClientSettings cacheCookies="true" detectReplays="false"
                                  replayCacheSize="900000"
       maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
      
    4. Create a custom binding as shown below:

      <security defaultAlgorithmSuite="Basic128"
       authenticationMode="MutualCertificate"
      
    5. "Sample app.config File" provides an example of the configuration file.

  3. Compile the project.

  4. Open a command prompt and navigate to the project's Debug folder.

  5. Enter <client_project_name>.exe and press Enter.

Sample app.config File

The following provides an example of the app.config file:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>
      <behaviors>
        <endpointBehaviors>
          <behavior name="secureBehaviour">
            <clientCredentials>
              <serviceCertificate>
                <defaultCertificate findValue="<certificate_cn>"
                                    storeLocation="CurrentUser"
                                    storeName="My"
                                    x509FindType="FindBySubjectName"/>
              </serviceCertificate>
           
          </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
        <bindings>
         
          <customBinding>
            <binding name="BPELProcess1Binding">
              <security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate"
                  requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                  keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
                 
                  messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
                  February2005WSSecurityPolicy11BasicSecurityProfile10"
                  requireSignatureConfirmation="true">
                <localClientSettings cacheCookies="true" detectReplays="false"
                    replayCacheSize="900000" maxClockSkew="00:05:00"
                    maxCookieCachingTime="Infinite"
                    replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                    sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                    timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
                <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                    maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                    negotiationTimeout="00:01:00" replayWindow="00:05:00"
                    inactivityTimeout="00:02:00"
                    sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                    reconnectTransportOnFailure="true" maxPendingSessions="128"
                    maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                <secureConversationBootstrap />
              </security>
              <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                  messageVersion="Soap11" writeEncoding="utf-8">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              </textMessageEncoding>
              <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                  maxReceivedMessageSize="65536" allowCookies="false"
                  authenticationScheme="Anonymous"
                  bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                  keepAliveEnabled="true" maxBufferSize="65536"
                  proxyAuthenticationScheme="Anonymous"
                  realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                  useDefaultWebProxy="true" />
            </binding>
          </customBinding>
 
        </bindings>
        <client>
          <endpoint address="<endpoint_url>"
              binding="customBinding" bindingConfiguration="BPELProcess1Binding"
              contract="BPELProcess1" name="BPELProcess1_pt"  >      
            <identity>
              <dns value=<certificate_cn>/>
            </identity>
          </endpoint>
        </client>
        
    </system.serviceModel>
</configuration>

Sample Client Program

namespace IO_NET10_client
{
    class Program
    {
        static void Main(string[] args)
        {
           
            BPELProcess1Client client = new BPELProcess1Client();
         
            client.ClientCredentials.ClientCertificate.SetCertificate(
                    StoreLocation.CurrentUser,
                    StoreName.My,
                    X509FindType.FindBySubjectName, "WSMCert3");
                     
             client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                       StoreLocation.CurrentUser,
                       StoreName.My,
                    X509FindType.FindBySubjectName, "Alice");
 
            process proc = new process();
            proc.input = "Test wss11_x509_token_with_message_protection_policy - ";
            Console.WriteLine(proc.input);
            processResponse response = client.process(proc);
           
            Console.WriteLine(response.result.ToString());
            Console.WriteLine("Press <ENTER> to terminate Client.");
            Console.ReadLine();
          }
    }
}

5.5.2 Configuring Oracle WSM 11g Client and Microsoft WCF/.NET 3.5 Web Service

To configure Oracle WSM 11g client and Microsoft WCF/.NET 3.5 Web Service, perform the steps described in the following sections:

5.5.2.1 Configuring Microsoft WCF/.NET 3.5 Web Service

  1. Create a .NET Web service.

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

    For an example of a .NET Web service, see "Example .NET Web Service Client".

  2. Create a custom binding for the Web service using the SymmetricSecurityBindingElement.

    For more information, see "How to: Create a Custom Binding Using the SecurityBindingElement" at http://msdn.microsoft.com/en-us/library/ms730305.aspx.

  3. The following is a sample of the SymmetricSecurityBindingElement object:

    SymmetricSecurityBindingElement sm =
    (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificate
    BindingElement(); 
     
    sm.DefaultAlgorithmSuite =
    System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;sm.SetKeyDerivati
    on(false);
    sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;sm.IncludeTimestamp =
    true;
    sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; 
    sm.MessageProtectionOrder =
    MessageProtectionOrder.SignBeforeEncrypt;sm.MessageSecurityVersion =
    MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversation
    February2005WSSecurityPolicy11BasicSecurityProfile10;
    sm.RequireSignatureConfirmation =
    true;
    
  4. Deploy the application.

5.5.2.2 Configuring Oracle WSM 11g Client

  1. Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.

  2. In JDeveloper, create a partner link using the WSDL of the .NET service and add the import as follows:

    <wsdl:import namespace="<namespace>" location="<WSDL location>"/> 
    
  3. In Enterprise Manager, clone the policy: wss11_x509_token_with_message_protection_service_policy. Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net

  4. Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back

    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="true"
     orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
    
  5. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  6. Provide configurations for the keystore.recipient.alias.

    You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

    Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 4 (wsmcert3).

  7. Invoke the Web service method from the client.

5.6 Kerberos with Message Protection

This section describes how to implement kerberos with message protection in the following interoperability scenarios:

5.6.1 Configuration Prerequisites for Interoperability

Perform the following prerequisite steps:

  1. Configure the Key Distribution Center (KDC) and Active Directory (AD). For more information, see the section "To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at http://download.oracle.com/docs/cd/E19316-01/820-3746/gisdn/index.html.

  2. Set up the Kerberos configuration file krb5.conf in c:\winnt as shown in Example 5-1.

    Example 5-1 Sample Kerberos Configuration File

    [logging]
    default = c:\log\krb5libs.log
    kdc = c:\log\krb5kdc.log
    admin_server = c:\log\kadmind.log
    [libdefaults]
    default_realm = MYCOMPANY.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac
    kdc = <hostname>
    [realms]
    MYCOMPANY.LOCAL =
    { kdc = <hostname>:<portnumber>  admin_server = <hostname>:<portnumber>
      default_domain = <domainname>
    }
     [domain_realm]
    .<domainname> = MYCOMPANY.LOCAL
     <domainname> = MYCOMPANY.LOCAL
    [appdefaults]
    pam =
    {   debug = false  ticket_lifetime = 36000  renew_lifetime = 36000  forwardable =
     true  krb4_convert = false }
    

5.6.2 Configuring Microsoft WCF/.NET 3.5 Client and Oracle WSM 11g Web Service

To configure Microsoft WCF/.NET 3.5 client and Oracle WSM 11g Web service, perform the steps described in the following sections:

5.6.2.1 Configuring Oracle WSM 11g Web Service

  1. Create a Web service application.

  2. Copy the following policy: wss11_kerberos_with_message_protection_service_policy.

  3. Edit the policy settings to set Algorithm Suite to Basic128Rsa15.

  4. Attach the policy to the web service. For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  5. Deploy the application.

5.6.2.2 Configuring Microsoft WCF/.NET 3.5 Client

  1. Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar".

  2. Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:

    ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4

    where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the krb5.ini file. The pass password must match the password created during the user creation.

    Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite Web service is hosted.

  3. Use the following setSpn command to map the service principal to the user:

    setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar

    setSpn -L foobar

    Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.

  4. Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service.

    Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.

    In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab).

    <client>
            <endpoint address="http://host:port/HelloServicePort"
                binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
                contract="NewHello" name="HelloServicePort">
            <identity>
              <servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
            </identity>
            </endpoint>
           
          </client>
    

    A sample binding is provided in Example 5-2.

    Example 5-2 Sample Binding

    <customBinding>
                    <binding name="NewHelloSoap12HttpPortBinding">
                        <!--Added by User: Begin-->
                      <security defaultAlgorithmSuite="Basic128"
                       authenticationMode="Kerberos"
                        requireDerivedKeys="false" securityHeaderLayout="Lax"
                        includeTimestamp="true"
                        keyEntropyMode="CombinedEntropy"
                        messageProtectionOrder="SignBeforeEncrypt"
                       messageSecurityVersion="WSSecurity11WSTrustFebruary2005
                       WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
                        Profile10" 
                      requireSignatureConfirmation="true">
                        <localClientSettings cacheCookies="true" detectReplays="true"
                            replayCacheSize="900000" maxClockSkew="00:05:00"
                            maxCookieCachingTime="Infinite"
                            replayWindow="00:05:00"
                            sessionKeyRenewalInterval="10:00:00"
                            sessionKeyRolloverInterval="00:05:00"
                            reconnectTransportOnFailure="true"
                            timestampValidityDuration="00:05:00"
                            cookieRenewalThresholdPercentage="60" />
                        <localServiceSettings detectReplays="true"
                            issuedCookieLifetime="10:00:00"
                            maxStatefulNegotiations="128" replayCacheSize="900000"
                            maxClockSkew="00:05:00"
                            negotiationTimeout="00:01:00" replayWindow="00:05:00"
                            inactivityTimeout="00:02:00"
                            sessionKeyRenewalInterval="15:00:00"
                            sessionKeyRolloverInterval="00:05:00"
                            reconnectTransportOnFailure="true"
                            maxPendingSessions="128"
                            maxCachedCookies="1000"
                            timestampValidityDuration="00:05:00" />
                        <secureConversationBootstrap />
                      </security>
                      <!--Added by User: End-->
                        <textMessageEncoding maxReadPoolSize="64"
                           maxWritePoolSize="16"
                            messageVersion="Soap12" writeEncoding="utf-8">
                            <readerQuotas maxDepth="32" maxStringContentLength="8192"
                              maxArrayLength="16384"
                                maxBytesPerRead="4096" maxNameTableCharCount="16384"
     />
                        </textMessageEncoding>
                      <!--Added by User: Begin-->
                      <httpTransport manualAddressing="false"
                           maxBufferPoolSize="524288"
                            maxReceivedMessageSize="65536" allowCookies="false"
                            authenticationScheme="Anonymous"
                            bypassProxyOnLocal="false"
                            hostNameComparisonMode="StrongWildcard"
                            keepAliveEnabled="true" maxBufferSize="65536"
                            proxyAuthenticationScheme="Anonymous"
                            realm="" transferMode="Buffered"
                            unsafeConnectionNtlmAuthentication="false"
                            useDefaultWebProxy="true" />
                      <!--Added by User: End-->
                    </binding>
    </customBinding>
    

    The svcutil.exe utility will not work if the Web service has an Oracle WSM policy attached to it. Detach the policy from the service before running this utility to generate the proxy and re-attach once all artifacts are generated successfully.

  5. Run the client program.

5.7 WCF/.NET 3.5 client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) STS

This section describes securing a WCF/.NET 3.5 client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) secure token service (STS), using a policy utilizing SAML bearer token over one-way SSL.

Note:

The SAML sender vouches token is not supported in this use case.

This procedure described in this section assumes that you install and configure ADFS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 system. This system is set up in the STS role.

The following topics are described:

5.7.1 Install and Configure Active Directory Federation Services (ADFS) 2.0

This section describes how to install and configure ADFS 2.0.

The following topics are described:

5.7.1.1 Install and Configure Active Directory

Install and configure Active Directory. See http://technet.microsoft.com/en-us/windowsserver for related links and information.

5.7.1.2 Install ADFS 2.0

Install ADFS 2.0 and configure it using the wizard. See http://technet.microsoft.com/en-us/windowsserver/dd448613 for related links and information. See http://go.microsoft.com/fwlink/?linkid=151338 for download information.

As you configure ADFS 2.0 using the wizard, on the Server Role page be sure to click Federation server.

5.7.1.3 Create and Configure a Self-Signed Server Authentication Certificate

Create and configure a self-signed server authentication certificate in IIS and bind it to the default Web site using the Internet Information Services (IIS) Manager console. When done, enable SSL server authentication.

The AD FS 2.0 Setup Wizard automatically installed the Web server (IIS) server role on the system.

Creating a self-signed server authentication certificate is described generally in http://technet.microsoft.com/en-us/library/cc771041%28v=ws.10%29.aspx. The steps in this section provides usecase-specific information.

  1. Open the Internet Information Services (IIS) Manager console.

  2. On the Start menu, click All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In the console tree, click the root node that contains the name of the system, and then, in the details pane, double-click the icon named Server Certificates in the IIS grouping.

  4. In the Actions pane, click Create Self-Signed Certificate.

  5. In the console tree, click Default Web Site.

  6. In the Actions pane, click Bindings.

  7. In the Site Bindings dialog box, click Add.

  8. In the Add Site Binding dialog box, select https in the Type drop-down list. Select the certificate you just created in the SSL certificate drop-down list, click OK, and then click Close.

  9. Close the Internet Information Services (IIS) Manager console. Enable SSL Server Authentication.

5.7.1.4 Configure the System as a Standalone Federation Server

Configure the system as a standalone federation server, as described in http://technet.microsoft.com/en-us/library/ee913579%28v=ws.10%29.aspx.

5.7.1.5 Export ADFS 2.0 Token-Signing Certificate

Export the ADFS 2.0 token-signing certificate, as described in http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_4.

For a self-signed certificate, select DER encoded binary X.509 (.cer).

If the signing certificate is not self-signed, select Cryptographic Message Syntax Standard – PKCS 7 certificates (.p7b) and check Include all the certificates in the certification path if possible.

5.7.1.6 Create Users with Email Address

Create users and include an email address. You later enable the STS to send the email address as the subject name id in the outgoing SAML assertions for the service.

Follow these steps to add a sample user to Active Directory. Make sure to set the email address for each user.

  1. Log in to the system with domain administrator credentials.

  2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, right-click the Users folder. Click New, and then click User.

  4. On the New Object – User page, add the user, and then click Next.

  5. Provide a password, clear the User must change password at next logon check box, and then click Next.

  6. Click Finish.

  7. In the right-most pane of Active Directory Users and Computers, right-click the new user object, and then click Properties.

  8. On the General tab, in the E-mail box, type the email address of the user, and then click OK.

5.7.2 Configure ADFS 2.0 STS As Trusted SAML Token Issuer

Perform the following steps to configure Oracle WSM to trust the SAML assertions issued by an ADFS 2.0 STS:

  1. Get the STS signing certificates you exported in Section 5.7.1.5, "Export ADFS 2.0 Token-Signing Certificate".

    For a .p7b file for a certificate chain, open the file in IE and copy each certificate in the chain in a .cer file.

  2. Import the certificates into the location of the default keystore using keytool.

    keytool –importcert –file <sts-signing-certs-file> –trustcacerts –alias <alias> –keystore default-keystore.jks

  3. Add http://domain-name/adfs/services/trust as a SAML trusted issuer.

    See "Defining Trusted Issuers and Trusted Distinguished Name List for Signing Certificates" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services for the steps to follow.

  4. Add the Subject DN (as defined in RFC 2253) of the STS certificate in the Trusted STS Servers section. Use a string that conforms to RFC 2253, such as CN=abc. You can use the mechanism of your choice, such as keytool, to view the certificate and determine the Subject DN.

    See "Defining Trusted Issuers and Trusted Distinguished Name List for Signing Certificates" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services for the steps to follow.

5.7.3 Configure Users in Oracle Internet Directory

For each user, configure the mail attribute to match the user email address set in ADFS.

See Managing Directory Entries for Creating a User in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on configuring users in Oracle Internet Directory.

5.7.4 Attach the Policy

Attach the Oracle WSM oracle/wss11_saml_or_username_token_with_message_protection_service_policy or oracle/wss_saml_token_bearer_over_ssl_service_policy policy to the Web service.

These policies enforce message protection (integrity and confidentiality) and SAML-based authentication using credentials provided in SAML tokens with the bearer confirmation method in the WS-Security SOAP header. They also verify that the transport protocol provides SSL message protection.

See "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information on attaching policies.

5.7.5 Register the Web Service as a Relying Party in ADFS 2.0

Configure ADFS 2.0 to issue the SAML assertion to the Web service with the email address or the name ID (SAM-Account-Name) as the subject name id.

See http://technet.microsoft.com/en-us/library/dd807108%28v=ws.10%29.aspx for general information on relying parties.

This section provides usecase-specific information.

Add the Web Service as a Relying Party

  1. In the AD FS 2.0 Management console, click AD FS 2.0.

  2. In the details pane, click Add a trusted relying party to start the Add Relying Party Wizard.

  3. On the Welcome page, click Start to begin.

  4. Select Enter data about the relying party manually.

  5. Provide a display name and enter any notes you want.

  6. Select ADFS 2.0 Profile.

  7. On the Configure Certificate page, click Next.

    Configuring a token encryption certificate on this page is optional. Configure one on this page if you require that the token be encrypted. If you do not configure a token encryption certificate, the token issued by STS is not encrypted for the service.

  8. WS-Trust is always enabled. Click Next.

  9. For the Relying Party Trust Identifier, enter the service URL and click Add.

  10. Permit all users to access this relying party.

  11. Click Next and then Close.

Configure the Claim Rules for the Service

To enable the STS to send the email address or the name ID as the subject name id in the outgoing SAML assertions for the service, use the steps in this section to create a chain of two claim rules with different templates.

See http://technet.microsoft.com/en-us/library/ee913578%28v=ws.10%29.aspx for general information on claim rules. See http://technet.microsoft.com/en-us/library/dd807115%28v=ws.10%29.aspx to create a rule to send LDAP attributes as claims.

This section provides usecase-specific information.

  1. Right-click on the Relying Party for the service and select Edit Claim Rules.

  2. On the Issuance Transform Rules tab select Add Rule.

  3. Select Send LDAP Attribute as Claims as the claim rule template to use.

  4. Give the Claim a name, such as Get LDAP Attributes.

  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.

    If you want to instead use the name ID as the subject name ID, under LDAP Attribute, select SAM-Account-Name.

  6. Select Finish.

  7. If you use the name ID as the subject name ID, click OK to close the property page and save the changes to the relying party trust.

    If you use the email address as the subject name ID, continue to add a rule.

  8. Select Add Rule.

  9. Select Transform an Incoming Claim as the claim rule template to use.

  10. Give it a name, such as Email to Name ID.

  11. Set the Incoming claim type as E-mail Address. (It must match the Outgoing Claim Type in the previous rule.)

  12. Set the Outgoing claim type as Name ID and the Outgoing name ID format as Email (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).

  13. Pass through all claim values and click Finish.

  14. Click OK to close the property page and save the changes to the relying party trust.

5.7.6 Secure WCF/.NET 3.5 Client with ADFS 2.0

Perform the following steps to secure WCF/.NET 3.5 Client with ADFS 2.0:

  1. Install .NET 3.5 and Visual Studio 2008.

  2. Import the SSL server certificates for STS and the service into Windows.

    If the SSL server certificate for STS or the service is not issued from a trusted CA, or self-signed, then it needs to be imported with MMC tool, as described in Section 5.6.1, "Configuration Prerequisites for Interoperability".

  3. Create and Configure the WCF Client.

    ADFS 2.0 STS supports multiple security and authentication mechanisms for token insurance. Each is exposed as a separate endpoint. For username/password authentication, two endpoints are provided:

    • http://<adfs.domain>/adfs/services/trust/13/username — This endpoint is for username token with message protection.

    • https://<adfs.domain>/adfs/services/trust/13/usernamemixed — This endpoint is for username token with transport protection (SSL).

    The WCF client uses the https://<adfs.domain>/adfs/services/trust/13/usernamemixed endpoint for username token on SSL to obtain the SAML bearer token for the service.

    1. Generate the WCF Client with the service WSDL.

      See http://msdn.microsoft.com/en-us/library/ms733133(v=vs.90) for information on creating a Windows Communication Foundation client.

      Note:

      SVCUtil does not support the security policy with policy alternatives as advertised for the OWSM policy oracle/wss11_saml_or_username_token_with_message_protection_service_policy, or the oracle/wss_saml_bearer_token_over_ssl_service_policy policy. To work around this:

      1. Detach the policy for the service.

      2. Generate a proxy using SVCUtil.

      3. Attach the policy back to the service.

    2. Configure the client with ws2007FederationHttpBinding:

      In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

      Edit the app.config file. (See http://msdn.microsoft.com/en-us/library/bb472490.aspx for information on WS 2007 Federation HTTP Binding.) Consider the following sample:

      <?xml version="1.0" encoding="utf-8"?>
      <configuration>
          <system.serviceModel>
              <behaviors>
                <endpointBehaviors>
                  <behavior name="secureBehaviour">
                    <clientCredentials>
                      <serviceCertificate>
             <defaultCertificate findValue="weblogic"  
                  storeLocation="LocalMachine" 
                  storeName="My" 
                  x509FindType="FindBySubjectName"/>
                      </serviceCertificate>
                    </clientCredentials>
                  </behavior>
                </endpointBehaviors>
              </behaviors>
            <bindings>
              <ws2007FederationHttpBinding>
                <binding name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp">
                  <security mode="TransportWithMessageCredential">
                    <message negotiateServiceCredential="false"
                             algorithmSuite="Basic128"
                         issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-
       
      profile-1.1#SAMLV1.1"
                         issuedKeyType="BearerKey">
                      <issuer address ="https://domain-name/adfs/services/trust/13/usernamemixed"
                              binding ="ws2007HttpBinding" 
       
      bindingConfiguration="ADFSUsernameMixed"/>
                    </message>
                  </security>
                </binding>
              </ws2007FederationHttpBinding>
              <ws2007HttpBinding>
                <binding name="ADFSUsernameMixed">
                  <security mode="TransportWithMessageCredential">
                    <message clientCredentialType="UserName" establishSecurityContext="false" />
                  </security>
                </binding>
              </ws2007HttpBinding>
            </bindings>
              <client>
                <endpoint 
       
      address="https://adc2170989:8002/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL/JaxWsWss11Sam
       
       
      lOrUsernameOrSamlBearerOverSSLService"
                    binding="ws2007FederationHttpBinding" 
       
      bindingConfiguration="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp"
                    contract="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL" 
       
       
      name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLPort">
                  <identity>
                    <dns value="weblogic" />
                  </identity>
                </endpoint>
            </client>
          </system.serviceModel>
      </configuration>
      
    3. Edit the program.cs file to make the service call.

      If not already present, create a .cs file in the project and name it program.cs (or any name of your choice.) Edit it to match the following:

      using System;
      using System.Collections.Generic;
      using System.Linq;
      using System.Text;
      using System.ServiceModel;
       
      namespace Client
      {
          class Program
          {
              static void Main(string[] args)
              {
                  JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient client = 
                     New JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient();
       
                  client.ClientCredentials.UserName.UserName = "joe";
                  client.ClientCredentials.UserName.Password = "eoj";
       
                                  
       
       
      System.Net.ServicePointManager.ServerCertificateValidationCallback =
                     ((sender, certificate, chain, sslPolicyErrors) => true);
                  
       
                  Console.WriteLine(client.echo("Hello"));
                  Console.Read();
              }
       
          }
      }
      

      In this sample program.cs file:

      • joe is the username and eoj is the password used by the client to authenticate to the STS.

      • System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true); has been added to validate the server side self-signed certificate. This is not required if the server certificate is issued by a trusted CA. If using a self-signed certificate for testing, add this method to validate the certificate on the client side.