5 Interoperability with Microsoft WCF/.NET 3.5 Security Environments

This chapter contains the following sections:

Overview of Interoperability with Microsoft WCF/.NET 3.5 Security Environments
Message Transmission Optimization Mechanism (MTOM)
Username Token With Message Protection (WS-Security 1.1)
Username Token Over SSL

Overview of Interoperability with Microsoft WCF/.NET 3.5 Security Environments

In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the Web service security policies created using Oracle WSM 11g can interoperate with Web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.

For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx.

For more details about the predefined Oracle WSM 11g policies, see the following topics in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

"Attaching Policies to Web Services"
"Configuring Policies"
"Predefined Policies"

Table 5-1 summarizes the most common Microsoft .NET 3.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.

Table 5-1 Interoperability With Microsoft WCF/.NET 3.5 Security Environments

Interoperability Scenario	Client—>Web Service	Oracle WSM 11g Policies	Microsoft WCF/.NET 3.5 Policies
MTOM	Microsoft WCF/.NET 3.5—>Oracle WSM 11g	oracle/wsmtom_service_policy	See Table 5-2
MTOM	Oracle WSM 11g—>Microsoft WCF/.NET 3.5	oracle/wsmtom_client_policy	See Table 5-3
Username Token with Message Protection (WS-Security 1.1)	Microsoft WCF/.NET 3.5—>Oracle WSM 11g	oracle/wss11_username_token_with_message_protection_service_policy OR oracle/wss11_saml_or_username_token_with_message_protection_service_policy	See Table 5-4
Username Token with Message Protection (WS-Security 1.1)	Oracle WSM 11g—>Microsoft WCF/.NET 3.5	oracle/wss11_username_token_with_message_protection_client_policy	See Table 5-5
Username Token Over SSL	Microsoft WCF/.NET 3.5—>Oracle WSM 11g	oracle/wss_saml_or_username_token_over_ssl_service_policy or oracle/wss_username_token_over_ssl_service_policy	See Table 5-6

Message Transmission Optimization Mechanism (MTOM)

The following sections describe how to implement MTOM, describing the following interoperability scenarios:

"Message Transmission Optimization Mechanism (MTOM)—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service"
"Message Transmission Optimization Mechanism (MTOM)—Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service"

Message Transmission Optimization Mechanism (MTOM)—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Perform the steps described in the following sections.

Table 5-2 MTOM—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Web Service/Client	Steps
Web Service—Oracle WSM 11g	Perform the following steps: Attach the following policy to the Web service: oracle/wsmotom_service_policy. For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. Deploy the application.
Client—Microsoft WCF/.NET 3.5	Perform the following steps: Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service. See "Example app.config File for MTOM Interoperability". Run the client program.

Web Service/Client

Steps

Web Service—Oracle WSM 11g

Perform the following steps:

Attach the following policy to the Web service: oracle/wsmotom_service_policy.

For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Deploy the application.

Client—Microsoft WCF/.NET 3.5

Perform the following steps:

Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service. See "Example app.config File for MTOM Interoperability".
Run the client program.

Example app.config File for MTOM Interoperability

The following provides an example of the app.config file:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>    
        <bindings>
            <customBinding>
                <binding name="CustomBinding_IMTOMService">                
                    <mtomMessageEncoding maxReadPoolSize="64"
                     maxWritePoolSize="16"
                        messageVersion="Soap12" maxBufferSize="65536"
                        writeEncoding="utf-8">
                        <readerQuotas maxDepth="32" maxStringContentLength=
                         "8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    </mtomMessageEncoding>
                    <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                        maxReceivedMessageSize="65536" allowCookies="false"
                           authenticationScheme="Anonymous"
                        bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                        keepAliveEnabled="true" maxBufferSize="65536"
                           proxyAuthenticationScheme="Anonymous"
                        realm="" transferMode="Buffered" 
                           unsafeConnectionNtlmAuthentication="false"
                        useDefaultWebProxy="true" />
                </binding>
            </customBinding>
        </bindings>
        <client>
          <endpoint address="<endpoint_url>"
              binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService"
              contract="IMTOMService" name="CustomBinding_IMTOMService" >
          </endpoint>         
        </client>          
    </system.serviceModel>
</configuration>

Message Transmission Optimization Mechanism (MTOM)—Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service

Perform the steps described in the following table.

Table 5-3 MTOM—Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service

Web Service/Client Steps

Web Service/Client	Steps
WebService—Microsoft WCF/.NET 3.5 Web Service	Perform the following steps: Create a .NET Web service that employs MTOM. For more information, see "How to: Define a Windows Communication Foundation Service Contract" at `http://msdn.microsoft.com/en-us/library/ms731835.aspx`. For an example of a .NET Web service, see "Example of .NET Web Service for MTOM Interoperability". Deploy the application.
Client—Oracle WSM 11g Client	Perform the following steps: Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite. Attach the following policy to the Web service client: oracle/wsmtom_client_policy. For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

WebService—Microsoft WCF/.NET 3.5 Web Service

Perform the following steps:

Create a .NET Web service that employs MTOM.

For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

For an example of a .NET Web service, see "Example of .NET Web Service for MTOM Interoperability".
Deploy the application.

Client—Oracle WSM 11g Client

Perform the following steps:

Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
Attach the following policy to the Web service client: oracle/wsmtom_client_policy.

For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Example of .NET Web Service for MTOM Interoperability

The following provides an example of the .NET Web service for MTOM interoperability.

static void Main(string[] args)
{
    string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";
    // Step 1 of the address configuration procedure: Create a URI to serve as the base address.
    Uri baseAddress = new Uri(uri);

    // Step 2 of the hosting procedure: Create ServiceHost
    ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);
 
    try {
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 2147483647;               
        hb.MaxReceivedMessageSize = 2147483647;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 2147483647;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
        me.MaxReadPoolSize=64;
        me.MaxWritePoolSize=16;
        me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12;
        me.WriteEncoding = System.Text.Encoding.UTF8;
        me.MaxWritePoolSize = 2147483647;
        me.MaxBufferSize = 2147483647;
        me.ReaderQuotas.MaxArrayLength = 2147483647;
        CustomBinding binding1 = new CustomBinding();
        binding1.Elements.Add(me);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1, 
               "MTOMService");
        EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));               
        ep.Address = myEndpointAdd;

        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        using (ServiceHost host = new ServiceHost(typeof(MTOMService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = 
                 selfHost.Description;
            ServiceDebugBehavior svcDebug = 
                  svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The service " + uri + " is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        // Close the ServiceHostBase to shutdown the service.
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
        Console.WriteLine("An exception occurred: {0}", ce.Message);
        selfHost.Abort();
    }
}

Username Token With Message Protection (WS-Security 1.1)

The following sections describe how to implement username token with message protection that conforms to WS-Security 1.1, describing the following interoperability scenarios:

"Username Token With Message Protection (WS-Security 1.1)—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service"
"Username Token With Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service"

Username Token With Message Protection (WS-Security 1.1)—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Perform the steps described in the following sections.

Table 5-4 Username Token With Message Protection (WS-Security 1.1)—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service/Client	Steps
Web Service—Oracle WSM 11g	Perform the following steps: Attach one of the following policies to the Web service: oracle/wss11_username_token_with_message_protection_service_policy oracle/wss11_saml_or_username_token_with_message_protection_service_policy For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command: keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
Client—Microsoft WCF/.NET 3.5	Perform the following steps: Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at `http://msdn.microsoft.com/en-us/library/ms788967.aspx`. a. Open a command prompt. b. Type mmc and press ENTER. Note that to view certificates in the local machine store, you must be in the Administrator role. c. Select File > Add/Remove snap-in. d. Select Add and Choose Certificates. e. Select Add. f. Select My user account and finish. g. Click OK. h. Expand Console Root > Certificates -Current user > Personal > Certificates. i. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard. j. Click Next, select Browse, and navigate to the .cer file that was exported previously. Click Next and accept defaults and finish the wizard. Generate a .NET client using the WSDL of the Web service. For more information, see "How to: Create a Windows Communication Foundation Client" at `http://msdn.microsoft.com/en-us/library/ms733133.aspx`. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serilaization.dll. Edit the app.config file in the .NET project to update the certificate file and disable replays, as described in "Edit the app.config File". Compile the project. Open a command prompt and cd to the project's Debug folder. Enter <client_project_name>.exe and press Enter.

Web Service—Oracle WSM 11g

Perform the following steps:

Attach one of the following policies to the Web service:

oracle/wss11_username_token_with_message_protection_service_policy

oracle/wss11_saml_or_username_token_with_message_protection_service_policy

For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:
```
keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
```

Client—Microsoft WCF/.NET 3.5

Perform the following steps:

Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

a. Open a command prompt.

b. Type mmc and press ENTER.

Note that to view certificates in the local machine store, you must be in the Administrator role.

c. Select File > Add/Remove snap-in.

d. Select Add and Choose Certificates.

e. Select Add.

f. Select My user account and finish.

g. Click OK.

h. Expand Console Root > Certificates -Current user > Personal > Certificates.

i. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.

j. Click Next, select Browse, and navigate to the .cer file that was exported previously.

Click Next and accept defaults and finish the wizard.
Generate a .NET client using the WSDL of the Web service.

For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serilaization.dll.
Edit the app.config file in the .NET project to update the certificate file and disable replays, as described in "Edit the app.config File".
Compile the project.
Open a command prompt and cd to the project's Debug folder.
Enter <client_project_name>.exe and press Enter.

Edit the app.config File

Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold). If you follow the default key setup, then <certificate_cn> should be set to alice.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
         <behavior name="secureBehaviour">
           <clientCredentials>
             <serviceCertificate>
               <defaultCertificate findValue="<certificate_cn>" 
                storeLocation="CurrentUser" storeName="My" 
                x509FindType="FindBySubjectName"/>
             </serviceCertificate>
           </clientCredentials>
         </behavior>
      </endpointBehaviors>
    </behaviors>
  <bindings>
    <customBinding>
      <binding name="HelloWorldSoapHttp">
      <security defaultAlgorithmSuite="Basic128"  
       authenticationMode="UserNameForCertificate" 
       requireDerivedKeys="false" securityHeaderLayout="Lax" 
       includeTimestamp="true"
       keyEntropyMode="CombinedEntropy" 
       messageProtectionOrder="SignBeforeEncrypt"
       messageSecurityVersion=
"WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
       requireSignatureConfirmation="true">
     <localClientSettings 
       cacheCookies="true" 
       detectReplays="false"
       replayCacheSize="900000" 
       maxClockSkew="00:05:00" 
       maxCookieCachingTime="Infinite"
       replayWindow="00:05:00" 
       sessionKeyRenewalInterval="10:00:00"
       sessionKeyRolloverInterval="00:05:00" 
       reconnectTransportOnFailure="true"
       timestampValidityDuration="00:05:00" 
       cookieRenewalThresholdPercentage="60" />
     <localServiceSettings detectReplays="true" 
       issuedCookieLifetime="10:00:00"
       maxStatefulNegotiations="128" 
       replayCacheSize="900000" 
       maxClockSkew="00:05:00" 
       negotiationTimeout="00:01:00" 
       replayWindow="00:05:00" 
       inactivityTimeout="00:02:00"
       sessionKeyRenewalInterval="15:00:00" 
       sessionKeyRolloverInterval="00:05:00"
       reconnectTransportOnFailure="true" 
       maxPendingSessions="128"
       maxCachedCookies="1000" 
       timestampValidityDuration="00:05:00" />
     <secureConversationBootstrap /></security>
     <textMessageEncoding 
      maxReadPoolSize="64" 
      maxWritePoolSize="16"
      messageVersion="Soap11" 
      writeEncoding="utf-8">
        <readerQuotas 
         maxDepth="32" 
         maxStringContentLength="8192" 
         maxArrayLength="16384"
         maxBytesPerRead="4096" 
         maxNameTableCharCount="16384" />
     </textMessageEncoding>
     <HttpTransport 
      manualAddressing="false" 
      maxBufferPoolSize="524288"
      maxReceivedMessageSize="65536" 
      allowCookies="false" 
      authenticationScheme="Anonymous"
      bypassProxyOnLocal="false" 
      hostNameComparisonMode="StrongWildcard"
      keepAliveEnabled="true" 
      maxBufferSize="65536" 
      proxyAuthenticationScheme="Anonymous"
      realm="" 
      transferMode="Buffered" 
      unsafeConnectionNtlmAuthentication="false"
      useDefaultWebProxy="true" />
      </binding>
    </customBinding>
  </bindings>
    <client>
      <endpoint address="<endpoint_url>"
       binding="customBinding"
       bindingConfiguration="HelloWorldSoapHttp"
       contract="HelloWorld" 
       name="HelloWorldPort" 
       behaviorConfiguration="secureBehaviour" >
        <identity>
          <dns value="<certificate_cn>"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

Username Token With Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service

Perform the steps described in the following table.

Table 5-5 Username Token With Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service

Web Service/Client Steps

Web Service/Client	Steps
WebService—Microsoft WCF/.NET 3.5 Web Service	Perform the following steps: Create a .NET service. For more information, see "How to: Define a Windows Communication Foundation Service Contract" at `http://msdn.microsoft.com/en-us/library/ms731835.aspx`. Be sure to create a custom binding for the Web service using the SymmetricSecurityBindingElement. For an example, see "Example .NET Web Service Client". Create and import a certificate file to the keystore on the Web service server. Using VisualStudio, the command would be similar to the following: makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer This command creates and imports a certificate in mmc. NOTE: If this command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at `http://www.microsoft.com/whdc/devtools/WDK/default.mspx`. makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1 Then, in mmc, import PRF_WSMCert3.pfx. Import the certificate created on the Web service server to the client server using the keytool command. For example: keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore> Right-click on the Web service Solution project under the Solutions Explorer and click Open Folder In Windows Explorer. Navigate to the bin/Debug folder. Double-click on the <project>.exe file. This command will run the Web service at the URL provided.
Client—Oracle WSM 11g Client	Perform the following steps: Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite. In JDeveloper, create a partner link using the WSDL of the .NET service. Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy. For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. Provide configurations for the csf-key and keystore.recipient.alias. You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1 (wsmcert3). For example: <wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy" orawsp:category="security" orawsp:status="enabled"/> <property name="csf-key" type="xs:string" many="false">basic.credentials</property> <property name="keystore.recipient.alias" type="xs:string" many="false">wsmcert3</property>

WebService—Microsoft WCF/.NET 3.5 Web Service

Perform the following steps:

Create a .NET service.

For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

Be sure to create a custom binding for the Web service using the SymmetricSecurityBindingElement. For an example, see "Example .NET Web Service Client".
Create and import a certificate file to the keystore on the Web service server.

Using VisualStudio, the command would be similar to the following:
```
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer
```
This command creates and imports a certificate in mmc.

NOTE: If this command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at http://www.microsoft.com/whdc/devtools/WDK/default.mspx.
```
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer
pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1
```
Then, in mmc, import PRF_WSMCert3.pfx.
Import the certificate created on the Web service server to the client server using the keytool command. For example:
```
keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>
```
Right-click on the Web service Solution project under the Solutions Explorer and click Open Folder In Windows Explorer.
Navigate to the bin/Debug folder.
Double-click on the <project>.exe file. This command will run the Web service at the URL provided.

Client—Oracle WSM 11g Client

Perform the following steps:

Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
In JDeveloper, create a partner link using the WSDL of the .NET service.
Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.

For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Provide configurations for the csf-key and keystore.recipient.alias.

You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Attaching Clients Permitting Overrides" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1 (wsmcert3). For example:
```
<wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy"
    orawsp:category="security" orawsp:status="enabled"/>
  <property name="csf-key" type="xs:string" 
    many="false">basic.credentials</property>
  <property name="keystore.recipient.alias" type="xs:string" 
    many="false">wsmcert3</property>
```

Example .NET Web Service Client

static void Main(string[] args)
{
    // Step 1 of the address configuration procedure: Create a URI to serve as the 
    // base address.        
    // Step 2 of the hosting procedure: Create ServiceHost
    string uri = "http://<host>:<port>/TEST/NetService";
    Uri baseAddress = new Uri(uri);
 
    ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
 
    try
    {
        SymmetricSecurityBindingElement sm = 
            SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
        sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
        sm.SetKeyDerivation(false);
        sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        sm.IncludeTimestamp = true;
        sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
        sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        sm.MessageSecurityVersion = 
MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        sm.RequireSignatureConfirmation = true;
        sm.LocalClientSettings.CacheCookies = true;
        sm.LocalClientSettings.DetectReplays = true;
        sm.LocalClientSettings.ReplayCacheSize = 900000;
        sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
        sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
        sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.ReconnectTransportOnFailure = true;
        sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
        sm.LocalServiceSettings.DetectReplays = false;
        sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
        sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
        sm.LocalServiceSettings.ReplayCacheSize = 900000;
        sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
        sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
        sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
        sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
        sm.LocalServiceSettings.MaxPendingSessions = 128;
        sm.LocalServiceSettings.MaxCachedCookies = 1000;
        sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 524288;
        hb.MaxReceivedMessageSize = 65536;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 65536;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
        tb1.MaxReadPoolSize = 64;
        tb1.MaxWritePoolSize = 16;
        tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
        tb1.WriteEncoding = System.Text.Encoding.UTF8;
        CustomBinding binding1 = new CustomBinding(sm);
        binding1.Elements.Add(tb1);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
          "CalculatorService");
 
        EndpointAddress myEndpointAdd = new EndpointAddress(                    
        new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));
        ep.Address = myEndpointAdd;
 
        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, 
           StoreName.My,
        X509FindType.FindBySubjectName, "WSMCert3");
        selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        CustomUserNameValidator cu = new CustomUserNameValidator();
        selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
        using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
            ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The Calculator service is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
         Console.WriteLine("An exception occurred: {0}", ce.Message);
         selfHost.Abort();
     }
}

Username Token Over SSL

The following sections describe how to implement username token over SSL, describing the following interoperability scenario:

"Username Token Over SSL—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service"

Username Token Over SSL—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Perform the steps described in the following sections.

Table 5-6 Username Token Over SSL—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service/Client	Steps
Web Service—Oracle WSM 11g	Perform the following steps: Configure the server for SSL. For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. Create a copy of one of the following policies: oracle/wss_username_token_over_ssl_service_policy oracle/wss_saml_or_username_token_over_ssl_service_policy NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with. Edit the policy settings, as follows: a. Disable the Creation Time Required configuration setting. b. Disable the Nonce Required configuration setting. c. Leave the default configuration set for all other configuration settings. For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. Attach the policy. For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Client—Microsoft WCF/.NET 3.5	Perform the following steps: Generate a .NET client using the WSDL of the Web service. For more information, see "How to: Create a Windows Communication Foundation Client" at `http://msdn.microsoft.com/en-us/library/ms733133.aspx`. In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serilaization.dll. Edit the app.config file, as described in "Edit the app.config File". Compile the project. Open a command prompt and cd to the project's Debug folder. Enter <client_project_name>.exe and press Enter.

Web Service—Oracle WSM 11g

Perform the following steps:

Configure the server for SSL.

For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a copy of one of the following policies:

oracle/wss_username_token_over_ssl_service_policy

oracle/wss_saml_or_username_token_over_ssl_service_policy

NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

Edit the policy settings, as follows:

a. Disable the Creation Time Required configuration setting.

b. Disable the Nonce Required configuration setting.

c. Leave the default configuration set for all other configuration settings.

For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Attach the policy.

For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Client—Microsoft WCF/.NET 3.5

Perform the following steps:

Generate a .NET client using the WSDL of the Web service.

For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serilaization.dll.
Edit the app.config file, as described in "Edit the app.config File".
Compile the project.
Open a command prompt and cd to the project's Debug folder.
Enter <client_project_name>.exe and press Enter.

Edit the app.config File

Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>
        <bindings>
            <customBinding>
                <binding name="BPELProcess1Binding">
                  <security defaultAlgorithmSuite="Basic128" 
                   authenticationMode="UserNameOverTransport"
                   requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                   keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="true">
                    <localClientSettings cacheCookies="true" detectReplays="true"
                      replayCacheSize="900000" maxClockSkew="00:05:00" 
                      maxCookieCachingTime="Infinite"
                      replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                      sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                      timestampValidityDuration="00:05:00" 
                      cookieRenewalThresholdPercentage="60"/>
                    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" 
                        maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" 
                        inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" 
                        sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                    <secureConversationBootstrap />
                  </security>
                  <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                        messageVersion="Soap11" writeEncoding="utf-8">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" 
                         maxArrayLength="16384"
                         maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                  </textMessageEncoding>
                  <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                       maxReceivedMessageSize="65536" allowCookies="false" 
                       authenticationScheme="Anonymous"
                       bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                       keepAliveEnabled="true" maxBufferSize="65536" 
                       proxyAuthenticationScheme="Anonymous"
                       realm="" transferMode="Buffered" 
                       unsafeConnectionNtlmAuthentication="false"
                       useDefaultWebProxy="true"  requireClientCertificate="false"/>
                </binding>
            </customBinding>
        </bindings>
        <client>
            <endpoint address="
 https://host:port/soa-infra/services/default/IO_NET6/bpelprocess1_client_ep"
 binding="customBinding" bindingConfiguration="BPELProcess1Binding"
 contract="BPELProcess1" name="BPELProcess1_pt" />
        </client>
  </system.serviceModel>
</configuration>