1. Interoperability Solutions Guide for Oracle Web Services Manager
  2. Interoperability with Microsoft WCF/.NET 4.5 Security Environments

6 Interoperability with Microsoft WCF/.NET 4.5 Security Environments

Oracle Web Services Manager (OWSM) is interoperable with Microsoft WCF/.NET 4.5 security environments. Policies that conform to the WS-Security 1.1 standard are attached to web services, to achieve the interoperability between OWSM and Microsoft WCF/.NET 4.5 security environments.

This chapter includes the following sections:

6.1 Understanding the Interoperability of Microsoft WCF/.NET 4.5 Security Environments

Oracle has performed interoperability testing to ensure that the web service security policies created using OWSM 12c can interoperate with web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 4.5 Framework and vice versa.

For more information about the Microsoft .NET 4.5 (and earlier) Framework, see ".NET Development" at http://msdn.microsoft.com/en-us/library/ff361664%28v=vs.110%29.aspx.

OWSM predefined policies and interoperability scenarios are described in the following sections:

6.1.1 OWSM Predefined Policies for Microsoft WCF/.NET 4.5 Security Environment

Review this topic for more information on OWSM predefined policies for Microsoft WCF/.NET 4.5 security environment.

For more information about:

Note:

In most cases, you can attach OWSM policies in source code, before deploying an application, or you can attach policies post deployment, using WLST or Fusion Middleware Control. To simplify the instructions in this chapter, it is assumed that you are attaching policies post deployment. If a situation requires that you attach a policy before deploying, it is described that way in the instructions.

Note:

Some of the procedures described in this chapter instruct you to use the Microsoft ServiceModel Metadata Utility Tool (SvcUtil.exe) to create a client proxy and configuration file from the deployed web service. However, SvcUtil.exe does not work with certain security policy assertions used with OWSM. As a workaround when generating a WCF proxy for a web service protected by an OWSM policy, do the following:

  • Detach the policy.

  • Generate the proxy using SvcUtil.exe.

  • Re-attach the policy.

For more information about SvcUtil.exe, see http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.110%29.aspx.

6.1.2 Interoperability Scenarios for Microsoft WCF/.NET 4.5

You can review the different scenarios for interoperability between OWSM 12c and Microsoft WCF/.NET 4.5.

The most common Microsoft .NET 4.5 interoperability scenarios are based on the following security requirements: authentication, message protection, and transport.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.

The following table describes the OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy interoperability scenarios:

Table 6-1 OWSM 12c Service Policy and Microsoft WCF/.NET 4.5 Client Policy Interoperability

Identity Token WS-Security Version Message Protection Transport Security Service Policy Client Policy

MTOM

NA

NA

NA

oracle/wsmtom_policy

"Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client (Message Transmission Optimization Mechanism)"

Username or SAML

1.1

Yes

No

oracle/wss11_username_token_with_message_protection_service_policy

OR

oracle/wss11_saml_or_username_token_with_message_protection_service_policy

"Configuring Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)"

Username

1.0 and 1.1

No

Yes

oracle/wss_saml_or_username_token_over_ssl_service_policy

OR

oracle/wss_username_token_over_ssl_service_policy

"Configuring Microsoft WCF/.NET 4.5 Client (Username Token over SSL)"

Mutual Authentication

1.1

Yes

No

oracle/wss11_x509_token_with_message_protection_service_policy

"Configuring Microsoft WCF/.NET 4.5 Client (Mutual Authentication with Message Protection)"

Kerberos

1.1

Yes

No

oracle/wss11_kerberos_token_with_message_protection_service_policy

"Configuring Microsoft WCF/.NET 4.5 Client (Kerberos with Message Protection)"

SAML Bearer

1.0

No

Yes

oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

OR

oracle/wss_saml_token_bearer_over_ssl_service_policy

"Securing WCF/.NET 4.5 Client with ADFS 2.0"

The following table describes the Microsoft WCF/.NET 4.5 service policy and OWSM 12c client policy interoperability scenarios:

Table 6-2 Microsoft WCF/.NET 4.5 Service Policy and OWSM 12c Client Policy Interoperability

Identity Token WS-Security Version Message Protection Transport Security Service Policy Client Policy

MTOM

NA

NA

NA

"Configuring Microsoft WCF/.NET 4.5 Web Service (MTOM)"

oracle/wsmtom_policy

Username

1.1

Yes

No

"Configuring Microsoft WCF/.NET 4.5 Web Service (Username Token with Message Protection)"

oracle/wss11_username_token_with_message_protection_client_policy

Username Token Over SSL

1.0

No

Yes

"Configuring Microsoft WCF/.NET 4.5 Web Service (Username Token over SSL)"

oracle/wss_username_token_over_ssl_client_policy

Mutual Authentication

1.1

Yes

No

"Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client (Mutual Authentication With Message Protection)"

oracle/wss11_x509_token_with_message_protection_client_policy

6.2 Implementing a Message Transmission Optimization Mechanism for Microsoft WCF/.NET 4.5 Client

You can implement the Message Transmission Optimization Mechanism (MTOM) to achieve the interoperability between OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy and the interoperability between Microsoft WCF/.NET 4.5 service policy and OWSM 12c client policy.

The following topics describe how to implement MTOM in different interoperability scenarios:

6.2.1 Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client (Message Transmission Optimization Mechanism)

You can implement Message Transmission Optimization Mechanism (MTOM) using an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client.

To configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client:

  1. Create and deploy a web service application.

    For more information, see "Deploying Web Service Applications" in Administering Web Services.

  2. Attach the following policy to the web service: oracle/wsmtom_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. To configure the Microsoft WCF/.NET 4.5 client, use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.

    See the following app.config file for MTOM interoperability sample: 

    <?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>    
        <bindings>
            <customBinding>
                <binding name="CustomBinding_IMTOMService">                
                    <mtomMessageEncoding maxReadPoolSize="64"
                     maxWritePoolSize="16"
                        messageVersion="Soap12" maxBufferSize="65536"
                        writeEncoding="utf-8">
                        <readerQuotas maxDepth="32" maxStringContentLength=
                         "8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    </mtomMessageEncoding>
                    <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                        maxReceivedMessageSize="65536" allowCookies="false"
                           authenticationScheme="Anonymous"
                        bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                        keepAliveEnabled="true" maxBufferSize="65536"
                           proxyAuthenticationScheme="Anonymous"
                        realm="" transferMode="Buffered" 
                           unsafeConnectionNtlmAuthentication="false"
                        useDefaultWebProxy="true" />
                </binding>
            </customBinding>
        </bindings>
        <client>
          <endpoint address="<endpoint_url>"
              binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService"
              contract="IMTOMService" name="CustomBinding_IMTOMService" >
          </endpoint>         
        </client>          
    </system.serviceModel>
</configuration>

    For more information, see "ServiceModel Metadata Utility Tool (Svcutil.exe)" at http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.110%29.aspx.

  4. Run the client program.

6.2.2 Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client (Message Transmission Optimization Mechanism)

You can implement Message Transmission Optimization Mechanism (MTOM) using Microsoft WCF/.NET 4.5 web service and an OWSM 12c client.

The following topics describe how to configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client to implement Message Transmission Optimization Mechanism:

6.2.2.1 Configuring Microsoft WCF/.NET 4.5 Web Service (MTOM)

You can configure a Microsoft WCF/.NET 4.5 web service to implement message transmission optimization mechanism for interoperability with an OWSM 12c client.

To configure the Microsoft WCF/.NET 4.5 web service:

  1. Create a .NET web service.

    For an example, see the following .NET web service for MTOM interoperability sample: 

    static void Main(string[] args)
{
    string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";
    // Step 1 of the address configuration procedure: Create a URI to serve as the base address.
    Uri baseAddress = new Uri(uri);

    // Step 2 of the hosting procedure: Create ServiceHost
    ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);
 
    try {
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 2147483647;               
        hb.MaxReceivedMessageSize = 2147483647;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 2147483647;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
        me.MaxReadPoolSize=64;
        me.MaxWritePoolSize=16;
        me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12;
        me.WriteEncoding = System.Text.Encoding.UTF8;
        me.MaxWritePoolSize = 2147483647;
        me.MaxBufferSize = 2147483647;
        me.ReaderQuotas.MaxArrayLength = 2147483647;
        CustomBinding binding1 = new CustomBinding();
        binding1.Elements.Add(me);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1, 
               "MTOMService");
        EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));               
        ep.Address = myEndpointAdd;

        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        using (ServiceHost host = new ServiceHost(typeof(MTOMService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = 
                 selfHost.Description;
            ServiceDebugBehavior svcDebug = 
                  svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The service " + uri + " is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        // Close the ServiceHostBase to shutdown the service.
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
        Console.WriteLine("An exception occurred: {0}", ce.Message);
        selfHost.Abort();
    }
}

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

  2. Deploy the application.

6.2.2.2 Configuring OWSM 12c Client for Microsoft WCF/.NET 4.5 Web Service (Message Transmission Optimization Mechanism)

You can configure an OWSM 12c client to implement message transmission optimization mechanism for interoperability with a Microsoft WCF/.NET 4.5 web service.

To configure an OWSM 12c client:

  1. Using JDeveloper, create a SOA composite that consumes the .NET web service.

    For more information, see Developer's Guide for SOA Suite.

  2. Attach the following policy to the web service client: oracle/wsmtom_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

6.3 Implementing a Username Token with Message Protection (WS-Security 1.1) for Microsoft WCF/.NET 4.5 Client

The Username Token with Message Protection policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy and the interoperability between Microsoft WCF/.NET 4.5 service policy and OWSM 12c client policy.

The following topics describe how to implement username token with message protection in different interoperability scenarios:

6.3.1 Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)

You can implement username token with message protection that conforms to the WS-Security 1.1 standard using OWSM 12c web service and a Microsoft WCF/.NET 4.5 client.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement username token with message protection, both with and without secure conversation enabled:

6.3.1.1 Configuring OWSM 12c Web Service for Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)

You can configure an OWSM 12c web service to implement username token with message protection for interoperability with a Microsoft WCF/.NET 4.5 client.

To configure the OWSM 12c web service:

  1. Create a SOAP 1.2 compliant web service application.

  2. Select the policy to use based on whether or not you want to enable secure conversation:

    1. If you do not want to enable secure conversation, clone either of the following policies:

      oracle/wss11_saml_or_username_token_with_message_protection_service_policy

      oracle/wss11_username_token_with_message_protection_service_policy

      Note:

      In the case of secure conversation not enabled, you will have to set the establishSecurityContext property to false for the client, as described in "Configuring Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)".

    2. To enable secure conversation, clone the following policy:

      oracle/wss11_username_token_with_message_protection_wssc_service_policy

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Edit the policy configuration settings of the cloned policy from step 2, above, as follows:

    1. Enable the X509 Token Derived Keys configuration setting.

    2. Enable the Encrypt Signature configuration setting.

    3. Disable the Confirm Signature configuration setting.

    4. Leave the default configuration set for all other configuration settings.

    Attach the policy to the web service. For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  4. Also attach the following policy:

    oracle/wsaddr_policy

  5. Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command: 

    keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks

    For more information, see "keytool - Key and Certificate Management Tool" at http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

6.3.1.2 Configuring Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)

You can configure a Microsoft WCF/.NET 4.5 client to implement username token with message protection for interoperability with an OWSM 12c web service.

To configure the Microsoft WCF/.NET 4.5 client:

  1. Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc), as follows:

    1. Open a command prompt.

    2. Type mmc and press Enter.

    3. Select File > Add/Remove snap-in.

    4. Select Add and Choose Certificates.

      Note:

      To view certificates in the local machine store, you must be in the Administrator role.

    5. Select Add.

    6. Select My user account and finish.

    7. Click OK.

    8. Expand Console Root > Certificates -Current user > Personal > Certificates.

    9. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.

    10. Click Next, select Browse, and navigate to the .cer file that was exported previously.

    11. Click Next and accept defaults and finish the wizard.

    For more information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

  2. Generate a .NET client using the WSDL of the web service.

    Note:

    You may have to set WS-Addressing action headers to prevent the client from sending implicit wsa:Action headers, as described in "Implicitly Associating WS-Addressing Action Properties" in Developing JAX-WS Web Services for Oracle WebLogic Server.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133(v=vs.110).aspx

  3. Edit the app.config file in the .NET project to update the certificate file and disable replays, as shown in the following sample (Changes are identified in bold). If you follow the default key setup, then <certificate_cn> should be set to alice. 

    <?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
         <behavior name="secureBehaviour">
           <clientCredentials>
             <serviceCertificate>
               <defaultCertificate findValue="<certificate_cn>" 
                storeLocation="CurrentUser" storeName="My" 
                x509FindType="FindBySubjectName"/>
             </serviceCertificate>
           </clientCredentials>
         </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <ws2007HttpBinding>
        <binding name="Wss11UsernameTokenWithMessageProtectionWSSCServicePortBinding" >
          <security mode="Message">
            <message clientCredentialType="UserName"
                negotiateServiceCredential="false" 
                algorithmSuite="Basic128"
                establishSecurityContext="true" />
                <!-- extablishSecurityContext is true by default and therefore does not 
                have to be specified to enable secure conversation.
                Set establishSecurityContext to false if secure conversation is not enabled -->
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>
  <client>
    <endpoint address="http://10.244.167.70:7003/OWSMTestApp-Project1-context-root/ws11_username_token_with_message_protection_wsscPort?wsdl" 
        behaviorConfiguration="PMCert"
        binding="ws2007HttpBinding" 
        bindingConfiguration="Wss11UsernameTokenWithMessageProtectionWSSCServicePortBinding"   
        contract="ServiceReference1.ws11_username_token_with_message_protection_wssc" 
        name="ws11_username_token_with_message_protection_wsscPort">
      <identity>
        <dns value="orakey" />
      </identity>
    </endpoint>
  </client>
  </system.serviceModel>
</configuration>

  4. The establishSecurityContext property in the app.config file must be set according to whether you are enabling secure conversation.

    By default, establishSecurityContext is set to true, enabling secure conversation. If you are not enabling secure conversation, set establishSecurityContext to false.

    For example, see the sample (lines in bold italic).

  5. Compile the project.

  6. Open a command prompt and navigate to the project's Debug folder.

  7. Enter <client_project_name>.exe and press Enter.

6.3.2 Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client (Username Token with Message Protection)

You can implement username token with message protection that conforms to the WS-Security 1.1 standard using Microsoft WCF/.NET 4.5 web service and an OWSM 12c client.

The following topics describe how to configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client to implement username token with message protection:

6.3.2.1 Configuring Microsoft WCF/.NET 4.5 Web Service (Username Token with Message Protection)

You can configure a Microsoft WCF/.NET 4.5 web service to implement username token with message protection for interoperability with an OWSM 12c client.

To configure the Microsoft WCF/.NET 4.5 web service:

  1. Create a .NET web service.

    1. Create a custom binding for the web service using the SymmetricSecurityBindingElement, as shown in the following .NET web service sample. This example shows a web service without secure conversation enabled. 

      static void Main(string[] args)
{
    // Step 1 of the address configuration procedure: Create a URI to serve as the 
    // base address.        
    // Step 2 of the hosting procedure: Create ServiceHost
    string uri = "http://host:port/TEST/NetService";
    Uri baseAddress = new Uri(uri);
 
    ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
 
    try
    {
        SymmetricSecurityBindingElement sm = 
            SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
        sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
        sm.SetKeyDerivation(false);
        sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        sm.IncludeTimestamp = true;
        sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
        sm.MessageSecurityVersion = 
        MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
        WSSecurityPolicy11BasicSecurityProfile10;
        sm.LocalClientSettings.CacheCookies = true;
        sm.LocalClientSettings.DetectReplays = true;
        sm.LocalClientSettings.ReplayCacheSize = 900000;
        sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
        sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
        sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.ReconnectTransportOnFailure = true;
        sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
        sm.LocalServiceSettings.DetectReplays = false;
        sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
        sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
        sm.LocalServiceSettings.ReplayCacheSize = 900000;
        sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
        sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
        sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
        sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
        sm.LocalServiceSettings.MaxPendingSessions = 128;
        sm.LocalServiceSettings.MaxCachedCookies = 1000;
        sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 524288;
        hb.MaxReceivedMessageSize = 65536;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 65536;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
        tb1.MaxReadPoolSize = 64;
        tb1.MaxWritePoolSize = 16;
        tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
        tb1.WriteEncoding = System.Text.Encoding.UTF8;
        CustomBinding binding1 = new CustomBinding(sm);
        binding1.Elements.Add(tb1);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
          "CalculatorService");
 
        EndpointAddress myEndpointAdd = new EndpointAddress(                    
        new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));
        ep.Address = myEndpointAdd;
 
        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, 
           StoreName.My,
        X509FindType.FindBySubjectName, "WSMCert3");
        selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        CustomUserNameValidator cu = new CustomUserNameValidator();
        selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
        using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
            ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The Calculator service is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
         Console.WriteLine("An exception occurred: {0}", ce.Message);
         selfHost.Abort();
     }
}

    To enable secure conversation, make the following adjustments to the code in the example:

    1. Create another SymmetricSecurityBindingElement element based on the one created (sm), for example: 

      SymmetricSecurityBindingElement scsm = SymmetricSecurityBindingElement.createSecureConversationBindingELement(sm, false)

    2. Create a new custom binding:

      CustomBinding binding1 = new CustomBinding(scsm);

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

  2. Create and import a certificate file to the keystore on the web service server.

    Using Microsoft Visual Studio, the command would be similar to the following:

    makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer

    This command creates and imports a certificate in mmc. If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at http://www.microsoft.com/whdc/devtools/WDK/default.mspx. 

    makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer
pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi password

    Then, in mmc, import PRF_WSMCert3.pfx.

  3. Import the certificate created on the web service server to the client server using the keytool command. For example: 

    keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>

    For more information, see "keytool - Key and Certificate Management Tool" at http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

  4. Right-click on the web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer.

  5. Navigate to the bin/Debug folder.

  6. Double-click the <project>.exe file. This command runs the web service at the URL provided.

6.3.2.2 Configuring OWSM 12c Client for Microsoft WCF/.NET 4.5 Web Service (Username Token With Message Protection)

You can configure an OWSM 12c client to implement username token with message protection for interoperability with a Microsoft WCF/.NET 4.5 web service.

To configure the OWSM 12c client:

  1. Using JDeveloper, create a SOA composite that consumes the .NET web service.

    For more information, see Deploying SOA Composite Applications in Oracle JDeveloper in Developing SOA Applications with Oracle SOA Suite.

  2. In JDeveloper, create a partner link using the WSDL of the .NET service.

  3. Attach the following policy to the web service client: oracle/wss11_username_token_with_message_protection_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  4. Provide configurations for the csf-key and keystore.recipient.alias.

    You can specify this information when attaching the policy, by overriding the policy configuration. For more information.

    Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1 (wsmcert3). For example: 

    <wsp:PolicyReference 
      URI="oracle/wss11_username_token_with_message_protection_client_policy"
      orawsp:category="security" 
      orawsp:status="enabled"/>
   <property 
      name="csf-key" 
      type="xs:string" 
      many="false">
      basic.credentials
   </property>
   <property 
      name="keystore.recipient.alias" 
      type="xs:string" 
      many="false">
      wsmcert3
   </property>

    For more information, see "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

6.4 Implementing a Username Token Over SSL for Microsoft WCF/.NET 4.5 Client

The Username Token over SSL (with and without secure conversation enabled) policy conforms to the WS-Security 1.0 and 1.1 standards. This policy is implemented to achieve the interoperability between OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy and the interoperability between Microsoft WCF/.NET 4.5 service policy and OWSM 12c client policy.

The following topics describe how to implement username token over SSL in the following interoperability scenario:

6.4.1 Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client (Username Token Over SSL)

You can implement username token over SSL both with and without secure conversation enabled, using an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement username token over SSL:

6.4.1.1 Configuring OWSM 12c Web Service for Microsoft WCF/.NET 4.5 Client (Username Token over SSL)

You can configure an OWSM 12c web service to implement username token over SSL for interoperability with a Microsoft WCF/.NET 4.5 client.

To configure the OWSM 12c web service:

  1. Configure the server for SSL.

    For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Create an OWSM web service.

  3. Select the policy to use based on whether or not you want to enable secure conversation:

    If you do not want to enable secure conversation, attach any of the following policies:

    oracle/wss_username_token_over_ssl_service_policy

    oracle/wss_saml_or_username_token_over_ssl_service_policy

    oracle/wss11_saml_or_username_token_with_message_protection_service_policy

    Note:

    In the case of secure conversation not enabled, you will have to set the establishSecurityContext property to false for the client, as described in "Configuring Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)".

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager and "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  4. Specify that addressing is to be used, as follows:

    For an Oracle Infrastructure web service:

    Attach the following policy:

    oracle/wssaddr_policy

    For a Java EE web service:

    Only a subset of OWSM security policies are supported for Java EE web services and clients, so you cannot attach oracle/wssaddr_policy to a Java EE web service. Rather you must add addressing information using the @Addressing annotation in the source code for the service, as shown in the following example: 

    package oracle.wsm.qa.wls.service.soap12;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import javax.xml.ws.BindingType;
import javax.xml.ws.soap.Addressing;
import javax.xml.ws.soap.SOAPBinding;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicy;
@WebService
@BindingType(SOAPBinding.SOAP12HTTP_BINDING)
@Addressing(enabled=true)
public class wss_username_token_over_ssl {
  public wss_username_token_over_ssl() {
    super();
  }
  @WebMethod
  public String sayHello(@WebParam(name = "arg0") String name){
    return "hello "+ name;
  }
}

    For more information, see the following:

6.4.1.2 Configuring Microsoft WCF/.NET 4.5 Client (Username Token over SSL)

You can configure a Microsoft WCF/.NET 4.5 client to implement username token over SSL for interoperability with an OWSM 12c web service.

To configure the Microsoft WCF/.NET 4.5 client:

  1. Generate a .NET client using the WSDL of the web service.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133(v=vs.110).aspx.

  2. The establishSecurityContext property in the app.config file must be set according to whether you are enabling secure conversation.

    By default, establishSecurityContext is set to true, enabling secure conversation. If you are not enabling secure conversation, set establishSecurityContext to false.

    For example, see the following sample (lines in bold italic): 

    <configuration>
  <system.serviceModel>
    <bindings> 
      <ws2007HttpBinding> 
        <binding name="wss_username_over_ssl_client"> 
          <security mode="TransportWithMessageCredential"> 
            <transport clientCredentialType="None" /> 
            <message clientCredentialType="UserName" 
                negotiateServiceCredential="false" 
                establishSecurityContext="true" />
                <!-- extablishSecurityContext is true by default and therefore does not 
                have to be specified to enable secure conversation.
                Set establishSecurityContext to false if secure conversation is not enabled -->
          </security> 
        </binding> 
      </ws2007HttpBinding> 
    </bindings> 
    <client> 
      <endpoint address="https://10.244.167.70:7004/OWSMTestApp-Project1-context-root/wss_username_token_over_sslPort" 
          binding="ws2007HttpBinding" 
          bindingConfiguration="wss_username_over_ssl_client" 
          contract="ServiceReference1.wss_username_token_over_ssl" 
          name="wss_username_token_over_sslPort" /> 
    </client>
  </system.serviceModel>
</configuration>

  3. Compile the project.

  4. Open a command prompt and navigate to the project's Debug folder.

  5. Type <client_project_name>.exe and press Enter.

6.4.2 Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client (Username Token Over SSL)

You can implement username token over SSL using Microsoft WCF/.NET 4.5 web service and an OWSM 12c client.

The following topics describe how to configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client to implement username token over SSL:

6.4.2.1 Configuring Microsoft WCF/.NET 4.5 Web Service (Username Token Over SSL)

You can configure a Microsoft WCF/.NET 4.5 web service to implement username token over SSL for interoperability with an OWSM 12c client.

To configure the Microsoft WCF/.NET 4.5 web service:

  1. Configure the server for SSL.

    For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Create a .NET web service.

    1. Create a custom binding for the web service using the SecurityBindingElement, as shown in the following .NET web service example. This example shows a web service without secure conversation enabled. 

      static void Main(string[] args)
{
    // Step 1 of the address configuration procedure: Create a URI to serve as the 
    // base address.        
    // Step 2 of the hosting procedure: Create ServiceHost
    string uri = "http://host:port/TEST/NetService";
    Uri baseAddress = new Uri(uri);
 
    ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
 
    try
    {
        SecurityBindingElement sm =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
        sm.SetKeyDerivation(false);
        sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
        sm.IncludeTimestamp = true;
        sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
        sm.MessageSecurityVersion = 
        MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
        WSSecurityPolicy11BasicSecurityProfile10;
        sm.LocalClientSettings.CacheCookies = true;
        sm.LocalClientSettings.DetectReplays = true;
        sm.LocalClientSettings.ReplayCacheSize = 900000;
        sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
        sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
        sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.ReconnectTransportOnFailure = true;
        sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
        sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
        sm.LocalServiceSettings.DetectReplays = false;
        sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
        sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
        sm.LocalServiceSettings.ReplayCacheSize = 900000;
        sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
        sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
        sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
        sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
        sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
        sm.LocalServiceSettings.MaxPendingSessions = 128;
        sm.LocalServiceSettings.MaxCachedCookies = 1000;
        sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
        HttpTransportBindingElement hb = new HttpTransportBindingElement();
        hb.ManualAddressing = false;
        hb.MaxBufferPoolSize = 524288;
        hb.MaxReceivedMessageSize = 65536;
        hb.AllowCookies = false;
        hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.KeepAliveEnabled = true;
        hb.MaxBufferSize = 65536;
        hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
        hb.Realm = "";
        hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
        hb.UnsafeConnectionNtlmAuthentication = false;
        hb.UseDefaultWebProxy = true;
        TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
        tb1.MaxReadPoolSize = 64;
        tb1.MaxWritePoolSize = 16;
        tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
        tb1.WriteEncoding = System.Text.Encoding.UTF8;
        CustomBinding binding1 = new CustomBinding(sm);
        binding1.Elements.Add(tb1);
        binding1.Elements.Add(hb);
        ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
          "CalculatorService");
 
        EndpointAddress myEndpointAdd = new EndpointAddress(                    
        new Uri(uri),
        EndpointIdentity.CreateDnsIdentity("WSMCert3"));
        ep.Address = myEndpointAdd;
 
        // Step 4 of the hosting procedure: Enable metadata exchange.
        ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
        smb.HttpGetEnabled = true;
        selfHost.Description.Behaviors.Add(smb);
        selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, 
           StoreName.My,
        X509FindType.FindBySubjectName, "WSMCert3");
        selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        CustomUserNameValidator cu = new CustomUserNameValidator();
        selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
        using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
        {
            System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
            ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;
        }
 
        // Step 5 of the hosting procedure: Start (and then stop) the service.
        selfHost.Open();
        Console.WriteLine("The Calculator service is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        selfHost.Close();
    }
    catch (CommunicationException ce)
    {
         Console.WriteLine("An exception occurred: {0}", ce.Message);
         selfHost.Abort();
     }
}

    To enable secure conversation, make the following adjustments to the code in the example:

    1. Create another SecurityBindingElement element based on the one created (sm), for example: 

      SecurityBindingElement scsm = SecurityBindingElement.createSecureConversationBindingElement(sm)

    2. Create the custom binding with scsm: 

      CustomBinding binding1 = new CustomBinding(scsm);

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

6.4.2.2 Configuring OWSM 12c Client for Microsoft WCF/.NET 4.5 Client (Username Token over SSL)

You can configure an OWSM 12c client to implement username token over SSL for interoperability with a Microsoft WCF/.NET 4.5 web service.

To configure an OWSM 12c client:

  1. Generate an OWSM client using the WSDL of the web service.

    For more information, see Developer's Guide for SOA Suite.

  2. Attach the following policy to the client:

    oracle/wss_username_token_over_ssl_client_policy

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

6.5 Implementing a Mutual Authentication with Message Protection (WS-Security 1.1) for Microsoft WCF/.NET 4.5 Client

The Mutual Authentication with Message Protection policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy and the interoperability between Microsoft WCF/.NET 4.5 service policy and OWSM 12c client policy.

The following topics describe how to implement mutual authentication with message protection in different interoperability scenarios:

Before configuring the web service and client in either of the above scenarios, follow the instructions in Performing Configuration Prerequisites for Mutual Authentication with Message Protection.

6.5.1 Performing Configuration Prerequisites for Mutual Authentication with Message Protection

Before you implement mutual authentication with message protection that conforms to the WS-Security 1.1 standards for interoperability between OWSM 12c and Microsoft WCF/.NET 4.5, you must complete a number of high-level tasks.

To configure prerequisites for interoperability:

  1. Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:
    keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks

    For more information, see "keytool - Key and Certificate Management Tool" at http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

  2. Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). See step 1 in "Configuring Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)" for specific instructions.

    For more information, "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

6.5.2 Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client (Mutual Authentication with Message Protection)

You can implement mutual authentication with message protection that conform to the WS-Security 1.1 standards using an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement mutual authentication with message protection.

6.5.2.1 Configuring OWSM 12c Web Service for Microsoft WCF/.NET 4.5 Client (Mutual Authentication with Message Protection)

You can configure an OWSM 12c web service to implement mutual authentication with message protection for interoperability with a Microsoft WCF/.NET 4.5 client.

To configure the OWSM 12c web service:

  1. Create a SOAP 1.2 compliant SOA composite and deploy it.

  2. Using Fusion Middleware Control, attach the following policy to the web service:

    oracle/wss11_x509_token_with_message_protection_service_policy

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back. 

    <orasp:x509-token 
   orasp:enc-key-ref-mech="thumbprint" 
   orasp:is-encrypted="false" 
   orasp:is-signed="false" 
   orasp:sign-key-ref-mech="direct"/>

    For more information, see the following links:

  4. Attach the policy to the web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. Attach the following policy:

    oracle/wsaddr_policy

6.5.2.2 Configuring Microsoft WCF/.NET 4.5 Client (Mutual Authentication with Message Protection)

You can configure a Microsoft WCF/.NET 4.5 client to implement mutual authentication with message protection for interoperability with an OWSM 12c web service.

To configure the Microsoft WCF/.NET 4.5 client:

  1. Use the Microsoft SvcUtil utility to create a client proxy (see "Client Program") and configuration file from the deployed web service.

    See the following Client Program sample: 

     namespace IO_NET10_client
{
    class Program
    {
        static void Main(string[] args)
        {
           
            BPELProcess1Client client = new BPELProcess1Client();
         
            client.ClientCredentials.ClientCertificate.SetCertificate(
                    StoreLocation.CurrentUser,
                    StoreName.My,
                    X509FindType.FindBySubjectName, "WSMCert3");
                     
             client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                       StoreLocation.CurrentUser,
                       StoreName.My,
                    X509FindType.FindBySubjectName, "Alice");
 
            process proc = new process();
            proc.input = "Test wss11_x509_token_with_message_protection_policy - ";
            Console.WriteLine(proc.input);
            processResponse response = client.process(proc);
           
            Console.WriteLine(response.result.ToString());
            Console.WriteLine("Press <ENTER> to terminate Client.");
            Console.ReadLine();
          }
    }
}

    For more information, see http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.110%29.aspx.

  2. Create a app.config configuration file, as shown in the following sample. 

    <?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="secureBehaviour">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="<certificate_cn>"
                                  storeLocation="CurrentUser"
                                  storeName="My"
                                  x509FindType="FindBySubjectName"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
      <bindings> 
        <ws2007HttpBinding> 
          <binding name="wss_username_over_ssl_client"> 
            <security mode="TransportWithMessageCredential"> 
            <transport clientCredentialType="None" /> 
            <message clientCredentialType="UserName" 
                negotiateServiceCredential="false" 
                establishSecurityContext="false" /> 
            </security> 
          </binding> 
        </ws2007HttpBinding> 
     </bindings> 
        <client>
          <endpoint address="http://<server>:<port>//MyWebService1SoapHttpPort"
                binding="ws2007HttpBinding"
                contract="MyWebService1" 
                name="MyWebService1SoapHttpPort"
                behaviorConfiguration="secureBehaviour" >
            <identity>
              <dns value="<certificate_cn>"/>
            </identity>
          </endpoint>
        </client>
    </system.serviceModel>
</configuration>

  3. Compile the project.

  4. Open a command prompt and navigate to the project's Debug folder.

  5. Enter <client_project_name>.exe and press Enter.

6.5.3 Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client (Mutual Authentication with Message Protection)

You can implement mutual authentication with message protection that conform to the WS-Security 1.1 standards using Microsoft WCF/.NET 4.5 web service and an OWSM 12c client.

To configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client:

  1. Create a .NET web service.

    For more information, see How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835%28v=vs.90%29.aspx.

  2. Create a custom binding for the web service using the SymmetricSecurityBindingElement.

    The following is a sample of the SymmetricSecurityBindingElement object:

    SymmetricSecurityBindingElement sm =
(SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificate
BindingElement(); 
sm.DefaultAlgorithmSuite =
System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;sm.SetKeyDerivati
on(false);
sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;sm.IncludeTimestamp =
true;
sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; 
sm.MessageProtectionOrder =
MessageProtectionOrder.SignBeforeEncrypt;sm.MessageSecurityVersion =
MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversation
February2005WSSecurityPolicy11BasicSecurityProfile10;
sm.RequireSignatureConfirmation =
true;

    For more information, see "How to: Create a Custom Binding Using the SecurityBindingElement" at http://msdn.microsoft.com/en-us/library/ms730305%28v=vs.90%29.aspx.

  3. Deploy the application.
  4. To configure OWSM 12c Client, using JDeveloper, create a SOA composite that consumes the .NET web service.

    For more information, see Developer's Guide for SOA Suite.

  5. In JDeveloper, create a partner link using the WSDL of the .NET service and add the import as follows:
    <wsdl:import namespace="<namespace>" location="<WSDL location>"/>
  6. In Fusion Middleware Control, attach the following policy to the web service client:

    oracle/wss11_x509_token_with_message_protection_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  7. Provide configurations for the keystore.recipient.alias.

    You can specify this information when attaching the policy, by overriding the policy configuration.

    Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 4 (wsmcert3).

    For more information, see "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  8. Invoke the web service method from the client.

6.6 Implementing a Kerberos with Message Protection for Microsoft WCF/.NET 4.5 Client

The Kerberos with Message Protection policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection:

6.6.1 Performing Prerequisite Tasks for Kerberos with Message Protection Interoperability

Before you implement Kerberos with message protection for interoperability between OWSM 12c web service and Microsoft WCF/.NET 4.5 client, you must complete a number of high-level tasks.

To configure prerequisites for interoperability:

  1. Configure the Key Distribution Center (KDC) and Active Directory (AD).

    For more information, see "To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at http://download.oracle.com/docs/cd/E19316-01/820-3746/gisdn/index.html.

  2. Set up the Kerberos configuration file krb5.conf in c:\winnt as shown in the following Kerberos configuration file sample.
    [logging]
default = c:\log\krb5libs.log
kdc = c:\log\krb5kdc.log
admin_server = c:\log\kadmind.log
[libdefaults]
default_realm = MYCOMPANY.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
kdc = hostname
[realms]
MYCOMPANY.LOCAL =
{ kdc = host:port  admin_server = host:port
  default_domain = <domainname>
}
 [domain_realm]
.<domainname> = MYCOMPANY.LOCAL
 <domainname> = MYCOMPANY.LOCAL
[appdefaults]
pam =
{   debug = false  ticket_lifetime = 36000  renew_lifetime = 36000  forwardable =
 true  krb4_convert = false }

6.6.2 Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client (Kerberos with Message Protection)

You can implement Kerberos with message protection using an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection:

6.6.2.1 Configuring OWSM 12c Web Service for Microsoft WCF/.NET 4.5 Client (Kerberos with Message Protection)

You can configure an OWSM 12c web service to implement Kerberos with message protection for interoperability with a Microsoft WCF/.NET 4.5 client.

To configure an OWSM 12c web service:

  1. Create and deploy a web service application.

    For more information, see "Deploying Web Service Applications" in Administering Web Services.

  2. Clone the following policy: oracle/wss11_kerberos_token_with_message_protection_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Edit the policy settings to set Algorithm Suite to Basic128Rsa15.

  4. Attach the policy to the web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

6.6.2.2 Configuring Microsoft WCF/.NET 4.5 Client (Kerberos with Message Protection)

You can configure a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection for interoperability with an OWSM 12c web service.

To configure the Microsoft WCF/.NET 4.5 client:

  1. Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name is HTTP/foobar.

  2. Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:

    ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4

    where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the krb5.ini file. The pass password must match the password created during the user creation.

    Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite web service is hosted.

  3. setSpn -L foobar

    setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar

    Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.

    Use the following setSpn command to map the service principal to the user:

    setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar

    setSpn -L foobar

    Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.

  4. Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.

    Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.

    In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab). 

    <client>
        <endpoint address="http://host:port/HelloServicePort"
            binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
            contract="NewHello" name="HelloServicePort">
        <identity>
          <servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
        </identity>
        </endpoint>
       
      </client>

    See the following Custom Binding sample: 

    <customBinding>
  <binding name="NewHelloSoap12HttpPortBinding">
      <!--Added by User: Begin-->
      <security defaultAlgorithmSuite="Basic128"
        authenticationMode="Kerberos"
        requireDerivedKeys="false" securityHeaderLayout="Lax"
        includeTimestamp="true"
        keyEntropyMode="CombinedEntropy"
        messageProtectionOrder="SignBeforeEncrypt"
        messageSecurityVersion="WSSecurity11WSTrustFebruary2005
        WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
          Profile10" 
        requireSignatureConfirmation="true">
      <localClientSettings cacheCookies="true" detectReplays="true"
          replayCacheSize="900000" maxClockSkew="00:05:00"
          maxCookieCachingTime="Infinite"
          replayWindow="00:05:00"
          sessionKeyRenewalInterval="10:00:00"
          sessionKeyRolloverInterval="00:05:00"
          reconnectTransportOnFailure="true"
          timestampValidityDuration="00:05:00"
          cookieRenewalThresholdPercentage="60" />
                <localServiceSettings detectReplays="true"
          issuedCookieLifetime="10:00:00"
          maxStatefulNegotiations="128" replayCacheSize="900000"
          maxClockSkew="00:05:00"
          negotiationTimeout="00:01:00" replayWindow="00:05:00"
          inactivityTimeout="00:02:00"
          sessionKeyRenewalInterval="15:00:00"
          sessionKeyRolloverInterval="00:05:00"
          reconnectTransportOnFailure="true"
          maxPendingSessions="128"
          maxCachedCookies="1000"
          timestampValidityDuration="00:05:00" />
                  <secureConversationBootstrap />
                </security>
              <!--Added by User: End-->
                <textMessageEncoding maxReadPoolSize="64"
                   maxWritePoolSize="16"
                   messageVersion="Soap12" writeEncoding="utf-8">
                <readerQuotas maxDepth="32" maxStringContentLength="8192"
                   maxArrayLength="16384"
                   maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                </textMessageEncoding>
              <!--Added by User: Begin-->
              <httpTransport manualAddressing="false"
                   maxBufferPoolSize="524288"
                   maxReceivedMessageSize="65536" allowCookies="false"
                   authenticationScheme="Anonymous"
                   bypassProxyOnLocal="false"
                   hostNameComparisonMode="StrongWildcard"
                   keepAliveEnabled="true" maxBufferSize="65536"
                   proxyAuthenticationScheme="Anonymous"
                   realm="" transferMode="Buffered"
                   unsafeConnectionNtlmAuthentication="false"
                   useDefaultWebProxy="true" />
                <!--Added by User: End-->
           </binding>
</customBinding>

    For more information, see http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.110%29.aspx.

  5. Run the client program.

6.7 Implementing a Kerberos with Message Protection Using Derived Keys for Microsoft WCF/.NET 4.5 Client

The Kerberos with Message Protection Using Derived Keys policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection using derived keys:

6.7.1 Performing Configuration Prerequisites Task for Kerberos with Message Protection Using Derived Keys

Before you implement Kerberos with message protection using derived keys for interoperability between OWSM 12c web service and a Microsoft WCF/.NET 4.5 client, you must complete a number of high-level tasks.

To configure prerequisites for interoperability:

  1. Configure the Key Distribution Center (KDC) and Active Directory (AD).

    For more information, see the following topics:

  2. Set up the Kerberos configuration file krb5.conf in c:\winnt as shown in the following Kerberos Configuration File sample:
    [logging]
default = c:\log\krb5libs.log
kdc = c:\log\krb5kdc.log
admin_server = c:\log\kadmind.log
[libdefaults]
default_realm = MYCOMPANY.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
kdc = hostname
[realms]
MYCOMPANY.LOCAL =
{ kdc = host:port  admin_server = host:port
  default_domain = <domainname>
}
 [domain_realm]
.<domainname> = MYCOMPANY.LOCAL
 <domainname> = MYCOMPANY.LOCAL
[appdefaults]
pam =
{   debug = false  ticket_lifetime = 36000  renew_lifetime = 36000  forwardable =
 true  krb4_convert = false }

6.7.2 Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client (Kerberos Message with Derived Keys)

You can implement Kerberos with message protection using derived keys using an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection using derived keys:

6.7.2.1 Configuring OWSM 12c Web Service for Microsoft WCF/.NET 4.5 Client (Kerberos with Message Protection Using Derived Keys)

You can configure an OWSM 12c web service to implement Kerberos with message protection using derived keys for interoperability with a Microsoft WCF/.NET 4.5 client.

To configure an OWSM 12c web service:

  1. Create and deploy a web service application.

    For more information, see "Deploying Web Service Applications" in Administering Web Services.

  2. Clone the following policy: wss11_kerberos_token_with_message_protection_basic128_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Edit the policy settings to enable the Derived Keys option.

  4. Attach the policy to the web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

6.7.2.2 Configuring Microsoft WCF/.NET 4.5 Client (Kerberos with Message Protection Using Derived Keys)

You can configure a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection using derived keys for interoperability with an OWSM 12c web service.

To configure the Microsoft WCF/.NET 4.5 client:

  1. Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar".

  2. Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:

    ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4

    where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the krb5.ini file. The pass password must match the password created during the user creation.

    Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite web service is hosted.

  3. Use the following setSpn command to map the service principal to the user:

    setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar

    setSpn -L foobar

    Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.

  4. Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.

    Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.

    In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab). 

    <client>
        <endpoint address="http://host:port/HelloServicePort"
            binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
            contract="NewHello" name="HelloServicePort">
        <identity>
          <servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
        </identity>
        </endpoint>
      </client>

    See the following Custom Binding sample: 

    <customBinding>
  <binding name="NewHelloSoap12HttpPortBinding">
    <!--Added by User: Begin-->
    <security defaultAlgorithmSuite="Basic128"
      authenticationMode="Kerberos"
      requireDerivedKeys="true" securityHeaderLayout="Lax"
      includeTimestamp="true"
      keyEntropyMode="CombinedEntropy"
      messageProtectionOrder="SignBeforeEncrypt"
      messageSecurityVersion="WSSecurity11WSTrustFebruary2005
      WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
      Profile10" 
      requireSignatureConfirmation="true">
    <localClientSettings cacheCookies="true" detectReplays="true"
        replayCacheSize="900000" maxClockSkew="00:05:00"
        maxCookieCachingTime="Infinite"
        replayWindow="00:05:00"
        sessionKeyRenewalInterval="10:00:00"
        sessionKeyRolloverInterval="00:05:00"
        reconnectTransportOnFailure="true"
        timestampValidityDuration="00:05:00"
        cookieRenewalThresholdPercentage="60" />
      <localServiceSettings detectReplays="true"
        issuedCookieLifetime="10:00:00"
        maxStatefulNegotiations="128" replayCacheSize="900000"
        maxClockSkew="00:05:00"
        negotiationTimeout="00:01:00" replayWindow="00:05:00"
        inactivityTimeout="00:02:00"
        sessionKeyRenewalInterval="15:00:00"
        sessionKeyRolloverInterval="00:05:00"
        reconnectTransportOnFailure="true"
        maxPendingSessions="128"
        maxCachedCookies="1000"
        timestampValidityDuration="00:05:00" />
      <secureConversationBootstrap />
    </security>
  <!--Added by User: End-->
      <textMessageEncoding maxReadPoolSize="64"
        maxWritePoolSize="16"
        messageVersion="Soap12" writeEncoding="utf-8">
          <readerQuotas maxDepth="32" maxStringContentLength="8192"
            maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      </textMessageEncoding>
          <!--Added by User: Begin-->
      <httpTransport manualAddressing="false"
        maxBufferPoolSize="524288"
        maxReceivedMessageSize="65536" allowCookies="false"
        authenticationScheme="Anonymous"
        bypassProxyOnLocal="false"
        hostNameComparisonMode="StrongWildcard"
        keepAliveEnabled="true" maxBufferSize="65536"
        proxyAuthenticationScheme="Anonymous"
        realm="" transferMode="Buffered"
        unsafeConnectionNtlmAuthentication="false"
        useDefaultWebProxy="true" />
      <!--Added by User: End-->
  </binding>
</customBinding>

  5. Run the client program.

6.8 Implementing a Kerberos with SPNEGO Negotiation for Microsoft WCF/.NET 4.5 Client

The Kerberos with SPNEGO Negotiation policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 12c Service Policy and Microsoft WCF/.NET 4.5 Client Policy.

The following topics describe how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 Client to implement Kerberos with SPNEGO negotiation:

6.8.1 Configuring OWSM 12c Web Service for Microsoft WCF/.NET 4.5 Client (Kerberos with SPNEGO Negotiation)

You can configure an OWSM 12c web service to implement Kerberos with SPNEGO negotiation for interoperability with a Microsoft WCF/.NET 4.5 client.

To configure the OWSM 12c web service:

  1. Create and deploy a web service application.

    For more information, see "Deploying Web Service Applications" in Administering Web Services.

  2. Create a policy that uses the http_spnego_token_service_template assertion template.

    For more information, see "Configuring Kerberos With SPNEGO Negotiation" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Attach the policy to the web service.

6.8.2 Configuring Microsoft WCF/.NET 4.5 Client (Kerberos with SPNEGO Negotiation)

You can configure a Microsoft WCF/.NET 4.5 client to implement Kerberos with SPNEGO negotiation for interoperability with an OWSM 12c web service.

To configure the Microsoft WCF/.NET 4.5 client:

  1. Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.

    For more information, see http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.110%29.aspx.

  2. Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.

  3. Edit the app.config file as shown in the following sample: 

    <configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BPELProcessBinding">
          <security mode= "TransportCredentialOnly">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint 
          address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro
cess_client_ep"
          binding="basicHttpBinding" 
          bindingConfiguration="BPELProcessBinding"
          contract="BPELProcess" name="BPELProcess_pt" 
        <identity>
          <servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

    In this listing, note that the values of the contract and name attributes of the endpoint element are obtained from the generatedProxy.cs file.

  4. Compile the client.

  5. After attaching the OWSM policy to the deployed web service, run the client.

6.9 Implementing a Kerberos with SPNEGO Negotiation and Credential Delegation for Microsoft WCF/.NET 4.5 Client

The Kerberos with SPNEGO Negotiation and Credential Delegation policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM 12c service policy and Microsoft WCF/.NET 4.5 client policy.

To configure the OWSM 12c web service:

  1. Create and deploy a web service application.

    For more information, see "Deploying Web Service Applications" in Administering Web Services.

  2. Create a policy that uses the http_spnego_token_service_template assertion template.
  3. Attach the policy to the web service.
  4. Set the value of the credential.delegation configuration setting to true.

    You can specify this information when attaching the policy, by overriding the policy configuration.

    For more information, see "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. To configure Microsoft WCF/.NET 4.5 client, use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service.
  6. Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.
  7. Edit the app.config file as shown in the following example.
    <configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BPELProcess1Binding">
          <security mode= "TransportCredentialOnly">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint 
          address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro
cess1_client_ep"
          binding="basicHttpBinding" 
          bindingConfiguration="BPELProcess1Binding"
          contract="BPELProcess1" name="BPELProcess1_pt" 
          behaviorConfiguration="CredentialDelegation">
        <identity>
          <servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="CredentialDelegation">
          <clientCredentials>
            <windows allowedImpersonationLevel="Delegation"
              allowNtlm="false"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

    In the example, note that the values of the contract and name attributes of the endpoint element are obtained from the generatedProxy.cs file.

  8. Compile the client.
  9. After attaching the OWSM policy to the deployed web service, run the client.

6.10 WCF/.NET 4.5 Client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) STS

You can secure a WCF/.NET 4.5 client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) secure token service (STS), using securities policies.

The following policies are used to secure a WCF/.NET 4.5 client with ADFS 2.0:

  • oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

  • oracle/wss_saml_token_bearer_over_ssl_service_policy

  • oracle/wss11_saml_or_username_token_with_message_protection_service_policy

Note:

The SAML sender vouches token is not supported in this use case.

The procedure described in this section are based on an ADFS 2.0 installation on Windows Server 2008 or Windows Server 2008 R2.

The following topics describe how to install and configure ADFS 2.0:

6.10.1 Installing and Configuring Active Directory Federation Services (ADFS) 2.0

You can install and configure ADFS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 system.

To install and configure Active Directory Federation Services (ADFS) 2.0:

  1. Set up the system in STS role.
  2. Create and configure a self-signed server authentication certificate in Internet Information Services (IIS) and bind it to the default Web site using the IIS Manager console. When done, enable SSL server authentication.

    Note:

    The ADFS 2.0 Setup Wizard automatically installs the web server (IIS) server role on the system.

  3. Configure ADFS 2.0 as a stand-alone federation server.
  4. Export the ADFS 2.0 token-signing certificate.

    For a self-signed certificate, select DER encoded binary X.509 (.cer).

    If the signing certificate is not self-signed, select Cryptographic Message Syntax Standard – PKCS 7 certificates (.p7b) and specify that all certificates in the certification path should be included.

  5. Create users and include an e-mail address. You later enable the STS to send the e-mail address as the subject name id in the outgoing SAML assertions for the service.

For more information, see the following:

6.10.2 Configuring OWSM to Trust SAML Assertions Issued by an ADFS 2.0 STS

You can add the STS signing certificates in the trusted STS servers to ensure ADFS 2.0 STS as a trusted SAML token issuer.

To configure OWSM to trust the SAML assertions issued by an ADFS 2.0 STS:

  1. Get the STS signing certificates you exported in "Install and Configure Active Directory Federation Services (ADFS) 2.0".

    For a .p7b file for a certificate chain, open the file in IE and copy each certificate in the chain in a .cer file.

  2. Import the certificates into the location of the default keystore using keytool.

    keytool –importcert –file <sts-signing-certs-file> –trustcacerts –alias <alias> –keystore default-keystore.jks

    For more information, see "keytool - Key and Certificate Management Tool" at http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

  3. Add http://domain-name/adfs/services/trust as a SAML trusted issuer.
  4. Add the Subject DN (as defined in RFC 2253) of the STS certificate in the Trusted STS Servers section. Use a string that conforms to RFC 2253, such as CN=abc. You can use the mechanism of your choice, such as keytool, to view the certificate and determine the Subject DN.

    For more information, refer to the following topics:

6.10.3 Configuring Users in Oracle Internet Directory

For each user, configure the mail attribute to match the user e-mail address set in ADFS.

For information on configuring users in Oracle Internet Directory, see “Managing Directory Entries for Creating a User” in Administering Oracle Internet Directory.

6.10.4 Attaching the Policy to the Web Service

OWSM supports a number of security policies that can be attached directly to a web service.

Attach any of the following OWSM policies to the web service:

  • oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

  • oracle/wss_saml_token_bearer_over_ssl_service_policy

  • oracle/wss11_saml_or_username_token_with_message_protection_service_policy

For more information, see:

6.10.5 Registering the Web Service as a Relying Party in ADFS 2.0

You can configure ADFS 2.0 to issue the SAML assertion to the web service with the e-mail address or the name ID (SAM-Account-Name) as the subject name ID.

To configure ADFS 2.0 as a relying party:

  1. Add the web service as a relying party.

    For more information, see Create a Relying Party Trust Manually" at http://technet.microsoft.com/en-us/library/dd807108.aspx.

  2. Configure the claim rules for the service.

    Enable the STS to send the e-mail address or the name ID as the subject name id in the outgoing SAML assertions for the service, create a chain of two claim rules with different templates.

    To enable the STS to send the e-mail address or the name ID as the subject name id in the outgoing SAML assertions for the service, use the steps in this section to create a chain of two claim rules with different templates.

    For more information, see the following topics:

6.10.6 Securing WCF/.NET 4.5 Client with ADFS 2.0

You can implement multiple security and authentication mechanisms to secure the WCF/.NET 4.5 client.

To secure the WCF/.NET 4.5 client with ADFS 2.0:

  1. Import the SSL server certificates for STS and the service into Windows.

    If the SSL server certificate for STS or the service is not issued from a trusted CA, or self-signed, then it needs to be imported with MMC tool, as described in step 1 in "Configuring Microsoft WCF/.NET 4.5 Client (Username Token with Message Protection)".

    For more information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

  2. Create and configure the WCF./NET client, as described in steps 3 and 4, below.

    ADFS 2.0 STS supports multiple security and authentication mechanisms for token insurance. Each is exposed as a separate endpoint. For username/password authentication, two endpoints are provided:

    • http://<adfs.domain>/adfs/services/trust/13/username — This endpoint is for username token with message protection.

    • https://<adfs.domain>/adfs/services/trust/13/usernamemixed — This endpoint is for username token with transport protection (SSL).

    The WCF client uses the https://<adfs.domain>/adfs/services/trust/13/usernamemixed endpoint for username token on SSL to obtain the SAML bearer token for the service.

  3. Generate the WCF Client with the service WSDL.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133(v=vs.110).aspx.

  4. Configure the client with ws2007FederationHttpBinding, and edit the app.config file, as follows.

    Example 6–16 shows a sample app.config for use with a web service using the following policies:

    • oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy

    • oracle/wss_saml_token_bearer_over_ssl_service_policy

    • oracle/wss11_saml_or_username_token_with_message_protection_service_policy

    For more information, see "WS 2007 Federation HTTP Binding" at http://msdn.microsoft.com/en-us/library/bb472490.aspx

  5. Edit the program.cs file to make the service call.

    If not already present, create a .cs file in the project and name it program.cs (or any name of your choice.) Edit it to match the code in Example 6–17.

    In this example:

    joe is the username and password is the password used by the client to authenticate to the STS.

    System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true); has been added to validate the server side self-signed certificate. This is not required if the server certificate is issued by a trusted CA. If using a self-signed certificate for testing, add this method to validate the certificate on the client side.

    See the following app.config File to Implement Varieties of SAML-Based Authentication sample: 

    <?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="secureBehaviour">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="weblogic"  
                  storeLocation="LocalMachine" 
                  storeName="My" 
                  x509FindType="FindBySubjectName"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp">
          <security mode="TransportWithMessageCredential">
            <message negotiateServiceCredential="false"
                 algorithmSuite="Basic128"
                 issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                 issuedKeyType="BearerKey">
              <issuer address ="https://domain-name/adfs/services/trust/13/usernamemixed"
                      binding ="ws2007HttpBinding"
					                      bindingConfiguration="ADFSUsernameMixed"/>
             </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
      <ws2007HttpBinding>
        <binding name="ADFSUsernameMixed">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" 
                     establishSecurityContext="false" />
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>
    <client>
      <endpoint address="https://host:8002/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLService"
          binding="ws2007FederationHttpBinding" 
          bindingConfiguration="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp"
          contract="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL" 
          name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLPort">
            <identity>
              <dns value="weblogic" />
            </identity>
          </endpoint>
    </client>
  </system.serviceModel>
</configuration>

    See the following pregram.cs File sample: 

    using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.ServiceModel;
 
namespace Client
{
    class Program
    {
        static void Main(string[] args)
        {
            JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient client = 
               New JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient();
 
            client.ClientCredentials.UserName.UserName = "joe";
            client.ClientCredentials.UserName.Password = "password";
 
                  
 
 
System.Net.ServicePointManager.ServerCertificateValidationCallback =
               ((sender, certificate, chain, sslPolicyErrors) => true);
            
 
            Console.WriteLine(client.echo("Hello"));
            Console.Read();
        }
 
    }
}