This chapter describes interoperability of Oracle Web Services Manager (OWSM) with Microsoft WCF/.NET 3.5 security environments.
Note:
A subset of the interoperability scenarios within this chapter employ SOA applications which will be supported in a future release of Oracle Fusion Middleware 12c. For this release, you can substitute an ADF or Java EE application in these scenarios.
This chapter contains the following sections:
Section 5.1, "Overview of Interoperability with Microsoft WCF/.NET 3.5 Security Environments"
Section 5.2, "Message Transmission Optimization Mechanism (MTOM)"
Section 5.3, "Username Token With Message Protection (WS-Security 1.1)"
Section 5.5, "Mutual Authentication with Message Protection (WS-Security 1.1)"
Section 5.7, "Kerberos with Message Protection Using Derived Keys"
Section 5.9, "Kerberos with SPNEGO Negotiation and Credential Delegation"
In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the Web service security policies created using OWSM 12c can interoperate with Web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.
For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Table 5-1 and Table 5-2 summarize the most common Microsoft .NET 3.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates.
In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.
Table 5-1 OWSM 12c Service Policy and Microsoft WCF/.NET 3.5 Client Policy Interoperability
| Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
|---|---|---|---|---|---|
|
MTOM |
NA |
NA |
NA |
|
|
|
Username or SAML |
1.1 |
Yes |
No |
OR
|
|
|
Username |
1.0 and 1.1 |
No |
Yes |
OR
|
|
|
Mutual Authentication |
1.1 |
Yes |
No |
|
|
|
Kerberos |
1.1 |
Yes |
No |
|
Table 5-2 Microsoft WCF/.NET 3.5 Service Policy and OWSM 12c Client Policy Interoperability
| Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
|---|---|---|---|---|---|
|
MTOM |
NA |
NA |
NA |
|
|
|
Username |
1.1 |
Yes |
No |
|
|
|
Mutual Authentication |
1.1 |
Yes |
No |
|
This section describes how to implement MTOM in the following interoperability scenarios:
"Configuring Microsoft WCF/.NET 3.5 Client and OWSM 12c Web Service"
"Configuring OWSM 12c Client and Microsoft WCF/.NET 3.5 Web Service"
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web service, perform the steps described in the following sections:
Create a Web service application.
Attach the following policy to the Web service: oracle/wsmtom_service_policy.
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Deploy the application.
Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service. See "Example app.config File for MTOM Interoperability".
Run the client program.
Example app.config File for MTOM Interoperability
The following provides an example of the app.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomBinding_IMTOMService">
<mtomMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" maxBufferSize="65536"
writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength=
"8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</mtomMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="<endpoint_url>"
binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService"
contract="IMTOMService" name="CustomBinding_IMTOMService" >
</endpoint>
</client>
</system.serviceModel>
</configuration>
To configure OWSM 12c client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:
Create a .NET Web service.
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.
For an example of a .NET Web service, see "Example of .NET Web Service for MTOM Interoperability".
Deploy the application.
Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
Attach the following policy to the Web service client: oracle/wsmtom_policy.
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Example of .NET Web Service for MTOM Interoperability
The following provides an example of the .NET Web service for MTOM interoperability.
static void Main(string[] args)
{
string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";
// Step 1 of the address configuration procedure: Create a URI to serve as the base address.
Uri baseAddress = new Uri(uri);
// Step 2 of the hosting procedure: Create ServiceHost
ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);
try {
HttpTransportBindingElement hb = new HttpTransportBindingElement();
hb.ManualAddressing = false;
hb.MaxBufferPoolSize = 2147483647;
hb.MaxReceivedMessageSize = 2147483647;
hb.AllowCookies = false;
hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.KeepAliveEnabled = true;
hb.MaxBufferSize = 2147483647;
hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.Realm = "";
hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
hb.UnsafeConnectionNtlmAuthentication = false;
hb.UseDefaultWebProxy = true;
MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
me.MaxReadPoolSize=64;
me.MaxWritePoolSize=16;
me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12;
me.WriteEncoding = System.Text.Encoding.UTF8;
me.MaxWritePoolSize = 2147483647;
me.MaxBufferSize = 2147483647;
me.ReaderQuotas.MaxArrayLength = 2147483647;
CustomBinding binding1 = new CustomBinding();
binding1.Elements.Add(me);
binding1.Elements.Add(hb);
ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1,
"MTOMService");
EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
EndpointIdentity.CreateDnsIdentity("WSMCert3"));
ep.Address = myEndpointAdd;
// Step 4 of the hosting procedure: Enable metadata exchange.
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
selfHost.Description.Behaviors.Add(smb);
using (ServiceHost host = new ServiceHost(typeof(MTOMService)))
{
System.ServiceModel.Description.ServiceDescription svcDesc =
selfHost.Description;
ServiceDebugBehavior svcDebug =
svcDesc.Behaviors.Find<ServiceDebugBehavior>();
svcDebug.IncludeExceptionDetailInFaults = true;
}
// Step 5 of the hosting procedure: Start (and then stop) the service.
selfHost.Open();
Console.WriteLine("The service " + uri + " is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
// Close the ServiceHostBase to shutdown the service.
selfHost.Close();
}
catch (CommunicationException ce)
{
Console.WriteLine("An exception occurred: {0}", ce.Message);
selfHost.Abort();
}
}
This section describes how to implement username token with message protection that conforms to WS-Security 1.1 in the following interoperability scenarios:
"Configuring Microsoft WCF/.NET 3.5 Client and OWSM 12c Web Service"
"Configuring OWSM 12c Client and Microsoft WCF/.NET 3.5 Web Service"
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web service, perform the steps described in the following sections:
Create a Web service application.
Attach one of the following policies to the Web service:
oracle/wss11_username_token_with_message_protection_service_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:
keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.
Open a command prompt.
Type mmc and press ENTER.
Select File > Add/Remove snap-in.
Select Add and Choose Certificates.
Note:
To view certificates in the local machine store, you must be in the Administrator role.
Select Add.
Select My user account and finish.
Click OK.
Expand Console Root > Certificates -Current user > Personal > Certificates.
Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.
Click Next, select Browse, and navigate to the .cer file that was exported previously.
Click Next and accept defaults and finish the wizard.
Generate a .NET client using the WSDL of the Web service.
For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.
Note:
SVCUtil does not support some security policy assertions such as <sp:SignedParts>. As a workaround:
Detach the policy
Generate proxy using SVCUtil
Attach the policy back
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.
Edit the app.config file in the .NET project to update the certificate file and disable replays, as described in "Edit the app.config File".
Compile the project.
Open a command prompt and navigate to the project's Debug folder.
Enter <client_project_name>.exe and press Enter.
Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold). If you follow the default key setup, then <certificate_cn> should be set to alice.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser" storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="HelloWorldSoapHttp">
<security defaultAlgorithmSuite="Basic128"
authenticationMode="UserNameForCertificate"
requireDerivedKeys="false" securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion=
"WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="true">
<localClientSettings
cacheCookies="true"
detectReplays="false"
replayCacheSize="900000"
maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128"
replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00"
replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap /></security>
<textMessageEncoding
maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap11"
writeEncoding="utf-8">
<readerQuotas
maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
</textMessageEncoding>
<HttpTransport
manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true"
maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm=""
transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="<endpoint_url>"
binding="customBinding"
bindingConfiguration="HelloWorldSoapHttp"
contract="HelloWorld"
name="HelloWorldPort"
behaviorConfiguration="secureBehaviour" >
<identity>
<dns value="<certificate_cn>"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
To configure OWSM 12c client and Microsoft WCF/.NET 3.5 Web service, perform the steps described in the following sections:
Create a .NET Web service.
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.
Be sure to create a custom binding for the Web service using the SymmetricSecurityBindingElement. For an example, see "Example .NET Web Service Client".
Create and import a certificate file to the keystore on the Web service server.
Using VisualStudio, the command would be similar to the following:
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer
This command creates and imports a certificate in mmc.
If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at http://www.microsoft.com/whdc/devtools/WDK/default.mspx.
makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1
Then, in mmc, import PRF_WSMCert3.pfx.
Import the certificate created on the Web service server to the client server using the keytool command. For example:
keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>
Right-click on the Web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer.
Navigate to the bin/Debug folder.
Double-click on the <project>.exe file. This command will run the Web service at the URL provided.
Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
In JDeveloper, create a partner link using the WSDL of the .NET service.
Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Provide configurations for the csf-key and keystore.recipient.alias.
You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1 (wsmcert3). For example:
<wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy"
orawsp:category="security" orawsp:status="enabled"/>
<property name="csf-key" type="xs:string"
many="false">basic.credentials</property>
<property name="keystore.recipient.alias" type="xs:string"
many="false">wsmcert3</property>
static void Main(string[] args)
{
// Step 1 of the address configuration procedure: Create a URI to serve as the
// base address.
// Step 2 of the hosting procedure: Create ServiceHost
string uri = "http://<host>:<port>/TEST/NetService";
Uri baseAddress = new Uri(uri);
ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
try
{
SymmetricSecurityBindingElement sm =
SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
sm.SetKeyDerivation(false);
sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
sm.IncludeTimestamp = true;
sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
sm.MessageSecurityVersion =
MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
WSSecurityPolicy11BasicSecurityProfile10;
sm.RequireSignatureConfirmation = true;
sm.LocalClientSettings.CacheCookies = true;
sm.LocalClientSettings.DetectReplays = true;
sm.LocalClientSettings.ReplayCacheSize = 900000;
sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.ReconnectTransportOnFailure = true;
sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
sm.LocalServiceSettings.DetectReplays = false;
sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
sm.LocalServiceSettings.ReplayCacheSize = 900000;
sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
sm.LocalServiceSettings.MaxPendingSessions = 128;
sm.LocalServiceSettings.MaxCachedCookies = 1000;
sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
HttpTransportBindingElement hb = new HttpTransportBindingElement();
hb.ManualAddressing = false;
hb.MaxBufferPoolSize = 524288;
hb.MaxReceivedMessageSize = 65536;
hb.AllowCookies = false;
hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.KeepAliveEnabled = true;
hb.MaxBufferSize = 65536;
hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.Realm = "";
hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
hb.UnsafeConnectionNtlmAuthentication = false;
hb.UseDefaultWebProxy = true;
TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
tb1.MaxReadPoolSize = 64;
tb1.MaxWritePoolSize = 16;
tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
tb1.WriteEncoding = System.Text.Encoding.UTF8;
CustomBinding binding1 = new CustomBinding(sm);
binding1.Elements.Add(tb1);
binding1.Elements.Add(hb);
ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
"CalculatorService");
EndpointAddress myEndpointAdd = new EndpointAddress(
new Uri(uri),
EndpointIdentity.CreateDnsIdentity("WSMCert3"));
ep.Address = myEndpointAdd;
// Step 4 of the hosting procedure: Enable metadata exchange.
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
selfHost.Description.Behaviors.Add(smb);
selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "WSMCert3");
selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;
selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
UserNamePasswordValidationMode.Custom;
CustomUserNameValidator cu = new CustomUserNameValidator();
selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
{
System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
svcDebug.IncludeExceptionDetailInFaults = true;
}
// Step 5 of the hosting procedure: Start (and then stop) the service.
selfHost.Open();
Console.WriteLine("The Calculator service is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
selfHost.Close();
}
catch (CommunicationException ce)
{
Console.WriteLine("An exception occurred: {0}", ce.Message);
selfHost.Abort();
}
}
This section describes how to implement username token over SSL in the following interoperability scenario:
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web service, perform the steps described in the following sections:
Configure the server for SSL.
For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Create a copy of one of the following policies:
oracle/wss_username_token_over_ssl_service_policy
oracle/wss_saml_or_username_token_over_ssl_service_policy
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Creation Time Required configuration setting.
Disable the Nonce Required configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy.
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Generate a .NET client using the WSDL of the Web service.
For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.
Edit the app.config file, as described in "Edit the app.config File".
Compile the project.
Open a command prompt and navigate to the project's Debug folder.
Type <client_project_name>.exe and press Enter.
Edit the app.config file to update the certificate file and disable replays, as shown in the following example (changes are identified in bold):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="BPELProcess1Binding">
<security defaultAlgorithmSuite="Basic128"
authenticationMode="UserNameOverTransport"
requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
February2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60"/>
<localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap11" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" requireClientCertificate="false"/>
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="
https://host:port/soa-infra/services/default/IO_NET6/bpelprocess1_client_ep"
binding="customBinding" bindingConfiguration="BPELProcess1Binding"
contract="BPELProcess1" name="BPELProcess1_pt" />
</client>
</system.serviceModel>
</configuration>
The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards:
"Configuring Microsoft WCF/.NET 3.5 Client and OWSM 12c Web Service"
"Configuring OWSM 12c Client and Microsoft WCF/.NET 3.5 Web Service"
Configuration Prerequisites for Interoperability
Export the X.509 certificate file from the keystore on the service side to a .cer file (for example, alice.cer) using the following command:
keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.
Open a command prompt.
Type mmc and press ENTER.
Select File > Add/Remove snap-in.
Select Add and Choose Certificates.
Note:
To view certificates in the local machine store, you must be in the Administrator role.
Select Add.
Select My user account and finish.
Click OK.
Expand Console Root > Certificates -Current user > Personal > Certificates.
Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.
Click Next, select Browse, and navigate to the .cer file that was exported previously.
Click Next and accept defaults and finish the wizard.
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web Service, perform the steps described in the following sections:
Create a SOA composite and deploy it.
In Enterprise Manager, clone the following policy:
oracle/wss11_x509_token_with_message_protection_service_policy
Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net
Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back.
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false" orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
Using Enterprise Manager, attach the policy to the Web service.
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Use the SVCUtil utility to create a client proxy (see "Sample Client Program") and configuration file from the deployed Web service.
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.
Create a configuration file: app.config. Add the following code after the <system.serviceModel> element.
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser" storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
Modify the endpoint behavior as follows:
<endpoint address="http://<server>:<port>//MyWebService1SoapHttpPort"
binding="customBinding"
bindingConfiguration="MyWebService1SoapHttp"
contract="MyWebService1" name="MyWebService1SoapHttpPort"
behaviorConfiguration="secureBehaviour" >
<identity>
<dns value="<certificate_cn>"/>
</identity>
</endpoint>
Disable the message replay detection as follows:
<localClientSettings cacheCookies="true" detectReplays="false"
replayCacheSize="900000"
maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
Create a custom binding as shown below:
<security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate"
"Sample app.config File" provides an example of the configuration file.
Compile the project.
Open a command prompt and navigate to the project's Debug folder.
Enter <client_project_name>.exe and press Enter.
The following provides an example of the app.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="BPELProcess1Binding">
<security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate"
requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversation
February2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="false"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap11" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="<endpoint_url>"
binding="customBinding" bindingConfiguration="BPELProcess1Binding"
contract="BPELProcess1" name="BPELProcess1_pt" >
<identity>
<dns value=<certificate_cn>/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
namespace IO_NET10_client
{
class Program
{
static void Main(string[] args)
{
BPELProcess1Client client = new BPELProcess1Client();
client.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "WSMCert3");
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "Alice");
process proc = new process();
proc.input = "Test wss11_x509_token_with_message_protection_policy - ";
Console.WriteLine(proc.input);
processResponse response = client.process(proc);
Console.WriteLine(response.result.ToString());
Console.WriteLine("Press <ENTER> to terminate Client.");
Console.ReadLine();
}
}
}
To configure OWSM 12c client and Microsoft WCF/.NET 3.5 Web Service, perform the steps described in the following sections:
Create a .NET Web service.
For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.
For an example of a .NET Web service, see "Example .NET Web Service Client".
Create a custom binding for the Web service using the SymmetricSecurityBindingElement.
For more information, see "How to: Create a Custom Binding Using the SecurityBindingElement" at http://msdn.microsoft.com/en-us/library/ms730305.aspx.
The following is a sample of the SymmetricSecurityBindingElement object:
SymmetricSecurityBindingElement sm = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificate BindingElement(); sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;sm.SetKeyDerivati on(false); sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;sm.IncludeTimestamp = true; sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;sm.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversation February2005WSSecurityPolicy11BasicSecurityProfile10; sm.RequireSignatureConfirmation = true;
Deploy the application.
Using JDeveloper, create a SOA composite that consumes the .NET Web service. For more information, see the Developer's Guide for SOA Suite.
In JDeveloper, create a partner link using the WSDL of the .NET service and add the import as follows:
<wsdl:import namespace="<namespace>" location="<WSDL location>"/>
In Enterprise Manager, clone the policy: wss11_x509_token_with_message_protection_service_policy. Rename it as follows: wss11_x509_token_with_message_protection_service_policy_net
Export wss11_x509_token_with_message_protection_service_policy_net. Change encrypted="true" to "false", and import it back
<orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="true" orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/>
Attach the policy to the Web service client.
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Provide configurations for the keystore.recipient.alias.
You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 4 (wsmcert3).
Invoke the Web service method from the client.
This section describes how to implement kerberos with message protection in the following interoperability scenarios:
Perform the following prerequisite steps:
Configure the Key Distribution Center (KDC) and Active Directory (AD). For more information, see the section "To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at http://download.oracle.com/docs/cd/E19316-01/820-3746/gisdn/index.html.
Set up the Kerberos configuration file krb5.conf in c:\winnt as shown in Example 5-1.
Example 5-1 Sample Kerberos Configuration File
[logging]
default = c:\log\krb5libs.log
kdc = c:\log\krb5kdc.log
admin_server = c:\log\kadmind.log
[libdefaults]
default_realm = MYCOMPANY.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
kdc = <hostname>
[realms]
MYCOMPANY.LOCAL =
{ kdc = <hostname>:<portnumber> admin_server = <hostname>:<portnumber>
default_domain = <domainname>
}
[domain_realm]
.<domainname> = MYCOMPANY.LOCAL
<domainname> = MYCOMPANY.LOCAL
[appdefaults]
pam =
{ debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable =
true krb4_convert = false }
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web service, perform the steps described in the following sections:
Create a Web service application.
Copy the following policy: wss11_kerberos_with_message_protection_service_policy.
Edit the policy settings to set Algorithm Suite to Basic128Rsa15.
Attach the policy to the web service. For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Deploy the application.
Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar".
Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:
ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4
where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the krb5.ini file. The pass password must match the password created during the user creation.
Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite Web service is hosted.
Use the following setSpn command to map the service principal to the user:
setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar
setSpn -L foobar
Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.
Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service.
Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.
In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab).
<client>
<endpoint address="http://host:port/HelloServicePort"
binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
contract="NewHello" name="HelloServicePort">
<identity>
<servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
</identity>
</endpoint>
</client>
A sample binding is provided in Example 5-2.
<customBinding>
<binding name="NewHelloSoap12HttpPortBinding">
<!--Added by User: Begin-->
<security defaultAlgorithmSuite="Basic128"
authenticationMode="Kerberos"
requireDerivedKeys="false" securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005
WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
Profile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<!--Added by User: End-->
<textMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384"
/>
</textMessageEncoding>
<!--Added by User: Begin-->
<httpTransport manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
<!--Added by User: End-->
</binding>
</customBinding>
The svcutil.exe utility will not work if the Web service has an OWSM policy attached to it. Detach the policy from the service before running this utility to generate the proxy and re-attach once all artifacts are generated successfully.
Run the client program.
This section describes how to implement kerberos with message protection in the following interoperability scenarios:
Perform the following prerequisite steps:
Configure the Key Distribution Center (KDC) and Active Directory (AD). For more information, see the section "To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at http://download.oracle.com/docs/cd/E19316-01/820-3746/gisdn/index.html.
Set up the Kerberos configuration file krb5.conf in c:\winnt as shown in Example 5-1.
Example 5-3 Sample Kerberos Configuration File
[logging]
default = c:\log\krb5libs.log
kdc = c:\log\krb5kdc.log
admin_server = c:\log\kadmind.log
[libdefaults]
default_realm = MYCOMPANY.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
kdc = <hostname>
[realms]
MYCOMPANY.LOCAL =
{ kdc = <hostname>:<portnumber> admin_server = <hostname>:<portnumber>
default_domain = <domainname>
}
[domain_realm]
.<domainname> = MYCOMPANY.LOCAL
<domainname> = MYCOMPANY.LOCAL
[appdefaults]
pam =
{ debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable =
true krb4_convert = false }
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web service, perform the steps described in the following sections:
Create a Web service application.
Copy the following policy: wss11_kerberos_token_with_message_protection_basic128_service_policy.
Edit the policy settings to enable the Derived Keys option.
Attach the policy to the web service. For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Deploy the application.
Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar".
Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:
ktpass -princ HTTP/foobar@MYCOMPANY.LOCAL -pass Oracle123 -mapuser foobar -out foobar.keytab -ptype KRB5_NT_PRINCIPAL -kvno 4
where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the krb5.ini file. The pass password must match the password created during the user creation.
Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite Web service is hosted.
Use the following setSpn command to map the service principal to the user:
setSpn -A HTTP/foobar@MYCOMPANY.LOCAL foobar
setSpn -L foobar
Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command setSpn -D <spname> <username>.
Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service.
Note:
The SVCUtil utility will not work if the Web service has an OWSM policy attached to it. Detach the policy from the service before running this utility to generate the proxy and re-attach once all artifacts are generated successfully.
Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.
In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab).
<client>
<endpoint address="http://host:port/HelloServicePort"
binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
contract="NewHello" name="HelloServicePort">
<identity>
<servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
</identity>
</endpoint>
</client>
A sample binding is provided in Example 5-2.
<customBinding>
<binding name="NewHelloSoap12HttpPortBinding">
<!--Added by User: Begin-->
<security defaultAlgorithmSuite="Basic128"
authenticationMode="Kerberos"
requireDerivedKeys="true" securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005
WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
Profile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<!--Added by User: End-->
<textMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384"
/>
</textMessageEncoding>
<!--Added by User: Begin-->
<httpTransport manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
<!--Added by User: End-->
</binding>
</customBinding>
Run the client program.
This section describes how to implement Kerberos with SPNEGO negotiation in the following interoperability scenario:
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web service, perform the steps described in the following sections:
Create a Web service application.
Deploy the Web service application.
Create a policy that uses the http_spnego_token_service_template assertion template.
Attach the policy to the Web service.
Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service.
Note:
The SVCUtil utility will not work if the Web service has an OWSM policy attached to it. Detach the policy from the service before running this utility to generate the proxy and re-attach once all artifacts are generated successfully.
Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.
Edit the app.config file as follows.
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BPELProcessBinding">
<security mode= "TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint
address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro
cess_client_ep"
binding="basicHttpBinding"
bindingConfiguration="BPELProcessBinding"
contract="BPELProcess" name="BPELProcess_pt"
<identity>
<servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
In this listing, note that the values of the contract and name attributes of the endpoint element are obtained from the generatedProxy.cs file.
Compile the client.
After attaching the OWSM policy to the deployed Web service, run the client.
This section describes how to implement Kerberos with SPNEGO negotiation and credential delegation in the following interoperability scenario:
To configure Microsoft WCF/.NET 3.5 client and OWSM 12c Web service, perform the steps described in the following sections:
Create a Web service application.
Deploy the Web service application.
Create a policy that uses the http_spnego_token_service_template assertion template.
Attach the policy to the web service.
Set the value of the credential.delegation configuration setting to true.
You can specify this information when attaching the policy, by overriding the policy configuration. For more information, see "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Use the SVCUtil utility to create a client proxy and configuration file from the deployed Web service.
Note:
The SVCUtil utility will not work if the Web service has an OWSM policy attached to it. Detach the policy from the service before running this utility to generate the proxy and re-attach once all artifacts are generated successfully.
Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item.
Edit the app.config file as follows.
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BPELProcess1Binding">
<security mode= "TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint
address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro
cess1_client_ep"
binding="basicHttpBinding"
bindingConfiguration="BPELProcess1Binding"
contract="BPELProcess1" name="BPELProcess1_pt"
behaviorConfiguration="CredentialDelegation">
<identity>
<servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CredentialDelegation">
<clientCredentials>
<windows allowedImpersonationLevel="Delegation"
allowNtlm="false"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
In this listing, note that the values of the contract and name attributes of the endpoint element are obtained from the generatedProxy.cs file.
Compile the client.
After attaching the OWSM policy to the deployed Web service, run the client.
This section describes securing a WCF/.NET 3.5 client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) secure token service (STS), using a policy utilizing SAML bearer token over one-way SSL.
Note:
The SAML sender vouches token is not supported in this use case.
This procedure described in this section assumes that you install and configure ADFS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 system. This system is set up in the STS role.
The following topics are described:
Section 5.10.1, "Install and Configure Active Directory Federation Services (ADFS) 2.0"
Section 5.10.2, "Configure ADFS 2.0 STS As Trusted SAML Token Issuer"
Section 5.10.3, "Configure Users in Oracle Internet Directory"
Section 5.10.5, "Register the Web Service as a Relying Party in ADFS 2.0"
This section describes how to install and configure ADFS 2.0.
The following topics are described:
Section 5.10.1.3, "Create and Configure a Self-Signed Server Authentication Certificate"
Section 5.10.1.4, "Configure the System as a Standalone Federation Server"
Section 5.10.1.5, "Export ADFS 2.0 Token-Signing Certificate"
Install and configure Active Directory. See http://technet.microsoft.com/en-us/windowsserver for related links and information.
Install ADFS 2.0 and configure it using the wizard. See http://technet.microsoft.com/en-us/windowsserver/dd448613 for related links and information. See http://go.microsoft.com/fwlink/?linkid=151338 for download information.
As you configure ADFS 2.0 using the wizard, on the Server Role page be sure to click Federation server.
Create and configure a self-signed server authentication certificate in IIS and bind it to the default Web site using the Internet Information Services (IIS) Manager console. When done, enable SSL server authentication.
The AD FS 2.0 Setup Wizard automatically installed the Web server (IIS) server role on the system.
Creating a self-signed server authentication certificate is described generally in http://technet.microsoft.com/en-us/library/cc771041%28v=ws.10%29.aspx. The steps in this section provides use case-specific information.
Open the Internet Information Services (IIS) Manager console.
On the Start menu, click All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the console tree, click the root node that contains the name of the system, and then, in the details pane, double-click the icon named Server Certificates in the IIS grouping.
In the Actions pane, click Create Self-Signed Certificate.
In the console tree, click Default Web Site.
In the Actions pane, click Bindings.
In the Site Bindings dialog box, click Add.
In the Add Site Binding dialog box, select https in the Type drop-down list. Select the certificate you just created in the SSL certificate drop-down list, click OK, and then click Close.
Close the Internet Information Services (IIS) Manager console. Enable SSL Server Authentication.
Configure the system as a standalone federation server, as described in http://technet.microsoft.com/en-us/library/ee913579%28v=ws.10%29.aspx.
Export the ADFS 2.0 token-signing certificate, as described in http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_4.
For a self-signed certificate, select DER encoded binary X.509 (.cer).
If the signing certificate is not self-signed, select Cryptographic Message Syntax Standard – PKCS 7 certificates (.p7b) and check Include all the certificates in the certification path if possible.
Create users and include an email address. You later enable the STS to send the email address as the subject name id in the outgoing SAML assertions for the service.
Follow these steps to add a sample user to Active Directory. Make sure to set the email address for each user.
Log in to the system with domain administrator credentials.
Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, right-click the Users folder. Click New, and then click User.
On the New Object – User page, add the user, and then click Next.
Provide a password, clear the User must change password at next logon check box, and then click Next.
Click Finish.
In the right-most pane of Active Directory Users and Computers, right-click the new user object, and then click Properties.
On the General tab, in the E-mail box, type the email address of the user, and then click OK.
Perform the following steps to configure OWSM to trust the SAML assertions issued by an ADFS 2.0 STS:
Get the STS signing certificates you exported in Section 5.10.1.5, "Export ADFS 2.0 Token-Signing Certificate".
For a .p7b file for a certificate chain, open the file in IE and copy each certificate in the chain in a .cer file.
Import the certificates into the location of the default keystore using keytool.
keytool –importcert –file <sts-signing-certs-file> –trustcacerts –alias <alias> –keystore default-keystore.jks
Add http://domain-name/adfs/services/trust as a SAML trusted issuer.
See "Configuring SAML Trusted Issuers and DN Lists" in Securing Web Services and Managing Policies with Oracle Web Services Manager for the steps to follow.
Add the Subject DN (as defined in RFC 2253) of the STS certificate in the Trusted STS Servers section. Use a string that conforms to RFC 2253, such as CN=abc. You can use the mechanism of your choice, such as keytool, to view the certificate and determine the Subject DN.
See "Configuring SAML Trusted Issuers and DN Lists" in Securing Web Services and Managing Policies with Oracle Web Services Manager for the steps to follow.
For each user, configure the mail attribute to match the user email address set in ADFS.
See Managing Directory Entries for Creating a User in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on configuring users in Oracle Internet Directory.
Attach the OWSM oracle/wss11_saml_or_username_token_with_message_protection_service_policy or oracle/wss_saml_token_bearer_over_ssl_service_policy policy to the Web service.
These policies enforce message protection (integrity and confidentiality) and SAML-based authentication using credentials provided in SAML tokens with the bearer confirmation method in the WS-Security SOAP header. They also verify that the transport protocol provides SSL message protection.
See "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager for information on attaching policies.
Configure ADFS 2.0 to issue the SAML assertion to the Web service with the email address or the name ID (SAM-Account-Name) as the subject name id.
See http://technet.microsoft.com/en-us/library/dd807108%28v=ws.10%29.aspx for general information on relying parties.
This section provides use case-specific information.
Add the Web Service as a Relying Party
In the AD FS 2.0 Management console, click AD FS 2.0.
In the details pane, click Add a trusted relying party to start the Add Relying Party Wizard.
On the Welcome page, click Start to begin.
Select Enter data about the relying party manually.
Provide a display name and enter any notes you want.
Select ADFS 2.0 Profile.
On the Configure Certificate page, click Next.
Configuring a token encryption certificate on this page is optional. Configure one on this page if you require that the token be encrypted. If you do not configure a token encryption certificate, the token issued by STS is not encrypted for the service.
WS-Trust is always enabled. Click Next.
For the Relying Party Trust Identifier, enter the service URL and click Add.
Permit all users to access this relying party.
Click Next and then Close.
Configure the Claim Rules for the Service
To enable the STS to send the email address or the name ID as the subject name id in the outgoing SAML assertions for the service, use the steps in this section to create a chain of two claim rules with different templates.
See http://technet.microsoft.com/en-us/library/ee913578%28v=ws.10%29.aspx for general information on claim rules. See http://technet.microsoft.com/en-us/library/dd807115%28v=ws.10%29.aspx to create a rule to send LDAP attributes as claims.
This section provides use case-specific information.
Right-click on the Relying Party for the service and select Edit Claim Rules.
On the Issuance Transform Rules tab select Add Rule.
Select Send LDAP Attribute as Claims as the claim rule template to use.
Give the Claim a name, such as Get LDAP Attributes.
Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
If you want to instead use the name ID as the subject name ID, under LDAP Attribute, select SAM-Account-Name.
Select Finish.
If you use the name ID as the subject name ID, click OK to close the property page and save the changes to the relying party trust.
If you use the email address as the subject name ID, continue to add a rule.
Select Add Rule.
Select Transform an Incoming Claim as the claim rule template to use.
Give it a name, such as Email to Name ID.
Set the Incoming claim type as E-mail Address. (It must match the Outgoing Claim Type in the previous rule.)
Set the Outgoing claim type as Name ID and the Outgoing name ID format as Email (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
Pass through all claim values and click Finish.
Click OK to close the property page and save the changes to the relying party trust.
Perform the following steps to secure WCF/.NET 3.5 Client with ADFS 2.0:
Install .NET 3.5 and Visual Studio 2008.
Import the SSL server certificates for STS and the service into Windows.
If the SSL server certificate for STS or the service is not issued from a trusted CA, or self-signed, then it needs to be imported with MMC tool, as described in Section 5.6.1, "Configuration Prerequisites for Interoperability".
Create and Configure the WCF Client.
ADFS 2.0 STS supports multiple security and authentication mechanisms for token insurance. Each is exposed as a separate endpoint. For username/password authentication, two endpoints are provided:
http://<adfs.domain>/adfs/services/trust/13/username — This endpoint is for username token with message protection.
https://<adfs.domain>/adfs/services/trust/13/usernamemixed — This endpoint is for username token with transport protection (SSL).
The WCF client uses the https://<adfs.domain>/adfs/services/trust/13/usernamemixed endpoint for username token on SSL to obtain the SAML bearer token for the service.
Generate the WCF Client with the service WSDL.
See http://msdn.microsoft.com/en-us/library/ms733133(v=vs.90) for information on creating a Windows Communication Foundation client.
Note:
SVCUtil does not support the security policy with policy alternatives as advertised for the OWSM policy oracle/wss11_saml_or_username_token_with_message_protection_service_policy, or the oracle/wss_saml_bearer_token_over_ssl_service_policy policy. To work around this:
Detach the policy for the service.
Generate a proxy using SVCUtil.
Attach the policy back to the service.
Configure the client with ws2007FederationHttpBinding:
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.
Edit the app.config file. (See http://msdn.microsoft.com/en-us/library/bb472490.aspx for information on WS 2007 Federation HTTP Binding.) Consider the following sample:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="weblogic"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<ws2007FederationHttpBinding>
<binding name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp">
<security mode="TransportWithMessageCredential">
<message negotiateServiceCredential="false"
algorithmSuite="Basic128"
issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-
profile-1.1#SAMLV1.1"
issuedKeyType="BearerKey">
<issuer address ="https://domain-name/adfs/services/trust/13/usernamemixed"
binding ="ws2007HttpBinding"
bindingConfiguration="ADFSUsernameMixed"/>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding name="ADFSUsernameMixed">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint
address="https://adc2170989:8002/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL/JaxWsWss11Sam
lOrUsernameOrSamlBearerOverSSLService"
binding="ws2007FederationHttpBinding"
bindingConfiguration="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp"
contract="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL"
name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLPort">
<identity>
<dns value="weblogic" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
Edit the program.cs file to make the service call.
If not already present, create a .cs file in the project and name it program.cs (or any name of your choice.) Edit it to match the following:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.ServiceModel;
namespace Client
{
class Program
{
static void Main(string[] args)
{
JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient client =
New JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient();
client.ClientCredentials.UserName.UserName = "joe";
client.ClientCredentials.UserName.Password = "eoj";
System.Net.ServicePointManager.ServerCertificateValidationCallback =
((sender, certificate, chain, sslPolicyErrors) => true);
Console.WriteLine(client.echo("Hello"));
Console.Read();
}
}
}
In this sample program.cs file:
joe is the username and eoj is the password used by the client to authenticate to the STS.
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true); has been added to validate the server side self-signed certificate. This is not required if the server certificate is issued by a trusted CA. If using a self-signed certificate for testing, add this method to validate the certificate on the client side.