56 Defining Message-Level Security with .Net 2.0

This chapter describes how to configure message-level security between .NET 2.0 and Service Bus.

The chapter includes the following sections:

  • Message-Level Security Between .NET 2.0 and Oracle Service Bus
  • What is .NET?
  • Message-Level Security Configuration in .NET
  • Oracle Service Bus Configuration for Message-Level Security with .NET

56.1 Message-Level Security Between .NET 2.0 and Oracle Service Bus

You can set up message-level security between the Microsoft .NET 2.0 framework and Service Bus. Message-level security applies security checks to a SOAP message after a web services client establishes a connection with a Service Bus proxy service or business service and before the proxy service or business service processes the message.

56.2 What is .NET?

The .NET framework is a software component that you can add to the Microsoft Windows operating system. It provides pre-coded solutions to common program requirements, and manages the execution of programs written specifically for the framework.

56.3 Message-Level Security Configuration in .NET

This section provides the steps that you need to perform for .NET 2.0 and for Service Bus to configure message-level security.


Before you perform these steps, you must follow the steps in Configuring Message-Level Security for Web Services to configure inbound and outbound messaging for Service Bus.

To configure message-level security between .NET and Service Bus:

  1. Verify that you completed the steps to configure inbound and outbound messaging for Service Bus. See the note before this procedure for instructions.
  2. Download Web Service Enhancements (WSE) 3.0 from http://msdn2.microsoft.com/en-us/webservices and install it. WSE 3.0 is a SOAP extension managed API (Microsoft.Web.Services3.dll) that is compatible with the .NET 2.0 framework.
  3. After you install WSE 3.0, you must enable the WSE features for your web application and enable WSE Soap Protocol Factory support. You can enable both these features using wizards in Visual Studio.

    After you enable WSE 3.0, you will notice the following restrictions:

    • WSE 3.0 no longer supports WS-Policy, and therefore WS-SecurityPolicy, for configuration purposes, as .NET 1.1 and WSE 2.0 did. WSE 3.0 supports only a proprietary policy configuration in the wse3policyCache.config file (or equivalent .NET code) that provides features similar to those in WSE 2.0. One consequence is that the WSDL files for the .NET web service no longer contain WS-Policy statements. Service Bus, on the other hand, supports a WebLogic Server-proprietary format that is based on the assertions described in the December 18, 2002 version of the Web Services Security Policy Language (WS-SecurityPolicy) specification. To consume .NET WSDL files in Service Bus, you must add the equivalent Service Bus proprietary WS-Policy to the WSDL file.

      The WSDL code sample in Sample WSDL File shows how to configure WS-Policy for message-level identity propagation, confidentiality, and integrity in Service Bus.

    • WSE 3.0 provides policy configuration for a few Turnkey Security Assertions in the wse3policyCache.config file; you select them with a wizard in Visual Studio. The turnkey assertion that provides message-level security (encryption and signing, for example) is MutualCertificate10. For details on configuring the MutualCertificate10 security assertion, see http://msdn2.microsoft.com/en-us/library/aa480581.aspx.

    • The WSE Soap Protocol Factory does not support security with SOAP 1.2. The client stubs generated through the Web Reference option in Visual Studio contain the security-enabled operations only if you select SOAP 1.1. Message-level security interoperability works only with SOAP 1.1.

    • As with .NET 1.1 and WSE 2.0, you must disable the automatic signing of WS-Addressing headers and timestamps that is configured by default. Change the following properties in the wse3policyCache.config file, as shown in this example:

      Default Config

           <request signatureOptions="IncludeAddressing, IncludeTimestamp,
                IncludeSoapBody" encryptBody="true" />
           <response signatureOptions="IncludeAddressing, IncludeTimestamp,
                IncludeSoapBody" encryptBody="true" />
           <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
                IncludeSoapBody" encryptBody="false" />

      Required Config

           <request signatureOptions="IncludeSoapBody" encryptBody="true" />
           <response signatureOptions="IncludeAddressing, IncludeTimestamp,
                IncludeSoapBody" encryptBody="true" />
           <fault signatureOptions="IncludeSoapBody" encryptBody="false" />

    • By default, WSE 3.0 expects the key wrapping algorithm to be RSA-OAEP. Service Bus, however, uses the RSA 1.5 (RSA15) algorithm. If the configuration remains OAEP, the following exception appears:

           Microsoft.Web.Services3.Security.SecurityFault: An unsupported signature or
           encryption algorithm was used System.Exception: WSE3002: The receiver is
           expecting the key wrapping algorithm to be
           http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, but the incoming message
           used http://www.w3.org/2001/04/xmlenc#rsa-1_5. You can change the key
           wrapping algorithm by configuring the security token manager.

      To avoid this error, add the following configuration to the web.config file (on the .NET web service) and the app.config file (on the .NET client side) under the <microsoft.web.services3> <security> elements:

           <add valueType="http://docs.oasis-open.org/wss/2004/01/
                <keyAlgorithm name="RSA15" />

      This configuration forces WSE to use RSA15 instead of OAEP. Treat it as an interoperability concession rather than a preferred setting: RSA 1.5 (PKCS#1 v1.5) key transport is susceptible to padding-oracle attacks of the kind RSA-OAEP was designed to resist, so limit it to the endpoints that need it.

    • For Username Token authentication, .NET provides a usernameForCertificateSecurity turnkey assertion that secures the communication channel between the client and the service at the message layer using the service's X.509 certificate. However, this assertion depends on the ability to reference <EncryptedKey> elements as security tokens, and it enables the option for signature confirmation to correlate a response message with the request that prompted it.

      An alternative for Username Token Authentication is the .NET usernameOverTransportSecurity turnkey assertion, which assumes that communication between the client and service will be secured at the transport layer. This approach is WS-Security compatible and supports message-level authentication over SSL. If you want to combine the usernameOverTransportSecurity turnkey assertion with other message-level security mechanisms, such as encryption and signing, you must write custom code in .NET.
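The following Python script is an added example, not part of the Oracle documentation or of WSE; it lints a wse3policyCache.config and a web.config/app.config for the .NET-side settings this section requires: request and fault signatures limited to IncludeSoapBody, the encryptBody values of the Required Config, and a <keyAlgorithm name="RSA15" /> under <microsoft.web.services3><security>. The sample documents are constructed; the wrapper element names around <request>, <response>, <fault> and <keyAlgorithm> (policies, policy, mutualCertificate10Security, protection, binarySecurityTokenManager, add) and the valueType URL are assumptions. The checks match on local element names, so a default namespace in the real file does not affect them.

```python
"""Lint the WSE 3.0 configuration on the .NET side for the Service Bus interop
settings this section requires. Added example; sample documents are constructed
and the wrapper element names around the checked elements are assumed."""
import xml.etree.ElementTree as ET

# Parts that must not be signed on <request> and <fault> when talking to Service Bus.
FORBIDDEN_PARTS = {"IncludeAddressing", "IncludeTimestamp"}
# encryptBody values from the "Required Config" block in this section.
EXPECTED_ENCRYPT_BODY = {"request": "true", "response": "true", "fault": "false"}


def local_name(tag):
    """Strip a {namespace} prefix so matching works with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def iter_local(root, name):
    """Yield every element in the tree (root included) whose local name is `name`."""
    for el in root.iter():
        if isinstance(el.tag, str) and local_name(el.tag) == name:
            yield el


def parse_signature_options(value):
    """'IncludeAddressing, IncludeTimestamp, IncludeSoapBody' -> set of option names."""
    return {part.strip() for part in value.split(",") if part.strip()}


def lint_policy_cache(policy_xml):
    """Return a list of findings for a wse3policyCache.config document ([] means OK)."""
    findings = []
    root = ET.fromstring(policy_xml)
    for tag in ("request", "response", "fault"):
        for el in iter_local(root, tag):
            opts = parse_signature_options(el.get("signatureOptions", ""))
            # The Required Config leaves <response> at the WSE defaults, so only
            # <request> and <fault> are checked for addressing/timestamp signing.
            if tag != "response":
                extra = sorted(opts & FORBIDDEN_PARTS)
                if extra:
                    findings.append(f"<{tag}> signs {', '.join(extra)}; "
                                    "Service Bus interop requires IncludeSoapBody only")
            if "IncludeSoapBody" not in opts:
                findings.append(f"<{tag}> does not sign the SOAP body")
            if el.get("encryptBody") != EXPECTED_ENCRYPT_BODY[tag]:
                findings.append(f'<{tag}> encryptBody should be "{EXPECTED_ENCRYPT_BODY[tag]}"')
    return findings


def lint_wse_config(config_xml):
    """Return findings for web.config (service) or app.config (client) ([] means OK)."""
    root = ET.fromstring(config_xml)
    wse_sections = list(iter_local(root, "microsoft.web.services3"))
    if not wse_sections:
        return ["no <microsoft.web.services3> section found"]
    key_algorithms = {ka.get("name")
                      for wse in wse_sections
                      for sec in iter_local(wse, "security")
                      for ka in iter_local(sec, "keyAlgorithm")}
    if "RSA15" not in key_algorithms:
        return ['no <keyAlgorithm name="RSA15" /> under <security>; WSE will expect '
                "rsa-oaep-mgf1p and reject Service Bus's rsa-1_5 key wrapping (WSE3002)"]
    return []


# Constructed samples. The wrapper elements and the valueType URL are assumptions;
# the <request>/<response>/<fault> lines are the Default Config quoted in this section.
DEFAULT_POLICY = """<policies>
  <policy name="ServicePolicy">
    <mutualCertificate10Security>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </mutualCertificate10Security>
  </policy>
</policies>"""

# The Required Config: only <request> and <fault> change.
REQUIRED_POLICY = DEFAULT_POLICY.replace(
    '<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"',
    '<request signatureOptions="IncludeSoapBody"').replace(
    '<fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"',
    '<fault signatureOptions="IncludeSoapBody"')

CONFIG_OAEP_DEFAULT = """<configuration>
  <microsoft.web.services3>
    <security>
      <binarySecurityTokenManager>
        <add valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
      </binarySecurityTokenManager>
    </security>
  </microsoft.web.services3>
</configuration>"""

# Same file with the <keyAlgorithm name="RSA15" /> child this section adds.
CONFIG_RSA15 = CONFIG_OAEP_DEFAULT.replace(
    '#X509v3" />', '#X509v3">\n          <keyAlgorithm name="RSA15" />\n        </add>')

if __name__ == "__main__":
    for label, findings in (("default policy", lint_policy_cache(DEFAULT_POLICY)),
                            ("required policy", lint_policy_cache(REQUIRED_POLICY)),
                            ("default config", lint_wse_config(CONFIG_OAEP_DEFAULT)),
                            ("RSA15 config", lint_wse_config(CONFIG_RSA15))):
        print(f"{label}: {findings or 'OK'}")
```

Run it against the real files by reading them into `lint_policy_cache` and `lint_wse_config`; an empty list from both means the three settings this section calls out are in place on that side.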

56.4 Oracle Service Bus Configuration for Message-Level Security with .NET

Before you configure Service Bus, the following conditions must exist:

  • A .NET client invokes a Service Bus proxy with a plain-text message (that is, there is no message-level security between the .NET client and the Service Bus proxy).

  • Service Bus enforces outbound message-level security on the SOAP request.


    For cases where the .NET client has message-level security enabled, you can use Service Bus as a pass-through proxy.

To configure Service Bus for message-level security with .NET:

  1. Change the encryption algorithm from tripledes-cbc to aes256-cbc:
    <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  2. In the Sign.xml policy in the WSDL file, set the SignToken attribute on the integrity assertion element to false:
    <wssp:Integrity SignToken='false' .... >

    By default this value is true.

  3. The .NET web service expects the WS-Addressing <wsa:To> element to contain its own URL. Because the .NET client first invokes the Service Bus proxy, <wsa:To> is initially set to the Service Bus proxy URL. Change it to the URL of the .NET web service in the Service Bus proxy message flow, using a Replace action as shown in the following example:

    Original URL

    <wsa:To wsu:Id="To_1mbmRK4w0bo2Dz1z" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-

    URL after Replace Action

    <wsa:To wsu:Id="To_1mbmRK4w0bo2Dz1z" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-

    If you do not change this URL, the following error appears:

    Microsoft.Web.Services3.Addressing.AddressingFault: Destination Unreachable
    System.Exception: WSE846: The header must match the actor URI value of the web
    service. The actor URI value can be explicitly specified using
    SoapActorAttribute on the ASMX class. In the absence of the attribute, the
    actor URI is assumed to be equal to the HTTP Request Url of the incoming
    message. The header received contained
    "http://localhost:7001/SecurityALSBProxy"; while the receiver is expecting
  4. The .NET client adds its own Timestamp element to the SOAP security header. Service Bus adds another Timestamp during outbound processing, which results in the following error:
    Microsoft.Web.Services3.Security.SecurityFault: An error was discovered
    processing the header Microsoft.Web.Services3.Security.SecurityFormatException:
    WSE001: The input was not a valid Security element because it contains more
    than one Timestamp child element.

    To solve this issue, add a Delete action to the proxy message flow that removes the Timestamp element the .NET client added, so that only the Timestamp Service Bus adds remains.

  5. Add the CertificateRegistry certification path provider. You add this from the WLS Administration Console from realm > Providers > Certification Path > New and then select CertificateRegistry from the list of options.

    Activate the change and restart the server.

    After you restart the server, edit the CertificateRegistry provider you just created. From the Management tab add the following three certificates:

    • The public certificate of Service Bus

    • The public certificate of .NET

    • The root agency (issuer of these certificates)


      One way to add the certificates is to import them from a jks store using the Migration tab. Provide the actual path of the identity store.

  6. On the Configuration (Common) tab for the CertificateRegistry provider, select Current Builder to make it the current builder.

    Save these changes. Then, activate and restart the server.

  7. The WLS keystore requires these same certificates:
    • The public certificate of Service Bus

    • The public certificate of .NET

    • The root agency (issuer of these certificates)

    You configure the identity and trust keystores for a WebLogic Server instance on the server Configuration: Keystores page. To do this, see Configure Identity and Trust in the WebLogic Server online help.
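The following Python script is an added example, not code from the Oracle documentation or from Service Bus; it reproduces outside the proxy what steps 3 and 4 do in the message flow (the Replace action on <wsa:To> and the Delete action on the client's Timestamp), then adds a stand-in for the Timestamp that Service Bus inserts during outbound processing and checks whether the .NET service would raise the WSE846 or WSE001 fault quoted above. The SOAP envelope, the .NET service URL and the timestamp values are constructed; the proxy URL http://localhost:7001/SecurityALSBProxy, the wsu:Id To_1mbmRK4w0bo2Dz1z and the sayHello body in the http://www.bea.com namespace come from this chapter, and the WS-Addressing namespace (2004/08) is an assumption.

```python
"""Apply the wsa:To Replace and Timestamp Delete fix-ups of steps 3 and 4 to a SOAP 1.1
request and check the result for the WSE846 / WSE001 conditions. Added example; the
envelope, service URL and timestamps are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",        # SOAP 1.1, as this chapter requires
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",  # assumed WS-Addressing version
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when serializing

PROXY_URL = "http://localhost:7001/SecurityALSBProxy"               # quoted in this chapter
SERVICE_URL = "http://dotnet-host/SecureHelloWorld/Service.asmx"    # constructed .NET service URL

# Constructed request as the .NET client sends it to the proxy: plain text, own Timestamp.
CLIENT_ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsa="{NS['wsa']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsa:To wsu:Id="To_1mbmRK4w0bo2Dz1z">{PROXY_URL}</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-client">
        <wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
        <wsu:Expires>2024-01-01T00:05:00Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <sayHello xmlns="http://www.bea.com"><s>world</s></sayHello>
  </soap:Body>
</soap:Envelope>"""


def parse(envelope_xml):
    return ET.fromstring(envelope_xml)


def wsa_to(envelope):
    el = envelope.find("./soap:Header/wsa:To", NS)
    return None if el is None else el.text


def count_timestamps(envelope):
    return len(envelope.findall("./soap:Header/wsse:Security/wsu:Timestamp", NS))


def fault_code(envelope, service_url):
    """Which WSE fault the .NET service would raise for this envelope, or None."""
    if wsa_to(envelope) != service_url:
        return "WSE846"   # header must match the service's actor URI (its request URL)
    if count_timestamps(envelope) > 1:
        return "WSE001"   # Security element contains more than one Timestamp
    return None


def replace_wsa_to(envelope, service_url):
    """Step 3, Replace action: point <wsa:To> at the .NET web service."""
    el = envelope.find("./soap:Header/wsa:To", NS)
    if el is None:
        raise ValueError("request has no wsa:To header")
    el.text = service_url


def delete_client_timestamps(envelope):
    """Step 4, Delete action: drop every client-supplied Timestamp; return how many."""
    removed = 0
    for security in envelope.findall("./soap:Header/wsse:Security", NS):
        for ts in security.findall("wsu:Timestamp", NS):
            security.remove(ts)
            removed += 1
    return removed


def add_service_bus_timestamp(envelope, created, expires):
    """Stand-in for the Timestamp Service Bus adds during outbound WS-Security processing."""
    security = envelope.find("./soap:Header/wsse:Security", NS)
    if security is None:
        security = ET.SubElement(envelope.find("soap:Header", NS), f"{{{NS['wsse']}}}Security")
    ts = ET.SubElement(security, f"{{{NS['wsu']}}}Timestamp")
    ET.SubElement(ts, f"{{{NS['wsu']}}}Created").text = created
    ET.SubElement(ts, f"{{{NS['wsu']}}}Expires").text = expires


def prepare_outbound(envelope_xml, service_url, created, expires, delete_client_timestamp=True):
    """Run the message-flow fix-ups in the order the proxy does, then add the Service Bus
    Timestamp. Returns (envelope, number_of_client_timestamps_removed)."""
    env = parse(envelope_xml)
    replace_wsa_to(env, service_url)
    removed = delete_client_timestamps(env) if delete_client_timestamp else 0
    add_service_bus_timestamp(env, created, expires)
    return env, removed


if __name__ == "__main__":
    env, removed = prepare_outbound(CLIENT_ENVELOPE, SERVICE_URL,
                                    "2024-01-01T00:00:00Z", "2024-01-01T00:01:00Z")
    print(f"removed {removed} client timestamp(s); fault: {fault_code(env, SERVICE_URL)}")
    print(ET.tostring(env, encoding="unicode"))
```

The order matters in the real proxy as well: the Delete action has to run in the message flow before the outbound security policy adds its own Timestamp, otherwise the Delete removes the wrong one or leaves two, which is exactly the WSE001 case the script reproduces when `delete_client_timestamp` is False.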

56.4.1 Sample WSDL File

The sample WSDL file in this section shows how to configure WS-Policy for message-level identity propagation, confidentiality, and integrity in Service Bus.

Example - Configuring WS-Policy for Message-Level Security

<?xml version='1.0' encoding='UTF-8'?>
<definitions name="SecureHelloWorldServiceDefinitions" targetNamespace=
     <wsp:UsingPolicy xmlns:n1="http://schemas.xmlsoap.org/wsdl/"
     <wsp:Policy s0:Id="Encrypt.xml">
               <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/
                        <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/ 
                   <wssp:MessageParts Dialect="http://schemas.xmlsoap.org
                     <wssp:SecurityToken TokenType="http://docs.oasis-open.
                              <wsse:BinarySecurityToken EncodingType="http:
     <wsp:Policy s0:Id="Auth.xml">
          <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/
                    <wssp:SecurityToken TokenType="http://docs.oasis-open.
                         <wssp:UsePassword Type="http://docs.oasis-open.
     <wsp:Policy s0:Id="Sign.xml">
          <wssp:Integrity SignToken='false' xmlns:wls="http://www.bea.com/wls90/security/
               security/policy" xmlns:wsu="http://docs.oasis-open.org/wss
               <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/
               <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/
                    2001/10/ xml-exc-c14n#"/>
                    <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09
                    <wssp:MessageParts Dialect="http://www.bea.com/wls90/
                    <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09
                    <wssp:MessageParts Dialect="http://www.bea.com/wls90/
                    <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/
                    <wssp:MessageParts Dialect="http://schemas.xmlsoap.
                    <wssp:SecurityToken IncludeInMessage="true" TokenType=
                         <wssp:TokenIssuer>CN=CACERT,OU=FOR TESTING ONLY,
                         f6d,CN=Demo Certificate Authority Constraints,OU=
                         Security,O=BEA WebLogic,L=San Francisco,ST=
                         572697479406265612e636f6d,CN=Demo Certificate
                         Authority Constraints,OU=Security,O=BEA WebLogic,
                         L=San Francisco,ST=California,C=US,CN=CertGenCAB,
                         OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=
                         MyState,C=US,CN=Equifax Secure eBusiness CA-1,O=
                         Equifax Secure Inc.,C=US,CN=VeriSign Class 1
                         Public Primary Certification Authority - G3,OU=
                         (c)1999 VeriSign\, Inc. - For authorized use only,
                         OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US,
                         OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\,
                         Inc. - For authorized use only,OU=Class 2 Public
                         Primary Certification Authority - G2,O=VeriSign\,
                         Inc.,C=US,CN=VeriSign Class 3 Public Primary
                         Certification Authority - G3,OU=(c) 1999
                         VeriSign\,Inc. - For authorized use only,OU=
                         VeriSign Trust Network,O=VeriSign\,Inc.,C=US,CN=
                         Entrust.net Client Certification Authority,OU=(c)
                         2000 Entrust.net Limited,OU=www.entrust.net/
                         GCCA_CPS incorp. by ref. (limits liab.),O=Entrust
                         .net,OU=Go Daddy Class 2 Certification Authority,
                         O=The Go Daddy Group\, Inc.,C=US,CN=GTE Cyber
                         Trust Global Root,OU=GTE CyberTrust Solutions\,
                         Inc., O=GTE Corporation,C=US,CN=Entrust.net
                         Secure Server Certification Authority,OU=(c) 2000
                         Entrust.net Limited,OU=www.entrust.net/SSL_CPS
                         incorp. by ref. (limits liab.),O=Entrust.net,OU=
                         Class 1 Public Primary Certification Authority,
                         O=VeriSign\, Inc.,C=US,1.2.840.113549.1.9.1=#161
                         f6d,CN=Thawte Personal Basic CA,OU=Certification
                         Services Division,O=Thawte Consulting,L=Cape
                         Town, ST=Western Cape,C=ZA,OU=VeriSign Trust
                         Network, OU=(c) 1998 VeriSign\, Inc. - For
                         authorized use only,OU=Class 1 Public Primary
                         Certification Authority - G2,O=VeriSign\, Inc.,
                         C=US,CN=Entrust.net Secure Server Certification
                         Authority,OU=(c) 1999 Entrust.net Limited,OU=
                         www.entrust.net/CPS incorp. by ref.(limits iab.),
                         O=Entrust.net,C=US, 1.2.840.113549.1.9.1=#161c706
                         6f6d,CN=Thawte Personal Freemail CA,OU=
                         Certification Services Div,O=Thawte Consulting, L
                         =Cape Town,ST=Western Cape,C=ZA,OU=Class 3 Public
                         Primary Certification Authority,O=VeriSign\, Inc.
                         C=US,CN=GTE CyberTrust Root,O=GTE Corporation,C=
                         US,CN=VeriSign Class 2 Public Primary Certificate
                         Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For
                         authorized use only,OU=VeriSign Trust Network,O=
                         Thawte Server CA,OU=Certification Services
                         Division,O=Thawte Consulting cc,L=Cape Town,ST=
                         Western Cape,C=ZA,OU=Equifax Secure Certificate
                         e636f6d,CN=Thawte Personal Premium CA,OU=
                         Certification Services Division,O=Thawte
                         Consulting,L=Cape Town,ST=Western Cape,C=ZA,1.2.
                         2407468617774652e636f6d,CN=Thawte Premium Server
                         CA,OU=Certification Services Division,O=Thawte
                         Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,
                         OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\,
                         Inc. - For authorized use only,OU=Class 3 Public
                         Primary Certification Authority - G2,O=VeriSign\,
                         Inc.,C=US,CN=Entrust.net Certification Authority
                         (2048),OU=(c) 1999 Entrust.net Limited,OU=www
                         .entrust.net/CPS_2048 incorp. by ref. (limits
                         valicert.com/,OU=ValiCert Class 2 Policy
                         Validation Authority,O=ValiCert\, Inc.,L=Vali
                         cert Validation Network,CN=Baltimore CyberTrust
                         Root, OU=CyberTrust,O=Baltimore,C=IE,OU=Secure
                         Server Certification Authority,O=RSA Data
                         Security\, Inc.,C=US,CN=Entrust.net Client
                         Cert Authority,OU=(c) 1999 Entrust.net Limited,
                         OU=www.entrust.net/Client_CA_Info/CPS incorp. by
                         ref. limits liab.,O=Entrust.net,C=US,CN=GeoTrust
                         Global CA,O=GeoTrust Inc.,C=US,CN=GTE CyberTrust
                         Root 5,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
                         Corporation,C=US,OU=Starfield Class 2
                         Certification Authority,O=Starfield 
                         Technologies\, Inc.,C=US,CN=Equifax Secure 
                         Global eBusiness CA-1,O=Equifax Secure Inc.,C=US,
                         CN=Baltimore CyberTrust Code Signing Root,OU=
                         CyberTrust,O=Baltimore,C=IE,OU=Class 2 Public
                         Primary Certification Authority,O=VeriSign\,
                         Inc.,C=US,OU=Equifax Secure eBusiness CA-2,O=
                         Equifax Secure,C=US,</wssp:TokenIssuer>
          <wssp:MessageAge Age="60" xmlns:wssp="http://www.bea.com/wls90/
          <xs:schema attributeFormDefault="unqualified" elementFormDefault=
               "qualified" targetNamespace="http://www.bea.com" xmlns:s0="
               http://www.bea.com" xmlns:s1="http://schemas.xmlsoap.org
               /wsdl/soap/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/
               09/policy" xmlns:xs="http://www.w3.org/2001/XMLSchema">
               <xs:element name="sayHello">
                             <xs:element name="s" type="xs:string"/>
               <xs:element name="sayHelloResponse">
                              <xs:element name="return" type="xs:string"/>
     <message name="sayHello">
          <part element="s1:sayHello" name="parameters"/>
     <message name="sayHelloResponse">
          <part element="s1:sayHelloResponse" name="parameters"/>
     <portType name="SecureHelloWorldPortType" wsp:PolicyURIs="#Sign.xml
          #Auth.xml #Encrypt.xml">
          <operation name="sayHello" parameterOrder="parameters">
               <input message="s1:sayHello"/>
               <output message="s1:sayHelloResponse"/>
     <binding name="SecureHelloWorldServiceSoapBinding" type="s1:
          <s2:binding style="document" transport="http://schemas.
               xmlsoap.org/ soap/http"/>
               <operation name="sayHello">
                    <s2:operation soapAction="" style="document"/>
                         <s2:body parts="parameters" use="literal"/>
                          <s2:body parts="parameters" use="literal"/>
          <service name="SecureHelloWorldService">
               <port binding="s1:SecureHelloWorldServiceSoapBinding"
                    <s2:address location="http://localhost:9111/