This chapter describes interoperability of Oracle Web Services Manager (OWSM) with Microsoft WCF/.NET 3.5 security environments.
This chapter includes the following sections:
Overview of Interoperability with Microsoft WCF/.NET 3.5 Security Environments
Mutual Authentication with Message Protection (WS-Security 1.1)
WCF/.NET 3.5 Client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) STS
In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the web service security policies created using OWSM 12c can interoperate with web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.
For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Note:
In most cases, you can attach OWSM policies in source code, before deploying an application, or you can attach policies post deployment, using WLST or Fusion Middleware Control. To simplify the instructions in this chapter, it is assumed that you are attaching policies at runtime. If a situation requires that you attach a policy before deploying, it is described that way in the instructions.
Note:
Some of the procedures described in this chapter instruct you to use the Microsoft ServiceModel Metadata Utility Tool (SvcUtil.exe) to create a client proxy and configuration file from the deployed web service. However, SvcUtil.exe does not work with certain security policy assertions used with OWSM. As a workaround when generating a WCF proxy for a web service protected by an OWSM policy, do the following:
Detach the policy.
Generate the proxy using SvcUtil.exe.
Re-attach the policy.
For more information about SvcUtil.exe, see http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.90%29.aspx.
Table 5-1 and Table 5-2 summarize the most common Microsoft .NET 3.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.
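The note above names the key usages the certificates in these scenarios must carry. The following is an added example, not part of the Oracle documentation: a standard-library Python check that decodes the DER-encoded KeyUsage extension value (the BIT STRING defined in RFC 5280, section 4.2.1.3) and reports which of DigitalSignature, Non_repudiation, Key_Encipherment and Data_Encipherment a certificate lacks. The two DER byte strings are constructed for the example; against a real certificate you would feed it the raw value of the 2.5.29.15 extension obtained from any ASN.1 library.

```python
"""Decode an X.509 KeyUsage extension value and compare it with the
key usages the OWSM/WCF interoperability scenarios require.

Added example, not part of the Oracle documentation. Uses only the
standard library; the sample DER values below are constructed.
"""

# Bit positions of the KeyUsage BIT STRING (RFC 5280), named the way
# keytool -list -v prints them.
KEY_USAGE_BITS = [
    "DigitalSignature",   # bit 0
    "Non_repudiation",    # bit 1
    "Key_Encipherment",   # bit 2
    "Data_Encipherment",  # bit 3
    "Key_Agreement",      # bit 4
    "Key_CertSign",       # bit 5
    "Crl_Sign",           # bit 6
    "Encipher_Only",      # bit 7
    "Decipher_Only",      # bit 8
]

# Usages the chapter's note requires for the signing/encrypting keys.
REQUIRED_USAGES = {"DigitalSignature", "Non_repudiation",
                   "Key_Encipherment", "Data_Encipherment"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage value (a BIT STRING) into a set of usage names.

    Layout: 0x03 (BIT STRING tag), short-form length, number of unused
    trailing bits, then the bit bytes; bit 0 is the most significant bit
    of the first content byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length encoding")
    unused = der[2]
    bits = der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bit count")
    total_bits = len(bits) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def missing_required_usages(der: bytes) -> set:
    """Return the required usages that the KeyUsage value does not grant."""
    return REQUIRED_USAGES - decode_key_usage(der)


# Constructed sample values (not taken from any real certificate).
# digitalSignature + nonRepudiation + keyEncipherment + dataEncipherment:
# bits 1111 0000 with 4 unused bits.
FULL_USAGE = bytes.fromhex("030204f0")
# digitalSignature only: bits 1000 0000 with 7 unused bits. A key like
# this can sign but cannot be used for the encryption the policies need.
SIGN_ONLY = bytes.fromhex("03020780")


def main():
    for label, der in (("full", FULL_USAGE), ("sign-only", SIGN_ONLY)):
        missing = missing_required_usages(der)
        verdict = "OK" if not missing else "MISSING " + ", ".join(sorted(missing))
        print(f"{label:10s} {sorted(decode_key_usage(der))} -> {verdict}")


if __name__ == "__main__":
    main()
```

The KeyUsage extension (like every extension) exists only in v3 certificates, which is why the note insists on v3: a v1 certificate generated by an old keytool has no extensions at all, so the check cannot pass. With a JDK 7 or later keytool the usages can be set when the key pair is generated (`-ext KeyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment`) and confirmed with `keytool -list -v`.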
Table 5-1 OWSM 12c Service Policy and Microsoft WCF/.NET 3.5 Client Policy Interoperability

Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
MTOM | NA | NA | NA | | See Table 5-4, "Configuring the Microsoft WCF/.NET 3.5 Client" |
Username or SAML | 1.1 | Yes | No | … OR … | See Table 5-8, "Configuring the Microsoft WCF/.NET 3.5 Client". See … |
Username | 1.0 and 1.1 | No | Yes | … OR … | See Table 5-12, "Configuring the Microsoft WCF/.NET 3.5 Client". See … |
Mutual Authentication | 1.1 | Yes | No | | See Table 5-15, "Configuring the Microsoft WCF/.NET 3.5 Client" |
Kerberos | 1.1 | Yes | No | | See Table 5-21, "Configuration Prerequisites for Interoperability" |
Table 5-2 Microsoft WCF/.NET 3.5 Service Policy and OWSM 12c Client Policy Interoperability

Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
MTOM | NA | NA | NA | See Table 5-5, "Configuring the Microsoft WCF/.NET 3.5 Web Service" | |
Username | 1.1 | Yes | No | See Table 5-9, "Configuring the Microsoft WCF/.NET 3.5 Web Service" | |
Mutual Authentication | 1.1 | Yes | No | | |
This section describes how to implement MTOM in the following interoperability scenarios:
Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 3.5 Client
Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 12c Client
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 Client to implement Message Transmission Optimization Mechanism (MTOM):
Table 5-3 Configuring the OWSM 12c Web Service

Task | Description | More Information |
---|---|---|
1 | Create and deploy a web service application. | -- |
2 | Attach the following policy to the web service: … | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 5-4 Configuring the Microsoft WCF/.NET 3.5 Client

Task | Description | More Information |
---|---|---|
1 | Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. See Example 5-1, "app.config File for MTOM Interoperability". | |
2 | Run the client program. | -- |
Example 5-1 app.config File for MTOM Interoperability
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="CustomBinding_IMTOMService">
          <mtomMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
              messageVersion="Soap12" maxBufferSize="65536" writeEncoding="utf-8">
            <readerQuotas maxDepth="32" maxStringContentLength="8192"
                maxArrayLength="16384" maxBytesPerRead="4096"
                maxNameTableCharCount="16384" />
          </mtomMessageEncoding>
          <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
              maxReceivedMessageSize="65536" allowCookies="false"
              authenticationScheme="Anonymous" bypassProxyOnLocal="false"
              hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true"
              maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
              realm="" transferMode="Buffered"
              unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" />
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="<endpoint_url>" binding="customBinding"
          bindingConfiguration="CustomBinding_IMTOMService"
          contract="IMTOMService" name="CustomBinding_IMTOMService">
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```
The following instructions tell how to configure a Microsoft WCF/.NET 3.5 web service and an OWSM 12c client to implement Message Transmission Optimization Mechanism (MTOM):
Table 5-5 Configuring the Microsoft WCF/.NET 3.5 Web Service

Task | Description | More Information |
---|---|---|
1 | Create a .NET web service. For an example, see Example 5-2, ".NET Web Service for MTOM Interoperability". | "How to: Define a Windows Communication Foundation Service Contract" at … |
2 | Deploy the application. | -- |
Table 5-6 Configuring the OWSM 12c Client

Task | Description | More Information |
---|---|---|
1 | Using JDeveloper, create a SOA composite that consumes the .NET web service. | |
2 | Attach the following policy to the web service client: … | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Example 5-2 .NET Web Service for MTOM Interoperability
```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

class Program
{
    static void Main(string[] args)
    {
        string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";

        // Step 1 of the address configuration procedure: Create a URI to serve as the base address.
        Uri baseAddress = new Uri(uri);

        // Step 2 of the hosting procedure: Create ServiceHost
        ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);

        try
        {
            // Plain HTTP transport, anonymous authentication (MTOM carries no security)
            HttpTransportBindingElement hb = new HttpTransportBindingElement();
            hb.ManualAddressing = false;
            hb.MaxBufferPoolSize = 2147483647;
            hb.MaxReceivedMessageSize = 2147483647;
            hb.AllowCookies = false;
            hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
            hb.KeepAliveEnabled = true;
            hb.MaxBufferSize = 2147483647;
            hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
            hb.Realm = "";
            hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
            hb.UnsafeConnectionNtlmAuthentication = false;
            hb.UseDefaultWebProxy = true;

            // MTOM message encoding, SOAP 1.2
            MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
            me.MaxReadPoolSize = 64;
            me.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
            me.WriteEncoding = System.Text.Encoding.UTF8;
            me.MaxWritePoolSize = 2147483647;
            me.MaxBufferSize = 2147483647;
            me.ReaderQuotas.MaxArrayLength = 2147483647;

            CustomBinding binding1 = new CustomBinding();
            binding1.Elements.Add(me);
            binding1.Elements.Add(hb);

            ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1, "MTOMService");
            EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
                EndpointIdentity.CreateDnsIdentity("WSMCert3"));
            ep.Address = myEndpointAdd;

            // Step 4 of the hosting procedure: Enable metadata exchange.
            ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
            smb.HttpGetEnabled = true;
            selfHost.Description.Behaviors.Add(smb);

            // Return exception details in faults. This is a debugging aid: it exposes
            // server-side exception information to every caller and should be off in production.
            ServiceDebugBehavior svcDebug = selfHost.Description.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;

            // Step 5 of the hosting procedure: Start (and then stop) the service.
            selfHost.Open();
            Console.WriteLine("The service " + uri + " is ready.");
            Console.WriteLine("Press <ENTER> to terminate service.");
            Console.WriteLine();
            Console.ReadLine();

            // Close the ServiceHostBase to shutdown the service.
            selfHost.Close();
        }
        catch (CommunicationException ce)
        {
            Console.WriteLine("An exception occurred: {0}", ce.Message);
            selfHost.Abort();
        }
    }
}
```
This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard, with or without secure conversation enabled, in the following interoperability scenarios:
Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 3.5 Client
Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 12c Client
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 client to implement username token with message protection that conforms to the WS-Security 1.1 standard, both with and without secure conversation enabled:
Table 5-7 Configuring the OWSM 12c Web Service

Task | Description | More Information |
---|---|---|
1 | Create a web service application. | -- |
2 | Select the policy to use based on whether or not you want to enable secure conversation. If you do not want to enable secure conversation, clone either of the following policies: … To enable secure conversation, clone the following policy: … Note: In the case of secure conversation enabled, you will have to configure the … | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Export the X.509 certificate file from the keystore on the service side to a file, for example: `keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks` | -- |
Table 5-8 Configuring the Microsoft WCF/.NET 3.5 Client

Task | Description | More Information |
---|---|---|
1 | Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc), as follows: … | "How to: View Certificates with the MMC Snap-in" at … |
2 | Generate a .NET client using the WSDL of the web service. | "How to: Create a Windows Communication Foundation Client" at … |
3 | In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to … | -- |
4 | Edit the … If you follow the default key setup, then … | -- |
5 | Edit the … If you do not want to enable secure conversation, edit the … To enable secure conversation, edit the … | |
6 | Compile the project. | -- |
7 | Open a command prompt and navigate to the project's Debug folder. | -- |
8 | Enter … | -- |
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="secureBehaviour">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="<certificate_cn>" storeLocation="CurrentUser"
                  storeName="My" x509FindType="FindBySubjectName"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <binding name="HelloWorldSoapHttp">
          <!-- To enable secure conversation, use authenticationMode="SecureConversation"
               instead of the value for authenticationMode shown below -->
          <security authenticationMode="UserNameOverTransport" defaultAlgorithmSuite="Basic128"
              requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
              keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="true">
            <localClientSettings cacheCookies="true" detectReplays="false" replayCacheSize="900000"
                maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00"
                sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00"
                reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00"
                cookieRenewalThresholdPercentage="60"/>
            <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
                timestampValidityDuration="00:05:00" />
            <secureConversationBootstrap />
            <!-- To enable secure conversation, add the following properties to the
                 secureConversationBootstrap element:
                 <secureConversationBootstrap authenticationMode="UserNameOverTransport"
                     requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                     keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
                     messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                     requireSignatureConfirmation="true"/> -->
          </security>
          <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
              messageVersion="Soap11" writeEncoding="utf-8">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
              maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
              bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
              keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
              realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
              useDefaultWebProxy="true" />
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="<endpoint_url>" binding="customBinding"
          bindingConfiguration="HelloWorldSoapHttp" contract="HelloWorld"
          name="HelloWorldPort" behaviorConfiguration="secureBehaviour">
        <identity>
          <dns value="<certificate_cn>"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```
The following instructions tell how to configure a Microsoft WCF/.NET 3.5 web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.1 standard:
Table 5-9 Configuring the Microsoft WCF/.NET 3.5 Web Service

Task | Description | More Information |
---|---|---|
1 | Create a .NET web service. Be sure to create a custom binding for the web service using the … | "How to: Define a Windows Communication Foundation Service Contract" at … |
2 | Create and import a certificate file to the keystore on the web service server. Using Microsoft Visual Studio, the command would be similar to the following: `makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer` This command creates and imports a certificate in mmc. If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at … `makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer` `pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1` Then, in mmc, import … | -- |
3 | Import the certificate created on the web service server to the client server using the … `keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore>` | -- |
4 | Right-click on the web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer. | -- |
5 | Navigate to the … | -- |
6 | Double-click the … | -- |
Table 5-10 Configuring the OWSM 12c Client

Task | Description | More Information |
---|---|---|
1 | Using JDeveloper, create a SOA composite that consumes the .NET web service. | |
2 | In JDeveloper, create a partner link using the WSDL of the .NET service. | -- |
3 | Attach the following policy to the web service client: … | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Provide configurations for the … You can specify this information when attaching the policy, by overriding the policy configuration. Ensure that you configure the … (see the policy reference and property overrides shown after this table). | "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager |

The policy reference and property overrides referred to in task 4:

```xml
<wsp:PolicyReference URI="oracle/wss11_username_token_with_message_protection_client_policy"
    orawsp:category="security" orawsp:status="enabled"/>
<property name="csf-key" type="xs:string" many="false">
  basic.credentials
</property>
<property name="keystore.recipient.alias" type="xs:string" many="false">
  wsmcert3
</property>
```
Example 5-4 Example of .NET Web Service
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

class Program
{
    static void Main(string[] args)
    {
        // Step 1 of the address configuration procedure: Create a URI to serve as the
        // base address.
        // Step 2 of the hosting procedure: Create ServiceHost
        string uri = "http://host:port/TEST/NetService";
        Uri baseAddress = new Uri(uri);
        ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);

        try
        {
            // Username token protected with the service certificate (WS-Security 1.1)
            SymmetricSecurityBindingElement sm =
                SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
            sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
            sm.SetKeyDerivation(false);
            sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
            sm.IncludeTimestamp = true;
            sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
            sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            sm.MessageSecurityVersion = MessageSecurityVersion
                .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            sm.RequireSignatureConfirmation = true;

            sm.LocalClientSettings.CacheCookies = true;
            sm.LocalClientSettings.DetectReplays = true;
            sm.LocalClientSettings.ReplayCacheSize = 900000;
            sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
            sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
            sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00);
            sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
            sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
            sm.LocalClientSettings.ReconnectTransportOnFailure = true;
            sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00);
            sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;

            // Replay detection is switched off on the service side in this sample.
            sm.LocalServiceSettings.DetectReplays = false;
            sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
            sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
            sm.LocalServiceSettings.ReplayCacheSize = 900000;
            sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
            sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
            sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
            sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
            sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
            sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
            sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
            sm.LocalServiceSettings.MaxPendingSessions = 128;
            sm.LocalServiceSettings.MaxCachedCookies = 1000;
            sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);

            HttpTransportBindingElement hb = new HttpTransportBindingElement();
            hb.ManualAddressing = false;
            hb.MaxBufferPoolSize = 524288;
            hb.MaxReceivedMessageSize = 65536;
            hb.AllowCookies = false;
            hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
            hb.KeepAliveEnabled = true;
            hb.MaxBufferSize = 65536;
            hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
            hb.Realm = "";
            hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
            hb.UnsafeConnectionNtlmAuthentication = false;
            hb.UseDefaultWebProxy = true;

            TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
            tb1.MaxReadPoolSize = 64;
            tb1.MaxWritePoolSize = 16;
            tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
            tb1.WriteEncoding = System.Text.Encoding.UTF8;

            CustomBinding binding1 = new CustomBinding(sm);
            binding1.Elements.Add(tb1);
            binding1.Elements.Add(hb);

            ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1, "CalculatorService");
            EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
                EndpointIdentity.CreateDnsIdentity("WSMCert3"));
            ep.Address = myEndpointAdd;

            // Step 4 of the hosting procedure: Enable metadata exchange.
            ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
            smb.HttpGetEnabled = true;
            selfHost.Description.Behaviors.Add(smb);

            // Service certificate used to protect messages, and how client credentials are validated
            selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser,
                StoreName.My, X509FindType.FindBySubjectName, "WSMCert3");
            selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.PeerOrChainTrust;
            selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
                UserNamePasswordValidationMode.Custom;
            // CustomUserNameValidator derives from UserNamePasswordValidator; its definition is not shown here.
            CustomUserNameValidator cu = new CustomUserNameValidator();
            selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;

            // Return exception details in faults. This is a debugging aid: it exposes
            // server-side exception information to every caller and should be off in production.
            ServiceDebugBehavior svcDebug = selfHost.Description.Behaviors.Find<ServiceDebugBehavior>();
            svcDebug.IncludeExceptionDetailInFaults = true;

            // Step 5 of the hosting procedure: Start (and then stop) the service.
            selfHost.Open();
            Console.WriteLine("The Calculator service is ready.");
            Console.WriteLine("Press <ENTER> to terminate service.");
            Console.WriteLine();
            Console.ReadLine();
            selfHost.Close();
        }
        catch (CommunicationException ce)
        {
            Console.WriteLine("An exception occurred: {0}", ce.Message);
            selfHost.Abort();
        }
    }
}
```
This section describes how to implement username token over SSL in the following interoperability scenario:
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 client to implement username token over SSL, both with and without secure conversation enabled:
Table 5-11 Configuring the OWSM 12c Web Service

Task | Description | More Information |
---|---|---|
1 | Configure the server for SSL. | "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Create an OWSM web service. | -- |
3 | Select the policy to use based on whether or not you want to enable secure conversation. If you do not want to enable secure conversation, use either of the following policies: … To enable secure conversation, use the following policy: … Note: In the case of secure conversation enabled, you will have to configure the … | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Edit the policy settings, as follows: … | -- |
5 | Attach the policy. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 5-12 Configuring the Microsoft WCF/.NET 3.5 Client

Task | Description | More Information |
---|---|---|
1 | Generate a .NET client using the WSDL of the web service. | "How to: Create a Windows Communication Foundation Client" at … |
2 | In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to … | -- |
3 | Edit the … | -- |
4 | Edit the … If you do not want to enable secure conversation, edit the … To enable secure conversation, edit the … | |
5 | Compile the project. | -- |
6 | Open a command prompt and navigate to the project's Debug folder. | -- |
7 | Type … | -- |
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="BPELProcess1Binding">
          <!-- To enable secure conversation, you must use authenticationMode="SecureConversation"
               instead of the value for authenticationMode shown below, under security -->
          <security defaultAlgorithmSuite="Basic128" authenticationMode="UserNameOverTransport"
              requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
              keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="true">
            <localClientSettings cacheCookies="true" detectReplays="false" replayCacheSize="900000"
                maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00"
                sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00"
                reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00"
                cookieRenewalThresholdPercentage="60"/>
            <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
                timestampValidityDuration="00:05:00" />
            <secureConversationBootstrap />
            <!-- To enable secure conversation, add the following properties to the
                 secureConversationBootstrap element:
                 <secureConversationBootstrap authenticationMode="UserNameOverTransport"
                     requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
                     keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
                     messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                     requireSignatureConfirmation="true"/> -->
          </security>
          <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
              messageVersion="Soap11" writeEncoding="utf-8">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <!-- SSL transport: the username token is protected by the TLS connection -->
          <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
              maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
              bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
              keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
              realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
              useDefaultWebProxy="true" requireClientCertificate="false"/>
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="https://host:port/soa-infra/services/default/IO_NET6/bpelprocess1_client_ep"
          binding="customBinding" bindingConfiguration="BPELProcess1Binding"
          contract="BPELProcess1" name="BPELProcess1_pt" />
    </client>
  </system.serviceModel>
</configuration>
```
This section describes how to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:
Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 3.5 Client
Configuring a Microsoft WCF/.NET 3.5 Web Service and an OWSM 12c Client
Before configuring the web service and client in either of the above scenarios, follow the instructions in "Configuration Prerequisites".
Table 5-13 describes how to perform prerequisite configuration tasks for implementing mutual authentication with message protection that conforms to the WS-Security 1.1 standard.
Table 5-13 Configuration Prerequisites for Interoperability

Task | Description | More Information |
---|---|---|
1 | Export the X.509 certificate file from the keystore on the service side to a file, for example: `keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks` | -- |
2 | Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). | "How to: View Certificates with the MMC Snap-in" at … |
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 client to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard:
Table 5-14 Configuring the OWSM 12c Web Service

Task | Description | More Information |
---|---|---|
1 | Create a SOA composite and deploy it. | -- |
2 | Using Fusion Middleware Control, attach the following policy to the web service: … | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 5-15 Configuring the Microsoft WCF/.NET 3.5 Client

Task | Description | More Information |
---|---|---|
1 | Use the Microsoft SvcUtil utility to create a client proxy (see Table 5-15, "Client Program") and configuration file from the deployed web service. | |
2 | In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to … | -- |
3 | Create an … An example of the complete file is shown in Example 5-6, "app.config File". The steps listed below are called out in the numbered comments in the example: … | -- |
4 | Compile the project. | -- |
5 | Open a command prompt and navigate to the project's Debug folder. | -- |
6 | Enter … | -- |
Example 5-6 app.config File

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <!-- 1. Define behaviors with credentials -->
    <behaviors>
      <endpointBehaviors>
        <behavior name="secureBehaviour">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="<certificate_cn>" storeLocation="CurrentUser"
                  storeName="My" x509FindType="FindBySubjectName"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <binding name="BPELProcess1Binding">
          <!-- 2. Create a custom binding (authenticationMode="MutualCertificate") -->
          <security defaultAlgorithmSuite="Basic128" authenticationMode="MutualCertificate"
              requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
              keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="true">
            <!-- 3. Disable the message replay detection (detectReplays="false") -->
            <localClientSettings cacheCookies="true" detectReplays="false" replayCacheSize="900000"
                maxClockSkew="00:05:00" maxCookieCachingTime="Infinite" replayWindow="00:05:00"
                sessionKeyRenewalInterval="10:00:00" sessionKeyRolloverInterval="00:05:00"
                reconnectTransportOnFailure="true" timestampValidityDuration="00:05:00"
                cookieRenewalThresholdPercentage="60" />
            <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
                timestampValidityDuration="00:05:00" />
            <secureConversationBootstrap />
          </security>
          <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
              messageVersion="Soap11" writeEncoding="utf-8">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
              maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
              bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
              keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
              realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
              useDefaultWebProxy="true" />
        </binding>
      </customBinding>
    </bindings>
    <client>
      <!-- 4. Modify endpoint behavior (behaviorConfiguration and identity) -->
      <endpoint address="http://<server>:<port>/MyWebService1SoapHttpPort" binding="customBinding"
          bindingConfiguration="BPELProcess1Binding" contract="MyWebService1"
          name="MyWebService1SoapHttpPort" behaviorConfiguration="secureBehaviour">
        <identity>
          <dns value="<certificate_cn>"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

namespace IO_NET10_client
{
    class Program
    {
        static void Main(string[] args)
        {
            BPELProcess1Client client = new BPELProcess1Client();
            // Client certificate (subject name "WSMCert3" in CurrentUser\My) used to sign the request
            client.ClientCredentials.ClientCertificate.SetCertificate(
                StoreLocation.CurrentUser, StoreName.My,
                X509FindType.FindBySubjectName, "WSMCert3");
            // Service certificate ("Alice") used to encrypt the request and verify the response
            client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                StoreLocation.CurrentUser, StoreName.My,
                X509FindType.FindBySubjectName, "Alice");
            process proc = new process();
            proc.input = "Test wss11_x509_token_with_message_protection_policy - ";
            Console.WriteLine(proc.input);
            processResponse response = client.process(proc);
            Console.WriteLine(response.result.ToString());
            Console.WriteLine("Press <ENTER> to terminate Client.");
            Console.ReadLine();
        }
    }
}
```
The following instructions tell how to configure a Microsoft WCF/.NET 3.5 web service and an OWSM 12c client to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standards:
Table 5-16 Configuring the Microsoft WCF/.NET 3.5 Web Service
Task | Description | More Information |
---|---|---|
1 | Create a .NET web service. For an example, see Example 5-4, "Example of .NET Web Service". | "How to: Define a Windows Communication Foundation Service Contract" at |
2 | Create a custom binding for the web service using the SymmetricSecurityBindingElement. The following is a sample of the SymmetricSecurityBindingElement object: `SymmetricSecurityBindingElement sm = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(); sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128; sm.SetKeyDerivation(false); sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax; sm.IncludeTimestamp = true; sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt; sm.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; sm.RequireSignatureConfirmation = true;` | "How to: Create a Custom Binding Using the SecurityBindingElement" at |
4 | Deploy the application. | -- |
Table 5-17 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Using JDeveloper, create a SOA composite that consumes the .NET web service. | |
2 | In JDeveloper, create a partner link using the WSDL of the .NET service and add the import as follows: `<wsdl:import namespace="<namespace>" location="<WSDL location>"/>` | -- |
3 | In Fusion Middleware Control, attach the following policy to the web service client: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Provide configurations for the You can specify this information when attaching the policy, by overriding the policy configuration. Ensure that you configure the | "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Invoke the web service method from the client. | -- |
This section describes how to implement Kerberos with message protection in the following interoperability scenario:
Table 5-18 Configuration Prerequisites for Interoperability
Task | Description | More Information |
---|---|---|
1 | Configure the Key Distribution Center (KDC) and Active Directory (AD). | "To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at |
2 | Set up the Kerberos configuration file | -- |
Example 5-8 Kerberos Configuration File

```ini
[logging]
 default = c:\log\krb5libs.log
 kdc = c:\log\krb5kdc.log
 admin_server = c:\log\kadmind.log

[libdefaults]
 default_realm = MYCOMPANY.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 kdc = hostname

[realms]
 MYCOMPANY.LOCAL = {
  kdc = host:port
  admin_server = host:port
  default_domain = <domainname>
 }

[domain_realm]
 .<domainname> = MYCOMPANY.LOCAL
 <domainname> = MYCOMPANY.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with message protection:
Table 5-19 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create and deploy a web service application. | -- |
2 | Clone the following policy: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Edit the policy settings to set Algorithm Suite to | -- |
4 | Attach the policy to the web service. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 5-20 Configuring the Microsoft WCF/.NET 3.5 Client
Task | Description | More Information |
---|---|---|
1 | Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name is | -- |
2 | Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running: where Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite web service is hosted. | -- |
3 | Use the following Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command | -- |
4 | Use the Microsoft svcutil utility to create a client proxy and configuration file from the deployed web service. Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item. In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab): `<client> <endpoint address="http://host:port/HelloServicePort" binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding" contract="NewHello" name="HelloServicePort"> <identity> <servicePrincipalName value="HTTP/foobar@MYCOMPANY.LOCAL"/> </identity> </endpoint> </client>` A sample binding is provided in Example 5-9, "Custom Binding". | |
5 | Run the client program. | -- |
Example 5-9 Custom Binding

```xml
<customBinding>
  <binding name="NewHelloSoap12HttpPortBinding">
    <!--Added by User: Begin-->
    <security defaultAlgorithmSuite="Basic128"
              authenticationMode="Kerberos"
              requireDerivedKeys="false"
              securityHeaderLayout="Lax"
              includeTimestamp="true"
              keyEntropyMode="CombinedEntropy"
              messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="true">
      <localClientSettings cacheCookies="true"
                           detectReplays="true"
                           replayCacheSize="900000"
                           maxClockSkew="00:05:00"
                           maxCookieCachingTime="Infinite"
                           replayWindow="00:05:00"
                           sessionKeyRenewalInterval="10:00:00"
                           sessionKeyRolloverInterval="00:05:00"
                           reconnectTransportOnFailure="true"
                           timestampValidityDuration="00:05:00"
                           cookieRenewalThresholdPercentage="60" />
      <localServiceSettings detectReplays="true"
                            issuedCookieLifetime="10:00:00"
                            maxStatefulNegotiations="128"
                            replayCacheSize="900000"
                            maxClockSkew="00:05:00"
                            negotiationTimeout="00:01:00"
                            replayWindow="00:05:00"
                            inactivityTimeout="00:02:00"
                            sessionKeyRenewalInterval="15:00:00"
                            sessionKeyRolloverInterval="00:05:00"
                            reconnectTransportOnFailure="true"
                            maxPendingSessions="128"
                            maxCachedCookies="1000"
                            timestampValidityDuration="00:05:00" />
      <secureConversationBootstrap />
    </security>
    <!--Added by User: End-->
    <textMessageEncoding maxReadPoolSize="64"
                         maxWritePoolSize="16"
                         messageVersion="Soap12"
                         writeEncoding="utf-8">
      <readerQuotas maxDepth="32"
                    maxStringContentLength="8192"
                    maxArrayLength="16384"
                    maxBytesPerRead="4096"
                    maxNameTableCharCount="16384" />
    </textMessageEncoding>
    <!--Added by User: Begin-->
    <httpTransport manualAddressing="false"
                   maxBufferPoolSize="524288"
                   maxReceivedMessageSize="65536"
                   allowCookies="false"
                   authenticationScheme="Anonymous"
                   bypassProxyOnLocal="false"
                   hostNameComparisonMode="StrongWildcard"
                   keepAliveEnabled="true"
                   maxBufferSize="65536"
                   proxyAuthenticationScheme="Anonymous"
                   realm=""
                   transferMode="Buffered"
                   unsafeConnectionNtlmAuthentication="false"
                   useDefaultWebProxy="true" />
    <!--Added by User: End-->
  </binding>
</customBinding>
```
This section describes how to implement Kerberos with message protection using derived keys in the following interoperability scenario:
Before configuring the web service and client in the above scenario, follow the instructions in Section 5.7.1, "Configuration Prerequisites."
Table 5-21 describes how to perform prerequisite configuration tasks for implementing Kerberos with message protection using derived keys.
Table 5-21 Configuration Prerequisites for Interoperability
Task | Description | More Information |
---|---|---|
1 | Configure the Key Distribution Center (KDC) and Active Directory (AD). | |
2 | Set up the Kerberos configuration file | -- |
Example 5-10 Kerberos Configuration File

```ini
[logging]
 default = c:\log\krb5libs.log
 kdc = c:\log\krb5kdc.log
 admin_server = c:\log\kadmind.log

[libdefaults]
 default_realm = MYCOMPANY.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 kdc = hostname

[realms]
 MYCOMPANY.LOCAL = {
  kdc = host:port
  admin_server = host:port
  default_domain = <domainname>
 }

[domain_realm]
 .<domainname> = MYCOMPANY.LOCAL
 <domainname> = MYCOMPANY.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with message protection:
Table 5-22 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create and deploy a web service application. | -- |
2 | Clone the following policy: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Edit the policy settings to enable the Derived Keys option. | -- |
4 | Attach the policy to the web service. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 5-23 Configuring the Microsoft WCF/.NET 3.5 Client
Task | Description |
---|---|
1 | Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar". |
2 | Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running: where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly" or crypto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite web service is hosted. |
3 | Use the following Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command |
4 | Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item. In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab): `<client> <endpoint address="http://host:port/HelloServicePort" binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding" contract="NewHello" name="HelloServicePort"> <identity> <servicePrincipalName value="HTTP/foobar@MYCOMPANY.LOCAL"/> </identity> </endpoint> </client>` A sample binding is provided in Example 5-11, "Custom Binding". |
5 | Run the client program. |
Example 5-11 Custom Binding

```xml
<customBinding>
  <binding name="NewHelloSoap12HttpPortBinding">
    <!--Added by User: Begin-->
    <security defaultAlgorithmSuite="Basic128"
              authenticationMode="Kerberos"
              requireDerivedKeys="true"
              securityHeaderLayout="Lax"
              includeTimestamp="true"
              keyEntropyMode="CombinedEntropy"
              messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="true">
      <localClientSettings cacheCookies="true"
                           detectReplays="true"
                           replayCacheSize="900000"
                           maxClockSkew="00:05:00"
                           maxCookieCachingTime="Infinite"
                           replayWindow="00:05:00"
                           sessionKeyRenewalInterval="10:00:00"
                           sessionKeyRolloverInterval="00:05:00"
                           reconnectTransportOnFailure="true"
                           timestampValidityDuration="00:05:00"
                           cookieRenewalThresholdPercentage="60" />
      <localServiceSettings detectReplays="true"
                            issuedCookieLifetime="10:00:00"
                            maxStatefulNegotiations="128"
                            replayCacheSize="900000"
                            maxClockSkew="00:05:00"
                            negotiationTimeout="00:01:00"
                            replayWindow="00:05:00"
                            inactivityTimeout="00:02:00"
                            sessionKeyRenewalInterval="15:00:00"
                            sessionKeyRolloverInterval="00:05:00"
                            reconnectTransportOnFailure="true"
                            maxPendingSessions="128"
                            maxCachedCookies="1000"
                            timestampValidityDuration="00:05:00" />
      <secureConversationBootstrap />
    </security>
    <!--Added by User: End-->
    <textMessageEncoding maxReadPoolSize="64"
                         maxWritePoolSize="16"
                         messageVersion="Soap12"
                         writeEncoding="utf-8">
      <readerQuotas maxDepth="32"
                    maxStringContentLength="8192"
                    maxArrayLength="16384"
                    maxBytesPerRead="4096"
                    maxNameTableCharCount="16384" />
    </textMessageEncoding>
    <!--Added by User: Begin-->
    <httpTransport manualAddressing="false"
                   maxBufferPoolSize="524288"
                   maxReceivedMessageSize="65536"
                   allowCookies="false"
                   authenticationScheme="Anonymous"
                   bypassProxyOnLocal="false"
                   hostNameComparisonMode="StrongWildcard"
                   keepAliveEnabled="true"
                   maxBufferSize="65536"
                   proxyAuthenticationScheme="Anonymous"
                   realm=""
                   transferMode="Buffered"
                   unsafeConnectionNtlmAuthentication="false"
                   useDefaultWebProxy="true" />
    <!--Added by User: End-->
  </binding>
</customBinding>
```
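The Kerberos custom binding of Example 5-9 (requireDerivedKeys="false") and Example 5-11 (requireDerivedKeys="true") can also be built in code, which is useful when the SPN or the derived-key setting has to be decided at run time rather than fixed in app.config. The following is an added example and is not code from the Oracle documentation or from WCF itself; `KerberosBindingFactory` and its `Create(bool)` helper are hypothetical names, `NewHelloClient` is assumed to be the proxy class that SvcUtil generates for the `NewHello` contract, and the service URL and SPN are taken from the command line so that the page's `host:port` placeholders are not hard-coded.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

namespace KerberosClient
{
    // Added example (hypothetical helper): builds the binding of Example 5-9 / 5-11 in code.
    public static class KerberosBindingFactory
    {
        public static CustomBinding Create(bool deriveKeys)
        {
            // authenticationMode="Kerberos": the client presents a Kerberos service ticket for the
            // endpoint SPN and the ticket session key protects the SOAP message (symmetric binding).
            SymmetricSecurityBindingElement security = SecurityBindingElement.CreateKerberosBindingElement();
            security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;
            security.SetKeyDerivation(deriveKeys);                       // requireDerivedKeys
            security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
            security.IncludeTimestamp = true;
            security.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
            security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            security.MessageSecurityVersion = MessageSecurityVersion
                .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            security.RequireSignatureConfirmation = true;

            // localClientSettings: replay detection stays on, with the 5-minute windows of the listing.
            security.LocalClientSettings.DetectReplays = true;
            security.LocalClientSettings.ReplayWindow = TimeSpan.FromMinutes(5);
            security.LocalClientSettings.MaxClockSkew = TimeSpan.FromMinutes(5);
            security.LocalClientSettings.TimestampValidityDuration = TimeSpan.FromMinutes(5);

            // textMessageEncoding messageVersion="Soap12"
            TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement();
            encoding.MessageVersion = MessageVersion.Soap12;

            // httpTransport authenticationScheme="Anonymous": HTTP carries no credential of its own;
            // authentication happens only in the WS-Security header.
            HttpTransportBindingElement transport = new HttpTransportBindingElement();
            transport.AuthenticationScheme = AuthenticationSchemes.Anonymous;
            transport.MaxReceivedMessageSize = 65536;

            // Binding elements are ordered top-down: security, then encoding, then transport.
            return new CustomBinding(security, encoding, transport);
        }

        // Code equivalent of <identity><servicePrincipalName value="..."/></identity>: WCF requests a
        // ticket for exactly this SPN, so it must be the SPN registered for the service with ktpass.
        public static EndpointAddress CreateAddress(string serviceUrl, string spn)
        {
            return new EndpointAddress(new Uri(serviceUrl), EndpointIdentity.CreateSpnIdentity(spn));
        }
    }

    class Program
    {
        // Usage: Program.exe http://host:port/HelloServicePort HTTP/foobar@MYCOMPANY.LOCAL [derived]
        static void Main(string[] args)
        {
            if (args.Length < 2)
            {
                Console.WriteLine("usage: <service-url> <spn> [derived]");
                return;
            }
            bool deriveKeys = args.Length > 2 && args[2] == "derived";   // Example 5-11 when "derived"
            CustomBinding binding = KerberosBindingFactory.Create(deriveKeys);
            EndpointAddress address = KerberosBindingFactory.CreateAddress(args[0], args[1]);

            // NewHelloClient is the proxy SvcUtil generates for the NewHello contract (assumed name);
            // generated proxies expose a (Binding, EndpointAddress) constructor.
            NewHelloClient client = new NewHelloClient(binding, address);
            client.Open();
            Console.WriteLine("Kerberos-protected channel to {0} opened (derived keys: {1})",
                              address.Uri, deriveKeys);
            // Invoke the operation defined by the generated NewHello contract here, then close.
            client.Close();
        }
    }
}
```

The binding produced by `Create(false)` matches Example 5-9 and `Create(true)` matches Example 5-11; the OWSM policy attached to the service decides which one is correct, because the Derived Keys option on the service policy (Table 5-22, task 3) and `requireDerivedKeys` on the client must agree or the WS-Security handshake fails.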
This section describes how to implement Kerberos with SPNEGO negotiation in the following interoperability scenario:
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with SPNEGO negotiation:
Table 5-24 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create and deploy a web service application. | -- |
2 | Create a policy that uses the | "Configuring Kerberos With SPNEGO Negotiation" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Attach the policy to the web service. | -- |
Table 5-25 Configuring the Microsoft WCF/.NET 3.5 Client
Task | Description | More Information |
---|---|---|
1 | Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. | |
2 | Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item. | -- |
3 | Edit the In this listing, note that the values of the contract and name attributes of the endpoint element are obtained from the generatedProxy.cs file. | -- |
4 | Compile the client. | -- |
5 | After attaching the OWSM policy to the deployed web service, run the client. | -- |
```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BPELProcessBinding">
          <!-- Windows (SPNEGO) credentials are carried on the HTTP transport; no message security -->
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://host:port/soa-infra/services/default/SOAProxy/bpelprocess_client_ep"
                binding="basicHttpBinding"
                bindingConfiguration="BPELProcessBinding"
                contract="BPELProcess"
                name="BPELProcess_pt">
        <identity>
          <servicePrincipalName value="HTTP/host:port@MYCOMPANY.LOCAL" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```
This section describes how to implement Kerberos with SPNEGO negotiation and credential delegation in the following interoperability scenario:
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 3.5 client to implement Kerberos with SPNEGO negotiation and credential delegation:
Table 5-26 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create and deploy a web service application. | -- |
2 | Create a policy that uses the | "Configuring Kerberos With SPNEGO Negotiation" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
3 | Attach the policy to the web service. | -- |
4 | Set the value of the You can specify this information when attaching the policy, by overriding the policy configuration. | "Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 5-27 Configuring the Microsoft WCF/.NET 3.5 Client
Task | Description | More Information |
---|---|---|
1 | Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. | |
2 | Add the files | -- |
3 | Edit the In the example, note that the values of the contract and name attributes of the endpoint element are obtained from the | -- |
4 | Compile the client. | -- |
5 | After attaching the OWSM policy to the deployed web service, run the client. | -- |
```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BPELProcess1Binding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://host:port/soa-infra/services/default/SOAProxy/bpelprocess1_client_ep"
                binding="basicHttpBinding"
                bindingConfiguration="BPELProcess1Binding"
                contract="BPELProcess1"
                name="BPELProcess1_pt"
                behaviorConfiguration="CredentialDelegation">
        <identity>
          <servicePrincipalName value="HTTP/host:port@MYCOMPANY.LOCAL" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="CredentialDelegation">
          <clientCredentials>
            <!-- Delegation lets the service act on the caller's behalf; NTLM fallback is disabled -->
            <windows allowedImpersonationLevel="Delegation" allowNtlm="false"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```
This section tells how to secure a WCF/.NET 3.5 client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) secure token service (STS), using a policy utilizing SAML bearer token over one-way SSL.
Note: The SAML sender vouches token is not supported in this use case.
The procedure described in this section assumes that you install and configure ADFS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 system. This system is set up in the STS role.
The section includes the following topics:
Section 5.10.1, "Install and Configure Active Directory Federation Services (ADFS) 2.0"
Section 5.10.2, "Configure ADFS 2.0 STS As Trusted SAML Token Issuer"
Section 5.10.3, "Configure Users in Oracle Internet Directory"
Section 5.10.5, "Register the Web Service as a Relying Party in ADFS 2.0"
The following instructions tell how to install and configure ADFS 2.0:
Table 5-28 Install and Configure Active Directory Federation Services (ADFS) 2.0
Task | Description | More Information |
---|---|---|
1 | Install and configure Active Directory. | |
2 | Install ADFS 2.0 and configure it using the wizard. As you configure ADFS 2.0 using the wizard, on the Server Role page be sure to click Federation server. | |
3 | Create and configure a self-signed server authentication certificate in IIS and bind it to the default Web site using the Internet Information Services (IIS) Manager console. When done, enable SSL server authentication. The AD FS 2.0 Setup Wizard automatically installed the Web server (IIS) server role on the system. Creating a self-signed server authentication certificate is described generally in | -- |
4 | Configure the system as a standalone federation server. | |
5 | Export the ADFS 2.0 token-signing certificate. For a self-signed certificate, select DER encoded binary X.509 ( If the signing certificate is not self-signed, select Cryptographic Message Syntax Standard – PKCS 7 certificates (.p7b) and check Include all the certificates in the certification path if possible. | |
6 | Create users and include an email address. You later enable the STS to send the email address as the subject name id in the outgoing SAML assertions for the service. Follow these steps to add a sample user to Active Directory. Make sure to set the email address for each user. | -- |
The following instructions tell how to configure OWSM to trust the SAML assertions issued by an ADFS 2.0 STS:
Table 5-29 Configure ADFS 2.0 STS As Trusted SAML Token Issuer
Task | Description | More Information |
---|---|---|
1 | Get the STS signing certificates you exported in Table 5-28, "Install and Configure Active Directory Federation Services (ADFS) 2.0". For a | -- |
2 | Import the certificates into the location of the default keystore using keytool. | -- |
3 | Add | "Configuring SAML Trusted Issuers and DN Lists" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Add the Subject DN (as defined in RFC 2253) of the STS certificate in the Trusted STS Servers section. Use a string that conforms to RFC 2253, such as | "Configuring SAML Trusted Issuers and DN Lists" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
For each user, configure the mail attribute to match the user email address set in ADFS.
See Managing Directory Entries for Creating a User in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on configuring users in Oracle Internet Directory.
Attach any of the following OWSM policies to the web service:
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
oracle/wss_saml_token_bearer_over_ssl_service_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
These policies enforce message protection (integrity and confidentiality) and SAML-based authentication using credentials provided in SAML tokens with the bearer confirmation method in the WS-Security SOAP header. They also verify that the transport protocol provides SSL message protection.
See "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager for information on attaching policies.
Configure ADFS 2.0 to issue the SAML assertion to the web service with the email address or the name ID (SAM-Account-Name) as the subject name id.
See http://technet.microsoft.com/en-us/library/dd807108%28v=ws.10%29.aspx for general information on relying parties.
This section provides use case-specific information.
Add the Web Service as a Relying Party
In the AD FS 2.0 Management console, click AD FS 2.0.
In the details pane, click Add a trusted relying party to start the Add Relying Party Wizard.
On the Welcome page, click Start to begin.
Select Enter data about the relying party manually.
Provide a display name and enter any notes you want.
Select ADFS 2.0 Profile.
On the Configure Certificate page, click Next.
Configuring a token encryption certificate on this page is optional. Configure one on this page if you require that the token be encrypted. If you do not configure a token encryption certificate, the token issued by STS is not encrypted for the service.
WS-Trust is always enabled. Click Next.
For the Relying Party Trust Identifier, enter the service URL and click Add.
Permit all users to access this relying party.
Click Next and then Close.
Configure the Claim Rules for the Service
To enable the STS to send the email address or the name ID as the subject name id in the outgoing SAML assertions for the service, use the steps in this section to create a chain of two claim rules with different templates.
See http://technet.microsoft.com/en-us/library/ee913578%28v=ws.10%29.aspx for general information on claim rules. See http://technet.microsoft.com/en-us/library/dd807115%28v=ws.10%29.aspx to create a rule to send LDAP attributes as claims.
This section provides use case-specific information.
Right-click on the Relying Party for the service and select Edit Claim Rules.
On the Issuance Transform Rules tab select Add Rule.
Select Send LDAP Attribute as Claims as the claim rule template to use.
Give the Claim a name, such as Get LDAP Attributes.
Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
If you want to instead use the name ID as the subject name ID, under LDAP Attribute, select SAM-Account-Name.
Select Finish.
If you use the name ID as the subject name ID, click OK to close the property page and save the changes to the relying party trust.
If you use the email address as the subject name ID, continue to add a rule.
Select Add Rule.
Select Transform an Incoming Claim as the claim rule template to use.
Give it a name, such as Email to Name ID.
Set the Incoming claim type as E-mail Address. (It must match the Outgoing Claim Type in the previous rule.)
Set the Outgoing claim type as Name ID and the Outgoing name ID format as Email (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
Pass through all claim values and click Finish.
Click OK to close the property page and save the changes to the relying party trust.
Perform the following steps to secure WCF/.NET 3.5 Client with ADFS 2.0:
Install .NET 3.5 and Microsoft Visual Studio 2008.
Import the SSL server certificates for STS and the service into Windows.
If the SSL server certificate for STS or the service is not issued by a trusted CA, or is self-signed, it must be imported with the MMC tool, as described in Table 5-18, "Configuration Prerequisites for Interoperability".
Create and Configure the WCF Client.
ADFS 2.0 STS supports multiple security and authentication mechanisms for token issuance. Each is exposed as a separate endpoint. For username/password authentication, two endpoints are provided:
http://<adfs.domain>/adfs/services/trust/13/username — This endpoint is for username token with message protection.
https://<adfs.domain>/adfs/services/trust/13/usernamemixed — This endpoint is for username token with transport protection (SSL).
The WCF client uses the https://<adfs.domain>/adfs/services/trust/13/usernamemixed endpoint for username token on SSL to obtain the SAML bearer token for the service.
Generate the WCF Client with the service WSDL.
See http://msdn.microsoft.com/en-us/library/ms733133(v=vs.90) for information on creating a Windows Communication Foundation client.
Configure the client with ws2007FederationHttpBinding:
In the Solution Explorer of the client project, add a reference by right-clicking on references, selecting Add reference, and browsing to C:\Windows\Microsoft.NET\framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll.
Edit the app.config file. (See http://msdn.microsoft.com/en-us/library/bb472490.aspx for information on WS 2007 Federation HTTP Binding.) Consider the following sample:
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="secureBehaviour">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="weblogic"
                                  storeLocation="LocalMachine"
                                  storeName="My"
                                  x509FindType="FindBySubjectName"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp">
          <!-- SSL protects the transport; the issued SAML 1.1 bearer token is the message credential -->
          <security mode="TransportWithMessageCredential">
            <message negotiateServiceCredential="false"
                     algorithmSuite="Basic128"
                     issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                     issuedKeyType="BearerKey">
              <!-- Token is obtained from the ADFS 2.0 usernamemixed endpoint over SSL -->
              <issuer address="https://domain-name/adfs/services/trust/13/usernamemixed"
                      binding="ws2007HttpBinding"
                      bindingConfiguration="ADFSUsernameMixed"/>
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
      <ws2007HttpBinding>
        <binding name="ADFSUsernameMixed">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" establishSecurityContext="false" />
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>
    <client>
      <endpoint address="https://adc2170989:8002/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLService"
                binding="ws2007FederationHttpBinding"
                bindingConfiguration="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp"
                contract="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL"
                name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLPort">
        <identity>
          <dns value="weblogic" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```
Edit the program.cs file to make the service call. If not already present, create a .cs file in the project and name it program.cs (or any name of your choice). Edit it to match the following:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.ServiceModel;

namespace Client
{
    class Program
    {
        static void Main(string[] args)
        {
            JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient client =
                new JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient();
            // Username/password presented to the ADFS STS usernamemixed endpoint
            client.ClientCredentials.UserName.UserName = "joe";
            client.ClientCredentials.UserName.Password = "eoj";
            // Accepts any server certificate; intended only for a self-signed test certificate
            System.Net.ServicePointManager.ServerCertificateValidationCallback =
                ((sender, certificate, chain, sslPolicyErrors) => true);
            Console.WriteLine(client.echo("Hello"));
            Console.Read();
        }
    }
}
```
In this sample program.cs file:
joe is the username and eoj is the password used by the client to authenticate to the STS.
`System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);` has been added so that the client accepts the server-side self-signed certificate; because the callback returns true for every certificate, it disables server certificate validation entirely. It is not required if the server certificate is issued by a trusted CA. If you use a self-signed certificate for testing, add this method to accept the certificate on the client side.
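A callback that returns true unconditionally accepts any certificate from any server, including the one at the STS endpoint where the username and password are sent. When a self-signed certificate has to be accepted, the safer form is to accept only the expected certificates by thumbprint and to keep rejecting every other failure. The following is an added example, not code from the Oracle documentation; `PinnedCertificateValidator` is a hypothetical helper and the two thumbprints are constructed placeholders to be replaced with the SHA-1 thumbprints of the STS and service SSL certificates (the Thumbprint field in the Windows certificate viewer, with spaces removed).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace Client
{
    // Added example (hypothetical helper): replaces the "=> true" callback with certificate pinning.
    public static class PinnedCertificateValidator
    {
        // Constructed placeholders: SHA-1 thumbprints of the certificates the client is allowed to
        // accept even though no trusted CA issued them. Upper-case hex, no spaces.
        static readonly string[] PinnedThumbprints = new string[]
        {
            "0000000000000000000000000000000000000000",   // ADFS 2.0 STS SSL certificate (placeholder)
            "1111111111111111111111111111111111111111"    // web service SSL certificate (placeholder)
        };

        public static bool Validate(object sender, X509Certificate certificate,
                                    X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            // Certificates that pass the platform's normal validation are accepted as before.
            if (sslPolicyErrors == SslPolicyErrors.None)
                return true;

            // A self-signed certificate produces chain errors only. A host-name mismatch or a
            // missing certificate is still rejected: fix the URL or the certificate, not the check.
            if (certificate == null || sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
                return false;

            return IsPinned(new X509Certificate2(certificate).Thumbprint);
        }

        // True only for a thumbprint in the pinned list; comparison is exact after normalisation.
        public static bool IsPinned(string thumbprint)
        {
            if (string.IsNullOrEmpty(thumbprint))
                return false;
            string normalized = thumbprint.Replace(" ", "").ToUpperInvariant();
            foreach (string pinned in PinnedThumbprints)
            {
                if (string.Equals(normalized, pinned, StringComparison.Ordinal))
                    return true;
            }
            return false;
        }

        // Call once before creating the client, in place of the "=> true" lambda in program.cs.
        public static void Install()
        {
            ServicePointManager.ServerCertificateValidationCallback = Validate;
        }
    }
}
```

With `PinnedCertificateValidator.Install()` in place of the lambda, a certificate issued by a trusted CA keeps working unchanged, the known self-signed test certificates are accepted, and any other certificate, including one that is merely self-signed, still fails the SSL handshake. Because `ServicePointManager` is process-wide, the pinned list applies to both the STS and the service connections the federation binding makes.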