This chapter describes interoperability of Oracle Web Services Manager (OWSM) with Microsoft WCF/.NET 4.5 security environments.
This chapter includes the following sections:
Overview of Interoperability with Microsoft WCF/.NET 4.5 Security Environments
Mutual Authentication with Message Protection (WS-Security 1.1)
WCF/.NET 4.5 Client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) STS
Oracle has performed interoperability testing to ensure that the web service security policies created using OWSM 12c can interoperate with web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 4.5 Framework and vice versa.
For more information about the Microsoft .NET 4.5 (and earlier) Framework, see ".NET Development" at http://msdn.microsoft.com/en-us/library/ff361664%28v=vs.110%29.aspx.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Note:
In most cases, you can attach OWSM policies in source code, before deploying an application, or you can attach policies post deployment, using WLST or Fusion Middleware Control. To simplify the instructions in this chapter, it is assumed that you are attaching policies post deployment. If a situation requires that you attach a policy before deploying, it is described that way in the instructions.Note:
Some of the procedures described in this chapter instruct you to use the Microsoft ServiceModel Metadata Utility Tool (SvcUtil.exe) to create a client proxy and configuration file from the deployed web service. However, SvcUtil.exe does not work with certain security policy assertions used with OWSM. As a workaround when generating a WCF proxy for a web service protected by an OWSM policy, do the following:
Detach the policy.
Generate the proxy using SvcUtil.exe.
Re-attach the policy.
For more information about SvcUtil.exe, see http://msdn.microsoft.com/en-us/library/aa347733%28v=vs.110%29.aspx.
Table 6-1 and Table 6-2 summarize the most common Microsoft .NET 4.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.
Table 6-1 OWSM 12c Service Policy and Microsoft WCF/.NET 4.5 Client Policy Interoperability
| Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
|---|---|---|---|---|---|
|
MTOM |
NA |
NA |
NA |
|
See Table 6-4, "Configuring the Microsoft WCF/.NET 4.5 Client" |
|
Username or SAML |
1.1 |
Yes |
No |
OR
|
See Table 6-8, "Configuring the Microsoft WCF/.NET 4.5 Client" , Table 6-12, "Configuring the Microsoft WCF/.NET 4.5 Client" , and Section 6.10.6, "Step 6: Secure WCF/.NET 4.5 Client with ADFS 2.0,". |
|
Username |
1.0 and 1.1 |
No |
Yes |
OR
|
See Table 6-12, "Configuring the Microsoft WCF/.NET 4.5 Client" |
|
Mutual Authentication |
1.1 |
Yes |
No |
|
See Table 6-17, "Configuring the Microsoft WCF/.NET 4.5 Client" |
|
Kerberos |
1.1 |
Yes |
No |
|
See Table 6-22, "Configuring the Microsoft WCF/.NET 4.5 Client" |
|
SAML Bearer |
1.0 |
No |
Yes |
OR
|
See Section 6.10.6, "Step 6: Secure WCF/.NET 4.5 Client with ADFS 2.0," |
Table 6-2 Microsoft WCF/.NET 4.5 Service Policy and OWSM 12c Client Policy Interoperability
| Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
|---|---|---|---|---|---|
|
MTOM |
NA |
NA |
NA |
See Table 6-5, "Configuring the Microsoft WCF/.NET 4.5 Web Service" |
|
|
Username |
1.1 |
Yes |
No |
See Table 6-9, "Configuring the Microsoft WCF/.NET 4.5 Web Service" |
|
|
Username Token Over SSL |
1.0 |
No |
Yes |
See Table 6-13, "Configuring the Microsoft WCF/.NET 4.5 Web Service" |
|
|
Mutual Authentication |
1.1 |
Yes |
No |
See Table 6-18, "Configuring the Microsoft WCF/.NET 4.5 Web Service" |
|
This section describes how to implement MTOM in the following interoperability scenarios:
Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client
Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 Client to implement Message Transmission Optimization Mechanism (MTOM):
Table 6-3 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create and deploy a web service application. |
"Deploying Web Service Applications" in Administering Web Services. |
|
2 |
Attach the following policy to the web service: |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 6-4 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. See Example 6-1, "app.config File for MTOM Interoperability". |
"ServiceModel Metadata Utility Tool (Svcutil.exe)" at |
|
2 |
Run the client program. |
-- |
Example 6-1 app.config File for MTOM Interoperability
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomBinding_IMTOMService">
<mtomMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" maxBufferSize="65536"
writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength=
"8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</mtomMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="<endpoint_url>"
binding="customBinding" bindingConfiguration="CustomBinding_IMTOMService"
contract="IMTOMService" name="CustomBinding_IMTOMService" >
</endpoint>
</client>
</system.serviceModel>
</configuration>
The following instructions tell how to configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client to implement Message Transmission Optimization Mechanism (MTOM):
Table 6-5 Configuring the Microsoft WCF/.NET 4.5 Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create a .NET web service. For an example, see Example 6-2, ".NET Web Service for MTOM Interoperability". |
"How to: Define a Windows Communication Foundation Service Contract" at |
|
2 |
Deploy the application. |
-- |
Example 6-2 .NET Web Service for MTOM Interoperability
static void Main(string[] args)
{
string uri = "http://host:port/TEST/MTOMService/SOA/MTOMService";
// Step 1 of the address configuration procedure: Create a URI to serve as the base address.
Uri baseAddress = new Uri(uri);
// Step 2 of the hosting procedure: Create ServiceHost
ServiceHost selfHost = new ServiceHost(typeof(MTOMService), baseAddress);
try {
HttpTransportBindingElement hb = new HttpTransportBindingElement();
hb.ManualAddressing = false;
hb.MaxBufferPoolSize = 2147483647;
hb.MaxReceivedMessageSize = 2147483647;
hb.AllowCookies = false;
hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.KeepAliveEnabled = true;
hb.MaxBufferSize = 2147483647;
hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.Realm = "";
hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
hb.UnsafeConnectionNtlmAuthentication = false;
hb.UseDefaultWebProxy = true;
MtomMessageEncodingBindingElement me = new MtomMessageEncodingBindingElement();
me.MaxReadPoolSize=64;
me.MaxWritePoolSize=16;
me.MessageVersion=System.ServiceModel.Channels.MessageVersion.Soap12;
me.WriteEncoding = System.Text.Encoding.UTF8;
me.MaxWritePoolSize = 2147483647;
me.MaxBufferSize = 2147483647;
me.ReaderQuotas.MaxArrayLength = 2147483647;
CustomBinding binding1 = new CustomBinding();
binding1.Elements.Add(me);
binding1.Elements.Add(hb);
ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(IMTOMService), binding1,
"MTOMService");
EndpointAddress myEndpointAdd = new EndpointAddress(new Uri(uri),
EndpointIdentity.CreateDnsIdentity("WSMCert3"));
ep.Address = myEndpointAdd;
// Step 4 of the hosting procedure: Enable metadata exchange.
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
selfHost.Description.Behaviors.Add(smb);
using (ServiceHost host = new ServiceHost(typeof(MTOMService)))
{
System.ServiceModel.Description.ServiceDescription svcDesc =
selfHost.Description;
ServiceDebugBehavior svcDebug =
svcDesc.Behaviors.Find<ServiceDebugBehavior>();
svcDebug.IncludeExceptionDetailInFaults = true;
}
// Step 5 of the hosting procedure: Start (and then stop) the service.
selfHost.Open();
Console.WriteLine("The service " + uri + " is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
// Close the ServiceHostBase to shutdown the service.
selfHost.Close();
}
catch (CommunicationException ce)
{
Console.WriteLine("An exception occurred: {0}", ce.Message);
selfHost.Abort();
}
}
Table 6-6 Configuring the OWSM 12c Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Using JDeveloper, create a SOA composite that consumes the .NET web service. |
|
|
2 |
Attach the following policy to the web service client: |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard--with or without secure conversation enabled--in the following interoperability scenarios:
Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client
Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement username token with message protection that conforms to the WS-Security 1.1 standard, both with and without secure conversation enabled:
Table 6-7 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create a SOAP 1.2 compliant web service application. |
-- |
|
2 |
Select the policy to use based on whether or not you want to enable secure conversation: If you do not want to enable secure conversation, clone either of the following policies:
Note that, in the case of secure conversation not enabled, you will have to set the To enable secure conversation, clone the following policy:
|
"Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
3 |
Edit the policy configuration settings of the cloned policy from step 2, above, as follows:
Attach the policy to the web service. |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
4 |
Also attach the following policy:
|
-- |
|
5 |
Export the X.509 certificate file from the keystore on the service side to a keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks |
"keytool - Key and Certificate Management Tool" at |
Table 6-8 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc), as follows:.
|
"How to: View Certificates with the MMC Snap-in" at |
|
2 |
Generate a .NET client using the WSDL of the web service. Note: You may have to set WS-Addressing action headers to prevent the client from sending implicit |
"How to: Create a Windows Communication Foundation Client" at |
|
3 |
Edit the If you follow the default key setup, then |
-- |
|
4 |
The By default, For example, see Example 6-3 (lines in |
|
|
5 |
Compile the project. |
-- |
|
6 |
Open a command prompt and navigate to the project's Debug folder. |
-- |
|
7 |
Enter |
-- |
Example 6-3 app.config File for Implementing Username Token With Message Protection (WS-Security 1.1)
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser" storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<ws2007HttpBinding>
<binding name="Wss11UsernameTokenWithMessageProtectionWSSCServicePortBinding" >
<security mode="Message">
<message clientCredentialType="UserName"
negotiateServiceCredential="false"
algorithmSuite="Basic128"
establishSecurityContext="true" />
<!-- extablishSecurityContext is true by default and therefore does not
have to be specified to enable secure conversation.
Set establishSecurityContext to false if secure conversation is not enabled -->
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="http://10.244.167.70:7003/OWSMTestApp-Project1-context-root/ws11_username_token_with_message_protection_wsscPort?wsdl"
behaviorConfiguration="PMCert"
binding="ws2007HttpBinding"
bindingConfiguration="Wss11UsernameTokenWithMessageProtectionWSSCServicePortBinding"
contract="ServiceReference1.ws11_username_token_with_message_protection_wssc"
name="ws11_username_token_with_message_protection_wsscPort">
<identity>
<dns value="orakey" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
The following instructions tell how to configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.1 standard:
Table 6-9 Configuring the Microsoft WCF/.NET 4.5 Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create a .NET web service. Create a custom binding for the web service using the To enable secure conversation, make the following adjustments to the code in the example. Create another
Then create a new custom binding:
|
"How to: Define a Windows Communication Foundation Service Contract" at |
|
2 |
Create and import a certificate file to the keystore on the web service server. Using Microsoft Visual Studio, the command would be similar to the following: makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my C:\wsmcert3.cer This command creates and imports a certificate in mmc. If the command does not provide expected results, then try the following sequence of commands. You need to download Windows Developer Kit (WDK) at makecert -r -pe -n "CN=wsmcert3" -sky exchange -ss my -sv wscert3.pvk C:\wsmcert3.cer pvk2pfx.exe -pvk wscert3.pvk -spc wsmcert3.cer -pfx PRF_WSMCert3.pfx -pi welcome1 Then, in mmc, import |
-- |
|
3 |
Import the certificate created on the web service server to the client server using the keytool -import -alias wsmcert3 -file C:\wsmcert3.cer -keystore <owsm_client_keystore> |
"keytool - Key and Certificate Management Tool" at |
|
4 |
Right-click on the web service Solution project in Solutions Explorer and click Open Folder In Windows Explorer. |
-- |
|
5 |
Navigate to the |
-- |
|
6 |
Double-click the |
-- |
Example 6-4 Example of .NET Web Service
static void Main(string[] args)
{
// Step 1 of the address configuration procedure: Create a URI to serve as the
// base address.
// Step 2 of the hosting procedure: Create ServiceHost
string uri = "http://host:port/TEST/NetService";
Uri baseAddress = new Uri(uri);
ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
try
{
SymmetricSecurityBindingElement sm =
SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
sm.SetKeyDerivation(false);
sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
sm.IncludeTimestamp = true;
sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
sm.MessageSecurityVersion =
MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
WSSecurityPolicy11BasicSecurityProfile10;
sm.LocalClientSettings.CacheCookies = true;
sm.LocalClientSettings.DetectReplays = true;
sm.LocalClientSettings.ReplayCacheSize = 900000;
sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.ReconnectTransportOnFailure = true;
sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
sm.LocalServiceSettings.DetectReplays = false;
sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
sm.LocalServiceSettings.ReplayCacheSize = 900000;
sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
sm.LocalServiceSettings.MaxPendingSessions = 128;
sm.LocalServiceSettings.MaxCachedCookies = 1000;
sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
HttpTransportBindingElement hb = new HttpTransportBindingElement();
hb.ManualAddressing = false;
hb.MaxBufferPoolSize = 524288;
hb.MaxReceivedMessageSize = 65536;
hb.AllowCookies = false;
hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.KeepAliveEnabled = true;
hb.MaxBufferSize = 65536;
hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.Realm = "";
hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
hb.UnsafeConnectionNtlmAuthentication = false;
hb.UseDefaultWebProxy = true;
TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
tb1.MaxReadPoolSize = 64;
tb1.MaxWritePoolSize = 16;
tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
tb1.WriteEncoding = System.Text.Encoding.UTF8;
CustomBinding binding1 = new CustomBinding(sm);
binding1.Elements.Add(tb1);
binding1.Elements.Add(hb);
ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
"CalculatorService");
EndpointAddress myEndpointAdd = new EndpointAddress(
new Uri(uri),
EndpointIdentity.CreateDnsIdentity("WSMCert3"));
ep.Address = myEndpointAdd;
// Step 4 of the hosting procedure: Enable metadata exchange.
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
selfHost.Description.Behaviors.Add(smb);
selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "WSMCert3");
selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;
selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
UserNamePasswordValidationMode.Custom;
CustomUserNameValidator cu = new CustomUserNameValidator();
selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
{
System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
svcDebug.IncludeExceptionDetailInFaults = true;
}
// Step 5 of the hosting procedure: Start (and then stop) the service.
selfHost.Open();
Console.WriteLine("The Calculator service is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
selfHost.Close();
}
catch (CommunicationException ce)
{
Console.WriteLine("An exception occurred: {0}", ce.Message);
selfHost.Abort();
}
}
Table 6-10 Configuring the OWSM 12c Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Using JDeveloper, create a SOA composite that consumes the .NET web service. |
|
|
2 |
In JDeveloper, create a partner link using the WSDL of the .NET service. |
-- |
|
3 |
Attach the following policy to the web service client: |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
4 |
Provide configurations for the You can specify this information when attaching the policy, by overriding the policy configuration. For more information. Ensure that you configure the
<wsp:PolicyReference
URI="oracle/wss11_username_token_with_message_protection_client_policy"
orawsp:category="security"
orawsp:status="enabled"/>
<property
name="csf-key"
type="xs:string"
many="false">
basic.credentials
</property>
<property
name="keystore.recipient.alias"
type="xs:string"
many="false">
wsmcert3
</property>
|
"Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
This section describes how to implement username token over SSL in the following interoperability scenario:
The following instructions tell how to configure a OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement username token over SSL, both with and without secure conversation enabled:
Table 6-11 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Configure the server for SSL. |
"Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
2 |
Create an OWSM web service. |
-- |
|
3 |
Select the policy to use based on whether or not you want to enable secure conversation: If you do not want to enable secure conversation, attach any of the following policies:
Note that, in the case of secure conversation not enabled, you will have to set the To enable secure conversation, attach the following policy:
|
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
4 |
Specify that addressing is to be used, as follows: For an Oracle Infrastructure web service: Attach the following policy:
For a Java EE web service: Only a subset of OWSM security policies are supported for Java EE web services and clients, so you cannot attach |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager "Which OWSM Policies Are Supported for Java EE Web Services and Clients?" in Securing Web Services and Managing Policies with Oracle Web Services Manager "Attaching Policies to Java EE Web Services and Clients at Design TIme" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Example 6-5 Java EE Web Service with Addressing
package oracle.wsm.qa.wls.service.soap12;
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import javax.xml.ws.BindingType;
import javax.xml.ws.soap.Addressing;
import javax.xml.ws.soap.SOAPBinding;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicy;
@WebService
@BindingType(SOAPBinding.SOAP12HTTP_BINDING)
@Addressing(enabled=true)
public class wss_username_token_over_ssl {
public wss_username_token_over_ssl() {
super();
}
@WebMethod
public String sayHello(@WebParam(name = "arg0") String name){
return "hello "+ name;
}
}
Table 6-12 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Generate a .NET client using the WSDL of the web service. |
"How to: Create a Windows Communication Foundation Client" at |
|
2 |
The By default, For example, see Example 6-6 (lines in |
|
|
3 |
Compile the project. |
-- |
|
4 |
Open a command prompt and navigate to the project's Debug folder. |
-- |
|
5 |
Type |
-- |
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding name="wss_username_over_ssl_client">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName"
negotiateServiceCredential="false"
establishSecurityContext="true" />
<!-- extablishSecurityContext is true by default and therefore does not
have to be specified to enable secure conversation.
Set establishSecurityContext to false if secure conversation is not enabled -->
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="https://10.244.167.70:7004/OWSMTestApp-Project1-context-root/wss_username_token_over_sslPort"
binding="ws2007HttpBinding"
bindingConfiguration="wss_username_over_ssl_client"
contract="ServiceReference1.wss_username_token_over_ssl"
name="wss_username_token_over_sslPort" />
</client>
</system.serviceModel>
</configuration>
The following instructions tell how to configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client to implement username token over SSL:
Table 6-13 Configuring the Microsoft WCF/.NET 4.5 Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Configure the server for SSL. |
"Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
1 |
Create a .NET web service. Create a custom binding for the web service using the To enable secure conversation, make the following adjustments to the code in the example. Create another
Then create the custom binding with
|
"How to: Define a Windows Communication Foundation Service Contract" at |
Example 6-7 Example of .NET Web Service
static void Main(string[] args)
{
// Step 1 of the address configuration procedure: Create a URI to serve as the
// base address.
// Step 2 of the hosting procedure: Create ServiceHost
string uri = "http://host:port/TEST/NetService";
Uri baseAddress = new Uri(uri);
ServiceHost selfHost = new ServiceHost(typeof(CalculatorService), baseAddress);
try
{
SecurityBindingElement sm =
SecurityBindingElement.CreateUserNameOverTransportBindingElement();
sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
sm.SetKeyDerivation(false);
sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
sm.IncludeTimestamp = true;
sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
sm.MessageSecurityVersion =
MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005
WSSecurityPolicy11BasicSecurityProfile10;
sm.LocalClientSettings.CacheCookies = true;
sm.LocalClientSettings.DetectReplays = true;
sm.LocalClientSettings.ReplayCacheSize = 900000;
sm.LocalClientSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalClientSettings.MaxCookieCachingTime = TimeSpan.MaxValue;
sm.LocalClientSettings.ReplayWindow = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.SessionKeyRenewalInterval = new TimeSpan(10, 00, 00);
sm.LocalClientSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.ReconnectTransportOnFailure = true;
sm.LocalClientSettings.TimestampValidityDuration = new TimeSpan(00, 05, 00); ;
sm.LocalClientSettings.CookieRenewalThresholdPercentage = 60;
sm.LocalServiceSettings.DetectReplays = false;
sm.LocalServiceSettings.IssuedCookieLifetime = new TimeSpan(10, 00, 00);
sm.LocalServiceSettings.MaxStatefulNegotiations = 128;
sm.LocalServiceSettings.ReplayCacheSize = 900000;
sm.LocalServiceSettings.MaxClockSkew = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.NegotiationTimeout = new TimeSpan(00, 01, 00);
sm.LocalServiceSettings.ReplayWindow = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.InactivityTimeout = new TimeSpan(00, 02, 00);
sm.LocalServiceSettings.SessionKeyRenewalInterval = new TimeSpan(15, 00, 00);
sm.LocalServiceSettings.SessionKeyRolloverInterval = new TimeSpan(00, 05, 00);
sm.LocalServiceSettings.ReconnectTransportOnFailure = true;
sm.LocalServiceSettings.MaxPendingSessions = 128;
sm.LocalServiceSettings.MaxCachedCookies = 1000;
sm.LocalServiceSettings.TimestampValidityDuration = new TimeSpan(15, 00, 00);
HttpTransportBindingElement hb = new HttpTransportBindingElement();
hb.ManualAddressing = false;
hb.MaxBufferPoolSize = 524288;
hb.MaxReceivedMessageSize = 65536;
hb.AllowCookies = false;
hb.AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.KeepAliveEnabled = true;
hb.MaxBufferSize = 65536;
hb.ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous;
hb.Realm = "";
hb.TransferMode = System.ServiceModel.TransferMode.Buffered;
hb.UnsafeConnectionNtlmAuthentication = false;
hb.UseDefaultWebProxy = true;
TextMessageEncodingBindingElement tb1 = new TextMessageEncodingBindingElement();
tb1.MaxReadPoolSize = 64;
tb1.MaxWritePoolSize = 16;
tb1.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap12;
tb1.WriteEncoding = System.Text.Encoding.UTF8;
CustomBinding binding1 = new CustomBinding(sm);
binding1.Elements.Add(tb1);
binding1.Elements.Add(hb);
ServiceEndpoint ep = selfHost.AddServiceEndpoint(typeof(ICalculator), binding1,
"CalculatorService");
EndpointAddress myEndpointAdd = new EndpointAddress(
new Uri(uri),
EndpointIdentity.CreateDnsIdentity("WSMCert3"));
ep.Address = myEndpointAdd;
// Step 4 of the hosting procedure: Enable metadata exchange.
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
selfHost.Description.Behaviors.Add(smb);
selfHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "WSMCert3");
selfHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.PeerOrChainTrust;
selfHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
UserNamePasswordValidationMode.Custom;
CustomUserNameValidator cu = new CustomUserNameValidator();
selfHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = cu;
using (ServiceHost host = new ServiceHost(typeof(CalculatorService)))
{
System.ServiceModel.Description.ServiceDescription svcDesc = selfHost.Description;
ServiceDebugBehavior svcDebug = svcDesc.Behaviors.Find<ServiceDebugBehavior>();
svcDebug.IncludeExceptionDetailInFaults = true;
}
// Step 5 of the hosting procedure: Start (and then stop) the service.
selfHost.Open();
Console.WriteLine("The Calculator service is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
selfHost.Close();
}
catch (CommunicationException ce)
{
Console.WriteLine("An exception occurred: {0}", ce.Message);
selfHost.Abort();
}
}
Table 6-14 Configuring the OWSM 12c Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Generate an OWSM client using the WSDL of the web service. |
|
|
2 |
Attach the following policy to the client:
|
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
This section describes how to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards in the following interoperability scenarios:
Configuring an OWSM 12c Web Service and a Microsoft WCF/.NET 4.5 Client
Configuring a Microsoft WCF/.NET 4.5 Web Service and an OWSM 12c Client
Before configuring the web service and client in either of the above scenarios, follow the instructions in "Configuration Prerequisites".
Table 6-15 describes how to perform prerequisite configuration tasks for implementing mutual authentication with message protection that conform to the WS-Security 1.1 standards.
Table 6-15 Configuration Prerequisites for Interoperability
| Task | Description | More Information |
|---|---|---|
|
1 |
Export the X.509 certificate file from the keystore on the service side to a keytool -export -alias alice -file C:\alice.cer -keystore default-keystore.jks |
"keytool - Key and Certificate Management Tool" at |
|
2 |
Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). See step 1 in Table 6-8, "Configuring the Microsoft WCF/.NET 4.5 Client" for specific instructions. |
"How to: View Certificates with the MMC Snap-in" at |
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards:
Table 6-16 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create a SOAP 1.2 compliant SOA composite and deploy it. |
-- |
|
2 |
Using Fusion Middleware Control, attach the following policy to the web service:
|
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
3 |
Export <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false" orasp:is-signed="false" orasp:sign-key-ref-mech="direct"/> |
|
|
4 |
Attach the policy to the web service. |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
5 |
Also attach the following policy:
|
-- |
Table 6-17 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Use the Microsoft SvcUtil utility to create a client proxy (see Example 6-9, "Client Program") and configuration file from the deployed web service. |
|
|
2 |
Create a |
-- |
|
3 |
Compile the project. |
-- |
|
4 |
Open a command prompt and navigate to the project's Debug folder. |
-- |
|
5 |
Enter |
-- |
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="<certificate_cn>"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<ws2007HttpBinding>
<binding name="wss_username_over_ssl_client">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName"
negotiateServiceCredential="false"
establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="http://<server>:<port>//MyWebService1SoapHttpPort"
binding="ws2007HttpBinding"
contract="MyWebService1"
name="MyWebService1SoapHttpPort"
behaviorConfiguration="secureBehaviour" >
<identity>
<dns value="<certificate_cn>"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
namespace IO_NET10_client
{
class Program
{
static void Main(string[] args)
{
BPELProcess1Client client = new BPELProcess1Client();
client.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "WSMCert3");
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName, "Alice");
process proc = new process();
proc.input = "Test wss11_x509_token_with_message_protection_policy - ";
Console.WriteLine(proc.input);
processResponse response = client.process(proc);
Console.WriteLine(response.result.ToString());
Console.WriteLine("Press <ENTER> to terminate Client.");
Console.ReadLine();
}
}
}
The following instructions tell how to configure a Microsoft WCF/.NET 4.5 web service and an OWSM 12c client to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards:
Table 6-18 Configuring the Microsoft WCF/.NET 4.5 Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create a .NET web service. For an example, see Example 6-4, "Example of .NET Web Service". |
"How to: Define a Windows Communication Foundation Service Contract" at |
|
2 |
Create a custom binding for the web service using the SymmetricSecurityBindingElement. The following is a sample of the SymmetricSecurityBindingElement object: SymmetricSecurityBindingElement sm = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificate BindingElement(); sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;sm.SetKeyDerivati on(false); sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;sm.IncludeTimestamp = true; sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy; sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;sm.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversation February2005WSSecurityPolicy11BasicSecurityProfile10; sm.RequireSignatureConfirmation = true; |
"How to: Create a Custom Binding Using the SecurityBindingElement" at |
|
4 |
Deploy the application. |
-- |
Table 6-19 Configuring the OWSM 12c Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Using JDeveloper, create a SOA composite that consumes the .NET web service. |
|
|
2 |
In JDeveloper, create a partner link using the WSDL of the .NET service and add the import as follows: <wsdl:import namespace="<namespace>" location="<WSDL location>"/> |
-- |
|
3 |
In Fusion Middleware Control, attach the following policy to the web service client:
|
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
6 |
Provide configurations for the You can specify this information when attaching the policy, by overriding the policy configuration. Ensure that you configure the |
"Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
7 |
Invoke the web service method from the client. |
-- |
This section describes how to implement Kerberos with message protection in the following interoperability scenario:
Table 6-20 Configuration Prerequisites for Interoperability
| Task | Description | More Information |
|---|---|---|
|
1 |
Configure the Key Distribution Center (KDC) and Active Directory (AD). |
"To Configure Windows Active Directory and Domain Controller" (the domain controller can serve as KDC) at |
|
2 |
Set up the Kerberos configuration file |
-- |
Example 6-10 Kerberos Configuration File
[logging] default = c:\log\krb5libs.log kdc = c:\log\krb5kdc.log admin_server = c:\log\kadmind.log [libdefaults] default_realm = MYCOMPANY.LOCAL dns_lookup_realm = false dns_lookup_kdc = false default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac permitted_enctypes = rc4-hmac kdc = hostname [realms] MYCOMPANY.LOCAL = { kdc = host:port admin_server = host:port default_domain = <domainname> } [domain_realm] .<domainname> = MYCOMPANY.LOCAL <domainname> = MYCOMPANY.LOCAL [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection:
Table 6-21 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create and deploy a web service application. |
"Deploying Web Service Applications" in Administering Web Services. |
|
2 |
Clone the following policy: |
"Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
3 |
Edit the policy settings to set Algorithm Suite to |
-- |
|
4 |
Attach the policy to the web service. |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 6-22 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name is |
-- |
|
2 |
Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:
where Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite web service is hosted. |
-- |
|
3 |
Use the following
Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command |
-- |
|
4 |
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. Add the files In the endpoint element of the
<client>
<endpoint address="http://host:port/HelloServicePort"
binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
contract="NewHello" name="HelloServicePort">
<identity>
<servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
</identity>
</endpoint>
</client>
A sample binding is provided in Example 6-11, "Custom Binding". |
|
|
5 |
Run the client program. |
- |
<customBinding>
<binding name="NewHelloSoap12HttpPortBinding">
<!--Added by User: Begin-->
<security defaultAlgorithmSuite="Basic128"
authenticationMode="Kerberos"
requireDerivedKeys="false" securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005
WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
Profile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<!--Added by User: End-->
<textMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<!--Added by User: Begin-->
<httpTransport manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
<!--Added by User: End-->
</binding>
</customBinding>
This section describes how to implement Kerberos with message protection using derived keys in the following interoperability scenario:
Before configuring the web service and client in the above scenario, follow the instructions in Section 6.7.1, "Configuration Prerequisites."
Table 6-23 describes how to perform prerequisite configuration tasks for implementing Kerberos with message protection using derived keys.
Table 6-23 Configuration Prerequisites for Interoperability
| Task | Description | More Information |
|---|---|---|
|
1 |
Configure the Key Distribution Center (KDC) and Active Directory (AD). |
|
|
2 |
Set up the Kerberos configuration file |
-- |
Example 6-12 Kerberos Configuration File
[logging] default = c:\log\krb5libs.log kdc = c:\log\krb5kdc.log admin_server = c:\log\kadmind.log [libdefaults] default_realm = MYCOMPANY.LOCAL dns_lookup_realm = false dns_lookup_kdc = false default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac permitted_enctypes = rc4-hmac kdc = hostname [realms] MYCOMPANY.LOCAL = { kdc = host:port admin_server = host:port default_domain = <domainname> } [domain_realm] .<domainname> = MYCOMPANY.LOCAL <domainname> = MYCOMPANY.LOCAL [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with message protection:
Table 6-24 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create and deploy a web service application. |
"Deploying Web Service Applications" in Administering Web Services. |
|
2 |
Clone the following policy: |
"Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
3 |
Edit the policy settings to enable the Derived Keys option. |
-- |
|
4 |
Attach the policy to the web service. |
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 6-25 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description |
|---|---|
|
1 |
Create a user in AD to represent the host where the web service is hosted. By default the user account is created with RC4-HMAC encryption. For example, foobar with user name as "HTTP/foobar". |
|
2 |
Use the following ktpass command to create a keytab file on the Windows AD machine where the KDC is running:
where HTTP/foobar is the SPN, mapped to a user "foobar". Do not set "/desonly or cyrpto as "des-cbc-crc". MYCOMPANY.LOCAL is the default Realm for the KDC and is available in the Use FTP binary mode to move the generated keytab file to the machine where the SOA Composite web service is hosted. |
|
3 |
Use the following
Only one SPN must be mapped to the user. If there are multiple SPNs mapped to the user, remove them using the command |
|
4 |
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item. In the endpoint element of the app.config, add an "identity" element with service principal name as "HTTP/foobar@MYCOMPANY.LOCAL" (the same value used for creating keytab).
<client>
<endpoint address="http://host:port/HelloServicePort"
binding="customBinding" bindingConfiguration="NewHelloSoap12HttpPortBinding"
contract="NewHello" name="HelloServicePort">
<identity>
<servicePrincipalName value ="HTTP/foobar@MYCOMPANY.LOCAL"/>
</identity>
</endpoint>
</client>
A sample binding is provided in Example 6-13, "Custom Binding". |
|
5 |
Run the client program. |
<customBinding>
<binding name="NewHelloSoap12HttpPortBinding">
<!--Added by User: Begin-->
<security defaultAlgorithmSuite="Basic128"
authenticationMode="Kerberos"
requireDerivedKeys="true" securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005
WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurity
Profile10"
requireSignatureConfirmation="true">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00"
maxCookieCachingTime="Infinite"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<!--Added by User: End-->
<textMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap12" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<!--Added by User: Begin-->
<httpTransport manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
<!--Added by User: End-->
</binding>
</customBinding>
This section describes how to implement Kerberos with SPNEGO negotiation in the following interoperability scenario:
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with SPNEGO negotiation:
Table 6-26 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create and deploy a web service application. |
"Deploying Web Service Applications" in Administering Web Services. |
|
2 |
Create a policy that uses the |
"Configuring Kerberos With SPNEGO Negotiation" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
|
3 |
Attach the policy to the web service. |
-- |
Table 6-27 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. |
|
|
2 |
Add the files generatedProxy.cs and app.config by right clicking the application (in the Windows Explorer) and selecting Add Existing Item. |
-- |
|
3 |
Edit the In this listing, note that the values of the contract and name attributes of the endpoint element are obtained from the generatedProxy.cs file. |
-- |
|
4 |
Compile the client. |
-- |
|
5 |
After attaching the OWSM policy to the deployed web service, run the client. |
-- |
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BPELProcessBinding">
<security mode= "TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint
address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro
cess_client_ep"
binding="basicHttpBinding"
bindingConfiguration="BPELProcessBinding"
contract="BPELProcess" name="BPELProcess_pt"
<identity>
<servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
This section describes how to implement Kerberos with SPNEGO negotiation and credential delegation in the following interoperability scenario:
The following instructions tell how to configure an OWSM 12c web service and a Microsoft WCF/.NET 4.5 client to implement Kerberos with SPNEGO negotiation and credential delegation:
Table 6-28 Configuring the OWSM 12c Web Service
| Task | Description | More Information |
|---|---|---|
|
1 |
Create and deploy a web service application. |
"Deploying Web Service Applications" in Administering Web Services. |
|
2 |
Create a policy that uses the |
-- |
|
3 |
Attach the policy to the web service. |
-- |
|
4 |
Set the value of the You can specify this information when attaching the policy, by overriding the policy configuration. |
"Overriding Policy Configuration Properties" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 6-29 Configuring the Microsoft WCF/.NET 4.5 Client
| Task | Description | More Information |
|---|---|---|
|
1 |
Use the Microsoft SvcUtil utility to create a client proxy and configuration file from the deployed web service. |
|
|
2 |
Add the files |
-- |
|
3 |
Edit the In the example, note that the values of the contract and name attributes of the endpoint element are obtained from the |
-- |
|
4 |
Compile the client. |
-- |
|
5 |
After attaching the OWSM policy to the deployed web service, run the client. |
-- |
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BPELProcess1Binding">
<security mode= "TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint
address="http://host:port/soa-infra/services/default/SOAProxy/bpelpro
cess1_client_ep"
binding="basicHttpBinding"
bindingConfiguration="BPELProcess1Binding"
contract="BPELProcess1" name="BPELProcess1_pt"
behaviorConfiguration="CredentialDelegation">
<identity>
<servicePrincipalName value ="HTTP/host:port@MYCOMPANY.LOCAL" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CredentialDelegation">
<clientCredentials>
<windows allowedImpersonationLevel="Delegation"
allowNtlm="false"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
This section tells how to secure a WCF/.NET 4.5 client with Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) secure token service (STS), using the following policies:
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
oracle/wss_saml_token_bearer_over_ssl_service_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
Note:
The SAML sender vouches token is not supported in this use case.The procedure described in this section are based on an ADFS 2.0 installation on Windows Server 2008 or Windows Server 2008 R2.
The section includes the following topics:
Step 1: Install and Configure Active Directory Federation Services (ADFS) 2.0
"Step 2: Configure OWSM to Trust SAML Assertions Issued by an ADFS 2.0 STS"
Step 5: Register the Web Service as a Relying Party in ADFS 2.0
Install and configure ADFS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 system.
Configure Active Directory and ADFS as shown in Table 6-30:
Table 6-30 Install and Configure Active Directory Federation Services (ADFS) 2.0
| Task | Description | More Information |
|---|---|---|
|
1 |
|
"Windows Server 2008 R2 and Windows Server 2008" at "Active Directory Services" at "Active Directory Federation Services" at "AD FS Step-by-Step Guide" at "AD FS 2.0 Deployment Guide" at |
|
2 |
Create and configure a self-signed server authentication certificate in Internet Information Services (IIS) and bind it to the default Web site using the IIS Manager console. When done, enable SSL server authentication. Note: The ADFS 2.0 Setup Wizard automatically installs the web server (IIS) server role on the system. |
See above. |
|
3 |
Configure ADFS 2.0 as a stand-alone federation server. |
See above. |
|
4 |
Export the ADFS 2.0 token-signing certificate. For a self-signed certificate, select DER encoded binary X.509 ( If the signing certificate is not self-signed, select Cryptographic Message Syntax Standard – PKCS 7 certificates (.p7b) and specify that all certificates in the certification path should be included. |
See above. |
|
5 |
Create users and include an e-mail address. You later enable the STS to send the e-mail address as the subject name id in the outgoing SAML assertions for the service. |
See above. |
Configure OWSM to trust the SAML assertions issued by an ADFS 2.0 STS as described in Table 6-31:
Table 6-31 Configure OWSM to Trust SAML Assertions Issued by an ADFS 2.0 STS
| Task | Description | More Information |
|---|---|---|
|
1 |
Get the STS signing certificates you exported in "Step 1: Install and Configure Active Directory Federation Services (ADFS) 2.0.". For a |
-- |
|
2 |
Import the certificates into the location of the default keystore using keytool.
|
"keytool - Key and Certificate Management Tool" at |
|
3 |
Add |
-- |
|
4 |
Add the Subject DN (as defined in RFC 2253) of the STS certificate in the Trusted STS Servers section. Use a string that conforms to RFC 2253, such as |
"Configuring SAML Trusted Issuers and DN Lists" in Securing Web Services and Managing Policies with Oracle Web Services Manager "keytool - Key and Certificate Management Tool" at |
For each user, configure the mail attribute to match the user e-mail address set in ADFS.
See Managing Directory Entries for Creating a User in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information on configuring users in Oracle Internet Directory.
Attach any of the following OWSM policies to the web service:
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
oracle/wss_saml_token_bearer_over_ssl_service_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
For more information, see:
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
"Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure ADFS 2.0 to issue the SAML assertion to the web service with the e-mail address or the name ID (SAM-Account-Name) as the subject name ID, as described in Table 6-32:
Table 6-32 Register the Web Service as a Relying Party in ADFS 2.0
| Task | Description | More Information |
|---|---|---|
|
1 |
Add the web service as a relying party. |
"Create a Relying Party Trust Manually" at |
|
2 |
Configure the claim rules for the service. Enable the STS to send the e-mail address or the name ID as the To enable the STS to send the e-mail address or the name ID as the |
"Checklist: Creating Claim Rules for a Relying Party Trust" at "Create a Rule to Send LDAP Attributes as Claims" at |
Secure the WCF/.NET 4.5 client with ADFS 2.0, as described in Table 6-33:
Table 6-33 Secure WCF/.NET 4.5 Client with ADFS 2.0
| Task | Description | More Information |
|---|---|---|
|
1 |
Import the SSL server certificates for STS and the service into Windows. If the SSL server certificate for STS or the service is not issued from a trusted CA, or self-signed, then it needs to be imported with MMC tool, as described in step 1 in Table 6-8, "Configuring the Microsoft WCF/.NET 4.5 Client". |
"How to: View Certificates with the MMC Snap-in" at |
|
2 |
Create and configure the WCF./NET client, as described in steps 3 and 4, below. ADFS 2.0 STS supports multiple security and authentication mechanisms for token insurance. Each is exposed as a separate endpoint. For username/password authentication, two endpoints are provided:
The WCF client uses the |
-- |
|
3 |
Generate the WCF Client with the service WSDL. |
"How to: Create a Windows Communication Foundation Client" at |
|
4 |
Configure the client with Example 6-16 shows a sample
|
"WS 2007 Federation HTTP Binding" at |
|
5 |
Edit the If not already present, create a In this example:
|
-- |
Example 6-16 app.config File to Implement Varieties of SAML-Based Authentication
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="secureBehaviour">
<clientCredentials>
<serviceCertificate>
<defaultCertificate findValue="weblogic"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<ws2007FederationHttpBinding>
<binding name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp">
<security mode="TransportWithMessageCredential">
<message negotiateServiceCredential="false"
algorithmSuite="Basic128"
issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
issuedKeyType="BearerKey">
<issuer address ="https://domain-name/adfs/services/trust/13/usernamemixed"
binding ="ws2007HttpBinding"
bindingConfiguration="ADFSUsernameMixed"/>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding name="ADFSUsernameMixed">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"
establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="https://host:8002/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL/JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLService"
binding="ws2007FederationHttpBinding"
bindingConfiguration="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLSoapHttp"
contract="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSL"
name="JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLPort">
<identity>
<dns value="weblogic" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.ServiceModel;
namespace Client
{
class Program
{
static void Main(string[] args)
{
JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient client =
New JaxWsWss11SamlOrUsernameOrSamlBearerOverSSLClient();
client.ClientCredentials.UserName.UserName = "joe";
client.ClientCredentials.UserName.Password = "eoj";
System.Net.ServicePointManager.ServerCertificateValidationCallback =
((sender, certificate, chain, sslPolicyErrors) => true);
Console.WriteLine(client.echo("Hello"));
Console.Read();
}
}
}