This chapter describes how to configure message-level security between .NET 2.0 and Service Bus.
The chapter includes the following sections:
You can set up Message-level security between the Microsoft .NET 2.0 framework and Service Bus.
Message-level security applies security checks to a SOAP message after a web services client establishes a connection with a Service Bus proxy service or business service, and before the proxy service or business service processes the message.
The .NET framework is a software component that you can add to the Microsoft Windows operating system.
It provides pre-coded solutions to common program requirements, and manages the execution of programs written specifically for the framework.
This section provides the steps that you need to perform for .NET 2.0 and for Service Bus to configure message-level security.
Caution:
Before you perform these steps, you must follow the steps in Configuring Message-Level Security for Web Services to configure inbound and outbound messaging for Service Bus.
To configure message-level security between .NET and Service Bus:
Before you configure Service Bus, these conditions must exist.
A .NET client invokes a Service Bus proxy with a plain-text message (that is, no message-level security is in place between the .NET client and the Service Bus proxy).
Service Bus enforces outbound message-level security on the SOAP request.
Note:
For cases where the .NET client has message-level security enabled, you can use Service Bus as a pass-through proxy.
To configure Service Bus for message-level security with .NET:
The sample WSDL file in this section shows how to configure WS-Policy for message-level identity propagation, confidentiality, and integrity in Service Bus.
Example - Configuring WS-Policy for Message-Level Security
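<?xml version='1.0' encoding='UTF-8'?>
<!-- Sample WSDL for the SecureHelloWorld service with three WS-Policy assertions
     attached to its port type through wsp:PolicyURIs (see the portType below):
       Encrypt.xml - confidentiality: encrypts wsp:Body() only
       Auth.xml    - identity propagation: UsernameToken with a clear-text password
       Sign.xml    - integrity: signs the system headers, the wsu:Timestamp and the body
     The line wraps that the printed original introduced inside URIs and between
     attributes have been re-joined so that the document is well-formed. -->
<definitions name="SecureHelloWorldServiceDefinitions"
             targetNamespace="http://www.bea.com"
             xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             xmlns:s1="http://www.bea.com"
             xmlns:s2="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
     <!-- Required="true": a consumer that does not understand WS-Policy must reject this WSDL
          instead of silently ignoring the policies. -->
     <wsp:UsingPolicy xmlns:n1="http://schemas.xmlsoap.org/wsdl/" n1:Required="true"/>

     <!-- Confidentiality policy. -->
     <wsp:Policy s0:Id="Encrypt.xml">
          <wssp:Confidentiality xmlns:wssp="http://www.bea.com/wls90/security/policy">
               <!-- rsa-1_5 is RSA PKCS#1 v1.5 key transport; XML Encryption 1.1 recommends
                    RSA-OAEP (xmlenc#rsa-oaep-mgf1p) for new deployments. -->
               <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
               <wssp:Target>
                    <!-- AES-256-CBC gives confidentiality only; integrity of the body is
                         provided by the signature in Sign.xml. -->
                    <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
                    <!-- Only the SOAP body is encrypted. SOAP headers, including the
                         wsse:Security header that carries the UsernameToken required by
                         Auth.xml, are sent in the clear. -->
                    <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
               </wssp:Target>
               <wssp:KeyInfo>
                    <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    <wssp:SecurityTokenReference>
                         <wssp:Embedded>
                              <!-- X.509v3 certificate whose public key wraps the symmetric key.
                                   This is the sample's test certificate (its DN contains
                                   "FOR TESTING ONLY" and its issuer is CertGenCAB); replace it
                                   with the service's own certificate before deploying. -->
                              <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIB7DCCAZYCEN+FHomYRZU
                                   YPLiIutc0lIIwDQYJKoZIhvcNAQEEBQAweTELMAk
                                   GA1UEBhMCVVMxEDAOBgNVBAgTB015U3RhdGUxDzA
                                   NBgNVBAcTBk15VG93bjEXMBUGA1UEChMOTXlPcmd
                                   hbml6YXRpb24xGTAXBgNVBAsTEEZPUiBURVNUSU5
                                   HIE9OTFkxEzARBgNVBAMTCkNlcnRHZW5DQUIwHhc
                                   NMDYwNjA3MDQ0MDM2WhcNMjEwNjA4MDQ0MDM2WjB
                                   6MQswCQYDVQQGEwJVUzEQMA4GA1UECBYHTXlTdGF
                                   0ZTEPMA0GA1UEBxYGTXlUb3duMRcwFQYDVQQKFg5
                                   NeU9yZ2FuaXphdGlvbjEZMBcGA1UECxYQRk9SIFR
                                   FU1RJTkcgT05MWTEUMBIGA1UEAxYLYmFuZ3BsdHc
                                   zazIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxv2
                                   nWByAF2Xr9wrb06ydrrcqPt2VQa0xcwfdZZ6oGlj
                                   1TXq+G5/Q82v7CdxjyWUQBuAzduQx9wFCrAe/aWV
                                   pgQIDAQABMA0GCSqGSIb3DQEBBAUAA0EARbwfl8w
                                   X915jL5reY+isriNF0EfUs5ck53WRNowiapJx2ea
                                   ZE03quksJgeJ0z0HekkR/aTQnkMV1xIt1HxMKRw=
                                   =</wsse:BinarySecurityToken>
                         </wssp:Embedded>
                    </wssp:SecurityTokenReference>
               </wssp:KeyInfo>
          </wssp:Confidentiality>
     </wsp:Policy>

     <!-- Identity (authentication) policy. -->
     <wsp:Policy s0:Id="Auth.xml">
          <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
               <wssp:SupportedTokens>
                    <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
                         <!-- PasswordText places the password unmodified in the wsse:Security
                              header, which Encrypt.xml does not cover. Run this endpoint over
                              TLS, or use #PasswordDigest where the credential store permits it. -->
                         <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
                    </wssp:SecurityToken>
               </wssp:SupportedTokens>
          </wssp:Identity>
     </wsp:Policy>

     <!-- Integrity policy. -->
     <wsp:Policy s0:Id="Sign.xml">
          <!-- SignToken='false': the signer's X.509 token is carried in the message
               (IncludeInMessage below) but is not itself one of the signed parts. -->
          <wssp:Integrity SignToken='false'
                          xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
                          xmlns:wssp="http://www.bea.com/wls90/security/policy"
                          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
               <!-- rsa-sha1 and the sha1 digests below are what this sample was written
                    against; SHA-1 is deprecated for signatures. Prefer
                    xmldsig-more#rsa-sha256 with xmlenc#sha256 digests where the peer supports them. -->
               <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <!-- Signed part 1: the headers WebLogic classifies as system headers. -->
               <wssp:Target>
                    <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts>
               </wssp:Target>
               <!-- Signed part 2: the timestamp. Signing it is what makes the MessageAge
                    check below trustworthy. -->
               <wssp:Target>
                    <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts>
               </wssp:Target>
               <!-- Signed part 3: the SOAP body (the same part that Encrypt.xml encrypts). -->
               <wssp:Target>
                    <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
               </wssp:Target>
               <wssp:SupportedTokens>
                    <!-- IncludeInMessage="true": the signer's certificate travels with the
                         message. TokenIssuer lists the issuer DNs whose certificates are
                         accepted as signing tokens; the sample accepts the test CA plus a
                         long list of public CAs. For a real deployment restrict this to the
                         CA(s) that actually issue the client certificates. -->
                    <wssp:SecurityToken IncludeInMessage="true" TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
                         <wssp:TokenIssuer>CN=CACERT,OU=FOR TESTING ONLY,
                          O=MyOrganization,L=MyTown,ST=MyState,C=US,1.2.
                          840.113549.1.9.1=#160f737570706f7274406265612e636
                          f6d,CN=Demo Certificate Authority Constraints,OU=
                          Security,O=BEA WebLogic,L=San Francisco,ST=
                          California,C=US,1.2.840.113549.1.9.1=#16107365637
                          572697479406265612e636f6d,CN=Demo Certificate
                          Authority Constraints,OU=Security,O=BEA WebLogic,
                          L=San Francisco,ST=California,C=US,CN=CertGenCAB,
                          OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=
                          MyState,C=US,CN=Equifax Secure eBusiness CA-1,O=
                          Equifax Secure Inc.,C=US,CN=VeriSign Class 1
                          Public Primary Certification Authority - G3,OU=
                          (c)1999 VeriSign\, Inc. - For authorized use only,
                          OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US,
                          OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\,
                          Inc. - For authorized use only,OU=Class 2 Public
                          Primary Certification Authority - G2,O=VeriSign\,
                          Inc.,C=US,CN=VeriSign Class 3 Public Primary
                          Certification Authority - G3,OU=(c) 1999
                          VeriSign\,Inc. - For authorized use only,OU=
                          VeriSign Trust Network,O=VeriSign\,Inc.,C=US,CN=
                          Entrust.net Client Certification Authority,OU=(c)
                          2000 Entrust.net Limited,OU=www.entrust.net/
                          GCCA_CPS incorp. by ref. (limits liab.),O=Entrust
                          .net,OU=Go Daddy Class 2 Certification Authority,
                          O=The Go Daddy Group\, Inc.,C=US,CN=GTE Cyber
                          Trust Global Root,OU=GTE CyberTrust Solutions\,
                          Inc., O=GTE Corporation,C=US,CN=Entrust.net
                          Secure Server Certification Authority,OU=(c) 2000
                          Entrust.net Limited,OU=www.entrust.net/SSL_CPS
                          incorp. by ref. (limits liab.),O=Entrust.net,OU=
                          Class 1 Public Primary Certification Authority,
                          O=VeriSign\, Inc.,C=US,1.2.840.113549.1.9.1=#161
                          9706572736f6e616c2d6261736963407468617774652e636
                          f6d,CN=Thawte Personal Basic CA,OU=Certification
                          Services Division,O=Thawte Consulting,L=Cape
                          Town, ST=Western Cape,C=ZA,OU=VeriSign Trust
                          Network, OU=(c) 1998 VeriSign\, Inc. - For
                          authorized use only,OU=Class 1 Public Primary
                          Certification Authority - G2,O=VeriSign\, Inc.,
                          C=US,CN=Entrust.net Secure Server Certification
                          Authority,OU=(c) 1999 Entrust.net Limited,OU=
                          www.entrust.net/CPS incorp. by ref.(limits iab.),
                          O=Entrust.net,C=US, 1.2.840.113549.1.9.1=#161c706
                          572736f6e616c2d667265656d61696c407468617774652e63
                          6f6d,CN=Thawte Personal Freemail CA,OU=
                          Certification Services Div,O=Thawte Consulting, L
                          =Cape Town,ST=Western Cape,C=ZA,OU=Class 3 Public
                          Primary Certification Authority,O=VeriSign\, Inc.
                          C=US,CN=GTE CyberTrust Root,O=GTE Corporation,C=
                          US,CN=VeriSign Class 2 Public Primary Certificate
                          Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For
                          authorized use only,OU=VeriSign Trust Network,O=
                          VeriSign\,Inc.,C=US,1.2.840.113549.1.9.1=#1617736
                          5727665722d6365727473407468617774652e636f6d,CN=
                          Thawte Server CA,OU=Certification Services
                          Division,O=Thawte Consulting cc,L=Cape Town,ST=
                          Western Cape,C=ZA,OU=Equifax Secure Certificate
                          Authority,O=Equifax,C=US,1.2.840.113549.1.9.1=#16
                          1b706572736f6e616c2d7072656d69756d407468617774652
                          e636f6d,CN=Thawte Personal Premium CA,OU=
                          Certification Services Division,O=Thawte
                          Consulting,L=Cape Town,ST=Western Cape,C=ZA,1.2.
                          840.113549.1.9.1=#16197072656d69756d2d73657276657
                          2407468617774652e636f6d,CN=Thawte Premium Server
                          CA,OU=Certification Services Division,O=Thawte
                          Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,
                          OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\,
                          Inc. - For authorized use only,OU=Class 3 Public
                          Primary Certification Authority - G2,O=VeriSign\,
                          Inc.,C=US,CN=Entrust.net Certification Authority
                          (2048),OU=(c) 1999 Entrust.net Limited,OU=www
                          .entrust.net/CPS_2048 incorp. by ref. (limits
                          liab.),O=Entrust.net,1.2.840.113549.1.9.1=#1611
                          696e666f4076616c69636572742e636f6d,CN=http://www.
                          valicert.com/,OU=ValiCert Class 2 Policy
                          Validation Authority,O=ValiCert\, Inc.,L=Vali
                          cert Validation Network,CN=Baltimore CyberTrust
                          Root, OU=CyberTrust,O=Baltimore,C=IE,OU=Secure
                          Server Certification Authority,O=RSA Data
                          Security\, Inc.,C=US,CN=Entrust.net Client
                          Cert Authority,OU=(c) 1999 Entrust.net Limited,
                          OU=www.entrust.net/Client_CA_Info/CPS incorp. by
                          ref. limits liab.,O=Entrust.net,C=US,CN=GeoTrust
                          Global CA,O=GeoTrust Inc.,C=US,CN=GTE CyberTrust
                          Root 5,OU=GTE CyberTrust Solutions\, Inc.,O=GTE
                          Corporation,C=US,OU=Starfield Class 2
                          Certification Authority,O=Starfield
                          Technologies\, Inc.,C=US,CN=Equifax Secure
                          Global eBusiness CA-1,O=Equifax Secure Inc.,C=US,
                          CN=Baltimore CyberTrust Code Signing Root,OU=
                          CyberTrust,O=Baltimore,C=IE,OU=Class 2 Public
                          Primary Certification Authority,O=VeriSign\,
                          Inc.,C=US,OU=Equifax Secure eBusiness CA-2,O=
                          Equifax Secure,C=US,</wssp:TokenIssuer>
                    </wssp:SecurityToken>
               </wssp:SupportedTokens>
          </wssp:Integrity>
          <!-- Freshness window: a message whose signed wsu:Timestamp is older than 60
               seconds is rejected. This bounds replay of a captured message; choose the
               value with the clock skew between client and server in mind. -->
          <wssp:MessageAge Age="60" xmlns:wssp="http://www.bea.com/wls90/security/policy"/>
     </wsp:Policy>

     <types>
          <!-- NOTE(review): this schema rebinds the prefix s0 to http://www.bea.com, whereas
               the root element binds s0 to the wsu namespace. The schema never uses s0, so
               it is harmless, but it is confusing and could be dropped. -->
          <xs:schema attributeFormDefault="unqualified"
                     elementFormDefault="qualified"
                     targetNamespace="http://www.bea.com"
                     xmlns:s0="http://www.bea.com"
                     xmlns:s1="http://schemas.xmlsoap.org/wsdl/soap/"
                     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema">
               <xs:element name="sayHello">
                    <xs:complexType>
                         <xs:sequence>
                              <xs:element name="s" type="xs:string"/>
                         </xs:sequence>
                    </xs:complexType>
               </xs:element>
               <xs:element name="sayHelloResponse">
                    <xs:complexType>
                         <xs:sequence>
                              <xs:element name="return" type="xs:string"/>
                         </xs:sequence>
                    </xs:complexType>
               </xs:element>
          </xs:schema>
     </types>

     <message name="sayHello">
          <part element="s1:sayHello" name="parameters"/>
     </message>
     <message name="sayHelloResponse">
          <part element="s1:sayHelloResponse" name="parameters"/>
     </message>

     <!-- All three policies apply to every operation of this port type. -->
     <portType name="SecureHelloWorldPortType" wsp:PolicyURIs="#Sign.xml #Auth.xml #Encrypt.xml">
          <operation name="sayHello" parameterOrder="parameters">
               <input message="s1:sayHello"/>
               <output message="s1:sayHelloResponse"/>
          </operation>
     </portType>

     <binding name="SecureHelloWorldServiceSoapBinding" type="s1:SecureHelloWorldPortType">
          <s2:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
          <operation name="sayHello">
               <s2:operation soapAction="" style="document"/>
               <input>
                    <s2:body parts="parameters" use="literal"/>
               </input>
               <output>
                    <s2:body parts="parameters" use="literal"/>
               </output>
          </operation>
     </binding>

     <service name="SecureHelloWorldService">
          <port binding="s1:SecureHelloWorldServiceSoapBinding" name="SecureHelloWorldServicePort">
               <!-- Sample endpoint on plain http. Because Auth.xml sends the password as
                    PasswordText in an unencrypted header, a deployed endpoint should be
                    reachable over https only. -->
               <s2:address location="http://localhost:9111/SecureHelloWorldService/SecureHelloWorldService"/>
          </port>
     </service>
</definitions>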