0

I have a WCF service with basicHttpBinding, message security mode and certificate client credential type. I can consume this service via a WCF client, but this service also has to be used in another system with a Java client. I'm testing with SoapUI, but I obtain an empty response or a security message error. I've tried various SoapUI configurations to load the client certificate, but none of these worked. I exposed the service via http (non https) and this is the server WCF configuration:

<system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="basicEndPoint" closeTimeout="00:01:00" openTimeout="00:01:00"
                 receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
                 bypassProxyOnLocal="false" maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
                 maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8"
                 transferMode="Buffered" useDefaultWebProxy="true">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                        maxArrayLength="2147483647" maxBytesPerRead="2147483647"
                        maxNameTableCharCount="2147483647"/>
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="customBehavior">
          <clientCredentials>
            <clientCertificate findValue="ClientSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            <serviceCertificate>
              <defaultCertificate findValue="ServerSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost:8080/WebServices/ExternalServices.svc"
        behaviorConfiguration="customBehavior" binding="basicHttpBinding"
        bindingConfiguration="basicEndPoint" contract="ServiceReference1.IExternalServices"
        name="BasicHttpBinding_IExternalServices" >
        <identity>
          <certificateReference findValue="ServerSide"  storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
          <dns value="ServerSide"/>
        </identity>
      </endpoint>
      <endpoint address="mex"
              binding="mexHttpBinding"
              contract="IMetadataExchange"/>
    </client>
  </system.serviceModel> 

What's wrong with these settings? Thanks in advance.

2 Answers

0

I'm not a WCF expert (not even a user :P), but based on the configuration:

<endpointBehaviors>
    <behavior name="customBehavior">
      <clientCredentials>
        <clientCertificate findValue="ClientSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
        <serviceCertificate>
          <defaultCertificate findValue="ServerSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
          <authentication certificateValidationMode="PeerOrChainTrust"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
</endpointBehaviors>

It seems that in order to hit your server endpoint you must present certificate client credentials.

So to invoke your service from SOAPUI you could do two things: first, expose your service using https so that a client is able to present the certificate credentials; and second, configure SOAPUI as follows to send the client certificate to the endpoint:

From the menu select File > Preferences, and then the SSL settings. In this panel select a keystore which contains the client key and certificate valid for the service and enter the keystore password; optionally mark the required client authentication.

NOTE: Based on your configuration:

<clientCertificate findValue="ClientSide" 
           x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>

A valid client certificate must be an end entity certificate issued by one of the certificate authorities located in the Windows local keystore of your server.

albciff
  • Thanks for your reply. I have already tried these configurations; before using basicHttpBinding, I had set wsHttpBinding with https and selected keystore and password, without success. Googling, I read that wsHttpBinding is not very interoperable, so I changed it to basicHttpBinding and tried without https. I'd be curious to know if somewhere there is some official guideline on how to develop SOAP WCF services with certificate authentication that are compatible not only with WCF clients. – VariableName Sep 22 '16 at 10:07
  • @VariableName I've some knowledge about PKI, SSL etc. However, as I said in the answer, I don't have concrete experience with *WCF*... I suppose that surely there are guidelines on the subject but I don't know where to find them, sorry. – albciff Sep 22 '16 at 20:59
-1

I had a hard time setting up SOAPUI for WCF testing with Client Certificate Authentication. Finally I got it to work. I faced different issues like SNI support issues, an unsigned 'To' header ("Getting WCF to accept unsigned 'To' Header"), and others.

I would recommend switching on WCF tracing so you can get detailed error information on the server: https://msdn.microsoft.com/en-us/library/ms732023(v=vs.110).aspx so it can be easily troubleshot.

Alexey Sas
  • Welcome to StackOverflow! It may be a good idea to copy the relevant material from your links to your answer so that if the links ever change your answer is still helpful – DeadChex Oct 21 '16 at 15:10
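
The tracing recommended in the answer above, as an added example that is not part of the original posts: a service-side web.config fragment that turns on WCF tracing and message logging, so a request rejected by message security leaves a record of the fault and of the envelope SoapUI sent. The log path and the message limit are assumptions.

```xml
<!-- Added example; merge into the service's web.config while troubleshooting. -->
<configuration>
  <system.diagnostics>
    <sources>
      <!-- Service-model trace: security processing and fault details -->
      <source name="System.ServiceModel"
              switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <!-- Message log: the SOAP envelopes the service received -->
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <!-- Assumed path; the service account needs write access, and the
           folder should be readable by administrators only -->
      <add name="xml"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="C:\logs\wcf-trace.svclog" />
    </sharedListeners>
    <trace autoflush="true" />
  </system.diagnostics>

  <system.serviceModel>
    <diagnostics>
      <!-- Transport level logs the envelope as it arrived on the wire, which
           shows which WS-Security headers the client actually sent.
           logMalformedMessages keeps requests rejected before dispatch.
           Logged envelopes contain message content: remove this section
           once the problem is found. -->
      <messageLogging logEntireMessage="true"
                      logMalformedMessages="true"
                      logMessagesAtServiceLevel="false"
                      logMessagesAtTransportLevel="true"
                      maxMessagesToLog="500" />
    </diagnostics>
  </system.serviceModel>
</configuration>
```

The resulting .svclog file opens in the Service Trace Viewer (SvcTraceViewer.exe) from the Windows SDK.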