
I have a WCF service that is:

  • Using the BasicHttpBinding (if you can answer for WsHttpBinding even better!)
  • Using TransportWithMessageCredential Security
  • Using X.509 Certificates for Transport and Message security

I would like to be able to test this service with SoapUI.

However, when I attempt to do so it appears that SoapUI signs more of the message than WCF expects, leading to this error (detected in the Application log after enabling ServiceModel auditing):

CryptographicException: Unable to resolve the '#id-100' URI in the signature to compute the digest.

Alternatively, when I use a WsHttpBinding I get the exception:

MessageSecurityException: The message received over Transport security has unsigned 'To' header.

Similar issues have been raised before:

This does not strike me as a "Java talking to MS WCF" issue - I have a Java test client working without issue. Likewise, I can use WCFStorm to test the service. However, SoapUI has become a bit of a de facto test standard, particularly for non-Windows consumers.

So, has anyone managed to overcome these issues and test a certificate-secured WCF service using SoapUI?

Thanks

I believe this issue is irresolvable, based on my own testing and a 250 bounty not yielding an answer.

The "web.config" is generated dynamically, but it's effectively matching either of the following bindings:

<wsHttpBinding>
  <binding name="WSHttpBinding_ITwoWayAsync" closeTimeout="00:01:00"
      openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
      bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="250000" maxReceivedMessageSize="250000"
      messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
      allowCookies="false">
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
      <message clientCredentialType="Certificate" negotiateServiceCredential="false"
               establishSecurityContext="false"
               algorithmSuite="Default" />
    </security>
  </binding>
</wsHttpBinding>

<basicHttpBinding>
  <binding name="BasicHttpBinding_ITwoWayAsync" closeTimeout="00:01:00"
      openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
      bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="250000" maxReceivedMessageSize="250000"
      messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
      allowCookies="false">
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
      <message clientCredentialType="Certificate" algorithmSuite="Default" />
    </security>
  </binding>
</basicHttpBinding>
Matt Mitchell

3 Answers


This was impossible with SoapUI and I had to use another tool called WCFStorm.

Matt Mitchell


I had exactly the same issue. I haven't got it working with BasicHttpBinding, but I do have it working with WsHttpBinding. I had the error "The message received over Transport security has unsigned 'To' header" as well. I created a blog post for solving this issue. See the blog post Connect SoapUI to WCF service certificate authentication for more information.

You have to set the parts in the signature. By default SoapUI signs the whole request, but that isn't the default for WCF, so we have to set the parts that we want to sign. So add as Name "To", Namespace "http://www.w3.org/2005/08/addressing" (this is my namespace, but check yours) and set Encode to "Element". Also check the WS-A panel in your request. Check addressing and set the default "To" checkbox.

LockTar

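The two failures in the question (a signature reference that resolves to nothing, and an unsigned WS-Addressing 'To' header) can both be spotted by reading the ds:Reference list of a captured request. The following Python is an added diagnostic, not code from the question or this answer; the SOAP envelope in it is constructed sample input and the service URL is a placeholder.

```python
# Added example: report what a WS-Security signature in a SOAP envelope covers.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"
ID_ATTRS = ("{%s}Id" % WSU, "Id")  # wsu:Id is the usual form; bare Id as fallback


def index_ids(root):
    """Map every Id value in the envelope to the element that carries it."""
    ids = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            if attr in el.attrib:
                ids[el.attrib[attr]] = el
    return ids


def check_signature_coverage(envelope_xml, required=("{%s}To" % WSA,)):
    """Return the tags the ds:Reference list covers, the URIs that resolve to
    nothing (WCF's 'Unable to resolve' case) and unsigned required headers."""
    root = ET.fromstring(envelope_xml)
    ids = index_ids(root)
    signed, unresolved = [], []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            unresolved.append(uri)
        else:
            signed.append(target.tag)
    missing = [tag for tag in required if tag not in signed]
    return {"signed": signed, "unresolved": unresolved, "missing": missing}


# Constructed sample: To and Body carry wsu:Id, but SignedInfo also references
# an Id ('#id-100') that no element in the message carries.
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:To u:Id="id-To">https://service.example.invalid/TwoWayAsync</a:To>
  <o:Security><ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#id-To"/><ds:Reference URI="#id-Body"/><ds:Reference URI="#id-100"/>
  </ds:SignedInfo></ds:Signature></o:Security>
 </s:Header>
 <s:Body u:Id="id-Body"><Ping/></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(check_signature_coverage(SAMPLE))
```

Run it over a request captured from SoapUI's raw view: an entry in "unresolved" matches the BasicHttp error, an entry in "missing" matches the WsHttp one.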

I have been able to do this with a custom binding in WCF and a PFX certificate file. I had to use a custom binding because I needed to restrict access to one certificate, which is outside the scope of this question. My certificate PFX file had both the public key and the private key. The private key was password protected. I could not get this to work with any other certificate format.

In SoapUI, I go to File -> Preferences -> SSL Settings:

  • Keystore Name: path_to_PFX_file
  • KeyStore password: your_private_key_password

Here are my web.config settings which are pretty much the same as a basicHttpBinding:

<customBinding>
  <binding name="MyServiceBindingConfiguration">
    <security authenticationMode="UserNameOverTransport" includeTimestamp="false" requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
      <localClientSettings maxClockSkew="00:30:00" />
      <localServiceSettings maxClockSkew="00:30:00" />
      <secureConversationBootstrap />
    </security>
    <textMessageEncoding messageVersion="Soap11">
      <readerQuotas maxDepth="32" maxStringContentLength="524288" maxArrayLength="524288" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    </textMessageEncoding>
    <httpsTransport requireClientCertificate="true" />
  </binding>
</customBinding>

Hope this helps.

Nabheet

    Hi Nabheet. Thanks for the feedback but this example doesn't look to have message security (just transport security). I.e. your messages are not certificate-signed. – Matt Mitchell Mar 08 '12 at 01:09
  • Interesting ... I thought that because there is a messageProtectionOrder="SignBeforeEncrypt", it would sign the message and then encrypt it. I will need to do more research. BTW, just a random thought - maybe the messageProtectionOrder is different between the basic/wsHttpBinding and SoapUI ... – Nabheet Mar 08 '12 at 16:07
  • The issue seems to be (from the linked articles) that SoapUI doesn't sign the 'To' element when using WsHttp, and signs too many elements when using BasicHttp. – Matt Mitchell Mar 09 '12 at 05:13