
I'm trying to consume a WebLogic web service with WS-Security 1.2.

In the WSDL, the security section is the following:

<wsp:UsingPolicy wssutil:Required="true"/>
<wsp1_2:Policy wssutil:Id="Wssp1.2-2007-SignBody.xml">
  <ns1:SignedParts xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <ns1:Body/>
  </ns1:SignedParts>
</wsp1_2:Policy>
<wsp1_2:Policy wssutil:Id="Wssp1.2-2007-Wss1.0-X509-Basic256.xml">
  <ns2:AsymmetricBinding xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp1_2:Policy>
      <ns2:InitiatorToken>
        <wsp1_2:Policy>
          <ns2:X509Token ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp1_2:Policy>
              <ns2:WssX509V3Token10/>
            </wsp1_2:Policy>
          </ns2:X509Token>
        </wsp1_2:Policy>
      </ns2:InitiatorToken>
      <ns2:RecipientToken>
        <wsp1_2:Policy>
          <ns2:X509Token ns2:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp1_2:Policy>
              <ns2:WssX509V3Token10/>
            </wsp1_2:Policy>
          </ns2:X509Token>
        </wsp1_2:Policy>
      </ns2:RecipientToken>
      <ns2:AlgorithmSuite>
        <wsp1_2:Policy>
          <ns2:Basic256/>
        </wsp1_2:Policy>
      </ns2:AlgorithmSuite>
      <ns2:Layout>
        <wsp1_2:Policy>
          <ns2:Lax/>
        </wsp1_2:Policy>
      </ns2:Layout>
      <ns2:IncludeTimestamp/>
      <ns2:ProtectTokens/>
      <ns2:OnlySignEntireHeadersAndBody/>
    </wsp1_2:Policy>
  </ns2:AsymmetricBinding>
  <ns3:Wss10 xmlns:ns3="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp1_2:Policy>
      <ns3:MustSupportRefKeyIdentifier/>
      <ns3:MustSupportRefIssuerSerial/>
    </wsp1_2:Policy>
  </ns3:Wss10>
</wsp1_2:Policy>
<wsp:Policy wssutil:Id="Wssp1.2-2007-Wsp1.5-EncryptBody.xml">
  <ns4:EncryptedParts xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <ns4:Body/>
  </ns4:EncryptedParts>
</wsp:Policy>

After a lot of searching, because I'm new to WCF, I ended up with the following configuration:

<system.serviceModel>
  <client>
    <endpoint name="wssMutualCert_Client"
              address="https://..."
              binding="customBinding"
              bindingConfiguration="custom1"
              contract="MyWebService.WebServicesMainMethod"
              behaviorConfiguration="MutualCertBehavior">
    </endpoint>
  </client>
  <bindings>
    <customBinding>
      <binding name="custom1" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00">
        <textMessageEncoding messageVersion="Soap11" writeEncoding="UTF-8" />
        <security defaultAlgorithmSuite="Basic256"
                  authenticationMode="MutualCertificateDuplex"
                  includeTimestamp="True"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                  securityHeaderLayout="LaxTimestampLast" messageProtectionOrder="SignBeforeEncrypt">
          <localClientSettings maxClockSkew="00:07:00" />
          <localServiceSettings maxClockSkew="00:07:00" />
          <secureConversationBootstrap>
            <localClientSettings maxClockSkew="00:07:00" />
            <localServiceSettings maxClockSkew="00:07:00" />
          </secureConversationBootstrap>
        </security>
        <context protectionLevel="EncryptAndSign"/>
        <httpsTransport requireClientCertificate="true" maxBufferPoolSize="20000000" maxBufferSize="20000000" maxReceivedMessageSize="20000000"/>
      </binding>
    </customBinding>
    <ws2007HttpBinding>
      <binding name="wssMutualCertBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate"/>
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="MutualCertBehavior">
        <clientCredentials>
          <serviceCertificate>
            <defaultCertificate findValue="XXXXX"
                                storeLocation="LocalMachine"
                                storeName="TrustedPeople" x509FindType="FindByThumbprint"/>
          </serviceCertificate>
          <clientCertificate findValue="YYYYY"
                             storeLocation="LocalMachine"
                             storeName="TrustedPeople" x509FindType="FindByThumbprint"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

My test app looks like the following:

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MyWebService;

class Program
{
    static void Main(string[] args)
    {
        WebServicesMainMethodClient client = new WebServicesMainMethodClient("wssMutualCert_Client");
        webRequest request = new webRequest();
        // Installs the callback below, which accepts any TLS server certificate (testing only).
        ServicePointManager.ServerCertificateValidationCallback = RemoteCertificateValidationCallback;

        try
        {
            webResponse response = client.retrieve(request);
        }
        catch (Exception)
        {
            throw; // rethrow as-is; "throw e;" would reset the stack trace
        }
    }

    // Returns true unconditionally, so TLS server certificate validation (chain, hostname,
    // expiry) is disabled for the whole process while debugging the message-level error.
    public static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }
}

And whatever change I try in my configuration, I receive the following:

An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Client.MyWebService.WebServicesMainMethod.retrieve(retrieve request)

I have been trying to find something helpful for almost 2 days now. I've searched time synchronization issues, cert issues. ANY IDEA OR RECOMMENDATION WOULD BE VERY HELPFUL. Thank you all in advance.

SteveC
  • please publish a sample working soap (ask one from the vendor) – Yaron Naveh Apr 19 '12 at 15:03
  • If you have a similar problem, it may be worth looking at this SO question. If you are using WCF then this SO question may help you: http://stackoverflow.com/questions/24635950/remove-timestamp-element-from-ws-security-headers-created-by-wcf – Ruskin Jul 11 '14 at 08:17
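
For comparison with the app.config in the question, the following is an added example (not code from the question or the answer) that builds the same kind of WCF binding in code, with each property annotated with the WS-SecurityPolicy assertion from the WSDL it corresponds to. It assumes System.ServiceModel from .NET 4.0 or later; the endpoint address and the certificate lookups are left to the caller exactly as the config's `<clientCredentials>` section does them.

```csharp
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

// Added example: the WSDL's AsymmetricBinding assertions expressed as a code-based
// WCF CustomBinding, one WCF property per policy assertion.
static class PolicyMappedBinding
{
    public static CustomBinding Create()
    {
        // <ns2:AsymmetricBinding>: client and service each sign with their own X.509 token.
        var security = new AsymmetricSecurityBindingElement();

        // <ns2:InitiatorToken> X509Token IncludeToken=.../AlwaysToRecipient, WssX509V3Token10
        security.InitiatorTokenParameters = new X509SecurityTokenParameters
        {
            InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
        };
        // <ns2:RecipientToken> IncludeToken=.../Never: the service certificate is not sent,
        // so it is referenced externally; <ns3:MustSupportRefIssuerSerial/> permits IssuerSerial.
        security.RecipientTokenParameters = new X509SecurityTokenParameters
        {
            InclusionMode = SecurityTokenInclusionMode.Never,
            X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial
        };

        security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;   // <ns2:Basic256/>
        security.SecurityHeaderLayout = SecurityHeaderLayout.Lax;           // <ns2:Lax/>
        security.IncludeTimestamp = true;                                   // <ns2:IncludeTimestamp/>
        security.ProtectTokens = true;                                      // <ns2:ProtectTokens/>
        // SignBody + EncryptBody policies: the body is signed first, then encrypted.
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        // <ns3:Wss10/>: WS-Security 1.0 token profile, the same version string as the app.config.
        security.MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

        var encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
        // The WSDL excerpt carries message-level assertions only, so RequireClientCertificate is
        // left at its default (false) here; set it only if the service also demands a TLS client cert.
        var transport = new HttpsTransportBindingElement();

        return new CustomBinding(security, encoding, transport);
    }
}
```

Pass the returned binding to a `ChannelFactory<T>` or generated client constructor together with the endpoint address, then attach the client and service certificates through its `Credentials` property as the `<clientCredentials>` section above does.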

1 Answer


The error means that the SOAP request WCF sends is not compatible with the WebLogic security configuration. Usually there are issues with the timestamp WCF sends and the password as text, but often non-.NET services want Digest mode. There is no easy solution. Read this and this. I downgraded to WSE 3.0 to be able to send requests to a Java-based service. It is easier to achieve this there.

paramosh