Re: UsernameOverTransportSecurity+SSL Confusion, please help



Hi Pablo,

thank you for your response.

I am still a little bit confused.

I generated the wsdl file using https://. From my client app if I
supply invalid credentials, I get an exception, so the authentication
seems to be working there. However, if I paste the url of my webservice
on my local machine, either in IE or Firefox, I can see the methods and
execute them.
i.e. https://locahost/myservice

How come the authentication is not working there? What settings should
I have under IIS settings for my WebService?

One more question. In order to use SSL, I will have to purchase the
Certificate, right? I will have a private key on the server, and I will
give the private key to my client? They will need to install it on
their server, correct? And I don't have to do anything in the config
files regarding this, correct?

Thanks a million!!

Mike


Pablo Cibraro [MVP] wrote:
Hi Mike,

If you are using transport security, the following section is not necessary
(it is only used by message security):

<security>
  <x509 verifyTrust="true" allowTestRoot="true" revocationMode="Offline" verificationMode="TrustedPeopleOrChain" />
  <binarySecurityTokenManager>
    <add type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
         valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
      <keyAlgorithm name="RSA15" />
    </add>
  </binarySecurityTokenManager>
</security>

I am not sure I understand what your problem is. Have you configured the
service to use SSL in IIS?
If the service is running with https, it is automatically signed and
encrypted by the transport, you do not need to worry about that.
The code for the client application looks fine.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

"mike" <michal.tesar@xxxxxxxxx> wrote in message
news:1158594278.807718.65720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am confused. I have a web service, and a client. Both are connected
over VPN. I want to use direct authentication from WSE 3.0. To secure
the transport of the messages, I just want to use SSL.

I have this set up working, but I am confused. I installed a test
certificate on my web server, so I need to access my web service over
SSL. However, in my policy config file on the client I have:
<policy name="usernameTokenSecurity">
  <usernameOverTransportSecurity />
  <requireActionHeader />
</policy>

in app.config on the client I have:
<microsoft.web.services3>
  <diagnostics>
    <trace enabled="false" input="InputTrace.webinfo" output="OutputTrace.webinfo" />
    <detailedErrors enabled="false" />
  </diagnostics>
  <policy fileName="Configuration\wse3policyCache.config" />
  <security>
    <x509 verifyTrust="true" allowTestRoot="true" revocationMode="Offline" verificationMode="TrustedPeopleOrChain" />
    <binarySecurityTokenManager>
      <add type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <keyAlgorithm name="RSA15" />
      </add>
    </binarySecurityTokenManager>
  </security>
</microsoft.web.services3>


in my client winform I have:
    Service1.ServiceWse proxy = new Service1.ServiceWse();

    UsernameToken token;
    token = GetUsernameToken(txtUsername.Text, txtPassword.Text,
                             PasswordOption.SendPlainText);

    proxy.SetClientCredential(token);
    proxy.SetPolicy("usernameTokenSecurity");

    Service1.Product product =
        proxy.GetProductInformationWithSendPlainText(txtProduct.Text);

    lblResults.Text = String.Format(CultureInfo.InvariantCulture,
        "Product: {0}, Quantity {1}, Unit price {2}",
        product.Name, product.Quantity, product.UnitPrice);
    lblResults.Text += proxy.ValidateLogin();




I am just confused if this is what I want this to be? Is my app.config
file correct? The direct authentication works. My concern is if the SSL
is set up ok. Where do I sign the message with the public key?

Please help!!!

Thanks,
Mike
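
Added example (not part of the original thread and not Pablo's or Microsoft's code): a small Python audit of the client policy and app.config discussed above. It flags a usernameOverTransportSecurity policy aimed at a non-https URL, where a SendPlainText password would have no protection, and the x509 section that the reply says is only used by message security. The audit function, the finding names and the sample URLs are assumptions; the XML is constructed from the thread's snippets.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed inputs modelled on the snippets quoted in the thread.
POLICY_XML = """<policies>
  <policy name="usernameTokenSecurity">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>"""

APP_CONFIG_XML = r"""<configuration>
  <microsoft.web.services3>
    <policy fileName="Configuration\wse3policyCache.config" />
    <security>
      <x509 verifyTrust="true" allowTestRoot="true" />
    </security>
  </microsoft.web.services3>
</configuration>"""


def local(tag):
    """Element name with any '{namespace}' prefix removed."""
    return tag.rsplit("}", 1)[-1]


def audit(policy_xml, app_config_xml, policy_name, service_url):
    """Return finding names (hypothetical labels) for one client setup."""
    policy = next((e for e in ET.fromstring(policy_xml).iter()
                   if local(e.tag) == "policy" and e.get("name") == policy_name),
                  None)
    if policy is None:
        return ["policy-not-found"]
    findings = []
    if any(local(c.tag) == "usernameOverTransportSecurity" for c in policy):
        # The token is not protected at message level, so only TLS on the
        # endpoint keeps a SendPlainText password off the wire in clear.
        if urlparse(service_url).scheme.lower() != "https":
            findings.append("plaintext-credentials-without-tls")
        # Per the reply in the thread, <x509> settings serve message security.
        if any(local(e.tag) == "x509" for e in ET.fromstring(app_config_xml).iter()):
            findings.append("unused-x509-section")
    return findings


if __name__ == "__main__":
    for url in ("https://service.example/myservice", "http://service.example/myservice"):
        print(url, audit(POLICY_XML, APP_CONFIG_XML, "usernameTokenSecurity", url))
```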

