X509MutualCertSecurity with manual Assertion Config

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

Techno_Dex - 01 Sep 2006 17:45 GMT

I'm wanting to configure X509MutualCertificateSecurity manually from a
client but not sure how to get the Assertion started. Basically I have an
assembly (the Client side of this request) that can be called by mulitple
users. They will pass in their ID, which the assembly will then look up in
the database to find out which location (URL) they need to hit the
WebService and that WS's unique certificate name/KeyID. So to reiterate, I
have one client and multiple WS services (all the same) deployed at various
locations, each with there own certificate.

From what I've seen in the Lab code put out so far, is looks like I need to
create an Assertion and set the X509TokenProvider to the desired certificate
of the the appropriate WS based on ClientID. Then create an
EndpointProtectionRequirements object and configure it, then add the
Assertion to a Policy and set the Policy on the WSProxy. My problem is I'm
not sure what type of assertion to create. The examples I see use a
UsernameForCertificateAssertion, but I don't want to use a UserName, I want
to secure the the communication via MutualCertificateSecurity.

Also, if I configure only the server side in code, can I rely on the
.SetPolicy() method to configure the client side which is static, or will
the SetPolicy method overwrite any policy objects that are currently
configured on the proxy????

TIA

Reply to this Message

Techno_Dex - 01 Sep 2006 18:14 GMT

It looks like what I was searching for is the MutualCertificate11Assertion
object. If anyone happens to have information about configuring this in
code, I would be interested to here as I'm not sure on a couple of the
properties like RequireSignatureConfirmation and RenewExpiredSecurityContext

> I'm wanting to configure X509MutualCertificateSecurity manually from a
> client but not sure how to get the Assertion started. Basically I have an
[quoted text clipped - 20 lines]
>
> TIA

Reply to this Message

Techno_Dex - 01 Sep 2006 21:39 GMT

Ok, so I'm trying to set the ClientX509TokenProvider and
ServiceX509TokenProvider on the Assertion using the
X509FindType.FindBySubjectKeyIdentifier, which I hardcoded (for testing
purposes) with the values I extracted using the "WSE X.509 Certificate Tool"
(WseCertificate3.exe) for the Client and Service Certificates. The problem
is when I actually go to set to policy which contains these assertions, I
get an error that it couldn't find Certificates with the keys given. Now
the really odd thing is I used the X509Util.FindCertificateByKeyIdentifier()
method to get the X509SecurityToken and this had no problem finding the
Certificates and creating a Token. Any ideas on what I am missing???

> It looks like what I was searching for is the MutualCertificate11Assertion
> object. If anyone happens to have information about configuring this in
[quoted text clipped - 26 lines]
>>
>> TIA

Reply to this Message

Techno_Dex - 01 Sep 2006 22:32 GMT

WSE definately needs to work on documentation. In order to use the
X509TokenProvider, the KeyID passed in needs to be in HEX, so the Base64
string that is returned from the "WSE X.509 Certificate Tool" needs to be
converted. I'm not fond of the conversion, but currently what works is
sKeyID =
BitConverter.ToString(Convert.FromBase64String("<Base64Value>")).Replace("-","");
Where the separators in the string once converted from the byte[] must be
removed before being passed into the TokenProvider constructor. I still
need to understand the SetServiceCredentials and SetClientCredentials
functionality. Do I need to set these in code for Authentication like
MutualCertSecurity does via the Wizard Tool?

> Ok, so I'm trying to set the ClientX509TokenProvider and
> ServiceX509TokenProvider on the Assertion using the
[quoted text clipped - 38 lines]
>>>
>>> TIA

Reply to this Message

X509MutualCertSecurity with manual Assertion Config

Free Magazines