 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / March 2005Encryption and signing using Security context tokens using WS-Pol
Hi Every One I am unable to do signing and ecryption using SecurityContexttokens using WS-Policy... Issuing the SCT works, but subsequent messages fail? Here's an excerpt from my policy cache: <defaultOperation> <request policy="#Sign-SCT-Encrypt-SCT-1" /> <response policy="#Sign-SCT-Encrypt-SCT-2" /> <fault policy="" /> </defaultOperation> <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT-1"> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate> <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken>Put stuff to verify the issuer here (e.g. issuer's x509 cert identification info)</wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> <wssp:Confidentiality wsp:Usage="wsp:Required"> <wssp:KeyInfo> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken>Put stuff to verify the issuer here (e.g. issuer's x509 cert identification info)</wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wssp:KeyInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Confidentiality> </wsp:Policy> <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT-2"> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate> <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> </wssp:SecurityToken> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> <wssp:Confidentiality wsp:Usage="wsp:Required"> <wssp:KeyInfo> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> </wssp:SecurityToken> </wssp:KeyInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Confidentiality> </wsp:Policy> Note the use of wse:IdentityToken="true" in the policies; that's how the same SCT is used for both the request and response. Note that you don't need to verify claims against the response token since the claims were verified for the identity token on the request. Thomas S. Trias Senior Developer Afni Insurance Services http://www.afniinc.com/ > Hi Every One > > I am unable to do signing and ecryption using SecurityContexttokens using > WS-Policy... Thanks Thomas , yes issuing SCT works , but in a webfarm scenario calling service fails using WS- Policy, any suggestions fully appreciated..... with many thnks kiran > Issuing the SCT works, but subsequent messages fail? > [quoted text clipped - 100 lines] > > I am unable to do signing and ecryption using SecurityContexttokens using > > WS-Policy... What is the specific failure message? Is it a policy failure regarding the encryption / signature token, or is it a failure to map to a specific policy? I can see where you might have some difficulty setting up SCT mediated communication in a web-farm environment if the load-balancer doesn't associate a particular client session (identifiable in this case only by the SCT / issuer, unless you also use an additional mechanism) with a particular server in the farm. The built-in SecurityContextService only keeps track of the SCTs that it has issued; it doesn't know about the other servers in the farm. So, once a client has acquired an SCT from a particular server, it either has to be tied to that server for the conversation's lifetime, or you have to devise a mechanism whereby the servers in the farm share an SCT cache or can query each other to validate the SCT. Either of those options requires setting up a custom SecurityContextService. Do you have x509 certificates setup for the servers? Does each server know about the public keys for each of the other servers? As long as the servers can engage in trusted behavior amongst themselves, you can setup another web-service for SCT cache coherency, with operations for querying (pull), copying (push), and revocation of SCTs from the caches of the web-farm servers. One thing I'm not clear on is the best way to seamlessly integrate a custom SecurityContextService that responds to the standard SCT request (SoapAction = "http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT") on the same URI as the main service (e. g. "http://mydomain/myservice.asmx"), without getting in the way of the rest of the requests. All of the examples I've seen regarding SecurityContextService are focused on handling custom tokens with a specific endpoint just for token management. Using a specific endpoint for token management may not be the worst solution; it depends upon how much control you have over the web service consumers / proxies. Thomas S. Trias Senior Developer Afni Insurance Services http://www.afniinc.com/ > Thanks Thomas , > [quoted text clipped - 3 lines] > with many thnks > kiran Thanks Thomas Yes it is a failure to map to a specific policy In a webfarm scenario wen i try to run the sample using policy the error is ------------------------------------- Message: WSE464: No policy could be found for this message. at Microsoft.Web.Services2.Policy.SimplePolicyEnforcer.Enforce(SoapEnvelope m essage) at Microsoft.Web.Services2.Policy.PolicyManager.Enforce(SoapEnvelope message) at Microsoft.Web.Services2.Policy.PolicyEnforcementOutputFilter.ProcessMessag e(SoapEnvelope envelope) at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(SoapEnvelope envelop e) at Microsoft.Web.Services2.OutputStream.Close() at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodN ame, Object[] parameters) at SecureConvClient.StockServiceWse.StockQuoteRequest(String[] symbols) in c: \program files\microsoft wse\v2.0\samples\cs\quickstart\secureconvcodeclient\sec ureconvproxy.cs:line 41 ------------------------- we are using the same concept as Chris Keyser for Managing Security Context Tokens in a Web Farm.The built-in SecurityContextService keeps track of the SCTs that it has issued are kept in a database and retrieved.And also we have x509 certificates installed in both the servers. http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwebsrv/ html/sctinfarm.asp This works fine for code in webfarm environment. My policy file at the client side looks like this . --------------------------------------------- <?xml version="1.0" encoding="utf-8"?> <!-- This sample is designed to demonstrate WSE features and is not intended for production use. Code and policy for a production application must be developed to meet the specific data and security requirements of the application. --> <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy"> <mappings> <!-- The following section describes the policy requirements for the sample service. Note that the fault policy is empty. This indicates that no policy is applied to faults for this service operation. --> //This is the point where to get the SCT service. <endpoint uri="http://server1/SecureConvCodeService/SecureConvService.asmx"> <defaultOperation> <request policy="#Sign-SCT-Encrypt-SCT" /> <response policy="" /> <fault policy="" /> </defaultOperation> <operation requestAction="http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT"> <request policy="" /> <response policy="" /> <fault policy="" /> </operation> </endpoint> </mappings> <policies xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <!-- This policy is used for the target Web service. It requires the body and addressing headers to be signed with the SecureContextToken and the body to be encrypted with token. --> <!-- This policy is used for the token issuer service. It requires the body and addressing headers to be signed with a UsernameToken. --> <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT"> <!--MessagePredicate is used to require headers. This assertion should be used along with the Integrity assertion when the presence of the signed element is required. NOTE: this assertion does not do anything for enforcement (send-side) policy.--> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate> <!--The Integrity assertion is used to ensure that the message is signed with SCT. Many Web services will also use the token for authorization, such as by using the <wse:Role> claim or specific SCT claims.--> <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:TokenIssuer>DC=com, DC=everest, CN=EverestCsr</wssp:TokenIssuer> <wssp:Claims> <!--By specifying the SubjectName claim, the policy system can look for a certificate with this subject name in the certificate store indicated in the application's configuration, such as LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful for finding the correct values for this field.--> <wssp:SubjectName MatchType="wssp:Exact">DC=com, DC=everest, CN=Users, CN=Administrator</wssp:SubjectName> <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">0Ue6rBPQiujm0dbW4HptwVcym8w=</wssp:X509Extension> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> <!--The Confidentiality assertion is used to ensure that the SOAP Body is encrypted.--> <wssp:Confidentiality wsp:Usage="wsp:Required"> <wssp:KeyInfo> <!--The SecurityToken element within the KeyInfo element describes which token type must be used for Encryption.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:TokenIssuer>DC=com, DC=everest, CN=EverestCsr</wssp:TokenIssuer> <wssp:Claims> <!--By specifying the SubjectName claim, the policy system can look for a certificate with this subject name in the certificate store indicated in the application's configuration, such as LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful for finding the correct values for this field.--> <wssp:SubjectName MatchType="wssp:Exact">DC=com, DC=everest, CN=Users, CN=Administrator</wssp:SubjectName> <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">0Ue6rBPQiujm0dbW4HptwVcym8w=</wssp:X509Extension> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wssp:KeyInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Confidentiality> </wsp:Policy> </policies> </policyDocument> --------------------------------- and my Web.config at the issuer token side looks like this <?xml version="1.0" encoding="utf-8"?> <configuration> <configSections> <section name="microsoft.web.services2" type="Microsoft.Web.Services2.Configuration.WebServicesConfiguration, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </configSections> <system.web> <webServices> <soapExtensionTypes> <add type="Microsoft.Web.Services2.WebServicesExtension, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" priority="1" group="0" /> </soapExtensionTypes> </webServices> <!-- DYNAMIC DEBUG COMPILATION Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this value to false will improve runtime performance of this application. Set compilation debug="true" to insert debugging symbols (.pdb information) into the compiled page. Because this creates a larger file that executes more slowly, you should set this value to true only when debugging and to false at all other times. For more information, refer to the documentation about debugging ASP .NET files. --> <compilation defaultLanguage="c#" debug="true" /> <!-- <identity impersonate="true" userName="VISUALSOFT-TECH\davindersing" password="dev1" /> --> </system.web> <microsoft.web.services2> <diagnostics> <!-- Configures the error reporting facility. The "enabled" attribute is required for the <detailedErrors> element, and its default value is false. If the enabled attribute is set to true explicitly, WSE will send back the detailed error information, i.e. a full stack trace as well as the information about all the inner exceptions. If the enabled attribute is set to false explicitly, WSE will send back the custom (friendly) messages, i.e. the top level exception message without stack trace and information about the inner exceptions. The detailedErrors section is optional. If it is not present, for http or https request, the customErrors under the system.web section will be used to decide whether WSE will send back the custom (friendly) message. Please refer to the ASP.NET configruation section for further information. For all the other transports, WSE will always send back the custom (friendly) message. --> <detailedErrors enabled="true" /> <trace enabled="true"/> </diagnostics> <security> <x509 allowTestRoot="true" allowRevocationUrlRetrieval="false" verifyTrust="false" /> <securityTokenManager type="SecureConvCodeService.CustomUsernameTokenManager, SecureConvCodeService" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" qname="wsse:UsernameToken" > <replayDetection enabled="false"/> </securityTokenManager> <!--!!!!!********** You should follow best practices for managing sensitive configuraiton information like connection strings and keys in a production environment. Located here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/S ecNetch08.asp and here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/S ecNetch12.asp --> <securityTokenManager type="SecureConvCodeService.CookieSCTManager, SecureConvCodeService" xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc" qname="wssc:SecurityContextToken"> <secretKey>9zgyMgCz8K631HYRV+Qj+Q==</secretKey> <!--<secretKey>zw04MvaqVuxbhXi7mgJE2QTofmY=</secretKey>--> </securityTokenManager> <securityTokenManager type="SecureConvCodeService.DatabaseSCTManager, SecureConvCodeService" xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc" qname="wssc:SecurityContextToken"> <connectionString> Integrated Security=False;database=TokenCache;server=192.168.200.10; User Id=foo;password=bar; </connectionString> </securityTokenManager> </security> <tokenIssuer> <!--required for WSE SP1 - will be fixed in subsequent release and then commented out config should be used --> <!-- <autoIssueSecurityContextToken enabled="true" type="SecureConvCodeService.DistributedCacheSCTService, SecureConvCodeService" /> --> <autoIssueSecurityContextToken enabled="true" /> <serverToken> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:SecurityTokenReference> <!-- Replace the identifier below with your own certificate Id in Base64String here The certificate is from the Local Machine store's Personal folder, and the certificate Id can be retrieved by X509Certificate Tool --> <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509SubjectKeyIdentifier">0Ue6rBPQiujm0dbW4HptwVcym8w=</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </KeyInfo> </serverToken> </tokenIssuer> <policy> <cache name="policyCache.config" /> </policy> </microsoft.web.services2> </configuration> ------------------------------------------------ My service side and issuer token policy file looks like this <?xml version="1.0" encoding="utf-8"?> <!-- This sample is designed to demonstrate WSE features and is not intended for production use. Code and policy for a production application must be developed to meet the specific data and security requirements of the application. --> <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy"> <mappings> <!-- The following section describes the policy requirements for the sample service. Note that the fault policy is empty. This indicates that no policy is applied to faults for this service operation. --> <endpoint uri="http://server2/SecureConvCodeService/SecureConvService.asmx"> <defaultOperation> <request policy="#Sign-SCT-Encrypt-SCT" /> <response policy="" /> <fault policy="" /> </defaultOperation> <operation requestAction="http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT"> <request policy="" /> <response policy="" /> <fault policy="" /> </operation> </endpoint> </mappings> <policies xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <!-- This policy is used for the target Web service. It requires the body and addressing headers to be signed with the SecureContextToken and the body to be encrypted with token. --> <!-- This policy is used for the token issuer service. It requires the body and addressing headers to be signed with a UsernameToken. --> <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT"> <!--MessagePredicate is used to require headers. This assertion should be used along with the Integrity assertion when the presence of the signed element is required. NOTE: this assertion does not do anything for enforcement (send-side) policy.--> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate> <!--The Integrity assertion is used to ensure that the message is signed with SCT. Many Web services will also use the token for authorization, such as by using the <wse:Role> claim or specific SCT claims.--> <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:TokenIssuer>DC=com, DC=everest, CN=EverestCsr</wssp:TokenIssuer> <wssp:Claims> <!--By specifying the SubjectName claim, the policy system can look for a certificate with this subject name in the certificate store indicated in the application's configuration, such as LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful for finding the correct values for this field.--> <wssp:SubjectName MatchType="wssp:Exact">DC=com, DC=everest, CN=Users, CN=Administrator</wssp:SubjectName> <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">0Ue6rBPQiujm0dbW4HptwVcym8w=</wssp:X509Extension> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> <!--The Confidentiality assertion is used to ensure that the SOAP Body is encrypted.--> <wssp:Confidentiality wsp:Usage="wsp:Required"> <wssp:KeyInfo> <!--The SecurityToken element within the KeyInfo element describes which token type must be used for Encryption.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:TokenIssuer>DC=com, DC=everest, CN=EverestCsr</wssp:TokenIssuer> <wssp:Claims> <!--By specifying the SubjectName claim, the policy system can look for a certificate with this subject name in the certificate store indicated in the application's configuration, such as LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful for finding the correct values for this field.--> <wssp:SubjectName MatchType="wssp:Exact">DC=com, DC=everest, CN=Users, CN=Administrator</wssp:SubjectName> <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">0Ue6rBPQiujm0dbW4HptwVcym8w=</wssp:X509Extension> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wssp:KeyInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Confidentiality> </wsp:Policy> </policies> </policyDocument> ------------------------------- Do i have to include policy file at the Target service and token issuer service end ? and also can u specify what i have to include in the <endpoint uri> in policy cache. And also at the service end the <autoIssueSecurityContextToken enabled="false" /> is that correct? Hope you understand my problem . With Many Thanks Kiran > What is the specific failure message? Is it a policy failure regarding the > encryption / signature token, or is it a failure to map to a specific policy? [quoted text clipped - 42 lines] > > with many thnks > > kiran Kiran, If you are going to enforce requirements on both ends of the communication using policy, then you definitely need policy documents on both the caller and callee. Since it looks like you are setting up policy both for your SCT service and your main web service, the policy document should be specified in the web.config for each if they are in separate ASP.NET applications and in the common web.config otherwise. > <mappings> > <endpoint [quoted text clipped - 12 lines] > </endpoint> > </mappings> This portion of the policy file indicates that you have a web service at "http://server1/SecureConvCodeService/SecureConvService.asmx"; the operations on this service will be mapped to the specified policies based upon the SoapAction header received. SCT requests (SoapAction = "http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT"), will have no policy applied to requests, responses or faults, and all other requests must be signed and encrypted by an SCT (although responses and faults will neither be signed nor encrypted). The point of failure is that the "To:" portion of the WS-Addressing part of the Soap envelope in the request does not match "http://server1/SecureConvCodeService/SecureConvService.asmx", so WSE can't match the request to the policy. If you change the URI to "http://name-or-addr-of-the-load-balancer/SecureConvCodeService/SecureConvService.asmx", the policy will probably be found, but you will run into another error: the connection information from the HTTP request will not match the "To:" information, since the "To:" will contain the external URI, and the HTTP connection will actually be made to a particular internal server. Since the client cannot know which internal server they will get, the only solution is to add a SoapActor attribute to your web services; I recommend using the external URI as your SoapActor, so that you don't have to change any existing proxies / clients. If you choose some other URI as your SoapActor (make it the same for all internal servers), clients will have to specify that SoapActor as the "To:" (along with Via information referencing the external URI). BTW, thanks for the information; you may have just pointed me towards a solution for my post about autoIssueSecurityContextToken and SoapActor. Thomas S. Trias Senior Developer Afni Insurance Services http://www.afniinc.com/ Thomas Thanks for the information ,Yes u r rite including SOAP actor is possible solution. I was just trying to add one more <endpoint uri> , that i was mising in my policy file.Its working (not working i should say ),But the problem is it is not using the same SCT , it is generating one more SCT.This shouldnt happen in a webfarm scenario. Thomas just forget for a moment about webfarm scenario ,Using policy wen i try to invoke two different services in the same virtual directory for two requests its creating two security context tokens. I just included one more <endpoint uri> in the policy file. When we use code we didnt face any problems, with same SCT the two methods are invoked. Do u have any solution for this . > Kiran, > [quoted text clipped - 55 lines] > Afni Insurance Services > http://www.afniinc.com/ So, you have two different endpoints in the same virtual directory, e.g. : http://mydomain/dir/service1.asmx http://mydomain/dir/service2.asmx Is the client / proxy setup to request another SCT if it gets a particular type of fault? At what point does the client request another SCT? Is the following what you are seeing? 1) Client calls service1 with SoapAction = "http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT" to get an SCT 2) Service successfully negotiates an SCT with Client 3) Client calls a method on Service1 signed / encrypted with the SCT 4) Service processes request and returns a response 5) Client calls a method on Service2 signed / encrypted with the SCT 6) Service returns a fault based upon policy / unknown SCT 7) Clients requests an SCT from Service2 Try turning on tracing by adding the following (with appropriate directory changes) to the web.config microsoft.web.services2 section: <diagnostics> <trace enabled="true" input="C:\Temp\input.txt" output="C:\Temp\output.txt" /> </diagnostics> That way you can see the exact sequence of request / response behavior. Frankly, I haven't tried this scenario, but I did notice the following in the documentation for the SoapService.AutoIssueSCTService property: Gets the security token service that automatically issues SecurityContextToken security tokens for the current application domain. Since both services are in the same virtual directory, both assemblies should be in the same app domain, so they should share a single AutoIssueSCTService, and thus, I would believe, the same SCT cache... I'll have to try it and see. Thomas S. Trias Senior Developer Afni Insurance Services http://www.afniinc.com/ > Thomas > [quoted text clipped - 10 lines] > problems, with same SCT the two methods are invoked. Do u have any solution > for this . Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.