WCF consume webservice with transport security based on certificate and message encryption based on another certificate

Erwin Paul Kuiper 1 Reputation point
2022-11-02T13:51:18.53+00:00

Hi,

I am consuming a SOAP web service with transport security based on an X.509 certificate with a private key.
For this we have configured a WsHttpBinding in Transport mode with clientCredentialType Certificate.
In the behavior, we have added the client certificate with the private key to the client credentials.
This is working fine.

Now the client who is hosting the web service wants an additional layer of security by adding message encryption.
I know this is redundant because the transport is already encrypted, but the client really wants the messages to be encrypted as well.
I have another X.509 certificate (public key only) for the message encryption, but I can't find out how to get this working.
I found out that message security doesn't work with SSL out of the box, so this probably has to be done with a custom binding.
Is that true?

I have converted the WsHttpBinding for the transport security to a CustomBinding, and that is working fine. This is the config for the custom binding with just the transport security:

<system.serviceModel>
  <client>
    <endpoint address="https://endpointurl"
              behaviorConfiguration="endpointCredentialBehavior"
              binding="customBinding"
              bindingConfiguration="Binding1"
              contract="MyNamespace.MyType"/>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="endpointCredentialBehavior">
        <clientCredentials>
          <clientCertificate findValue="mysubjectname"
                             storeLocation="CurrentUser"
                             storeName="My"
                             x509FindType="FindBySubjectName" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <customBinding>
      <binding name="Binding1">
        <textMessageEncoding messageVersion="Soap12"></textMessageEncoding>
        <httpsTransport requireClientCertificate="true"></httpsTransport>
      </binding>
    </customBinding>
  </bindings>
</system.serviceModel>

What do I have to add to the custom binding to add the message encryption? I suppose I have to add a security element, but I can't find out which one or how it has to be configured.

Am I right that for the message encryption I have to add the new certificate with the public key to the behavior, in a serviceCertificate's defaultCertificate? So that the certificate with the private key is configured in a clientCertificate (for the transport security, like we have now) and the other certificate with the public key is configured in a serviceCertificate? Sorry, but I can't find good documentation about this.

Any help would be appreciated.


2 answers

  1. Anonymous
    2022-11-03T03:12:37.69+00:00

    Hi @Erwin Paul Kuiper ,

    WCF provides several modes by which clients and services authenticate to one another. You can create security binding elements for an authentication mode by using the static methods on the SecurityBindingElement class, or through configuration.

    For your situation, you can use the AnonymousForSslNegotiated authentication mode. You can configure it this way:

    <bindings>
      <customBinding>
        <binding name="SecureCustomBinding">
          <security authenticationMode="AnonymousForSslNegotiated" />
        </binding>
      </customBinding>
    </bindings>
    

    You can also refer to the docs for more info.


  2. Erwin Paul Kuiper 1 Reputation point
    2022-11-04T10:49:20.743+00:00

    Hi JiayaoWu-MSFT,

    Thanks for your reply.

    The customer wants to use both message security and transport security. They want us to authenticate ourselves with a private-key certificate on the transport level, and they want us to encrypt the messages with another, public-key certificate. So I don't think the authenticationMode should be AnonymousForSslNegotiated, because we have to authenticate ourselves. After some further reading, I wonder if the authenticationMode should be MutualCertificate, because both we and the customer who is hosting the web service have a private key and a public key.

    If we use a security element configured with authenticationMode="MutualCertificate" together with an httpsTransport element configured with requireClientCertificate="true", and we put the private-key certificate in the behavior's clientCredentials/clientCertificate and the public-key certificate in clientCredentials/serviceCertificate, will the public key then be used for the message encryption, and will the private key be used for the authentication on the transport level and for the digital signature in the message?

    That might be what we need.

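The combined configuration that the question and the reply above converge on, written out as an added example: transport security on the httpsTransport element plus MutualCertificate message security in the same custom binding. This is not configuration from the original poster or from the answer above. It keeps the original Binding1, behavior and client-certificate store settings; the service certificate subject ("serviceSubjectName") and the store it is imported into (CurrentUser/TrustedPeople) are assumed placeholders, and messageSecurityVersion, algorithm suite and addressing are left at WCF's defaults on the assumption that the service's WSDL policy accepts them (the service policy, not the client, dictates those values).

```xml
<system.serviceModel>
  <client>
    <endpoint address="https://endpointurl"
              behaviorConfiguration="endpointCredentialBehavior"
              binding="customBinding"
              bindingConfiguration="Binding1"
              contract="MyNamespace.MyType" />
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="endpointCredentialBehavior">
        <clientCredentials>
          <!-- Private-key certificate. WCF uses this one certificate both for TLS
               client authentication on httpsTransport and for the message-level
               signature required by MutualCertificate. -->
          <clientCertificate findValue="mysubjectname"
                             storeLocation="CurrentUser"
                             storeName="My"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <!-- Public-key-only certificate of the service: used to encrypt the
                 message to the service and to verify the service's signature on
                 the reply. Subject name and store are assumed placeholders. -->
            <defaultCertificate findValue="serviceSubjectName"
                                storeLocation="CurrentUser"
                                storeName="TrustedPeople"
                                x509FindType="FindBySubjectName" />
            <!-- Never leave certificateValidationMode="None" in production: that
                 accepts any certificate presented in the message security header. -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <customBinding>
      <binding name="Binding1">
        <!-- Message security must come before the encoding and transport elements.
             MutualCertificate: client signs with its private key and encrypts with
             the service's public key; the service does the reverse for the reply.
             Encrypting the signature hides which elements were signed and by whom. -->
        <security authenticationMode="MutualCertificate"
                  messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                  includeTimestamp="true" />
        <textMessageEncoding messageVersion="Soap12" />
        <!-- Transport security, unchanged from the working configuration. -->
        <httpsTransport requireClientCertificate="true" />
      </binding>
    </customBinding>
  </bindings>
</system.serviceModel>
```

Two checks worth doing before shipping this. First, the TLS server certificate is validated by the HTTPS stack when the connection is opened and is entirely separate from the message-level serviceCertificate; the `<authentication>` settings above govern only the latter, so both certificates need to chain to a root the client trusts. Second, `defaultCertificate` is only consulted when the endpoint carries no certificate identity; if the service's WSDL puts an `<identity><certificate encodedValue="..."/></identity>` element in the endpoint, that embedded certificate is the one used for encryption, and a mismatch with the certificate the customer handed over shows up as a signature or decryption fault on the service side rather than as a configuration error on the client.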
