October 2006 - Posts

WS-MTOMPolicy

IBM and Microsoft have published MTOM Serialization Policy Assertion (WS-MTOMPolicy) Version 1.0.

This specification describes a domain-specific policy assertion that indicates endpoint support of the optimized MIME multipart/related serialization of SOAP messages defined in section 3 of the SOAP Message Transmission Optimization Mechanism specification. This policy assertion can be specified within a policy alternative as defined in WS-Policy Framework and attached to a WSDL description as defined in WS-PolicyAttachment.

Posted by gsusx | 2 comment(s)

MSDN WebCast

Thanks to all the folks who attended my MSDN WebCast yesterday, Extending SQL Server Integration Services through custom components. I’ll make the demos available soon.

Posted by gsusx | 1 comment(s)

gSOAP article

Bo Xie (IBM) wrote an interesting article about how to use gSOAP, a Web Services stack optimized for C/C++. I enjoyed reading the article even though I disagree on some topics. I don’t think that C/C++ is always the best option when it comes to building Web Services with a small memory footprint. Proper memory optimization is almost always a design and algorithms decision, and nowadays standards like MTOM and XOP can help to alleviate those challenges. There are also other C++ Web Services platforms that perform really well; Visual C++ .NET and Systinet WASP Server for C++ are just two alternatives to gSOAP when it comes to building C++ Web Services.

Posted by gsusx | 22 comment(s)

WCF Oracle Application Server WS-Security interoperability Part 1: from WCF to Oracle

By Jesus Rodriguez

This article is part of a series intended to explore interesting Web services interoperability scenarios between Microsoft .NET technologies and Oracle Application Server. The first two articles of this series explored interoperability scenarios (WS-Security interoperability and WS-Addressing interoperability) between Oracle Business Process Execution Language (BPEL) Process Manager (PM) and the Microsoft Web Services Enhancements (WSE) and Windows Communication Foundation (WCF) platforms.

The articles that compose this series illustrate techniques, architecture and design strategies for addressing some of the most common Web services interoperability scenarios between Oracle App Server and the Microsoft Web services platforms. In particular, this article focuses on how to implement the Anonymous over Certificate WS-Security scenario between Oracle App Server and Microsoft WCF.

What is WS-Security?

WS-Security is the core OASIS specification for securing SOAP Web services at the message level. It defines how to sign parts of a message for integrity (XML Signature), how to encrypt them for confidentiality (XML Encryption), and how to carry security tokens such as X.509 certificates or username tokens in the SOAP header for authentication.

WS-Security 1.1 was recently approved as an OASIS Standard.

Is there something wrong with SSL?

Message Security vs. Transport Security

Secure Sockets Layer (SSL) has proven its effectiveness in securing resources over the Internet. For Web services, however, SSL needs to be considered alongside WS-Security, because transport security on its own leaves gaps:

  • SSL secures one transport connection between two hosts. Store-and-forward transports such as MSMQ or SMTP persist the message and relay it through intermediaries, so a connection-level channel does not protect the message end to end.
  • SSL was designed for point-to-point communication, which makes it hard to use in routing scenarios between Web services. When a message travels through intermediaries, the final receiver must still be able to validate the original sender's credentials, and SSL cannot provide that because those credentials are not carried inside the message.
  • SSL protects the message only on the wire. Once it is decrypted at the SSL endpoint (the server itself, or a load balancer or reverse proxy in front of it), the whole message is in the clear, so anyone who gains access to that endpoint can read it. Message security keeps the payload encrypted until the application that holds the private key decrypts it.

Anonymous over Certificate scenario

This is one of the most common scenarios for securing interactions between Web services. In Anonymous over Certificate the client does not present a credential of its own (it is anonymous at the message level), while the service is authenticated by its X.509 certificate: the client uses the service's public key to encrypt the key material that protects the message, so only the holder of the service's private key can read it. A good example is an ATM (client) talking to its bank (service): even though a trust relationship exists between the two parties, the interaction between them must still be encrypted and signed, and all of this security has to be implemented at the message level rather than on the transport.

The following section will illustrate how to implement an Anonymous over Certificate scenario with a WCF client consuming an Oracle Application Server Web Service.

The implementation: From WCF to Oracle App Server.

Oracle Web Service

Our target Web service for this example implements a single operation, as shown below.

public class MathWS {

    public MathWS() {
    }

    public int Add(int param1, int param2) {
        return param1 + param2;
    }
}

To implement the Anonymous over Certificate scenario we need to add WS-Security configuration properties to the service, as illustrated in Figure 1.

Figure 1: WS-Security settings dialog in Oracle JDeveloper

After completing the dialog, the WS-Security configuration properties should look like the following.

<oracle-Webservices xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/oracle-Webservices-10_0.xsd">
    Web Service Description elements...
    </Webservice-description>
    <Webservice-description name="MathWS">
        <port-component name="MathWSSoap12HttpPort">
            <runtime enabled="security">
                <security>
                    <key-store name="" store-pass="my password" path="my certificate store..."/>
                    <signature-key key-pass="my password" alias="signature key"/>
                    <encryption-key key-pass="my password" alias="encryption key"/>
                    <inbound>
                        <verify-signature>
                            <signature-methods>
                                <signature-method>DSA-SHA1</signature-method>
                                <signature-method>RSA-MD5</signature-method>
                                <signature-method>RSA-SHA1</signature-method>
                            </signature-methods>
                            <tbs-elements>
                                <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
                            </tbs-elements>
                            <verify-timestamp created="false" expiry="28800"/>
                        </verify-signature>
                        <decrypt>
                            <encryption-methods>
                                <encryption-method>AES-128</encryption-method>
                                <encryption-method>AES-256</encryption-method>
                                <encryption-method>3DES</encryption-method>
                            </encryption-methods>
                            <tbe-elements>
                                <tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
                            </tbe-elements>
                        </decrypt>
                    </inbound>
                    <outbound>
                        <signature>
                            <signature-method>RSA-SHA1</signature-method>
                            <tbs-elements>
                                <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
                            </tbs-elements>
                            <add-timestamp created="false" expiry="28800"/>
                        </signature>
                        <encrypt>
                            <use-request-cert>true</use-request-cert>
                            <encryption-method>3DES</encryption-method>
                            <keytransport-method>RSA-1_5</keytransport-method>
                            <tbe-elements>
                                <tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
                            </tbe-elements>
                        </encrypt>
                    </outbound>
                </security>
            </runtime>
            <operations>
                <operation name="Add" input="{http://wsprj/}AddElement"/>
            </operations>
        </port-component>
    </Webservice-description>
</oracle-Webservices>

The <security> element under <runtime enabled="security"> configures this Web service to accept SOAP requests that are signed and encrypted with certificates: an inbound message must carry a signature over the Body made with one of the listed signature methods and a Body encrypted in CONTENT mode with one of the listed encryption methods, and outbound responses are signed with RSA-SHA1. The certificates behind the signature-key and encryption-key aliases must live in an Oracle compatible key store; see Administering Web Services Security in the Oracle App Server documentation for how to manage them.

A few settings in this dialog-generated configuration deserve a second look before it leaves the lab. The inbound signature-methods list accepts RSA-MD5; MD5 is collision-broken and should simply be removed from the list, and 3DES and the RSA-1_5 key transport are legacy choices next to the AES and RSA-OAEP algorithms WCF uses by default. The verify-timestamp element has created="false" and an expiry of 28800 seconds (8 hours), a far wider replay window than the five-minute validity of the timestamp WCF puts in its requests; tightening it to a few minutes and verifying Created costs nothing on the WCF side. Finally, the tbs-element and tbe-element entries name the SOAP 1.1 envelope namespace while the port is a SOAP 1.2 port and WCF's wsHttpBinding sends SOAP 1.2 envelopes; confirm with your Oracle version that the Body is matched as intended.
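As an added illustration (not code from the article or from Oracle), the following Python script parses a copy of the <security> element above and flags the settings just discussed: MD5 and SHA-1 signature methods, 3DES, RSA-1_5 key transport, an unchecked or overly long timestamp window, and key-store passwords written in the clear. The XML it reads is a trimmed copy of the configuration above with the same placeholder values; the 300-second threshold for the timestamp window and reading the expiry attribute as seconds are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the <security> element from the configuration above,
# trimmed to the parts the checks look at. Password values are the same
# placeholders the article uses.
SAMPLE_CONFIG = """<security>
  <key-store name="" store-pass="my password" path="my certificate store..."/>
  <signature-key key-pass="my password" alias="signature key"/>
  <encryption-key key-pass="my password" alias="encryption key"/>
  <inbound>
    <verify-signature>
      <signature-methods>
        <signature-method>DSA-SHA1</signature-method>
        <signature-method>RSA-MD5</signature-method>
        <signature-method>RSA-SHA1</signature-method>
      </signature-methods>
      <verify-timestamp created="false" expiry="28800"/>
    </verify-signature>
    <decrypt>
      <encryption-methods>
        <encryption-method>AES-128</encryption-method>
        <encryption-method>AES-256</encryption-method>
        <encryption-method>3DES</encryption-method>
      </encryption-methods>
    </decrypt>
  </inbound>
  <outbound>
    <signature>
      <signature-method>RSA-SHA1</signature-method>
      <add-timestamp created="false" expiry="28800"/>
    </signature>
    <encrypt>
      <encryption-method>3DES</encryption-method>
      <keytransport-method>RSA-1_5</keytransport-method>
    </encrypt>
  </outbound>
</security>"""

# Assumed policy threshold: WCF's own request timestamps are valid for 5 minutes.
MAX_TIMESTAMP_WINDOW_SECONDS = 300


def _text(el):
    return (el.text or "").strip().upper()


def lint_security_config(xml_text):
    """Return (code, message) findings for weak or risky settings in an
    Oracle <security> element. Inbound and outbound sections are both checked."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("signature-method"):
        method = _text(el)
        if "MD5" in method:
            findings.append(("md5-signature", f"{method}: MD5 is collision-broken, remove it"))
        elif "SHA1" in method:
            findings.append(("sha1-signature", f"{method}: SHA-1 is legacy, prefer a SHA-2 method"))
    for el in root.iter("encryption-method"):
        if _text(el) == "3DES":
            findings.append(("3des", "3DES: 64-bit block cipher, prefer AES-128 or AES-256"))
    for el in root.iter("keytransport-method"):
        if _text(el) == "RSA-1_5":
            findings.append(("rsa15-keytransport", "RSA-1_5: PKCS#1 v1.5 padding, prefer RSA-OAEP"))
    for el in root.iter("verify-timestamp"):
        if el.get("created", "true").lower() == "false":
            findings.append(("timestamp-created-unchecked",
                             "verify-timestamp created=false: the Created element is not validated"))
        # expiry is read as seconds (assumption; 28800 = 8 hours)
        expiry = int(el.get("expiry", "0"))
        if expiry > MAX_TIMESTAMP_WINDOW_SECONDS:
            findings.append(("timestamp-window",
                             f"verify-timestamp expiry={expiry}s: replay window of {expiry / 3600:g} hours, tighten it"))
    for tag, attr in (("key-store", "store-pass"), ("signature-key", "key-pass"), ("encryption-key", "key-pass")):
        for el in root.iter(tag):
            if el.get(attr):
                findings.append(("plaintext-password",
                                 f"<{tag} {attr}=...>: secret stored in the clear in the deployment descriptor"))
    return findings


if __name__ == "__main__":
    for code, message in lint_security_config(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```

Run against the sample it reports the one RSA-MD5 entry, the three SHA-1 methods (inbound and outbound), both 3DES entries, the RSA-1_5 key transport, the two timestamp findings and the three plaintext passwords; point it at the real oracle-webservices.xml of a deployment to get the same list for that service.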

That is all that is required to implement the Anonymous over Certificate security pattern on the Oracle Application Server side. Now it is time to create a client that consumes this Web service.

WCF client

The first step required to consume the Web service described in the previous section from WCF is to generate the Web service proxy, either by adding a Service Reference to the client project or with the Service Metadata tool (SvcUtil.exe). The certificates used for signing and encryption also have to be imported into the Windows certificate store, since the client configuration locates the service certificate there.

To implement the Anonymous over Certificate scenario the client binding needs message security settings. The client is anonymous, so clientCredentialType is set to None. Oracle App Server does not implement WS-Trust or WS-SecureConversation, so negotiateServiceCredential (which would obtain the service credential through a WS-Trust negotiation) and establishSecurityContext (which would open a WS-SecureConversation session) must both be set to false; the client then encrypts directly to the service certificate named in the endpoint behavior. The algorithm suite is Basic256 (AES-256, RSA-OAEP key wrap, SHA-1 digests), and the service certificate is located by subject name. One caveat on that lookup: placing a leaf certificate in the LocalMachine Root store makes it a trusted root for the whole machine; for a self-signed service certificate the TrustedPeople store together with certificateValidationMode="PeerTrust" under <serviceCertificate><authentication> is the narrower choice. The following configuration file illustrates those concepts.

 

<configuration>
  <system.serviceModel>
    <client>
      <endpoint name="Username"
                address="Oracle WS Url…"
                binding="wsHttpBinding"
                bindingConfiguration="Binding1"
                behaviorConfiguration="ClientCertificateBehavior"
                contract="MathWebService">
      </endpoint>
    </client>
    <bindings>
      <wsHttpBinding>
        <binding name="Binding1">
          <security mode="Message">
            <message clientCredentialType="None" algorithmSuite="Basic256"
                     negotiateServiceCredential="false" establishSecurityContext="false" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCertificateBehavior">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate storeLocation="LocalMachine" storeName="Root"
                                  findValue="my certificate…" x509FindType="FindBySubjectName" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

The following code shows how to invoke the target Web service from the WCF client application.

MathWebServiceClient proxy = new MathWebServiceClient();
AddRequest request = new AddRequest();
request.param1 = 34;
request.param2 = 45;
int result = proxy.Add(request);

When this client code runs it produces the WS-Security request below. Reading the <o:Security> header from the top: a <u:Timestamp> that is valid for five minutes; an <e:EncryptedKey> carrying a fresh symmetric key, encrypted with the service's public key under RSA-OAEP and pointing at the service certificate by its SHA-1 thumbprint (the <o:KeyIdentifier>); two <c:DerivedKeyToken> elements whose keys are derived from that symmetric key and a per-token nonce, the first with an explicit Length of 24 bytes (the 192-bit signature key of the Basic256 suite, and the only token not referenced in the clear) and the second with the default length (the AES-256 encryption key that both <e:EncryptedData> elements reference); an <e:ReferenceList> naming the two encrypted parts; and an <e:EncryptedData> of Type Element (_8), which is the encrypted <Signature>, since WCF signs before encrypting and encrypts the signature as well by default. The Body (_3) is encrypted in Content mode with AES-256-CBC, which corresponds to the tbe-element mode="CONTENT" in the Oracle configuration. No client token appears anywhere in the header: the request is anonymous at the message level, and only the service is authenticated, by being the sole holder of the private key that can unwrap the <e:EncryptedKey>.

 

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_4">http://wsprj//Add</a:Action>
    <a:MessageID u:Id="_5">urn:uuid:da788d69-7b2f-4da0-b4a2-462aa3e27034</a:MessageID>
    <a:ReplyTo u:Id="_6">
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1" u:Id="_7">Web Service Url…</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-2">
        <u:Created>2006-10-14T00:45:56.125Z</u:Created>
        <u:Expires>2006-10-14T00:50:56.125Z</u:Expires>
      </u:Timestamp>
      <e:EncryptedKey Id="uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
        </e:EncryptionMethod>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference>
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yn+OeSsl5gFf7Kcu6sCJdE6NQSA=</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>Encrypted Data...</e:CipherValue>
        </e:CipherData>
      </e:EncryptedKey>
      <c:DerivedKeyToken u:Id="_0" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-1"/>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>24</c:Length>
        <c:Nonce>yx51fwZgkyMOiJx6oi1Syg==</c:Nonce>
      </c:DerivedKeyToken>
      <c:DerivedKeyToken u:Id="_1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-1"/>
        </o:SecurityTokenReference>
        <c:Nonce>tlSDkdNGRsMliLbV+Lgcuw==</c:Nonce>
      </c:DerivedKeyToken>
      <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:DataReference URI="#_3"/>
        <e:DataReference URI="#_8"/>
      </e:ReferenceList>
      <e:EncryptedData Id="_8" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference>
            <o:Reference URI="#_1"/>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>Encrypted data....</e:CipherValue>
        </e:CipherData>
      </e:EncryptedData>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_2">
    <e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:Reference URI="#_1"/>
        </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
        <e:CipherValue>Encrypted data...</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>
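The two <c:DerivedKeyToken> elements above carry no key material of their own; each side recomputes the key from the secret wrapped inside <e:EncryptedKey>, the token's nonce and its offset and length, using the P_SHA1 function that WS-SecureConversation borrows from TLS. The Python below is an added example that is not part of the article or of the WCF or Oracle stacks: it parses a constructed copy of those two tokens and derives both keys. It assumes the specification's default label "WS-SecureConversation" (neither token sets <c:Label>), the default length of 32 bytes for the token without <c:Length>, and a constructed 32-byte secret standing in for the real decrypted EncryptedKey value.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# WS-SecureConversation defaults, assumed here because neither token in the
# trace carries <c:Label>, and the second one carries no <c:Length> either.
DEFAULT_LABEL = b"WS-SecureConversation"
DEFAULT_LENGTH = 32

# Constructed fragment: the two DerivedKeyToken elements from the request above,
# with the EncryptedKey reference shortened to "#ek".
SECURITY_HEADER = f"""<o:Security xmlns:o="{WSSE}" xmlns:u="{WSU}" xmlns:c="{WSC}">
  <c:DerivedKeyToken u:Id="_0">
    <o:SecurityTokenReference><o:Reference URI="#ek"/></o:SecurityTokenReference>
    <c:Offset>0</c:Offset>
    <c:Length>24</c:Length>
    <c:Nonce>yx51fwZgkyMOiJx6oi1Syg==</c:Nonce>
  </c:DerivedKeyToken>
  <c:DerivedKeyToken u:Id="_1">
    <o:SecurityTokenReference><o:Reference URI="#ek"/></o:SecurityTokenReference>
    <c:Nonce>tlSDkdNGRsMliLbV+Lgcuw==</c:Nonce>
  </c:DerivedKeyToken>
</o:Security>"""


def p_sha1(secret: bytes, seed: bytes, nbytes: int) -> bytes:
    """P_SHA1 expansion as in TLS 1.0/1.1 (RFC 2246) and WS-SecureConversation:
    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1)),
    output = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:nbytes]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0,
               length: int = DEFAULT_LENGTH, label: bytes = DEFAULT_LABEL) -> bytes:
    """Derived key = bytes [offset, offset + length) of P_SHA1(secret, label + nonce)."""
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def parse_derived_key_tokens(xml_text: str) -> dict:
    """Map each DerivedKeyToken's wsu:Id to its offset, length and decoded nonce."""
    tokens = {}
    for tok in ET.fromstring(xml_text).iter(f"{{{WSC}}}DerivedKeyToken"):
        def child_text(local_name, default):
            el = tok.find(f"{{{WSC}}}{local_name}")
            return el.text.strip() if el is not None and el.text else default
        tokens[tok.get(f"{{{WSU}}}Id")] = {
            "offset": int(child_text("Offset", "0")),
            "length": int(child_text("Length", str(DEFAULT_LENGTH))),
            "nonce": base64.b64decode(child_text("Nonce", "")),
        }
    return tokens


def derive_all(secret: bytes, xml_text: str) -> dict:
    """Derive every per-message key referenced by the Security header."""
    return {tid: derive_key(secret, t["nonce"], t["offset"], t["length"])
            for tid, t in parse_derived_key_tokens(xml_text).items()}


if __name__ == "__main__":
    # Constructed stand-in for the decrypted <e:EncryptedKey> content; a real
    # receiver obtains it by RSA-OAEP-decrypting CipherValue with the service key.
    secret = bytes(range(32))
    for tid, key in derive_all(secret, SECURITY_HEADER).items():
        print(f"{tid}: {len(key)}-byte key {key.hex()}")
```

The 24-byte key (_0) is the 192-bit signature key of the Basic256 suite and the 32-byte key (_1) is the AES-256 key that both EncryptedData elements reference. Because the nonce is part of the seed, a receiver that sees the same wrapped secret twice still gets different per-message keys, which is the point of the construction; it also means the secret inside EncryptedKey, not the derived keys, is what a captured private key exposes.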

   

Conclusions

This article explained the techniques used to implement the Anonymous over Certificate WS-Security scenario between WCF and Oracle Application Server. Specifically, it covered how to invoke an Oracle Application Server Web Service that implements Anonymous over Certificate from WCF. The second part of this article will address this scenario from Oracle Application Server to WCF.

BPI&SOA conference slides

The slides of my session at the BPI & SOA conference are now available at AdapterWorx. The session explored architecture principles and challenges in designing integration solutions that involve Software as a Service (SaaS) interactions.

Posted by gsusx | with no comments

SonicMQ adapter

Thanks to Benny, Joel and the team, the documentation of the SonicMQ adapter for BizTalk Server 2006 is now available at AdapterWorx. The trial version of the adapter is also available. Go ahead, try it, create some cool demos and provide feedback.

Posted by gsusx | with no comments

WS-Notification

WS-Notification v 1.3 is now an OASIS Standard.

Posted by gsusx | with no comments

Apex

It’s undeniable that a lot of innovation is happening around Software as a Service (SaaS). I’ve seen a lot of creative ideas coming from players in the SaaS space. This week at DreamForce, SalesForce.com announced Apex, which intends to be the programming language for creating applications on AppExchange. The syntax behind Apex is a combination of a Java-based procedural language and a SOQL-based query language. Conceptually it is similar to DLINQ, but much more constrained feature-wise.

Posted by gsusx | with no comments

BPM&SaaS session

Thanks to all the folks who attended my session yesterday at the BPM&SOA conference. I’ll publish the presentation and some comments about the architecture principles in the next few days.
Posted by gsusx | with no comments