WCF Oracle Application Server WS-Security interoperability Part1: from WCF to Oracle

By Jesus Rodriguez

This article is part of a series intended to explore interesting Web services interoperability scenarios between Microsoft .NET technologies and Oracle Application Server. The first two articles of this series explored interoperability scenarios  (WS-Security interoperability and WS-Addressing interoperability) between Oracle Business Process Execution Language (BPEL) Process Manager (PM) and Microsoft Web Services Enhancements (WSE) and Windows Communication Foundation (WCF) platforms.

The articles that compose this series are intended to illustrate techniques, architecture and design strategies in order to address some of the most common scenarios in Web services interoperability between Oracle App Server and Microsoft Web Services platforms. Particularly, this article is focused on how to implement the Anonymous over Certificate WS-Security scenario between Oracle App Server and Microsoft WCF.

What is WS-Security?

WS-Security is the main specification to enable security in Web services. It addresses scenarios like message integrity, authentication and message confidentiality.

WS-Security 1.1 was recently approved as an OASIS Standard.

Is there something wrong with SSL?

Message Security vs. Transport Security

Secure Sockets Layer (SSL) has proven its effectiveness in securing resources through the Internet. When dealing with Web services however, SSL must be considered in conjunction with WS-Security to provide a truly secure environment.

  • SSL is strictly tied to TCP-based transports like HTTP; for Web services that are using non-TCP transports such as MSMQ or SMTP, SSL does not represent a viable option.
  • SSL was designed for point-to-point communications; making it difficult to implement in a routing scenario between Web services. In a routing scenario, the final receiver must be able to validate the original credentials.  Extensibility using SSL becomes difficult to provide when those credentials are not stored in the message.
  • SSL protects the messages on the wire (between the endpoints) but does not provide protection for the message on the endpoints; allowing access to the whole message upon gaining access to one of the endpoints.

Anonymous over Certificate scenario

This is one of the most common scenarios when it comes to secure interactions between Web services. Basically, Anonymous over Certificate represents a case in which the Web service and the client trust each other. A good example could be an ATM machine (client) and the Bank (service). Even though trust relationships exists between the client and the service, it is still required that the interaction between them be encrypted and/or signed.     In addition, all security must be implemented using a message-based security approach.

The following section will illustrate how to implement an Anonymous over Certificate scenario with a WCF client consuming an Oracle Application Server Web Service.

The implementation: From WCF to Oracle App Server.

Oracle Web Service

Our target Web service for this example implements a single operation as shown in the following figure.

public class MathWS {

                    public MathWS() {

                    }

                   

                    public int Add(int param1, int param2)

                    {

                              return param1 + param2;

                    }

}

 In order to implement Anonymous over Certificate scenario we need to add

WS-Security configuration properties as is illustrated in the following figure.

 

Figure 1: WS-Security settings dialog in Oracle JDeveloper

After completing the dialog, the WS-Security configuration properties should look like the following.

<oracle-Webservices xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/oracle-Webservices-10_0.xsd">
    Web Service Description elements...
    </Webservice-description>
    <Webservice-description name="MathWS">
        <port-component name="MathWSSoap12HttpPort">
            <runtime enabled="security">
                <security>
                    <key-store name="" store-pass="my password" path="my certificate store..."/>
                    <signature-key key-pass="my password" alias="signature key"/>
                    <encryption-key key-pass="my password" alias="encryption key"/>
                    <inbound>
                        <verify-signature>
                            <signature-methods>
                                <signature-method>DSA-SHA1</signature-method>
                                <signature-method>RSA-MD5</signature-method>
                                <signature-method>RSA-SHA1</signature-method>
                            </signature-methods>
                            <tbs-elements>
                                <tbs-element local-part="Body"
                                             name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
                            </tbs-elements>
                            <verify-timestamp created="false" expiry="28800"/>
                        </verify-signature>
                        <decrypt>
                            <encryption-methods>
                                <encryption-method>AES-128</encryption-method>
                                <encryption-method>AES-256</encryption-method>
                                <encryption-method>3DES</encryption-method>
                            </encryption-methods>
                            <tbe-elements>
                                <tbe-element local-part="Body"
                                             name-space="http://schemas.xmlsoap.org/soap/envelope/"
                                             mode="CONTENT"/>
                            </tbe-elements>
                        </decrypt>
                    </inbound>
                    <outbound>
                        <signature>
                            <signature-method>RSA-SHA1</signature-method>
                            <tbs-elements>
                                <tbs-element local-part="Body"
                                             name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
                            </tbs-elements>
                            <add-timestamp created="false" expiry="28800"/>
                        </signature>
                        <encrypt>
                            <use-request-cert>true</use-request-cert>
                            <encryption-method>3DES</encryption-method>
                            <keytransport-method>RSA-1_5</keytransport-method>
                            <tbe-elements>
                                <tbe-element local-part="Body"
                                             name-space="http://schemas.xmlsoap.org/soap/envelope/"
                                             mode="CONTENT"/>
                            </tbe-elements>
                        </encrypt>
                    </outbound>
                </security>
            </runtime>
            <operations>
                <operation name="Add" input="{http://wsprj/}AddElement"/>
            </operations>
        </port-component>
    </Webservice-description>
</oracle-Webservices>

As you can see in the highlighted section, this Web service is configured to accept encrypted and signed SOAP messages using certificates. The certificates used in this procedure should be stored in an Oracle compatible certificate store. To find out more information about managing Oracle certificate stores, read Administering Web Services Security in the Oracle App Server documentation.

Those are all the steps required to implement the Anonymous over Certificate security pattern in Oracle Application Server. Now it is time to create a client that consumes this Web service.

WCF client

The fist step required to consume the Web service explained in the previous section using WCF is to generate the Web service proxy. This can either be done by adding a Service Reference to the client project or using the Service Metadata tool (SvcUtil.exe). Another required step is importing the required certificates used for signing and encryption in the Windows certificate store.

In order to implement Anonymous over Certificate scenario the client binding needs to include message security settings. Client authentication is not required so that the clientCredentialType setting must be set to None. Given that Oracle App Server does not implement WS-Trust; key exchange settings needs to be disabled. The following configuration file illustrates those concepts.

 

<configuration>

      <system.serviceModel>

 

            <client>

                  <endpoint name="Username"

                                            address="Oracle WS Url…"

                                            binding="wsHttpBinding"

                                            bindingConfiguration="Binding1"

                                            behaviorConfiguration="ClientCertificateBehavior"

                                            contract="MathWebService">

                       

                  </endpoint>

            </client>

 

            <bindings>

                  <wsHttpBinding>

                        <binding name="Binding1">

                              <security mode="Message">

                                    <message clientCredentialType="None" algorithmSuite="Basic256" negotiateServiceCredential="false" establishSecurityContext="false"  />

                              </security>

                        </binding>

 

                  </wsHttpBinding>

            </bindings>

            <behaviors>

                  <endpointBehaviors>

                        <behavior name="ClientCertificateBehavior">

                              <clientCredentials>

                                    <serviceCertificate>

                                          <defaultCertificate storeLocation="LocalMachine" storeName="Root" findValue="my certificaste…" x509FindType="FindBySubjectName" />

                                    </serviceCertificate>

                              </clientCredentials>

                        </behavior>

                  </endpointBehaviors>

            </behaviors>

      </system.serviceModel>

</configuration>

The following code shows how to invoke the target Web service from the WCF client application.

MathWebServiceClient proxy = new MathWebServiceClient();

AddRequest request = new AddRequest();

request.param1 = 34;

request.param2 = 45;

int result= proxy.Add(request);

When this client code runs it produces the following WS-Security request.

 

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

      <s:Header>

            <a:Action s:mustUnderstand="1" u:Id="_4">http://wsprj//Add</a:Action>

            <a:MessageID u:Id="_5">urn:uuid:da788d69-7b2f-4da0-b4a2-462aa3e27034</a:MessageID>

            <a:ReplyTo u:Id="_6">

                  <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>

            </a:ReplyTo>

            <a:To s:mustUnderstand="1" u:Id="_7">Web Service Url…</a:To>

            <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

                  <u:Timestamp u:Id="uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-2">

                        <u:Created>2006-10-14T00:45:56.125Z</u:Created>

                        <u:Expires>2006-10-14T00:50:56.125Z</u:Expires>

                  </u:Timestamp>

                  <e:EncryptedKey Id="uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">

                        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

                              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>

                        </e:EncryptionMethod>

                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

                              <o:SecurityTokenReference>

                                    <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yn+OeSsl5gFf7Kcu6sCJdE6NQSA=</o:KeyIdentifier>

                              </o:SecurityTokenReference>

                        </KeyInfo>

                        <e:CipherData>

      <e:CipherValue>Encrypted Data...</e:CipherValue>

                        </e:CipherData>

                  </e:EncryptedKey>

                  <c:DerivedKeyToken u:Id="_0" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">

                        <o:SecurityTokenReference>

                              <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-1"/>

                        </o:SecurityTokenReference>

                        <c:Offset>0</c:Offset>

                        <c:Length>24</c:Length>

                        <c:Nonce>yx51fwZgkyMOiJx6oi1Syg==</c:Nonce>

                  </c:DerivedKeyToken>

                  <c:DerivedKeyToken u:Id="_1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">

                        <o:SecurityTokenReference>

                              <o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-9f1b2072-3a2f-42ab-b13a-042a910d2c46-1"/>

                        </o:SecurityTokenReference>

                        <c:Nonce>tlSDkdNGRsMliLbV+Lgcuw==</c:Nonce>

                  </c:DerivedKeyToken>

                  <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">

                        <e:DataReference URI="#_3"/>

                        <e:DataReference URI="#_8"/>

                  </e:ReferenceList>

                  <e:EncryptedData Id="_8" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">

                        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>

                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

                              <o:SecurityTokenReference>

                                    <o:Reference URI="#_1"/>

                              </o:SecurityTokenReference>

                        </KeyInfo>

                        <e:CipherData>

                              <e:CipherValue>Encrypted data....</e:CipherValue>

                        </e:CipherData>

                  </e:EncryptedData>

            </o:Security>

      </s:Header>

      <s:Body u:Id="_2">

            <e:EncryptedData Id="_3" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">

                  <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>

                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

                        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

                              <o:Reference URI="#_1"/>

                        </o:SecurityTokenReference>

                  </KeyInfo>

                  <e:CipherData>

                        <e:CipherValue>Encrypted data...</e:CipherValue>

                  </e:CipherData>

            </e:EncryptedData>

      </s:Body>

</s:Envelope>

   

Conclusions

This article explained the techniques used to implement the Anonymous over Certificate WS-Security scenario between WCF and Oracle Application Server. Specifically, it covered how to invoke an Oracle Application Server Web Service that implements Anonymous over Certificate from WCF. The second part of this article will address this scenario from Oracle Application Server to WCF.

2 Comments

Comments have been disabled for this content.