Achieving Web services interoperability between the WebSphere Web Services Feature Pack and Windows Communication Foundation, Part 2: Configure and test WS-Security

Charles Le Vay, Senior Software Engineer, Web Services Interoperability Architect, WebSphere Application Server Feature Pack for Web Services, IBM, Research Triangle Park, NC

Salim Zeitouni, Advisory Software Engineer, Web Services Interoperability Development, IBM, Research Triangle Park, NC

December, 2007. Updated 4/03/2008

© Copyright International Business Machines Corporation 2007. All rights reserved.

This article series describes how to use the IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services Service Endpoint Interface (SEI) samples to demonstrate interoperability with Microsoft Windows™ Communication Foundation. It provides step-by-step configurations that show what is necessary for basic SOAP message security interoperability.

The series is intended for Web services developers and architects who plan to develop Web services across these platforms. You should have a basic understanding of Java™ programming, Web services development, WSDL and SOAP.

Introduction
Scenario overview
Get started
    Import certificates and custom keystores into Application Server
    Import certificates into Windows XP certificate store
Create a custom policy set for the EchoService
Attach the custom policy set and custom binding to EchoService
Configure the custom binding for EchoService
    Configure EchoService request signature consumer security bindings
    Configure the EchoService request encryption consumer security bindings
    Configure the EchoService response signature generator security bindings
    Configure the EchoService response encryption generator security bindings
    Configure EchoService service timestamp to expire in 5 minutes
Attach the custom policy set and custom binding to the EchoService client
    Assign the policy set to the EchoService client
    Assign the custom binding to the EchoService client
Configure the custom binding for the EchoService client
    Configure the EchoService client response signature consumer security bindings
    Configure the EchoService client response encryption consumer security bindings
    Configure the EchoService client request signature generator security bindings
    Configure the EchoService client request encryption generator security bindings
    Configure the EchoService client timestamp to expire in five minutes
Test the EchoService
    Start the SEI samples demo user interface
    Test the EchoService client and service
Configure the WCF client customBinding
    Configure the WCF service customBinding
Test the WCF samples
    Start the WCF services
    Run the WCF client
Test interoperability between WebSphere and WCF
    Test the WCF client to WebSphere service
    Test the WebSphere client to WCF service
Summary
Acknowledgments
Resources
    Specifications
    WSFP and developerWorks
    Windows Communication Foundation
About the authors

    Introduction

The WebSphere Application Server Version 6.1 Feature Pack for Web Services (hereafter called WSFP) includes a set of Java API for XML-Based Web Services (JAX-WS) samples that demonstrate simple message exchange patterns (MEPs) using both a synchronous and an asynchronous programming model. The samples support SOAP 1.1 and SOAP 1.2. By composing these MEP samples with Web services standards such as WS-Addressing (WS-A), WS-Security, WS-Reliable Messaging (WS-RM), and WS-Secure Conversation (WS-SC), you can perform a broad range of interoperability tests. The samples demonstrate the use of JavaBean artifacts, static service endpoints and proxy-based clients.

The purpose of this series of articles is to highlight protocol-level interoperability between the WSFP and Windows Communication Foundation 3.0 (WCF) implementations. The articles explain the protocol-level interoperability configurations used during WSFP interoperability testing. The key to protocol-level interoperability between the WSFP and WCF is first to understand the MEP that is used, and second to configure the correct composition of Web service standards using policy sets and WCF bindings.

This article focuses on:
• Configuring a custom WebSphere WS-Security policy set and binding
• Configuring WS-Security in a WCF customBinding
• Testing WS-Security interoperability between WebSphere and WCF

    Future articles in the series will focus on topics such as interoperability between the WSFP and WCF using WS-Secure Conversation, WS-Reliable Messaging and the composition of WS-Reliable Messaging with WS-Secure Conversation. These future articles will incorporate the test scenarios and MEPs described in Achieving Web services interoperability between the WebSphere Web Services Feature Pack and Windows Communication Foundation, Part 1, but will focus exclusively on the configurations for interoperability.

    Scenario overview

    The WS-Security 1.0 specification provides a technical foundation for implementing security functions such as integrity and confidentiality at the SOAP message level. This article focuses on how to define a WS-Security configuration that can interoperate with Microsoft WCF. First we’ll define the WebSphere custom policy set and custom binding using the WSFP policy set administration, and then we’ll define an interoperable customBinding for WCF using the svcconfigeditor. Finally, we’ll use the SEI samples and the provided WCF samples to test the WS-Security configurations and demonstrate interoperability.

    The scenario calls for all outbound SOAP messages to be signed and encrypted. More specifically, the client and the service will sign the timestamp and the body of the SOAP message and then encrypt the body of the SOAP message prior to sending it. The client and service outbound SOAP messages will also include a timestamp expiration of five minutes.

This scenario uses the provided certificates for both the WebSphere and Microsoft implementations. The certificates follow the typical "Bob and Alice" structure used in many security scenarios. In this scenario, Bob is associated with the service and Alice is associated with the client.

    Get started

To run this example, you need to do the following on a Windows XP system:

1. Install WebSphere Application Server V6.1 (hereafter called Application Server).

2. Install the latest WebSphere Update Installer.

3. Install WebSphere Application Server V6.1 Feature Pack for Web Services, including the SEI samples. The samples are located in the <WAS_HOME>/samples/lib/WebServicesSamples directory, where <WAS_HOME> is your WebSphere installation directory. Install the EAR files (WSSampleClientSei.ear and WSSampleServicesSei.ear) using either the Integrated Solutions Console or the installapps.cmd script. You'll find installation instructions for both methods in the WSFP_README.txt file located in the samples directory.

4. Install the latest fix packs for WebSphere Application Server V6.1 and the Feature Pack for Web Services. Fix pack 6.1.0.13 or greater is required for this scenario.

5. Install Microsoft .NET Framework 3.0.

6. Install the Microsoft Windows SDK. The SDK contains the Service Configuration Editor (svcconfigeditor), which we'll use to edit the client and service customBindings so that we don't have to edit them by hand.

7. Download and uncompress the WCF samples for this article. The WCFSecure folder contains four folders: WCFClient, WCFService, wsdls, and mySysKeys.

WCFClient contains:
• WSWindowsClient executable – The compiled WCF Web services client.
• WSWindowClient.exe.config – The customBinding file for the WSWindowsClient.
• WSWindowsClient.cs – The C# source for the client, included to show the code used in the WSWindowsClient.

WCFService contains:
• WSWindowsService executable – The compiled WCF Web service.
• WSWindowService.exe.config – The customBinding file for the WSWindowsService.
• WSWindowsService.cs – The C# source for the service, included to show the code used in the WSWindowsService.

wsdls contains Ping.wsdl, Echo.wsdl, Ping12.wsdl, and Echo12.wsdl, from which both the service and the client for the WSFP SEI and WCF samples are generated.

mySysKeys.zip contains:
• sender.jks – JKS keystore holding the client credentials (Alice's private key and certificate, plus Bob's certificate)
• receiver.jks – JKS keystore holding the service credentials (Bob's private key and certificate, plus Alice's certificate)
• alice-key.p12 – Alice's private key and certificate in PKCS#12 form (protected with the password sampleapp)
• alice-cert.der – Alice's certificate
• bob-key.p12 – Bob's private key and certificate in PKCS#12 form (protected with the password sampleapp)
• bob-cert.der – Bob's certificate
• myca – the certificate authority that issued both certificates

Note that the *-key.p12 files carry private keys, not public keys: they are what the MMC import below places in the Personal stores, and they must be handled accordingly.

    Import certificates and custom keystores into Application Server

    This example uses the self-generated keystores and certificates. These sample keystores are for testing purposes only; do not use these keystores in a production environment. To import the certificates and keystores into Application Server, do the following:

1. Create the directory <WAS_HOME>\etc\wssecurity\mySysKeys\, where <WAS_HOME> is the location of your WebSphere installation. For example: C:\Program Files\IBM\WebSphere\AppServer

2. Unzip mySysKeys.zip to a temporary directory.

3. Copy sender.jks and receiver.jks to the <WAS_HOME>\etc\wssecurity\mySysKeys\ directory. The two keystores have the following properties:

<WAS_HOME>\etc\wssecurity\mySysKeys\sender.jks
  o Keystore format: JKS
  o Keystore password: sampleapp
  o Personal certificate alias: alice, key password sampleapp, certificate authority myca
  o Public certificate alias: bob, certificate authority myca

<WAS_HOME>\etc\wssecurity\mySysKeys\receiver.jks
  o Keystore format: JKS
  o Keystore password: sampleapp
  o Personal certificate alias: bob, key password sampleapp, certificate authority myca
  o Public certificate alias: alice, certificate authority myca

The keystore paths, alias names and both passwords are typed verbatim into the binding panels later, so confirm them first (for example with keytool -list -v -keystore sender.jks); a mistyped alias surfaces only as a runtime failure when the first message is processed.
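As an added check that is not part of the article (nor IBM's code), the following Python script reads a JKS file directly: it verifies the store password against the keystore's SHA-1 integrity digest and lists each alias with its entry type, so the alias, path and password you are about to type into the binding panels can be confirmed before you start. It builds a stand-in for sender.jks in memory with placeholder certificate bytes (the certificates are never decoded); to use it on the real files, pass the bytes of sender.jks or receiver.jks to read_jks with the password sampleapp.

```python
"""Stdlib-only JKS reader: verify the store password and list aliases.

The keystore below is constructed in memory (it is not the article's
sender.jks); its certificate bytes are placeholders and are never decoded.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed salt used by Java's JavaKeyStore


def _utf(s):
    """Java writeUTF(): 2-byte big-endian length followed by the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _integrity_digest(password, data):
    # SHA-1(password as UTF-16BE || salt || every byte that precedes the digest)
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + data).digest()


def build_jks(password, entries):
    """Serialize a list of (alias, kind, cert_bytes_list, encrypted_key) to JKS v2 bytes."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(entries)))
    for alias, kind, certs, encrypted_key in entries:
        out += struct.pack(">I", kind) + _utf(alias) + struct.pack(">Q", 0)  # creation time (ms)
        if kind == PRIVATE_KEY_ENTRY:
            out += struct.pack(">I", len(encrypted_key)) + encrypted_key
            out += struct.pack(">I", len(certs))
        for cert in certs:
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return bytes(out) + _integrity_digest(password, bytes(out))


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def utf(self):
        return self.take(self.unpack(">H")).decode("utf-8")

    def cert(self):
        cert_type = self.utf()                      # "X.509"
        return cert_type, self.take(self.unpack(">I"))


def read_jks(data, password):
    """Parse a JKS file into {alias: {"type": ..., "certs": n}}.

    Raises ValueError for a non-JKS file, an unknown entry tag, a truncated
    file, or a wrong store password (integrity digest mismatch)."""
    r = _Reader(data)
    magic, version, count = r.unpack(">III")
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS version 2 keystore (magic=%#x, version=%d)" % (magic, version))
    entries = {}
    for _ in range(count):
        kind = r.unpack(">I")
        alias = r.utf()
        r.unpack(">Q")                              # creation timestamp, ignored
        if kind == PRIVATE_KEY_ENTRY:
            r.take(r.unpack(">I"))                  # encrypted PKCS#8 key; needs the key password, skipped
            chain = [r.cert() for _ in range(r.unpack(">I"))]
            entries[alias] = {"type": "PrivateKeyEntry", "certs": len(chain)}
        elif kind == TRUSTED_CERT_ENTRY:
            r.cert()
            entries[alias] = {"type": "trustedCertEntry", "certs": 1}
        else:
            raise ValueError("unknown entry tag %d for alias %r" % (kind, alias))
    body, stored = data[:r.pos], r.take(20)
    if stored != _integrity_digest(password, body):
        raise ValueError("integrity check failed: wrong keystore password or modified file")
    return entries


def verify_password(data, password):
    """True when the store password reproduces the integrity digest."""
    try:
        read_jks(data, password)
        return True
    except ValueError:
        return False


def check_layout(entries, personal_alias, trusted_alias):
    """Problems (empty when fine) against what the binding panels expect:
    a PrivateKeyEntry for the personal alias and a trustedCertEntry for the peer."""
    problems = []
    if entries.get(personal_alias, {}).get("type") != "PrivateKeyEntry":
        problems.append("alias %r is not a PrivateKeyEntry" % personal_alias)
    if entries.get(trusted_alias, {}).get("type") != "trustedCertEntry":
        problems.append("alias %r is not a trustedCertEntry" % trusted_alias)
    return problems


# Constructed stand-in for sender.jks: alice's key with chain (alice-cert, myca), bob's certificate.
SAMPLE_STORE = build_jks("sampleapp", [
    ("alice", PRIVATE_KEY_ENTRY, [b"<placeholder alice-cert DER>", b"<placeholder myca DER>"],
     b"<placeholder encrypted PKCS#8 key>"),
    ("bob", TRUSTED_CERT_ENTRY, [b"<placeholder bob-cert DER>"], None),
])

if __name__ == "__main__":
    listing = read_jks(SAMPLE_STORE, "sampleapp")
    for alias, info in listing.items():
        print(alias, info)
    print("layout problems:", check_layout(listing, "alice", "bob"))
```

For receiver.jks the expected layout is the mirror image: check_layout(entries, "bob", "alice"). A wrong store password is reported as an integrity failure rather than a decryption error because JKS protects the whole file with a single keyed digest; the per-key password (also sampleapp here) is only needed to decrypt the private key itself, which this listing deliberately does not attempt.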

    Import certificates into Windows XP certificate store

    To import the Bob and Alice X.509 certificates into the certificate store using Microsoft Management Console (MMC), do the following:

1. From the Start menu, select Start => Run, enter mmc, then click OK.
2. Select File => New.
3. Select File => Add/Remove Snap-in.
4. On the Standalone tab, click Add.
5. Select Certificates, then click Add.
6. Select My user account, then click Finish.
7. Click Close, then click OK.
8. Expand Certificates (Current User) => Personal => Certificates, then right-click Certificates => All Tasks => Import.
9. Browse to and install alice-key.p12 from the unzipped mySysKeys.zip file.
10. When prompted for the password, enter sampleapp.
11. Expand Certificates => Trusted People => Certificates, then right-click Certificates => All Tasks => Import.
12. Browse to and install bob-cert.der from the unzipped mySysKeys.zip file.
13. Select File => Add/Remove Snap-in.
14. On the Standalone tab, click Add.
15. Select Certificates, then click Add.
16. Select Computer account and click Next.
17. Select Local computer, then click Finish.
18. Click Close, then click OK.
19. Expand Certificates (Local Computer) => Personal => Certificates, then right-click Certificates => All Tasks => Import.
20. Browse to and install bob-key.p12 from the unzipped mySysKeys.zip file.
21. When prompted for the password, enter sampleapp.
22. Expand Certificates => Trusted People => Certificates, then right-click Certificates => All Tasks => Import.
23. Browse to and install alice-cert.der from the unzipped mySysKeys.zip file.

The result mirrors the two JKS files: the WCF client, running as the current user, holds Alice's private key and trusts Bob's certificate, while the WCF service, running under the local computer account, holds Bob's private key and trusts Alice's certificate.

    Create a custom policy set for the EchoService

    Now you need to create a customized policy set based on the WSSecurity default policy set shipped with the WSFP. First we’ll make a copy of the WSSecurity default policy set, and then modify the copy as needed.

1. Start the Integrated Solutions Console (ISC) by doing one of the following:
   • From the Start menu, select Start => Programs => IBM WebSphere => Application Server v6.1 => Profiles => AppSrv01 => Administrative Console.
   • In a browser, go to http://<host>:9061/ibm/console. Depending on how the AppSrvxx profile was installed, the console port may differ; 9061 is the default console port for AppSrv02.

2. Enter your Application Server administrative user ID and, if required, your password, and click Log in, as shown in Figure 1.

Figure 1. Log in to ISC

3. In the left pane, select Services => Policy sets => Application policy sets.
4. In the right pane, check WSSecurity default and click Copy at the top of the page.
5. In the *Name field, enter WSSInterop, then click OK.
6. Select the newly created WSSInterop policy set.
7. In this scenario, WS-Addressing is not necessary, so remove it from the WSSInterop policy set: check WS-Addressing, then click Delete.
8. Click Save at the top of the page.

This scenario signs only the timestamp and body, and encrypts only the body, so you need to update the policy set as follows:

9. In the left pane, select Services => Policy sets => Application policy sets. Select WSSInterop, then WS-Security, then Main policy. The Main policy dialog displays, as shown in Figure 2.

Figure 2. Main policy dialog

10. Select Request message part protection. The Request message part protection dialog displays, as shown in Figure 3.

Figure 3. Request message part protection dialog

11. Under Encrypted parts, select app_encparts, and click Edit. The Encrypted part dialog displays, as shown in Figure 4.

Figure 4. Encrypted part dialog

12. Remove the two XPath statements by selecting each XPath expression and then clicking Remove Selected Elements, so that only the body remains in the encrypted parts.
13. Click OK.
14. Go back to the Main policy dialog.
15. Click Response message part protection. The Response message part protection dialog displays, as shown in Figure 5.

Figure 5. Response message part protection dialog

16. Under Encrypted parts, select app_encparts, and click Edit. The Encrypted part dialog displays, as shown in Figure 6.

Figure 6. Encrypted part dialog

17. Remove the two XPath statements by selecting each XPath expression and clicking Remove Selected Elements.
18. Click OK, then Save, and go back to the Main policy dialog.
19. Ensure Include timestamp in security header is checked, as shown in Figure 7. Without the timestamp there is nothing for the five-minute expiration configured later to act on, and the signature would no longer cover a freshness value.

Figure 7. Main policy panel

20. Click OK, then Save.

    Attach the custom policy set and custom binding to EchoService

    In this section, we’ll attach the WSSInterop policy set to the EchoService service. Then we’ll assign a custom binding to the EchoService service.

To assign the policy set to EchoService, do the following:
1. In the left pane, select Services => Service providers.
2. Select EchoService, then check EchoService, then click Attach.
3. Select WSSInterop from the drop-down list.

To assign the custom binding to EchoService, do the following:
1. In the left pane, select Services => Service providers.
2. Select EchoService, then check EchoService, then click Assign Binding, then New.
3. Specify WS-Server-Binding as the name.
4. Click Add, and then select WS-Security.
5. Click Save.

Configure the custom binding for EchoService

In the following sections, we'll configure the custom binding for the EchoService service, covering the key information for both the request and the response message. For request messages, the service uses Alice's certificate (her public key) to verify the signature on inbound messages and Bob's private key to decrypt them. For response messages, the service uses Bob's private key to sign outbound messages and Alice's certificate to encrypt them. Because the inbound and outbound configuration steps are similar, screenshots are provided only in the first section. Finally, we'll set a message expiration timeout; the timeout value defines the lifetime of the message.

Tip: Create a simple text file that contains the text input parameters used in this section and in Configure the custom binding for the EchoService client, then cut and paste from it as needed. This cuts down on typing errors. The critical inputs that can't be mistyped are path names, passwords, certificate names (distinguished names) and aliases.

    Configure EchoService request signature consumer security bindings

1. In the left pane, select Services => Service providers.
2. Select EchoService, then WS-Server-Binding, then WS-Security. The WS-Security dialog displays, as shown in Figure 8.

Figure 8. WS-Security dialog

3. Select Authentication and protection. The Authentication and protection dialog displays, as shown in Figure 9.

Figure 9. Authentication and protection dialog

4. Click AsymmetricBindingInitiatorSignatureToken0. The AsymmetricBindingInitiatorSignatureToken0 dialog displays, as shown in Figure 10.

Figure 10. AsymmetricBindingInitiatorSignatureToken0 dialog

5. Verify that the JAAS login is wss.consume.x509.
6. Click Apply to generate a callback handler binding, as shown in Figure 11.

Figure 11. Generated callback handler

7. Select Callback handler.
8. In the Callback handler dialog, make sure that Trust any certificate is checked, as shown in Figure 12. Trust any certificate makes the consumer accept whatever X.509 certificate the initiator presents without validating its chain; that is acceptable for this test setup because the keystores hold only the sample certificates, but a production binding should leave it unchecked and validate the signer's certificate against a trust store that contains the issuing CA (myca here).
9. In the Keystore section, select Custom as the name, then select Custom keystore configuration, as shown in Figure 12.

Figure 12. Callback handler dialog

10. In the Custom keystore configuration dialog, enter the full path name for the receiver.jks keystore. For example:
    C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\receiver.jks
11. For Type, select JKS.
12. For Password, enter sampleapp.
13. For Confirm password, enter sampleapp.
14. In the Key section, enter cn=alice,ou=myou,o=myco in the Name field, and alice in the Alias field.

Figure 13 shows the proper settings for the custom keystore configuration.

Figure 13. Custom keystore configuration dialog

15. Click OK three times, then click Save.

AsymmetricBindingInitiatorSignatureToken0 is now configured, as shown in Figure 14.

Figure 14. AsymmetricBindingInitiatorToken0 configured

16. In the Request message signature and encryption protection section, select request:app_signparts.
17. In the Name field, enter req-sign-msg-part, and then click Apply. The Signed message part dialog displays, as shown in Figure 15.

Figure 15. Signed message part dialog

18. In the Message part reference section, select request:app_signparts, then click Edit. The request:app_signparts dialog displays, as shown in Figure 16.

Figure 16. request:app_signparts panel

19. Under Transform algorithms, click New.
20. In the URL field, enter http://www.w3.org/2001/10/xml-exc-c14n#, as shown in Figure 17. This is the Exclusive XML Canonicalization transform; WCF applies the same transform to each signed part, so both sides digest identical bytes.

Figure 17. New dialog

21. Click OK twice.
22. Under Signing key information, click New.
23. Enter req-sign-keyinfo in the Name field, as shown in Figure 18.

Figure 18. Signing key information dialog

24. Ensure that AsymmetricBindingInitiatorSignatureToken0 is selected in the Token generator or consumer name field, then click OK.
25. Under Signing key information, select req-sign-keyinfo, then click Add, as shown in Figure 19.

Figure 19. Add req-sign-keyinfo

26. Click OK, and then Save. The request:app_signparts part is now configured, as shown in Figure 20.

Figure 20. request:app_signpart configured

Configure the EchoService request encryption consumer security bindings

1. In the left pane, select Services => Service providers.
2. Select EchoService, then WS-Server-Binding, then WS-Security.
3. Select Authentication and protection.
4. Select AsymmetricBindingRecipientEncryptionToken0.
5. Verify that the JAAS login is wss.consume.x509.
6. Click Apply to generate a callback handler binding.
7. Select Callback handler.
8. Under Certificates, make sure Trust any certificate is checked.
9. In the Keystore section, select Custom as the name, then select Custom keystore configuration.
10. Enter the full path name for the receiver.jks keystore. For example: C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\receiver.jks
11. For Type, select JKS.
12. For Password, enter sampleapp.
13. For Confirm password, enter sampleapp.
14. Under Key, enter cn=bob,ou=myou,o=myco in the Name field.
15. Enter bob in the Alias field.
16. For keypass Password, enter sampleapp.
17. For Confirm keypass password, enter sampleapp.
18. Click OK three times, then click Save.
19. Under Request message signature and encryption protection, click request:app_encparts.
20. In the Name field, enter req-enc-msg-part, then click Apply.
21. Under Key information, click New.
22. Enter req-enc-keyinfo for the name.
23. Ensure AsymmetricBindingRecipientEncryptionToken0 is selected for Token generator or consumer name, then click OK.
24. Under Key information, select req-enc-keyinfo, then click Add.
25. Click OK, and then Save.

Configure the EchoService response signature generator security bindings

1. In the left pane, select Services => Service providers.
2. Select EchoService, then WS-Server-Binding, then WS-Security.
3. Select Authentication and protection.
4. Select AsymmetricBindingRecipientSignatureToken0.
5. Verify that the JAAS login is wss.generate.x509.
6. Click Apply to generate a callback handler binding.
7. Select Callback handler.
8. Under Certificates, make sure Trust any certificate is checked.
9. In the Keystore section, select Custom as the name, then select Custom keystore configuration.
10. Enter the full path name for the receiver.jks keystore. For example: C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\receiver.jks
11. For Type, select JKS.
12. For Password, enter sampleapp.
13. For Confirm password, enter sampleapp.
14. Under Key, enter cn=bob,ou=myou,o=myco in the Name field.
15. Enter bob in the Alias field.
16. For keypass Password, enter sampleapp.
17. For Confirm keypass password, enter sampleapp.
18. Under Response message signature and encryption protection, click response:app_signparts.
19. In the Name field, enter resp-sign-msg-part.
20. Under Signing key information, click New.
21. In the Name field, enter resp-sign-keyinfo.
22. Under Type, select Key identifier.
23. Ensure AsymmetricBindingRecipientSignatureToken0 is selected for Token generator or consumer name, then click OK, then Apply.
24. Under Message part reference, select response:app_signparts, and click Edit.
25. Under Transform algorithms, click New.
26. In the URL field, enter http://www.w3.org/2001/10/xml-exc-c14n#.
27. Click OK twice.
28. Under Signing key information, make sure resp-sign-keyinfo is selected, then click OK, and then Save.

Configure the EchoService response encryption generator security bindings

1. In the left pane, select Services => Service providers => EchoService.
2. Select WS-Server-Binding, then WS-Security.
3. Select Authentication and protection.
4. Select AsymmetricBindingInitiatorEncryptionToken0.
5. Verify that the JAAS login is wss.generate.x509.
6. Click Apply to generate a callback handler binding.
7. Select Callback handler.
8. In the Keystore section, select Custom as the name, then select Custom keystore configuration.
9. Enter the full path name for the receiver.jks keystore. For example: C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\receiver.jks
10. For Type, select JKS.
11. For Password, enter sampleapp.
12. For Confirm password, enter sampleapp.
13. Under Key, enter cn=alice,ou=myou,o=myco in the Name field.
14. Enter alice in the Alias field.
15. Click OK three times, then click Save.
16. Under Response message signature and encryption protection, click response:app_encparts.
17. In the Name field, enter resp-enc-msg-part, and then click Apply.
18. Under Key information, click New.
19. Enter resp-enc-keyinfo for the name.
20. Under Type, select Key identifier.
21. Ensure AsymmetricBindingInitiatorEncryptionToken0 is selected for Token generator or consumer name, and click OK.
22. Ensure resp-enc-keyinfo is selected, click OK, and then Save.

Configure EchoService service timestamp to expire in 5 minutes

1. In the left pane, select Services => Service providers => EchoService.
2. Select WS-Server-Binding, then WS-Security.
3. Select Message expiration.
4. Select Enable message expiration, and enter 5 in the Message timeout interval field.
5. Click OK, and then Save.
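The following Python example is added here and is not taken from the article or from the SEI samples. It shows what the consumer side configured above actually checks on an incoming message: that each ds:Reference for the Timestamp and the Body carries the exclusive-C14N transform entered in the signature binding steps, that every recomputed digest matches its DigestValue (so a Body modified after signing is rejected), and that the wsu:Timestamp is neither expired nor longer-lived than the five-minute interval from the message-expiration setting, with a small clock-skew allowance. It constructs its own envelope (the echoString element and its namespace are hypothetical) and, lacking a crypto provider, does not verify the RSA SignatureValue or decrypt the Body; the runtime does both in addition to what is shown here.

```python
"""Consumer-side checks for the sign(Timestamp, Body) + 5-minute-expiry profile.

Only the XML-Signature reference digests are recomputed; SignatureValue
verification and Body decryption are left to the platform.  The envelope is
constructed below, not captured from the samples.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ex": "http://example.org/echo",   # hypothetical namespace for the Echo operation
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
WSU_ID = "{%s}Id" % NS["wsu"]
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)


def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def part_digest(elem):
    """Base64 SHA-1 over the canonical form of one signed part.  The stdlib's
    canonicalize() is C14N 2.0; it stands in for the Exclusive C14N named by the
    transform URI and is used identically on both sides of this example."""
    canon = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode("ascii")


def parse_wsu_time(text):
    """wsu:Created / wsu:Expires: UTC xsd:dateTime, optional fractional seconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z", text.strip())
    if not m:
        raise ValueError("unsupported timestamp %r" % text)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_timestamp(root, now, max_lifetime=timedelta(minutes=5), skew=timedelta(minutes=1)):
    """The consumer's message-expiration check: returns (ok, reason)."""
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "no wsu:Timestamp in the Security header"
    created = parse_wsu_time(ts.findtext("wsu:Created", namespaces=NS))
    expires = parse_wsu_time(ts.findtext("wsu:Expires", namespaces=NS))
    if created > now + skew:
        return False, "Created is in the future"
    if expires <= now:
        return False, "message expired at " + expires.isoformat()
    if expires - created > max_lifetime + skew:
        return False, "lifetime %s exceeds the allowed interval" % (expires - created)
    return True, "timestamp ok"


def check_signed_parts(root, required=("Timestamp", "Body")):
    """Recompute every Reference digest and require Timestamp and Body to be signed."""
    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return False, "no ds:Signature"
    covered = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        dm = ref.find("ds:DigestMethod", NS)
        if transforms != [EXC_C14N] or dm is None or dm.get("Algorithm") != SHA1:
            return False, "unexpected algorithms on %s" % uri
        target = next((e for e in root.iter() if e.get(WSU_ID) == uri.lstrip("#")), None)
        if target is None:
            return False, "dangling reference %s" % uri
        if part_digest(target) != ref.findtext("ds:DigestValue", namespaces=NS).strip():
            return False, "digest mismatch for %s" % uri
        covered.add(target.tag.split("}")[1])
    missing = [p for p in required if p not in covered]
    return (False, "unsigned parts: " + ", ".join(missing)) if missing else (True, "signed parts ok")


def build_sample_envelope(created, expires, tamper=None):
    """Constructed request shaped like the scenario: a Security header with a
    Timestamp and a Signature over Timestamp and Body.  SignatureValue is a
    placeholder and the Body is left in the clear so its digest can be checked."""
    env = ET.Element(q("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("soap", "Header")), q("wsse", "Security"))
    ts = ET.SubElement(sec, q("wsu", "Timestamp"), {WSU_ID: "Timestamp-1"})
    ET.SubElement(ts, q("wsu", "Created")).text = created
    ET.SubElement(ts, q("wsu", "Expires")).text = expires
    body = ET.SubElement(env, q("soap", "Body"), {WSU_ID: "Body-1"})
    ET.SubElement(body, q("ex", "echoString")).text = "hello from alice"
    sig = ET.SubElement(sec, q("ds", "Signature"))
    info = ET.SubElement(sig, q("ds", "SignedInfo"))
    for part in (ts, body):
        ref = ET.SubElement(info, q("ds", "Reference"), {"URI": "#" + part.get(WSU_ID)})
        ET.SubElement(ET.SubElement(ref, q("ds", "Transforms")), q("ds", "Transform"), {"Algorithm": EXC_C14N})
        ET.SubElement(ref, q("ds", "DigestMethod"), {"Algorithm": SHA1})
        ET.SubElement(ref, q("ds", "DigestValue")).text = part_digest(part)
    ET.SubElement(sig, q("ds", "SignatureValue")).text = "cGxhY2Vob2xkZXI="  # placeholder
    if tamper is not None:
        body[0].text = tamper                    # change the Body after it was "signed"
    return ET.tostring(env)


def verify(envelope_bytes, now):
    """Run both consumer checks on a serialized envelope at the given time."""
    root = ET.fromstring(envelope_bytes)
    return check_timestamp(root, now), check_signed_parts(root)
```

The same two checks apply unchanged to the client-side consumer bindings for the response message, with Bob as the signer. Note that the lifetime check is what the five-minute setting buys you: a replayed message is rejected once its Expires has passed, but within the window the timestamp alone does not prevent replay, so keep the interval short and rely on the signature binding the timestamp to the body.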

    Attach the custom policy set and custom binding to the EchoService client

    In this section, we’ll attach the WSSInterop policy set to the EchoService client, and then assign a custom binding to the EchoService client.

Assign the policy set to the EchoService client

1. In the left pane, select Services => Service clients.
2. Select EchoService, check EchoService, then click Attach.
3. Select WSSInterop from the drop-down list.

Assign the custom binding to the EchoService client

1. In the left pane, select Services => Service clients.
2. Select EchoService, check EchoService, then Assign Binding, and click New.
3. Specify WS-Client-Binding as the name.
4. Click Add, and select WS-Security, then click Save.

Configure the custom binding for the EchoService client

    In this section, we’ll configure the custom binding for the EchoService client, including configuring both the request message and response message key information. For response messages, we’ll configure the client to use Bob’s public key to validate the inbound messages, and Alice’s private key to decrypt the inbound messages. For request messages, we’ll configure the client to use Alice’s private key to sign the outbound messages while encrypting the outbound message using Bob’s public key. Finally, we’ll set a message expiration timeout. The timeout value defines the lifetime for the message.

    Configure the EchoService client response signature consumer security bindings

1. In the left pane, select Services => Service clients.
2. Select EchoService, then WS-Client-Binding, then WS-Security.
3. Select Authentication and protection.
4. Select AsymmetricBindingRecipientSignatureToken0.
5. Verify that JAAS login is wss.consume.x509.
6. Click Apply to generate a callback handler binding.
7. Select Callback handler.
8. Under Certificates, make sure Trust any certificate is checked. With this option the consumer does not validate the signer's certificate against a trust store; that is acceptable for this sample with its fixed set of sample keys, but in production clear it and configure a trust store so that only certificates you have chosen can sign messages to you.
9. In the Keystore section, select Custom as the name, then select Custom keystore configuration.
10. Enter the full path name for the sender.jks keystore. For example:

C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\sender.jks

11. For Type, select JKS.
12. For Password, enter sampleapp.
13. For Confirm password, enter sampleapp.
14. Under Key, enter cn=bob,ou=myou,o=myco in the Name field.
15. Enter bob in the Alias field.
16. Click OK three times, then click Save.
17. Under Response message signature and encryption protection, click response:app_signparts.
18. In the Name field, enter resp-sign-msg-part, then click Apply.
19. Under Signing key information, click New.
20. Enter resp-sign-keyinfo in the Name field.
21. Under Token generator or consumer name, make sure that AsymmetricBindingRecipientSignatureToken0 is selected, and click OK.
22. Under Message part reference, select response:app_signparts, and click Edit.
23. Under Transform algorithms, click New.
24. In the URL field, enter http://www.w3.org/2001/10/xml-exc-c14n#
25. Click OK twice.
26. Under Signing key information, select resp-sign-keyinfo, then click Add.
27. Click OK, then click Save.

Configure the EchoService client response encryption consumer security bindings

1. In the left pane, select Services => Service clients.
2. Select EchoService, then WS-Client-Binding, then WS-Security.
3. Select Authentication and protection.
4. Select AsymmetricBindingInitiatorEncryptionToken0.
5. Verify that JAAS login is wss.consume.x509.
6. Click Apply to generate a callback handler binding.
7. Select Callback handler.
8. Under Certificates, make sure Trust any certificate is checked.
9. In the Keystore section, select Custom as the name, then select Custom keystore configuration.
10. Enter the full path name for the sender.jks keystore. For example:

C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\sender.jks

11. For Type, select JKS.
12. For Password, enter sampleapp.
13. For Confirm password, enter sampleapp.
14. Under Key, enter cn=alice,ou=myou,o=myco in the Name field.
15. Enter alice in the Alias field.
16. For Password, enter sampleapp.
17. For Confirm password, enter sampleapp.
18. Click OK three times, then click Save.
19. Under Response message signature and encryption protection, select response:app_encparts.
20. In the Name field, enter resp-enc-msg-part, then click Apply.
21. Under Key information, click New.
22. Enter resp-enc-keyinfo in the Name field.
23. Ensure AsymmetricBindingInitiatorEncryptionToken0 is selected for Token generator or consumer name, then click OK.
24. Under Key information, select resp-enc-keyinfo, and click Add.
25. Click OK, then click Save.

    Configure the EchoService client request signature generator security bindings

1. In the left pane, select Services => Service clients.
2. Select EchoService, then WS-Client-Binding, then WS-Security.
3. Select Authentication and protection.
4. Select AsymmetricBindingInitiatorSignatureToken0.
5. Verify that JAAS login is wss.generate.x509.
6. Click Apply to generate a callback handler binding.
7. Select Callback handler.
8. In the Keystore section, select Custom as the name, then select Custom keystore configuration.
9. Enter the full path name for the sender.jks keystore. For example:

C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\sender.jks

10. For Type, select JKS.
11. For Password, enter sampleapp.
12. For Confirm password, enter sampleapp.
13. Under Key, enter cn=alice,ou=myou,o=myco in the Name field.
14. Enter alice in the Alias field.
15. For Password, enter sampleapp.
16. For Confirm password, enter sampleapp.
17. Click OK three times, then click Save.
18. Under Request message signature and encryption protection, select request:app_signparts.
19. In the Name field, enter req-sign-msg-part.
20. Under Signing key information, click New.
21. Enter req-sign-keyinfo for the name.
22. Under Type, select Security Token Reference.
23. Ensure AsymmetricBindingInitiatorSignatureToken0 is selected for Token generator or consumer name, then click OK, then click Apply.
24. Under Message part reference, select request:app_signparts, then click Edit.
25. Under Transform algorithms, click New.
26. In the URL field, enter http://www.w3.org/2001/10/xml-exc-c14n#, and click OK twice.
27. Under Signing key information, ensure req-sign-keyinfo is selected, then click OK, and then Save.

    Configure the EchoService client request encryption generator security bindings

1. In the left pane, select Services => Service clients.
2. Select EchoService, then WS-Client-Binding, then WS-Security.
3. Select Authentication and protection.
4. Select AsymmetricBindingRecipientEncryptionToken0.
5. Verify that JAAS login is wss.generate.x509.
6. Click Apply to generate a callback handler binding.
7. Select Callback handler.
8. In the Keystore section, select Custom as the name, then select Custom keystore configuration.
9. Enter the full path name for the sender.jks keystore. For example:

C:\Program Files\IBM\WebSphere\AppServer\etc\wssecurity\mySysKeys\sender.jks

10. For Type, select JKS.
11. For Password, enter sampleapp.
12. For Confirm password, enter sampleapp.
13. Under Key, enter cn=bob,ou=myou,o=myco in the Name field.
14. Enter bob in the Alias field.
15. Click OK three times, then click Save.
16. Under Request message signature and encryption protection, select request:app_encparts.
17. In the Name field, enter req-enc-msg-part.
18. Under Key information, click New.
19. Enter req-enc-keyinfo for the name.
20. Under Type, select Key identifier.
21. Ensure AsymmetricBindingRecipientEncryptionToken0 is selected for Token generator or consumer name, and then click OK.
22. Under Request message signature and encryption protection, select request:app_encparts, then click OK.
23. Under Key information, select req-enc-keyinfo.
24. Click OK, and then Save.

    Configure the EchoService client timestamp to expire in five minutes

1. In the left pane, select Services => Service clients.
2. Select EchoService, then WS-Client-Binding, then WS-Security.
3. Select Message expiration.
4. Select Enable message expiration and enter 5 in the Message timeout interval field.
5. Click OK, and then Save.

    Test the EchoService

    In this section, we’ll use the SEI Samples demo to test the WebSphere EchoService client to WebSphere EchoService service to validate our security configuration.

Start the SEI samples demo user interface

To test the EchoService using the SEI samples demo UI, point your browser to http://hostname:port/wssamplesei/demo. For example: http://localhost:9081/wssamplesei/demo

Note: The port may vary based on your Application Server configuration.

This URL opens the SEI Samples demo UI, as shown in Figure 21.

Figure 21. SEI samples demo

    For a description of the SEI samples UI, see Part 1 of this series.

Test the EchoService client and service

To validate that the EchoService client and EchoService service are properly configured, select Synchronous Echo for Message Type, enter some text (for example, test) in the Message String field, enter the hostname and port number of the service endpoint (for example, http://localhost:9081), then press Send Message.

Figure 22 shows the successful response of the Synchronous Echo MEP. The response box shows the connection status, the Message Request, and the Message Response. Note that the Message Response is JAX-WS==>>test: the service prepends JAX-WS==>> to the Message Request string test. If you see an exception in the Message Response box, check the System.out log and review the security custom binding configurations for both the client and the service. Resolve these problems before you continue to the WCF configuration.

Figure 22. Synchronous Echo MEP example

    Configure the WCF client customBinding

In this section, we’ll configure the WCF client customBinding using the Microsoft Service Configuration Editor. We’ll add a security binding element extension, configure the security settings to match the WebSphere configuration, and add an advanced endpoint behavior with the certificate information.

1. Open the Service Configuration Editor.
2. Select File => Open => Config File => WCFClient.
3. Select WSWindowsClient.exe.config, and click Open.
4. In the left pane, select Bindings => EchoSOAP (customBinding), as shown in Figure 23.

Figure 23. customBinding:EchoSOAP

    5. In the right pane, click Add to open the Adding Binding Element Extensions dialog, as shown in Figure 24.

Figure 24. Adding Binding Element Extension dialog

6. Select security and click Add.
7. In the left pane, select security, as shown in Figure 25.

Figure 25. Default security settings

8. Change the following settings:
• AuthenticationMode to MutualCertificate
• Default Algorithm to Basic128Rsa15
• MessageProtectionOrder to SignBeforeEncrypt
• MessageSecurityVersion to WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10

The MessageSecurityVersion value selects WS-Security 1.0 with the Basic Security Profile 1.0 constraints, which is what the WebSphere policy set expects. The algorithm suite and the protection order must also match what the WebSphere bindings generate and consume, otherwise signature verification or decryption fails on one side.

    Figure 26 shows the properly configured security settings.

Figure 26. Configured security settings

    9. In the left, select Advanced => Endpoint Behaviors, then select New Endpoint Behavior Configuration in the right pane, as shown in Figure 27.

Figure 27. Endpoint Behaviors dialog

    10. Enter Client-Cert-Behavior in the Name field, and then click Add to display the Adding Behavior Element Extension Sections dialog, as shown in Figure 28.

Figure 28. New Endpoint Behavior dialog

    11. Select clientCredentials, then click Add, as shown in Figure 29.

Figure 29. Adding Behavior Element Extension Sections dialog

Figure 30 shows the result.

Figure 30. clientCredentials added

12. In the left pane, select Client-Cert-Behavior => clientCredentials => clientCertificate.

13. In the right pane, set the following values, as shown in Figure 31:
• FindValue: 12
• X509FindType: FindBySerialNumber

Figure 31. clientCertificate configured

14. In the left pane, select serviceCertificate => defaultCertificate.
15. In the right pane, set the following values, as shown in Figure 32:
• FindValue: 13
• StoreName: TrustedPeople
• X509FindType: FindBySerialNumber

Figure 32. serviceCertificate configured

16. In the left pane, select Client => Endpoints => EchoServicePort.
17. In the right pane, set the following values, as shown in Figure 33:
• Address: http://hostname:port/WSSampleSei/EchoService, where hostname and port are the values for the service endpoint.
• BehaviorConfiguration: Client-Cert-Behavior

Figure 33. Client Endpoint (General tab) configured

18. Switch to the Identity tab, and set the DNS to Bob, as shown in Figure 34. WCF checks this DNS identity against the subject name of the service certificate it receives, so it must match the common name of Bob's certificate.

Figure 34. Client Endpoint (Identity tab) configured

    19. Select Save to save the changes to the WSWindowsClient.exe.config file.

    Configure the WCF service customBinding

1. Open the Service Configuration Editor.
2. Select File => Open => Config File => WCFService.
3. Select wswindowsservice.exe.config, and click Open.
4. In the left pane, select Bindings => EchoSOAP (customBinding).
5. In the right pane, click Add to open the Adding Binding Element Extensions dialog.
6. Select security, then click Add.
7. In the left pane, select security.
8. Change the following settings:
• AuthenticationMode to MutualCertificate
• Default Algorithm to Basic128Rsa15
• MessageProtectionOrder to SignBeforeEncrypt
• MessageSecurityVersion to WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
9. In the left pane, select Advanced => Service Behaviors.
10. In the right pane, select New Service Behavior Configuration.
11. Enter Server-Cert-Behavior in the Name field, and then click Add to display the Adding Behavior Element Extension Sections dialog.
12. Select serviceCredentials, then click Add.
13. In the left pane, select Server-Cert-Behavior => serviceCredentials => serviceCertificate.
14. In the right pane, set the following values:
• FindValue: 13
• X509FindType: FindBySerialNumber
15. In the left pane, select clientCertificate.
16. In the right pane, set the following values:
• CertificateValidationMode: None
• IncludeWindowsGroups: False
• FindValue: 12
• StoreName: TrustedPeople
• X509FindType: FindBySerialNumber

CertificateValidationMode None turns off validation of the client certificate presented in the request: no chain is built and no peer-trust check is made. It keeps the sample working with the sample certificates, but a production service should use ChainTrust or PeerTrust so that only certificates you have chosen are accepted.

17. In the left pane, select Services => com.ibm.was.wssample.sei.EchoServicePortImpl.
18. In the right pane, select Server-Cert-Behavior for BehaviorConfiguration.
19. In the left pane, select Services => com.ibm.was.wssample.sei.PingServicePortImpl.
20. In the right pane, select Server-Cert-Behavior for BehaviorConfiguration.
21. Select Save to save the changes to wswindowsservice.exe.config.
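On both platforms the settings above describe the same thing: what the wsse:Security header of every Echo request and response must contain. The following script is an added example, not code from the article or from the IBM or Microsoft samples. It parses a constructed SOAP 1.1 request shaped like the article's signed-then-encrypted Echo call and checks it against the policy configured here and in the WebSphere Message expiration steps for the service and the client: the wsu:Timestamp must be no older than the 5 minute timeout, the signature must use exclusive C14N on its signed parts, and the key wrap and data encryption algorithms must be the ones the Basic128Rsa15 suite implies (RSA-1.5 and AES-128-CBC). The 60 second clock-skew allowance, the dummy token and cipher values, and the KeyIdentifier and direct Reference forms shown in the sample header are assumptions for illustration. It does not verify the signature or decrypt anything; the WS-Security runtime does that once checks like these pass.

```python
# Added example, not code from the article or the WebSphere/WCF samples: check an
# inbound WS-Security 1.0 header against the policy the article configures.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"  # transform added to the signed parts
SUITE = {  # algorithm URIs the Basic128Rsa15 suite implies
    "encryption": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "key_wrap": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digest": "http://www.w3.org/2000/09/xmldsig#sha1",
}
MAX_AGE = timedelta(minutes=5)      # "Message timeout interval" = 5 on both sides
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance, not a setting from the article

def _utc(text):  # wsu:Created / wsu:Expires are xsd:dateTime in UTC
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_timestamp(security, now):
    """Freshness check every consumer must do; returns a list of problems (empty = fresh)."""
    ts = security.find("wsu:Timestamp", NS)
    if ts is None or ts.find("wsu:Created", NS) is None:
        return ["no wsu:Timestamp/wsu:Created in the Security header"]
    created = _utc(ts.find("wsu:Created", NS).text)
    problems = []
    if created > now + CLOCK_SKEW:
        problems.append("Created is in the future")
    if now - created > MAX_AGE + CLOCK_SKEW:
        problems.append("message is older than the 5 minute timeout")
    expires = ts.find("wsu:Expires", NS)
    if expires is not None and _utc(expires.text) <= now - CLOCK_SKEW:
        problems.append("Expires has passed")
    return problems

def check_algorithms(envelope, security):
    """Returns deviations from Basic128Rsa15 with exclusive C14N on the signature."""
    problems = []
    si = security.find("ds:Signature/ds:SignedInfo", NS)
    if si is None:
        problems.append("no ds:Signature")
    else:
        if si.find("ds:CanonicalizationMethod", NS).get("Algorithm") != EXC_C14N:
            problems.append("signature canonicalization is not exclusive C14N")
        for ref in si.findall("ds:Reference", NS):
            transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
            if EXC_C14N not in transforms:
                problems.append(f"reference {ref.get('URI')} lacks the exc-c14n transform")
    ek = security.find("xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    if ek is None:
        problems.append("no xenc:EncryptedKey")
    elif ek.get("Algorithm") != SUITE["key_wrap"]:
        problems.append("key wrap is not rsa-1_5")
    # app_encparts is the Body, so the EncryptedData sits there rather than in the header
    for ed in envelope.iter("{%s}EncryptedData" % NS["xenc"]):
        if ed.find("xenc:EncryptionMethod", NS).get("Algorithm") != SUITE["encryption"]:
            problems.append("data encryption is not aes128-cbc")
    return problems

def check_message(xml_text, now):
    """{'timestamp': [...], 'algorithms': [...]}; both empty means the message matches the policy."""
    env = ET.fromstring(xml_text)
    security = env.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return {"timestamp": ["no wsse:Security header"], "algorithms": ["no wsse:Security header"]}
    return {"timestamp": check_timestamp(security, now), "algorithms": check_algorithms(env, security)}

def build_sample(created, c14n=EXC_C14N):
    """Constructed request shaped like the article's Echo call; all token/cipher values are dummies."""
    stamp = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1"><wsu:Timestamp wsu:Id="ts">
<wsu:Created>{stamp(created)}</wsu:Created><wsu:Expires>{stamp(created + MAX_AGE)}</wsu:Expires></wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="alice">MIIB...</wsse:BinarySecurityToken>
<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{SUITE['key_wrap']}"/>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier>bob-ski</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#enc"/></xenc:ReferenceList></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="{c14n}"/>
<ds:SignatureMethod Algorithm="{SUITE['signature']}"/>
<ds:Reference URI="#body"><ds:Transforms><ds:Transform Algorithm="{c14n}"/></ds:Transforms>
<ds:DigestMethod Algorithm="{SUITE['digest']}"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#alice"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="body"><xenc:EncryptedData Id="enc"><xenc:EncryptionMethod Algorithm="{SUITE['encryption']}"/>
<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
</soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    print("fresh:", check_message(build_sample(now - timedelta(minutes=2)), now))
    print("stale:", check_message(build_sample(now - timedelta(minutes=10)), now))
```

A message that fails check_timestamp is exactly what the WebSphere consumer rejects once Message expiration is enabled with a 5 minute interval, and a header whose algorithms fail check_algorithms is what you get when one side is left on a different algorithm suite or on inclusive C14N; checking those two things first saves a lot of time reading the System.out log.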

    Test the WCF samples

    In this section, you’ll learn how to run the WCF samples, including how to correctly start the WCF services, and how to use the commands for the WCF client.

Start the WCF services

To start the WCF services, do the following:

1. Select Start => Run => cmd to open a command window.
2. Change to the \WCF\WCFService directory.
3. Enter WSWindowsService.exe -? to see command usage information, as shown here:

WSWindowsService -p [port] -e [echoSuffix] -f [pingSuffix]

Default values:
port = 9080
echoSuffix = /WSSampleSei/EchoService
pingSuffix = /WSSampleSei/PingService

Make sure that you start the service using an open port, such as port 9082. Otherwise, you’ll get an error stating that the port is already in use. The following is an example of the correct command line argument usage:

WSWindowsService.exe -p 9082 -e /WSSampleSei/EchoService

To stop the WCF services, press Enter in the command window.

Run the WCF client

To run the WCF client, do the following:

1. Select Start => Run => cmd to open a command window.
2. Change to the \WCF\WCFClient directory.
3. Enter WSWindowsClient.exe -? to see command usage information, as shown here:

WSWindowsClient [-e | -h [hostname] -p [port] -f [urlSuffix]] -m [testMessage] -s [echo | ping | async] -t [asynctimeout]

Options:
-e Create the service proxy with no endpoint address
-h hostname = localhost
-p port = 9080
-f urlSuffix = /WSSampleSei/EchoService
-m testMessage = "hello"
-s service = echo
-t asynctimeout = 120

The version of the WCF client used in this article has a new option, -e. With it, the client creates the service proxy from the endpoint information in WSWindowsClient.exe.config rather than from the command line, so make sure the service endpoint is defined as described in the previous section. You must use the -e option for this test.

    The following example shows how to run the WCF client from the command line and verify that both the WCF services and client are configured correctly. The example assumes the service endpoint in the WSWindowsClient.exe.config file is configured to point to the WCF service started in Start the WCF services. The service endpoint should be defined as: http://localhost:9082/WSSampleSei/EchoService.

    Following is an example command for the Echo sample:

WSWindowsClient.exe -e

The service response to the client request is DotNet==>>hello. The service prepends DotNet==>> to the test message hello. You should see the hello message in the service window.

    Test interoperability between WebSphere and WCF

    This section describes how to test the interoperability between WebSphere and WCF configured to use WS-Security. By now you should have verified that the WebSphere client to WebSphere service is working correctly, and that the WCF client to WCF service is working correctly.

Test the WCF client to WebSphere service

To test the WCF client to WebSphere service interoperability, set the service endpoint in the WSWindowsClient.exe.config file to your WebSphere service endpoint. For example: http://localhost:9081/WSSampleSei/EchoService.

Run the WCF client using the same command shown in Run the WCF client.

The WebSphere service response to the WCF client request should be JAX-WS==>>hello.

Test the WebSphere client to WCF service

To test the WebSphere client to WCF service interoperability using the SEI sample demo UI, select Synchronous Echo for Message Type, enter some text (such as test) in the Message String field, enter the hostname and port number of the WCF service endpoint (for example, http://localhost:9082), then click Send Message.

The WCF service response to the WebSphere client request should be DotNet==>>test.

Summary

In this article, we leveraged WS-Security 1.0 to secure SOAP messages exchanged between WebSphere Application Server Version 6.1 Feature Pack for Web Services and Windows Communication Foundation 3.0. You learned how to create a WS-Security based policy set and custom binding using the new policy-based administration features for JAX-WS Web services deployed on WebSphere Application Server. You also learned how to configure an equivalent WS-Security based customBinding for WCF. You can apply this custom policy set and these custom bindings to the SEI sample EchoService client and service to demonstrate WS-Security interoperability with a Windows Communication Foundation client and service configured for WS-Security using this customBinding.

In a heterogeneous business process environment, this scenario can be applied to secure Web service messages between two processes. In this case, one process can be a J2EE application on WebSphere consumed by a Microsoft WCF client, or vice versa. You’ve seen how WS-Security provides an interoperable method for securing business-level Web service messages.

Acknowledgments

We would like to thank Dassault Systèmes for the inspiration for this scenario, and for their cooperation and input during the writing of this article.

Resources

Specifications
• Web Services Security: SOAP Message Security 1.0 (WS-Security 2004): http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

WSFP and developerWorks
• Feature Pack for Web Services Information Center: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/welc6tech_wbs_intro.html
• Achieving Web services interoperability between the WebSphere Web Services Feature Pack and Windows Communication Foundation, Part 1 (developerWorks 2007): http://www.ibm.com/developerworks/websphere/library/techarticles/0710_levay/0710_levay.html. Part 1 of this series describes how to use the WebSphere Application Server Version 6.1 Feature Pack for Web Services Service Endpoint Interface samples to demonstrate interoperability with Microsoft Windows Communication Foundation. It provides step-by-step instructions on how to achieve basic Web services interoperability for SOAP 1.1, SOAP 1.2, and WS-Addressing.

Windows Communication Foundation
• Web Services Protocols Interoperability Guide: http://msdn2.microsoft.com/en-us/library/ms730294.aspx. This topic provides a list of Web Services Protocols implemented by WCF.
• Web Services Protocols Supported by System-Provided Interoperability Bindings: http://msdn2.microsoft.com/en-us/library/ms734776.aspx. This topic lists specifications that are supported by system-provided interoperable bindings.

About the authors

Charles Le Vay is a senior software architect responsible for Web service interoperability for WebSphere Application Server. He represents IBM on the Web Service Interoperability Organization (WS-I) Reliable Secure Profile (RSP) Working Group. As an interoperability architect, Charles ensures IBM products meet industry standard interoperability criteria. He is responsible for identifying and detailing best practices for Web services interoperability.

Prior to this position, Charles specialized in mobile application development, wireless technology, and extending enterprise applications securely to mobile devices. Before joining IBM, Charles developed advanced submarine sonar systems for the Navy and specialized in signal processing and underwater acoustics. He is a graduate of Duke University with a degree in physics.

Salim Zeitouni works as an advisory software engineer on the IBM WebSphere web services interoperability team. Salim is an active member of the WS-I community, an open industry organization chartered to promote Web services interoperability, and currently chairs the Sample Applications Work Group.

Prior to joining the web services group, Salim was a team lead on several IBM WebSphere products that provide an integrated client-server environment and application development tools to extend business applications and data to mobile users. Since joining IBM in 1996, Salim has worked on several of the WebSphere, Tivoli, and Lotus software products.
