Connect SoapUI to WCF service certificate authentication

Is it possible to connect SoapUI to WCF Service certificate authentication, the answer is yes! If you search on the internet, there is little information about this topic but it is really possible!

Adding security to your WCF service is a best practice. Not only when your creating services connected by the internet but also inside your company.

One way for securing your WCF service is adding certificates for authentication. But also signing your message is good way to preserve the integrity of your message. So to use a secure service we can enable transport and message security. See a list of common security scenarios with WCF for a good reference. In that way we can use SSL in IIS.

Service configuration

Add a service to your application with a WsHttpBinding. See for an example the following config:

<?xml version="1.0" encoding="utf-8" ?>
<system.serviceModel>
  <services>
    <service name="SampleService">
      <endpoint binding="wsHttpBinding" contract="ISampleService" bindingNamespace="http://your/binding/namespace"/>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <serviceMetadata httpsGetEnabled="true" />
        <serviceCredentials>
          <serviceCertificate findValue="YourThumbprint" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
          <clientCertificate>
            <certificate findValue="YourThumbprint" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
            <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
            <!-- Check revocationMode for production -->
          </clientCertificate>
        </serviceCredentials>
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding maxReceivedMessageSize="10485760">
        <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Certificate" algorithmSuite="Basic256Sha256Rsa15" negotiateServiceCredential="false" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>

Client Configurations

Configuration .NET

Then use in your .NET client the following config. The assumption is that you already know how to add a service.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WsHttpBinding_ISampleService">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Certificate" algorithmSuite="Basic256Sha256Rsa15"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="">
          <clientCredentials>
            <clientCertificate findValue="your thumbprint" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />

            <serviceCertificate>
              <defaultCertificate findValue="your thumbprint" storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" />
              <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" /><!-- Check revocationMode for production -->
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="https://url/SampleService.svc"
          binding="wsHttpBinding" bindingConfiguration="WsHttpBinding_ISampleService"
          contract="ISampleService" name="WsHttpBinding_ISampleService1">
        <identity>
          <dns value="IngHubServerTest"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

Configuration SoapUI

If you want to connect to this service with SoapUI it is more difficult. I’m not a Java developer so I use SoapUI for an easier understanding of connecting to our WCF Service in a different language. For this example I use the curret latest version 5.3. See for an overview of WS-Security the following help page.

Follow the steps below for adding a new project to SoapUI with the right configuration.

Project configuration

  1. First of all create a new project and add the url to the wsdl. A new project is generated with a sample request for your service.
  2. Now double click the project or use right click of the mouse to open the “Project view”.
  3. Navigate to the “WS-Security Configurations” tab
  4. Select the “Keystores” tab and add the certificate with private key so we can sign the request.
  5. Go to the “Outgoing WS-Security Configurations” and add a new configuration with the name that you like.
  6. Add in the newly created configuration a “Signature”.
  7. Configure the keystore that you’ve added.
  8. Use “Binary Security Token” as Key Identifier Type.
  9. Set the right Algorithms that you have configured in the service. I change the configuration to a higher security because the default uses SHA1 and that is not a best practice anymore. I changed the configuration in my WCF service to algorithmSuite=”Basic256Sha256Rsa15″ in the message element of the binding. See this page for more information. Then it uses RSA-SHA256 for signature algorithm, XML-EXC-C14n# for Signature Canonicalization and XMLENC#SHA256 for the Digest Algorithm.
  10. Check the “Use single certificate” checkbox.
  11. By default SoapUI signs the whole request but that isn’t the default by WCF so we have to set the parts that we want to sign. So add as Name “To”, Namespace “http://www.w3.org/2005/08/addressing” (this is my namespace but check yours) and set Encode to “Element”.
  12. Add a timestamp and set it to 300. Use milisecond precision.
  13. Check the order on the left. So first signature and then timestamp!

Request configuration

  1. Adjust the sample request body so it is a valid request.
  2. Go back to your request.
  3. Under the request open the “Auth” panel. Add Basic security. Leave everything blank except the “Outgoing WSS” configuration. Select the configuration that you have created.
  4. Go to the WS-A panel and check  the “Enable WS-A addressing” checkbox.
  5. Finally the last thing that you have to do is check the checkbox “Add default wsa:To”. This in combination with the signature parts “To” configuration passes the right header values to the server. If you don’t do this you will get the following exception “The message received over Transport security has unsigned ‘To’ header”. See this StackOverflow post for simulair issue.

Hopefully this helped somebody. I spend to much time to this issue with SoapUI. Just to show that SoapUI works with a WCF soap service and high security configuration. The conclusion is that it works! It’s just soap… why wouldn’t…

Master-Detail with Silverlight RIA Services

Ralph Jansen

If you want to have a master detail view of you data in Silverlight with RIA Services you have to do two things. One thing is to tell your RIA Services meta data file that you’re including the related entities and you will have to tell your domain service as well that your including the related entities. Follow the tutorial beneath to accomplish an example for creating a master detail relation with Silverlight RIA Services.

Silverlight application

Create a new Silverlight 4 application in VS2010 and enable RIA Services. Also don’t forget to check the box to host your Silverlight application in a website.

Model

Create your Entity Framework 4.0 model so we can generate some RIA Service over it. Just use a simple example so we can practice the master detail relationships. The example that I use is shown below.

image

RIA Services

After your model is created we have to create the Domain Service that exposes your model from the server to the client. If you haven’t used RIA Services before, I suggested you should read the documentation on the http://www.silverlight.net homepage.

Select add new item on your server website. The same place as you created your Entity Framework model. Now search for the Domain Service template. After you clicked the OK button, you will get a popup that is asking you to specify which entity the domain service should expose from your Entity Framework model. Click the Brands and Product collections, select the checkbox to generate meta data files and to enable client access.

Your Domain Service would look something like this:
image

Creating the UI

Open your MainPage.xaml file that is generated by creating the Silverlight Application. Open your Data Sources window in VS2010 and drag the Brands and Products grids to your MainPage. You have to drag your Products from the inner collection of Brands.

image

Now if you run your code. Only the brands will be shown because the UI is connected to the GetBrandsQuery. Now we want to include the products to create a Master Detail relation.

Configure the Meta data

Open your meta data file that is generated by the Domain Service. Find your Brands Entity and in that entity the inner collection property of Products. Add the [Include] attribute above the inner collection of products. In that way we tell RIA Services to include the products for the brand if the products are available.

image

Make the products available

To make the products available for RIA Services you should include them in the correct query that is used in the client. In our case it is the GetBrands in the Domain Service class.

image

Add the include statement like below to the query.

image

Now you are ready to run your code and see a nice example of a master detail relationship in the client.

Note:

It is better to create a new query then change the default query. In that way the performance is better because you don’t need the products every time you use the GetBrands query. You can create a query like GetBrandsWithProducts. If you do this, don’t forget to change the query name in the client. This is still referenced to the GetBrands query!!!

Building a Service Oriented Architecture (SOA)

Sorry but this post is only available in dutch.

Afgelopen dinsdag was het zover. Een aantal weken geleden was er een mail verstuurd waarin twee events werden aangekondigd. Deze events zouden gaan over het opzetten van een Service Oriented Architecture (SOA). In deze blog wil ik het hebben over het eerste event die dinsdag 15 december 2009 plaats vond.

De presentatie werd gegeven door Dennis Doomen. Dennis Doomen is een Software Architect die zich voornamelijk richt op SOA omgevingen. Als eerste werd aangegeven wat het nut was van een SOA omgeving. Het ideale binnen een bedrijf is namelijk dat alle cliënts via dezelfde service laag lopen. Op deze manier praat elke cliënt tegen dezelfde Business Logic aan waardoor het aantal fouten minimaal is. Mocht er iets veranderen in de logica, dan hoeft dit maar op één plek te worden gedaan.

Voor het aanmaken van een servicelaag werd er gebruik gemaakt van de “webservice software factory” tool. Het voordeel van deze tool is dat er minder hoeft te worden geprogrammeerd. De webservices, de host en de entiteiten kunnen worden gemoduleerd. Nadat alles is gemoduleerd kan alles worden gegenereerd. De tool maakt zelf alle projecten, classes en knoopt alles aan elkaar vast. Vervolgens hoeft alleen de logica te worden geschreven.

Meer details over het event zijn te vinden in de presentatie. Deel twee van het event zal plaats vinden in het nieuwe jaar. Namelijk op 5 januari 2010 in de avond. In deel 2 van dit event zal er meer inhoudelijk op de onderwerpen worden ingegaan. Daarnaast zullen er voorbeelden worden gegeven over het maken van een SOA.

Hopelijk zie ik jullie dan ook op het tweede deel van het event. Voor nu een fijne kerst en alvast een gelukkig nieuwjaar!!