WSE message body encryption on CSF for dummies:-)
In this post I'm showing how to enable WSE policy and body message encryption for CSF using one of the standard CSF examples: the Counting Scenario.
Prerequisites
In order to be sure that CSF installation is correct, the counting scenario have to work fine before to do any of the following actions.
Background
Counting scenario start through "CountingScenarioApp.exe" application. When you press "createSession" button follow messages will be routed:
Counting scenario start through "CountingScenarioApp.exe" application. When you press "createSession" button follow messages will be routed:
- CountingApp --> ServiceCatalog (ServiceCatalogGetUris)
- ServiceCatalog -->CountingApp (ServiceCatalogGetUrisResponse)
- CountingApp --> Session (CreateSession)
- Session -->CountingApp (CreateSessionResponse)
our objective is to have ServiceCatalogGetUris message encrypted.
Step1: enable policy config
- open c:\program files\microsoft csf\configuration\policycache.config
- add as endpoint your CountingScenarioApp.exe application: you'll have to add something like:
<endpoint uri="soap.tcp://localhost:9111/UiFormService">
<operation requestAction="http://schemas.microsoft.com/wse/2003/06/RequestDescription">
<request policy="" />
</operation>
<operation requestAction="Notify">
<request policy="" />
</operation>
<defaultOperation>
<request policy="#DefaultSecurityPolicy" />
</defaultOperation>
</endpoint>
<operation requestAction="http://schemas.microsoft.com/wse/2003/06/RequestDescription">
<request policy="" />
</operation>
<operation requestAction="Notify">
<request policy="" />
</operation>
<defaultOperation>
<request policy="#DefaultSecurityPolicy" />
</defaultOperation>
</endpoint>
Verify that enpoint of session and servicecatalog components have as URI the same name used by CountingScenarioApp.exe: usually in the file you find http://localhost/servicecatalog/... while the application call http://MYMACHINE/servicecatalog/...
Step2: configure applications
configure session web.config, servicecatalog web.config and countingscenarioapp.exe.config files to use the correct policycache.config file, adding following code under <microsoft.web.services2> node:
configure session web.config, servicecatalog web.config and countingscenarioapp.exe.config files to use the correct policycache.config file, adding following code under <microsoft.web.services2> node:
<policy>
<cache name="C:\Program Files\Microsoft CSF\Configuration\PolicyCache.config" />
</policy>
<cache name="C:\Program Files\Microsoft CSF\Configuration\PolicyCache.config" />
</policy>
you can also add <policyTrace> to have policy logs
Step3: iisreset
Now CreateSession and TerminateSession form countingscenarioapp.exe should work fine. Please check also on event viewer to verify that no error appairs.
Step4: load a certificate to encrypt the message body
Follow instruction you find in "C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\read.htm" to install "Server Private.pfx" certificate. You can also generate a brend new certificate as well.
Follow instruction you find in "C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\read.htm" to install "Server Private.pfx" certificate. You can also generate a brend new certificate as well.
Step5: configure servicecatalog to accept messages with encrypted body
Open policycache.config file and under <policies> ---> <Policy> ---> "EncryptMessage" set: <wssp:SubjectName>CN=WSE2QuickStartServer</wssp:SubjectName>.
Open policycache.config file and under <policies> ---> <Policy> ---> "EncryptMessage" set: <wssp:SubjectName>CN=WSE2QuickStartServer</wssp:SubjectName>.
Please use subject name of your certificate here!
Step6: modify servicecatalog endpoint as follows
<endpoint uri="http://MACHINENAME/ServiceCatalog/ServiceCatalogConnector.ashx">
I <operation requestAction="CSFSessionAckResponse">
<request policy="" />
</operation>
<operation requestAction="CSFSessionNAckResponse">
<request policy="" />
</operation>
<defaultOperation>
<request policy="#EncryptMessage" />
</defaultOperation>
</endpoint>
I <operation requestAction="CSFSessionAckResponse">
<request policy="" />
</operation>
<operation requestAction="CSFSessionNAckResponse">
<request policy="" />
</operation>
<defaultOperation>
<request policy="#EncryptMessage" />
</defaultOperation>
</endpoint>
Step 5: IISRESET
Now run CountingScenarioApp.exe and select CreateSession button. If everything still works, you'll obtain services URIs from the SC, with service catalog request "ServiceCatalogGetUris" body encrypted (look at WSE trace).
TIP: in case of error, check the event viewer. If you find as error "System.InvalidOperationException: Private Key is not available..." this suggests that the certificate was found but there was not enought permission given to access the private key file of the certificate. You can give these permission to any account using WSE certificate tool, clicking on the private key properties and then adding the selected user to the ACL's of the file.
Good luck!