380DataPowerWCFIntegration.ppt Page 1 of 19
Microsoft environment requirements
The Federation case in Geneva uses an encrypted SAML assertion which is not supported
by DataPower.
What WCF features are integrated (1 of 3)
• wsHttpBinding
– Kerberos token without Secure Conversation
– Kerberos token with Secure Conversation
– X509 token without Secure Conversation
– X509 token with Secure Conversation
• ws2007HttpBinding
– Kerberos token without Secure Conversation
– Kerberos token with Secure Conversation
– X509 token without Secure Conversation
– X509 token with Secure Conversation
What WCF features are integrated (2 of 3)
• wsFederationHttpBinding
– SAML1.1 token endorses X509 Token (since 3.7.3)
– SAML2.0 token endorses X509 Token
• ws2007FederationHttpBinding
– SAML1.1 token endorses X509 Token
– SAML2.0 token endorses X509 Token
What WCF features are integrated (3 of 3)
• BasicHttpBinding
– Simple HTTP transport binding (no special configuration for DP WS-SP)
– HTTPS transport binding (3DES or AES algorithm suite)
– HTTPS transport binding + mutual SSL authentication
– HTTP/HTTPS transport + basic authentication (use AAA to enforce the Authorization header)
The BasicHttpBinding without SSL is a simple HTTP transport binding that does not involve any
special configuration on the DP box. The BasicHttpBinding with SSL enabled requires a Web Service
Proxy with an HTTPS front side handler and, optionally, a policy file to check/enforce that the
transport is secured. The BasicHttpBinding with mutual SSL authentication is the case where both
DP and the WCF client are configured to exchange certificates in addition to securing the network
over SSL. BasicHttpBinding with a Basic Auth header (in addition to SSL) requires AAA to be
configured in DP in order to enforce the Authorization header.
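As an added example that is not part of the original slides, the four BasicHttpBinding variants listed above written out as WCF client binding configurations, so the client side of each case can be compared with what the slide says is needed on the DataPower side. The contract name ICalculator is taken from the sample WSDL later in this deck; the dp-host name, ports and path are placeholders for the DataPower front side handler.

```xml
<!-- Added example (not from the original slides): WCF client app.config fragment.
     dp-host, the ports and the /calculator path are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Plain HTTP: nothing special to configure on the DataPower WS-Proxy -->
        <binding name="PlainHttp">
          <security mode="None"/>
        </binding>
        <!-- HTTPS only: needs an HTTPS front side handler on the WS-Proxy; the optional
             policy file on DP can enforce that the transport was in fact secured -->
        <binding name="HttpsOnly">
          <security mode="Transport">
            <transport clientCredentialType="None"/>
          </security>
        </binding>
        <!-- HTTPS + mutual SSL: the client presents a certificate in the TLS handshake,
             so the DataPower HTTPS handler must be configured to request client certs -->
        <binding name="HttpsMutualSsl">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
        <!-- HTTPS + HTTP Basic: the Authorization header is only checked if an AAA
             policy is configured on DataPower -->
        <binding name="HttpsBasicAuth">
          <security mode="Transport">
            <transport clientCredentialType="Basic"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint name="plain" address="http://dp-host:8080/calculator"
                binding="basicHttpBinding" bindingConfiguration="PlainHttp"
                contract="ICalculator"/>
      <endpoint name="https" address="https://dp-host:8443/calculator"
                binding="basicHttpBinding" bindingConfiguration="HttpsOnly"
                contract="ICalculator"/>
      <endpoint name="mutual" address="https://dp-host:8443/calculator"
                binding="basicHttpBinding" bindingConfiguration="HttpsMutualSsl"
                contract="ICalculator"
                behaviorConfiguration="ClientCert"/>
      <endpoint name="basic" address="https://dp-host:8443/calculator"
                binding="basicHttpBinding" bindingConfiguration="HttpsBasicAuth"
                contract="ICalculator"/>
    </client>
    <behaviors>
      <endpointBehaviors>
        <!-- Client certificate for the mutual SSL endpoint; subject name is a placeholder -->
        <behavior name="ClientCert">
          <clientCredentials>
            <clientCertificate findValue="CN=wcf-client" storeLocation="CurrentUser"
                               storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

For the Basic variant the user name and password are set in code on the proxy's ClientCredentials.UserName before the first call; the slide's point is that the header then travels to DataPower and is only enforced when an AAA policy is attached to the WS-Proxy.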
WCF WS http bindings
Diagram: a WCF Client on Windows Server (acting as the KDC) calls a Web Service through a DataPower device in the DMZ. The WSProxy has WS-SecurityPolicy enabled with the policy templates wsp-sp-1-1-wsHttpBinding and wsp-sp-1-2-ws2007HttpBinding, AAA, and the WS-Security actions decrypt, sign, verify and encrypt. Flow: 1. Authentication; 2. Kerberos token; 3. Set up SecureConv if needed (Kerberos -> SCT); 4. Request secured by #2 or #3; 5. Req/Resp msg to the Web Service; 6. Response secured by #2 or #3; cancel the SecureConv when all requests are done.
6 DataPower WCF integration © 2010 IBM Corporation
In this diagram, the Windows server acts as the KDC. The server principal name of the DP box
must be created in that KDC and the keytab copied on to DataPower, so that DataPower can
decrypt/verify the Kerberos tokens sent by the client. The secure conversation in step 3 is
optional and can be enabled or disabled in the WCF client's configuration (set
EstablishSecurityContext = false in the client's app.config to disable secure conversation).
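As an added example that is not part of the original slides, a WCF client app.config for the two Kerberos cases in the diagram above: the wsHttpBinding without secure conversation (every request carries the Kerberos token, step 2) and the ws2007HttpBinding with secure conversation (the Kerberos token is exchanged for an SCT at the /RequestSecurityToken service, step 3). The contract name ICalculator comes from the sample WSDL in this deck; dp-host, the port and the path are placeholders, and the servicePrincipalName must be the SPN registered with setspn and exported with ktpass as described later in the deck.

```xml
<!-- Added example (not from the original slides): WCF client app.config for the Kerberos
     wsHttp bindings. dp-host, the port and the /calculator path are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Kerberos token, no secure conversation (DP template wsp-sp-1-1-wsHttpBinding).
             negotiateServiceCredential="false" makes WCF send a raw Kerberos token instead
             of negotiating with SPNEGO, which is what DataPower decrypts with the keytab.
             establishSecurityContext="false" is the switch the slide refers to. -->
        <binding name="KerberosNoSecureConv">
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="false"
                     establishSecurityContext="false"
                     algorithmSuite="Basic128"/>
          </security>
        </binding>
      </wsHttpBinding>
      <ws2007HttpBinding>
        <!-- Kerberos token with secure conversation (DP template
             wsp-sp-1-2-ws2007HttpBinding.xml#symmetric-kerberos-sc-basic128).
             The Kerberos token is used once to obtain an SCT; later requests are
             secured by the SCT and WCF cancels it when the client proxy is closed. -->
        <binding name="KerberosSecureConv">
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="false"
                     establishSecurityContext="true"
                     algorithmSuite="Basic128"/>
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>
    <client>
      <endpoint name="kerberosNoSc"
                address="http://dp-host:8080/calculator"
                binding="wsHttpBinding" bindingConfiguration="KerberosNoSecureConv"
                contract="ICalculator">
        <!-- Must equal the SPN created with setspn/ktpass: a ticket for a different SPN
             is encrypted with a different key and DataPower cannot decrypt it -->
        <identity>
          <servicePrincipalName value="HOST/dp-host:8080"/>
        </identity>
      </endpoint>
      <endpoint name="kerberosSc"
                address="http://dp-host:8080/calculator"
                binding="ws2007HttpBinding" bindingConfiguration="KerberosSecureConv"
                contract="ICalculator">
        <identity>
          <servicePrincipalName value="HOST/dp-host:8080"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

The algorithmSuite is set to Basic128 on both bindings to match the basic128 template fragment used in the WS-SC WSDL later in the deck; the suite chosen in the client binding and the one selected in the DataPower policy template must agree or signature and encryption verification on DataPower fails.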
WCF WS federation http bindings
Diagram: a WCF Client calls a Web Service through a DataPower device in the DMZ, with a SAML STS (Windows Auth) issuing the tokens. The WSProxy has WS-SecurityPolicy enabled with the policy template wsp-sp-1-2-ws2007FederationHttpBinding, AAA, and the WS-Security actions decrypt, sign, verify and encrypt. Flow: 1. Authentication against the SAML STS; 2. SAML HoK token; 3. Set up SecureConv (STS X509 + Client SAML -> SCT); 4. Request secured by SCT; 5. Req/Resp msg to the Web Service; cancel the SecureConv when all requests are done.
The SAML STS in this diagram can be hosted anywhere. In the scenario we tried, it was
hosted on the Windows server itself. Note that DataPower is not yet supported in the role of
this SAML STS.
The secure conversation shown in step 3 is not optional.
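As an added example that is not part of the original slides, a WCF client app.config for the federation flow above: a ws2007FederationHttpBinding that requests a SAML 2.0 holder-of-key token with a symmetric proof key from an external STS (the slide's Windows-authenticated STS; DataPower cannot play that role), endorsed by the DataPower X509 certificate, with establishSecurityContext left on because the slide says secure conversation is mandatory here. The STS address, dp-host, port, path, contract name and certificate subject are placeholders.

```xml
<!-- Added example (not from the original slides): WCF client app.config for the
     SAML 2.0 federation binding. sts-host, dp-host, ports, paths and the certificate
     subject are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <ws2007HttpBinding>
        <!-- Binding used to talk to the SAML STS: Windows (Kerberos) authentication,
             the "Windows Auth" leg of step 1 in the diagram -->
        <binding name="StsWindowsAuth">
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="false"
                     establishSecurityContext="false"/>
          </security>
        </binding>
      </ws2007HttpBinding>
      <ws2007FederationHttpBinding>
        <!-- Matches DP template
             wsp-sp-1-2-ws2007FederationHttpBinding.xml#symmetric-saml20-endorsed-x509:
             the STS issues a SAML 2.0 holder-of-key token with a symmetric proof key
             (step 2); token plus DataPower's X509 certificate bootstrap the secure
             conversation (step 3); the SCT secures all later messages (steps 4-5).
             establishSecurityContext must stay true, the slide says SC is not optional. -->
        <binding name="Saml20Federated">
          <security mode="Message">
            <message issuedKeyType="SymmetricKey"
                     issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                     negotiateServiceCredential="false"
                     establishSecurityContext="true"
                     algorithmSuite="Basic128">
              <issuer address="https://sts-host/trust"
                      binding="ws2007HttpBinding"
                      bindingConfiguration="StsWindowsAuth"/>
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://dp-host:8080/calculator"
                binding="ws2007FederationHttpBinding" bindingConfiguration="Saml20Federated"
                contract="ICalculator">
        <!-- DataPower's X509 certificate: the client needs it to protect messages for
             the proxy and to verify the endorsing signature on the responses -->
        <identity>
          <certificateReference findValue="CN=dp-host" storeLocation="CurrentUser"
                                storeName="TrustedPeople"
                                x509FindType="FindBySubjectDistinguishedName"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

If the STS returned an encrypted SAML assertion instead of a plain signed one, the DataPower side could not consume it, which is the limitation the first slide of this deck records for the Geneva federation case.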
The role of DataPower device
The Web Services Proxies shown in the screen capture are samples that can handle requests
from a client configured for the corresponding binding.
Wondering what to integrate? Answer the questions
Configuration – Policy template
The screen capture shown is the policy tab of the Web Services Proxy. The policy references can be
attached to the WSDL either in this tab, as shown above, or included in the WSDL file itself as follows:

<wsdl:binding name="WSHttpBinding_ICalculator" type="i0:ICalculator">
  <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  <wsdl:operation name="Add">
    <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-1-wsHttpBinding.xml#symmetric-x509-sc"/>
    <soap12:operation soapAction="http://Microsoft.ServiceModel.Samples/ICalculator/Add" style="document"/>
    <wsdl:input>
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-1-wsHttpBinding.xml#input"/>
      <soap12:body use="literal"/>
    </wsdl:input>
    <wsdl:output>
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-1-wsHttpBinding.xml#output"/>
      <soap12:body use="literal"/>
    </wsdl:output>
  </wsdl:operation>
</wsdl:binding>
Configuration – Policy parameters
For all the WCF bindings, make sure to include the policy parameter “interoperable with
Microsoft .Net 3.5”.
Configuration – Secure conversation
• If WS-SecureConversation is needed:
– A separate service is needed to process requests to "/RequestSecurityToken".
– Don't forget the WS-SC WSDL file; it needs to use the same template as the backend:

<wsdl:portType name="Test">
  <wsdl:operation name="RequestSecurityToken">
    <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007FederationHttpBinding.xml#symmetric-saml20-endorsed-x509"/>
    <wsdl:input message="tns:RequestSecurityToken"/>
    <wsdl:output message="tns:RequestSecurityTokenResponse"/>
  </wsdl:operation>
</wsdl:portType>
The full WSDL of the RequestSecurityToken service (here for the Kerberos secure conversation template):

<wsdl:definitions targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:tns="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:echo="http://com/ibm/was/wssample/sei/echo/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsp="http://www.w3.org/2006/07/ws-policy"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <!-- The types and message sections are commented out on the slide; their comment
       openers and the start of the xs:schema element were lost in extraction and are
       reconstructed here. -->
  <!--
  <wsdl:types>
    <xs:schema elementFormDefault="qualified">
      <xs:element name="RequestSecurityToken">
        <xs:complexType>
          <xs:sequence>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="RequestSecurityTokenResponse">
        <xs:complexType>
          <xs:sequence>
            <xs:any namespace="##any"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:schema>
  </wsdl:types>
  -->
  <!--
  <wsdl:message name="RequestSecurityToken">
  </wsdl:message>
  <wsdl:message name="RequestSecurityTokenResponse">
  </wsdl:message>
  -->
  <wsdl:portType name="Test">
    <wsdl:operation name="RequestSecurityToken">
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007HttpBinding.xml#symmetric-kerberos-sc-basic128"/>
      <wsdl:input message="tns:RequestSecurityToken"/>
      <wsdl:output message="tns:RequestSecurityTokenResponse"/>
    </wsdl:operation>
  </wsdl:portType>
  <!-- The wsdl:binding opener was lost in extraction; the binding name is a placeholder -->
  <wsdl:binding name="TestBinding" type="tns:Test">
    <wsdl:operation name="RequestSecurityToken">
      <!--
      <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT"/>
      <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel"/>
      -->
      <!-- attach the application binding to the wsdl:input and wsdl:output, so the
           policy framework can figure out how to deal with other traffic, others than the
           Issue
      -->
      <wsdl:input>
        <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007HttpBinding.xml#input"/>
        <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007HttpBinding.xml#output"/>
        <soap12:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="Test">
    <!-- The wsdl:port opener was lost in extraction; the port name is a placeholder -->
    <wsdl:port name="TestPort" binding="tns:TestBinding">
      <soap12:address location="https://www.soaphub.org/RequestSecurityToken"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
The most important to know about WCF integration (1 of 5)
Steps to generate the service principal name and the keytab file on the Active Directory:
1) Create the service principal name (SPN)
In order for the client to obtain a Kerberos ticket to generate the Kerberos token, you need to create an SPN.
You will need access to the Active Directory Users and Computers console and the "setspn.exe" utility (for
Windows 2003 you can download this from Microsoft or find it on the Windows 2003 tools CD).
a) Create an AD pseudo-user which will be used to map the SPN. For this example, create an AD user
"service-provider".
b) Register the SPN: setspn -a HOST/hostname:port service-provider, where hostname and port represent the
hostname (or IP) and port you will use for the front-side protocol handler for the DataPower Web service proxy.
(NOTE: you could use any arbitrary SPN as well, we chose the HOST/... format since it works well to
c) Check to make sure the SPN was correctly registered: setspn -l service-provider. You should see the
SPN listed.
2) Generate a Kerberos keytab for the SPN
In order for Kerberos to work, you will need to map the SPN to the user and create a Kerberos keytab which
will later be used with WebSphere® DataPower.
To do this, you will use the "ktpass" utility:
ktpass -out c:\temp\service-provider.keytab -princ HOST/hostname:port@DOMAIN -mapUser usercreatedabove -mapOp set -pass passwordforuser -crypto RC4-HMAC-NT
Assuming that your Windows AD domain is MYDOMAIN.COM and that you created a user named service-provider
in a) above, the command would look like:
ktpass -out c:\temp\service-provider.keytab -princ HOST/hostname:port@MYDOMAIN.COM -mapUser service-provider -mapOp set -pass passwordforuser -crypto RC4-HMAC-NT
NOTE: It is important to specify the -crypto option as RC4-HMAC-NT in order to make this work.
The most important to know about WCF integration (2 of 5)
The most important to know about WCF integration (3 of 5)
The output response is signed and encrypted. Once the message is encrypted, it will fail
messages"
The most important to know about WCF integration (4 of 5)
The most important to know about WCF integration (5 of 5)
Feedback
You can help improve the quality of IBM Education Assistant content by providing
feedback.
Trademarks, copyrights, and disclaimers
IBM, the IBM logo, ibm.com, and the following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law
trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM
trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml
Active Directory, Microsoft, MS, Visual Studio, Windows, Windows Server, and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries,
or both.
Other company, product, or service names may be trademarks or service marks of others.
Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This document could include technical inaccuracies or
typographical errors. IBM may make improvements or changes in the products or programs described herein at any time without notice. Any statements regarding IBM's future direction
and intent are subject to change or withdrawal without notice, and represent goals and objectives only. References in this document to IBM products, programs, or services does not imply
that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this
document is not intended to state or imply that only that program product may be used. Any functionally equivalent program, that does not infringe IBM's intellectual property rights, may be
used instead.
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IBM shall have no responsibility to update this information. IBM products
are warranted, if at all, according to the terms and conditions of the agreements (for example, IBM Customer Agreement, Statement of Limited Warranty, International Program License
Agreement, etc.) under which they are provided. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related
to non-IBM products.
IBM makes no representations or warranties, express or implied, regarding non-IBM products and services.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright
licenses should be made, in writing, to:
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. All customer examples described are presented as illustrations of
how those customers have used IBM products and the results they may have achieved. The actual throughput or performance that any user will experience will vary depending upon
considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance
can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.
Note to U.S. Government Users - Documentation related to restricted rights-Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract and IBM Corp.