
DataPower WCF integration

New in version 3.8.0

© 2010 IBM Corporation

380DataPowerWCFIntegration.ppt Page 1 of 19
Microsoft environment requirements

• WCF 3.5 or above
  – Geneva is not officially integrated, especially the federation case.
• Windows® 2003 Server or above
  – Including the Active Directory®
  – As KDC for Kerberos token features
• MS® Visual Studio® 2008
  – For WCF side development and debugging
• Not required by DataPower®.


The Federation case in Geneva uses an encrypted SAML assertion which is not supported
by DataPower.

What WCF features are integrated (1 of 3)

• wsHttpBinding
  – Kerberos token without Secure Conversation
  – Kerberos token with Secure Conversation
  – X509 token without Secure Conversation
  – X509 token with Secure Conversation
• ws2007HttpBinding
  – Kerberos token without Secure Conversation
  – Kerberos token with Secure Conversation
  – X509 token without Secure Conversation
  – X509 token with Secure Conversation

What WCF features are integrated (2 of 3)

• wsFederationHttpBinding
  – SAML1.1 token endorses X509 Token (Since 3.7.3)
  – SAML2.0 token endorses X509 Token
• ws2007FederationHttpBinding
  – SAML1.1 token endorses X509 Token
  – SAML2.0 token endorses X509 Token
• WS Federation bindings require Secure Conversation all the time.


When ws*FederationBinding is used, secure conversation is mandatory. You will have to configure DataPower to handle the secure conversation, which is explained in later slides.

What WCF features are integrated (3 of 3)

• BasicHttpBinding
  – Simple HTTP transport binding (no special configuration for DP WS-SP)
  – HTTPS transport binding (3DES or AES algorithm suite)
  – HTTPS transport binding + mutual SSL authentication
  – HTTP/HTTPS transport + basic authentication (use AAA to enforce the Authorization header)


The BasicHttpBinding (without SSL) is a simple HTTP transport binding which does not involve any special configuration on the DP box. The BasicHttpBinding with SSL enabled involves configuring a Web service proxy with an https front side handler and, optionally, including a policy file to check/enforce that the transport is secured. In the BasicHttpBinding with mutual SSL authentication, both DP and the WCF client are configured to exchange certificates in addition to securing the connection over SSL. BasicHttpBinding with a Basic Auth header (in addition to SSL) requires AAA to be configured in DP in order to enforce the Authorization header.

WCF WS http bindings

[Diagram: WCF client, DataPower device in the DMZ, backend Web service, and Windows Server® (the KDC). The DataPower device runs a WS-Proxy with WS-SecurityPolicy enabled (policy templates wsp-sp-1-2-ws2007HttpBinding and wsp-sp-1-1-wsHttpBinding), AAA, and the WS-Security actions decrypt, verify, sign and encrypt. Numbered flow:
1. Authentication (against Windows Server®, the KDC)
2. Kerberos token
3. Set up SecureConv if needed (Kerberos -> SCT)
4. Request secured by #2 or #3
5. Req/Resp msg between DataPower and the Web service
6. Response secured by #2 or #3
Cancel the SecureConv when all requests are done.]

In this diagram, the Windows server acts as the KDC. The server principal name of the DP box should be created in that KDC and the keytab should be copied on to DataPower, so that DataPower can decrypt/verify the Kerberos tokens sent by the client. The secure conversation mentioned in step 3 is optional and can be enabled or disabled in the WCF client's configuration (set EstablishSecurityContext = false in the client's app.config to disable secure conversation).

WCF WS federation http bindings

[Diagram: WCF client, DataPower device in the DMZ, backend Web service, and a SAML STS (Windows Auth). The DataPower device runs a WS-Proxy with WS-SecurityPolicy enabled (policy templates wsp-sp-1-2-ws2007FederationHttpBinding and wsp-sp-1-1-wsFederationHttpBinding), AAA, and the WS-Security actions decrypt, verify, sign and encrypt. Numbered flow:
1. Authentication (Windows Auth against the SAML STS)
2. SAML HoK token
3. Set up SecureConv (STS X509 + Client SAML -> SCT)
4. Request secured by SCT
5. Req/Resp msg between DataPower and the Web service
6. Response secured by SCT
Cancel the SecureConv when all requests are done.]

The SAML STS in this diagram can be hosted anywhere. In the scenario we tried, it was hosted on the Windows server itself. Note that DataPower is not yet supported as this SAML STS.
The secure conversation shown in step 3 is not optional.

The role of DataPower device

• DataPower is designed to off-load the security for the WCF services.
  – The WCF client is the customer application, talking to DataPower directly.
  – The backend services need not handle WS-Security policies; DP does that.
  – It is recommended to use a WS-Proxy type service to automate the integration with WS-SecurityPolicy wsdl files.


The Web Services Proxies shown in the screen capture are samples that can handle requests from a client configured with the corresponding binding.

Wondering what to integrate? Answer the questions

• Consider the WCF client and DP environment together.
• Front end uses SSL?
  – Use an https FPH for the WCF client.
  – Just SSL? Use BasicHttp binding to validate the TransportBinding assertion.
• What client token is used?
  – Federation - Use wsFederationHttp bindings (SAML endorsed X509 token)
  – Kerberos - Use wsHttp bindings
  – X509 without Federation - Use wsHttp bindings
  – WCF SPNEGO is not supported by the WS-SecurityPolicy – no token negotiation.
  – WCF username token is not officially integrated by the WS-SecurityPolicy.
• What WS-SecurityPolicy version?
  – BasicHttp, wsHttp and wsFederationHttp use WS-SP version 1.1:
    • Select the file store:///policies/templates/dotnet/wsp-sp-1-1-*.xml
  – ws2007Http and ws2007FederationHttp use WS-SP version 1.2:
    • Select the file store:///policies/templates/dotnet/wsp-sp-1-2-*.xml

Configuration – Policy template

• Choose the right template file provided by DP.
  – Make your own copy, if customization is needed.
• Pick the right policy-id for the token and binding.
  – In the template file, each policy has a detailed comment regarding its use and how to configure its policy parameters.
  – Either embed the policy references in the wsdl or attach them using the WebGUI.


The screen capture shown is the policy tab of the Web Services proxy. The policy references can be attached to the wsdl either in this tab, as shown above, or included in the wsdl file itself, as follows:

<wsdl:binding name="WSHttpBinding_ICalculator" type="i0:ICalculator">
  <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  <wsdl:operation name="Add">
    <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-1-wsHttpBinding.xml#symmetric-x509-sc"/>
    <soap12:operation soapAction="http://Microsoft.ServiceModel.Samples/ICalculator/Add" style="document"/>
    <wsdl:input>
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-1-wsHttpBinding.xml#input"/>
      <soap12:body use="literal"/>
    </wsdl:input>
    <wsdl:output>
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-1-wsHttpBinding.xml#output"/>
      <soap12:body use="literal"/>
    </wsdl:output>
  </wsdl:operation>
</wsdl:binding>

Configuration – Policy parameters

• Pick the WS-SP policy parameter
  – For just the policy domain as indicated by the template name.
  – Must define “Interoperable with” with value “Microsoft .Net 3.5”


For all the WCF bindings, make sure to include the policy parameter “interoperable with
Microsoft .Net 3.5”.

Configuration – Secure conversation

• If WS-SecureConversation is needed:
  – A separate service is needed to process requests to “/RequestSecurityToken”.
  – Don’t forget the WS-SC wsdl file; it needs to use the same template as the backend service.

<wsdl:portType name="Test">
  <wsdl:operation name="RequestSecurityToken">
    <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007FederationHttpBinding.xml#symmetric-saml20-endorsed-x509"/>
    <wsdl:input message="tns:RequestSecurityToken"/>
    <wsdl:output message="tns:RequestSecurityTokenResponse"/>
  </wsdl:operation>
</wsdl:portType>


A sample wsdl to handle secure conversation is as follows:

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:tns="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:echo="http://com/ibm/was/wssample/sei/echo/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsp="http://www.w3.org/2006/07/ws-policy"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsdl:types>
    <xs:schema targetNamespace="http://schemas.xmlsoap.org/ws/2005/02/trust" blockDefault="#all"
        elementFormDefault="qualified">
      <xs:element name="RequestSecurityToken">
        <xs:complexType>
          <xs:sequence>
            <xs:any namespace="##any" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:anyAttribute namespace="##any" processContents="lax"/>
        </xs:complexType>
      </xs:element>
      <xs:element name="RequestSecurityTokenResponse">
        <xs:complexType>
          <xs:sequence>
            <xs:any namespace="##any"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:schema>
  </wsdl:types>

  <!-- Message part definitions for the bootstrap request/response. -->
  <wsdl:message name="RequestSecurityToken">
    <wsdl:part name="Body" element="tns:RequestSecurityToken"/>
  </wsdl:message>
  <wsdl:message name="RequestSecurityTokenResponse">
    <wsdl:part name="Body" element="tns:RequestSecurityTokenResponse"/>
  </wsdl:message>

  <!-- Endpoint/operation definition for bootstrap messages.
       Policy attach here must include -->
  <wsdl:portType name="Test">
    <wsdl:operation name="RequestSecurityToken">
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007HttpBinding.xml#symmetric-kerberos-sc-basic128"/>
      <wsdl:input message="tns:RequestSecurityToken"/>
      <wsdl:output message="tns:RequestSecurityTokenResponse"/>
    </wsdl:operation>
  </wsdl:portType>

  <wsdl:binding name="T1Binding" type="tns:Test">
    <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="RequestSecurityToken">
      <!--
      <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT"/>
      <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel"/>
      -->
      <!-- Attach the application binding to the wsdl:input and wsdl:output, so the
           policy framework can figure out how to deal with other traffic, other than the
           Issue -->
      <wsdl:input>
        <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007HttpBinding.xml#input"/>
        <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="store:///policies/templates/dotnet/wsp-sp-1-2-ws2007HttpBinding.xml#output"/>
        <soap12:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  <wsdl:service name="Test">
    <wsdl:port name="BootstrapPort" binding="tns:T1Binding">
      <soap12:address location="https://www.soaphub.org/RequestSecurityToken"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
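A lint for the two template rules the module states (the WS-SP version each WCF binding must reference, from the "What WS-SecurityPolicy version?" question, and the requirement above that the WS-SC bootstrap wsdl use the same template as the backend service), as an added example that is not from the original module. The minimal WSDL it is run against is constructed here; the ICalculator and Test names mirror the page's samples.

```python
"""Lint a DataPower WSDL against the WCF policy-template rules on these slides:
wsHttp/wsFederationHttp bindings reference wsp-sp-1-1-* templates, ws2007* bindings
wsp-sp-1-2-*, and the WS-SC bootstrap (RequestSecurityToken) must use the same template
as the backend service. Added example, not from the slides; the WSDL text is constructed."""
import re
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://www.w3.org/2006/07/ws-policy"
TEMPLATE_RE = re.compile(r"store:///policies/templates/dotnet/(wsp-sp-1-[12])-(\w+)\.xml#(.+)")
# WCF binding (template name suffix) -> WS-SecurityPolicy version prefix, per the slides
EXPECTED_VERSION = {"wsHttpBinding": "wsp-sp-1-1", "wsFederationHttpBinding": "wsp-sp-1-1",
                    "ws2007HttpBinding": "wsp-sp-1-2", "ws2007FederationHttpBinding": "wsp-sp-1-2"}


def policy_refs(wsdl_text):
    """Yield (operation, template version, binding, policy-id) for each wsp:PolicyReference
    under a wsdl:operation, including those on its wsdl:input/wsdl:output."""
    root = ET.fromstring(wsdl_text)
    for op in root.iter("{%s}operation" % WSDL_NS):
        for ref in op.iter("{%s}PolicyReference" % WSP_NS):
            m = TEMPLATE_RE.match(ref.get("URI", ""))
            if m:
                yield op.get("name"), m.group(1), m.group(2), m.group(3)


def check_policy_refs(wsdl_text):
    """Return a list of problems; an empty list means the WSDL follows the rules."""
    problems, templates = [], {}
    for op, version, binding, policy_id in policy_refs(wsdl_text):
        want = EXPECTED_VERSION.get(binding)
        if want is None:
            problems.append(f"{op}: no WCF binding rule for template {binding}")
        elif version != want:
            problems.append(f"{op}#{policy_id}: {binding} needs {want}, found {version}")
        templates.setdefault(op, set()).add(f"{version}-{binding}")
    for op, used in templates.items():
        if len(used) > 1:
            problems.append(f"{op}: mixes templates {sorted(used)}")
    # WS-SC bootstrap and backend service must share one template
    sc = templates.get("RequestSecurityToken")
    if sc:
        for op, used in templates.items():
            if op != "RequestSecurityToken" and used != sc:
                problems.append(f"RequestSecurityToken uses {sorted(sc)} but {op} uses {sorted(used)}")
    return problems


def _wsdl(rst_uri, app_uri):
    """Constructed minimal WSDL: a WS-SC bootstrap operation plus one application operation."""
    return f"""<wsdl:definitions xmlns:wsdl="{WSDL_NS}" xmlns:wsp="{WSP_NS}">
  <wsdl:portType name="Test">
    <wsdl:operation name="RequestSecurityToken">
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/{rst_uri}"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:portType name="ICalculator">
    <wsdl:operation name="Add">
      <wsp:PolicyReference URI="store:///policies/templates/dotnet/{app_uri}"/>
    </wsdl:operation>
  </wsdl:portType>
</wsdl:definitions>"""


KERBEROS_SC = "wsp-sp-1-2-ws2007HttpBinding.xml#symmetric-kerberos-sc-basic128"
GOOD = _wsdl(KERBEROS_SC, KERBEROS_SC)
WRONG_VERSION = _wsdl(KERBEROS_SC, "wsp-sp-1-1-ws2007HttpBinding.xml#symmetric-kerberos-sc-basic128")
MIXED = _wsdl(KERBEROS_SC, "wsp-sp-1-1-wsHttpBinding.xml#symmetric-x509-sc")
```

Run check_policy_refs over the WSDL you attach to the WS-Proxy; GOOD returns no problems, WRONG_VERSION reports the wrong WS-SP version and the resulting template mismatch, and MIXED reports only the mismatch between the bootstrap and application operations.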

The most important to know about WCF integration (1 of 5)

• When using Kerberos with wsHttp or ws2007Http binding
  – On Windows Server, generate the keytab file with the right algorithm and correct kvno for the right principal, and deploy the keytab to the DP device:
    ktpass -out dp.keytab -princ dpbox/wcfservice@realm -mapUser sp-user -mapOp set -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -kvno 7
  – Include the following as WS-SP parameters, needed for the specific policy domain only:
    • kerberos server principal,
    • kerberos client principal,
    • kerberos keytab,
    • interop with ‘microsoft’.
  – The ‘verify’ action now enforces the correct ‘client’ (aka ‘signer’) principal.


Steps to generate the service principal name and the keytab file on the Active Directory:

1) Create an SPN to represent the service in Active Directory

In order for the client to obtain a Kerberos ticket to generate the Kerberos token, you need to create an SPN (Service Principal Name) for the target.

You will need access to the Active Directory Users and Computers console and the "setspn.exe" utility (for Windows 2003 you can download this from Microsoft or find it on the Windows 2003 tools CD).

a) Create an AD pseudo-user which will be used to map the SPN. For this example, create an AD user "service-provider".

b) Create an SPN mapped to the "service-provider" user created above:

setspn -a HOST/hostname:port service-provider

where hostname and port represent the hostname (or IP) and port you will use for the front-side protocol handler for the DataPower Web service proxy. (NOTE: you could use any arbitrary SPN as well; we chose the HOST/... format since it works well to represent a DataPower device®.)

c) Check to make sure the SPN was correctly registered: setspn -l service-provider. You should see the SPN listed.

2) Generate a Kerberos keytab for the SPN

In order for Kerberos to work, you will need to map the SPN to the user and create a Kerberos keytab which will later be used with WebSphere® DataPower. To do this, you will use the "ktpass" utility:

ktpass -out c:\temp\service-provider.keytab -princ HOST/hostname:port@DOMAIN -mapUser usercreatedabove -mapOp set -pass passwordforuser -crypto RC4-HMAC-NT

Assuming that your Windows AD domain is MYDOMAIN.COM and that you created a user named service-provider in a) above, the command would look like:

ktpass -out c:\temp\service-provider.keytab -princ HOST/hostname:port@MYDOMAIN.COM -mapUser service-provider -mapOp set -pass passwordforuser -crypto RC4-HMAC-NT

NOTE: It is important to specify the -crypto option to be RC4-HMAC-NT in order to make this work.
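A way to verify the keytab before deploying it to DataPower, as an added example that is not part of the original module: it parses the MIT keytab layout that ktpass writes and confirms that the principal, the encryption type (ktpass -crypto RC4-HMAC-NT writes Kerberos enctype 23, rc4-hmac) and the kvno match what the WS-SP Kerberos policy parameters expect. The principal HOST/dpbox.example.com:443@MYDOMAIN.COM and the key bytes are constructed sample values.

```python
"""Parse an MIT-format keytab (what ktpass writes) and check it holds the principal,
enctype and kvno the DataPower Kerberos policy parameters expect. Added example, not
from the original slides; the sample keytab bytes are constructed below."""
import struct

# Kerberos enctype numbers; ktpass -crypto RC4-HMAC-NT writes enctype 23
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    """Read a uint16 length-prefixed octet string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, key} dicts from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # deleted slot: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno extension
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "key": key})
    return entries


def check_keytab(entries, principal, enctype="rc4-hmac", kvno=None):
    """True if an entry matches the expected principal, enctype and (if given) kvno."""
    return any(e["principal"] == principal and e["enctype"] == enctype
               and (kvno is None or e["kvno"] == kvno) for e in entries)


def build_sample_keytab(principal, realm, kvno, enctype, key):
    """Constructed test data: one entry laid out the way ktpass/MIT write it."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # vno32 extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample in the HOST/hostname:port@DOMAIN form used on this page
SAMPLE_PRINCIPAL = "HOST/dpbox.example.com:443@MYDOMAIN.COM"
SAMPLE = build_sample_keytab("HOST/dpbox.example.com:443", "MYDOMAIN.COM", 7, 23, b"\x11" * 16)
```

To check a real file, pass open(path, "rb").read() to parse_keytab and the kerberos server principal from your policy parameters to check_keytab.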

The most important to know about WCF integration (2 of 5)

• When using X509 for non-federation
  – That means wsHttpBinding or ws2007HttpBinding
  – Deploy the following to the DP device:
    • The WCF client’s public cert
    • The private key and public cert for the WCF service, which is DP.
  – Create crypto certificate objects for both client and service
  – Create crypto key and idcred objects for the service
  – Optionally create a valcred object for the client
  – Include the following as WS-SP parameters, needed for the specific policy domain only:
    • Set “interop with” with value ‘microsoft’
    • Optionally set the “Verify ValCred” object with the client valcred.

The most important to know about WCF integration (3 of 5)

• When WS-SecureConversation is needed
  – Define a WS-SecureConversation wsdl file for a separate service as explained earlier.
  – Select the template and “policy-id” that support WS-SC, for both this service and the backend business service.
  – No need to specify the WS-SC version policy parameter by default.
  – The WS-SC service’s request/response schema validation should be disabled.
  – The backend service then will use the SCT issued by DP; when WS-SC is not enabled, the client X509/Kerberos token is used instead.


A configuration to be highlighted is as follows:

The output response is signed and encrypted. Once the message is encrypted, it will fail schema validation if schema validation is enabled.

Hence for STS > RequestSecurityToken:
- Uncheck "Schema validate request messages" and "Schema validate response messages"

And for the application:
- Uncheck "Schema validate response messages"

The most important to know about WCF integration (4 of 5)

• When using X509 for wsFederation or ws2007Federation
  – Deploy the following to the DP device:
    • The WCF SAML STS’s public cert
    • The private key and public cert for the WCF service, which is DP.
  – The WCF client identity is proven by the SAML token.
  – Create a crypto certificate object for the SAML STS.
  – Optionally create a valcred object for the SAML STS too.
  – Create crypto key and idcred objects for the service
  – Include the following as WS-SP parameters, needed for the specific policy domain only:
    • Set “interop with” with value ‘microsoft’
    • Optionally set the “Verify ValCred” object with the STS valcred.

The most important to know about WCF integration (5 of 5)

• When using BasicHttpBinding with SSL
  – Windows 2003 servers do not support AES-based cipher suites in the SSL handshake, so “disable-ssl-cipher-check” is always on for the TransportBinding assertion when interoperating with “microsoft”.
    • You may use the ‘disable-ssl-cipher-check’ parameter to disable cipher checks for any TransportBinding assertion.
  – The “Basic Auth Header” is not supported by default in the Web services proxy. A custom configuration of an ‘on-error’ rule to inject the WWW-Authenticate header is required to interoperate with WCF.
  – Include the following as WS-SP parameter, needed for the wsp-1-1 policy domain only:
    • Set “interop with” with value ‘microsoft’

Feedback

Your feedback is valuable

You can help improve the quality of IBM Education Assistant content to better meet your needs by providing feedback.
• Did you find this module useful?
• Did it help you solve a problem or answer a question?
• Do you have suggestions for improvements?

Click to send e-mail feedback:
mailto:iea@us.ibm.com?subject=Feedback_about_380DataPowerWCFIntegration.ppt

This module is also available in PDF format at: ../380DataPowerWCFIntegration.pdf


You can help improve the quality of IBM Education Assistant content by providing
feedback.

Trademarks, copyrights, and disclaimers
IBM, the IBM logo, ibm.com, and the following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

DataPower DataPower device WebSphere

If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law
trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of other IBM
trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml

Active Directory, Microsoft, MS, Visual Studio, Windows, Windows Server, and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries,
or both.

Other company, product, or service names may be trademarks or service marks of others.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. This document could include technical inaccuracies or
typographical errors. IBM may make improvements or changes in the products or programs described herein at any time without notice. Any statements regarding IBM's future direction
and intent are subject to change or withdrawal without notice, and represent goals and objectives only. References in this document to IBM products, programs, or services does not imply
that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Any reference to an IBM Program Product in this
document is not intended to state or imply that only that program product may be used. Any functionally equivalent program, that does not infringe IBM's intellectual property rights, may be
used instead.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IBM shall have no responsibility to update this information. IBM products
are warranted, if at all, according to the terms and conditions of the agreements (for example, IBM Customer Agreement, Statement of Limited Warranty, International Program License
Agreement, etc.) under which they are provided. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related
to non-IBM products.

IBM makes no representations or warranties, express or implied, regarding non-IBM products and services.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents or copyrights. Inquiries regarding patent or copyright
licenses should be made, in writing, to:

IBM Director of Licensing


IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. All customer examples described are presented as illustrations of
how those customers have used IBM products and the results they may have achieved. The actual throughput or performance that any user will experience will vary depending upon
considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance
can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

© Copyright International Business Machines Corporation 2010. All rights reserved.

Note to U.S. Government Users - Documentation related to restricted rights-Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract and IBM Corp.
