more than one certificate in a policy

haller

Hello everybody,
I am developing a multithreaded windows service in C# whose purpose is to be
a client for a WSE web service with X-509 authentication.

I have to configure a policy file using more than one digital certificate.
In fact, my service must have the possibility to use one certificate per
thread. I know I can configure one <policy> element for each endpoint url,
but I'm looking for a way to use different certificates at the same time.
Here's an extraction of my policy where it sets the cerificates:
<wssp:Integri ty wsp:Usage="wsp: Required">
<wssp:TokenInfo >
<wssp:SecurityT oken>
<wssp:TokenType >http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
</wssp:TokenType>
<wssp:Claims>
<wse:Parent>
<wssp:SecurityT oken>
<wssp:TokenType >
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
</wssp:TokenType>
<wssp:Claims>
<wse:BaseToke n>
<wssp:SecurityT oken>

<wssp:TokenType >http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
<wssp:TokenIssu er>C=it, O=GRTN, OU=CA
GRTN</wssp:TokenIssue r>
<wssp:Claims>
<wssp:SubjectNa me
MatchType="wssp :Exact">CLIENT_ CERTIFICATO_SUB JECT_NAME</wssp:SubjectNam e>
<wssp:X509Exten sion OID="2.5.29.14"
MatchType="wssp :Exact">CLIENT_ CERTIFICATO_KEY _IDENTIFIER</wssp:X509Extens ion>
</wssp:Claims>
</wssp:SecurityTo ken>
</wse:BaseToken>
<wse:IssuerToke n>
<wssp:SecurityT oken>

<wssp:TokenType >http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
<wssp:TokenIssu er>C=it, O=GRTN, OU=CA
GRTN</wssp:TokenIssue r>
<wssp:Claims>
<wssp:SubjectNa me
MatchType="wssp :Exact">SERVER_ CERTIFICATO_SUB JECT_NAME</wssp:SubjectNam e>
<wssp:X509Exten sion OID="2.5.29.14"
MatchType="wssp :Exact">SERVER_ CERTIFICATO_KEY _IDENTIFIER</wssp:X509Extens ion>
</wssp:Claims>
</wssp:SecurityTo ken>
</wse:IssuerToken >
</wssp:Claims>
</wssp:SecurityTo ken>
</wse:Parent>
</wssp:Claims>
</wssp:SecurityTo ken>
</wssp:TokenInfo>
<wssp:MessagePa rts
Dialect="http://schemas.xmlsoap .org/2002/12/wsse#part">wsp: Body()
wsp:Header(wsa: Action) wsp:Header(wsa: FaultTo) wsp:Header(wsa: From)
wsp:Header(wsa: MessageID) wsp:Header(wsa: RelatesTo) wsp:Header(wsa: ReplyTo)
wsp:Header(wsa: To) wse:Timestamp() </wssp:MessagePar ts>
</wssp:Integrity>
Is it sufficient to add others similar sections to my my policy with
different certificate references? In that case, how can I decide what
certificate to use in runtime without using manual certificate selection
pop-up dialog ?

Thanks in advance to anybody helping me

Nov 23 '05 #1

Subscribe Reply

2458

Keith

I am wrestling with a similar issue, but what I have found so far may be of
help. I have found that if you wrap multiple <SecurityToke n> elements with a
<wsp:OneOrMor e> element then, at least on the request side, the web service
can take any of the certs I use on the client side. Now if I can find a way
to specify on the return trip that the cert used on the request is the one to
use on the response message, I'll be golden. Anyone?

HTH,
Keith

"haller" wrote:

Hello everybody,
I am developing a multithreaded windows service in C# whose purpose is to be
a client for a WSE web service with X-509 authentication.

I have to configure a policy file using more than one digital certificate.
In fact, my service must have the possibility to use one certificate per
thread. I know I can configure one <policy> element for each endpoint url,
but I'm looking for a way to use different certificates at the same time.
Here's an extraction of my policy where it sets the cerificates:
<wssp:Integri ty wsp:Usage="wsp: Required">
<wssp:TokenInfo >
<wssp:SecurityT oken>
<wssp:TokenType >http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
</wssp:TokenType>
<wssp:Claims>
<wse:Parent>
<wssp:SecurityT oken>
<wssp:TokenType >
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
</wssp:TokenType>
<wssp:Claims>
<wse:BaseToke n>
<wssp:SecurityT oken>

<wssp:TokenType >http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
<wssp:TokenIssu er>C=it, O=GRTN, OU=CA
GRTN</wssp:TokenIssue r>
<wssp:Claims>
<wssp:SubjectNa me
MatchType="wssp :Exact">CLIENT_ CERTIFICATO_SUB JECT_NAME</wssp:SubjectNam e>
<wssp:X509Exten sion OID="2.5.29.14"
MatchType="wssp :Exact">CLIENT_ CERTIFICATO_KEY _IDENTIFIER</wssp:X509Extens ion>
</wssp:Claims>
</wssp:SecurityTo ken>
</wse:BaseToken>
<wse:IssuerToke n>
<wssp:SecurityT oken>

<wssp:TokenType >http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
<wssp:TokenIssu er>C=it, O=GRTN, OU=CA
GRTN</wssp:TokenIssue r>
<wssp:Claims>
<wssp:SubjectNa me
MatchType="wssp :Exact">SERVER_ CERTIFICATO_SUB JECT_NAME</wssp:SubjectNam e>
<wssp:X509Exten sion OID="2.5.29.14"
MatchType="wssp :Exact">SERVER_ CERTIFICATO_KEY _IDENTIFIER</wssp:X509Extens ion>
</wssp:Claims>
</wssp:SecurityTo ken>
</wse:IssuerToken >
</wssp:Claims>
</wssp:SecurityTo ken>
</wse:Parent>
</wssp:Claims>
</wssp:SecurityTo ken>
</wssp:TokenInfo>
<wssp:MessagePa rts
Dialect="http://schemas.xmlsoap .org/2002/12/wsse#part">wsp: Body()
wsp:Header(wsa: Action) wsp:Header(wsa: FaultTo) wsp:Header(wsa: From)
wsp:Header(wsa: MessageID) wsp:Header(wsa: RelatesTo) wsp:Header(wsa: ReplyTo)
wsp:Header(wsa: To) wse:Timestamp() </wssp:MessagePar ts>
</wssp:Integrity>
Is it sufficient to add others similar sections to my my policy with
different certificate references? In that case, how can I decide what
certificate to use in runtime without using manual certificate selection
pop-up dialog ?

Thanks in advance to anybody helping me

Nov 30 '05 #2

Similar topics

11328

Client Certificate Validation

by: Matt Frame | last post by:

I am working on a special ASP.Net application that receives files from customers. The connection is made via HTTPS and the client sends the file as a POST to my ASP.Net listener. All of this works fine. Now I am looking at how to validate the clients certificate programmatically. The client application sends to me with something like: .... Dim myHttp As HttpWebRequest = CType(WebRequest.Create(https://myserver/Receive.aspx),...

ASP.NET

3111

SOAP access denied when IIS set to required client certificate

by: Bob | last post by:

I'm building a .NET web service which requires client certificate for strong security. I set IIS to require SSL and client certificate (under site properties in IIS admin, Directory Security tab, Secure Communication, Edit... button. then check Require Secure Channel and Require Client Certificates). Then in my client side code, I add my client certificate to the property HttpWebClientProtocol.Certificates. However, I keep getting a...

ASP.NET

1973

Q: to create a certificate

by: JIM.H. | last post by:

Hello, I am trying to create a certificate for our internet for our employees so that they can login to system from home. Do I have to go, for example, VeriSign to get a certificate? Can I create my own certificate and use it since it is not actually a public web site? Thanks,

ASP.NET

2703

securityTokenManager loading X509 certificate

by: | last post by:

Hi, I'd like to store X509 cetificates in a central location (file server, database, etc), and load them when needed, is it practical ? and in term of implementation, can this be achieved by subclass 'securityTokenManager'? has anyone done something similar and shed some lights on it? thanks, -Jason

.NET Framework

2743

Active Direcotory - Map a certificate to a user account

by: jakobsgaard | last post by:

It is possible to Map a certificate to a Active Directory User Account from DotNet? Please provide an example. Best regards, Ejnar Jakobsgaard ------------------------------------------------- To map a certificate to a user account Open Active Directory Users and Computers.

.NET Framework

8991

Accessing private key in a X.509 certificate

by: ucb01 | last post by:

Hi, I am working with Visual Studio 2005 in C#. Using makecert I create a self-signed certificate A with a private key then a certificate B based on A. The first is installed in the 'Certificate Authorities .. ' store, the second in the 'Personal' one. My application need to use the certificate B to sign binary data. In debug mode, my application runs perfectly (under Cassini, VS web server) but after deployment there is no way to...

.NET Framework

2558

how to sign an x.509 certificate?

by: GaryDean | last post by:

This post is a "sanity check".... I have located the docs on how to sign a x.509 certificate http://msdn.microsoft.com/en-us/library/aa529277.aspx http://msdn.microsoft.com/en-us/library/aa528788.aspx http://msdn.microsoft.com/en-us/library/aa528756.aspx Step 2 in the first one refers to the second one "creating a custom policy assertion". Just a brief scan of the first and second link depicts a huge

ASP.NET

2264

Live communications server requires a certificate that has a valid

by: =?Utf-8?B?RGxpbng=?= | last post by:

I am getting the following error: Live communications server requires a certificate that has a valid certificate chain after I add in the policy; certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 net stop certsvc net start certsvc and generate the cert using the directions on the LCS doc. Has anyone else had this issue?

.NET Framework

9589

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...

General

10215

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

10049

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...

Online Marketing

8872

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...

Career Advice

7410

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...

Microsoft Access / VBA

5307

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

5447

Windows Forms - .Net 8.0

by: adsilva | last post by:

A Windows Forms form does not have the event Unload, like VB6. What one acts like?

Visual Basic .NET

3964

transfer the data from one system to another through ip address

by: 6302768590 | last post by:

Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

C# / C Sharp

2815

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

General