The issue involves the following technologies:
1. .NET 2.0 Framework
2. WSE2.0 (WS-Security)
3. X.509 certificates
4. BEA Weblogic 8.1.5
The issue is as follows:
We need to achieve interoperability between .NET and Java web services that implement WS-Security using X.509 certificates. The scenarios are:
a. Java Weblogic Client (website) consuming a .NET Web Service
b. .NET Client (website) consuming a Java Weblogic Web Service
A. Java Weblogic Client consuming a .NET Web Service
The Java web service must implement security features (signing and encryption using X.509 certificates) and must also use Username tokens for authentication.
Expected behavior: The client must send signed and encrypted SOAP requests using X.509 certificates and must also attach the Username token. The service processes the requests and sends the response, which is also signed and encrypted using X.509 certificates.
Behavior encountered: The .NET web service is unable to understand the signed and encrypted request sent by the Java client.
The article "Web Services Security Interoperability Using WSE 2.0 SP3 and WebLogic Workshop 8.1.4" gives the different EncryptedData element types as the reason for this:
“The security policy for the Math service specifies that the Body of the message must be encrypted. This is designated in the policy file by the wsp:Body() message part selection function (used with the http://schemas.xmlsoap.org/2002/12/wsse#part dialect). Appendix II of the WS-PolicyAssertions specification indicates that wsp:Body identifies the "Body" of the message. Strictly speaking, what WebLogic is doing is encrypting the first child of the Body element (not the contents of the entire Body). In this particular case this is effectively the same as the .NET generated message. However, in the general case they are not equivalent (consider the case where the Body has multiple children). Since the WSE policy checker is looking for the contents of the entire body to be encrypted (as called for by WS-PolicyAssertions), the policy check fails.”
B. .NET Client consuming a Java Weblogic Web Service
The .NET web service must implement security features (signing and encryption using X.509 certificates) and must also use Username tokens for authentication.
Expected behavior: The client must send signed and encrypted SOAP requests using X.509 certificates and must also attach the Username token. The service processes the requests and sends the response, which is also signed and encrypted using X.509 certificates.
Behavior encountered: The .NET client signs and encrypts the request, attaches the Username token and forwards the request to the Java web service. The web service is able to understand the request and hence processes it and sends the response back to the client after signing and encrypting it. However, the client is unable to understand the response and gives the error "The signature or decryption was invalid".
(Note: the same .NET client is able to understand the response from the web service in case we are not encrypting it at the web service.)
The article "Web Services Security Interoperability Using WSE 2.0 SP3 and WebLogic Workshop 8.1.4" gives the response encryption failure as the reason for this:
“The problem is that WebLogic encrypts the response in such a way that the WSE client can't properly decrypt it (and so it throws an exception). The problem is the reference to the key in the header. WSE's reference is an X.509 subject key identifier. The WebLogic reference is a KeyName. With this issue such as it is, it's impossible for a WebLogic Web service to encrypt a response message and have it processed by a WSE client.”
We are looking for any workaround for this issue.
Thanks in advance .... Kuldeep
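The two failure causes quoted from the article (EncryptedData covering the first child of the Body rather than the Body contents, and an EncryptedKey referenced by ds:KeyName instead of an X.509 SubjectKeyIdentifier) can both be spotted by inspecting the message on the wire before it reaches the WSE pipeline. The checker below is an added example and is not code from the original post, from WSE 2.0 or from WebLogic; it assumes the WSS 1.0 namespaces and the WSS 1.0 X509SubjectKeyIdentifier ValueType, and the two sample envelopes are constructed, with placeholder base64 values standing in for real cipher text.

```python
"""Flag the two WS-Security encoding choices the post says WSE 2.0 cannot consume.

Added example (not from the original post). The namespaces and the
X509SubjectKeyIdentifier ValueType are assumed to be the WSS 1.0 values;
the sample envelopes are constructed and carry placeholder cipher text.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XENC_CONTENT = NS["xenc"] + "Content"   # whole contents of the parent element
XENC_ELEMENT = NS["xenc"] + "Element"   # one element, replaced in place
ENCRYPTED_DATA = "{%s}EncryptedData" % NS["xenc"]
# Assumed WSS 1.0 X.509 token profile value used by WSE 2.0 for SKI references.
SKI_VALUETYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")


def body_encryption_style(root):
    """'content' if the Body's contents are one EncryptedData of Type=Content,
    'element' if a Body child was replaced by EncryptedData of Type=Element."""
    body = root.find("soap:Body", NS)
    if body is None:
        return "no-body"
    children = list(body)
    if (len(children) == 1 and children[0].tag == ENCRYPTED_DATA
            and children[0].get("Type") == XENC_CONTENT):
        return "content"
    if any(c.tag == ENCRYPTED_DATA and c.get("Type") == XENC_ELEMENT
           for c in children):
        return "element"
    return "none"


def key_reference_style(root):
    """How the EncryptedKey names the recipient's certificate: 'ski' or 'keyname'."""
    for enc_key in root.iter("{%s}EncryptedKey" % NS["xenc"]):
        key_info = enc_key.find("ds:KeyInfo", NS)
        if key_info is None:
            return "missing"
        kid = key_info.find(".//wsse:KeyIdentifier", NS)
        if kid is not None and kid.get("ValueType") == SKI_VALUETYPE:
            return "ski"
        if key_info.find(".//ds:KeyName", NS) is not None:
            return "keyname"
        return "other"
    return "no-encryptedkey"


def check_wse_interop(xml_text):
    """Return the two styles plus the interop issues a WSE 2.0 client would hit."""
    root = ET.fromstring(xml_text)
    enc, ref = body_encryption_style(root), key_reference_style(root)
    issues = []
    if enc == "element":
        issues.append("EncryptedData Type=Element replaces the first Body child; "
                      "WSE's wsp:Body policy expects Type=Content over the Body contents")
    if ref == "keyname":
        issues.append("EncryptedKey is referenced by ds:KeyName; "
                      "WSE resolves the X.509 token by SubjectKeyIdentifier")
    return {"body_encryption": enc, "key_reference": ref,
            "issues": issues, "wse_compatible": not issues}


def _envelope(key_info_inner, body_inner):
    # Constructed envelope skeleton; CipherValue contents are placeholders.
    return ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" '
            'xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">' % NS +
            '<soap:Header><wsse:Security><xenc:EncryptedKey>'
            '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>'
            '<ds:KeyInfo>' + key_info_inner + '</ds:KeyInfo>'
            '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
            '<xenc:ReferenceList><xenc:DataReference URI="#EncBody"/></xenc:ReferenceList>'
            '</xenc:EncryptedKey></wsse:Security></soap:Header>'
            '<soap:Body>' + body_inner + '</soap:Body></soap:Envelope>')


# Constructed: what the post describes WSE producing (SKI reference, Body contents).
WSE_STYLE_RESPONSE = _envelope(
    '<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="%s">AAAA'
    '</wsse:KeyIdentifier></wsse:SecurityTokenReference>' % SKI_VALUETYPE,
    '<xenc:EncryptedData Id="EncBody" Type="%s"><xenc:CipherData>'
    '<xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData>' % XENC_CONTENT)

# Constructed: what the post describes WebLogic producing (KeyName, first child).
WEBLOGIC_STYLE_RESPONSE = _envelope(
    '<ds:KeyName>service-cert</ds:KeyName>',
    '<xenc:EncryptedData Id="EncBody" Type="%s"><xenc:CipherData>'
    '<xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData>' % XENC_ELEMENT)

if __name__ == "__main__":
    for name, msg in (("WSE", WSE_STYLE_RESPONSE), ("WebLogic", WEBLOGIC_STYLE_RESPONSE)):
        print(name, check_wse_interop(msg))
```

Run against a captured WebLogic response, the checker reports which of the two mismatches is present, so you can tell whether a fix on the WebLogic side (encrypting Body contents, referencing the certificate by SubjectKeyIdentifier) has actually changed the wire format before retrying the WSE client.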