
Interoperability between WebSphere ESB Gateway and the Microsoft .NET WCF using WS-Security

Andrew J. Howes (andrew_howes@uk.ibm.com), Software Developer, WebSphere ESB System Verification Test Team, IBM
Andrew Howes is a Software Developer on the WebSphere ESB System Verification Test Team at the IBM Hursley Software Lab in the UK. You can contact Andrew at andrew_howes@uk.ibm.com.

Summary:  This article shows you how to set up a Microsoft .NET Windows Communication Foundation (WCF) Web service and client to operate with WebSphere ESB Service Gateway. WebSphere ESB V6.2 lets you configure a Service Gateway to act as an intermediary between many clients and services, so that a common set of actions can be performed on the headers or data of these disparate transactions. WebSphere ESB also lets you apply Web service policy sets such as WS-Transaction and WS-Security to mediation exports and imports.

Date:  03 Jun 2009
Level:  Intermediate

Introduction

IBM® WebSphere® Enterprise Service Bus V6.2 (hereafter called WebSphere ESB) lets you construct a Service Gateway that can act as an intermediary between many clients and services, so that a common set of actions can be performed on the headers or data of these disparate transactions. In addition, Policy Sets can be applied to WebSphere ESB exports and imports so that standard Web service quality of service headers can be required of or applied to messages. The example described in this article involves a Microsoft® .NET Windows® Communication Foundation (WCF) client and service using a WebSphere ESB Service Gateway as an intermediary. In this scenario, the client to the WebSphere ESB service interaction will have the WS-Security quality of service applied to it. The WebSphere ESB to .NET WCF service interface will be secured using SSL:

Microsoft .NET client => WS-Security => WebSphere ESB Gateway => SSL => .NET service

The requirements for setting up this example are:

  • Microsoft Windows® Vista Business.
  • Microsoft Visual Studio 2008 Professional Edition.
  • WebSphere Enterprise Service Bus 6.2.

Enable IIS

The created Web service will be hosted by Windows Internet Information Services Manager (IIS) and you must enable it before use:

  1. On the Vista system, select Windows Start => Control Panel.
  2. Select Programs and Features.
  3. In the right pane click Turn Windows features on or off.
  4. The Windows features dialogue box opens. Select the Internet Information Services check box.
  5. Double-click Web Management Tools, double-click IIS 6 Management Compatibility, and then select the IIS 6 Metabase and IIS 6 Configuration Compatibility check box.
  6. Double-click World Wide Web Services, double-click Application Development Features, and then select the ASP.NET check box.
  7. Click OK.

WCF Web service creation

  1. Select Windows Start => All Programs => Microsoft Visual Studio 2008 => Microsoft Visual Studio 2008.
  2. Select File => New => Web site.
  3. Select the WCF service template with Location => HTTP, URL => something like http://myhost/mywcfservice, and Language => Visual C#. Click OK.

The WCF service has four main components that need to be developed or configured:

  • Service.svc.
  • IService.cs.
  • Service.cs.
  • Web.config.

Service.svc

This is the actual endpoint for the service -- the service will be accessed using a URL such as http://myhost/mywcfservice/Service.svc. The file itself is simple and mainly defines where the service code is:

<%@ ServiceHost Language="C#" Debug="true" Service="Service" 
        CodeBehind="~/App_Code/Service.cs" %>

IService.cs

The IService.cs file of the WCF service contains an interface for the classes to be used by the service. Here is an example that defines a single method (LoanApplicationRequest) and the objects that will be used by the class (Customer, Loan, and so on):

using System;
using System.Runtime.Serialization;
using System.ServiceModel;

[ServiceContract(SessionMode = SessionMode.Allowed)]
public interface IService
{
    [OperationContract]
    LoanApproval LoanApplicationRequest(LoanRequest request);
}

[DataContract]
// Customer Business Object
public class Customer
{
    [DataMember]
    public string FirstName;
    [DataMember]
    public string LastName;
    [DataMember]
    public string HouseNumber;
    [DataMember]
    public string PostCode;
    [DataMember]
    public DateTime DateOfBirth;
    [DataMember]
    public int CreditRating;
}
[DataContract]
// Loan Business Object
public class Loan
{
    [DataMember]
    public decimal Amount;
    [DataMember]
    public TimeSpan Duration;
    [DataMember]
    public DateTime StartDate;
    [DataMember]
    public decimal InterestRate;
}
[DataContract]
// LoanRequest Business Object
public class LoanRequest
{
    [DataMember]
    public Customer CustomerInformation;
    [DataMember]
    public Loan LoanInformation;

}
[DataContract]
// LoanApproval Business Object
public class LoanApproval
{
    [DataMember]
    public bool Approved;
    [DataMember]
    public string Comment;
    [DataMember]
    public string AccountNumber;
    [DataMember]
    public Customer CustomerInformation;
    [DataMember]
    public Loan LoanInformation;
}
[DataContract]
// LoanException Business Object
public class LoanException
{
    [DataMember]
    public string Message;
}

There is an OperationContract for each method in the class and a DataContract for each object used by the class.

Service.cs

The main part of the service code is in the Service.cs file, which uses the interface defined in the IService.cs file and provides the implementation for the methods. This example processes the input LoanRequest object and populates and returns a LoanApproval object:

using System;
using System.Web;
using System.Web.Services;

[WebService(Namespace = "http://mywcf.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class Service : IService
{
    /*
     * LoanApplicationRequest method
     * Used to check the incoming request data and decide if the loan
     * can be approved.
     * In:  LoanRequest
     * Returns: LoanApproval
     */
    [WebMethod]
    public LoanApproval LoanApplicationRequest(LoanRequest request)
    {
        LoanApproval response = new LoanApproval();
        Customer customer = request.CustomerInformation;
        Loan loan = request.LoanInformation;

        bool approved = false;
        int creditRating = customer.CreditRating;
        decimal loanAmount = loan.Amount;
        decimal tenK = 10000.0M;
        decimal fiveK = 5000.0M;

        // Amounts above 10,000 are always declined; otherwise a credit rating
        // above 7 is approved for any amount, and a rating above 5 is approved
        // for amounts up to 5,000.
        if (loanAmount > tenK)
        {
            approved = false;
        }
        else if (creditRating > 7)
        {
            approved = true;
        }
        else if (creditRating > 5 && loanAmount <= fiveK)
        {
            approved = true;
        }
        response.Approved = approved;

        if (approved)
        {
            // Sample account number for the demo only
            Random rnum = new Random();
            int accInt = 8 * rnum.Next(1000000);
            response.AccountNumber = accInt.ToString();
            response.Comment = "Request Approved";
        }
        else
        {
            response.AccountNumber = "";
            response.Comment = "Credit rating is not sufficient";
        }

        response.CustomerInformation = customer;
        response.LoanInformation = loan;

        return response;
    }
}

Several using statements need to be added to provide the references to classes used. Put these additional using statements at the head of your code:

	using System.Web;
	using System.Web.Services;

Web.config

The Web.config file can be edited manually or by using the Windows Service Configuration Editor. You will need to edit it later when security is configured for the Web site.

Configure the Web Service in IIS

In Visual Studio, select Build => Build Web Site to check for coding errors. The most common problem is missing using statements at the top of the code.

Set up IIS to handle the WCF service:

  1. Select Windows Start => Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click Internet Information Services (IIS) Manager.
  4. If your Web Service is not present under the Default Web Site, right-click and select Add Application.
  5. Provide an alias such as mywcf, and browse to the Web service location, such as C:\inetpub\wwwroot\mywcfservice.
  6. Select the new service and then double-click Handler Mappings from the IIS section.
  7. From the Actions section on the right, click Add Managed Handler.
  8. In the Request Path field type *.svc.
  9. In the Type: field type
    System.ServiceModel.Activation.HttpHandler, System.ServiceModel,
    Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

  10. In the Name: field type svc-Integrated.
  11. Click OK.
  12. From the Actions section on the right click Add Script Map.
  13. In the Request Path field type *.svc.
  14. In the Executable field type C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll.
  15. In the Name field type svc-ISAPI-2.0.
  16. Click OK and answer Yes if a dialogue pops up.
  17. In the Handler Mappings screen ensure that the managed handler (svc-Integrated) appears before the aspnet_isapi (svc-ISAPI-2.0) handler in the list.

The above IIS configuration will update the Web.config of the Web Service that you are developing in .NET to add in the entries for the *.svc files.

Test the Web site

In Visual Studio, open the Service.svc file of your Web service and press Ctrl-F5 to open a browser that connects to the Web site:


Figure 1. Web site test

WCF client creation

  1. Select Windows Start => All Programs => Microsoft Visual Studio 2008 => Microsoft Visual Studio 2008.
  2. Select File => New => Project.
  3. Select Visual C# under Project types.
  4. Select Console Application under Templates.
  5. Set the Name you would like for your client, such as myWCFClient, and click OK.

Create the Web service proxy APIs in the client.

  1. In the Solution Explorer pane on the right, right-click References and select Add Service Reference.
  2. In the Address field type the name of the Web service, such as http://myhostname/mywcfservice/Service.svc, and click Go.
  3. Under Services, expand Service and select IService. The operations should be displayed in the right pane.
  4. In the Namespace, specify an appropriate namespace for the client to use, such as mywcf.org, and click OK.

The client has two main components that need to be developed or configured:

  • Program.cs.
  • app.config.

Program.cs

This file is where the client sets up the objects to be passed to the Web service and processes the objects returned from it. The Web service is accessed via a proxy API call, the code for which is generated when the Web service reference is imported. The proxy constructor references a binding described in the app.config file. For example:

myWCFClient.mywcf.org.ServiceClient mywcf =
                new myWCFClient.mywcf.org.ServiceClient("WSHttpBinding_IService", myURI);

Here is some sample code that populates the input data object. It then calls the Web service via the proxy and displays the values returned from the Web service.

using System;
using System.ServiceModel;

namespace MyWCFClient
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length < 1)
            {
                Console.WriteLine(
                    "You must supply a target URL. For example: http://myhost/mywcfservice/Service.svc");
                return;
            }

            // Set the endpoint address for the service
            EndpointAddress myURI = new EndpointAddress(args[0]);

            // The proxy class is generated when the service reference is added;
            // the first argument names an endpoint configuration in app.config
            myWCFClient.mywcf.org.ServiceClient mywcf =
                new myWCFClient.mywcf.org.ServiceClient("WSHttpBinding_IService", myURI);

            string url = mywcf.Endpoint.Address.ToString();

            // Create some input data. Dates and decimals are built directly rather
            // than parsed from strings, so the values do not depend on the
            // current culture's date and number formats
            string firstName = "Gerrard";
            string lastName = "Bottles";
            string houseNumber = "222";
            string postCode = "PO12 9UW";
            DateTime dob = new DateTime(1982, 2, 22);
            int creditRating = 6;
            decimal amount = 1000.0M;
            TimeSpan duration = new TimeSpan(3);   // the single-argument constructor takes ticks
            DateTime startDate = new DateTime(2008, 10, 3);
            decimal interest = 5.4M;

            // Populate the request data (Customer and Loan)
            myWCFClient.mywcf.org.LoanRequest request = new myWCFClient.mywcf.org.LoanRequest();
            myWCFClient.mywcf.org.Customer customer = new myWCFClient.mywcf.org.Customer();
            customer.FirstName = firstName;
            customer.LastName = lastName;
            customer.HouseNumber = houseNumber;
            customer.PostCode = postCode;
            customer.DateOfBirth = dob;
            customer.CreditRating = creditRating;
            request.CustomerInformation = customer;

            myWCFClient.mywcf.org.Loan loan = new myWCFClient.mywcf.org.Loan();
            loan.Amount = amount;
            loan.Duration = duration;
            loan.StartDate = startDate;
            loan.InterestRate = interest;
            request.LoanInformation = loan;

            // Initiate the request to the service
            myWCFClient.mywcf.org.LoanApproval approval = mywcf.LoanApplicationRequest(request);

            Console.WriteLine("Approval state is " + approval.Approved.ToString());
            Console.WriteLine("Approval credit rating is " + approval.CustomerInformation.CreditRating.ToString());
            Console.WriteLine("Comment is        " + approval.Comment);
            Console.WriteLine("Account Number is " + approval.AccountNumber);
            Console.WriteLine("URL is            " + url);

            // Release the channel cleanly
            mywcf.Close();
        }
    }
}

A using statement needs to be added to provide the reference to the classes used. Ensure that you have this using statement at the head of your code: using System.ServiceModel;. Save the Program.cs file (File => Save Program.cs).

app.config

The app.config file can be edited manually or using the Windows Service Configuration Editor. This will be edited later when security is configured for the client.

Test the client against the Web site

Build the client from the Visual Studio menu: Build => Build myWCFClient. Open a console window and run the client, providing the address of the Web service as a parameter. It should print out an approved result, such as:

"C:\Users\myuser\Documents\Visual Studio 2008\Projects\
     myWCFClient\myWCFClient\bin\Debug\myWCFClient" 
        http://myvistahost/mywcfservice/Service.svc

Approval state is True
Approval credit rating is 6
Comment is        Request Approved
Account Number is 7106392
URL is           http://myvistahost/mywcfservice/Service.svc

Setup certificates on the Vista Web Service host

On the Vista machine, create a certificate authority for the Vista server using the command-line tool makecert.

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\makecert" -sk testRootCA 
    -sky signature -sr localmachine -n "CN=RootTrustedCA" -ss TRUST 
    -r RootTrustedCA.cer

Ensure that this is the only certificate authority of that name in the TRUST keystore: certutil -viewstore TRUST. If it is not, then remove other certificate authorities using certutil -viewdelstore TRUST. Create a certificate based on the certificate authority that can perform key exchange.

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\makecert" -sk testServer 
    -ss MY -sky exchange -sr localmachine -n "CN=myvistahost" 
    -ic RootTrustedCA.cer -is TRUST myvistahost.cer -pe

where myvistahost is the name of the Vista Web Service host.

Ensure that the default Vista NETWORK user can access the certificates:

"C:\Program Files (x86)\Microsoft WSE\v3.0\Samples\winhttpcertcfg" 
                               -g -c LOCAL_MACHINE\My -s myvistahost -a "NETWORK SERVICE"

"C:\Program Files (x86)\Microsoft WSE\v3.0\Samples\winhttpcertcfg" 
                               -l -c LOCAL_MACHINE\My -s myvistahost

Import the Vista certificates into the Vista certificate store using mmc:

  1. Select Windows Start.
  2. In the Start Search box, type mmc and press Enter.
  3. Select File => Add\Remove Snap-in.
  4. Select Certificates and click Add.
  5. Select Computer Account, select Next, ensure that Local computer is selected and then click Finish.
  6. Right-click on Trusted Root Certification Authorities and select All Tasks => Import.
  7. Follow the wizard through to completion, selecting the certificate authority file name, such as RootTrustedCA.cer.
  8. Right click on Personal and select All Tasks => Import.
  9. Follow the wizard through to completion, selecting the key exchange certificate file name, such as myvistahost.cer.

Securing WCF service and client

The WCF Service will be configured to participate in an SSL handshake with the calling (gateway) client. The WCF Client will be configured to use WS-Security when invoking the (gateway) service. Once this is done, the WCF client and service will not be able to operate directly because the client is producing WS-Security headers which the service is not expecting, and the service is expecting SSL encrypted messages which the client is not producing. The WebSphere ESB gateway mediation will sit between the .NET client and the .NET service. The export of the WebSphere ESB mediation will have a policy set that expects WS-Security and the import of the mediation will be set up to produce SSL encrypted messages.

Web.config SSL configuration

To configure SSL that will operate with WebSphere ESB, you need to create a new custom binding and configure it to use SOAP 1.1. The Web.config file can be edited manually or with the Windows Service Configuration Editor.

  1. Select Windows Start.
  2. In the Start Search box type conf and from the Programs menu select Service Configuration Editor.
  3. Select File => Open => Config File.
  4. Browse to the Web.config file for your service (usually located under C:\inetpub\wwwroot\mywcfservice) and click Open.
  5. In the Configuration panel, right-click Bindings and select New Binding Configuration.
  6. Select customBinding from the pop-up dialogue and click OK.
  7. Set the name of the custom binding, such as custom11.
  8. Expand the new customBinding in the Configuration pane and select textMessageEncoding.
  9. Set the MessageVersion to Soap11.
  10. Select the new customBinding in the Configuration pane, select httpTransport in the Binding element extension position table, and click Remove.
  11. Select the new customBinding in the Configuration pane and click Add, then select httpsTransport and click Add. Here is the custom binding stanza in the Web.config file:
    <customBinding>
        <binding name="custom11">
            <textMessageEncoding messageVersion="Soap11" />
            <httpsTransport />
        </binding>
    </customBinding>
    

  12. In the Configuration pane, navigate to Advanced => Service Behaviors => ServiceBehavior => serviceMetadata.
  13. Set HttpGetEnabled to False, HttpsGetEnabled to True, and specify an HttpsGetUrl of the form https://myhostname:444/Securemywcfservice/Service.svc. You will see later how to set up the appropriate secure Web site using IIS.
  14. Select File => Save => File => Exit the Service Configuration Editor.
  15. In Visual Studio, in the Solution Explorer pane on the right, right-click Web.config and select Open.
  16. Find the <service> entry for your service, such as <service behaviorConfiguration="ServiceBehavior" name="Service">.
  17. Update the service endpoint to change it from a wsHttpBinding to a customBinding that references the new custom binding (such as custom11). Also, change the metadata exchange binding to mexHttpsBinding. Give both endpoints https style addresses, and create a <host> stanza with an https style baseAddress. Here is an example:
    <service behaviorConfiguration="ServiceBehavior" name="Service">
        <endpoint address="https://myhostname:444/Securemywcfservice/Service.svc"
            binding="customBinding" bindingConfiguration="custom11" contract="IService">
            <identity>
                <dns value="localhost" />
            </identity>
        </endpoint>
        <endpoint address="https://myhostname:444/Securemywcfservice/Service.svc/mex"
                         binding="mexHttpsBinding" contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="https://myhostname:444/Securemywcfservice/Service.svc" />
          </baseAddresses>
        </host>
    </service>
    

  18. Under the <system.web> stanza, add a new <webServices> stanza to ensure that any SOAP protocol level can be consumed (the default is to consume only SOAP 1.2). For example:
    <webServices>
        <protocols>
            <add name="AnyHttpSoap" />
        </protocols>
    </webServices>
    

  19. Save the Web.config file.

Create a secure Web site for use with SSL

For a Web service to be used with SSL, it must be run on an https server, and IIS must be configured to support the service on https.

  1. Select Windows Start => Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click Internet Information Services (IIS) Manager.
  4. In the Connections pane, select Web Sites, right click, and click Add Web Site.
  5. Set Web site name. For example: Secure Web Site.
  6. Create a new directory. For example: C:\inetpub\wwwsroot and set Physical path to this directory.
  7. Set Binding Type to https.
  8. Set Port to 444.
  9. Set SSL Certificate to the Vista Web Service host certificate and click OK.
  10. On the newly created secure Web site, right-click and Add Application.
  11. Set the Alias to Securemywcfservice, ensuring that it matches up with the https Web site values given in the Web.Config entries.
  12. Set the physical path to the existing unsecured Web site. For example: C:\inetpub\wwwroot\mywcfservice and click OK.
  13. You should now be able to access your secure Web site via a browser using the secure address, such as https://myhostname:444/Securemywcfservice/Service.svc (you will probably have to accept the certificate).

Configure client to use WS-Security

The client reference to the service needs to be regenerated to reflect the changes that have been made to the service. This step updates the app.config file accordingly.

  1. Open the client (myWCFClient) in Visual Studio, and in the Solution Explorer expand Service References.
  2. Right-click the reference to the service (mywcf.org) and click Delete.
  3. Right-click Service References and click Add Service Reference.
  4. Type the name of the secure Web service in the Address field, such as https://myhostname:444/Securemywcfservice/Service.svc. Click Go (you will probably need to accept the certificate).
  5. Under Services, expand Service and select IService. The operations should be displayed in the right pane.
  6. In the Namespace, specify an appropriate namespace for the client to use, such as mywcf.org. Click OK.

Update Program.cs to use a certificate

Add the following code to Program.cs after the creation of the proxy object (mywcf in the example above)

mywcf.ClientCredentials.ServiceCertificate.SetDefaultCertificate( 
    System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine,
        System.Security.Cryptography.X509Certificates.StoreName.My,
System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectDistinguishedName,
        "CN=wesbhost, O=mycompany, C=UK"
        );

where wesbhost is the certificate alias for the WebSphere ESB host (see Key creation and exchange section below).

Update app.config to use WS-Security

The app.config file can be edited manually or by using the Windows Service Configuration Editor. For this example, the WS-Security settings of the client will be configured:

  1. Select Windows Start.
  2. In the Start Search box, type conf, and from the Programs menu, select Service Configuration Editor.
  3. Select File => Open => Config File.
  4. Browse to the app.config file for your service (usually located under C:\Users\myuser\Documents\Visual Studio 2008\Projects\myWCFClient\myWCFClient) and click Open.
  5. Navigate to Advanced => Endpoint Behaviors.
  6. Right-click and select New Endpoint Behavior Configuration.
  7. In the Name field give a name, such as Client-Cert-Behavior.
  8. Click Add in the Behavior element extension position pane.
  9. From the pop-up, select clientCredentials and click Add.
  10. In the Configuration pane, expand the new behavior and select clientCredentials => clientCertificate.
  11. Set the FindValue to the name of the local host machine certificate (myvistahost), the StoreLocation to LocalMachine, leave the StoreName as My, and set the X509FindType to FindBySubjectName.
  12. Expand serviceCertificate and select defaultCertificate.
  13. Set the FindValue to the name of the WebSphere ESB Web Service host certificate (see the Key creation and exchange section for definition of this certificate). Set the StoreLocation to LocalMachine, set the StoreName to TrustedPeople, and set the X509FindType to FindBySubjectName.
  14. In the Configuration pane right-click Bindings and select New Binding Configuration.
  15. Select customBinding and click OK.
  16. Set the name of the new custom binding (Custom11).
  17. In the Configuration pane, select the new custom binding textMessageEncoding item.
  18. Set the MessageVersion to Soap11.
  19. In the Configuration pane, select the new custom binding. Under the Binding element extension position pane, click Add.
  20. Select security and click Add.
  21. In the Configuration pane, select the security item under the new custom binding.
  22. Set the AuthenticationMode to MutualCertificate, set the DefaultAlgorithmSuite to Basic128Rsa15, and set the MessageSecurityVersion to WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.

    The MessageProtectionOrder field seems to require different values depending on the service or its platform. Start with the default value, SignBeforeEncryptAndEncryptSignature; if this gives an error such as "The primary signature must be encrypted", change it to SignBeforeEncrypt.

  23. In the Configuration pane, select the existing endpoint CustomBinding_IService.
  24. Set the BehaviorConfiguration to the new Endpoint Behavior (Client-Cert-Behavior), set the Binding to customBinding, and ensure the BindingConfiguration is the name of your custom binding (Custom11).
  25. Select File => Save and File => Close.
  26. In Visual Studio, select Project => myWCFClient Properties.
  27. Click the Security tab on the left side.
  28. Tick Enable ClickOnce Security Settings.
  29. Ensure that This is a full trust application is selected and click Save.
  30. Build the client: Select Build => Build myWCFClient.
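
The MessageProtectionOrder setting from step 22 can be checked on the wire when the two sides disagree. The following Python script is an added example, not part of the article or of WCF: it parses a SOAP 1.1 envelope and reports whether the ds:Signature is still visible in the wsse:Security header (SignBeforeEncrypt, or EncryptBeforeSign when the signature references the cipher text) or has been replaced by an xenc:EncryptedData element (SignBeforeEncryptAndEncryptSignature), which is exactly the difference behind the "The primary signature must be encrypted" error. The sample envelopes are constructed by hand with placeholder digests and cipher text; the namespace URIs are the standard WS-Security 1.0, XML Signature and XML Encryption ones, and the inference rules are assumptions about how a WS-Security stack lays out the header, not something the article states.

```python
"""Infer the WS-Security message protection order of a SOAP 1.1 envelope.

Added example, not from the article or WCF. The envelopes below are constructed:
digests, cipher text and key material are placeholders, only the layout matters.
"""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
XENC_ELEMENT = NS["xenc"] + "Element"   # whole element replaced by EncryptedData
XENC_CONTENT = NS["xenc"] + "Content"   # only the element's children are encrypted


def classify_protection(envelope_xml):
    """Describe what is signed/encrypted and infer the protection order."""
    root = ET.fromstring(envelope_xml)
    security = root.find("s:Header/wsse:Security", NS)
    if security is None:
        return {"protection_order": "NoSecurityHeader"}

    # Signatures still readable in the header, and the ids they cover
    clear_signatures = security.findall("ds:Signature", NS)
    signed_uris = {
        ref.get("URI", "").lstrip("#")
        for sig in clear_signatures
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)
    }
    # An EncryptedData of Type #Element directly under wsse:Security is how an
    # encrypted signature (or encrypted token) appears on the wire (assumption)
    encrypted_header_elements = [
        e for e in security.findall("xenc:EncryptedData", NS) if e.get("Type") == XENC_ELEMENT
    ]
    body = root.find("s:Body", NS)
    body_encrypted = body is not None and any(
        e.get("Type") == XENC_CONTENT for e in body.findall("xenc:EncryptedData", NS)
    )
    encrypted_ids = {e.get("Id") for e in root.iter("{%s}EncryptedData" % NS["xenc"]) if e.get("Id")}

    if not clear_signatures and encrypted_header_elements:
        order = "SignBeforeEncryptAndEncryptSignature"
    elif clear_signatures and body_encrypted and signed_uris & encrypted_ids:
        order = "EncryptBeforeSign"      # signature covers the cipher text
    elif clear_signatures and body_encrypted:
        order = "SignBeforeEncrypt"      # signature covers the plain text, left in clear
    elif clear_signatures:
        order = "SignOnly"
    elif body_encrypted:
        order = "EncryptOnly"
    else:
        order = "None"
    return {
        "protection_order": order,
        "signature_in_clear": bool(clear_signatures),
        "signed_uris": signed_uris,
        "body_encrypted": body_encrypted,
        "encrypted_header_elements": len(encrypted_header_elements),
    }


def mismatch_hint(observed, expected):
    """Map an observed/expected pair to the article's error message."""
    if observed == expected:
        return "protection order matches"
    if expected == "SignBeforeEncryptAndEncryptSignature" and observed == "SignBeforeEncrypt":
        return ("receiver expects an encrypted signature but it arrived in the clear: "
                "'The primary signature must be encrypted'")
    return "sender used %s but receiver expects %s" % (observed, expected)


# Constructed sample envelopes (placeholder base64 values, no real crypto)
_HEAD = ('<s:Envelope xmlns:s="%(s)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
         'xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s"><s:Header><wsse:Security>' % NS)
_TAIL = ('</wsse:Security></s:Header><s:Body wsu:Id="_body">'
         '<xenc:EncryptedData Id="_bodyenc" Type="%s">' % XENC_CONTENT
         + '<xenc:CipherData><xenc:CipherValue>Q0lQSEVS</xenc:CipherValue></xenc:CipherData>'
         '</xenc:EncryptedData></s:Body></s:Envelope>')
SIGNATURE = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_body">'
             '<ds:DigestValue>RElHRVNU</ds:DigestValue></ds:Reference></ds:SignedInfo>'
             '<ds:SignatureValue>U0lH</ds:SignatureValue></ds:Signature>')
SIGN_BEFORE_ENCRYPT = _HEAD + SIGNATURE + _TAIL
ENCRYPT_BEFORE_SIGN = _HEAD + SIGNATURE.replace("#_body", "#_bodyenc") + _TAIL
ENCRYPTED_SIGNATURE = (_HEAD + '<xenc:EncryptedData Id="_sigenc" Type="%s">' % XENC_ELEMENT
                       + '<xenc:CipherData><xenc:CipherValue>U0lHRU5D</xenc:CipherValue>'
                       '</xenc:CipherData></xenc:EncryptedData>' + _TAIL)

if __name__ == "__main__":
    for name, env in [("clear signature", SIGN_BEFORE_ENCRYPT), ("encrypted signature", ENCRYPTED_SIGNATURE)]:
        result = classify_protection(env)
        print(name, "->", result["protection_order"],
              "|", mismatch_hint(result["protection_order"], "SignBeforeEncryptAndEncryptSignature"))
```

To use it on a real exchange, capture the request the .NET client sends (for example with WCF message logging or a proxy on the client host) and pass the envelope text to classify_protection; the order it reports is the one the client's binding actually produced, which can then be compared with what the gateway's policy set requires.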

Update Program.cs to use the new binding

Update the following code in Program.cs for the creation of the proxy object (mywcf in the example above)

myWCFClient.mywcf.org.ServiceClient mywcf = 
                 new myWCFClient.mywcf.org.ServiceClient("CustomBinding_IService", myURI);

Save the file and rebuild the client: Select Build => Build myWCFClient.

Key creation and exchange

Certificates for WS-Security (.NET client => WebSphere ESB Gateway)

On the WebSphere ESB host, create a key and keystore with the alias set to the name of the host (here shown as wesbhost), for example:

keytool -genkey -v -alias wesbhost -validity 365 -keyalg "RSA" -keypass keypwd 
        -storepass storepwd -dname "CN=wesbhost,O=mycompany,C=UK" 
            -keystore /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks
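
The -dname given to keytool here has to name the same subject as the string the client passes to SetDefaultCertificate with FindBySubjectDistinguishedName in the Update Program.cs to use a certificate section, and the CN alone is what the FindBySubjectName FindValue in app.config is matched against. The Python below is an added example, not from the article: it parses both spellings of the distinguished name (keytool's "CN=x,O=y,C=UK" and the .NET "CN=x, O=y, C=UK" form) into ordered RDNs and checks that they agree. It assumes, as the article's own values suggest, that .NET renders a subject with comma-space separators and that the RDN order is the same on both sides.

```python
"""Check that a keytool -dname and a .NET FindBySubjectDistinguishedName value
name the same certificate subject.

Added example, not from the article. The DN strings are the article's sample
values; the ", " rendering used by .NET for X509Certificate2.Subject is an assumption.
"""


def parse_dn(dn):
    """Split an RFC 2253 style DN into an ordered list of (type, value) pairs.

    Backslash-escaped commas are kept inside the value, attribute types are
    upper-cased and whitespace around separators is dropped; values are left as-is.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    rdns = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def to_dotnet_subject(rdns):
    """Render RDNs as "CN=x, O=y, C=z", the form to paste into SetDefaultCertificate."""
    for _, value in rdns:
        if "," in value:
            raise ValueError("value contains a separator and needs quoting: %r" % value)
    return ", ".join("%s=%s" % (attr, value) for attr, value in rdns)


def subject_name_find_value(rdns):
    """The CN value, i.e. the FindValue to use with FindBySubjectName in app.config."""
    for attr, value in rdns:
        if attr == "CN":
            return value
    raise ValueError("DN has no CN attribute")


def dn_matches(keytool_dname, dotnet_find_value):
    """True when both strings describe the same subject (same RDNs, same order)."""
    return parse_dn(keytool_dname) == parse_dn(dotnet_find_value)


# The article's values for the WebSphere ESB host certificate
KEYTOOL_DNAME = "CN=wesbhost,O=mycompany,C=UK"
DOTNET_FIND_VALUE = "CN=wesbhost, O=mycompany, C=UK"

if __name__ == "__main__":
    rdns = parse_dn(KEYTOOL_DNAME)
    print("SetDefaultCertificate value:", to_dotnet_subject(rdns))
    print("FindBySubjectName value:    ", subject_name_find_value(rdns))
    print("matches Program.cs:", dn_matches(KEYTOOL_DNAME, DOTNET_FIND_VALUE))
    print("matches a shorter DN:", dn_matches(KEYTOOL_DNAME, "CN=wesbhost, O=mycompany"))
```

A mismatch here shows up at run time as the client failing to find the service certificate in the LocalMachine\My store, so it is cheaper to compare the two strings before deploying than to diagnose it from the WCF exception.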

Export a certificate from the store that will be imported into a keystore on the Vista machine. For example:

keytool -export -v -alias wesbhost -file wesbhost.cer -rfc -storepass storepwd 
	-keystore  /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks

The key creation on the Vista machine was done in the Setup certificates on the Vista Web Service host section.

Copy the WebSphere ESB host certificate (wesbhost.cer) to the Vista machine and import it into the Trusted People Certificates store and the Personal Certificates store using mmc.

Copy the Vista host certificate created in the Setup certificates on the Vista Web Service host section (myvistahost.cer) to the WebSphere ESB host machine and import it into the keystore:

keytool -import -v -trustcacerts -alias myvistahost -file /home/myuser/myvistahost.cer 
        -storepass storepwd -keystore /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks
keytool -list -storepass storepwd -keystore /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks

Certificates for SSL (WebSphere ESB Gateway => .NET service)

Create a self-signed certificate on the WebSphere ESB server and import it into the Vista server key store:

  1. In the admin console select Security => SSL Certificate and key management => Key Store and Certificates:

    Figure 2. Key Store and Certificates

  2. Select the CellDefaultKeyStore.
  3. Select Personal certificates and click Create a self-signed certificate:

    Figure 3. Personal certificates

  4. Enter the full WebSphere ESB hostname for the Alias and the Common name (such as wesbhost.company.com) with relevant text in the Organization field. Click OK and Save:

    Figure 4. Self-signed certificate

  5. Tick the new certificate and click Extract.
  6. Type in a full path to the location of the file to be created (such as /tmp/wesbhost.cer) and ensure that the data type is Base64-encoded ASCII data. Click OK:

    Figure 5. Extract

    This file will be copied to the Vista host and imported into its key store.

  7. Navigate to Security => SSL Certificate and key management => SSL Configurations.
  8. Select CellDefaultSSLSettings.
  9. Select the certificate you have just created for the Default server certificate alias and the Default client certificate alias. Click OK:

    Figure 6. CellDefaultSSLSettings

  10. Navigate to Security => SSL Certificate and key management => Key Store and Certificates.
  11. Ensure that the CellDefaultKeyStore and CellDefaultTrustStore are checked and click Exchange signers:

    Figure 7. Exchange signers

  12. Select the WebSphere ESB host certificate (such as wesbhost.company.com) and click Add => OK => Save:

    Figure 8. Exchange Add

  13. Stop the deployment manager from the command line (you will be prompted to add the signer to the trust store -- answer yes). Restart the deployment manager.
  14. Copy the extracted certificate to the Vista host and import it into the Trusted Root Certification Authority store and the Personal Certificates store using mmc.

Import the Vista host certificate into the WebSphere ESB host trust store

  1. Navigate to Security => SSL certificate and key management => Key stores and certificates.
  2. Select CellDefaultTrustStore.
  3. Select Signer certificates.
  4. Click Retrieve from port:

    Figure 9. Retrieve from port

  5. Enter the Vista server hostname in the Host field (such as myvistahost). Enter the secure Web service port for the Vista server (such as 444) and a suitable alias name (such as myvistahost_444). Click Retrieve signer information:

    Figure 10. Retrieve certificate

  6. Click OK and Save.

WebSphere ESB Service Gateway setup

This setup creates a simple gateway mediation that will just route the input message from the .NET client to the .NET service:

  1. Start WID 6.2 and go to the Business Integration perspective.
  2. Create a Gateway Library, File => New => Library.
  3. Give it an appropriate Library name, such as GatewayLibrary. Click Finish.
  4. Expand the library and double-click the Dependencies item.
  5. This opens the Dependencies editor; open the Predefined Resources section.
  6. Tick the Service gateway interface and schema files item, then click the Save icon:

    Figure 11. Service gateway schema

  7. Create a mediation module (File => New => Mediation Module).
  8. Give it an appropriate Module name, such as GatewayModule, set the Target runtime environment to WebSphere ESB Server 6.2, and click Next.
  9. Select the GatewayLibrary as a required library and click Finish.
  10. On the Assembly Diagram right-click the Mediation component (GatewayModule) and select Add => Interface.
  11. Select the ServiceGateway interface and click OK:

    Figure 12. Service gateway interface

  12. Right-click the Mediation component and select Add => Reference.
  13. Select ServiceGateway and click OK.
  14. Drag an Import onto the Assembly Diagram to the right of the Mediation component.
  15. Right-click the Import and select Add Interface from the menu.
  16. Select ServiceGateway and click OK.
  17. Right-click the Import and select Generate Binding => Web Service Binding from the menu.
  18. On the Transport Selection dialogue select SOAP1.1/HTTP and click OK.
  19. Wire the reference of the Mediation component to the interface of the Import.
  20. Right-click the Mediation component and select Generate Export => Web Service Binding.
  21. On the Transport Selection dialogue select SOAP1.1/HTTP and click OK:

    Figure 13. Assembly

  22. Double-click on the Mediation component to generate the implementation.
  23. In the Mediation Flow Editor under the Operation connections, wire the requestResponse of the ServiceGateway to the requestResponse of the ServiceGatewayPartner:

    Figure 14. Operation connections

  24. In the Request flow, drag a MessageElementSetter primitive onto the canvas and wire the Input primitive to its input terminal and its output terminal to the callout node:

    Figure 15. Request flow

  25. Select the Details tab of the MessageElementSetter and click Add.
  26. Leave the Action as Set.
  27. Browse the Target and expand header => SMOHeader => Target. Double-click address and click Finish:

    Figure 16. MES Address

  28. In the Value field, type the endpoint to which you want the gateway to send the message, such as https://myvistahost:444/Securemywcfservice/Service.svc, and then click Finish:

    Figure 17. Endpoint

  29. Click Add again.
  30. Leave the Action as Set.
  31. Browse the Target and expand header => SMOHeader. Double-click Action and click Finish:

    Figure 18. MES Action

  32. In the Value field, type the path to the operation to invoke as specified in the service WSDL, such as http://tempuri.org/IService/LoanApplicationRequest. Then click Finish:

    Figure 19. Operation

  33. Click the Response tab and wire the input node direct to the response node:

    Figure 20. Response flow

  34. Save the Flow and Assembly diagrams.
  35. In the Projects view, right-click the Mediation module project (GatewayModule) and select Export from the menu.
  36. In the Export dialog, expand Business Integration, select Integration module, and click Next.
  37. Ensure that Export usage is set to EAR files for server deployment and that the GatewayModule box is ticked. Click Next.
  38. Browse to a suitable target directory and click Finish.
  39. Deploy the EAR file to a WebSphere ESB server.

WebSphere ESB Policy Set configuration

A WS-Security policy needs to be created and applied to the Gateway service.

Create a custom policy set

  1. In the left pane, select Services => Policy sets => Application policy sets.
  2. In the right pane, check WSSecurity default and click Copy at the top of the page:

    Figure 21. Application policy sets

  3. In the Name field, enter WSSecGW and click OK.
  4. Select the newly created WSSecGW policy set.
  5. Check WS-Addressing, then click Delete.
  6. Click Save at the top of the page:

    Figure 22. Delete WS-Addressing

  7. In the left pane, select Services => Policy sets => Application policy sets. Select WSSecGW, then WS-Security, then Main policy:

    Figure 23. Main policy

  8. Select Request message part protection.
  9. Under Encrypted parts, select app_encparts, and click Edit:

    Figure 24. Request message part

  10. Remove the two XPath statements: select each XPath expression and then click Remove Selected Elements.
  11. Click OK:

    Figure 25. Request message XPath

  12. Go back to the Main policy dialog.
  13. Click Response message part protection.
  14. Under Encrypted parts, select app_encparts and click Edit.
  15. Remove the two XPath statements: select each XPath expression and click Remove Selected Elements.
  16. Click OK, then Save, and go back to the Main policy dialog.
  17. Ensure Include timestamp in security header is checked.
  18. Click OK, then Save.

Attach the custom policy set and custom binding

To assign the policy set to your Service:

  1. In the left pane, select Services => Service providers.
  2. Select your service ServiceGatewayExport1_ServiceGatewayHttpService, then tick the checkbox next to ServiceGatewayExport1_ServiceGatewayHttpService. Click Attach.
  3. Select WSSecGW from the drop-down list.

To assign the custom binding to your Service:

  1. In the left pane, select Services => Service providers.
  2. Select your Service, then check your Service, then select Assign Binding => New.
  3. Specify WS-GW-Binding as the name.
  4. Click Add, and then select WS-Security.
  5. Click Save:

    Figure 26. Assign Binding

Configure the Service request signature consumer security bindings

  1. In the left pane, select Services => Service providers.
  2. Select your service ServiceGatewayExport1_ServiceGatewayHttpService, then WS-GW-Binding, then WS-Security.
  3. Select Authentication and protection:

    Figure 27. Authentication and protection

  4. Click AsymmetricBindingInitiatorSignatureToken0.
  5. Verify that the JAAS login is wss.consume.x509.
  6. Click Apply to generate a callback handler binding:

    Figure 28. AsymmetricBindingInitiatorSignatureToken0

  7. Click the Callback handler link. In the Callback handler dialogue, make sure that Trust any certificate is checked.
  8. In the Keystore section, select Custom as the name, then select the Custom keystore configuration link.
  9. In the Custom keystore configuration dialog, enter the full path name for the keystore, such as /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks.
  10. For Type, select JKS.
  11. For Password, enter the keystore password.
  12. For Confirm password, enter the keystore password.
  13. In the Key section, enter the certificate label for the Vista Web service host (CN=myvistahost) in the Name field, and the Vista hostname (the certificate alias, such as myvistahost) in the Alias field.
  14. Click OK three times, then click Save:

    Figure 29. Key Store

    The AsymmetricBindingInitiatorSignatureToken0 is now shown as Configured.
  15. In the Request message signature and encryption protection section, select request:app_signparts.
  16. In the Name field, enter reqSign, and then click Apply.
  17. In the Message part reference section, select request:app_signparts, then click Edit.
  18. Under Transform algorithms, click New.
  19. In the URL field, enter http://www.w3.org/2001/10/xml-exc-c14n#.
  20. Click OK twice:

    Figure 30. Transform algorithms

  21. Under Signing key information, click New.
  22. Enter reqSignKey in the Name field.
  23. Ensure that AsymmetricBindingInitiatorSignatureToken0 is selected in the Token generator or consumer name field. Click OK:

    Figure 31. Signing key

  24. Under Signing key information, select reqSignKey, then click Add.
  25. Click OK, and then Save:

    Figure 32. Request key

    The request:app_signparts is now shown as Configured.

Configure the Service request encryption consumer security bindings

  1. In the left pane, select Services => Service providers.
  2. Select your Service, then WS-GW-Binding, then WS-Security.
  3. Select Authentication and protection.
  4. Select AsymmetricBindingRecipientEncryptionToken0.
  5. Verify that the JAAS login is wss.consume.x509.
  6. Click Apply to generate a callback handler binding.
  7. Select the Callback handler link.
  8. Under Certificates, make sure Trust any certificate is checked.
  9. In the Keystore section, select Custom as the name, then select the Custom keystore configuration link.
  10. Enter the full path name for the keystore. For example: /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks.
  11. For Type, select JKS.
  12. For Password, enter the keystore password.
  13. For Confirm password, enter the keystore password.
  14. In the Key section enter the label for the WebSphere ESB host certificate. For example: CN=wesbhost in the Name field.
  15. Put the name of the WebSphere ESB host (the certificate alias) wesbhost in the Alias field.
  16. For keypass Password, enter the key password.
  17. For Confirm keypass password, enter the key password.
  18. Click OK three times, then click Save. The AsymmetricBindingRecipientEncryptionToken0 is now shown as Configured.
  19. Under Request message signature and encryption protection, click request:app_encparts.
  20. In the Name field, enter reqEnc, then click Apply.
  21. Under Key information, click New.
  22. Enter reqEncKey for the name.
  23. Ensure AsymmetricBindingRecipientEncryptionToken0 is selected for Token generator or consumer name. Click OK.
  24. Under Key information, select reqEncKey, then click Add.
  25. Click OK, and then Save. The request:app_encparts item is now shown as Configured.

Configure the Service response signature generator security bindings

  1. In the left pane, select Services => Service providers.
  2. Select your Service, then WS-GW-Binding, then WS-Security.
  3. Select Authentication and protection.
  4. Select AsymmetricBindingRecipientSignatureToken0.
  5. Verify that the JAAS login is wss.generate.x509.
  6. Click Apply to generate a callback handler binding.
  7. Select the Callback handler link.
  8. In the Keystore section, select Custom as the name, then select the Custom keystore configuration link.
  9. Enter the full path name for the keystore. For example: /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks.
  10. For Type, select JKS.
  11. For Password, enter the keystore password.
  12. For Confirm password, enter the keystore password.
  13. In the Key section enter the label for the WebSphere ESB host certificate CN=wesbhost in the Name field.
  14. Put the name of the WebSphere ESB host (the certificate alias) wesbhost in the Alias field.
  15. For Password, enter the key password.
  16. For Confirm keypass password, enter the key password.
  17. Click OK three times, then click Save. The AsymmetricBindingRecipientSignatureToken0 is now shown as Configured.
  18. Under Response message signature and encryption protection, click response:app_signparts.
  19. In the Name field, enter respSign.
  20. Under Signing key information, click New.
  21. In the Name field, enter respSignKey.
  22. Under Type, select X509 issuer name and issuer serial.
  23. Ensure AsymmetricBindingRecipientSignatureToken0 is selected for Token generator or consumer name, then click OK, then Apply.
  24. Under Message part reference, select response:app_signparts, and click Edit.
  25. Under Transform algorithms, click New.
  26. In the URL field, enter http://www.w3.org/2001/10/xml-exc-c14n#.
  27. Click OK twice.
  28. Under Signing key information, make sure respSignKey is selected, then click OK => Save. The response:app_signparts item is now shown as Configured.

Configure the Service response encryption generator security bindings

  1. In the left pane, select Services => Service providers => your Service.
  2. Select WS-GW-Binding, then WS-Security.
  3. Select Authentication and protection.
  4. Select AsymmetricBindingInitiatorEncryptionToken0.
  5. Verify that JAAS login is wss.generate.x509.
  6. Click Apply to generate a callback handler binding.
  7. Select the Callback handler link.
  8. In the Keystore section, select Custom as the name, then select the Custom keystore configuration link.
  9. Enter the full path name for the keystore. For example: /opt/ibm/ESB/etc/ws-security/mySysKeys/wesbstore.jks.
  10. For Type, select JKS.
  11. For Password, enter the keystore password.
  12. For Confirm password, enter the keystore password.
  13. In the Key section, enter the certificate label for the Vista Web service host CN=myvistahost in the Name field.
  14. Enter the Vista hostname (certificate alias) myvistahost in the Alias field.
  15. Click OK three times, then click Save. The AsymmetricBindingInitiatorEncryptionToken0 is now shown as Configured.
  16. Under Response message signature and encryption protection, click response:app_encparts.
  17. In the Name field, enter respEnc and then click Apply.
  18. Under Key information, click New.
  19. Enter respEncKey for the name.
  20. Under Type, select X509 issuer name and issuer serial.
  21. Ensure AsymmetricBindingInitiatorEncryptionToken0 is selected for Token generator or consumer name, and click OK.
  22. Ensure respEncKey is selected, click OK, and then Save. The response:app_encparts item is now shown as Configured.
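The policy set and the four binding sections above amount to a fixed shape for every inbound WS-Security header: a Timestamp, the Body and Timestamp signed with the exc-c14n transform, the signing key identified by X509 issuer name and serial, and an encrypted Body. The following Python is an added example, not code from the article or from WebSphere ESB: a structural pre-check that a gateway-side filter or a log-analysis script could run on captured envelopes to spot messages that deviate from that policy before the runtime's cryptographic verification rejects them. The sample envelope, its wsu:Id values and the serial number are constructed; the check does not verify the signature value or decrypt anything.

```python
import xml.etree.ElementTree as ET

# Namespaces of the WS-Security 1.0 header elements the policy set refers to.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"  # transform entered in the binding
WSU_ID = "{%s}Id" % NS["wsu"]


def check_wsse_header(envelope_xml):
    """Return policy findings for one envelope; [] means the header has the structure the
    WSSecGW policy set expects. Structural only: no signature verification, no decryption."""
    findings = []
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    ts = sec.find("wsu:Timestamp", NS)  # "Include timestamp in security header"
    if ts is None:
        findings.append("missing wsu:Timestamp")
    body = root.find("soap:Body", NS)
    # app_encparts with the XPath entries removed leaves the Body as the encrypted part.
    if body is not None and body.find("xenc:EncryptedData", NS) is None:
        findings.append("Body is not encrypted")
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        return findings + ["missing ds:Signature"]
    signed_ids = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        if EXC_C14N not in algs:
            findings.append("reference %s lacks exc-c14n transform" % ref.get("URI"))
        signed_ids.add(ref.get("URI", "").lstrip("#"))
    # app_signparts covers the Body and the Timestamp: both wsu:Ids must be referenced.
    for name, el in (("Body", body), ("Timestamp", ts)):
        if el is not None and el.get(WSU_ID) not in signed_ids:
            findings.append("%s is not covered by the signature" % name)
    if sig.find(".//ds:X509IssuerSerial", NS) is None:  # "X509 issuer name and issuer serial"
        findings.append("signing key not identified by X509 issuer name and serial")
    return findings


# Constructed sample envelope (not a real capture); the Body holds an encrypted placeholder.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
 xmlns:ds="{ds}" xmlns:xenc="{xenc}"><soap:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2009-06-03T10:00:00Z</wsu:Created></wsu:Timestamp>
 <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#Body-1"><ds:Transforms><ds:Transform Algorithm="{c14n}"/></ds:Transforms></ds:Reference>
  <ds:Reference URI="#TS-1"><ds:Transforms><ds:Transform Algorithm="{c14n}"/></ds:Transforms></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AAA=</ds:SignatureValue>
 <ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
  <ds:X509IssuerName>CN=myvistahost</ds:X509IssuerName><ds:X509SerialNumber>1</ds:X509SerialNumber>
 </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header>
<soap:Body wsu:Id="Body-1"><xenc:EncryptedData Type="{xenc}Content"/></soap:Body>
</soap:Envelope>""".format(c14n=EXC_C14N, **NS)
```

Running `check_wsse_header(SAMPLE)` returns an empty list; dropping the Timestamp, the exc-c14n transform, the Body's wsu:Id or the EncryptedData element each produces a specific finding.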

Test the .NET Client/Service communication via the WebSphere ESB Gateway

To invoke the service from the client, open a command console on the Vista machine and run the client, passing the address of the WebSphere ESB service gateway as a parameter:

"C:\Users\myuser\Documents\Visual Studio 2008\Projects\myWCFClient\myWCFClient\bin\Debug\myWCFClient" http://wesbhost:9080/GatewayModuleWeb/sca/ServiceGatewayExport1

Approval state is True
Approval credit rating is 6
Comment is        Request Approved
Account Number is 413464
URL is                http://wesbhost:9080/GatewayModuleWeb/sca/ServiceGatewayExport1

Conclusion

This article has shown you how to set up interoperability between .NET WCF services and the WebSphere ESB V6.2 Service Gateway. In addition, it has shown that by using WebSphere ESB policy sets, the interactions between .NET and WebSphere ESB can have Web service quality of service applied to them.
