Share via


<mutualCertificate10Security> Element

Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.0 and 1.1 can be used with this assertion.

<policies> Element
  <policy> Element (Policy)

<mutualCertificate10Security
  clientActor
  establishSecurityContext="true|false"
  messageProtectionOrder="Signature and encryption order"
  renewExpiredSecurityContext="true|false"
  requireDerivedKeys="true|false"
  requireSignatureConfirmation="true|false"  
  serviceActor
  ttlInSeconds >
  <clientToken>
  <serviceToken>
  <protection>
</mutualCertificate10Security >

Microsoft.Web.Services3.Design.MutualCertificate10

Attributes and Elements

Attributes

Attribute Description

clientActor

Optional attribute. Specifies the actor attribute on the Security SOAP header for a SOAP message destined for a Web service client to which this policy assertion applies. When the SOAP message is not routed through an intermediary, such as a SOAP router, the actor attribute is an empty string (""). When the policy assertion applies to an intermediary, specify the URI for the intermediary. The default value is an empty string ("").

establishSecurityContext

Optional attribute. Specifies whether a secure conversation is established using SecurityContextToken security tokens. Possible values are true and false. true specifies that this security assertion secures the security token request and its response (the RST and RSTR) and SOAP messages exchanged between the client and the Web service are secured using SecurityContextToken security tokens. The default value is false.

messageProtectionOrder

Optional attribute. Specifies the order of operation for digital signatures and message encryption. SignBeforeEncrypt specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, but the digital signature is not encrypted. SignBeforeEncryptAndEncryptSignature specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, and the digital signature is encrypted.

EncryptBeforeSign is not supported by this policy assertion. The EncryptBeforeSign protection order can enable a man-in-the-middle attack where the attacker replaces the sender's signature without the recipient being able to detect that it has been replaced.

renewExpiredSecurityContext

Optional attribute. Specifies that a new SecurityContextToken security token is automatically requested as the current one expires when a secure conversation is established. This is applicable only when the establishSecurityContext attribute for this policy assertion is true.

requireDerivedKeys

Optional attribute. Specifies whether DerivedKeyToken security tokens are used. Possible values are true and false. The default value is false.

requireSignatureConfirmation

Optional attribute. Specifies whether the Web service sends a confirmation that verifies the client's digital signature and whether the client rejects SOAP responses without a signature confirmation. This is always false.

serviceActor

Optional attribute. Specifies the actor attribute on the Security SOAP header for a SOAP message destined for a Web service to which this policy assertion applies. When the SOAP message is not routed through an intermediary, such as a SOAP router, the actor attribute is an empty string (""). When the policy assertion applies to an intermediary, specify the URI for the intermediary. The default value is an empty string ("").

Note

When the serviceActor attribute is set to a value other than an empty string (""), then the establishSecurityContext attribute must be set to false.

ttlInSeconds

Optional attribute. Specifies the default number of seconds that a SOAP message is valid after its creation. The default value is 5 minutes (300 seconds).

Child Elements

Element Description

<clientToken> Element

Optional element. Specifies the security token that authenticates the client.

<protection> Element

Optional element. Specifies the SOAP message parts that are signed, encrypted, or both.

<serviceToken> Element (Policy)

Optional element. Specifies the X509SecurityToken security token that protects the SOAP messages.

If the details of the X509SecurityToken security token are not specified in the policy file, the security token must be specified using code.

Parent Elements

Element Description

<policy> Element

Specifies a SOAP message requirement.

Remarks

The mutualCertificate11Security turnkey security assertion is similar to this policy assertion, except it is intended to be used with WS-Security 1.1 and the security tokens that are used to digitally sign and encrypt SOAP messages are different. For more details about the mutualCertificate11Security turnkey security assertion, see <mutualCertificate11Security> Element.

This security assertion can have zero or more <protection> elements. Use more than one <protection> element to apply protection requirements for each operation using the requestAction attribute. Each of the <protection> elements must have a unique requestAction attribute unless the requestAction is omitted. Only one of the <protection> elements can omit the requestAction attribute, and that element defines the default protection requirements for the policy.

SOAP requests sent by the client and SOAP responses sent by the Web service are protected as specified in the following table.

SOAP message Protection Description

SOAP request

Digital Signature

The SOAP message parts specified in the <request> child element of the <protection> element are digitally signed using a EncryptedKeyToken security token that is created using the Web service's X509SecurityToken security token. The client's X509SecurityToken security token signs that digital signature.

SOAP request

Encryption

The SOAP message parts specified in the <request> child element of the <protection> element are encrypted using a EncryptedKeyToken security token that is created using the Web service's X509SecurityToken security token.

SOAP response

Digital Signature

The SOAP message parts specified in the <response> or <fault> child elements of the <protection> element are digitally signed using the EncryptedKeyToken security token that encrypted the SOAP request.

SOAP response

Encryption

The SOAP message parts specified in the <response> or <fault> child elements of the <protection> element are encrypted using the EncryptedKeyToken security token that encrypted the SOAP request.

Example

The following code example demonstrates how to secure a SOAP message exchange using the mutualCertificate10Security turnkey security assertion. This is the policy file for the client. The policy file for the Web service would be identical minus the clientToken element and its child elements.

<policies>
  <extensions>
    <extension name="mutualCertificate10Security" type="Microsoft.Web.Services3.Design.MutualCertificate10, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ClientPolicy">
    <mutualCertificate10Security
      establishSecurityContext="false" 
      renewExpiredSecurityContext="true" 
      requireSignatureConfirmation="false" 
      messageProtectionOrder="SignBeforeEncrypt" 
      requireDerivedKeys="true" >
      <clientToken>
        <x509 
          storeLocation="CurrentUser"
          storeName="My"
          findValue="CN=WSE2QuickStartClient"
          findType="FindBySubjectDistinguishedName" />
      </clientToken>
      <serviceToken>
        <x509
          storeLocation="LocalMachine"
          storeName="My"
          findValue="CN=WSE2QuickStartServer"
          findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <response 
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <fault
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="false" />
      </protection>
    </mutualCertificate10Security>
    <requireActionHeader />
  </policy>
</policies>

See Also

Tasks

How to: Secure a Web Service Using a Policy File

Reference

<mutualCertificate11Security> Element
<serviceToken> Element (Policy)
<clientToken> Element
<protection> Element
<policy> Element
X509SecurityToken

Concepts

Turnkey Security Assertions

Other Resources

Implementing Message Layer Security with X.509 Certificates in WSE 3.0
X.509 Technical Supplement