Wcf to WebSphere interop: ActivityId is not protected

@YaronNaveh

I recently had to call a secured WebSphere service from a Wcf client. Fine tuning all the settings was challenging so I turned on Wcf tracing. The latter gave me detailed errors which helped me to see where I was wrong. But after fixing everything I knew of, I got this new error:

An element, ActivityId, with nsuri, http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics, is not protected by signing algorithm, sha1, and digest algorithm Rejected by filter; SOAP fault sent

Having no idea where this ActivityId element comes from , I took a quick look at the message my Wcf client was sending:

  <s:Header>
    <ActivityId CorrelationId="db5feb51-ae82-4c1b-bd68-1bdb2d09bbc6" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">f5aada53-669f-46d7-acc5-8d45e437ed86</ActivityId>
  </s:Header>

Where does this ActivityId come from?
Turns out this header is emitted by Wcf when we turn tracing on. Wcf uses this header to color the message as it flows between various layers so it can later show a single view of it.
In my case the WebSphere expected clients to sign all headers. This particular header was not signed (since wcf tracing just adds it as is) so WebSphere complained about a policy violation.
After turning off the Wcf trace settings the integration worked like a charm. So you can say the whole issue was kind of a drug side affect.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Xml stack for node.js that works on windows

@YaronNaveh

When I developed wcf.js I extensively used xml operations. Finding the right libraries was not an easy task so I thought to share my findings here. My requirements were to use dom style xml parsing and that the whole stack will be multi-platform (read: work on windows). It turned out that there are many libraries that fulfill one of these requirements but it was very hard to find one which fulfills both. Then I wanted to run xpath operations on the dom. And again I needed a library that works on windows and integrates well with the former dom parser.

I started my journey with googling for "node.js xml parser". I immediately found node-xml which is a pure javascript sax parser. Finding other sax parsers was also easy but that was not what I had in mind. I then moved to "node.js xml dom". This actually led me to the main listing of node libraries sorted by category, and I immediately turned to the xml section. I felt like I was drinking from the firehose: Over 15 xml parsers were listed. It was very disappointing to find out that most of them are based on libxml2 which means they will work on windows only via cygwin. That's evil.

xmldom
Just before I started to roll my own xml parser I have found xmldom. Xmldom is a pure javascript implementation of dom (and sax) which makes it fully portable to any environment.

xpath.js
I also needed an xpath engine. Finding one that is cross platform was not an easier task. I have finally found xpath.js. The latter was actually not written as a node.js module (it dates back to 2006) but it was fairly easy to migrate it there. As you can see here, I just added to it this method in the end:

function SelectNodes(doc, xpath)

{
  var parser = new XPathParser();
  var xpath = parser.parse(xpath);
  var context = new XPathContext();
  context.expressionContextNode = doc.documentElement;
  var res = xpath.evaluate(context)
  return res.toArray();
}

exports.SelectNodes = SelectNodes;

Making it all work together
The following sample shows how to parse an xml document and match an xpath on it.
Note you should include the updated xpath.js as part of your project (e.g. in /lib) and the second line in the sample should reference that path. You should also install xmldom using  npm install xmldom.

var select = require('./xpath').SelectNodes   //the path to xpath.js in your project
  , Dom = require('xmldom').DOMParser

var doc = new Dom().parseFromString('<x><y id="1"></y></x>')
  , res = select(doc, "//*[@id]") //select all nodes that has an "id" attribute

 if (res.length==1)
  console.log(res[0].localName); //prints "y"

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Wcf and Node.js, better together

@YaronNaveh

(get wcf.js on github!)

Take a look at the following code:


Do you see anything...um, special? Well c# already has the "var" keyword since version 3.0 so maybe it is some kind of a c#-ish dialect? Or maybe it is a CTP for javascript as a CLR language? Or something related to the azure sdk for node.js?

Not at all. This is a snippet from wcf.js - a pure javascript node.js module that makes wcf and node.js work together!

As node assumes its central place in modern web development, many developers build node apps that must consume downstream wcf services. Now if these services use WCF Web API ASP.NET Web API it is very easy. It is also a breeze if you are in a position to add a basic http binding to the Wcf service, and just a little bit of more work if you plan to employ a wcf router to do the protocol bridging. Wcf.js is a library that aims to provide a pure-javascript development experiece for such scenarios.

Note that building new node.js ws-* based services is a non-goal for this project. Putting aside all the religious wars, Soap is not the "node way", so you should stick to Rest where you'll get good language support (json) and built-in libraries.

"Hello, Wcf... from node"

You are closer than you think to consume your first Wcf service node.js:

1. Create a new wcf web site in VS and call it "Wcf2Node". If you use .Net 4 than BasicHttpBinding is the default, otherwise in web.config replace WsHttp with BasicHttp. No need to deploy, just run the service in VS using F5.

2. Create anywhere a folder for the node side and from the command line enter its root and execute:

$> npm install wcf.js

3. In the same folder create test.js:

var BasicHttpBinding = require('wcf.js').BasicHttpBinding

  , Proxy = require('wcf.js').Proxy

  , binding = new BasicHttpBinding()

  , proxy = new Proxy(binding, " http://localhost:12/Wcf2Node/Service.svc")

  , message = '<Envelope xmlns=' +
            '"http://schemas.xmlsoap.org/soap/envelope/">' +
                 '<Header />' +
                   '<Body>' +
                     '<GetData xmlns="http://tempuri.org/">' +
                       '<value>123</value>' +
                     '</GetData>' +
                    '</Body>' +
               '</Envelope>'

proxy.send(message, "http://tempuri.org/IService/GetData", function(response, ctx) {
  console.log(response)
});

4. In test.js, change the port 12 (don't ask...) to the port your service runs on.

5. Now we can execute node:

$> node test.js

6. You should now see the output soap on the console.

Of course this sample is not very interesting and you may be better off sending the raw soap using request. Let's see something more interesting. If your service uses ssl + username token (transport with message credential), the config may look like this:

<wsHttpBinding>
    <binding name="NewBinding0">
        <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
        </security>
    </binding>
</wsHttpBinding>

The following modifications to the previous example will allow to consume it from node:

...
binding = new WSHttpBinding(
        { SecurityMode: "TransportWithMessageCredential"
        , MessageClientCredentialType: "UserName"
        })
...

proxy.ClientCredentials.Username.Username = "yaron";
proxy.ClientCredentials.Username.Password = "1234";
proxy.send(...)

And here is the wire soap:

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<Header>
  <o:Security>
    <u:Timestamp>
      <u:Created>2012-02-26T11:03:40Z</u:Created>
      <u:Expires>2012-02-26T11:08:40Z</u:Expires>
    </u:Timestamp>
    <o:UsernameToken>
      <o:Username>yaron</o:Username>
      <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">1234</o:Password>
    </o:UsernameToken>
  </o:Security>
</Header>

<Body>
  <EchoString xmlns="http://tempuri.org/">
    <s>123</s>
  </EchoString>
</Body>

If you use Mtom check out this code:

(The formatting here is a bit strage due to my blog layout - it looks much better in github!)

var CustomBinding = require('wcf.js').CustomBinding

  , MtomMessageEncodingBindingElement = require('wcf.js').MtomMessageEncodingBindingElement

  , HttpTransportBindingElement = require('wcf.js').HttpTransportBindingElement

  , Proxy = require('wcf.js').Proxy

  , fs = require('fs')

  , binding = new CustomBinding(

        [ new MtomMessageEncodingBindingElement({MessageVersion: "Soap12WSAddressing10"}),

        , new HttpTransportBindingElement()

        ])

  , proxy = new Proxy(binding, "http://localhost:7171/Service/mtom")

  , message = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">' +
                '<s:Header />' +
                  '<s:Body>' +
                    '<EchoFiles xmlns="http://tempuri.org/">' +
                      '<value xmlns:a="http://schemas.datacontract.org/2004/07/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">' +
                        '<a:File1 />' +                   
                      '</value>' +
                    '</EchoFiles>' +
                  '</s:Body>' +
              '</s:Envelope>'

proxy.addAttachment("//*[local-name(.)='File1']", "me.jpg");

proxy.send(message, "http://tempuri.org/IService/EchoFiles", function(response, ctx) {

  var file = proxy.getAttachment("//*[local-name(.)='File1']")

  fs.writeFileSync("result.jpg", file)    

});

Mtom is a little bit trickier since wcf.js needs to know which nodes are binary. Using simple xpath can help you achieve that.

Getting your hands dirty with Soap
Wcf.js uses soap in its raw format. Code generation of proxies does not resonate well with a dynamic language like javascript. I also assume you are consuming an existing service which already has working clients so you should be able to get a working soap sample. And if you do like some level of abstraction between you and your soap I recommend node-soap, though it still does not integrate with wcf.js.

If you will use raw soap requests and responses you would need a good xml library. And while node has plenty of dom / xpath libraries, they are not windows friendly. My next post will be on a good match here.

Supported standards
Wcf implements many of the ws-* standards and even more via proprietary extensions. The first version of wcf.js supports the following:

MTOM

WS-Security (Username token only)

WS-Addressing (all versions)

HTTP(S)

The supported binding are:

BasicHttpBinding

WSHttpBinding

CustomBinding

What do you want to see next? Let me know.

Get the code
Wcf.js is hosted in GitHub, and everyone is welcome to contribute features and fixes if needed.
Wcf.js is powered by ws.js, the actual standards implementation, which I will introduce in an upcoming post.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

I'm an MVP (again!)

@YaronNaveh

I guess I can skip the traditional email quote by now. I just got the 2011 MVP award in Connected System Developer. Becoming an MVP last year was the beginning of a very interesting year. I'm super exited to get this award for the second time. I'll do my best to justify this recognition.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Binding Box now supprots the Wcf Interop Bindings

@YaronNaveh

Earlier this week Microsoft had released the Wcf Interop Bindings and VS extension. You can download and try it from here.

Today I am proud to announce that the Wcf Binding Box supports these interoperability bindings.



What is the Wcf Binding Box?
It is an online bindings converter. You give it a binding configuration (e.g. WSHttpBinding) and it returns an equivalent custom binding.

Full explanation is here.

Why do we need it?
Because it's fun :) And also allows to take a working WSHttpBinding and further customize it with settings which it does not directly expose, for example MaxClockSkew.

How the interop bindings relate to this?
Suppose you use the interop bindings to author a Wcf service which WebLogic consumes. You may want to further configure your Wcf service with settings that the WebLogicBinding does not expose. Since the WebLogicBinding internally inherits from WSHttpBinding this is a similar use case to the original purpose of the binding box.

Example

Put this WebSphere binding as the input in the binding box:

<bindings>
   <webSphereBinding>
     <binding name="interopBinding" messageEncoding="Text">
       <security mode="MutualCertificate" establishSecurityContext="true" algorithmSuite="TripleDes" />
     </binding>
   </webSphereBinding>
</bindings>

and this is the custom binding output:

<customBinding>
   <binding name="NewBinding0">
     <transactionFlow transactionProtocol="WSAtomicTransaction11" />
     <security authenticationMode="SecureConversation" algorithmSuite="TripleDes" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
       <secureConversationBootstrap authenticationMode="MutualCertificate" requireSignatureConfirmation="true" algorithmSuite="TripleDes" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" requireDerivedKeys="false" />
     </security>
     <textMessageEncoding />
     <httpTransport />
   </binding>
</customBinding>

Check out the binding box here.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Test drive the shiny new Wcf interop bindings

@YaronNaveh

wcf.codeplex.com is the place where most of the wcf action happens at these days. If you have been following it recently you have seen a lot of activity around Rest and Http. As of yesterday Soap officially joins the codepex party. Microsoft has just released the WCF Express Interop Bindings - a new Visual Studio extension for Soap web services interoperability. If you use Wcf this matters to you!

What did Microsoft release yesterday?

Web services interoperability is always a pain. When security is involved it is usualy more then a casual 'oouch'. Yes, WsHttpBinding has a specific permutation of settings which can interoperate with Oracle web logic. And I know a lot of people who have tried to find that permutation in a brute force manner. Mostly doing this is a waste of time which we prefer to invest in more productive areas.

So here's the idea behind yesterday's shipping: We now have a new binding, WebLogicBinding, which only allow us to configure settings which are interoperable with web logic. So all settings are interoperable! We also have bindings for web sphere, axis2 (wso2) and metro (wsit / glassfigh / tango).
In addition we got a nice wizard on top of Visual Studio's new project dialog which allows us to easily author interoperable services using these bindings.

But don't we already have WS-Policy for interoperability?

WS-Policy helps clients to generate proxies which complies with the service requirements as expressed by the Wsdl. The express bindings solves a prior problem: How to write from the first place a service which a specific client platform can support? Once we write such a service its Wsdl will contain the WS-Policy pixy dust so that the client can auto-configure itself.

Nice... I'll take two!
You can take four: MetroBinding, WebSphereBinding, WebLogicBinding and Wso2InteropBinding.
Take them from here.

Tutorial - WCF and Metro interop

Let's see why web services interoperability just got a whole lot easier.
We'll create a WCF service with mutual x.509 certificates in the message level and consume it with a Metro client.

1. Prepare the environment
You need VS 2010 and the express bindings. After you extract the bindings zip simply execute bin\Microsoft.ServiceModel.Interop.Extension.vsix which will install it on VS.


2. Create a new service

In VS create a new project. Note how the Wcf node now contains a new project type "Express Interop Wcf Service Application":

Choose that project type.

3. Configure the express binding wizard

A few moments after creating the project you will see the wizard.
First choose the platform our clients will use - Metro, this time.

Now we need to configure our security requirements. Choose "mutual certificate" which means both client and server will present an x.509 certificate in the message level. It also implies encryption and digital signature (in this case). To keep it simple we omit the secure conversation.

Next in the advanced settings use the Basic128 algorithm since it is the one Metro supports by default (for Basic256 a patch needs to be applied).

Finally configure the certificate.

I recommend to use this certificate (password: adminadmin):



Now run the service. This is a web site project so it will open the documentation page with the Wsdl link. Make sure to have the Wsdl url handy since we will use it in a moment.

Now we want to configure Metro.

1. Set up the environment

You should have NetBeans 7 (or higher), though NetBeans 6.7 also worked for me.


2. Create a new project of type Java Application:

Any of the default settings are fine:

3. Right click the package in the project view and add a new "web service client":

Now is a good time to paste that Wsdl url:

4. The service reference is now in the project view so right click it and edit the Web Service Attributes (similar to the Wcf configuration... just very different :):

5. This step is a workaround if your NetBeans version ships with Metro 2.0 (which is the case for NetBeans 7). See below how to know if you need it.

We can see that Metro had automatically identified that client and server certificates are required. This was due to the WS-Policy in the Wsdl.

Before we continue we need to do some trick. NetBeans 7 ships with Metro 2.0 which has a bug with certificates. In favor of those who reach this post via a search engine this is the error message:

java.lang.NullPointerException
...
at com.sun.xml.ws.security.impl.policy.CertificateRetriever.digestBST (CertificateRetriever.java:136)

To solve this you need to download Metro 2.1 (or higher). For now just extract it to some folder.

Now as part of this workaround check the "use development defaults" drop down in the quality attributes dialog you opened in step 4. Also approve any message you are prompt with.

Click Ok to close the dialog.

In the project pane expand the libraries node. It should look like this:

This workaround applies to version 2. If you see another version (even smaller) no need for this. What you need to do is delete all the references to Metro jar files (don't delete the jdk though). Instead of them right click the "libraries" node, choose "add jar/folder..." and choose the jar files in metro\bin folder from the metro 2.1 zip you just extracted. Add all jar files in that folder. The libraries node will now look like this:

6. We are now ready to do the actual configuration. Open again the web service quality attribute form as you did in step 4. Uncheck the "use development defaults" check box. Now configure the keystore and trust store. I recommend to use this java key store file:



Open "keystore..." and "Truststore.." each in its turn and do the below.
Set the path to the .jks file you extracted form the certificates file above, set the password to "adminadmin", and click "load alias". The alias for the key store is xws-security-client and for the trust store is xws-security-server.

7. Now we need to write the client code.

Since most of my readers are .Net developers let's see if we can pull this one out without any Java coding at all.

Drag the GetData node from the project pane to the main() method. It should now look like this (depending on the netbeans version):

public static void main(String[] args) {

  try { // Call Web Service Operation
     org.tempuri.Service service = new org.tempuri.Service();
     org.tempuri.IService port = service.getMetroBindingIService();
     // TODO initialize WS operation arguments here
     java.lang.Integer value = Integer.valueOf(0);
     // TODO process result here
     java.lang.String result = port.getData(value);
     System.out.println("Result = "+result);
  }
 catch (Exception ex) {

  }

}

if you use Netbeans 7 it will only generate a method so you would need to add code that calls it:

public static void main(String[] args) {
  try
  {
     String s = getData(2);
     System.out.println("result is" + s);
  } catch (Exception ex) {
     System.out.println(ex.getMessage() + ex.getStackTrace().toString());
  }
}

private static String getData(java.lang.Integer value) {
   org.tempuri.Service service = new org.tempuri.Service();
   org.tempuri.IService port = service.getMetroBindingIService();
   return port.getData(value);
}
}

7. Now run the application (F6).

Here is the output:

the result is: 2

Web services interoperability was never easier!

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Cannot resolve KeyInfo for unwrapping key

@YaronNaveh

With web services sometimes your client is able to receive a good response from the server but your client will still throw exception due to some policy violation. With wcf / mutual authentication the following error can appear:

Cannot resolve KeyInfo for unwrapping key: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=MyCert', Serial = '-903515464456238801534567116928')
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)

This error usually means that the server had digitally signed its response using an unexpected certificate. The expected certificate is the one which the client has configured as the server certificate and have possibly used to encrypt the message with.

So as with many of the security interoperability problems, you should verify that you use the correct certificate on both sides of the wire.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!