Posted to java-user@axis.apache.org by Stadelmann Josef <jo...@axa-winterthur.ch> on 2010/10/04 12:09:18 UTC
[axis2-1.2 SV & MS .NET WCF 3.5 CL] Password encryption in a heterogeneous environment
Hi all,
has someone come along with the following and gained experience in a
heterogeneous environment on the following topics
a) How to set up / pass along in a soap-header or body / encrypt-decrypt
passwords
b) Encrypt at my MS Windows VISTA .NET WCF 3.5 Client
c) Decrypt the password and get clear text at my Axis2-1.2 or
Axis2-1.5.1 Web Service Server or Service (
d) Then use the password in clear text at the server to login
against the OpenVMS User Authentication facility (UAF)
Any hints welcome
Rampart would be fine but what shall I use on the Vista WCF 3.5 side?
Is there a wsdl fragment avail to generate code for the .NET WCF 3.5 PC
client to encrypt a password and
What would be the counterpart at the axis2 web service engine side?
Josef
AW: [axis2-1.2 SV & MS .NET WCF 3.5 CL] Password encryption in a heterogeneous environment
Posted by Stadelmann Josef <jo...@axa-winterthur.ch>.
In .-1 I am asking some questions regarding interoperability of
Security. WSS10 and WSS11 and WS-Security and WS-TRUST etc. WS-*
Part of the potential answers are shown below.
Now - I would like to know from Axis2 / Rampart Experts,
The map from WCF WS-Security Models indicated below (supported by
example code) to Axis2 / Rampart Models?
"In particular which MS Approach shall I take to match a possible Axis2
WS-Security approach/policy/implementation?"
I must be able to encrypt the password for transport to the server;
there, I need access to the clear text password for login at the
server's legacy part using the OpenVMS UAF (user
authentication/authorization facility). That's it.
So - Which model supports what I want? i.e.
Message Security with username Client example shows how to make the
service authenticate toward the client with an X509 certificate (not
what I need),
while the client sends the password encrypted (guess it is what I need),
but can I have it without the X509 stuff from the server?
Josef
Good references at MS MSDN
the following was taken from
http://msdn.microsoft.com/en-us/library/ms730301.aspx
Common Security Scenarios .NET Framework 4
The topics in this section catalog a number of possible client and
service security configurations.
Configurations vary according to a number of factors. For example,
whether a service or client is on an intranet,
or whether the security is provided by Windows or transport (such as
HTTPS).
In This Section
Internet Unsecured Client and Service
<http://msdn.microsoft.com/en-us/library/ms733091.aspx>
An example of a public, unsecured client and service.
Intranet Unsecured Client and Service
<http://msdn.microsoft.com/en-us/library/ms734784.aspx>
A basic Windows Communication Foundation (WCF) service developed to
provide information on a secure private network to a WCF application.
Transport Security with Basic Authentication
<http://msdn.microsoft.com/en-us/library/ms733775.aspx>
The application allows clients to log on using custom authentication.
Transport Security with Windows Authentication
<http://msdn.microsoft.com/en-us/library/ms733089.aspx>
Shows a client and service secured by Windows security.
Transport Security with an Anonymous Client
<http://msdn.microsoft.com/en-us/library/ms729789.aspx>
This scenario uses transport security (such as HTTPS) to ensure
confidentiality and integrity.
Transport Security with Certificate Authentication
<http://msdn.microsoft.com/en-us/library/ms731074.aspx>
Shows a client and service secured by a certificate.
Message Security with an Anonymous Client
<http://msdn.microsoft.com/en-us/library/ms733938.aspx>
Shows a client and service secured by WCF message security.
Message Security with a User Name Client
<http://msdn.microsoft.com/en-us/library/ms731058.aspx>
The client is a Windows Forms application that allows clients to log on
using a domain user name and password.
Message Security with a Certificate Client
<http://msdn.microsoft.com/en-us/library/ms733098.aspx>
Servers have certificates, and each client has a certificate. A security
context is established through Transport Layer Security (TLS)
negotiation.
Message Security with a Windows Client
<http://msdn.microsoft.com/en-us/library/ms729709.aspx>
A variation of the certificate client. Servers have certificates, and
each client has a certificate. A security context is established through
TLS negotiation.
Message Security with a Windows Client without Credential Negotiation
<http://msdn.microsoft.com/en-us/library/ms735117.aspx>
Shows a client and service secured by a Kerberos domain.
Message Security with Mutual Certificates
<http://msdn.microsoft.com/en-us/library/ms733102.aspx>
Servers have certificates, and each client has a certificate. The server
certificate is distributed with the application and is available out of
band.
Message Security with Issued Tokens
<http://msdn.microsoft.com/en-us/library/ms789013.aspx>
Federated security that enables the establishment of trust between
independent domains.
Trusted Subsystem
<http://msdn.microsoft.com/en-us/library/ms730288.aspx>
A client accesses one or more Web services that are distributed across a
network. The Web services access additional resources (such as databases
or other Web services) that must be secured.
Reference
System.ServiceModel
<http://msdn.microsoft.com/en-us/library/system.servicemodel.aspx>
Related Sections
Authorization <http://msdn.microsoft.com/en-us/library/ms733071.aspx>
Security Overview
<http://msdn.microsoft.com/en-us/library/ms735093.aspx>
Windows Communication Foundation Security
<http://msdn.microsoft.com/en-us/library/ms732362.aspx>
Bindings and Security
<http://msdn.microsoft.com/en-us/library/ms731172.aspx>
Securing Services and Clients
<http://msdn.microsoft.com/en-us/library/ms734736.aspx>
Authentication <http://msdn.microsoft.com/en-us/library/ms733082.aspx>
Authorization <http://msdn.microsoft.com/en-us/library/ms733071.aspx>
Federation and Issued Tokens
<http://msdn.microsoft.com/en-us/library/ms731161.aspx>
Auditing Security Events
<http://msdn.microsoft.com/en-us/library/ms731669.aspx>
See Also
Concepts
Security Guidance and Best Practices
<http://msdn.microsoft.com/en-us/library/ms731983.aspx>