Posted to java-user@axis.apache.org by Stadelmann Josef <jo...@axa-winterthur.ch> on 2010/10/04 12:09:18 UTC

[axis2-1.2 SV & MS .NET WCF 3.5 CL] Password encryption in a heterogeneous environment

Hi all,

Has someone come along with the following and gained experience in a
heterogeneous environment on the following topics:
a)	How to set up / pass along in a SOAP header or body / encrypt-decrypt
passwords
b)	Encrypt at my MS Windows VISTA .NET WCF 3.5 Client
c)	Decrypt the password and get clear text at my Axis2-1.2 or
Axis2-1.5.1 Web Service Server or Service (
d)	Then use the password in clear text at the server to log in
against the OpenVMS User Authentication facility (UAF)

Any hints welcome

Rampart would be fine but what shall I use on the Vista WCF 3.5 side?

Is there a WSDL fragment available to generate code for the .NET WCF 3.5 PC
client to encrypt a password, and
what would be the counterpart at the Axis2 web service engine side?


Josef

AW: [axis2-1.2 SV & MS .NET WCF 3.5 CL] Password encryption in a heterogeneous environment

Posted by Stadelmann Josef <jo...@axa-winterthur.ch>.
In .-1 I am asking some questions regarding interoperability of
Security. WSS10 and WSS11 and WS-Security and WS-TRUST etc. WS-*

 

Part of the potential answers are shown below.

 

Now - I would like to know from Axis2 / Rampart Experts,  

The map from WCF WS-Security Models indicated below (supported by
example code) to Axis2 / Rampart Models?

 

 "In particular which MS Approach shall I take to match a possible Axis2
WS-Security approach/policy/implementation?" 

 

I must be able to encrypt the password for transport to the server;
there, I need access to the clear text password for login at the
server's legacy part using the OpenVMS UAF (user
authentication/authorization facility). That's it.

 

 

So - Which model supports what I want? i.e. 

The Message Security with username Client example shows how to make the
service authenticate toward the client with an X509 certificate (not
what I need), while the client sends the password encrypted (guess it is
what I need), but can I have it without the X509 stuff from the server?

 

Josef

 

 

Good references at MS MSDN

the following was taken from
http://msdn.microsoft.com/en-us/library/ms730301.aspx

Common Security Scenarios .NET Framework 4

 

Other Versions

.NET Framework 3.5
<http://msdn.microsoft.com/en-us/library/ms730301(v=VS.90).aspx> 

.NET Framework 3.0
<http://msdn.microsoft.com/en-us/library/ms730301(v=VS.85).aspx> 

The topics in this section catalog a number of possible client and
service security configurations. 

Configurations vary according to a number of factors. For example,
whether a service or client is on an intranet, 
or whether the security is provided by Windows or transport (such as
HTTPS).


In This Section

 

Internet Unsecured Client and Service
<http://msdn.microsoft.com/en-us/library/ms733091.aspx> 

An example of a public, unsecured client and service. 

 

Intranet Unsecured Client and Service
<http://msdn.microsoft.com/en-us/library/ms734784.aspx> 

A basic Windows Communication Foundation (WCF) service developed to
provide information on a secure private network to a WCF application. 

 

Transport Security with Basic Authentication
<http://msdn.microsoft.com/en-us/library/ms733775.aspx> 

The application allows clients to log on using custom authentication. 

 

Transport Security with Windows Authentication
<http://msdn.microsoft.com/en-us/library/ms733089.aspx> 

Shows a client and service secured by Windows security. 


Transport Security with an Anonymous Client
<http://msdn.microsoft.com/en-us/library/ms729789.aspx> 

This scenario uses transport security (such as HTTPS) to ensure
confidentiality and integrity. 

 

Transport Security with Certificate Authentication
<http://msdn.microsoft.com/en-us/library/ms731074.aspx> 

Shows a client and service secured by a certificate. 

 

Message Security with an Anonymous Client
<http://msdn.microsoft.com/en-us/library/ms733938.aspx> 

Shows a client and service secured by WCF message security. 

 

Message Security with a User Name Client
<http://msdn.microsoft.com/en-us/library/ms731058.aspx> 

The client is a Windows Forms application that allows clients to log on
using a domain user name and password. 

 

Message Security with a Certificate Client
<http://msdn.microsoft.com/en-us/library/ms733098.aspx> 

Servers have certificates, and each client has a certificate. A security
context is established through Transport Layer Security (TLS)
negotiation. 

 

Message Security with a Windows Client
<http://msdn.microsoft.com/en-us/library/ms729709.aspx> 

A variation of the certificate client. Servers have certificates, and
each client has a certificate. A security context is established through
TLS negotiation. 

 

Message Security with a Windows Client without Credential Negotiation
<http://msdn.microsoft.com/en-us/library/ms735117.aspx> 

Shows a client and service secured by a Kerberos domain. 

 

Message Security with Mutual Certificates
<http://msdn.microsoft.com/en-us/library/ms733102.aspx> 

Servers have certificates, and each client has a certificate. The server
certificate is distributed with the application and is available out of
band. 

 

Message Security with Issued Tokens
<http://msdn.microsoft.com/en-us/library/ms789013.aspx> 

Federated security that enables the establishment of trust between
independent domains. 

 

Trusted Subsystem
<http://msdn.microsoft.com/en-us/library/ms730288.aspx> 

A client accesses one or more Web services that are distributed across a
network. The Web services access additional resources (such as databases
or other Web services) that must be secured. 

 

Reference

System.ServiceModel
<http://msdn.microsoft.com/en-us/library/system.servicemodel.aspx> 

 

Related Sections

Authorization <http://msdn.microsoft.com/en-us/library/ms733071.aspx> 

Security Overview
<http://msdn.microsoft.com/en-us/library/ms735093.aspx> 

Windows Communication Foundation Security
<http://msdn.microsoft.com/en-us/library/ms732362.aspx> 

Bindings and Security
<http://msdn.microsoft.com/en-us/library/ms731172.aspx> 

Securing Services and Clients
<http://msdn.microsoft.com/en-us/library/ms734736.aspx> 

Authentication <http://msdn.microsoft.com/en-us/library/ms733082.aspx> 

Authorization <http://msdn.microsoft.com/en-us/library/ms733071.aspx> 

Federation and Issued Tokens
<http://msdn.microsoft.com/en-us/library/ms731161.aspx> 

Auditing Security Events
<http://msdn.microsoft.com/en-us/library/ms731669.aspx> 

 

See Also

Concepts

Security Guidance and Best Practices
<http://msdn.microsoft.com/en-us/library/ms731983.aspx> 

 

 

From: Stadelmann Josef [mailto:josef.stadelmann@axa-winterthur.ch] 
Sent: Monday, 4 October 2010 12:09
To: axis-user@ws.apache.org
Subject: [axis2-1.2 SV & MS .NET WCF 3.5 CL] Password encryption in a
heterogeneous environment

 

Hi all,

Has someone come along with the following and gained experience in a
heterogeneous environment on the following topics:

a)      How to set up / pass along in a SOAP header or body / encrypt-decrypt
passwords

b)      Encrypt at my MS Windows VISTA .NET WCF 3.5 Client

c)      Decrypt the password and get clear text at my Axis2-1.2 or
Axis2-1.5.1 Web Service Server or Service (

d)      Then use the password in clear text at the server to log in
against the OpenVMS User Authentication facility (UAF)

Any hints welcome

Rampart would be fine but what shall I use on the Vista WCF 3.5 side?

Is there a WSDL fragment available to generate code for the .NET WCF 3.5 PC
client to encrypt a password, and

what would be the counterpart at the Axis2 web service engine side?

Josef