WCF consuming external Java Webservice with HTTPS and proxy

4

I have a WCF service that consumes a web service (developed in Java) to which I need to connect over HTTPS using a certificate. So far everything works well; however, in the production environment my client uses a proxy, and I am not able to establish an SSL connection through the proxy.

My development environment web.config binding (which works) looks like this:

<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="DOCeManagerServiceSoap12Binding">
        <textMessageEncoding messageVersion="Soap12"/>
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="https://example.com.br:443/DFeWeb/services/DOCeManagerService.DOCeManagerServiceHttpsSoap12Endpoint/"
      behaviorConfiguration="TestServiceBehavior" binding="customBinding"
      bindingConfiguration="DOCeManagerServiceSoap12Binding" contract="DOCeManagerService.DOCeManagerServicePortType"
      name="DOCeManagerServiceHttpsSoap12Endpoint">
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="TestServiceBehavior">
        <clientCredentials>
          <!-- client certificate used for the mutual-TLS handshake with the Java service -->
          <clientCertificate findValue="01FE53"
                             storeName="TrustedPublisher"
                             storeLocation="LocalMachine"
                             x509FindType="FindBySerialNumber"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
    <serviceBehaviors>
      <behavior>
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpGetEnabled="true" />
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>

In the production environment I tried to modify only this element:

<httpsTransport bypassProxyOnLocal="true" proxyAddress="http://proxy.example.corp:8080" useDefaultWebProxy="false" />

I get the following error:

Could not establish trust relationship for the SSL/TLS secure channel with authority 'Subdominio.example.com.br'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.

I have tried numerous settings but none of them solved my problem.

Update 1: I was thinking that the problem was related to the fact that I am making an SSL connection through a proxy that does not support SSL; however, if I port my code to a console application and specify the proxy, I can make the connection and consume the method. So I do not understand how I managed to connect with SSL through an HTTP proxy from the console app but not from WCF. Any idea?

Update 2: On the recommendation of colleagues I tried to run the service on IIS under my own user (the same one that got the SSL connection through the console app), but I do not know whether I did it right or whether something is missing; the service is unavailable (Service Unavailable). If anyone has already done this and can help, it would be useful to eliminate this possibility.

Update 3: I have updated the error message I get when I try to connect by adding the InnerException. When it says "The remote certificate is invalid according to the validation procedure", does it refer to the server whose service I am consuming?

  • Have you tried changing the endpoint to the production address? From the error message, I assume you forgot to change the example.com.

  • Thanks for the reply, Cleiton, but I am already using the production address; I only changed it to post here. In place of example.com are the appropriate domains for the proxy and the external service. Cheers

  • 1

    I had a similar problem (without SSL). It gave a proxy error for the application hosted on IIS and worked fine on the desktop. In that case the problem was the user of the AppPool my application was using. It was a user with different access from mine and therefore behaved differently from when I ran the desktop app. Are you allowed to put your user directly in the AppPool and select "load user profile" to test?

  • Vitor, thanks for the reply! If I understand correctly, I need to change the identity my AppPool runs under, right? If so, I went to the properties of my AppPool, chose the Configurable option on the Identity tab and entered the user with which I got the console app working. I tested with two different users (one from the domain and a local one), but in neither case did the service work; I get the message Service Unavailable. I also tried switching between the Predefined options: with Local Service I got the same message, and with Local System the service runs but still without an SSL connection.

  • @Vitorcanova I'm sorry, I misspoke: when I set Local Service the service does run (IIS had to be restarted), but I get the message There was an error in serializing body of message synDOCeDownloadXmlRequest: 'Unable to generate a temporary class (result=1). error CS2001: Source file 'C:\WINDOWS\TEMP\qwg3osjc.0.cs' could not be found error CS2008: No inputs specified'. Please see InnerException for more details. The problem still persists.

  • Just to confirm, in the latter case there are no InnerExceptions?

  • In this case the InnerException is part of the exception itself: Unable to generate a temporary class (result=1). error CS2001: Source file 'C:\WINDOWS\TEMP\qwg3osjc.0.cs' could not be found error CS2008: No inputs specified. The strange thing is that I can't run the service when I specify my own user.


3 answers

3

It's not the first time I've seen this kind of situation.

Often we forget to plan for the environment where our application will run, and we overlook this common kind of situation.

Since the proxy was not foreseen, the network can be configured to allow access for your application/machine/port so that it is not necessary to authenticate against the proxy.

If that is not possible, you need to configure a type of authentication programmatically.

Your config should look something like this:

    <bindings>
        <customBinding>
            <binding name="...2Soap12">

                <textMessageEncoding messageVersion="Soap12"/>
                <httpsTransport authenticationScheme="...." requireClientCertificate="???"/>
            </binding>
        </customBinding>
    </bindings>

And the client that will make the call must be configured with an appropriate authentication type (Plain, Kerberos, etc.):

client.ClientCredentials = ???

However, I warn you that getting all these settings right is laborious on the first try, which is why I recommend avoiding the proxy altogether.

  • Indeed, planning is often lacking, perhaps because of a lack of knowledge of the technology used (my case). Maybe that is why I did not understand the answer very well. You said that in the client that will make the call I must provide the credentials; in fact my service is the client of the external web service, which in turn requires a certificate, and the external access is provided by the proxy, which does not ask me for any authentication, because in the console app I did get the SSL connection just by specifying proxyAddress="http://proxy.example.corp:8080" and useDefaultWebProxy="false". Thank you.

2

Given the error message displayed, an answer on stackoverflow.com suggests some hypotheses you should consider, among them that the new computer does not have the certificate chain that establishes trust in the certificate you are using.

If that is not the case, the answer lists other points you can check. If you have difficulty with the English, let me know.

  • 2

    Thank you, that's where I found the solution to my problem!

1

After much research and help from colleagues in the community, I discovered that the problem was the missing configuration of WinHTTP (Microsoft Windows HTTP Services), which does not use the per-user proxy configuration (the one set in IE); it is something separate, used only by services. Basically you need to set it up whenever a service communicates over HTTP with the outside through the proxy.

Below are the steps I executed in my environment (Windows Server 2003) with the tool proxycfg.exe:

  1. Run a command prompt with administrator rights.
  2. To view the current configuration, type just the tool name: proxycfg.exe.
  3. To set up a proxy, use the command proxycfg.exe -p proxy.example.com:8080 "<local>". Take care to replace the proxy correctly. The last parameter, "<local>", is optional and lists the addresses for which the proxy should be bypassed.
  4. Restart the OS and you're done!

For Windows Server 2008 things change a little: proxycfg no longer exists, and the configuration is done with netsh.exe:

  1. Run a command prompt or PowerShell with administrator rights.
  2. To view the current configuration, type the command netsh.exe winhttp show proxy.
  3. To set up a proxy, use the command netsh.exe winhttp set proxy proxy.example.com:8080 "<local>". Take care to replace the proxy correctly. The last parameter, "<local>", is optional and lists the addresses for which the proxy should be bypassed.
  4. Restart the OS and you're done!

Well, in my case that was enough to eliminate the error message:

Could not establish trust relationship for the SSL/TLS secure channel with authority 'Subdominio.example.com.br'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.

On stackoverflow.com there is an answer by colleague Raul Almeida that describes possible problems, including the one I posted here. If you have the same error message and could not resolve it with the procedure I described, I recommend taking a look at that answer!

Sources:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa382925(v=vs.85).aspx
http://technet.microsoft.com/library/cc731131(WS.10).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384069(v=vs.85).aspx

I hope this helps someone!
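The two answers above (missing certificate chain on the server, and the WinHTTP proxy being separate from the user's IE settings) both show up as the same opaque "invalid according to the validation procedure" error. The script below is an added diagnostic, not code from the question or any of the answers: it shows the WinHTTP proxy that services use, then does by hand what a WCF client does when it goes through an HTTP proxy (an HTTP CONNECT tunnel, then the TLS handshake inside it) and reports the actual chain verdict. The host and proxy names are placeholders; the validation callback returns the real verdict and must never be changed to return $true unconditionally.

```powershell
# Added example (not from the original question or answers).
# Requires PowerShell 2.0+ / .NET 3.5+ (SslStream and TcpClient are .NET 2.0 APIs).
$TargetHost = 'subdominio.example.com.br'   # assumed: the external Java web service host
$TargetPort = 443
$ProxyHost  = 'proxy.example.corp'          # assumed: the corporate HTTP proxy
$ProxyPort  = 8080

# Machine-wide WinHTTP proxy: what services and IIS-hosted WCF use when
# useDefaultWebProxy is on. It is separate from the interactive user's IE settings.
Write-Host '--- WinHTTP proxy (used by services) ---'
netsh.exe winhttp show proxy

function Test-TlsThroughProxy {
    param(
        [string]$TargetHost, [int]$TargetPort,
        [string]$ProxyHost,  [int]$ProxyPort
    )
    $script:verdict = @{}
    $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    $net = $tcp.GetStream()
    try {
        # 1. Ask the proxy for a raw byte tunnel to host:port (HTTP CONNECT).
        #    This is how TLS crosses a plain HTTP proxy: the proxy relays bytes
        #    and never sees the decrypted SOAP traffic.
        $request = "CONNECT ${TargetHost}:${TargetPort} HTTP/1.1`r`nHost: ${TargetHost}:${TargetPort}`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $net.Write($bytes, 0, $bytes.Length)

        # Read the proxy's reply byte by byte so a buffered reader cannot
        # swallow the first bytes of the TLS handshake that follows.
        $reply = ''
        $one = New-Object byte[] 1
        while (-not $reply.EndsWith("`r`n`r`n")) {
            if ($net.Read($one, 0, 1) -le 0) { throw 'Proxy closed the connection during CONNECT' }
            $reply += [char]$one[0]
        }
        $script:verdict.ProxyReply = ($reply -split "`r`n")[0]
        if ($script:verdict.ProxyReply -notmatch '^HTTP/1\.[01] 200') {
            # 407 here means the proxy wants authentication (the first answer's case)
            throw "Proxy refused the tunnel: $($script:verdict.ProxyReply)"
        }

        # 2. TLS inside the tunnel. The callback records the chain status for the
        #    report but still returns the real verdict, so nothing is bypassed.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:verdict.SslPolicyErrors = $errors
            $script:verdict.ServerCert = $cert.Subject
            $script:verdict.Issuer = $cert.Issuer
            $script:verdict.ChainStatus = @($chain.ChainStatus | ForEach-Object {
                "$($_.Status): $($_.StatusInformation.Trim())" })
            return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost)   # hostname must match the certificate
        $script:verdict.Handshake = "OK ($($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit)"
        $ssl.Dispose()
    } catch {
        $script:verdict.Handshake = 'FAILED: ' + $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    return $script:verdict
}

$r = Test-TlsThroughProxy -TargetHost $TargetHost -TargetPort $TargetPort -ProxyHost $ProxyHost -ProxyPort $ProxyPort
$r.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Read the output from the bottom up: a ProxyReply other than 200 is a proxy problem (407 means it wants credentials, which is what the first answer is about); a ChainStatus of UntrustedRoot or PartialChain means the CA chain of the Java service's certificate is not in the machine's certificate store, which is the second answer's hypothesis; RemoteCertificateNameMismatch in SslPolicyErrors means the endpoint host name does not match the certificate. Run it as the AppPool identity (for example with PsExec or a scheduled task) rather than as your own user, since the machine certificate store and the WinHTTP proxy are what the service sees, not your IE settings. To copy the interactive proxy settings to WinHTTP without retyping them, `netsh winhttp import proxy source=ie` does the same thing as the `set proxy` command in the answer above.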
