WCF consuming external Java WebService with HTTPS and proxy

4

I have a WCF service that consumes a Web Service (developed in Java) where I need to connect to HTTPS using a certificate. So far everything works fine, however, in production environment my client uses a proxy and I am not able to establish an SSL connection through the proxy.

My Binding of the web.config of the development environment (which works) looks like this:

<system.serviceModel>
<bindings>
  <customBinding>
    <binding name="DOCeManagerServiceSoap12Binding">
      <textMessageEncoding messageVersion="Soap12"/>
      <httpsTransport />
    </binding>
  </customBinding>
</bindings>
<client>
  <endpoint address="https://example.com.br:443/DFeWeb/services/DOCeManagerService.DOCeManagerServiceHttpsSoap12Endpoint/"
    behaviorConfiguration="TestServiceBehavior" binding="customBinding"
    bindingConfiguration="DOCeManagerServiceSoap12Binding" contract="DOCeManagerService.DOCeManagerServicePortType"
    name="DOCeManagerServiceHttpsSoap12Endpoint">
  </endpoint>
</client>
<behaviors>
  <endpointBehaviors>
    <behavior name="TestServiceBehavior">
      <clientCredentials>
        <clientCertificate findValue="01FE53"
                           storeName="TrustedPublisher"
                           storeLocation="LocalMachine"
                           x509FindType="FindBySerialNumber"/>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior>
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpGetEnabled="true" />
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>

In the production environment I tried to modify this point only:

<httpsTransport bypassProxyOnLocal="true" proxyAddress="http://proxy.example.corp:8080" useDefaultWebProxy="false" />

I get the following error:

Could not establish trust relationship for SSL/TLS secure channel with authority 'subdomain.example.com'. The underlying connection was closed: Could not establish trust relationship for SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.

I have tried numerous configurations but none of them solved my problem.

Update 1: I was thinking that the problem was related to the fact that I am making an SSL connection through a proxy that does not support SSL, but if I move my code to a console application and give it the proxy, it connects and consumes the method. So I do not understand how I was able to connect over SSL through an HTTP proxy from the console application and not from WCF. Any ideas?

Update 2: On colleagues' recommendation I tried to run the service on IIS under my own user (the same one with which I got the SSL connection through the console application), but I do not know if I did it right or if something is missing; the service is unavailable (Service Unavailable). If someone has already done this and can help me, it would be useful to eliminate that possibility.

Update 3: I have updated the error message I get when I try to connect by adding the InnerException. When it says "The remote certificate is invalid according to the validation procedure.", does this refer to the server whose service I am consuming?

asked by anonymous 31.01.2014 / 20:21

3 answers

1

After much research and help from colleagues in the community, I discovered that the problem was the lack of configuration of WinHTTP (Microsoft Windows HTTP Services), which does not use the same proxy configuration as users or Internet Explorer; it is something separate, just for services. Basically you need to configure it whenever a service communicates over HTTP with an external address through the proxy.

Below I will put the procedure that I executed in the environment (Windows Server 2003) using the proxycfg.exe tool:

  • Run the command prompt with admin rights.
  • To view the current configuration, enter only the name of the tool: proxycfg.exe
  • To configure a proxy, use the command proxycfg.exe -p proxy.example.com:8080 "<local>". Make sure you replace the proxy correctly. The last parameter "<local>" is optional and specifies where the proxy should be bypassed.
  • Restart IIS and you're done!

For Windows 2008 things change a little: proxycfg no longer exists and the configuration is done with netsh.exe.

  • Run the command prompt or PowerShell with admin rights.
  • To view the current configuration, type the command netsh.exe winhttp show proxy
  • To configure a proxy, use the command netsh.exe winhttp set proxy proxy.example.com:8080 "<local>". Be sure to replace the proxy correctly. The last parameter "<local>" is optional and specifies where the proxy should be bypassed.
  • Restart IIS and you're done!

Well, in my case this was enough to get rid of the error message:

    Could not establish trust relationship for SSL/TLS secure channel with authority 'subdomain.example.com'. The underlying connection was closed: Could not establish trust relationship for SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.

    On stackoverflow.com there is an answer from colleague Raul Almeida that describes possible problems, including the one I posted here. If you have the same error message and could not resolve it with the procedure I described, I recommend taking a look at that answer!

    Sources:
    link
    link

    05.02.2014 / 19:31
    3

    It's not the first time I see this kind of situation happening.

    We often forget to plan the environment where our application will run and let this common type of situation go unnoticed.

    Since the proxy was not provided for, the network can be configured to allow access for your application / machine / port so that proxy authentication is not required.

    If this is not possible, you need to set up an authentication type programmatically.

    Your config should look something like this:

        <bindings>
            <customBinding>
                <binding name="...2Soap12">
                    <textMessageEncoding messageVersion="Soap12"/>
                    <httpsTransport authenticationScheme="...." requireClientCertificate="???"/>
                </binding>
            </customBinding>
        </bindings>

    And the client that will perform the call must be configured with an appropriate authentication type (Basic, Kerberos, etc.):

    client.ClientCredentials = ???

    But I warn you that getting all these settings right is laborious on the first try, and that is why I recommend avoiding the proxy altogether.

    04.02.2014 / 16:42
    2

    Given the error message that appears, according to an answer on stackoverflow.com you should check some assumptions, among them that the new computer does not have the certificate chain that makes the certificate you are using trusted.

    If this is not the case, that answer lists other points you can check. If you have difficulty with English, let me know.

    04.02.2014 / 18:52
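An added diagnostic, not from the question or any of the answers, for the question raised in Update 3 and in this answer: a C# callback for the process-wide server-certificate validation hook that WCF's HTTPS transport uses, which logs why .NET rejected the remote (server) certificate, rebuilding its chain on the client machine so a missing intermediate or root CA shows up by name, while still rejecting anything .NET did not trust. Class and method names are my own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: explains "The remote certificate is invalid according to
// the validation procedure" without weakening validation.
static class TlsTrustDiagnostics
{
    // Call once at process start, before the WCF client proxy is created.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;
    }

    // Returns true only when .NET found no policy errors; everything else here
    // is logging to show which link of the chain is missing on this machine.
    static bool LogAndValidate(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
            return false;   // nothing presented: never accept

        var cert = new X509Certificate2(certificate);
        Console.WriteLine("Remote certificate: {0}", cert.Subject);
        Console.WriteLine("Issuer:             {0}", cert.Issuer);
        Console.WriteLine("Policy errors:      {0}", errors);   // e.g. RemoteCertificateChainErrors

        // Rebuild the chain locally: if the intermediate/root CA is absent from
        // this machine's store, the status below names it (PartialChain, UntrustedRoot).
        var local = new X509Chain();
        local.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // diagnosis only
        bool built = local.Build(cert);
        Console.WriteLine("Local chain build:  {0}", built ? "OK" : "FAILED");
        foreach (X509ChainElement element in local.ChainElements)
        {
            Console.WriteLine("  chain: {0}", element.Certificate.Subject);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("    -> {0}: {1}", status.Status, status.StatusInformation.Trim());
        }

        // Returning true here on an error would disable server authentication and
        // silently accept the proxy's (or anyone's) certificate. Fix the trust
        // store or the proxy instead.
        return errors == SslPolicyErrors.None;
    }
}
```

If the local chain build reports a missing issuer, install that CA certificate in the production machine's store; if it builds cleanly but the policy errors show a name mismatch, the proxy is answering with its own certificate rather than tunnelling the TLS connection.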