Calling a SOAP 1.1 Web Service using WS-Security and HTTPS

I recently had to update an .NET application to enable support for calling SOAP 1.1 Web Services using the WS-Security UsernameToken support over HTTPS with a self-signed TLS certificate. In the end, I had to use a custom binding, since there wasn’t a built in one that suited my requirements; for example, basicHttpBinding supports SOAP 1.1 but not HTTPS while wsHttpBinding supports HTTPS but only using SOAP 1.2.

Let’s break it down into steps:

Adding SOAP headers to send the username and password

The simplest way of adding credentials to every request is to add the SOAP header XML in your App.config:

<system.serviceModel>
  <client>
    <endpoint address="http://example.com/MyWebService" binding="basicHttpBinding" contract="IMyWebService">
      <headers>
        <wsse:UsernameToken xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' >
          <wsse:Username>Username</wsse:Username>
          <wsse:Password>Password</wsse:Password>
        </wsse:UsernameToken>
      </headers>
    </endpoint>
  </client>
</system.serviceModel>

Specify HTTPS and SOAP 1.1

In your App.config:

<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="wsHttpSoap11">
        <textMessageEncoding messageVersion="Soap11"/>
        <httpsTransport/>
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="https://example.com/MyWebService" binding="customBinding" bindingConfiguration="wsHttpSoap11"  contract="IMyWebService">
...
    </endpoint>
  </client>
</system.serviceModel>

At this point, I received the error message “Could not establish trust relationship for the SSL/TLS secure channel with authority” because I was using a self-signed certificate. I had designated the certificate as trusted, and importantly, import it as a Trusted Root Certification Authority. This can be done using the following steps:

  1. Start -> Run -> mmc.exe
  2. File -> Add/Remove Snap-in…
  3. Add Certificates snap-in
  4. Select the Trusted Root Certification Authority folder
  5. Action -> All Tasks -> Import…