Tag: WS-Security

  • Calling a SOAP 1.1 Web Service using WS-Security and HTTPS

    I recently had to update a .NET application to enable support for calling SOAP 1.1 Web Services using the WS-Security UsernameToken support over HTTPS with a self-signed TLS certificate. In the end, I had to use a custom binding, since there wasn’t a built-in one that suited my requirements; for example, basicHttpBinding supports SOAP 1.1 but not HTTPS, while wsHttpBinding supports HTTPS but only using SOAP 1.2.

    Let’s break it down into steps:

    Adding SOAP headers to send the username and password

    The simplest way of adding credentials to every request is to add the SOAP header XML in your App.config:

    <system.serviceModel>
      <client>
        <endpoint address="http://example.com/MyWebService" binding="basicHttpBinding" contract="IMyWebService">
          <headers>
            <wsse:UsernameToken xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' >
              <wsse:Username>Username</wsse:Username>
              <wsse:Password>Password</wsse:Password>
            </wsse:UsernameToken>
          </headers>
        </endpoint>
      </client>
    </system.serviceModel>

    Specify HTTPS and SOAP 1.1

    In your App.config:

    <system.serviceModel>
      <bindings>
        <customBinding>
          <binding name="wsHttpSoap11">
            <textMessageEncoding messageVersion="Soap11"/>
            <httpsTransport/>
          </binding>
        </customBinding>
      </bindings>
      <client>
        <endpoint address="https://example.com/MyWebService" binding="customBinding" bindingConfiguration="wsHttpSoap11"  contract="IMyWebService">
    ...
        </endpoint>
      </client>
    </system.serviceModel>

    At this point, I received the error message “Could not establish trust relationship for the SSL/TLS secure channel with authority” because I was using a self-signed certificate. I had to designate the certificate as trusted and, importantly, import it as a Trusted Root Certification Authority. This can be done using the following steps:

    1. Start -> Run -> mmc.exe
    2. File -> Add/Remove Snap-in…
    3. Add Certificates snap-in
    4. Select the Trusted Root Certification Authority folder
    5. Action -> All Tasks -> Import…
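
    The import steps above can also be scripted. The following PowerShell is an added example, not part of the original post; the file path, the thumbprint placeholder and the choice of the CurrentUser store are assumptions. It checks the certificate before trusting it, because anything placed in the Trusted Root store is trusted for far more than this one endpoint.

    ```powershell
    # Added example: scripted equivalent of the mmc.exe import, with checks first.
    # Assumptions (not from the original post): file path, thumbprint placeholder, store choice.
    $CertPath           = 'C:\temp\mywebservice.cer'           # hypothetical path to the exported server certificate
    $ExpectedThumbprint = '<THUMBPRINT-OBTAINED-OUT-OF-BAND>'  # placeholder: confirm with the service owner
    $StoreLocation      = 'Cert:\CurrentUser\Root'             # Cert:\LocalMachine\Root needs an elevated prompt

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # 1. Trust only the exact certificate you expect, not whatever file you were handed.
    if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
    }

    # 2. A self-signed certificate has identical subject and issuer.
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "Not self-signed (issuer: $($cert.Issuer)); consider importing the issuing CA instead."
    }

    # 3. Refuse a certificate that is outside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # 4. If the certificate is marked as a CA, whoever holds its private key can
    #    issue certificates for other names that this store will then trust.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if ($bc -and $bc.CertificateAuthority) {
        Write-Warning 'Certificate has CA=TRUE; trusting it as a root extends beyond this one service.'
    }

    # 5. Import into the Trusted Root store and confirm it is present.
    Import-Certificate -FilePath $CertPath -CertStoreLocation $StoreLocation | Out-Null
    Get-ChildItem $StoreLocation | Where-Object Thumbprint -eq $cert.Thumbprint |
        Format-List Subject, Thumbprint, NotAfter

    # When the service moves to a CA-issued certificate, remove the trust again:
    # Remove-Item "$StoreLocation\$($cert.Thumbprint)"
    ```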