How to call a SOAP web service over HTTPS by using a client certificate?

Problem.

I needed to consume a SOAP 1.2 web service over HTTPS where I have to authenticate using a certificate. So I received a *.p12 (PKCS12) file, which contains a private key with its X.509 certificate. All of this should work in batch. How can it be achieved?

Tool.

I find consuming web services a pretty nice thing, but it turned out to be a much more complicated case, at least for me, because I had some trouble with all these certificate things.

But it’s working, so let me share how I got through it step by step!

Step by step.

  1. I received a *.wsdl (web service description) file and a *.p12 (PKCS12) file with the private key and certificate.
  2. The first thing is to install your *.p12 file. HERE is a nice article from Microsoft on how to do all this stuff, but what I would mark as mandatory steps are:

     1. If you are using multiple AOS, you have to do it on each of them. Install your certificates in the „LOCAL MACHINE” store, not „CURRENT USER”.
     2. Make sure that the CA certificate is placed in „Certification Authorities” and the private key is in the „Personal” store. After you double-click your private key, there should be no warnings; you should find that it is valid and everything is working.
     3. Grant full access to all „system-related” users which take part in executing a batch job.
        If everything is fine, the first step to validate our work is to enter your web service URL in the browser, which should ask you to select your private key. If your list is empty, something went wrong.
     4. NOTE: Some service vendors maintain a whitelist of IPs which are allowed to access the service. If you think that you did everything fine and still cannot get to the WS through the browser, make sure you are „whitelisted”. It will save you a lot of time!
  3. If our private key and X.509 certificate are properly installed, we can create our Visual Studio project and add the service reference.
  4. Now comes an important step, because there are a lot of binding types, and doing decent research can save you some time when trying to create a connection with the other side.

    In my case, the app.config file after adding the service reference looks like this:

    The only thing I need, as I am using it one-way (me sending data), is to say that this HTTPS connection requires my client certificate to be validated, so I added „requireClientCertificate” to the tag. The bindings are ready, so we have to load our client certificate and, as always, there are a few ways to do it. Here is the most elegant one, but in Microsoft Dynamics AX2012 I found it problematic, especially when working with multiple AOS: despite deploying the project from the Visual Studio level, with the changes visible in \Program Files\Microsoft Dynamics AX\Server\* AOS *\bin\VSAssembly, the system somehow remembered the previous configs and that made testing difficult. You can also create the endpoint and bindings and load the client certificate directly in Microsoft Dynamics AX2012 using .NET objects, but it will be much less readable and harder to maintain, so…

    Create an endpoint behavior in your app.config and load your certificate from the local machine store using any method; I used „FindByThumbprint” (I recommend retyping the thumbprint rather than copying it, as there are invisible characters in front of it). That's all. Now assign this behavior to your client endpoint, so after all, app.config should look like this.

  5. If your application config is fine and the certificate is found and properly loaded, you should be able to create a connection with the service. You can create a console application in Visual Studio to validate it; this saves time because, of course, some things can go wrong in Microsoft Dynamics AX, and this way you will be sure that it is working from the Visual Studio level.

  6. That's all. You can now go to Microsoft Dynamics AX and call this web service. You should be able to reference your Visual Studio project and use the objects which were created after adding the service reference.
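As an added example (not the author's own app.config, which is not reproduced in this post), this is what the WCF client configuration described in steps 4 and 5 looks like when put together: a customBinding with SOAP 1.2 message encoding and an httpsTransport that requires the client certificate, an endpoint behavior that loads the certificate from the Local Machine „Personal” store (storeName="My") by thumbprint, and a client endpoint that references both. The service address, contract name, configuration names and the thumbprint are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <!-- SOAP 1.2 over HTTPS; the server must see our client certificate
             during the TLS handshake, hence requireClientCertificate. -->
        <binding name="Soap12HttpsBinding">
          <textMessageEncoding messageVersion="Soap12" />
          <httpsTransport requireClientCertificate="true" />
        </binding>
      </customBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <!-- Loads the private key + X.509 certificate installed in step 2:
             LOCAL MACHINE store, "Personal" folder (storeName="My"). -->
        <behavior name="ClientCertificateBehavior">
          <clientCredentials>
            <!-- Type the thumbprint by hand: the value copied from the
                 certificate dialog carries invisible characters in front,
                 and FindByThumbprint would then silently find nothing. -->
            <clientCertificate findValue="THUMBPRINT_PLACEHOLDER"
                               storeLocation="LocalMachine"
                               storeName="My"
                               x509FindType="FindByThumbprint" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

    <client>
      <!-- The endpoint generated by "Add Service Reference", pointed at the
           custom binding above and tagged with the certificate behavior. -->
      <endpoint name="Soap12HttpsEndpoint"
                address="https://service.example.invalid/soap"
                binding="customBinding"
                bindingConfiguration="Soap12HttpsBinding"
                behaviorConfiguration="ClientCertificateBehavior"
                contract="ServiceReference1.IServiceContract" />
    </client>
  </system.serviceModel>
</configuration>
```

Because the batch job runs under the AOS service account, that account is the one that needs read access to the private key in the Local Machine store (step 2.3); a configuration that works interactively but fails in batch is usually this permission, not the binding.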

I hope it will help you! 👏

If you think that there is a better way to solve this problem, please send me an email through the „Contact” form or leave a comment; I will keep this post updated!
