<secureConversationBootstrap>

Specifies the default values used for initiating a secure conversation service.

<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding>
          <security>
            <secureConversationBootstrap>

Syntax

<secureConversationBootstrap allowSerializedSigningTokenOnReply="Boolean"
                             authenticationMode="AuthenticationMode"
                             defaultAlgorithmSuite="SecurityAlgorithmSuite"
                             includeTimestamp="Boolean"
                             keyEntropyMode="ClientEntropy/ServerEntropy/CombinedEntropy"
                             messageProtectionOrder="SignBeforeEncrypt/SignBeforeEncryptAndEncryptSignature/EncryptBeforeSign"
                             messageSecurityVersion="WSSecurityJan2004/WSSecurityXXX2005"
                             requireDerivedKeys="Boolean"
                             requireSecurityContextCancellation="Boolean"
                             requireSignatureConfirmation="Boolean"
                             securityHeaderLayout="Strict/Lax/LaxTimestampFirst/LaxTimestampLast" />

Type

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute Description
allowSerializedSigningTokenOnReply Optional. A Boolean value that specifies whether a serialized token can be used on the reply. The default value is false. When using a dual binding, the setting defaults to true and any setting made will be ignored.
authenticationMode Specifies the SOAP authentication mode used between the initiator and the responder.

The default is sspiNegotiated.

This attribute is of type AuthenticationMode.
defaultAlgorithmSuite The security algorithm suite defines a set of algorithms: Canonicalization, Digest, KeyWrap, Signature, Encryption, and KeyDerivation. Each security algorithm suite defines values for these different parameters. Message-based security is achieved using these algorithms.

This attribute is used when working with a different platform that opts for a set of algorithms different than the default. You should be aware of the strengths and weaknesses of the relevant algorithms when making modifications to this setting. This attribute is of type SecurityAlgorithmSuite. The default is Basic256.
includeTimestamp A Boolean value that specifies whether time stamps are included in each message. The default is true.
keyEntropyMode Specifies the way that keys for securing messages are computed. Keys can be based on the client key material only, on the service key material only or a combination of both. Valid values are:

- ClientEntropy: The session key is based off the client provided key material.
- ServerEntropy: The session key is based off the service provided key material.
- CombinedEntropy: The session key is based off the client and service provided keying material.

The default is CombinedEntropy.

This attribute is of type SecurityKeyEntropyMode.
messageProtectionOrder Sets the order in which message level security algorithms are applied to the message. Valid values include the following:

- SignBeforeEncrypt: Sign first, then encrypt.
- SignBeforeEncryptAndEncryptSignature: Sign, encrypt, and encrypt signature.
- EncryptBeforeSign: Encrypt first, then sign.

SignBeforeEncryptAndEncryptSignature is the default value when using mutual certificates with WS-Security 1.1. SignBeforeEncrypt is the default value with WS-Security 1.0.

This attribute is of type MessageProtectionOrder.
messageSecurityVersion Sets the version of WS-Security that is used. Valid values include the following:

- WSSecurityJan2004
- WSSecurityXXX2005

The default is WSSecurityXXX2005. This attribute is of type MessageSecurityVersion.
requireDerivedKeys A Boolean value that specifies whether keys can be derived from the original proof keys. The default is true.
requireSecurityContextCancellation A Boolean value that specifies whether security context should be cancelled and terminated when it is no longer required. The default is true.
requireSignatureConfirmation A Boolean value that specifies whether WS-Security signature confirmation is enabled. When set to true, message signatures are confirmed by the responder. The default is false.

Signature confirmation is used to confirm that the service is responding in full awareness of a request.
securityHeaderLayout Specifies the ordering of the elements in security header. Valid values are:

- Strict. Items are added to the security header according to the general principle of "declare before use".
- Lax. Items are added to the security header in any order that conforms to WSS: SOAP Message Security.
- LaxWithTimestampFirst. Items are added to the security header in any order that conforms to WSS: SOAP Message Security, except that the first element in the security header must be a wsse:Timestamp element.
- LaxWithTimestampLast. Items are added to the security header in any order that conforms to WSS: SOAP Message Security, except that the last element in the security header must be a wsse:Timestamp element.

The default is Strict.

This element is of type SecurityHeaderLayout.

Child Elements

Element Description
<issuedTokenParameters> Specifies a current issued token. This element is of type IssuedTokenParametersElement.
<localClientSettings> Specifies the security settings of a local client for this binding. This element is of type LocalClientSecuritySettingsElement.
<localServiceSettings> Specifies the security settings of a local service for this binding. This element is of type LocalServiceSecuritySettingsElement.
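The following configuration is an added example, not taken from the page above: it places <secureConversationBootstrap> inside a custom binding together with its parent <security> element and both local-settings child elements. The binding name, the HTTP transport and text encoding, and the five-minute clock-skew limit are assumptions chosen for illustration; the attribute values are the ones documented above, with the defaults left implicit except where the comment explains why a setting is spelled out.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <!-- Hypothetical binding name; the outer <security> element runs the
             session (SecureConversation), the bootstrap element controls the
             one-time handshake that establishes the session key. -->
        <binding name="hardenedSecureConversation">
          <security authenticationMode="SecureConversation">
            <secureConversationBootstrap
                authenticationMode="SspiNegotiated"
                defaultAlgorithmSuite="Basic256Sha256"
                includeTimestamp="true"
                keyEntropyMode="CombinedEntropy"
                messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                requireDerivedKeys="true"
                requireSecurityContextCancellation="true"
                requireSignatureConfirmation="true"
                securityHeaderLayout="Strict">
              <!-- includeTimestamp and the timestamp-first layout let the
                   receiver enforce freshness; these child elements bound the
                   clock skew that freshness checks tolerate (assumed value). -->
              <localClientSettings maxClockSkew="00:05:00" />
              <localServiceSettings maxClockSkew="00:05:00" />
            </secureConversationBootstrap>
          </security>
          <textMessageEncoding />
          <httpTransport />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>
```

Setting requireSignatureConfirmation to true on the bootstrap is a deliberate change from the documented default of false; the bootstrap reply then has to echo the request signature, which ties the handshake response to the exact request the client sent.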

Parent Elements

Element Description
<security> Specifies the security options for a custom binding.