WCF-NetTcp Transport Properties Dialog Box, Send, Security Tab

Use the Security tab to define the security capabilities of the WCF-NetTcp send adapter.

Use this | To do this

Security mode

Specify the type of security that is used. Valid values include the following:

  • None: Messages are not secured during transfer.

  • Transport: Transport security is provided using TLS over TCP or SPNego. It is possible to control the protection level with this mode.

  • Message: Security is provided using SOAP message security. By default, the SOAP Body is encrypted and signed. This mode lets you control options such as whether the service credentials are available at the client out of band, and which algorithm suite to use.

  • TransportWithMessageCredential: Transport security is coupled with message security. Transport security is provided by TLS over TCP, or SPNego, and ensures integrity, confidentiality, and server authentication. SOAP message security provides client authentication. To use this mode, the CA certificate chain for the service's X.509 certificate must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the service can be authenticated to the send port.

    Note
    This security mode cannot be used when the Transport client credential type property is set to None.

The default is Transport.

Transport client credential type

Specify the type of credential to be used when performing the send port authentication. Valid values include the following:

  • None: No authentication occurs at the transport level. This credential type supports only EncryptAndSign for the Transport protection level property. The CA certificate chain for the service's X.509 certificate must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the service can be authenticated to the send port.

  • Windows: Windows integrated authentication of the client using SP Negotiation (Kerberos negotiation). The user account under which this send port runs is used for services to authenticate this send port. You must configure the User principal name property to the user account name running the destination service by using the Identity Editor dialog box.

  • Certificate: Client authentication using the client certificate specified through the Client certificate - Thumbprint property. This uses SSL Negotiation. This credential type supports only EncryptAndSign for the Transport protection level property. The CA certificate chain for the service X.509 certificate must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the service can be authenticated to the send port.

The default is Windows.

Transport protection level

Define security at the level of the TCP transport. Signing messages mitigates the risk of a third party tampering with the message while it is being transferred. Encryption provides data-level privacy during transport. Valid values include the following:

  • None: No protection.

  • Sign: Messages are signed.

  • EncryptAndSign: Messages are encrypted and signed.

The default value is EncryptAndSign.

Message client credential type

Specify the type of credential to be used when performing client authentication using message-based security. Valid values include the following:

  • None: This allows the service to interact with anonymous clients. This indicates that this send port does not provide any client credential. The CA certificate chain for the service X.509 certificate must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the service can be authenticated to the send port.

  • Windows: Allow the SOAP exchanges to be under the authenticated context of a Windows credential. The user account under which this send port runs is used for services to authenticate this send port. The client credential is passed through the SOAP Header element using the WSS SOAP Message Security Kerberos Token Profile 1.0 protocol. You must configure the User principal name property to the user account name running the destination service by using the Identity Editor dialog box.

  • UserName: This send port is authenticated to services with a UserName credential. The credential is passed through the SOAP Header element using the WSS SOAP Message Security UsernameToken Profile 1.0 protocol. This option requires configuring the Client credentials property. The CA certificate chain for the service X.509 certificate must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the service can be authenticated to the send port.

  • Certificate: This send port is authenticated to services using the client certificate specified through the Client certificate - Thumbprint property. The credential is passed through the SOAP Header element using the WSS SOAP Message Security X509 Token Profile 1.0 protocol. The CA certificate chain for the service X.509 certificate must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the service can be authenticated to the send port.

The default is Windows.

Algorithm suite

Specify the message encryption and key-wrap algorithms. These algorithms map to those specified in the Security Policy Language (WS-SecurityPolicy) specification. Possible values are:

  • Basic128: Use Aes128 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • Basic256Rsa15: Use Aes256 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.

  • Basic128Sha256: Use Aes256 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • Basic128Sha256Rsa15: Use Aes128 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.

  • Basic192: Use Aes192 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • Basic192Rsa15: Use Aes192 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.

  • Basic192Sha256: Use Aes192 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • Basic192Sha256Rsa15: Use Aes192 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.

  • Basic256: Use Aes256 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • Basic256Rsa15: Use Aes256 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.

  • Basic256Sha256: Use Aes256 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • Basic256Sha256Rsa15: Use Aes256 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.

  • TripleDes: Use TripleDes encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • TripleDesRsa15: Use TripleDes encryption, Sha1 for message digest, and Rsa15 for key wrap.

  • TripleDesSha256: Use TripleDes for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.

  • TripleDesSha256Rsa15: Use TripleDes for message encryption, Sha256 for message digest, and Rsa15 for key wrap.

The default value is Basic256.

Client certificate - Thumbprint

Specify the thumbprint of the X.509 certificate for authenticating this send port to a service. The thumbprint can be selected by navigating the My store in the Current User location with the Browse button.

Note
You must install the client certificate into the Current User location of the user account for the send handler hosting this send port.

Minimum length: 0

Maximum length: 40

The default is an empty string.

Client credentials

Specify the credentials for sending messages when using UserName for the Message client credential type property. You can specify the property by clicking the Edit Credentials button.

The default value is Do not use Single Sign-On.
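The constraints stated under Security mode, the two client credential type properties, Client certificate - Thumbprint and Client credentials can be checked together before a send port is deployed. The following is an added example, not code from the product or its documentation; the dictionary keys are hypothetical names that mirror the dialog labels, and the algorithm-suite check reflects an assumed local policy rather than a rule from this page.

```python
import re

# Keys are hypothetical names for this example, mirroring the dialog's labels;
# they are not BizTalk's own property identifiers. Defaults are the page's.
DEFAULTS = {"security_mode": "Transport", "transport_credential": "Windows",
            "transport_protection": "EncryptAndSign", "message_credential": "Windows",
            "algorithm_suite": "Basic256", "client_thumbprint": "",
            "user_principal_name": "", "client_credentials_set": False}

def audit_security_tab(settings):
    """Return findings for one send port; an empty list means nothing was flagged."""
    c = {**DEFAULTS, **settings}
    mode, out = c["security_mode"], []
    transport = mode in ("Transport", "TransportWithMessageCredential")
    message = mode in ("Message", "TransportWithMessageCredential")
    t_cred = c["transport_credential"] if transport else None
    m_cred = c["message_credential"] if message else None
    if mode == "None":
        out.append("mode None: messages are not secured during transfer")
    if mode == "TransportWithMessageCredential" and t_cred == "None":
        out.append("TransportWithMessageCredential cannot be used with transport credential None")
    if transport and c["transport_protection"] != "EncryptAndSign":
        if t_cred in ("None", "Certificate"):
            out.append(f"transport credential {t_cred} supports only EncryptAndSign")
        else:
            out.append(f"protection level {c['transport_protection']}: traffic is not encrypted")
    # Assumption: a thumbprint is 40 hex digits (the page caps the field at 40).
    if "Certificate" in (t_cred, m_cred) and not re.fullmatch(
            r"[0-9A-Fa-f]{40}", c["client_thumbprint"]):
        out.append("Certificate credential needs a 40-hex-digit client thumbprint")
    if "Windows" in (t_cred, m_cred) and not c["user_principal_name"]:
        out.append("Windows credential needs the User principal name property")
    if m_cred == "UserName" and not c["client_credentials_set"]:
        out.append("UserName credential needs the Client credentials property")
    if message:
        # Assumption (local policy, not a rule from the page): prefer Sha256 digest
        # and OAEP key wrap; suite names without "Sha256" use Sha1 per the list above.
        suite = c["algorithm_suite"]
        weak = [w for w, hit in (("Sha1", "Sha256" not in suite),
                                 ("Rsa15", "Rsa15" in suite),
                                 ("TripleDes", suite.startswith("TripleDes"))) if hit]
        if weak:
            out.append(f"algorithm suite {suite} uses {', '.join(weak)}")
    return out

# Constructed sample settings, not taken from a real deployment.
SAMPLE = {"security_mode": "TransportWithMessageCredential",
          "transport_credential": "None", "message_credential": "UserName"}
```

Calling audit_security_tab(SAMPLE) reports the disallowed mode and credential pairing, the missing Client credentials, and the Sha1 digest of the default Basic256 suite.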
