none
MessageSecurityException: The security header element 'Timestamp' with the "TS-5EECBC4EA3744DD47B156568609927716" id must be signed. RRS feed

  • Question

  • I have a BizTalk Receive Location that is receiving a Signed and Encrypted message which has a Timestamp element under the wsse:Security element...

    The client here is SoapUI so if I turn off adding the Timestamp with the Signing and Encrypting Certificates the message is processed. Unfortunately the sending client is a third party who include the Timestamp element in their request.

    My Receive Location is set up thus...

    <?xml version="1.0"?>
    <configuration>
      <enterpriseLibrary.ConfigurationSource selectedSource="ESB File Configuration Source" />
      <system.serviceModel>
        <services>
          <service behaviorConfiguration="ServiceBehavior" name="BizTalk">
            <endpoint address="http://localhost/AVATS.eVisa.EnrolServiceV2/AVATS_eVisa_EnrolServiceV2_Orchestrations_EnrolmentRequest_EnrolmentServicePort.svc" behaviorConfiguration="EndpointBehavior" binding="customBinding" bindingConfiguration="97affdc6-4c76-4a9b-9880-276dbfe03e63" name="UK HO Atlas Enrolment Service - Enrolment Request Receive Location" contract="BizTalk" />
          </service>
        </services>
        <behaviors>
          <endpointBehaviors>
            <behavior name="EndpointBehavior" />
          </endpointBehaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior">
              <serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="SuccessOrFailure" messageAuthenticationAuditLevel="SuccessOrFailure" />
              <serviceCredentials>
                <clientCertificate>
                  <certificate findValue="79ae210b94a77bce5ea78820becacf13be7b7cda" x509FindType="FindByThumbprint" />
                  <authentication revocationMode="NoCheck" />
                </clientCertificate>
                <serviceCertificate findValue="b6c5d26b759b4b488e44ad5127edaa94e3af0a21" x509FindType="FindByThumbprint" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <customBinding>
            <clear />
            <binding name="97affdc6-4c76-4a9b-9880-276dbfe03e63">
              <security defaultAlgorithmSuite="Basic256Sha256Rsa15" enableUnsecuredResponse="true" authenticationMode="MutualCertificateDuplex" includeTimestamp="false" messageProtectionOrder="SignBeforeEncrypt">
                <localClientSettings detectReplays="false" />
                <localServiceSettings detectReplays="false" />
                <secureConversationBootstrap>
                  <localClientSettings detectReplays="false" />
                  <localServiceSettings detectReplays="false" />
                </secureConversationBootstrap>
              </security>
              <mtomMessageEncoding messageVersion="Soap12" />
              <httpTransport maxReceivedMessageSize="20000000" />
            </binding>
          </customBinding>
        </bindings>
      </system.serviceModel>
    </configuration>
    I can't seem to find a setting which disables the checking for a Timestamp so I am thinking of writing a custom component to strip off the Timestamp element as I don't need it in my Application. Problem is I am not sure what .NET class to override to achieve this.

    Tuesday, August 13, 2019 3:23 PM

All replies