In my latest project I had to build an integration system between two HR products: Allegro HR and SAP Success Factors. It was a very tough job, as both the data models and the internal processes are so different. Part of the solution had to include versioning data and posting it to the SOAP web service. Since we had to send sensitive (HR) data, it was required to encrypt the channel and also sign and encrypt the body of the SOAP envelope.

The fastest way around was to simply Add Service Reference and use the WCF client to do the job:

and simply call it in the code:

The solution required creation of two certificates:

  • client cert
  • service cert

Install the client (key pair) and service (public) certificates on the client machine, pack the service (key pair) and client (public) certificates into a JKS, and set it up with the Java web service (in my case Apache CXF).

... and that's it!

However, when performing the first test we hit a somewhat ambiguous error message from the WCF client:

"The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'."

It indicates that our certificates are wrong, but the self-signed certificates I was provided by the SAP consultant worked fantastically when testing the service with SOAPUI. So what's going on there?

I downloaded the Reference Source code, set it up with Visual Studio for debugging, and found that we were tricked by SOAPUI a bit. SOAPUI allowed us to use those self-signed certificates, while the WCF client found them incomplete. The self-signed certificates, as generated using KeyStore Explorer, were missing the SKI (Subject Key Identifier) extension, which WCF requires to work.
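
A pre-flight check for the missing extension described above, as an added example that is not code from the original project: it looks up the Subject Key Identifier extension (OID 2.5.29.14) on a certificate before it is handed to the WCF client. It assumes .NET Framework 4.7.2 or later (or .NET Core 2.0 or later) for `CertificateRequest`; the class name, helper names and the two subject names are hypothetical, and both certificates are constructed in memory for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SkiPreflight
{
    const string SkiOid = "2.5.29.14"; // id-ce-subjectKeyIdentifier

    // Returns the SKI as a hex string, or null when the extension is absent.
    public static string GetSki(X509Certificate2 cert)
    {
        var ski = cert.Extensions[SkiOid] as X509SubjectKeyIdentifierExtension;
        return ski == null ? null : ski.SubjectKeyIdentifier;
    }

    // Builds a throwaway self-signed certificate (constructed test input).
    static X509Certificate2 MakeSelfSigned(string subject, bool withSki)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (withSki)
                req.CertificateExtensions.Add(
                    new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
            DateTimeOffset now = DateTimeOffset.UtcNow;
            return req.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(1));
        }
    }

    static void Main()
    {
        // Hypothetical subjects standing in for a cert without and with SKI.
        var samples = new[] {
            MakeSelfSigned("CN=constructed-cert-no-ski", false),
            MakeSelfSigned("CN=constructed-cert-with-ski", true)
        };
        foreach (X509Certificate2 cert in samples)
        {
            string ski = GetSki(cert);
            // Per the post, certificates without an SKI were rejected by WCF.
            Console.WriteLine("{0}: {1}", cert.Subject,
                ski == null ? "SKI missing" : "SKI present: " + ski);
            cert.Dispose();
        }
    }
}
```

To check real certificates, load them with `new X509Certificate2(path)` and pass each to `GetSki`.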