Question
Coforge
GB
Last activity: 31 Mar 2025 9:20 EDT
Unable to connect to WCF webservice using SOAP Connector
Hi All,
We have a requirement to call WCF webservice. We are on Pega 24.2, pega cloud.
Steps done:
1) I have added JKS using CSR and in my keystore , and client installed this CSR as well.
2) Created WS-Security rule and referred in my connect rule, configured outflow and added signature.
3) But in Pega I am getting runtime exception when we run connector.
Not sure how to proceed further.
QS:
1)WsHttpBinding - is this supported now in Pega ?
2)Do we need to customise InvokeAxix2 activity?
3)How to add these below highlighted elements in request XML.
Pls can someone throw somelight here?
Requirement of the WCF service:
- WCF Security Mode
The (XYZ) WCF implementation uses the TransportWithMessageCredential security mode with CertificateOverTransport authentication mode. This provides the confidentiality and integrity of the transmitted messages (SSL over HTTP [HTTPS] in our case) and the details required to perform the service authentication. The client authentication is performed by putting the client credentials directly in the message. (XYZ) WCF uses ClientCredentialType = ”Certificate” for authentication.
Hi All,
We have a requirement to call WCF webservice. We are on Pega 24.2, pega cloud.
Steps done:
1) I have added JKS using CSR and in my keystore , and client installed this CSR as well.
2) Created WS-Security rule and referred in my connect rule, configured outflow and added signature.
3) But in Pega I am getting runtime exception when we run connector.
Not sure how to proceed further.
QS:
1)WsHttpBinding - is this supported now in Pega ?
2)Do we need to customise InvokeAxix2 activity?
3)How to add these below highlighted elements in request XML.
Pls can someone throw somelight here?
Requirement of the WCF service:
- WCF Security Mode
The (XYZ) WCF implementation uses the TransportWithMessageCredential security mode with CertificateOverTransport authentication mode. This provides the confidentiality and integrity of the transmitted messages (SSL over HTTP [HTTPS] in our case) and the details required to perform the service authentication. The client authentication is performed by putting the client credentials directly in the message. (XYZ) WCF uses ClientCredentialType = ”Certificate” for authentication.
The most significant difference from the previous WSE-based (XYZ) Web Service is there no longer any need for the client to encrypt the request using the (XYZ) certificate or decrypt the response using their client certificate – encryption is performed by the Transport (SSL), with the client certificate only used for identification/authentication purposes.
The main steps in the WCF process are as follows: -
- Client connects to (XYZ) over HTTPS - it validates trust to the (XYZ) certificate to build the HTTPS connection
- HTTPS itself (transport security) ensures encryption and integrity on the transport level
- Certificate is only for client authentication - no need to encrypt the message
- Client passes the client certificate (public key) to (XYZ) and uses its private key to sign headers
- (XYZ) receives the certificate details in the request and validates that it trusts it
- (XYZ) uses received public key to validate signatures
- (XYZ) processes the request and returns response – it doesn't sign headers in the response
- Client receives the response, and it is simply trusted because it is returned over an HTTPS connection established by the client
Pegasystems Inc.
GB
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Regarding WsHttpBinding Support
WsHttpBinding is a common binding type in WCF services that supports transport security with message credentials. While Pega's SOAP connector doesn't explicitly advertise support for specific WCF binding types by name, it does support the underlying security mechanisms that WsHttpBinding uses, particularly when configured with TransportWithMessageCredential security mode and CertificateOverTransport authentication.
Customizing InvokeAxis2 Activity
Yes, you likely need to customize the InvokeAxis2 activity to handle the specific requirements of your WCF service. The InvokeAxis2 activity is the core component that Pega uses to execute SOAP calls. For certificate-based authentication with WCF services, you'll need to:
- Ensure the activity correctly passes your client certificate in the request
- Configure it to handle the TransportWithMessageCredential security mode
- Modify it to properly sign the required headers with your private key
This customization typically involves creating a custom activity that extends or wraps around the standard InvokeAxis2 activity, adding the necessary certificate handling logic.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Regarding WsHttpBinding Support
WsHttpBinding is a common binding type in WCF services that supports transport security with message credentials. While Pega's SOAP connector doesn't explicitly advertise support for specific WCF binding types by name, it does support the underlying security mechanisms that WsHttpBinding uses, particularly when configured with TransportWithMessageCredential security mode and CertificateOverTransport authentication.
Customizing InvokeAxis2 Activity
Yes, you likely need to customize the InvokeAxis2 activity to handle the specific requirements of your WCF service. The InvokeAxis2 activity is the core component that Pega uses to execute SOAP calls. For certificate-based authentication with WCF services, you'll need to:
- Ensure the activity correctly passes your client certificate in the request
- Configure it to handle the TransportWithMessageCredential security mode
- Modify it to properly sign the required headers with your private key
This customization typically involves creating a custom activity that extends or wraps around the standard InvokeAxis2 activity, adding the necessary certificate handling logic.
Adding Required XML Elements to Request
Based on the WCF service requirements you shared, you need to add elements related to certificate authentication in your SOAP request. Here's how to approach this:
- Certificate Elements: You'll need to ensure your client certificate is properly included in the request. This can be done by:
- Configuring WS-Security settings on the Advanced tab of your SOAP connector
- Creating a WS-Security profile that includes certificate details
- Ensuring the client certificate is properly referenced in the security header
- Message Signing: For the client certificate to be used for authentication:
- Configure the connector to sign the appropriate headers using your private key
- Ensure the public key (certificate) is passed to the service
- Transport Security: Since you're using TransportWithMessageCredential with CertificateOverTransport:
- Ensure your connector is configured to use HTTPS
- Verify that the server's certificate is trusted by your Pega environment
Next Steps
Based on your current setup, I recommend the following approach:
- Verify Certificate Configuration:
- Confirm that your JKS keystore is properly configured and accessible
- Ensure the client certificate is correctly installed and referenced
- WS-Security Configuration:
- On the Advanced tab of your Connect SOAP rule, configure WS-Security
- Create a WS-Security profile that includes your certificate details
- Configure the outflow to include signature elements
- Examine SOAP Faults:
- Capture the exact SOAP fault messages you're receiving
- These will provide specific details about what's missing in your request
- Test with Simplified Request:
- Create a simplified test connector that focuses only on authentication
- Once authentication works, add the actual service operations
If you continue to experience issues, it would be helpful to see the exact error messages from the runtime exception, as they often contain specific details about what's missing in the request.
References: [1] https://docs.pega.com/bundle/platform-241/page/platform/data-integration/connect-soap-rules.html [2] https://docs.pega.com/bundle/platform-241/page/platform/data-integration/configuring-advanced-details-soap-connector.html [3] https://docs.pega.com/bundle/platform-241/page/platform/data-integration/using-ws-security-enhance-soap-messages.html