I am trying to use WCF to design a web service over the internet. The requirement is that we need to provide TLS (Transport Layer Security) and MLS (Message Layer Security). For this purpose, we are using "ws2007HttpBinding" with the security mode set to "TransportWithMessageCredential". Here, I find that the request is transferred over SSL, but when using Fiddler (for HTTPS) I find that the SOAP body is in clear text.
For the transport-level security, I have used "None" as the ClientCredentialType, and for message-level security, I have used "Certificate" as the ClientCredentialType.
I am using .NET Framework 3.5.
For your information, I am using different certificates for SSL and the server.
My Web.config for the server is as follows:
<system.serviceModel>
  <services>
    <service behaviorConfiguration="API_WCF.Service1Behavior" name="API_WCF.API">
      <endpoint address="https://localhost/API_WCF/API.svc" name="API" binding="ws2007HttpBinding" bindingConfiguration="customWsHttpBinding" contract="API_WCF.IARDAPI">
        <identity>
          <dns />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <ws2007HttpBinding>
      <binding name="customWsHttpBinding">
        <!-- For http -->
        <!--
        <security mode="Message">
          <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
        </security>
        -->
        <!-- For https -->
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None"/>
          <message clientCredentialType="Certificate" negotiateServiceCredential="false" establishSecurityContext="false"/>
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="API_WCF.Service1Behavior">
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpsGetEnabled="true" httpsGetUrl="https://localhost/API_WCF/API.svc/API"/>
        <serviceCredentials>
          <serviceCertificate findValue="CN=WSE2QuickStartServer" storeLocation="LocalMachine" x509FindType="FindBySubjectDistinguishedName" storeName="My"/>
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
          </clientCertificate>
        </serviceCredentials>
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <diagnostics wmiProviderEnabled="true" performanceCounters="ServiceOnly">
    <messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="3000"/>
  </diagnostics>
</system.serviceModel>
Kindly guide me on how to achieve message-level security together with transport-layer security in WCF over the internet.
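
A way to check what a Fiddler capture like the one described above actually contains, as an added example that is not part of the original post: this Python function reads a SOAP envelope (after TLS has been decrypted by the proxy) and reports whether the body is signed or encrypted at the message layer, or whether only a WS-Security header is present. The function name `inspect_envelope` and both sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

S12 = "http://www.w3.org/2003/05/soap-envelope"      # SOAP 1.2
S11 = "http://schemas.xmlsoap.org/soap/envelope/"    # SOAP 1.1
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSSE, WSU = OASIS + "secext-1.0.xsd", OASIS + "utility-1.0.xsd"
XENC, DS = "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2000/09/xmldsig#"

def inspect_envelope(xml_text):
    """Report which WS-Security protections are visible in a SOAP envelope."""
    root = ET.fromstring(xml_text)
    soap = next((ns for ns in (S12, S11) if root.tag == "{%s}Envelope" % ns), None)
    if soap is None:
        raise ValueError("not a SOAP envelope")
    body = root.find("{%s}Body" % soap)
    if body is None:
        raise ValueError("envelope has no Body")
    sec = root.find("{%s}Header/{%s}Security" % (soap, WSSE))
    # URIs covered by the XML signature, e.g. "#_0" for the timestamp
    refs = [r.get("URI") for r in sec.iter("{%s}Reference" % DS)] if sec is not None else []
    body_id = body.get("{%s}Id" % WSU)
    kids = list(body)
    return {
        "security_header": sec is not None,
        "signature": sec is not None and sec.find("{%s}Signature" % DS) is not None,
        # the body is signed only if the signature references the Body's wsu:Id
        "body_signed": body_id is not None and "#" + body_id in refs,
        # message-level encryption replaces the body content with xenc:EncryptedData
        "body_encrypted": bool(kids) and all(k.tag == "{%s}EncryptedData" % XENC for k in kids),
    }

# Constructed, heavily trimmed samples (not captured traffic).
_ENV = ('<s:Envelope xmlns:s="%s" xmlns:o="%s" xmlns:u="%s" xmlns:e="%s" xmlns:d="%s">'
        '<s:Header><o:Security><u:Timestamp u:Id="_0"/>'
        '<d:Signature><d:SignedInfo>%%s</d:SignedInfo></d:Signature></o:Security></s:Header>'
        '<s:Body%%s>%%s</s:Body></s:Envelope>') % (S12, WSSE, WSU, XENC, DS)

# Security header and signed timestamp present, body readable (as observed in the post).
HEADER_ONLY = _ENV % ('<d:Reference URI="#_0"/>', '',
                      '<GetOrder xmlns="urn:example"><Id>42</Id></GetOrder>')
# Body signed and encrypted at the message layer.
BODY_PROTECTED = _ENV % ('<d:Reference URI="#_0"/><d:Reference URI="#_1"/>',
                         ' u:Id="_1"', '<e:EncryptedData/>')

if __name__ == "__main__":
    for name, env in (("HEADER_ONLY", HEADER_ONLY), ("BODY_PROTECTED", BODY_PROTECTED)):
        print(name, inspect_envelope(env))
```

Running it against the request saved from the proxy shows directly whether the clear-text body is accompanied by a message-layer signature or by no message protection of the body at all.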