WCF Service - Certificates and Message Security with UserName Authentication

I am going to create a WCF service that our customers can use to update data on our system. Therefore, it must be accessible via the Internet. I have a book on WCF from which I know that Message Security is the way to go when you make a WCF service available over the Internet. This is because transport security should only be used in environments where you can guarantee that a point-to-point connection exists between the service and the client. Did I understand correctly? Therefore, I want to use Message Security in conjunction with UserName authentication. I understand that for this I need to get a certificate. Our company already owns the SSL certificate that is used for our websites.

  • Can I use the same certificate for WCF service message security?

and

  • Is there a way to protect messages while still interoperating with clients that expect ASMX web services?

For testing purposes, I created my own certificate using Makecert. It worked fine, but I always had to add the certificate to Trusted Persons on the client machine.

  • Is it possible to enable Message Security with the above certificate without forcing the client to manually add the certificate to Trusted Persons?

Now suppose the following scenario:

Company infrastructure

Behind the ISA server / firewall, there are two web servers. The ISA server holds the certificate for www.company.com, so all SSL processing is handled by it. It also routes incoming requests to the web servers accordingly. The newly created WCF service should run on the second web server.

  • Do I need to copy the certificate to the web server in order to be able to use Message Security?

If so, I heard that copying certificates is not good practice because it reduces security. Moving the certificate to the web server is not an option, as it is needed by the websites on web server 1.

  • What are my options in this case?

and

  • What would be the best practice for this scenario, regardless of these requirements?

Thank...

+15
authentication certificate wcf
Jan 13
1 answer

Well prepared question. First of all, I probably read the same book, and I would like to clarify this statement:

This is because you should not use transport security, because it should only be used in environments where you can guarantee that there is a point-to-point between the service and the client.

Yes. HTTPS (Transport Security) offers only point-to-point protection, but IMO people do not understand this scenario correctly. Do you think that when you connect to your Internet banking over HTTPS, somewhere in the middle of the Internet the exchange switches from HTTPS to HTTP? NO! A point-to-point connection means a secure transport channel between the client and the gateway that serves the requested URL. In your scenario, this means a secured transport channel between the client and your ISA server. Communication will not be secured between your ISA server and web server 2. If you want an end-to-end secure channel between the client and web server 2 (so that ISA cannot read the messages), you need message security.

Now to your other questions:

Can I use the same certificate for WCF service message security?

Yes you can, but you need to copy the private key to your web server 2.

Is the message security approach compatible with clients that expect an ASMX web service?

No. A pure ASMX client cannot use message security unless you write a lot of custom headers and SOAP extensions or install WSE 3.0.

Is it possible to enable Message Security with the aforementioned certificate without forcing the client to add the certificate to Trusted Persons manually?

Yes, but the certification authority that issued the certificate must be trusted on the client machine. It is the same with HTTPS. In addition, message-secured services can expose the certificate within the WSDL. Clients can verify the identity of the service with this certificate. I think that in this case you also do not need to install the certificate on the client, but after the certificate expires all clients must be updated.

Do I need to copy the certificate to the web server to be able to use Message Security?

Yes, you do. But this can be a problem, because the certificate may be marked as non-exportable. The best solution is to request a new certificate for this purpose only.

+12
Jan 13 '11 at 12:20
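The configuration the answer describes, as an added example that is not part of the question or answer: a wsHttpBinding endpoint with Message security and UserName credentials, the service certificate looked up by thumbprint, and the client-side validation mode that decides whether the certificate must be in the client's Trusted People store. The thumbprint, service and validator type names are placeholders.

```xml
<!-- Added example (not from the question or answer): web.config fragments for
     Message security with UserName credentials. THUMBPRINT-PLACEHOLDER and the
     Company.* type names are placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageUserName">
        <!-- Message mode: the SOAP message is signed and encrypted end to end,
             so the ISA server in front of web server 2 only forwards opaque XML. -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Company.UpdateService" behaviorConfiguration="MessageCreds">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="MessageUserName"
                contract="Company.IUpdateService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MessageCreds">
        <serviceCredentials>
          <!-- The service certificate: its private key must be present in the
               LocalMachine\My store and readable by the application pool identity. -->
          <serviceCertificate findValue="THUMBPRINT-PLACEHOLDER"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindByThumbprint" />
          <!-- UserName credentials are checked by a custom validator (placeholder type). -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Company.Security.PasswordValidator, Company.Service" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <!-- Client side (app.config): ChainTrust succeeds when the issuing CA is trusted
         on the client. A Makecert self-signed certificate has no trusted issuer, so it
         needs PeerTrust plus a copy in the client's Trusted People store, which is the
         manual step described in the question. -->
    <endpointBehaviors>
      <behavior name="ClientTrust">
        <clientCredentials>
          <serviceCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```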