How can I implement WCF security with a self-signed certificate?

I googled how to configure my WCF service with certificate security and found a number of articles, but I can't decide which one is easy to follow. Also, some of the tools these commands rely on are available in the Visual Studio Command Prompt and some are not. Can someone give me the exact steps or point me to some good links?

Thanks in advance:)


- . , . , , . . . ( , " "... , . , .

 <system.serviceModel>
<services>
  <!-- Host side. The endpoint address is relative (empty), so it resolves against the
       base address listed under <host>. Certificate selection and client-certificate
       validation come from MyServiceBehavior; transport protection from MyServiceBinding. -->
  <service name="MyService"
           behaviorConfiguration="MyServiceBehavior">
    <endpoint name="MyServiceEndpoint"
              address=""
              contract="IMyContract"
              binding="netTcpBinding"
              bindingConfiguration="MyServiceBinding"/>
    <host>
      <baseAddresses>
        <!-- placeholder: replace with the real net.tcp:// base address of the host -->
        <add baseAddress="address here"/>
      </baseAddresses>
    </host>
  </service>
</services>
<client>
  <!-- Client side. The <identity>/<dns> value is the name the client expects to find in
       the subject of the certificate the service presents; with a self-signed server
       certificate whose subject is "ServerCertificate" this must match exactly, otherwise
       the channel is rejected even when the certificate itself is trusted. -->
  <endpoint name="MyClientEndpoint"
            address="address here"
            contract="IMyContract"
            binding="netTcpBinding"
            bindingConfiguration="MyClientBinding"
            behaviorConfiguration="ClientCertificateBehavior">
    <identity>
      <dns value="ServerCertificate"/>
    </identity>
  </endpoint>
</client>
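<behaviors>
  <serviceBehaviors>
    <behavior name="MyServiceBehavior">
      <!-- Metadata publishing; needed for a mex endpoint to work. Nothing below restricts who
           can read the metadata, so only keep this on if exposing the contract is acceptable. -->
      <serviceMetadata/>

      <!-- 
        The serviceCredentials behavior defines the service certificate.
        The service uses it to authenticate itself to clients and to protect the transport.
        This configuration selects the certificate whose subject name is "ServerCertificate"
        from the CurrentUser\My (Personal) store of the account the service runs under.
        NOTE(review): FindBySubjectName matches on the subject name, which is not unique
        across the store; FindByThumbprint pins exactly one certificate and is the safer
        choice once the self-signed certificate has been generated.
      -->
      <serviceCredentials>
        <serviceCertificate findValue="ServerCertificate" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
        <clientCertificate>
          <!-- 
          Setting the certificateValidationMode to PeerOrChainTrust means that if the client's
          certificate is in the Trusted People store of the given location, it is accepted
          without validating the issuer chain. This is what makes a self-signed client
          certificate usable without a CA: each accepted client certificate must be placed
          in that store explicitly, and anything not in the store (and not chaining to a
          trusted CA) is rejected.
          trustedStoreLocation="CurrentUser" refers to the profile of the account hosting the
          service; if the host runs under a service account, that is the store to populate.
          This setting is less secure than the default, ChainTrust, and revocation is not
          checked for peer-trusted certificates. Consider it carefully before using
          PeerOrChainTrust in production code.
          -->
          <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="CurrentUser"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
  <endpointBehaviors>
    <behavior name="ClientCertificateBehavior">
      <!-- maxItemsInObjectGraph is raised to Int32.MaxValue; this removes the deserializer's
           object-count limit on the client side, so it should only be used with a trusted
           service and a known payload size. -->
      <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
      <!-- 
      The clientCredentials behavior defines the certificate the client presents to the service.
      The client uses it to authenticate itself and to provide message integrity.
      This configuration selects the certificate whose subject name is "WFCClient" from the
      CurrentUser\My (Personal) store. The same remark as for the service applies:
      FindByThumbprint selects exactly one certificate, FindBySubjectName does not.
      -->
      <clientCredentials>
        <clientCertificate findValue="WFCClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
        <serviceCertificate>
          <!-- 
          Setting the certificateValidationMode to PeerOrChainTrust means that if the service
          certificate is in the user's Trusted People store, it is accepted without validating
          the issuer chain. This is what allows the client to accept a self-signed service
          certificate: the server certificate must be imported into the client's Trusted
          People store, and in addition the <identity>/<dns> value of the client endpoint
          must match the certificate's subject.
          This setting is less secure than the default, ChainTrust. Consider it carefully
          before using PeerOrChainTrust in production code.
          -->
          <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="CurrentUser"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>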
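<bindings>
  <netTcpBinding>
    <!--
      Both bindings use transport security with certificate client credentials; the service
      certificate protects the channel, the client certificate authenticates the caller.
      The two bindings are not symmetric: the client is allowed to build messages up to
      2097152000 bytes while the service accepts at most 10485760 bytes, so a large message
      is rejected by the service, not by the client. Align maxReceivedMessageSize on both
      sides to the real payload limit.
    -->
    <binding name="MyClientBinding"
             maxConnections="25000"
             listenBacklog="25000"
             portSharingEnabled="false"
             closeTimeout="00:05:00"
             openTimeout="00:05:00"
             sendTimeout="24:11:30"
             transferMode="Buffered"
             transactionFlow="false"
             hostNameComparisonMode="StrongWildcard"
             maxBufferSize="2097152000"
             maxReceivedMessageSize="2097152000"
             maxBufferPoolSize="2097152000">
      <readerQuotas maxStringContentLength="2000000000" maxArrayLength="2000000000" maxDepth="2000000000" maxBytesPerRead="2000000000" maxNameTableCharCount="2000000000"/>
      <!-- Transport mode: the certificate is exchanged at the TCP/TLS layer. A <message>
           clientCredentialType has no effect under mode="Transport" (it applies only to
           Message and TransportWithMessageCredential), so it is not declared here. -->
      <security mode="Transport">
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign"/>
      </security>
    </binding>
    <!--
      Service side. receiveTimeout="24:12:35" keeps an idle session open for over a day;
      an authenticated but idle client therefore holds a connection slot for that long.
      The reader quotas are raised to ~2 GB, including maxDepth: the 10 MB message size
      bounds the bytes, but not the nesting depth the deserializer must recurse through.
      NOTE(review): set maxDepth (and the other quotas) to what the contract actually
      needs rather than a blanket maximum.
    -->
    <binding name="MyServiceBinding"
             maxConnections="25000"
             listenBacklog="25000"
             portSharingEnabled="false"
             closeTimeout="00:05:00"
             openTimeout="00:05:00"
             receiveTimeout="24:12:35"
             transferMode="Buffered"
             transactionFlow="false"
             hostNameComparisonMode="StrongWildcard"
             maxBufferSize="10485760"
             maxReceivedMessageSize="10485760"
             maxBufferPoolSize="104857600">
      <readerQuotas maxStringContentLength="2000000000" maxArrayLength="2000000000" maxDepth="2000000000" maxBytesPerRead="2000000000" maxNameTableCharCount="2000000000"/>
      <!-- mode and protectionLevel are the netTcpBinding defaults (Transport, EncryptAndSign);
           they are spelled out so the service side visibly matches MyClientBinding. -->
      <security mode="Transport">
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>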


Source: https://habr.com/ru/post/1781033/

