In Programming WCF Security - One, we discussed the core security features that WCF addresses and transport level security. Let's move on to the next one...
With the changes described below, the client will be able to communicate with the service using message level security.
Message Level Security...
The main difference between transport and message security is that with message security the required credentials and claims travel inside the message itself. Transport security, by contrast, relies on handshaking or external resources such as Active Directory to verify the credentials associated with the message...
The biggest reason for choosing message level security over transport level security is that the message is self-contained, which enables a number of scenarios that are not possible with transport security. For example, transport security protects the message only from endpoint to endpoint over the channel; once the message has been received, it is no longer encrypted... Message level security provides end-to-end encryption: even after a message has been received, it is still encrypted... A second reason is that different parts of the message can be secured using different encryption mechanisms.
Let's see how to implement message level security in WCF with certificates at both the server and the client end.
Step 1: As we are dealing with sample programs, we don't need "VeriSign" approved certificates, so let's generate our own. We need to create both a server and a client certificate:
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCfMsgTestServer -sky exchange -pe
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WcfMsgTestClient -sky exchange -pe
To run these, we need the SDK tools from Microsoft. Once they are installed, you will find makecert.exe in "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin"; otherwise download it from here. Open a command prompt, change to the path mentioned above and execute the two commands.
Step 2: Both certificates are created, but they are not yet under the trusted category. To fix that, open the Microsoft Management Console: go to Run and execute "MMC".
Once the console is open, go to File, click "Add/Remove Snap-in", select Certificates in the left pane and click the "Add" button.
Now that the certificates are registered, we have to make configuration settings at both the server and the client end.
Step 3: Insert the code snippets below in your server configuration file.
Binding Behavior:
<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security>
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<!-- serviceCredentials goes inside the service's <behavior> element under <serviceBehaviors> -->
<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerTrust" />
  </clientCertificate>
  <serviceCertificate findValue="WCfMsgTestServer"
                      storeLocation="CurrentUser"
                      storeName="My"
                      x509FindType="FindBySubjectName" />
</serviceCredentials>
Step 4: Create the client application, add a service reference and configure the client certificate credentials in the client configuration.
<behaviors>
  <endpointBehaviors>
    <behavior name="CustomBehavior">
      <clientCredentials>
        <clientCertificate findValue="WcfMsgTestClient"
                           x509FindType="FindBySubjectName"
                           storeLocation="CurrentUser"
                           storeName="My" />
        <serviceCertificate>
          <authentication certificateValidationMode="PeerTrust" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
Change the endpoint definition to associate the behavior with the endpoint and to point the identity of the endpoint at the server certificate.
<client>
  <endpoint address="http://localhost:39487/Service1.svc"
            binding="wsHttpBinding"
            bindingConfiguration="WSEndpoint"
            contract="WCFMsgSecService.IService1"
            name="WSEndpoint"
            behaviorConfiguration="CustomBehavior">
    <identity>
      <dns value="WcfMsgTestServer" />
    </identity>
  </endpoint>
</client>
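As an added example (not code from the original post), here is the programmatic equivalent of the Step 3 server settings and the Step 4 client settings in C#, which makes the relationship between the certificate names, the store lookups and the PeerTrust validation explicit; it assumes a self-hosted service with contract IService1 and implementation Service1, and the same certificate subject names used above.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Programmatic equivalent of the server (Step 3) and client (Step 4) configuration.
// IService1 / Service1 are the contract and implementation of the sample service (assumed).
public static class MessageSecuritySetup
{
    // <wsHttpBinding><binding><security><message clientCredentialType="Certificate"/>
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    // <serviceCredentials> on the server: which certificate the service presents and
    // how client certificates are validated (PeerTrust = must be in the Trusted People store).
    public static ServiceHost CreateServiceHost()
    {
        var host = new ServiceHost(typeof(Service1), new Uri("http://localhost:39487/"));
        host.AddServiceEndpoint(typeof(IService1), CreateBinding(), "Service1.svc");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "WCfMsgTestServer");
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        return host;
    }

    // <clientCredentials> plus the <identity><dns value=.../> on the client endpoint.
    public static ChannelFactory<IService1> CreateClientFactory()
    {
        // The DNS identity is checked against the service certificate's subject name;
        // a mismatch fails the call even when the certificate itself is trusted.
        var address = new EndpointAddress(
            new Uri("http://localhost:39487/Service1.svc"),
            new DnsEndpointIdentity("WcfMsgTestServer"));
        var factory = new ChannelFactory<IService1>(CreateBinding(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "WcfMsgTestClient");
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        return factory;
    }
}
```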
Courtesy: Random Web Images, MSDN, Microsoft .NET 3.5 WCF Book, Several online resources