Building Secure XML Web Services Series: SSL

Source: Internet
Author: User
Tags ssl certificate

Original title: Building Secure XML Web Services Series: SSL

First, an introduction to SSL. SSL stands for "Secure Sockets Layer"; it is a security protocol for Web applications developed by Netscape. The SSL protocol can be divided into two layers. The SSL Record Protocol is built on a reliable transport protocol (such as TCP) and provides higher-level protocols with basic functions such as data encapsulation, compression and encryption. Put simply, SSL is an encrypted communication protocol: with SSL, the content of communications (including e-mail) can be strongly encrypted, which prevents hackers from eavesdropping on the content of your communications or even on user passwords.
So what is the point of using SSL with an XML Web service? An XML Web service transfers data in XML format, XML is clear text, and the transport layer carries it over TCP/IP. TCP/IP traffic can be intercepted, so hackers can easily parse out the XML data, capture information and even tamper with the data, which makes the XML Web service insecure in data transmission. With SSL, the original XML is strongly encrypted, which effectively prevents the data from being illegally intercepted and tampered with in transit.
Here is how to use SSL with an XML Web service. Using SSL requires a digital certificate, which you can either buy commercially or generate with your own CA; the latter just needs some extra work. Typically, when your Web service serves as a cooperative interface between organizations, certificates generated by your own CA are perfectly adequate, but financial institutions such as banks, which have large user bases, are better off buying certificates. This article only describes how to generate an SSL certificate using your own CA.
1. Install the Certification authority
Windows 2003 Standard and Server editions both include a certification authority component, but it is not installed by default. To request a certificate, you must first install the Certification Authority component, as follows:
Open Control Panel > Add/Remove Programs, select Add/Remove Windows Components, insert the Windows installation CD, select Certificate Services, and click Next. After the installation succeeds, you can go on to request an SSL certificate.
2. Request an SSL certificate
To set up SSL for a Web service, the Web service must be configured as a Web site, not as a virtual directory.
First, open IIS, right-click the Web service site, click Directory Security, and under Secure Communications select "Server Certificate". Click Next, select "New Certificate", click Next, then select "Prepare certificate request now but send later" and click Next. Enter an arbitrary certificate name and leave the bit length at the default of 1024; the longer the key, the better the confidentiality but the worse the performance. Click Next, enter the organization and department, and click Next. The following interface appears:

Note: The common name must be the domain name used to access the site. For example, to access the Web service at https://192.168.1.179/, you must enter "192.168.1.179" here; otherwise clients will be warned that the certificate is unsafe, which makes the site inaccessible. After completing this step, click Next.
In the IE address bar, enter "http://localhost/certsrv/default.asp". On the page that appears, select "Request a Certificate"; on the next page, select "Advanced Certificate Request"; on the following page, select "Submit a certificate request using a BASE64 encoded CMC or PKCS#10 file, or renew a certificate request by using a PKCS#7 file". On the next page, paste the Base64 content of the request file generated in the previous step; the attributes can be left empty. Click Next through the remaining pages.
Next, the certification authority has to issue the certificate you just requested. Click Start > Administrative Tools > Certification Authority, select Pending Requests, right-click the certificate request you just submitted and select Issue. Then select Issued Certificates, open the certificate you just issued, select Details, click "Copy to File", click Next through the wizard, and save the certificate to a file.
Next, go back to the IIS settings. On the Web service site, click Server Certificate again, select "Process the pending request and install the certificate", select the certificate file that you just exported, and click Next. After installing the certificate, click Directory Security > Secure Communications > Edit and select "Require Secure Channel (SSL)". This completes the SSL setup. Note that once SSL is required, the site must be accessed over HTTPS, and access goes through the SSL port, which is 443 by default. If you run into access problems, check whether the server firewall is blocking SSL port 443; this is easily overlooked. One more point: because the certificate was generated by your own CA, allowing other people to access the Web service over HTTPS requires a bit of extra work. The CA's root certificate must be imported into the client's trusted root certification authorities before the client can access the Web service normally.
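
Added example, not part of the original article: a small Python client-side check that tells apart the access problems described above (the common name not matching the address, port 443 being blocked, and the client not trusting the private CA's root). The function names, the cause labels and the optional root certificate path are assumptions made for illustration; the numeric values are OpenSSL's certificate verification codes.

```python
import socket
import ssl

# OpenSSL verification codes mapped to the failure modes named in the article.
VERIFY_CAUSES = {
    62: "name-mismatch",  # host name differs from the name in the certificate
    64: "name-mismatch",  # IP address differs from the name in the certificate
    18: "untrusted-ca",   # self-signed certificate that the client does not trust
    19: "untrusted-ca",   # self-signed root in the chain, not in the trust store
    20: "untrusted-ca",   # issuer (the private CA root) not found locally
    21: "untrusted-ca",   # chain cannot be built up to a trusted root
    66: "weak-key",       # server key too small for the client's policy (e.g. 1024-bit)
}


def classify_verify_error(err):
    """Map an ssl.SSLCertVerificationError to one of the causes above."""
    code = getattr(err, "verify_code", None)
    return VERIFY_CAUSES.get(code, "other-verify-error")


def diagnose(host, port=443, ca_root_pem=None, timeout=5.0):
    """Return 'ok', 'unreachable', 'tls-error' or a verification cause.

    ca_root_pem is the path to the private CA's exported root certificate in
    Base64 (PEM) form; with None, the system trust store is used instead.
    """
    ctx = ssl.create_default_context(cafile=ca_root_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # The handshake verifies the chain and the name the client asked for.
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        return classify_verify_error(err)
    except ssl.SSLError:
        return "tls-error"    # handshake failed for a non-certificate reason
    except OSError:
        return "unreachable"  # refused or timed out, e.g. firewall blocks the port


if __name__ == "__main__":
    # Address taken from the article's example; prints 'unreachable' when offline.
    print(diagnose("192.168.1.179", 443))
```

Run it from a client machine with `ca_root_pem` pointing at the exported root certificate: "untrusted-ca" without the file and "ok" with it confirms that importing the root is the only missing step.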
