Building a secure XML Web Service series (iii)

Source: Internet
Author: User

First, an introduction to SSL. SSL stands for "Secure Sockets Layer"; it is a security protocol for Web applications developed by Netscape. The SSL protocol can be divided into two layers. The SSL Record Protocol is built on a reliable transport protocol (such as TCP) and provides higher-level protocols with basic functions such as data encapsulation, compression, and encryption. Put simply, SSL is a cryptographic communication protocol: it can strongly encrypt the content of communications (including e-mail) so that attackers cannot eavesdrop on that content or capture user passwords.

So what does it mean to use SSL on an XML Web service? An XML Web service transfers data in XML format, which is plain text, and the transport layer is TCP/IP, which can be monitored illegally. An attacker can easily parse the XML data, intercept information, and even tamper with the data, so an XML Web service is not secure in transit. With SSL, the original XML is strongly encrypted, which effectively prevents the data from being illegally intercepted and tampered with during transmission.

Here's how to use SSL on an XML Web service. Using SSL requires a digital certificate, which you can either purchase commercially or generate with your own CA; the latter requires some extra work. In general, if your Web service is used as an interface between organizations, a certificate generated by your own CA is entirely sufficient, but for a financial institution such as a bank, whose user base is relatively large, it is best to buy a certificate. This article only explains how to use your own CA to generate an SSL certificate.

  1. Installing a certification authority

Both the Windows 2003 Standard and Server editions include a certification authority component, but it is not installed by default. To request a certificate, you must first install the Certification Authority component, as follows:

Open Control Panel, then Add/Remove Programs, select Add/Remove Windows Components, insert the Windows installation CD, select Certificate Services, and then click Next through the remaining steps. Once the installation succeeds, you can move on to requesting an SSL certificate.

  2. Requesting an SSL certificate

To set up SSL for a Web service, you must set up the Web service as a Web site, not a virtual directory.

First, open IIS, right-click the Web service site, click Directory Security, and select "Server Certificate" under Secure communications. Click Next, select "New Certificate", click Next, then select "Prepare certificate request now but send later" and click Next. Enter an arbitrary certificate name and leave the bit length at the default of 1024 (the longer the key, the better the confidentiality but the worse the performance). Click Next, enter the organization and organizational unit, click Next, and the following interface appears:

Note: The common name must be the domain name used to access the site. For example, to access the Web service at https://192.168.1.179/..., you must enter "192.168.1.179"; otherwise clients will be warned that the certificate is unsafe and the site will be inaccessible. After you complete this step, click Next through the remaining pages.

In the IE address bar, enter "http://localhost/certsrv/default.asp". On the page that appears, select "Request a Certificate"; on the next page, select "Advanced Certificate Request"; on the page after that, select "Submit a certificate request using a BASE64-encoded CMC or PKCS#10 file, or renew a certificate request with a PKCS#7 file". On the following page, paste in the base64 text from the request file generated in the previous step; the attributes field can be left empty. Then click Next through the remaining steps.

Next, issue the certificate you just requested through the certification authority. Click Start, Administrative Tools, Certification Authority, select the pending requests, right-click the request you just submitted, and choose Issue. Then select the issued certificates, open the certificate you just issued, select Details, click "Copy to File", and click Next through the wizard to save the certificate to a file.

Next, go back to the IIS settings. On the Web service site, click Server Certificate again, select "Process the pending request and install the certificate", select the certificate file that you just exported, and click Next. Once the certificate is installed, click Directory Security, Secure communications, Edit, and check the "Require secure channel (SSL)" option. This completes the SSL setup. Note that once SSL is required, you must use HTTPS to access the site, and access goes through the SSL port, which defaults to 443. If the site cannot be reached, check whether the server firewall blocks SSL port 443; this is easily overlooked. Also, because the certificate was generated by your own CA, anyone else who needs to access the Web service over HTTPS must do one extra piece of work: import the CA's root certificate into the client's trusted root certification authorities. After that, the client can access the Web service normally.
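The request, issue, and trust-the-root flow from steps 1 and 2, reproduced with the OpenSSL command line as an added example (not part of the original article and not the IIS or Certificate Services tooling it describes), so that the two client-side failures the article mentions, an address that does not match the certificate and a CA root the client has not imported, can be observed directly. The CA name, file names, and the second address are constructed; the example uses 2048-bit keys instead of the 1024-bit default from step 2, and also writes the address into subjectAltName because current TLS clients match on that field rather than the common name.

```shell
#!/bin/sh
# Added example: private CA -> certificate request -> issued certificate -> client check.
# The CA name, file names and key size are constructed for illustration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # self-signed root, standing in for the CA installed in step 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {  # $1 = address clients will use; goes into CN and subjectAltName
  # srv.csr is a base64 PKCS#10 request, like the file IIS prepares in step 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/srv.crt" 2>/dev/null
}

key_bits() {  # public key size of the issued certificate
  openssl x509 -in "$WORK/srv.crt" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

client_check() {  # $1 = address the client connects to, $2 = root file ("" = none)
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$2" -verify_ip "$1" "$WORK/srv.crt"
  else
    openssl verify -no-CApath -no-CAfile -verify_ip "$1" "$WORK/srv.crt"
  fi >/dev/null 2>&1 && echo trusted || echo rejected
}

make_ca
issue_cert 192.168.1.179
echo "key size:                   $(key_bits) bits"
echo "matching address, root set: $(client_check 192.168.1.179 "$WORK/ca.crt")"
echo "other address, root set:    $(client_check 192.168.1.180 "$WORK/ca.crt")"
echo "matching address, no root:  $(client_check 192.168.1.179 "")"
```

Only the first check passes; the other two correspond to the "unsafe certificate" warning and to a client that has not yet imported the CA root.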


