From Li Tianping's book: http://book.51cto.com/art/200906/129770.htm
7.9.2 encrypted transmission using SSL (1)
By default IIS transmits data over HTTP in plain text, and a Web Service likewise sends its data over HTTP as plain-text XML. Without any encryption, users' important data can easily be stolen in transit. How can this data be protected as it crosses the network?
SSL (Secure Sockets Layer) sits between the HTTP protocol layer and the TCP protocol layer. It is used to establish encrypted communication between the user and the server so that the transmitted information stays confidential, and its security mechanism relies on digital certificates.
SSL is based on a public key and a private key: data encrypted with the public key can only be decrypted with the corresponding private key. Communication under SSL proceeds as follows. After the user establishes a connection with the IIS server, the server sends its digital certificate and public key to the user; the client generates a session key, encrypts it with the server's public key and sends it to the server; the server decrypts it with its private key. In this way a secure channel is established between the client and the server, and only users allowed by SSL can communicate with the IIS server.
Note that an SSL website differs from an ordinary website: it uses the "HTTPS" protocol rather than the usual "HTTP" protocol, so its URL (Uniform Resource Locator) takes the form "https://<website domain name>".
The following describes how to use SSL to secure communication between the IIS server and the Web Service. The implementation steps are as follows.
1. Install the Certificate Service for the server
To use SSL, you must first install Certificate Services on Windows Server 2003. Open Control Panel, run "Add or Remove Programs" and open the Windows Components Wizard, as shown in Figure 7-13.
Figure 7-13 Windows Components Wizard
Select the "Certificate Services" option and click "Next".
Then choose the CA type: select "Stand-alone root CA", as shown in Figure 7-14. Click "Next", enter a name for the CA and set the validity period of its certificate, as shown in Figure 7-15.
Figure 7-14 Select the CA type
Figure 7-15 Set CA information
Finally, specify the location of the certificate database and its log, as shown in Figure 7-16, and click "Next".
Figure 7-16 Specify the certificate database
Copying the system files requires the Windows installation CD, as shown in Figure 7-17. Installing Certificate Services also requires stopping IIS while it runs, so click "Yes" when prompted.
Figure 7-17 Copy system files
Finally, the Certificate Services installation completes. Click "Finish", as shown in Figure 7-18.
Figure 7-18 Installation completed
2. Configure an SSL website
1) Create the certificate request file
To let the Web Service use SSL, first configure the Web Service as a website in IIS, then create a certificate request file for that website.
Click "Control Panel" > "Administrative Tools" and run "Internet Information Services (IIS) Manager". In the manager window expand the "Web Sites" folder, right-click the Web Service site that is to use SSL, choose "Properties" from the shortcut menu and switch to the "Directory Security" tab of the site's properties dialog box, as shown in Figure 7-19.
Figure 7-19 Website properties
Click "Server Certificate" to open the "IIS Certificate Wizard" dialog box.
In the "IIS Certificate Wizard", select "New certificate" and click "Next", as shown in Figure 7-20.
Figure 7-20 Server certificate
Select the "Prepare certificate request now, but send later" option and click "Next", as shown in Figure 7-21.
Figure 7-21 Certificate wizard
Enter a name for the certificate in the "Name" box, then choose the key length from the "Bit length" drop-down list (the default is 1024; a longer key gives better confidentiality but lower performance). Click "Next", as shown in Figure 7-22.
Figure 7-22 Set the certificate name
Set the organization information, as shown in Figure 7-23, and click "Next". Then set the common name of the site, as shown in Figure 7-24.
Figure 7-23 Set organization information
Figure 7-24 Set the common name
Note that the common name must be the domain name used to reach the site. For example, if the Web Service is reached at https://www.maticsoft.com, enter "www.maticsoft.com" here; otherwise the browser warns that the certificate is not secure and the site cannot be accessed. Note also that www.maticsoft.com and www.maticsoft.com:8001 differ only in the access port, and the port is not part of the common name, so a certificate issued to www.maticsoft.com also serves the site when it is configured as www.maticsoft.com:8001.
Then click "Next" to set the country and region, as shown in Figure 7-25.
Figure 7-25 Set country and region
Set the certificate's organization, organizational unit, site common name and geographic information, and click "Next".
Finally, specify where to save the certificate request file. This completes the creation of the certificate request file.
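The common-name rule above (the certificate must carry exactly the host name users type into the browser, and the port is not part of that name) can be checked before a request is ever submitted. The following Python script is an added example, not code from the book; it goes slightly beyond the text by also handling a single leading wildcard label, and the URLs and certificate names in it are constructed sample inputs.

```python
"""Check that a certificate's common name matches the host part of a URL.

Added example: the rule is that the certificate's common name must equal
the domain name users type, and that the port is not part of that name.
"""
from urllib.parse import urlsplit


def expected_common_name(url: str) -> str:
    """Return the host name a certificate must carry for this URL.

    The port (":8001") and the path are not part of the common name, so
    https://www.maticsoft.com and https://www.maticsoft.com:8001 both
    need a certificate issued to "www.maticsoft.com".
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError("SSL sites are reached over https://, got %r" % url)
    if not parts.hostname:
        raise ValueError("URL has no host name: %r" % url)
    return parts.hostname.lower()


def ssl_port(url: str) -> int:
    """Port the browser will connect to: the explicit port, else 443 for https."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else 443


def name_matches(cert_name: str, host: str) -> bool:
    """Compare a certificate name with a host the way browsers do.

    Exact match is case-insensitive. A single leading wildcard label
    ("*.maticsoft.com") matches exactly one label and never the bare
    domain. Anything else is a mismatch and the browser will warn.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]            # ".maticsoft.com"
        if host.endswith(suffix):
            prefix = host[: -len(suffix)]
            return bool(prefix) and "." not in prefix
    return False


def check_site_certificate(url: str, cert_names: list) -> dict:
    """Summarise whether a site's certificate will be accepted for a URL.

    cert_names lists the names in the certificate: the common name plus
    any subject alternative names. Returns the host the browser checks,
    the port it connects to, and which names (if any) match.
    """
    host = expected_common_name(url)
    matched = [n for n in cert_names if name_matches(n, host)]
    return {"host": host, "port": ssl_port(url), "ok": bool(matched), "matched": matched}


if __name__ == "__main__":
    # Constructed sample inputs using the book's example domain.
    for url in ("https://www.maticsoft.com", "https://www.maticsoft.com:8001/service.asmx"):
        print(url, check_site_certificate(url, ["www.maticsoft.com"]))
    # The failure case the book warns about: common name does not match the URL.
    print(check_site_certificate("https://www.maticsoft.com", ["maticsoft"]))
```

Run it against the URL users will actually type, including any non-standard port; the `ok` flag tells you whether the common name you are about to put in the request will be accepted without a certificate warning.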
2) Apply for a server certificate
After completing the settings above, submit the certificate request file you created to the certificate server.
On the server, enter "http://localhost/certsrv/default.asp" in the address bar of Internet Explorer.
In the "Microsoft Certificate Services" welcome page, click the "Request a certificate" link, as shown in Figure 7-26.
Next, under the request type, click the "Advanced certificate request" link, as shown in Figure 7-27.
Figure 7-26 Request a certificate
Figure 7-27 Select a certificate type
Then, in the advanced certificate request page, click the "base64-encoded CMC or PKCS #10 ..." link, as shown in Figure 7-28.
Figure 7-28 Select the encoding
Next, in the page that opens, open the generated "certreq.txt" file and paste its contents into the "Saved Request" box, as shown in Figure 7-29.
Figure 7-29 Submit a certificate request
Click "Submit"; the "Certificate Pending" page is displayed, as shown in Figure 7-30.
Figure 7-30 Certificate pending
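What goes into the "Saved Request" box must be the complete base64-encoded PKCS #10 block from certreq.txt; a truncated paste, a missing header line or a stray character makes the CA reject the request. The following Python script is an added example, not code from the book or from Microsoft Certificate Services; it checks the PEM envelope and the outermost DER length of such a block without a full ASN.1 parser, and the sample it builds is a constructed stand-in for certreq.txt (a bare DER SEQUENCE of zero bytes), not a real request.

```python
"""Validate a base64-encoded PKCS #10 request block before submitting it.

Added example. A certreq.txt is a PEM block: a BEGIN line, base64 text, an
END line. The CA needs the complete DER structure inside; this checks the
envelope and that the outer DER length matches what was pasted.
"""
import base64
import binascii
import re

# Labels used for a PKCS #10 request (IIS 6 writes the "NEW ..." form).
REQUEST_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_outer_length(der: bytes) -> int:
    """Return the total length of the outermost DER SEQUENCE, header included.

    DER: a tag byte, then a length byte; if its high bit is set, the low
    7 bits say how many following bytes hold the big-endian length.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_request(text: str) -> dict:
    """Parse a PEM request; return its label and DER size, or raise ValueError."""
    text = text.lstrip("\ufeff")                # drop a UTF-8 BOM left by editors
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no complete BEGIN/END block found")
    label = m.group("label")
    if label not in REQUEST_LABELS:
        raise ValueError("not a certificate request: %s" % label)
    body = re.sub(r"\s+", "", m.group("body"))  # base64 is wrapped at 64 columns
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("base64 body is corrupt: %s" % exc) from None
    expected = der_outer_length(der)
    if expected != len(der):
        raise ValueError("DER declares %d bytes but body holds %d (truncated paste?)"
                         % (expected, len(der)))
    return {"label": label, "der_bytes": len(der)}


def make_sample_request(label: str = "NEW CERTIFICATE REQUEST") -> str:
    """Constructed stand-in for certreq.txt: a PEM-wrapped DER SEQUENCE.

    The payload is a SEQUENCE of 300 zero bytes (long-form length), not a
    real PKCS #10 structure; it is enough to exercise the envelope checks.
    """
    payload = bytes(300)
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


if __name__ == "__main__":
    sample = make_sample_request()
    print(check_pem_request(sample))
    # Simulate losing the last base64 line in the clipboard.
    cut = "\n".join(sample.splitlines()[:-2]) + "\n-----END NEW CERTIFICATE REQUEST-----\n"
    try:
        check_pem_request(cut)
    except ValueError as exc:
        print("rejected:", exc)
```

Point `check_pem_request` at the text you are about to paste (for example, `check_pem_request(open("certreq.txt").read())`); the length check is what catches a block whose last lines were dropped when copying, which otherwise surfaces only as an unhelpful CA error.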
3) Issue the server certificate
After the request has been submitted, the CA must issue the server certificate. Select Start > Settings > Control Panel, double-click Administrative Tools, then double-click "Certification Authority"; in the console that opens select "Pending Requests", as shown in Figure 7-31.
Figure 7-31 Pending requests
Find the request you just submitted, right-click it and choose "All Tasks" > "Issue" from the shortcut menu, as shown in Figure 7-32.
Once the certificate is issued, open "Issued Certificates" and double-click the new certificate. In the "Certificate" dialog box that opens, click "Copy to File", as shown in Figure 7-33.
Figure 7-32 Issue a certificate
The "Certificate Export Wizard" opens. Click "Next" and select "Base-64 encoded X.509", as shown in Figure 7-34.
Figure 7-34 Select the export file format
Click "Next", enter the file name in the "File to Export" step, and click "Finish".
4) Install the Web server certificate
Return to the "Directory Security" tab of the site's properties in IIS Manager and click "Server Certificate". In the wizard, select "Process the pending request and install the certificate" and click "Next", as shown in Figure 7-35.
Figure 7-35 Process the pending request
Specify the location of the exported server certificate file, as shown in Figure 7-36.
Figure 7-36 Select the exported certificate file
Set the SSL port, keeping the default "443", and click "Finish".
5) Configure the website to require the SSL channel
On the "Directory Security" tab of the website's properties, click "Edit" in the "Secure communications" section, then select "Require secure channel (SSL)", as shown in Figure 7-37.
Figure 7-37 Enable the SSL channel for the website
Ignore client certificates: users can access the site without presenting a client certificate.
Accept client certificates: users with client certificates are admitted, but a certificate is not required. Users who present a client certificate can be mapped to accounts; users without one can use the other authentication methods.
Require client certificates: only users with a valid client certificate can connect; users without one are denied access to the site. "Require secure channel (SSL)" must be selected before client certificates can be required.
Click "OK" to enable SSL. Once the SSL website is configured, users reach it simply by entering "https://<website domain name>" in Internet Explorer.
Note
Once SSL is required, the website must be accessed over HTTPS, on the SSL port (443 by default).
If the website cannot be reached, check whether the server's firewall blocks SSL port 443; alternatively, change the port.
If access still fails with the message "You are trying to execute CGI, ISAPI, or other executable programs from the directory, but this directory does not allow programs to be executed. HTTP Error 403.1 - Access prohibited: Access denied.", check the execute permission of the website's home directory and set it to "Scripts only", as shown in Figure 7-38.
Figure 7-38 Set the execute permission
6) Install the certificate on the client
If the IIS server is set to "Require client certificates", other machines or users that want to access and call the Web Service over HTTPS must first import the CA's root certificate into the client's trusted certificate store; only then can the client access the Web Service normally.
(1) Select "Start" > "Run" and enter "MMC" in the dialog box. The console shown in Figure 7-39 opens.
Figure 7-39 Start the console
(2) Select "File" → "Add/Remove Snap-in". The dialog box shown in Figure 7-40 opens.
Figure 7-40 Add/Remove Snap-in
(3) Click "Add" and select "Certificates" in the list of available stand-alone snap-ins. The dialog box shown in Figure 7-41 opens.
(4) Select "Computer account", click "Next", select "Local computer", then click "Finish" → "Close" → "OK".
Figure 7-41 Add the Certificates snap-in
Go to the Certificates snap-in for the current user; the console shown in Figure 7-42 is displayed.
Figure 7-42 Select the certificate import location
Under "Personal", right-click the "Certificates" node and select "All Tasks" > "Import" from the shortcut menu, as shown in Figure 7-43.
Figure 7-43 Import a certificate
Select the server certificate cert.cer issued earlier and import it into the Personal store, as shown in Figure 7-44.
Figure 7-44 Import the certificate
7) Advantages and disadvantages of SSL
Advantage: it does not affect the integrity of the data provided by the Web Service. The value returned to the client is unchanged; encrypting it in transit does not alter it.
Disadvantage: it can affect the site's performance, because a large amount of data must be encrypted and decrypted.