WCF basicHttpBinding Security Resolution (7): Certificate Authentication (IIS Host)

Source: Internet
Author: User

This section uses the Transport security mode for certificate authentication, because the TransportCredentialOnly mode does not support certificate client credentials.

Certificate authentication requires the client or the server to present a certificate to prove its identity. First, create two certificates, one for the server and one for the client, at the Visual Studio 2010 command prompt using the commands shown in Figure 11-42.

Figure 11-42 create a certificate

After the certificates have been created, add the Certificates snap-in to an MMC console and move the two certificates into the Trusted People store, as shown in Figure 11-43.

Figure 11-43 Moving a certificate into the Trusted People store

Note:

As Figure 11-43 shows, the certificate could also have been generated directly into the target store from the command line. Moving it by hand is only meant to show how certificates are managed centrally in the MMC.

Because the Transport security mode runs over an SSL/TLS connection, the site needs an HTTPS binding in IIS.

We create another certificate whose subject name matches the site's host name, wcfservicewebsite.com, and export it to the local machine. Open IIS Manager, switch to the IIS 7.5 server node, click Server Certificates and import the certificate. Go back to the site, edit the site bindings, add an https binding and select the imported certificate. Then open SSL Settings for the site and check Require SSL, as shown in Figure 11-44.

Figure 11-44 website configuration requires SSL

At this point the browser reports that the certificate is invalid, because the locally generated certificate was not issued by a certification authority the machine trusts, as shown in Figure 11-45.

Figure 11-45 HTTPS link certificate Access Error

In this case, click the certificate error indicator in IE and install the certificate into the Trusted Root Certification Authorities store, following the prompts shown in Figures 11-46 and 11-47. Do this only on a test machine: anything in the Trusted Root store is trusted unconditionally, and the private key of this certificate lives on the same box.

Figure 11-46 select to install the certificate

Figure 11-47 install the certificate to a trusted root certificate authority

Refresh the site. The padlock in the address bar now shows the certificate as verified, as in Figure 11-48.

Figure 11-48 certificate verification
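The certificate and IIS steps above, collected into one script. This is an added example and not part of the original article, which did everything through makecert, MMC and IIS Manager. It assumes Windows 8 / Server 2012 or later (the PKI and WebAdministration modules), an existing IIS site named WcfServiceWebSite and a client certificate subject of xclient (both assumptions), and an elevated Windows PowerShell prompt; the host name is the article's. It deviates from the article in one deliberate way: it creates the certificates in the LocalMachine stores rather than CurrentUser, for the reason given in the comments.

```powershell
# Added example, not part of the original article: the certificate and IIS steps
# described above, as one script for a test machine. Assumes Windows 8 /
# Server 2012 or later (PKI and WebAdministration modules), an existing IIS
# site, and an elevated prompt. The site name 'WcfServiceWebSite' and the
# client subject name 'xclient' are assumptions; the host name is the article's.
Import-Module WebAdministration

$siteName   = 'WcfServiceWebSite'        # assumed IIS site name
$hostName   = 'wcfservicewebsite.com'    # host name used in the article
$clientName = 'xclient'                  # assumed client certificate subject

function Add-PublicCopyToStore {
    # Stores a copy of $Cert without its private key in a LocalMachine store.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string] $StoreName
    )
    $der   = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]$der)
    $store.Close()
}

# 1. Server and client certificates (the equivalent of Figure 11-42). They are
#    created in LocalMachine\My, not CurrentUser, because the IIS worker process
#    runs under the application pool identity and never sees the MMC user's
#    CurrentUser store (the 'certificate not found' case later in the article).
$serverCert = New-SelfSignedCertificate -DnsName $hostName   -CertStoreLocation 'Cert:\LocalMachine\My'
$clientCert = New-SelfSignedCertificate -DnsName $clientName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Trusted People (Figure 11-43): this is the store WCF's PeerTrust validation
#    mode consults, so only public copies are needed there.
Add-PublicCopyToStore -Cert $serverCert -StoreName 'TrustedPeople'
Add-PublicCopyToStore -Cert $clientCert -StoreName 'TrustedPeople'

# 3. Trusted Root (Figures 11-46/11-47 without the IE click-through). SChannel,
#    not WCF, builds the chain for the server certificate (browser side) and for
#    the client certificate (IIS side, HTTP 403.16 if it fails), and a
#    self-signed certificate only chains when it is its own trust anchor.
#    Test machines only: anything placed here is trusted unconditionally.
Add-PublicCopyToStore -Cert $serverCert -StoreName 'Root'
Add-PublicCopyToStore -Cert $clientCert -StoreName 'Root'

# 4. HTTPS binding carrying the server certificate (Figure 11-44, first part).
if (-not (Get-WebBinding -Name $siteName -Protocol 'https')) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443
}
(Get-WebBinding -Name $siteName -Protocol 'https').AddSslCertificate($serverCert.Thumbprint, 'My')

# 5. 'Require SSL' (Figure 11-44, second part). sslFlags 'Ssl' is that checkbox;
#    client certificates stay at 'Ignore' at this stage, exactly as in the text.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

"Server certificate : $($serverCert.Subject)  $($serverCert.Thumbprint)"
"Client certificate : $($clientCert.Subject)  $($clientCert.Thumbprint)"
```

The two stores matter for two different checks: SChannel decides whether a certificate chains to something in Trusted Root before WCF is involved, and WCF's PeerTrust mode later looks only in Trusted People. A certificate that is in one store but not the other fails one of the two checks.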

First, let's look at communication in Transport mode without setting any client credentials. The server-side binding is shown in Code Listing 11-100.

Code Listing 11-100 No client credentials

 
 

 
<bindings>
  <basicHttpBinding>
    <binding name="BasicBindingConf">
      <security mode="Transport">
        <transport clientCredentialType="None" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
......

 
 

The client makes the corresponding change. The service behavior is also set so that metadata can be retrieved over HTTPS, as in Code Listing 11-101.

Code Listing 11-101 Enabling metadata retrieval over HTTPS

<behavior name="WcfHelloService.ServiceBehavior">
  <serviceMetadata httpsGetEnabled="true" />
</behavior>

The client changes the endpoint address to HTTPS:

<endpoint address="https://wcfservicewebsite.com/HelloService.svc" ... />

Run the test site. The result is shown in Figure 11-49.

Figure 11-49 test results in transport mode

The result in Figure 11-49, combined with the server configuration, shows that the call is currently anonymous. Does the transport layer actually protect the transmission? The Fiddler capture is shown in Code Listing 11-102.

Code Listing 11-102 Data captured in Transport mode

 
 

 
CONNECT wcfservicewebsite.com:443 HTTP/1.1
Host: wcfservicewebsite.com
Proxy-Connection: Keep-Alive

The data sent represents an SSLv3-compatible ClientHello handshake. For your
convenience, the data is extracted below.

Major Version: 3
Minor Version: 1
Random: 4E 07 11 12 D7 AE D1 35 94 52 CF CE B9 EA BF 8C 5B 4E B2 D4 86 0A BC E6 D2 61 C4 97 BC 1C 11 DA
SessionID: empty
Ciphers:
    [002F] TLS_RSA_AES_128_SHA
    [0035] TLS_RSA_AES_256_SHA
    [0005] SSL_RSA_WITH_RC4_128_SHA
    [000A] SSL_RSA_WITH_3DES_EDE_SHA
    [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [0032] TLS_DHE_DSS_WITH_AES_128_SHA
    [0038] TLS_DHE_DSS_WITH_AES_256_SHA
    [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
    [0004] SSL_RSA_WITH_RC4_128_MD5

Code Listing 11-102 is the request as the client sent it: Fiddler shows only the TLS handshake (a TLS 1.0 ClientHello, version 3.1), not the SOAP body, which is enough to show that the data is encrypted in transit. Two caveats are worth noting. First, "encrypted" says nothing about how strong the negotiated suite is; this hello still offers RC4, 3DES and MD5 suites, which are no longer considered acceptable. Second, encryption alone does not authenticate the peer. Fiddler demonstrates this: once its HTTPS decryption option is turned on and the client trusts Fiddler's interception certificate, Fiddler sits as a man in the middle and shows the plaintext request, as in Code Listing 11-103.

Code Listing 11-103 The actual request

POST https://wcfservicewebsite.com/HelloService.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: uidpo9b4edyyow5clt+7ozgctooaaaaaqjlegwjqxkcz0d14i8iazdw+0ozgjs5bgmw5e+f6yikacqaa
SOAPAction: "http://tempuri.org/IHelloService/GetHello"
Host: wcfservicewebsite.com
Content-Length: 133
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetHello xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Now let's configure the server and client certificates, using the two certificates generated earlier. The server side comes first, as in Code Listing 11-104.

Code Listing 11-104 Configuring the server certificate

 
 

 
<serviceBehaviors>
  <behavior name="WcfHelloService.ServiceBehavior">
    <serviceMetadata httpGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="false" />
    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="PeerTrust" />
        <certificate findValue="Xclient"
                     storeLocation="CurrentUser"
                     storeName="TrustedPeople"
                     x509FindType="FindBySubjectName" />
      </clientCertificate>
      <serviceCertificate x509FindType="FindBySubjectName"
                          storeLocation="CurrentUser"
                          storeName="TrustedPeople"
                          findValue="Xserver" />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

The certificate configuration is no different from the netTcpBinding case, so it is not repeated here; refer to the previous article if anything is unclear. After the server is configured, browsing to https://wcfservicewebsite.com/helloservice.svc produces the error in Figure 11-50.

Figure 11-50 Certificate not found error

I only occasionally hit this error when testing on Windows 7; it may be caused by caching in the certificate store. If I put the certificates in the LocalMachine store instead, they are found immediately. This is probably related to IIS hosting, which I have not studied in depth; if you run into the same problem, try the LocalMachine store. (Under IIS the service runs in a worker process under the application pool identity, so the CurrentUser store it searches is that account's store, not the one the logged-on user populated in MMC. LocalMachine stores are visible to every account, provided the application pool identity is granted read access to the server certificate's private key.)

Update the test site's configuration. After the change, the client configuration is as shown in Code Listing 11-105.

Code Listing 11-105 Client certificate configuration

 
 

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientBehavior">
        <clientCredentials>
          <clientCertificate findValue="Xuanhunclient"
                             storeLocation="CurrentUser"
                             storeName="TrustedPeople"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <authentication certificateValidationMode="None" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      ......
        <security mode="Transport">
          <transport clientCredentialType="Certificate" proxyCredentialType="None" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://wcfservicewebsite.com/HelloService.svc"
              binding="basicHttpBinding"
              bindingConfiguration="BasicHttpBinding_IHelloService"
              contract="HelloServiceReferenceForBasic.IHelloService"
              name="BasicHttpBinding_IHelloService"
              behaviorConfiguration="ClientBehavior" />
  </client>
</system.serviceModel>

In Code Listing 11-105 the endpoint's address attribute is changed to the HTTPS address https://wcfservicewebsite.com/HelloService.svc, and <authentication certificateValidationMode="None"/> is set so that the client does not validate the server certificate. Treat None as a test-only shortcut: with it the client accepts any certificate, including one presented by an interception proxy such as Fiddler, so the server is no longer authenticated and a man in the middle can read and alter the traffic. On a machine where the server certificate is already in the Trusted People store, as it is here, PeerTrust would work instead; ChainTrust (the default) is the right choice once the certificate is issued by a trusted CA.

Start the test site, and the error in Figure 11-51 appears.

Figure 11-51 Inconsistent SSL configuration

The error in Figure 11-51 means that the service requires the client to present a certificate (clientCredentialType="Certificate"), while the site's SSL settings in IIS do not require a client certificate. Change the IIS setting to require client certificates, as shown in Figure 11-52.

Figure 11-52 set IIS SSL

Now run the test site again. The result is shown in Figure 11-53.

Figure 11-53 Certificate verification succeeded

The returned certificate identity and the authentication type X509 in Figure 11-53 show that the server has successfully verified the client certificate.
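The IIS-side fix for Figure 11-51, applied from the command line and followed by two checks that reproduce the before and after states. This is an added example and not part of the original article. It assumes an IIS site named WcfServiceWebSite and a client certificate with subject CN=xclient and private key in Cert:\LocalMachine\My (both assumptions), that the server certificate is already trusted by this machine as described earlier, an elevated Windows PowerShell 5.1 prompt, and the service URL from the article.

```powershell
# Added example, not part of the original article: the fix for Figure 11-51
# applied from the command line, followed by two checks. Assumes the IIS site
# name 'WcfServiceWebSite', a client certificate CN=xclient with private key in
# Cert:\LocalMachine\My (both assumptions), a server certificate this machine
# already trusts, and the service URL from the article. Run elevated.
Import-Module WebAdministration

$siteName = 'WcfServiceWebSite'
$url      = 'https://wcfservicewebsite.com/HelloService.svc'

# 'Ssl,SslRequireCert' is the IIS state WCF expects when the binding says
# clientCredentialType="Certificate" in Transport mode. 'Ssl' alone (Require SSL
# with client certificates left at Ignore) produces the mismatch error in
# Figure 11-51.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslRequireCert'
$flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
"IIS sslFlags for ${siteName}: $flags"

# Check 1: a request without a client certificate is now refused by IIS itself
# (HTTP 403.7, 'SSL client certificate is required') before it reaches WCF.
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null
    Write-Warning 'Anonymous request succeeded: IIS is not requiring client certificates.'
} catch {
    "Anonymous request refused as expected: $($_.Exception.Message)"
}

# Check 2: the same request with the client certificate reaches the service
# page. This covers the TLS half of Figure 11-53; the WCF half (PeerTrust
# against Trusted People and the X509 identity) only runs on a real SOAP call.
$clientCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq 'CN=xclient' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $clientCert) { throw 'Client certificate CN=xclient not found in Cert:\LocalMachine\My' }
$response = Invoke-WebRequest -Uri $url -Certificate $clientCert -UseBasicParsing
"Request with client certificate: HTTP $($response.StatusCode)"
```

If Check 2 fails with a 403.16 rather than succeeding, IIS could not build a trusted chain for the client certificate; for a self-signed test certificate that means its public copy is missing from the machine's Trusted Root store, which is a separate requirement from WCF's Trusted People lookup.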
