My WCF service involves sending a dataset (in CSV format) between client and service. This dataset must be encrypted so that the data cannot be intercepted. I'm using wshttpbinding and trying to encrypt the message by using the following settings in web.config:
    <wsHttpBinding>
      <binding name="wsHttp">
        <reliableSession enabled="true" />
        <security mode="Message">
          <message clientCredentialType="UserName" algorithmSuite="TripleDes" />
        </security>
      </binding>
    </wsHttpBinding>
When I try to generate a client proxy I get a long error message box (which cannot be completely read because it goes off the bottom of the screen!). The error message does mention something about a "service certificate not being provided".
How do I encrypt a message? Do I need a certificate? I should mention that this service will be used over the internet from different domains so I'm not sure whether using "Username" security is the best option (?)
Basically I'm confused!
Yes, your service needs a certificate so that your encryption keys can be exchanged securely. You can create a test service authentication certificate with makecert.exe. See this entry in my blog for the details of that.
You also need to ensure that the account your service is running as is able to read the certificate's private key file. If you're on Windows Vista (or later) the Certificates MMC snap-in allows you to control permissions on that private-key, but for earlier versions of Windows it's a bit harder. I used to use a utility that came with WSE3, but someone else might be able to suggest a more direct way. Unless your service runs as an admin, you will most likely have to adjust these permissions.
Update: like all good things, my blog came to an end. Thanks to makerofthings7 for reminding me. The makecert command you need to generate a service authentication certificate is something like this...
    makecert -sr LocalMachine -ss My -pe -n CN=subject-name -eku 1.3.6.1.5.5.7.3.1 -sky exchange
...simply replace subject-name with any certificate name that makes sense for your service.
@Martin is right, you need a certificate on the server. This link has a good overview of the communication flow for message based security and has sample code. This link has a good overview of working with certificates.
For your authentication requirements, this link reviews the various options available. If you're new to WCF, Learning WCF: A Hands-on Guide by Michele Bustamante is a good book and covers message based security.
I am still trying to find the solution to this problem. I have it too, but with signing an XML. To find the user IIS is running as in WinXP: Start > Right-Click My Computer > Manage > Services And Applications > Services > IIS Admin > Double click, and in the Log on tab it will usually say Local System.
EDIT
OK, this is how I solved my problem. I had a certificate that I made using this article. If the project is an ASP web site that is saved to your C: folder you may not have issues with this. But if it's saved to IIS as an HTTP project then you will have issues.
The way to solve it after weeks of investigating is not that hard. Microsoft has something called the Web Services Enhancements; you will download the latest, but I am using the second one with the latest service pack. When I installed I enabled everything.
Certificates can be in a physical file but they are usually in the Certificate Management Store; to get to it use the X509 Certificate tool in WSE 2.0. Here open your certificate by looking for it in the different sections until you find it. Then open it, and at the bottom there will be a View Private Key; in the security tab add LOCALHOST\ASPNET. And this should enable your website to read the certificate.
In short, what happens is that when you create the public and private keys, although you may see the private key just fine, it is really sent to Timbuktu in the file system and you need to find it to add the ASPNET account for read access. I am reading that in Vista this is much easier but I am using XP.
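The two manual steps in this thread, creating a service authentication certificate (Martin's makecert command) and then granting the service identity read access to its private key file (the last answer's WSE X509 tool procedure), as one PowerShell script for current Windows versions. This is an added example, not code from any of the answers above; New-SelfSignedCertificate is used in place of makecert, and the subject name and the service account ("IIS APPPOOL\DefaultAppPool") are placeholders to replace with your own. Run it in an elevated PowerShell on the service host.

```powershell
# Added example (not from the original thread). Creates a server
# authentication certificate in the machine store and grants the
# service account Read on the private key file, then prints the
# <serviceCredentials> fragment the service's web.config needs.
# Assumed placeholders: $SubjectName and $ServiceAccount.
param(
    [string]$SubjectName    = "CN=my-wcf-service",          # assumed subject
    [string]$ServiceAccount = "IIS APPPOOL\DefaultAppPool"  # assumed identity
)

# 1. Create the certificate. EKU 1.3.6.1.5.5.7.3.1 is Server Authentication,
#    the same OID makecert's -eku switch used; -KeySpec KeyExchange matches
#    -sky exchange. A legacy CSP is requested on purpose: WCF message
#    security on .NET Framework releases before 4.6.2 cannot use CNG keys,
#    and the CSP key container name is what lets us find the key file.
$cert = New-SelfSignedCertificate `
    -Subject $SubjectName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -KeyUsage KeyEncipherment, DigitalSignature `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotAfter (Get-Date).AddYears(2)

# 2. Locate the private key file. Machine-store CSP keys live under
#    %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, named by the unique
#    key container name (the "Timbuktu" location the last answer refers to).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyPath)) {
    throw "Private key file not found: $keyPath"
}

# 3. Grant the service identity Read only. Decrypting and signing messages
#    needs read access to the key; nothing needs write or full control.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Emit the behavior fragment to paste under the service's
#    <serviceBehaviors><behavior> element so WCF can find this certificate.
@"
<serviceCredentials>
  <serviceCertificate findValue="$($cert.Thumbprint)"
                      storeLocation="LocalMachine"
                      storeName="My"
                      x509FindType="FindByThumbprint" />
</serviceCredentials>
"@
```

Finding the certificate by thumbprint rather than by subject name avoids picking up a second certificate with the same CN later on. Because the certificate is self-signed, clients will reject it under the default ChainTrust validation; for testing, import it into the client's Trusted People store and set `certificateValidationMode="PeerTrust"` under the client's `<clientCredentials><serviceCertificate><authentication>` element, and for production over the internet replace it with a certificate issued by a CA the clients already trust.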