I'm preparing to create a WCF Service which our customers can use to update data in our system. So it has to be available over the Internet. I have a book about WCF from which I know the Message Security
is the way to go when making a WCF Service available over the Internet. That is because you shouldn't use the transport security because it should only be used in environments where you can guarantee that there is a point-to-point connection between service and client. Did I get that right?
So I want to use Message Security in combination with a custom UserName
authentication. I understand that I have to get a certificate to accomplish that. Our company already owns a SSL Certificate that is used for our Websites.
And
For testing purposes I created my own certificate with Makecert. It worked fine but I always had to add the certificate to the Trusted Persons
on the client machine.
Message Security
with the above mentioned certificate without forcing the client to add the certificate to the Trusted Persons
manually? Now, let's assume the following scenario:
There are two Webservers behind an ISA-Server/Firewall. This ISA-Server holds the certificate for the www.company.com address. So all the SSL stuff is handled by it. It also forwards the incoming requests to the webservers accordingly. The newly created WCF Service should run on the 2nd webserver.
Message Security
?If yes, I heard copying certificates is not good practice because it reduces the level of security. Moving the certificate to the webserver is not an option, because it's needed for the websites on Web-Server1, too.
And:
Thank you...
UserName. Password = "testPass"; In this way you can pass username, password in the header to a SOAP WCF Service.
Nicely prepared question. First of all I probably read the same book and I would like to clarify this statement:
That is because you shouldn't use the transport security because it should only be used in environments where you can guarantee that there is a point-to-point connection between service and client.
Yes. HTTPS (transport security) offers only point-to-point security but IMO people don't understand this scenario correctly. Do you think that if you connect to your Internet banking over HTTPs it will randomly somewhere in the middle of Internet swap communication from HTTPS to HTTP? NO! Point-to-point connection means secured transport channel between client and accessed gateway providing the requested URL. In your scenario it means secured transport channel between Client and your ISA Server. Communication will not be secured between your ISA and Web Server 2. If you want end-to-end which will provide secure channel between client and Web Server 2 (ISA will not be able to intercept messages), you need message security.
Now to your other questions:
Can I use the same certificate for the message security of the WCF Service?
Yes you can, but you have to copy private key to your Web Server 2.
Is the Message Security way interoperable with clients that expect a ASMX Webservice?
No. Pure ASMX client can't use message security unless you code a lot of custom SOAP headers and extensions or install WSE 3.0.
Is it possible to enable the Message Security with the above mentioned certificate without forcing the client to add the certificate to the Trusted Persons manually?
Yes but Certification authority which published certificate must be trusted on client machine. It is same with HTTPS. Services secured with message security also can expose certificate's thumbprint inside WSDL. Clients can validate service identity with this thumbprint. I think that in such case you also don't need to install certificate on client but when certificate expires all clients will have to be updated.
Do I have to copy the certificate to the webserver to be able to use the Message Security?
Yes you must. But this can be a problem because for security reason's certificate can be marked as not exportable. Best solution is to request new certificate just for this purpose.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With