We'd like to configure Transport Security (SSL) with Client Certificate for our WCF Service (basicHttpBinding) which is used only by Company X as a client of our service.
From our side, we have 2 load-balanced servers and from their side there is only 1 server.
On the 3 servers just mentioned, we have installed the same Root Certificate Authority which would be used to issue other certificates.
There is a lot of confusion about how to configure this with WCF and where to install which certificates.
1) How many other certificates should we be issuing, and where should they be installed?
Should Company X issue a certificate as well?
Which certificates should be installed on our 2 Servers and which ones on their Server?
We should be trusting their server, so I'd guess we'd require them to install a Client Certificate, right? Who will issue this certificate, and from where?
From the service side, how to configure WCF to trust this client certificate when received?
They should be trusting our 2 servers, how does this work?
2) What is the purpose of <serviceCertificate> and should we be adding it to our config? Should Company X add it to their end?
I've read the purpose is "to authenticate/identify the service to the client". I'd guess this means that we only need to install these certificates on our servers and they shouldn't be installed on the client's server.
Does it mean that it is the same as ssl?
We have hosted the WCF Service on IIS and we have also configured SSL via IIS. Does it mean we don't have to add <serviceCertificate> to our WCF config then?
3) <clientCertificate>: I've read the purpose is to identify the client to the service, therefore I'd guess it's something that should certainly be installed on the Client's machine.
Who will issue this certificate? The Root Certificate Authority on our servers or on theirs?
Should this certificate be installed on both our Servers as well, or just on their side?
From our service side, how are we going to trust this client certificate? Any web.config settings, or something else?
Many thanks,
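An added example, not code from the question or from any answer on this page, of the setup the question asks about: basicHttpBinding with transport security (HTTPS) and a client certificate, written in C# so the service half and Company X's client half can be read side by side. Assumptions not stated in the question: the endpoint address and the two thumbprints are placeholders, and the HTTPS port already has a server certificate bound (by IIS, or by netsh for self-hosting). The service accepts a client certificate only if it chains to the one root CA both parties installed; plain ChainTrust would also accept certificates from every other root in the server's Trusted Root store.

```csharp
// Added example (not from the original question): basicHttpBinding, transport security,
// client certificate. Placeholders (assumed): the endpoint address and the thumbprints
// the caller passes in.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping(string text);
}

public class PingService : IPing
{
    public string Ping(string text) { return "pong: " + text; }
}

// Service side. Accepts only client certificates whose chain ends in the agreed root CA,
// so a certificate from some other CA in the server's trusted store is rejected.
public sealed class AgreedRootValidator : X509CertificateValidator
{
    private readonly string rootThumbprint;

    public AgreedRootValidator(string rootThumbprint) { this.rootThumbprint = rootThumbprint; }

    public override void Validate(X509Certificate2 certificate)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; // needs CRL/OCSP reachability
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        if (!chain.Build(certificate))
            throw new SecurityTokenValidationException("Client certificate chain did not validate.");

        // The last element of a successfully built chain is the trusted root.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, rootThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Client certificate is not issued under the agreed root CA.");
    }
}

public static class ServiceSide
{
    public static ServiceHost Start(string rootCaThumbprint)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var host = new ServiceHost(typeof(PingService), new Uri("https://service.example.test:8443/ping"));
        host.AddServiceEndpoint(typeof(IPing), binding, "");

        // No ServiceCertificate is set: under transport security the server certificate is
        // the one bound to the HTTPS port (IIS site binding or "netsh http add sslcert").
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new AgreedRootValidator(rootCaThumbprint);
        host.Open();
        return host;
    }
}

// Client side (Company X): presents the certificate issued to them under the agreed root.
// Its private key lives only on their server; your servers never need it.
public static class ClientSide
{
    public static string CallPing(string clientCertThumbprint)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<IPing>(binding, new EndpointAddress("https://service.example.test:8443/ping"));
        factory.Credentials.ClientCredentials_Placeholder();
        var channel = factory.CreateChannel();
        try { return channel.Ping("hello"); }
        finally { ((ICommunicationObject)channel).Close(); factory.Close(); }
    }
}
```

For an IIS-hosted service the same settings go into web.config: the binding gets <security mode="Transport"><transport clientCredentialType="Certificate" /></security>, the site's SSL Settings are set to require client certificates, and the validator is registered under <serviceCredentials><clientCertificate><authentication certificateValidationMode="Custom" customCertificateValidatorType="..." /></clientCertificate></serviceCredentials>; <serviceCertificate> belongs to message security and is not needed for this transport-only setup. Each of the two load-balanced servers needs the root CA (for chain building), the validator configuration, and an HTTPS certificate whose name matches the load-balanced host name; Company X's server needs the root CA plus its own client certificate with private key, which can be issued by that shared root.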
I've got a solution that contains a C# WinForms client and a server (Windows Service WCF service, IdentityServer4 and ElasticSearch). A certificate is required when running IdentityServer in production, so this will be implemented on all of the services. It will probably only be a one-way certificate (a function certificate for services).
Production will run a bought certificate.
Is there any reason to buy a certificate for dev, or will a dev certificate from a local Windows server be enough to really test everything as if it was in production?
Hope my question is clear!
A test certificate will work the same way as a bought certificate. It's however possible that you will need to override the check of the certificate on client and service to grant it even if the certificate is not installed in the required service. If, however, you are able to generate certificates specific to the computers that are running the software, then there will be no need to override the certificate check method.
I have created a WCF Service and have implemented all necessary work for SSL implementation.
From IIS to Web.config
I am able to access the Service successfully with the following URL in a browser from my own PC.
https://mycomputername/wcfService.svc
but how can I access it using my IP address, e.g.:
https://192.x.x.x/wcfService.svc
Actually I have to access the web service from another PC within my network.
The SSL certificate will be associated with a domain name, not with an IP address.
So you will have to customize how to accept the SSL certificate. If you have a .NET client, you can use ServicePointManager.ServerCertificateValidationCallback and return true to accept any certificate.
Related: How to ignore the certificate check when ssl
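The answer above, like the answer to the IdentityServer question further up, suggests overriding the certificate check; returning true from ServicePointManager.ServerCertificateValidationCallback accepts every certificate from every host, so a man-in-the-middle on the network path is no longer detected. As an added example, not code from either answer, here is that shortcut next to a callback that forgives only the host-name mismatch and only for one known certificate. The thumbprint is a placeholder (assumed).

```csharp
// Added example (not from the original answer). Placeholder (assumed): the expected
// thumbprint of the IIS server certificate, e.g. read from the client's configuration.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ServerCertificateChecks
{
    // What the answer suggests: disables server certificate validation for the whole process.
    // Shown only so the trade-off is visible; do not ship this.
    public static bool AcceptAnything(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // For an IP-addressed endpoint whose certificate carries only the host name: the
    // presented certificate must be the one we expect (pinned by thumbprint), and the only
    // policy error we forgive is the name mismatch. Chain, revocation and expiry errors still fail.
    public static RemoteCertificateValidationCallback PinnedIgnoringNameMismatch(string expectedThumbprint)
    {
        return (sender, cert, chain, errors) =>
        {
            if (cert == null) return false;
            var presented = new X509Certificate2(cert);
            bool pinned = string.Equals(presented.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
            var remaining = errors & ~SslPolicyErrors.RemoteCertificateNameMismatch;
            return pinned && remaining == SslPolicyErrors.None;
        };
    }

    // ServicePointManager is process-global: install the narrow callback once at startup,
    // not the AcceptAnything one.
    public static void Install(string expectedThumbprint)
    {
        ServicePointManager.ServerCertificateValidationCallback = PinnedIgnoringNameMismatch(expectedThumbprint);
    }
}
```

If the certificate can be reissued with the IP address as a subject alternative name, or the other PC can resolve the server's host name (a hosts-file entry is enough on a LAN), no override is needed at all, which is the preferable fix.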
I'm planning on deploying a WCF service to multiple devices to receive notifications of certain events. All of the events will originate from a client machine that can provide a certificate to the service to authenticate.
I'm less concerned about the client authenticating each service, but I'm having difficulty choosing the proper WCF security settings to provide this setup. It appears that message-level security requires a client certificate and a service certificate.
But the devices hosting the service will not be able to be maintained in a way that allows us to update the service certificate periodically when it expires. So here are my questions:
Is there a way to set up a WCF service for client certificate authentication without a service certificate on the server?
Is there a simpler approach for verifying the identity of the caller that I'm missing?
I apologize for the brevity of this answer, but it is better to think of it as a Server certificate, rather than a Service certificate. Multiple services could use the same certificate, and you can work around the expiration by not checking for expiration client side. As to whether there is any easier way, WCF supports a variety of authentication and authorization models; here are some useful links.
http://msdn.microsoft.com/en-us/library/ee748498.aspx
http://msdn.microsoft.com/en-us/library/ms733131(v=vs.110).aspx
I created a self-hosted HTTPS WCF web service running on my localhost machine. Now I make a request to this web service from a GWT-based application hosted on some domain.
I use a self-signed X.509 certificate which is not approved yet. Whenever my GWT application makes requests, it shows an error because of the untrusted certificate. Can I bypass this error from my GWT client code, or can you suggest an alternative solution?
Is there any other protocol supported by WCF services that we can use for communication and that will not trigger the security alert from the browser?
Updated
Whole scenario:
You install an exe on your system, which takes care of the WCF web service and imports a certificate to your local machine.
You open a GWT-based website from your browser. Let's say some.com.
some.com continuously polls a request to his/her local machine, let's say on https://localhost:8098/{someendpoint}
But because of this HTTPS and the untrusted certificate, it is not able to make the request.
Since you said "Let's start with local testing": how about installing your self-signed certificate onto the machine on which you are testing the GWT?
You should be able to double click the certificate and follow the prompts/wizard to install it.
This applies to development only (for production you'd need a proper certificate)
We have a Windows Service with TCP binding. It has transport security mode and the client credential type is Windows. The service is within a domain.
Now we want to make calls to this service from an ASP.NET application running on IIS which is not part of the domain. We don't need user impersonation. What is the most secure way to enable this sort of communication?
This is a pretty standard situation: the web server is in a DMZ and I would like to know how to set up secure communication with WCF backend services.
I expect that it will not work. You cannot use the Windows client credential type if you want to consume the service outside of your domain. You must use Certificate (or None, but that means no authentication).
The difference is that Windows client credentials will create a stream secured with SSPI, whereas Certificate and None client credentials will create a stream secured with an SSL certificate. In the case of Certificate client credentials, each client will be identified by its own certificate (= you need one for your IIS server).
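As an added example, not code from the answer, here is the Certificate credential type the answer recommends on netTcpBinding, with trust handled by PeerTrust: each side places the other's certificate in its LocalMachine\TrustedPeople store, so the DMZ web server and the domain need no common CA and the IIS server is identified by exactly one certificate. The addresses, host name and thumbprints are placeholders (assumed); the DnsEndpointIdentity on the client must equal the subject name of the backend's certificate.

```csharp
// Added example (not from the original answer): netTcpBinding with transport security and
// certificate client credentials for a caller outside the domain. Placeholders (assumed):
// the net.tcp address, the host name in the identity, and the thumbprints passed in.
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IBackend
{
    [OperationContract]
    string Echo(string text);
}

public class BackendService : IBackend
{
    public string Echo(string text) { return text; }
}

public static class DmzToBackend
{
    private const string Address = "net.tcp://backend.internal.test:8731/backend";

    private static NetTcpBinding CertificateBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        // Windows credentials require the caller to be in (or trusted by) the domain;
        // certificate credentials do not, and the channel is still TLS-protected.
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Backend inside the domain: presents its own certificate and accepts only client
    // certificates found in LocalMachine\TrustedPeople (the DMZ web server's certificate).
    public static ServiceHost StartBackend(string backendCertThumbprint)
    {
        var host = new ServiceHost(typeof(BackendService), new Uri(Address));
        host.AddServiceEndpoint(typeof(IBackend), CertificateBinding(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, backendCertThumbprint);

        var clientAuth = host.Credentials.ClientCertificate.Authentication;
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        clientAuth.RevocationMode = X509RevocationMode.NoCheck; // peer certificates have no CRL
        host.Open();
        return host;
    }

    // DMZ web server: authenticates with its own certificate and pins the backend's certificate
    // the same way (backend certificate in the web server's TrustedPeople store).
    public static string CallBackend(string webServerCertThumbprint)
    {
        var endpoint = new EndpointAddress(new Uri(Address), new DnsEndpointIdentity("backend.internal.test"));
        var factory = new ChannelFactory<IBackend>(CertificateBinding(), endpoint);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, webServerCertThumbprint);

        var serviceAuth = factory.Credentials.ServiceCertificate.Authentication;
        serviceAuth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        serviceAuth.RevocationMode = X509RevocationMode.NoCheck;

        var channel = factory.CreateChannel();
        try { return channel.Echo("hello from the DMZ"); }
        finally { ((ICommunicationObject)channel).Close(); factory.Close(); }
    }
}
```

The IIS application pool identity must have read access to the private key of the web server's certificate in LocalMachine\My, and the firewall between the DMZ and the domain only needs the single net.tcp port open; with Windows credentials you would have needed domain trust or Kerberos reachability from the DMZ as well.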