Thursday, February 25, 2010

SSL and Certificate security with WCF

Setting up WCF to use certificates for security: there are plenty of examples and tutorials, but there are still a number of gotchas. The key ones we found were:

- For TRANSPORT security using Certificate authentication
  • make sure you have a ROOT CA, and trust it on both the server and the client. This means the root CA certificate (its public key) needs to be imported into the Trusted Root Certification Authorities store on both machines. Transport security will not work (even in dev) without a trusted CA on both the client and server.
  • make sure the server SSL certificate is issued to the server name you will be using in the URL - i.e. if you are using https://my.server.wcf/MyService, then issue the SSL server certificate to my.server.wcf. A name mismatch fails the TLS handshake before WCF ever sees the request.
  • make sure your client certificate has a private key and is imported into the Personal certificate store on the client. Ensure the client certificate (public part only) is in Trusted People on the server.
  • ensure the web site in IIS has "Require SSL" checked on, and "Require client certificate" checked on.
  • we set up a vanilla web site with a simple "Hello World" web page to check that SSL and client certificates are working (Require SSL and Require Client Certificate turned on). If you use IE to connect to the basic web site on the server, it should prompt you to select a certificate. If you can select your certificate and connect to the basic web site, then the same certificates will work in WCF. If not, then it won't work in WCF either! This isolates certificate and IIS problems from WCF configuration problems.
  • you can use certificate mapping to map to a Windows account, and then use .NET security demands in your application as normal. Make sure you turn Windows account mapping on in the WCF server configuration (mapClientCertificateToWindowsAccount="true") AND enable Client Certificate Mapping Authentication in IIS.
  • you can achieve this with self signed certificates or CA assigned certificates
  • you can achieve this in IIS 6 and IIS 7
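Putting the transport checklist above into configuration, as an added example (this is not the original post's configuration). The host name my.server.wcf comes from the post; the service and contract names MyNamespace.MyService and MyNamespace.IMyService, the MyService.svc path, and the client certificate subject name client.my.wcf are assumed placeholders. The SSL server certificate itself is bound to the site in IIS, not in this file.

```xml
<!-- Added example, not the post's own config. SERVER side (web.config of
     the IIS site). IIS must also have "Require SSL" and "Require client
     certificate" on. Assumed names: MyNamespace.MyService / IMyService. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="TransportCertBinding">
        <!-- TLS on the wire; the client authenticates with an X.509 cert -->
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="TransportCertBehavior">
        <serviceCredentials>
          <clientCertificate>
            <!-- ChainTrust: the client cert must chain to a root in the
                 server's Trusted Root store (the trusted ROOT CA).
                 mapClientCertificateToWindowsAccount also needs Client
                 Certificate Mapping Authentication enabled in IIS. -->
            <authentication certificateValidationMode="ChainTrust"
                            mapClientCertificateToWindowsAccount="true" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyNamespace.MyService"
             behaviorConfiguration="TransportCertBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="TransportCertBinding"
                contract="MyNamespace.IMyService" />
    </service>
  </services>
</system.serviceModel>

<!-- CLIENT side (app.config). The address must be https and use the host
     name the server certificate was issued to. The client certificate is
     looked up in CurrentUser\My (Personal) and must carry its private key.
     Assumed subject name: client.my.wcf. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="TransportCertBinding">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientCertBehavior">
        <clientCredentials>
          <clientCertificate findValue="client.my.wcf"
                             storeLocation="CurrentUser"
                             storeName="My"
                             x509FindType="FindBySubjectName" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint name="TransportCertEndpoint"
              address="https://my.server.wcf/MyService/MyService.svc"
              binding="wsHttpBinding"
              bindingConfiguration="TransportCertBinding"
              behaviorConfiguration="ClientCertBehavior"
              contract="MyNamespace.IMyService" />
  </client>
</system.serviceModel>
```

Note that no serviceCertificate element appears on the client: with mode="Transport" the server certificate is checked by the HTTPS stack against the client's Trusted Root store, which is why the root CA has to be trusted on the client as well.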
- For MESSAGE security using certificates
  • basic message security with certificates is simpler
  • use PeerTrust (certificateValidationMode="PeerTrust") and trust the client certificate on the server and the server certificate on the client, by putting each in the other side's Trusted People store.
  • no need for a trusted CA (or any CA) in this configuration: PeerTrust only asks whether the exact certificate is in Trusted People, not whether it chains to a root.
  • use the identity/dns settings in the WCF configuration to match the names the server and client certificates were issued to.
  • certificate mapping to Windows accounts does not work with message security
  • you can achieve this with self signed certificates or CA assigned certificates
  • you can achieve this in IIS 6 and IIS 7
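The message-security checklist above as configuration, again an added example rather than the post's own config. my.server.wcf is the host name from the post; MyNamespace.MyService, MyNamespace.IMyService, MyService.svc and the client subject name client.my.wcf are assumed placeholders.

```xml
<!-- Added example, not the post's own config. SERVER side. No CA is
     involved: PeerTrust means "this exact cert is in my Trusted People
     store", so the CLIENT certificate goes into LocalMachine\TrustedPeople
     on the server. Assumed names: MyNamespace.MyService / IMyService. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageCertBinding">
        <security mode="Message">
          <!-- negotiateServiceCredential="false": the client must already
               hold the service certificate (trusted out of band) instead
               of receiving it during the handshake -->
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MessageCertBehavior">
        <serviceCredentials>
          <!-- the server's own cert, WITH private key, in LocalMachine\My -->
          <serviceCertificate findValue="my.server.wcf"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <clientCertificate>
            <authentication certificateValidationMode="PeerTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyNamespace.MyService"
             behaviorConfiguration="MessageCertBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="MessageCertBinding"
                contract="MyNamespace.IMyService">
        <!-- must equal the subject name the server cert was issued to -->
        <identity>
          <dns value="my.server.wcf" />
        </identity>
      </endpoint>
    </service>
  </services>
</system.serviceModel>

<!-- CLIENT side. The SERVER certificate (public part only) sits in
     CurrentUser\TrustedPeople; the client's own cert with private key sits
     in CurrentUser\My. Plain http is fine: protection is in the message. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageCertBinding">
        <security mode="Message">
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientMessageCertBehavior">
        <clientCredentials>
          <clientCertificate findValue="client.my.wcf"
                             storeLocation="CurrentUser"
                             storeName="My"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <!-- which server cert to encrypt to, and how to validate it -->
            <defaultCertificate findValue="my.server.wcf"
                                storeLocation="CurrentUser"
                                storeName="TrustedPeople"
                                x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="PeerTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint name="MessageCertEndpoint"
              address="http://my.server.wcf/MyService/MyService.svc"
              binding="wsHttpBinding"
              bindingConfiguration="MessageCertBinding"
              behaviorConfiguration="ClientMessageCertBehavior"
              contract="MyNamespace.IMyService">
      <identity>
        <dns value="my.server.wcf" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

One further gotcha worth checking when hosting this in IIS: the application pool identity must have read access to the private key of the server certificate in LocalMachine\My, otherwise the service fails at start-up when it tries to load the certificate.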
That's a simple checklist of things to look out for. Hope it helps someone.

