HTTPS URL and Message Security

  • Question

  • Hi,

    My client wants the WCF service that we created to have...
    1. An HTTPS URL instead of an HTTP URL.
    2. Message encryption done like that of WsHttpBinding (Mode: Message).

    I tried various options...
    1. Configured my IIS with a certificate and ensured that the application is HTTPS enabled.
    2. Tried WsHttpBinding and a CustomBinding equivalent to WsHttpBinding.

    All my trials have gone awry and I really don't know what to do here.
    The client's requirements are...
    1. SSL certificates - meaning an HTTPS URL.
    2. Message signing - the message is encrypted between sender and receiver and vice versa.

    While my service provider is obviously .NET, my consumers are Java / Pega based. So I need to think about interoperability also. Can anybody please advise?
    Thanks in advance.


    Praveen Behara
    MCST : BizTalk Server 2006 R2, 2010


    • Edited by Praveen Kumar Behara Saturday, December 28, 2013 6:13 AM added provider and consumer details
    Friday, December 27, 2013 10:22 AM

All replies

  • Hi,

    It would be better if you could post your configuration file here so we can find where it is wrong.

    And please try to check these articles:

    #How to: Configure an IIS-hosted WCF service with SSL:
    http://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx

    #Seven simple steps to enable HTTPS on WCF WsHttp bindings:
    http://www.codeproject.com/Articles/36705/7-simple-steps-to-enable-HTTPS-on-WCF-WsHttp-bindi

    #WCF over HTTPS:
    http://cgeers.com/2009/08/07/wcf-over-https/

    Best Regards,
    Amy Peng



    Monday, December 30, 2013 6:05 AM
    Moderator
  • Hi Amy,
    Thanks for the response and the links. They are pretty useful.
    Before I get into what I did wrong, I just want to reiterate what is needed.

    ===============
    We need to have two-way SSL as well as message signing.

    SSL certificates
    Consumer: Sign with Consumer Private Key & submit request
    -> Provider: Verify with Consumer Public Key
    -> Provider: Sign with Provider Private Key & return response
    -> Consumer: Verify with Provider Public Key

    Message signing
    Consumer: Sign with Consumer Private Key & submit request
    -> Provider: Verify with Consumer Public Key
    -> Provider: Send unsigned response
    ===============
    I did manage to get something in place with the following configuration...
    1. I have configured my site with SSL, but for testing purposes I am enabling...
     a. UnsecureEndpoint - basicHttpBinding using an HTTP URL.
     b. SecureEndpoint   - wsHttpBinding using an HTTPS URL.
    2. WsHttpBinding with Mode as TransportWithMessageCredential

    Now what I want to know: is this configuration sufficient for the requirement?
    How do I prove that it is sufficient for what is asked?
    Also, the client keeps on insisting that the message be encrypted...
    I believe the Transport will take care of encrypting the data... is that correct?
    When I look in my WCF logs, I am seeing plain text data. When I used Mode as Message in WsHttpBinding, I was seeing ciphertext in my WCF logs.
    ===============

    Below is the binding I am using for the service.

    <system.serviceModel>
      <bindings>
        <wsHttpBinding>
          <binding name="SecureWsHttpBinding">
            <security mode="TransportWithMessageCredential">
              <transport clientCredentialType="Windows" /> <!-- Can I remove this -->
              <message clientCredentialType="Certificate" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <services>
        <service behaviorConfiguration="SecureBehavior" name="SampleApplication.Services.SampleApplicationService">
          <endpoint address="http://localhost/SampleApplication/SampleApplicationService.svc/basic"
            binding="basicHttpBinding" bindingConfiguration="" name="SampleApplicationEndpoint_Basic"
            contract="SampleApplication.Contracts.ISampleApplicationService" />
          <endpoint address="https://localhost/SampleApplication/SampleApplicationService.svc"
            binding="wsHttpBinding" bindingConfiguration="SecureWsHttpBinding"
            name="WsHttpSecureEndpoint" contract="SampleApplication.Contracts.ISampleApplicationService">
            <identity>
              <dns value="ServiceCert" />
            </identity>
          </endpoint>
        </service>
      </services>
      <behaviors>
        <endpointBehaviors>
          <behavior name="SecureEndpointBehavior">
            <clientCredentials>
              <clientCertificate findValue="ServiceCert" storeLocation="LocalMachine"
                x509FindType="FindBySubjectName" />
              <serviceCertificate>
                <defaultCertificate findValue="ServiceCert" storeLocation="LocalMachine"
                  x509FindType="FindBySubjectName" />
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
        <serviceBehaviors>
          <behavior name="UnsecureBehavior">
            <serviceMetadata httpGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="true" />
          </behavior>
          <behavior name="SecureBehavior">
            <serviceCredentials>
              <clientCertificate>
                <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
              </clientCertificate>
              <serviceCertificate findValue="ServiceCert" x509FindType="FindBySubjectName" />
            </serviceCredentials>
            <serviceDebug />
            <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>
    =====================

    Client would be Pega or some java based application.

    Thanks in advance for all the help.


    Praveen Behara
    MCST : BizTalk Server 2006 R2, 2010

    Monday, December 30, 2013 8:17 AM
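The SecureWsHttpBinding from the post above expressed in code, as an added example that is not the poster's or Microsoft's code: the transport clientCredentialType is switched from Windows to Certificate so the "two way SSL" leg is real mutual TLS that a Java/Pega caller can satisfy, the certificate message credential is kept for signing, and the PeerOrChainTrust/NoCheck validation is tightened; a second builder shows the Mode=Message variant that encrypts the SOAP body itself (the reason ciphertext appeared in the logs). It assumes the page's contract and service type names, a server certificate with subject "ServiceCert" in LocalMachine\My, a self-hosted ServiceHost for illustration, and that IIS is set to require client certificates on the HTTPS URL.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not the poster's configuration; type names are the page's, the host is self-hosted for illustration.
public static class SecureHostFactory
{
    public static WSHttpBinding BuildTransportWithMessageCredentialBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);

        // Two-way SSL: TLS encrypts the channel and the client presents its certificate in the
        // TLS handshake. Replaces clientCredentialType="Windows", which non-Windows callers cannot use.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        // Message signing: the client signs the SOAP message with its certificate.
        // Confidentiality comes from TLS below the message layer, so WCF message logging
        // (which captures the message before transport encryption) still shows plaintext.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // Interop with non-WCF consumers: no WS-Trust negotiation, no WS-SecureConversation session.
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    public static WSHttpBinding BuildMessageSecurityBinding()
    {
        // Mode=Message: WS-Security signs and encrypts the SOAP body itself, so the
        // logged message is ciphertext even over plain HTTP.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    public static ServiceHost CreateHost(Type serviceType, Type contractType, Uri httpsAddress)
    {
        var host = new ServiceHost(serviceType);
        host.AddServiceEndpoint(contractType, BuildTransportWithMessageCredentialBinding(), httpsAddress);
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ServiceCert");

        // Tighten the page's PeerOrChainTrust / NoCheck: require a trusted chain and check revocation.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        return host;
    }
}
```

Usage: `SecureHostFactory.CreateHost(typeof(SampleApplication.Services.SampleApplicationService), typeof(SampleApplication.Contracts.ISampleApplicationService), new Uri("https://localhost/SampleApplication/SampleApplicationService.svc")).Open();` opens the endpoint; the consumer must trust the ServiceCert chain and hold a client certificate the service's chain validation accepts.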