WCF Security question: SSL w/client certificate + WS-Security w/certificates

    Question

    I've got a bit of a challenge that I haven't quite wrapped my head around yet. Our network is set up such that external partners must send messages to us through our DMZ, which is secured via two-way SSL authentication via IIS. The DMZ hosts our web service router, which simply forwards the message on to the next zone and, ultimately, a service in the intranet. The service in the intranet is secured using WS-Security 1.0/1.1 and the X.509 token profile ("mutual certificate" security). The client uses the logical address of the service, which the intermediary is configured to understand. I can get this working with WSE 3.0, but I want to migrate our clients and services to WCF (since all our new services are already WCF-based).

    Unfortunately, this presents a challenge, as WCF doesn't appear to support this with the built-in bindings. Essentially, I've tried to define my own custom binding and corresponding "httpsTransport" + encoder and "security" elements. It appears there is a limitation, though, because there doesn't seem to be any way to define separate certificates for SSL and the message signature.

    Here is what I've got so far:

    Code Snippet

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <customBinding>
            <binding name="defaultWithSecurity">
              <security authenticationMode="MutualCertificate"
                        includeTimestamp="true"
                        messageProtectionOrder="SignBeforeEncrypt"
                        messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" />
              <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
              <httpsTransport requireClientCertificate="true"/>
            </binding>
          </customBinding>
        </bindings>
        <client>
          <endpoint address="urn:testservice:v1"
                    binding="customBinding"
                    bindingConfiguration="defaultWithSecurity"
                    contract="TestServiceReference.TestService"
                    name="default"
                    behaviorConfiguration="viaBehavior">
            <identity>
              <dns value="FabrikamEnterprises" />
            </identity>
          </endpoint>
        </client>
        <behaviors>
          <endpointBehaviors>
            <behavior name="viaBehavior">
              <clientVia viaUri="http://dmzserver/servicegateway/router.svc" />
              <clientCredentials>
                <serviceCertificate>
                  <defaultCertificate findValue="CN=FabrikamEnterprises" />
                  <authentication certificateValidationMode="PeerOrChainTrust"
                                  revocationMode="NoCheck" />
                </serviceCertificate>
                <clientCertificate findValue="CN=TestClientCertificate"
                                   storeLocation="CurrentUser"
                                   storeName="My" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>


    This doesn't appear to work, as the httpsTransport doesn't like me setting a DNS value. Also, if I need to use a different certificate for the SSL connection (i.e. different from the one used for the message's digital signature), how would I do that? I'm starting to suspect that I'll need to create my own binding and set the SSL certificate in code.

    Any thoughts or suggestions would be appreciated.

    Thanks!

    Saturday, June 7, 2008 12:21 AM
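One way to give WCF a separate certificate for the SSL handshake and for the WS-Security signature, which the post suspects has to be done in code, is a custom ClientCredentials that intercepts the X.509 token requirement before the stock token manager resolves it. This is added example code, not from the original post or from WCF itself; the class names are invented, and it assumes (not verified here) that the requirement httpsTransport raises for the SSL client certificate carries no SecurityBindingElement, while the one raised by the security element for the message signature does.

```csharp
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security.Tokens;

// ClientCredentials that hands WCF two different X.509 certificates: one for the
// two-way SSL handshake with the DMZ router, one for the WS-Security message signature.
// ClientCertificate (from config or code) stays the signing certificate.
public class DualCertificateClientCredentials : ClientCredentials
{
    public X509Certificate2 TransportCertificate { get; private set; }

    public DualCertificateClientCredentials(X509Certificate2 sslClientCert) { TransportCertificate = sslClientCert; }

    protected DualCertificateClientCredentials(DualCertificateClientCredentials other) : base(other) { TransportCertificate = other.TransportCertificate; }

    // WCF clones the credentials when the channel factory opens; the clone must keep this type.
    protected override ClientCredentials CloneCore() { return new DualCertificateClientCredentials(this); }

    public override SecurityTokenManager CreateSecurityTokenManager() { return new DualCertificateTokenManager(this); }
}

class DualCertificateTokenManager : ClientCredentialsSecurityTokenManager
{
    readonly DualCertificateClientCredentials creds;
    public DualCertificateTokenManager(DualCertificateClientCredentials c) : base(c) { creds = c; }

    public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement req)
    {
        var smReq = req as ServiceModelSecurityTokenRequirement;
        // ASSUMPTION: the X.509 signature requirement raised by httpsTransport for the SSL
        // client certificate has no SecurityBindingElement attached, while the requirement
        // raised by the <security> element for the message signature does.
        bool isSslClientCert = req.TokenType == SecurityTokenTypes.X509Certificate
            && req.KeyUsage == SecurityKeyUsage.Signature
            && smReq != null && smReq.IsInitiator && smReq.SecurityBindingElement == null;
        if (isSslClientCert)
            return new X509SecurityTokenProvider(creds.TransportCertificate);
        // Signing certificate (ClientCertificate) and the service certificate used for
        // encryption/validation are resolved exactly as the standard token manager does.
        return base.CreateSecurityTokenProvider(req);
    }
}
```

Register it by removing the endpoint's default credentials (factory.Endpoint.Behaviors.Remove<ClientCredentials>()) and adding an instance; because that also drops the clientCredentials settings from config, the signing certificate, defaultCertificate and authentication settings must be set again on the new instance.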