WCF Security question: SSL w/client certificate + WS-Security w/certificates

  • Question

  • I've got a bit of a challenge that I haven't quite wrapped my head around yet. Our network is set up such that external partners must send messages to us through our DMZ, which is secured via two-way SSL authentication via IIS. The DMZ hosts our web service router, which simply forwards the message on to the next zone and, ultimately, a service in the intranet. The service in the intranet is secured using WS-Security 1.0/1.1 and the X.509 token profile ("mutual certificate" security). The client uses the logical address of the service, which the intermediary is configured to understand. I can get this working with WSE 3.0, but I want to migrate our clients and services to WCF (since all our new services are already WCF-based).


    Unfortunately, this presents a challenge, as WCF doesn't appear to support this with the built-in bindings. Essentially, I've tried to define my own custom binding and corresponding "httpsTransport" + encoder, "security" elements. It appears there is a limitation though, because there doesn't seem to be any way to define separate certificates for SSL and the message signature.


    Here is what I've got so far:


    Code Snippet

    <?xml version="1.0" encoding="utf-8" ?>
    <!-- The wrapper elements were lost from the posted snippet; they are restored here
         from the standard WCF client configuration schema. The endpoint's contract name
         was not in the post, so ITestService below is a placeholder. -->
    <configuration>
      <system.serviceModel>
        <bindings>
          <customBinding>
            <binding name="defaultWithSecurity">
              <security authenticationMode="MutualCertificate"
                        messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" />
              <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
              <httpsTransport requireClientCertificate="true"/>
            </binding>
          </customBinding>
        </bindings>
        <client>
          <endpoint address="urn:testservice:v1"
                    binding="customBinding"
                    bindingConfiguration="defaultWithSecurity"
                    behaviorConfiguration="viaBehavior"
                    contract="ITestService">
            <identity>
              <dns value="FabrikamEnterprises" />
            </identity>
          </endpoint>
        </client>
        <behaviors>
          <endpointBehaviors>
            <behavior name="viaBehavior">
              <clientVia viaUri="http://dmzserver/servicegateway/router.svc" />
              <clientCredentials>
                <serviceCertificate>
                  <defaultCertificate findValue="CN=FabrikamEnterprises" />
                  <authentication certificateValidationMode="PeerOrChainTrust"
                                  revocationMode="NoCheck" />
                </serviceCertificate>
                <clientCertificate findValue="CN=TestClientCertificate"
                                   storeName="My" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>

    This doesn't appear to work as the httpsTransport doesn't like me setting a DNS value.  Also, if I need to use a different certificate for the SSL connection (i.e. different from the one used for the message's digital signature), how would I do that?  I'm starting to suspect that I'll need to create my own binding and set the SSL certificate in code.


    Any thoughts or suggestions would be appreciated.



    Saturday, June 7, 2008 12:21 AM
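The following is an added example, not code from the original post, showing the same custom binding assembled in code rather than in config, together with a custom ClientCredentials that hands the HTTPS transport a separate client certificate while the message-level X.509 signature keeps using ClientCredentials.ClientCertificate. By default WCF feeds ClientCredentials.ClientCertificate to both the TLS handshake and the message signature, which is why the config-only approach cannot split them. The assumptions are: the contract ITestService (the post does not name one), the certificate names and URIs taken from the post, and the heuristic used to recognise the transport's token requirement (an X.509 requirement whose TransportScheme is "https" and which carries no SecurityBindingElement); the DNS identity and the NoCheck revocation mode are carried over from the posted configuration as-is.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Assumed contract: the original post does not name the service contract.
[ServiceContract(Namespace = "urn:testservice:v1")]
public interface ITestService
{
    [OperationContract]
    string Ping(string message);
}

// ClientCredentials that supplies a dedicated certificate for the TLS client
// handshake; the message-level signing token stays on ClientCertificate.
public class SplitCertificateCredentials : ClientCredentials
{
    public X509Certificate2 TransportCertificate { get; set; }

    public SplitCertificateCredentials() { }

    protected SplitCertificateCredentials(SplitCertificateCredentials other) : base(other)
    {
        TransportCertificate = other.TransportCertificate;
    }

    protected override ClientCredentials CloneCore() => new SplitCertificateCredentials(this);

    public override SecurityTokenManager CreateSecurityTokenManager() => new SplitCertificateTokenManager(this);
}

public class SplitCertificateTokenManager : ClientCredentialsSecurityTokenManager
{
    private readonly SplitCertificateCredentials credentials;

    public SplitCertificateTokenManager(SplitCertificateCredentials credentials) : base(credentials)
    {
        this.credentials = credentials;
    }

    public override SecurityTokenProvider CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
    {
        // Assumption: the HTTPS transport asks for an X.509 token with TransportScheme "https"
        // and no SecurityBindingElement, whereas the message-level signature requirement
        // carries the SecurityBindingElement. Anything else uses the default provider.
        string scheme;
        bool isTransportRequest =
            requirement.TokenType == SecurityTokenTypes.X509Certificate
            && requirement.TryGetProperty(ServiceModelSecurityTokenRequirement.TransportSchemeProperty, out scheme)
            && string.Equals(scheme, "https", StringComparison.OrdinalIgnoreCase)
            && !requirement.Properties.ContainsKey(ServiceModelSecurityTokenRequirement.SecurityBindingElementProperty);

        if (isTransportRequest && credentials.TransportCertificate != null)
            return new X509SecurityTokenProvider(credentials.TransportCertificate);

        return base.CreateSecurityTokenProvider(requirement);
    }
}

public static class TestServiceClientFactory
{
    public static ChannelFactory<ITestService> Create(X509Certificate2 tlsClientCertificate)
    {
        // Same element order as the posted customBinding: security, encoder, transport.
        var binding = new CustomBinding(
            SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10),
            new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11WSAddressingAugust2004 },
            new HttpsTransportBindingElement { RequireClientCertificate = true });

        // Logical address plus the DNS identity from the post; the router is the physical "via".
        var address = new EndpointAddress(new Uri("urn:testservice:v1"),
            EndpointIdentity.CreateDnsIdentity("FabrikamEnterprises"));
        var factory = new ChannelFactory<ITestService>(binding, address);
        factory.Endpoint.Behaviors.Add(new ClientViaBehavior(new Uri("http://dmzserver/servicegateway/router.svc")));

        // Replace the default ClientCredentials behavior with the split variant.
        factory.Endpoint.Behaviors.Remove<ClientCredentials>();
        var creds = new SplitCertificateCredentials { TransportCertificate = tlsClientCertificate };
        creds.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, "CN=TestClientCertificate");
        creds.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, "CN=FabrikamEnterprises");
        creds.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
        // Carried over from the posted config; revocation checking is disabled here.
        creds.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
        factory.Endpoint.Behaviors.Add(creds);
        return factory;
    }
}
```

Calling `TestServiceClientFactory.Create(tlsCert).CreateChannel()` gives a proxy whose TLS handshake presents `tlsCert` and whose SOAP body is signed with CN=TestClientCertificate. The split is done in the token manager rather than in the binding because the binding elements never see certificates; they only raise token requirements that the credentials' token manager resolves, so that is the one place where the two uses of a client certificate can be told apart.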