WCF 相互证书的消息安全
下面是MSDN提供的方案。演示使用消息安全模式保护的 Windows Communication Foundation (WCF) 服务和客户端。 使用证书对客户端和服务进行身份验证。
实例代码下载
创建服务及客户端证书
相互证书的信息安全需要服务端和客户端进行相互验证,因此我们需要2个证书:服务端证书和客户端证书。接下来我们通过.NET自带的makecert.exe 先创建两个X.509证书:WCF.SecuritySampleCA(服务端)和WCF.SecuritySampleClientCA(客户端)。
Note:以下生成证书过程均在服务端完成。makecert.exe生成的证书只能作为开发测试使用,在正式部署时请不要使用。
创建服务端证书
makecert.exe
-
sr LocalMachine
-
ss MY
-
a sha1
-
n CN
=
WCF.SecuritySampleCA
-
sky exchange
-
pe
LocalMachine:证书存储在本机。
WCF.SecuritySampleCA:证书的Subject名称。
授予对证书私钥的权限
创建Setup.bat 文件,内容如下。目的是使存储在 LocalMachine 存储中的服务器证书可以供 ASP.NET 工作进程帐户访问。
echoecho
************
echo setting privileges on server certificatesecho
************
for
/
F
"
delims=
"
%%
i
in
(
'
"FindPrivateKey.exe" My LocalMachine -n CN^=WCF.SecuritySampleCA -a
'
)
do
set
PRIVATE_KEY_FILE
=%%
i
set
WP_ACCOUNT
=
NT AUTHORITY\NETWORK SERVICE(ver
|
findstr
/
C:
"
5.1
"
)
&&
set
WP_ACCOUNT
=%
COMPUTERNAME
%
\ASPNETecho Y
|
cacls.exe
"
%PRIVATE_KEY_FILE%
"
/
E
/
G
"
%WP_ACCOUNT%
"
:Rpause
注意:
如果您使用的是非美国 英文版本的 Microsoft Windows,则必须编辑 Setup.bat 文件,并用与您所在的区域对应的帐户名称替换“NT AUTHORITY\NETWORK SERVICE”帐户名称。
FindPrivateKey.exe可以在实例代码包中找到。
makecert.exe
-
sr LocalMachine
-
ss TrustedPeople
-
a sha1
-
n CN
=
WCF.SecuritySampleClientCA
-
sky exchange
-
pe
导出服务端证书
服务端证书需要在客户端安装,因此需要导出后一起发布到客户端。
1.在运行窗口键入mmc打开证书管理器
2.选择File中的Add/Remove Snap-in
3.弹出窗口中选择Add...
4.选择Certificates -> Add
5.选择Computer account -> Next
6.选择LocalComputer -> Finish
7.Ok后即可进入管理页面
8.右键点击Personal下的Certificates中WCF.SecuritySampleCA
9.All tasks -> Export...
10.按照提示导出服务端证书WCF.SecuritySampleCA.cer,注意不要导出私钥(No,don't export private key)
导出客户端证书
导出后需要在客户端进行安装。
按照上面同样的方法导出客户端证书WCF.SecuritySampleClientCA.cer
创建WCF Service
在解决方案中创建一个WCF Service项目Service.Message.MutualCertificate,引用WcfSecuritySampleLibrary项目。 点击此处查看WcfSecuritySampleLibrary相关内容。
配置文件如下:
<
system.serviceModel
>
<
services
>
<
service
name
="WcfSecuritySampleLibrary.Service"
behaviorConfiguration
="ServiceBehavior"
>
<!--
Service Endpoints
-->
<
endpoint
address
=""
binding
="wsHttpBinding"
contract
="WcfSecuritySampleLibrary.IService"
bindingConfiguration
="WcfSecuritySampleBinding"
>
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the identity under which the deployed service runs. If removed, WCF will infer an appropriate identity automatically.
-->
</
endpoint
>
<
endpoint
address
="mex"
binding
="mexHttpBinding"
contract
="IMetadataExchange"
/>
</
service
>
</
services
>
<
bindings
>
<
wsHttpBinding
>
<
binding
name
="WcfSecuritySampleBinding"
>
<
security
mode
="Message"
>
<
message
clientCredentialType
="Certificate"
establishSecurityContext
="false"
negotiateServiceCredential
="false"
/>
</
security
>
</
binding
>
</
wsHttpBinding
>
</
bindings
>
<
behaviors
>
<
serviceBehaviors
>
<
behavior
name
="ServiceBehavior"
>
<!--
To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment
-->
<
serviceMetadata
httpGetEnabled
="true"
/>
<!--
To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information
-->
<
serviceDebug
includeExceptionDetailInFaults
="false"
/>
<
serviceCredentials
>
<
serviceCertificate
storeLocation
="LocalMachine"
findValue
="WCF.SecuritySampleCA"
storeName
="My"
x509FindType
="FindBySubjectName"
/>
<
clientCertificate
>
<!--
Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate is in the user's Trusted People store, then it is trusted without performing a validation of the certificate's issuer chain. This setting is used here for convenience so that the sample can be run without having certificates issued by a certificate authority (CA). This setting is less secure than the default, ChainTrust. The security implications of this setting should be carefully considered before using PeerOrChainTrust in production code.
-->
<
authentication
certificateValidationMode
="PeerOrChainTrust"
/>
</
clientCertificate
>
</
serviceCredentials
>
</
behavior
>
</
serviceBehaviors
>
</
behaviors
>
</
system.serviceModel
>
在IIS上部署WCF Service
编译通过后,将WCF Service部署到IIS上。
创建站点 WCF.SecuritySampleService,然后为该站点绑定服务证书:
1.右键Properties -> Dictionary Security -> Server Cetificate
2.根据提示选择Assign an existing certificate, 然后选择证书WCF.SecuritySampleCA
3.设置端口
证书绑定后,即可添加一个虚拟目录创建WCF Service。
使用浏览器浏览该Service中的 Service.svc,配置成功的话,即可打开如下页面:
在Visual Studio 命令提示窗口键入如下命令,生成代理类Service.cs及客户端配置文件output.config。
svcutil.exe http://leo.isoftstone.com:6515/Service.Message.MutualCertificate/Service.svc?wsdl
创建客户端
解决方案中创建客户端项目Client.Message.MutualCertificate。具体实现参见实例中的2个项目Client.Message.MutualCertificate和BusinessLibrary。
安装证书
消息安全的互相验证需要在客户端安装服务端和客户端2个证书。安装方法很简单,只要双击在服务端导出的2个证书WCF.SecuritySampleCA.cer和WCF.SecuritySampleClientCA.cer,根据提示安装即可。
例如安装服务端证书:(服务端证书需要安装在客户端CurrentUser的Trusted People中)
1.双击证书
2.点击Install Certificate...
3.下一步后选择Place all certificates in the following store,然后点击Browse...
4.弹出窗口中选择Trusted People
5.OK.
客户端证书的安装步骤如上,唯一的区别是最后选择证书存储的路径不是Trusted People而是Personal。
客户端配置
<
system.serviceModel
>
<
bindings
>
<
wsHttpBinding
>
<
binding
name
="WSHttpBinding_IService"
>
<
security
mode
="Message"
>
<
message
clientCredentialType
="Certificate"
establishSecurityContext
="false"
negotiateServiceCredential
="false"
/>
</
security
>
</
binding
>
</
wsHttpBinding
>
</
bindings
>
<
client
>
<
endpoint
address
="http://leo.isoftstone.com:6515/Service.Message.MutualCertificate/Service.svc"
binding
="wsHttpBinding"
bindingConfiguration
="WSHttpBinding_IService"
contract
="IService"
name
="WSHttpBinding_IService"
behaviorConfiguration
="ClientCredentialsBehavior"
>
<
identity
>
<
certificate
encodedValue
="AwAAAAEAAAAUAAAAv1KUaGzvpF2I/2nb55A3qyb4+QUgAAAAAQAAAMABAAAwggG8MIIBaqADAgECAhBL/0cYj41XmU7yomd4SulEMAkGBSsOAwIdBQAwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3kwHhcNMDgwNjA2MDc0MjAxWhcNMzkxMjMxMjM1OTU5WjAfMR0wGwYDVQQDExRXQ0YuU2VjdXJpdHlTYW1wbGVDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzbZ8uOt+yvfZHqp0pqmEYiv+S/2t4msC1mP4hkWK8nHT38vhOaHk3QYuaLDaBo1+cPPlhi2wsE+3aQteScsQTYbAiFkHVGhcSsxVCfnT6YdOA39Rpmc66EnZmiM8t1FAKGfD5jAe17lQN63hKk4jM3HbV/QTw3+IvxgkP7eKTSECAwEAAaNLMEkwRwYDVR0BBEAwPoAQEuQJLQYdHU8AjWEh3BZkY6EYMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5ghAGN2wAqgBkihHPuNSqXDX0MAkGBSsOAwIdBQADQQBbx4i4WMz7tb7CjFQogCjoR1Z4gdMUY1Nb/4T/RP90aINADATRHYShYDduq8kU89e5BcwhvUBoacclkBUFGCof"
/>
</
identity
>
</
endpoint
>
</
client
>
<
behaviors
>
<
endpointBehaviors
>
<
behavior
name
="ClientCredentialsBehavior"
>
<
clientCredentials
>
<
clientCertificate
findValue
="WCF.SecuritySampleClientCA"
storeLocation
="CurrentUser"
storeName
="My"
x509FindType
="FindBySubjectName"
/>
<
serviceCertificate
>
<
defaultCertificate
findValue
="WCF.SecuritySampleCA"
storeLocation
="CurrentUser"
storeName
="TrustedPeople"
x509FindType
="FindBySubjectName"
/>
</
serviceCertificate
>
</
clientCredentials
>
</
behavior
>
</
endpointBehaviors
>
</
behaviors
>
</
system.serviceModel
>
138
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
