使用来自另一个Web API的客户端证书调用Web API
[英]Calling web api with client certificate from another web api
问题描述
Scenario: User talks with WebApi called 'Gateway' by angularjs client. 
场景:angularjs客户端与WebApi交谈,称为“网关”。 'Gateway' is like a facade or a proxy, so all requests from User to 'Gateway' will be forwarded to another WebApis. “网关”就像一个外观或代理,因此所有来自用户对“网关”的请求都将转发到另一个WebApis。
Security details: 'Gateway' WebApi and all others WebApis are placed in IIS with HTTPS binding and SSL client certificate option is 'Accept'. 安全性详细信息:“网关” WebApi和所有其他WebApis通过HTTPS绑定放置在IIS中,并且SSL客户端证书选项为“接受”。 So, user will provide valid client certificate to IIS and after verification, request will be handled by WebApi. 因此,用户将向IIS提供有效的客户端证书,并且在验证之后,请求将由WebApi处理。
The problem: when 'Gateway' WebApi receives a request, client certificate is presented in Request object. 问题:当“网关” WebApi收到请求时,客户端证书会显示在“请求”对象中。 Then I just forward this request using HttpClient to another WebApi. 然后,我只是使用HttpClient将此请求转发到另一个WebApi。 But when another WebApi endpoint receives a request, there is not client certificate attached any more. 但是,当另一个WebApi终结点接收到请求时,便不再附加客户端证书。
Below is a code snipped of request forwarding: 下面是请求转发的代码片段:
var request = Request; // income request from angularjs
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(request.GetClientCertificate()); // setting up client certificate from user's request
using (var httpClient = new HttpClient(handler))
{
request.RequestUri = *chaning request address here*;
var response = await httpClient.SendAsync(request);
return ResponseMessage(response);
}
Note: If I try to go directly to the another WebApi, client certificate is presented as expected. 注意:如果我尝试直接转到另一个WebApi,则会按预期显示客户端证书。 If I try to go via 'Gateway', client certificate is presented as well in 'Gateway' request, but after it's successfully attached and request is sent, another WebApi does not receive any certificate attached. 如果我尝试通过“网关”访问,则在“网关”请求中也会显示客户端证书,但是在成功附加并发送请求之后,另一个WebApi不会收到任何附加证书。
Any ideas? 有任何想法吗? Thank you. 谢谢。
1 个解决方案
解决方案1
0 2017-01-06 17:43:22
On your gateway server, you need to import an authentication key onto the "machine" certificate store (MMC.exe, add snap-in "Certificates", Computer account", Certficates-Personal-Certificates, import). 在网关服务器上,您需要将身份验证密钥导入“计算机”证书存储中(MMC.exe,添加管理单元“证书”,“计算机帐户”,Certficates-个人证书,导入)。
Grant permissions (for the auth cert) to the account which your IIS pool is using. 将权限(用于身份验证证书)授予您的IIS池所使用的帐户。 (right-click the cert, All-Tasks, Manage private keys. Add, Advanced, Locations=[machine-name], find now, (probably) Network Service, Read). (右键单击证书,所有任务,管理私钥。添加,高级,位置= [计算机名称],立即查找,(可能)网络服务,已读)。
In your web.config (on your gateway server), check your system.serviceModel / behaviors / endpointBehaviors / behavior / clientCredentials / clientCertificate . 在您的web.config(在网关服务器上)中,检查system.serviceModel / behaviors / endpointBehaviors / behavior / clientCredentials / clientCertificate 。 Make sure the attribute: storeLoction ="LocalMachine", to use the cert from the machine key store. 确保属性: storeLoction =“ LocalMachine”,以使用计算机密钥库中的证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.