
WCF Service - certificates and message security with UserName authentication

I'm preparing to create a WCF Service which our customers can use to update data in our system. So it has to be available over the Internet. I have a book about WCF from which I know that Message Security is the way to go when making a WCF Service available over the Internet. That is because you shouldn't use transport security, because it should only be used in environments where you can guarantee that there is a point-to-point connection between service and client. Did I get that right? So I want to use Message Security in combination with a custom UserName authentication. I understand that I have to get a certificate to accomplish that. Our company already owns an SSL certificate that is used for our websites.

  • Can I use the same certificate for the message security of the WCF Service?

And

  • Is the Message Security way interoperable with clients that expect an ASMX Webservice?

For testing purposes I created my own certificate with Makecert. It worked fine, but I always had to add the certificate to the Trusted Persons on the client machine.

  • Is it possible to enable Message Security with the above mentioned certificate without forcing the client to add the certificate to the Trusted Persons manually?

Now, let's assume the following scenario:

Company infrastructure

There are two webservers behind an ISA-Server/Firewall. This ISA-Server holds the certificate for the www.company.com address. So all the SSL stuff is handled by it. It also forwards the incoming requests to the webservers accordingly. The newly created WCF Service should run on the 2nd webserver.

  • Do I have to copy the certificate to the webserver to be able to use Message Security?

If yes, I heard copying certificates is not good practice because it reduces the level of security. Moving the certificate to the webserver is not an option, because it's needed for the websites on Web-Server1, too.

  • What are my options in this case?

And:

  • What would be the best practice for this scenario, regardless of the given requirements?

Thank you...

Nicely prepared question. First of all, I probably read the same book and I would like to clarify this statement:

That is because you shouldn't use transport security, because it should only be used in environments where you can guarantee that there is a point-to-point connection between service and client.

Yes. HTTPS (transport security) offers only point-to-point security, but IMO people don't understand this scenario correctly. Do you think that if you connect to your Internet banking over HTTPS it will randomly, somewhere in the middle of the Internet, swap communication from HTTPS to HTTP? NO! Point-to-point connection means a secured transport channel between the client and the accessed gateway providing the requested URL. In your scenario it means a secured transport channel between the Client and your ISA Server. Communication will not be secured between your ISA and Web Server 2. If you want end-to-end security, which will provide a secure channel between the client and Web Server 2 (ISA will not be able to intercept messages), you need message security.

Now to your other questions:

Can I use the same certificate for the message security of the WCF Service?

Yes you can, but you have to copy the private key to your Web Server 2.

Is the Message Security way interoperable with clients that expect an ASMX Webservice?

No. A pure ASMX client can't use message security unless you code a lot of custom SOAP headers and extensions or install WSE 3.0.

Is it possible to enable Message Security with the above mentioned certificate without forcing the client to add the certificate to the Trusted Persons manually?

Yes, but the certification authority which issued the certificate must be trusted on the client machine. It is the same with HTTPS. Services secured with message security can also expose the certificate's thumbprint inside the WSDL. Clients can validate the service identity with this thumbprint. I think that in such a case you also don't need to install the certificate on the client, but when the certificate expires all clients will have to be updated.

Do I have to copy the certificate to the webserver to be able to use Message Security?

Yes you must. But this can be a problem because for security reasons the certificate can be marked as not exportable. The best solution is to request a new certificate just for this purpose.
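The setup the answer describes, written out as an added example (this is not code from the question, the answer, or any product): a WSHttpBinding with message security and UserName client credentials, the service certificate loaded from Web Server 2's LocalMachine\My store by thumbprint, a custom UserNamePasswordValidator, and a client that accepts the service certificate through its CA chain (ChainTrust) so nothing has to be placed in the Trusted People store. The addresses, the thumbprint, the DNS identity, the user name and the in-memory credential store are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Text;

[ServiceContract]
public interface IUpdateService
{
    [OperationContract]
    string Update(string payload);
}

// AddressFilterMode.Any: the client addresses www.company.com but the service listens on
// webserver2 behind ISA; without this WCF rejects the message for a mismatched To header.
[ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)]
public class UpdateService : IUpdateService
{
    public string Update(string payload)
    {
        // The UserName token has already been validated; the caller's name is available here.
        return "updated by " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

// Constructed credential store for the example. A real service looks up hashed credentials
// in the customer database; the single shared salt is a simplification for the demo.
static class CustomerStore
{
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("example-salt-16b");
    static readonly Dictionary<string, byte[]> Hashes = new Dictionary<string, byte[]>
    {
        { "customer1", Derive("correct horse battery staple") }   // assumed sample user
    };

    static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
            return kdf.GetBytes(32);
    }

    public static bool Check(string user, string password)
    {
        byte[] expected;
        if (!Hashes.TryGetValue(user, out expected)) return false;
        byte[] actual = Derive(password);
        int diff = 0; // constant-time compare so a wrong password cannot be distinguished by timing
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

// WCF calls Validate for the UserName token of every incoming message.
public class CustomerValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (!CustomerStore.Check(userName, password))
            throw new SecurityTokenException("Unknown user name or password.");
    }
}

static class Hosting
{
    // Assumed values: replace with Web Server 2's real listen address and certificate thumbprint.
    const string ListenUri = "http://webserver2.internal:8080/UpdateService";
    const string ServiceCertThumbprint = "0000000000000000000000000000000000000000";

    public static ServiceHost CreateHost()
    {
        // SecurityMode.Message: the SOAP body is signed and encrypted with the service
        // certificate, so ISA terminating HTTPS in front cannot read or alter the payload.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(UpdateService), new Uri(ListenUri));
        host.AddServiceEndpoint(typeof(IUpdateService), binding, "");

        // The certificate with its private key must be in LocalMachine\My on Web Server 2,
        // and the worker-process account needs read access to that private key.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, ServiceCertThumbprint);
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new CustomerValidator();
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });
        return host;
    }

    public static IUpdateService CreateClient(string user, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Plain http scheme: with SecurityMode.Message the transport is HTTP and the message
        // protects itself. The DNS identity must match the subject CN of the service certificate.
        var address = new EndpointAddress(new Uri("http://www.company.com/UpdateService"),
            EndpointIdentity.CreateDnsIdentity("www.company.com"));
        var factory = new ChannelFactory<IUpdateService>(binding, address);
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        // ChainTrust: accept the service certificate only if it chains to a CA in the client's
        // Trusted Root store. This is what removes the Trusted People step; a self-signed
        // Makecert certificate would instead need PeerTrust plus that manual import.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return factory.CreateChannel();
    }
}
```

Open the host on Web Server 2 with `Hosting.CreateHost().Open()` and call `Hosting.CreateClient("customer1", "...").Update("...")` from a customer machine. A certificate that does not chain to a trusted CA, or whose subject does not match the DNS identity, is rejected on the client before any credential is sent; a failed `Validate` returns a fault to the caller. Because the client validates the chain at runtime rather than pinning the certificate from the WSDL, the answer's caveat about updating every client when the certificate expires does not apply to this configuration.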
