Securing message with HTTPS in WCF
Securing message with HTTPS in WCF
By : Kasim Wirama, MCDBA, MVP SQL Server
Message encryption could be achieved with message level or transport level security. For message level security, you can see my article titled : Encrypt Message with TCP-based in WCF, this article will discuss about implementation of transport level security with HTTP.
By default HTTP basic binding (basicHttpBinding) doesn’t support message level security because HTTP implements WS-BasicProfile 1.1. If WCF uses WS-BasicProfile 1.1 standard, it must be interoperable with other Web services and clients that use same standard, so to secure the message, WCF service implements transport level security with HTTPS (SSL over HTTP). Microsoft creates WSE (web service enhancement) that make message level security possible to be implemented. But WCF service with WSE can only interoperable to other web services or clients that use WSE as well.
I explore how to implement transport level security with https. Here what I do.
WCF service
Edit application configuration file with Service Configuration Editor program, create basicHttpBinding at Bindings folder, open Security tab, and set Mode to Transport level security. Then create new endpoint with basicHttp with specified binding configuration. Give https address on Address property (for example : https://localhost/WCFService/Service.svc) and specify contract on the endpoint. Save changes and close Service Configuration Editor program.
WCF client
Configuration at WCF client is similar to what you have done in WCF service, except you create endpoint under Client/Endpoints folder path.
Run WCF client program, it display error : “An error occurred while making the HTTP request to https://localhost/WCFService/Service.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.sys in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server”
I just check the security binding, both of them apply Transport mode. It looks likely certificate not get installed. So below is section how to create certificate, install certificate through httpcfg to IIS command line utility and configure certificate checking pass at WCF client.
Create certificate
Run this in window command line
Makecert –sr LocalMachine –ss My –n=My-Certificate –sky exchange –sk HTTPS-Key
You can check the certificate named My-Certificate in Certificate of MMC window, choose LocalMachine, and connect to local machine, in Personal/Certificates folder, you will get My-Certificate certificate get installed.
Double click the certificate, on detail tab, find out thumbnail print, note the thumbnail print value, for example my thumbnail print value is 4a 98 26 42……. This value will be used for installing certificate into IIS
Install certificate
Run this in window command line, with thumbnail print value without spaces
Httpcfg set ssl –i 0.0.0.0 –h 4a982642….
Configure certificate checking pass at WCF client.
The certificate you installed at previous steps is temporary certificate, and you should need real certificate. By default WCF client will verify whether the certificate is valid and issuer is trusted. Because I use test certificate generated through makecert, I would WCF client detect this as real certificate. Do this only in development environment only. For production environment, you need real certificate. Add this code in Main method of WCF client :
Add constant in the class where Main method resides :
Private static string CERTIFICATENAME = “CN=My-Certificate”;
In Main method add this code before proxy instantiation :
System.Net.ServicePointManager.ServerCertificateValidationCallback += new System.Net.Security.RemoteCertificateValidationCallBack(Program.validateCertificate);
Create another static method as callback method :
static bool validateCertificate (object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors error){ if (cert.Subject == CERTIFICATENAME) { return true; } return false;}
Last step you need to adjust is to set input parameter value of proxy instantiation to basicHttp endpoint name.
Run your WCF client, this time your WCF client communicates with WCF service through HTTPS service. Installing certificate into IIS involves administration tasks on operating system, so in this case application team and infrastructure team should coordinate to configure certificate at operating system and WCF application level.