Hi,

I've recently developed a WCF Facade service. I'm new to WCF and having trouble understanding the security implementation pieces.

The service is as follows:

  • An asp.net public website has a WCF client, which accesses:
  • A WCF Facade service within a DMZ, which in turn acts as a client to access:
  • An internal network WCF service

All services currently are using WSHttpBinding.

I would like to use X.509 certificates for client/server authentication between all 3 servers (i.e. the public client app and facade service authenticate each other using certs, the facade client and internal service authenticate each other using certs).

Can someone explain step by step what needs to be done to secure this in a production environment? Every article and book I've referenced explains use of makecert.exe but does not explain using production certificate(s) from a real CA. I know it's probably easy but I can't seem to wrap my head around the concepts required.

From a trusted CA, I have an SSL cert for user access to the public website and a SAN SSL cert which can be applied to up to 4 domain names via subject alternative names. I'm still confused in terms of authentication whether I need to use makecert.exe etc. to create client certs, etc.

Ideally all service/client config would be within app/web.config (no code). I have full administrative access to all three servers (public web server, facade/dmz server, internal web server).

Any insight or guidance would be really appreciated!

Edits to provide more detail based on comments:

  • IIS 6 for all servers
  • user authentication is not required on the public-facing site. Essentially the public visitors are entering information in forms, which are processed and handled by the services. No authentication is needed.
  • A paid EV SSL cert is going to be used to secure the interaction between public visitor and website.

What I'm interested in is how to implement mutual cert authentication/identification between the different WCF clients/services. So:

  • WCF client on public server and WCF service on Facade/DMZ server mutually identify and authenticate against each other using certs
  • WCF client on Facade/DMZ server and WCF service on internal server then also mutually identify and authenticate against each other using certs.

I have a flexible SAN certificate from a trusted CA (DigiCert), which I would like to use if possible for the authentication. It can support up to 4 DNS entries via the subject alternative names.

Thanks for any help that can be provided!

A: 

Well after much investigation and trial and error, I think I've wrapped my head around this issue and found a solution.

Because I am using a simplified SSL solution (SAN certificate with multiple names to secure both the internal web server and DMZ server), I'm able to import the same certificate into the Local Machine\Personal and Local Machine\Trusted People stores on these servers, and into the Trusted People store of the public server.

From there, in configuration I've chosen to use a mix of Transport and Message security (TransportWithMessageCredential) to enforce HTTPS and message level encryption via certificates.

Resulting service behavior config:

<serviceBehaviors>
  <behavior name="MyCustomBehavior">
    ...
    <serviceCredentials>
      <serviceCertificate findValue="MySANCertName"
                          x509FindType="FindBySubjectName"
                          storeLocation="LocalMachine"
                          storeName="My" />
    </serviceCredentials>
    ...
  </behavior>
</serviceBehaviors>

and binding:

<wsHttpBinding>
  <binding name="MyWsBinding">
    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="Certificate"/>
    </security>
  </binding>
</wsHttpBinding>

One other thing I've used that may be useful to those who are having trouble with certificate authentication is to turn on auditing:

<serviceBehaviors>
  <behavior name="MyCustomBehavior">
    <!-- Writes message-authentication and authorization outcomes to the Application event log -->
    <serviceSecurityAudit
      auditLogLocation="Application"
      messageAuthenticationAuditLevel="SuccessOrFailure"
      serviceAuthorizationAuditLevel="SuccessOrFailure"
      suppressAuditFailure="false" />
  </behavior>
</serviceBehaviors>

The following references were most helpful in implementing my solution:

  • http://notgartner.wordpress.com/2007/09/06/using-certificate-based-authentication-and-protection-with-windows-communication-foundation-wcf/
  • http://www.codeproject.com/KB/WCF/wcf_certificates.aspx?display=Print
  • Essential Windows Communication Foundation For .NET Framework 3.5

KP
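The answer above shows only the service side of the TransportWithMessageCredential setup. Below is the matching client-side configuration, plus the one service-side element that controls how the presented client certificate is validated. This is an added example, not code from the original post or from the WCF documentation; the host name facade.example.com, the contract name IFacadeService, the behavior names and the thumbprint value are placeholders, and the validation modes are assumptions that must match wherever the certificates were actually imported.

```xml
<!-- Client web.config (e.g. the public web site calling the facade in the DMZ).
     Everything named here (host, contract, behavior names, thumbprint) is a placeholder. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MyWsBinding">
        <security mode="TransportWithMessageCredential">
          <!-- HTTPS authenticates the server and encrypts the channel; the client proves
               its identity by signing at the message layer with its X.509 certificate. -->
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <client>
    <!-- The host name must be one of the SAN entries on the service's certificate,
         otherwise the HTTPS handshake fails before any message security is applied. -->
    <endpoint name="FacadeEndpoint"
              address="https://facade.example.com/Facade.svc"
              binding="wsHttpBinding"
              bindingConfiguration="MyWsBinding"
              behaviorConfiguration="CertClientBehavior"
              contract="IFacadeService">
      <!-- Identity the client expects the service certificate to carry. -->
      <identity>
        <dns value="facade.example.com" />
      </identity>
    </endpoint>
  </client>

  <behaviors>
    <endpointBehaviors>
      <behavior name="CertClientBehavior">
        <clientCredentials>
          <!-- The client certificate, WITH its private key, must be in LocalMachine\My on
               the client machine and readable by the IIS worker-process account.
               Thumbprint below is a placeholder; it selects exactly one certificate,
               unlike FindBySubjectName, which does a substring match and can pick the
               wrong one when several certificates share part of a name. -->
          <clientCertificate findValue="0123456789ABCDEF0123456789ABCDEF01234567"
                             x509FindType="FindByThumbprint"
                             storeLocation="LocalMachine"
                             storeName="My" />
          <serviceCertificate>
            <!-- ChainTrust: validate the service certificate up to a trusted CA (the
                 DigiCert-issued SAN cert chains without any TrustedPeople import).
                 Online revocation needs outbound CRL/OCSP access from this box. -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

<!-- Service web.config: add this inside the answer's <serviceCredentials> element so the
     service states how it validates the certificate the client signs with.
     PeerOrChainTrust accepts a cert that is either in LocalMachine\TrustedPeople or
     chains to a trusted CA; use PeerTrust to require the explicit TrustedPeople import. -->
<clientCertificate>
  <authentication certificateValidationMode="PeerOrChainTrust"
                  revocationMode="Online" />
</clientCertificate>
```

Two things worth checking when this is rolled out. First, WCF's default certificateValidationMode is ChainTrust, which ignores the TrustedPeople store; the TrustedPeople import described in the answer only takes effect with PeerTrust or PeerOrChainTrust. Second, a DMZ or internal server without outbound access to the CA's CRL/OCSP endpoints will fail validation with revocationMode="Online"; either allow that traffic or consciously relax the revocation mode, and let the serviceSecurityAudit entries in the Application log tell you which side rejected the certificate.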