Hi,
I am busy designing a WCF app. The app's purpose will be to give insurance members access to their insurance information via the web.
The problem lies with our network architecture and I am not exactly sure what type or combination of security I must use.
In our internal network we have a UNIX environment which I access using the EntireX .NET wrapper, and we have an Oracle 10g data store which I access via Enterprise Library.
I created a BLL containing the business objects and a DAL that populate these objects via Enterprise Library/EntireX.
I created a WCF services layer with 2 WCF services, one to access the Oracle store and one to access UNIX, and they reference the BLL.
I am going to host this service in IIS on a production server with SQL 2005 inside the firewall. We purchased a web server for which we are creating DMZ and this web server will communicate with the production server only via port 443 and/or port 80. Our company internet will have access to the web server in the DMZ.
The presentation layer will be an ASP.NET front end that calls the service in code using a ChannelFactory. I use X509 client certificates that the client must present to the service. The service is secured by SSL. The front end will be on the web server in the DMZ.
I am using wsHttpBinding with Transport security and clientCredentialType="Certificate", which works fine but I want to pass login information to the service. I thought of adding it to the message header.
Now, I am at a stage where I am doubting the viability of my design. Can someone give me some tips on what binding and security I must use in this scenario, how to pass login info and what I must have in my presentation layer to be the most secure? We have control over what ports will be opened through the firewall to the internal production server. We will only have 1 ASP.NET client hosted on the web server in the DMZ but will only have HTTPS or HTTP access to the production server.
Thanks a lot Ryan
Thanks
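
The setup described in the post (wsHttpBinding with Transport security, an X509 client certificate, and login information carried in a message header), shown as an added example that is not the poster's code. The contract `IMemberService`, the header name and namespace, the class names and the method parameters are all hypothetical.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract(Namespace = "urn:example:members")]   // hypothetical contract
public interface IMemberService
{
    [OperationContract] string GetPolicySummary(string memberNumber);
}
public static class LoginHeader                         // hypothetical header name/namespace
{
    public const string Name = "MemberLogin";
    public const string Ns = "urn:example:members:headers";
}
public static class FrontEndClient                      // runs on the web server in the DMZ
{
    public static string GetSummary(string url, string certSubject, string login, string member)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);   // HTTPS endpoint required
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var factory = new ChannelFactory<IMemberService>(binding, new EndpointAddress(url));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, certSubject);
        IMemberService channel = factory.CreateChannel();
        try
        {
            using (new OperationContextScope((IContextChannel)channel))
            {
                // The SOAP header travels inside the TLS session with the request body.
                OperationContext.Current.OutgoingMessageHeaders.Add(
                    MessageHeader.CreateHeader(LoginHeader.Name, LoginHeader.Ns, login));
                return channel.GetPolicySummary(member);
            }
        }
        finally { factory.Abort(); }                    // one-shot call: release channel and factory
    }
}
public class MemberService : IMemberService             // hosted in IIS inside the firewall
{
    public string GetPolicySummary(string memberNumber)
    {
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        int i = headers.FindHeader(LoginHeader.Name, LoginHeader.Ns);
        string login = i < 0 ? null : headers.GetHeader<string>(i);
        if (string.IsNullOrEmpty(login)) throw new FaultException("Login header missing");
        // The header is a claim made by the front end, not a proven identity: it is only
        // as trustworthy as the caller authenticated by the client certificate.
        // Authorize 'login' for 'memberNumber' here before touching the data layer.
        return "Summary for " + memberNumber + " (requested by " + login + ")";
    }
}
```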