How to configure a WCF service to accept only a single client identified by an x509 certificate

Posted 2024-08-21 09:08:53 · 2120 characters · 14 views · 0 comments


I have a WCF client/service app that relies on secure communication between two machines and I want to use x509 certificates installed in the certificate store to identify the server and client to each other. I do this by configuring the binding as <security authenticationMode="MutualCertificate"/>. There is only one client machine.

The server has a certificate issued to server.mydomain.com installed in the Local Computer/Personal store and the client has a certificate issued to client.mydomain.com installed in the same place. In addition to this the server has the client's public certificate in Local Computer/Trusted People and the client has the server's public certificate in Local Computer/Trusted People.

Finally the client has been configured to check the server's certificate. I did this using the system.servicemodel/behaviors/endpointBehaviors/clientCredentials/serviceCertificate/defaultCertificate element in the config file.

So far so good, this all works. My problem is that I want to specify in the server's config file that only clients that identify themselves with the client.mydomain.com certificate from the Trusted People certificate store are allowed to connect.

The correct information is available on the server using the ServiceSecurityContext, but I am looking for a way to specify in app.config that WCF should do this check instead of my having to check the security context from code.

Is that possible? Any hints would be appreciated.

By the way, my server's config file looks like this so far:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <services>
      <service name="MyServer.Server" behaviorConfiguration="CertificateBehavior">
        <endpoint contract="Contracts.IMyService" binding="customBinding" bindingConfiguration="SecureConfig">
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost/SecureWcf"/>
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CertificateBehavior">
          <serviceCredentials>
            <serviceCertificate storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="server.mydomain.com"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <binding name="SecureConfig">
          <security authenticationMode="MutualCertificate"/>
          <httpTransport/>
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>


Comments (2)

作死小能手 2024-08-28 09:08:53


There doesn't appear to be a way to do what I want using web.config.

I ended up adding a behavior with this tag:

<clientCertificate>
  <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" revocationMode="NoCheck"/>
</clientCertificate>

And then added the client's certificate to the "trusted people" certificate store of the user that the server runs as.
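As an added example (not code from either poster), here is the code-based alternative the question mentions, covering the case PeerTrust alone does not: PeerTrust admits every certificate in the Trusted People store, whereas a custom X509CertificateValidator pins exactly one client certificate by thumbprint and is wired in through certificateValidationMode="Custom". The class name, the placeholder thumbprint and the assembly name MyServer are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MyServer
{
    // Accepts exactly one client certificate, identified by its thumbprint (the hash of the
    // whole certificate), so a different certificate with the same subject name is rejected.
    public sealed class SingleClientCertificateValidator : X509CertificateValidator
    {
        // Placeholder (assumption): replace with the thumbprint of client.mydomain.com
        // as shown in the certificate store's details tab.
        private const string AllowedThumbprint = "0000000000000000000000000000000000000000";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // WCF's own validation is skipped in Custom mode, so this method is the whole check.
            if (!string.Equals(certificate.Thumbprint, AllowedThumbprint,
                               StringComparison.OrdinalIgnoreCase))
            {
                throw new SecurityTokenValidationException(
                    "Client certificate is not the single permitted client certificate.");
            }

            // Pinning by thumbprint says nothing about the validity period; check it explicitly.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
            {
                throw new SecurityTokenValidationException(
                    "Client certificate is outside its validity period.");
            }
        }
    }
}

// Wiring in the server's serviceCredentials (config, shown here as a comment; the assembly
// name "MyServer" in the type reference is an assumption):
//   <serviceCredentials>
//     <serviceCertificate storeLocation="LocalMachine" x509FindType="FindBySubjectName"
//                         findValue="server.mydomain.com"/>
//     <clientCertificate>
//       <authentication certificateValidationMode="Custom"
//           customCertificateValidatorType="MyServer.SingleClientCertificateValidator, MyServer"/>
//     </clientCertificate>
//   </serviceCredentials>
```

With this in place a rejected certificate fails the message-security handshake before the service operation runs, so no ServiceSecurityContext check is needed in the operation itself.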

叶落知秋 2024-08-28 09:08:53


Check out the WCF Security Guidance page on Codeplex - excellent and very useful stuff!

In particular, check out the How-To's and even more specifically the

How To – Use Certificate Authentication and Message Security in WCF calling from Windows Forms

It explains in great detail how to set up a WCF service which requires its clients to present a valid certificate, and how to check that. If you want to allow only a single client, deploy that certificate only specifically to that one single client.

Hope this helps!
