WCF Service - Certificate and Message Security with UserName Authentication

Published 2024-10-11 19:11:59


I'm preparing to create a WCF Service which our customers can use to update data in our system. So it has to be available over the Internet. I have a book about WCF from which I know that Message Security is the way to go when making a WCF Service available over the Internet. That is because you shouldn't use the transport security, because it should only be used in environments where you can guarantee that there is a point-to-point connection between service and client. Did I get that right?
So I want to use Message Security in combination with a custom UserName authentication. I understand that I have to get a certificate to accomplish that. Our company already owns an SSL Certificate that is used for our Websites.

  • Can I use the same certificate for the message security of the WCF Service?

And

  • Is the Message Security way interoperable with clients that expect an ASMX Webservice?

For testing purposes I created my own certificate with Makecert. It worked fine but I always had to add the certificate to the Trusted Persons on the client machine.

  • Is it possible to enable the Message Security with the above mentioned certificate without forcing the client to add the certificate to the Trusted Persons manually?

Now, let's assume the following scenario:

Company Infrastructure

There are two Webservers behind an ISA-Server/Firewall. This ISA-Server holds the certificate for the www.company.com address. So all the SSL stuff is handled by it. It also forwards the incoming requests to the webservers accordingly. The newly created WCF Service should run on the 2nd webserver.

  • Do I have to copy the certificate to the webserver to be able to use the Message Security?

If yes, I heard copying certificates is not good practice because it reduces the level of security. Moving the certificate to the webserver is not an option, because it's needed for the websites on Web-Server1, too.

  • What are my options in this case?

And:

  • What would be the best practice for this scenario, regardless of the given requirements?

Thank you...


聊慰 2024-10-18 19:11:59


Nicely prepared question. First of all, I probably read the same book and I would like to clarify this statement:

"That is because you shouldn't use the transport security because it should only be used in environments where you can guarantee that there is a point-to-point connection between service and client."

Yes. HTTPS (transport security) offers only point-to-point security, but IMO people don't understand this scenario correctly. Do you think that if you connect to your Internet banking over HTTPS it will randomly, somewhere in the middle of the Internet, swap the communication from HTTPS to HTTP? NO! A point-to-point connection means a secured transport channel between the client and the accessed gateway providing the requested URL. In your scenario it means a secured transport channel between the client and your ISA Server. Communication will not be secured between your ISA and Web Server 2. If you want end-to-end security, which will provide a secure channel between the client and Web Server 2 (ISA will not be able to intercept messages), you need message security.

Now to your other questions:

"Can I use the same certificate for the message security of the WCF Service?"

Yes you can, but you have to copy the private key to your Web Server 2.

"Is the Message Security way interoperable with clients that expect an ASMX Webservice?"

No. A pure ASMX client can't use message security unless you code a lot of custom SOAP headers and extensions or install WSE 3.0.

"Is it possible to enable the Message Security with the above mentioned certificate without forcing the client to add the certificate to the Trusted Persons manually?"

Yes, but the certification authority which published the certificate must be trusted on the client machine. It is the same with HTTPS. Services secured with message security can also expose the certificate's thumbprint inside the WSDL. Clients can validate the service identity with this thumbprint. I think that in such a case you also don't need to install the certificate on the client, but when the certificate expires all clients will have to be updated.

"Do I have to copy the certificate to the webserver to be able to use the Message Security?"

Yes, you must. But this can be a problem because for security reasons the certificate can be marked as not exportable. The best solution is to request a new certificate just for this purpose.
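As an added example (not configuration from the question or the answer above), this is the WCF set-up the answer describes: wsHttpBinding with message security, UserName client credentials checked by a custom validator, the service certificate referenced by thumbprint from the machine store on Web Server 2, and the client pinning the service identity to that same thumbprint instead of trusting whatever identity ISA presents. Service name, contract, validator type, address and thumbprint are placeholders.

```xml
<system.serviceModel>
  <services>
    <!-- Service hosted on Web Server 2; placeholder names -->
    <service name="Company.CustomerUpdateService"
             behaviorConfiguration="MessageSecurityBehavior">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="UserNameMessageSecurity"
                contract="Company.ICustomerUpdateService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="UserNameMessageSecurity">
        <!-- Message (not Transport) security: the SOAP body is encrypted and
             signed end to end, so the ISA Server cannot read or alter it -->
        <security mode="Message">
          <!-- negotiateServiceCredential="false": the service certificate is
               published in the WSDL instead of negotiated at run time, so the
               client must already trust the issuing CA (or pin the thumbprint) -->
          <message clientCredentialType="UserName"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MessageSecurityBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- Certificate (with private key) installed in LocalMachine\My on
               Web Server 2; looked up by thumbprint, never by subject name -->
          <serviceCertificate findValue="PLACEHOLDER_THUMBPRINT"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindByThumbprint" />
          <!-- Custom UserName/password check; the validator type is a placeholder -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Company.CustomerValidator, CompanyService" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <client>
    <!-- Client side: pin the service identity to the certificate thumbprint
         taken from the WSDL; the certificate sits in the client's TrustedPeople store -->
    <endpoint address="http://www.company.com/CustomerUpdateService.svc"
              binding="wsHttpBinding" bindingConfiguration="UserNameMessageSecurity"
              contract="Company.ICustomerUpdateService">
      <identity>
        <certificateReference findValue="PLACEHOLDER_THUMBPRINT"
                              storeLocation="CurrentUser" storeName="TrustedPeople"
                              x509FindType="FindByThumbprint" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

The thumbprint pin is what makes the answer's caveat concrete: when the certificate is renewed, every client configuration carrying the old thumbprint has to be updated.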
