I have the following scenario:
A stateless service with a self-hosted OWIN WebApi. This provides a RESTful client-facing api.
A stateful service, again with a self-hosted OWIN WebApi.
After locating the correct stateful service partition, the stateless service calls into stateful service to access state. It does so via HTTP/HTTPS into the WebApi.
This configuration works fine running on the local cluster and an Azure cluster over HTTP. I'm running into problems though with HTTPS.
Using a self-signed cert I'm able to use HTTPS between the client and the stateless front-end service. However, I can't seem to get the configuration quite right to allow the stateless service to communicate with the stateful service over HTTPS.
I get an exception when the stateless service makes the request to the stateful service. "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." That has an inner exception of "The remote certificate is invalid according to the validation procedure".
I'm a bit fuzzy on security on service fabric, but have read through several articles, SO posts, blogs, etc. on the subject.
Here are my questions:
At a high level, what is the proper way to secure interservice communication in my scenario?
Is a self-sign cert supported in this scenario?
Are the two services in the same cluster? If so, why not just call the stateful service from the stateless one using ServiceProxy?
You can use a self-signed certificate - the error you're seeing is not specific to Service Fabric. There are several ways to bypass it (although obviously it's not recommended to do that in production). Take a look at this SO question: C# Ignore certificate errors?
Related
UPDATE 2: Solved the first problem (note below) - reduced the complexity/scope.
NOTE: If migrating from self-hosting WCF services in Cloud Services to Service Fabric using HttpsBinding then you need to change the HostNameComparisonMode from Exact to StrongWildcard.
I have scenario where I have to open many (100+) WCF Service Hosts to receive callbacks from an external service. They have same Contract but with differing credentials (service certificates are unique to each of our customers).
I would like to know if it is possible to route all requests through a single Host/Router that could check the connecting clients expected service certificate and either a) spoof/ignore (preferably) the service certificate or forward the connection onto the correct host.
I want to avoid having to load hundreds of service hosts with different credentials (which are stored in a database) when the service fabric node first comes up so I don't receive traffic to a service that's not loaded yet. Ideally I could load them when needed or not have to load them at all (spoofing certificate or something).
Looking for someone who is a lot savvier with WCF to shed some light on the possibilities. Thanks.
Scenario
WCF service on our public DNN website using a WsHttpBinding over SSL.
security mode is TransportWithMessageCredential
Requires Username and password authentication
One WCF client consuming the service on our Intranet
I understand the basic idea of point-to-point security using SSL, but my question is - can I still have point-to-point security if my client app (on our Intranet) is connecting to a WCF service on our public website over SSL? Does this service being on the Internet open it up for "man in the middle" attacks considering the communication is going over the Internet? Am I not fully understanding man in the middle attacks?
I should note, the app on our Intranet is the only client that will be using this service or at least, this isn't something that I'm going to allow (give out other username/passwords) anyone else to consume or use.
Thanks
If SSL is handled by a load balancer, do I still need to configure it in the WCF serviceCertificate node? My scenario is to use message level security. If someone can explain how load balancing with wcf and ssl works, that would be very nice.
WCF requires security tokens to be passed over a secure transport if the message itself is not signed/encrypted. Since traffic is HTTP between your Big-IP and your individual web servers, you need a way to have security tokens that you know are secured between the client and the Big-IP up front still be passed to your server farm. There's a couple ways to do that depending on what version of WCF you're using:
If you're using WCF 4.0 you can just create a custom binding and set the AllowInsecureTransport property on the built in SecurityBindingElement to signify that you don't care that the transport isn't secure.
If you're using WCF 3.5 you have to "lie" about security with a custom TransportSecurityBindingElement on the server side. You can read my old post about this here.
FWIW, they created a hotfix release for 3.5 SP1 that adds the AllowInsecureTransport to that version, but I don't know if your company will allow you to install custom hotfixes.
If you want to use message security then each message is encrypted and signed separately - there is no secure connection and load balancer behaves as with any other HTTP transport. Loadbalancer doesn't know about security and doesn't need certificate.
There are two gotchas:
All load balanced application servers hosting your WCF service must use the same certificate
You must ensure that your WCF binding doesn't use sessions (reliable, security) otherwise you will need load balancing algorithm with sticky sessions (all request for single session always routed to the same server)
It doesn't. Don't bother with this. You will be in a world of hurt. Just install the certs on each machine. We've recently been through this fiasco. WCF is not worth the effort it thinks it needs SSL but sees that it doesn't have it. Take a look at openrasta or something else if you want to do all your SSL on the loadbalancer. #microsoftfail
I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
you can use a certificate to sign the WCF messages (it's all in the WCF Settings) on both sides (client and server)
Here is some detailed explanation:
Message Security
Here is my scenario:
I have a proxy that actually has the SSL Cert installed and this sits in front of a load balanced web farm. Each IIS server does not have SSL so I can't use transport security via wsHttp binding. I have not investigated basicHttp because we want to provide SOAP 1.2 going forward w/ this solution. In addition to this, my network team won't allow any use of certs to encrypt at the message level. (this alone would solve my dilemma i'm sure)
My security group has a requirement that we use Forms Authentication (membership provider).
The final solution must allow SSL via the front proxy, yet some type of WCF binding to keep complexity encapsulated in a config file.
I was working with a custom binding that allowed for username/password sent via clear text, but when I try to connect via https i get the usual "http expected" uri error.
How can I use SSL via the proxy to connect securely from client app to web service, but not have SSL installed on IIS and leverage the WCF stack + forms authentication?
I'm not new to WCF, but this very custom setup seems to have me unsure if the requirements allow for any type "easy" solution.
Thank you in advance!
EDIT: I did finally get this working and decided to write a short blog post with complete source code required to write the custom binding.
I think this is similar to a problem many have had when wanting to provide WCF services over SSL when the actual service in IIS is behind an SSL-offloading device. In which case, the following two pages should help you out:
http://blog.hackedbrain.com/archive/2006/09/26/5281.aspx
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/87a254c8-e9d1-4d4c-8f62-54eae497423f/
Basically you need to lie to WCF and say that the service is secure, even though the traffic will be conducted over HTTP (between the service and the proxy).