BizTalk WCF-WebHttp Adapter SSL Certificate Props

What is the difference between the Client Cert and Service Cert props in the security tab of WCF-BasicHttp and WCF-WebHttp adapter based receive and send ports, and how are they used by BizTalk for SSL authentication?
The documentation is not that specific.
How to Configure a WCF-WSHttp Send Port

Seems reasonably clear in that article to me.
The Client Certificate is the one you hold the private key for and is used for signing your messages so the recipient can verify who you are.
certificate for authenticating this send port to services
The Service Certificate is the public key of the service you are connecting to. This way it can verify that you are connecting to who you think you are connecting to.
certificate for authenticating the service to which this send port sends messages
This is not required ("The default is an empty string."); however, it is a security feature that prevents someone from successfully spoofing the web service and intercepting your payload if they manage to poison the DNS entry.

Related

Could not establish secure channel for ssl/tls authority

A WCF service is installed on two servers and accessed through a load balancer. We have a domain validation certificate installed on the load balancer. The WCF client gives the error "Could not establish secure channel for ssl/tls authority" while adding the service reference, but SOAPUI is able to access the service.
I am not sure what is causing this issue. Any help will be appreciated.
Thanks in advance.
The root cause is the account running the WCF client application failed to access the private key of the client certificate.
The reason we need to establish the secure channel for SSL authority is that the communication between the server side and the client side works over HTTPS; therefore, the two sides have to exchange the public keys of their certificates. After that, the private key of the client certificate is used to decrypt the HTTPS messages so that the HTTPS traffic works properly. Likewise, the server account also needs access to the private key of the service certificate.
Please refer to the below steps to add the Everyone account to the management group of the private key of the client certificate so that the client account can access the private key properly.
Feel free to let me know if there is anything I can help with.
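A way to confirm the diagnosis in the answer above before touching any ACLs, as an added C# check that is not part of the original answer: it looks the client certificate up by thumbprint and tries to open its private key under the account the process runs as. The thumbprint is a placeholder. When the open fails, grant Read on the key to the specific account that runs the WCF client (certlm.msc, "Manage Private Keys" on the certificate) rather than to Everyone, so the key stays usable only by that service account.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not from the original answer): reports whether the current
// account can open the private key behind a client certificate.
public static class PrivateKeyAccessCheck
{
    public static string Report(StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                return "certificate not found in " + location + "\\My";

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                return "certificate has no associated private key (public part only)";

            try
            {
                // Opening the key handle is the step that fails with "Keyset does not
                // exist" or access denied when the account lacks Read on the key file.
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    return rsa == null
                        ? "private key present but not RSA"
                        : "private key accessible (" + rsa.KeySize + "-bit RSA) for "
                          + Environment.UserName;
                }
            }
            catch (CryptographicException ex)
            {
                return "private key NOT accessible for " + Environment.UserName
                       + ": " + ex.Message;
            }
        }
    }

    public static void Main()
    {
        // Placeholder thumbprint; run this under the same account as the WCF client.
        Console.WriteLine(Report(StoreLocation.LocalMachine, "<CLIENT-CERT-THUMBPRINT-PLACEHOLDER>"));
    }
}
```

Run it under the identity that will call the service (for example with runas or as the IIS application pool account) rather than as an administrator, since administrators usually have access anyway and the check would pass for the wrong account.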

The HTTP request was forbidden with client authentication scheme 'Anonymous' net core

I have a .NET Core API and an EmailService as a connected service (WCF).
The EmailService is hosted on IIS (HTTPS); I'm trying to connect to the EmailService with a client certificate. Everything is fine, but I'm getting the error
"The HTTP request was forbidden with client authentication scheme 'Anonymous'".
On the EmailService side:
The SSL Settings are set to Require SSL, and the IIS binding is HTTPS.
On the API side:
When I try to access the EmailService from the Chrome browser, I get a prompt for a client certificate; I pick the cert and everything works fine.
Any suggestions?
Thanks
I am not sure if you can call the service properly since WS-Security is not supported in .NET Core. Anyway, this error typically indicates that the client's certificate cannot be recognized by the server side when establishing the HTTPS communication. Also, if your client communicates with the server over HTTP and the server requires SSL, this kind of error also occurs.
The HTTPS secure communication between the client side and the server side cannot be established properly. As you know, HTTPS secure communication requires the procedure of exchanging each other's certificate public key. Therefore, the server side and the client side should establish mutual trust. In other words, the server's certificate must be trusted by the client and the client's certificate must be trusted by the server. The specific operation is to install the certificate in the local Trusted Root Certification Authorities.
Please refer to the below link.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
Besides, the client-side should have access to the private key of the certificate provided by the client so that the https secure communication is valid. The specific operation is to add the current user to the private key management group of the certificate.
Feel free to let me know if there is anything I can help with.
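The BizTalk question at the top of the page (Client certificate vs. Service certificate) and the 'Anonymous' error above come down to the same two client-side settings, which the following added C# example shows in a plain WCF client. This is not code from either answer; `IEmailService`, the endpoint URL and the thumbprint are placeholders, and it assumes the service is published over HTTPS with client certificates required.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: a WCF client over transport security (HTTPS) that presents a
// client certificate and validates the service's certificate. The contract,
// URL and thumbprint are placeholders.
[ServiceContract]
public interface IEmailService
{
    [OperationContract]
    bool Send(string to, string subject, string body);
}

public static class CertificateAuthenticatedClient
{
    public static ChannelFactory<IEmailService> Create(
        string httpsEndpointUrl, string clientCertThumbprint)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);

        // Client half of mutual TLS. With HttpClientCredentialType.None the client
        // sends no certificate, and an IIS site set to "Require client certificates"
        // answers 403: "forbidden with client authentication scheme 'Anonymous'".
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<IEmailService>(
            binding, new EndpointAddress(httpsEndpointUrl));

        // "Client certificate": the one whose private key this process holds. WCF
        // loads it from the store, so the process account needs Read on that key.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, clientCertThumbprint);

        // "Service certificate": how the server's certificate is judged. ChainTrust
        // requires a chain to a CA in this machine's trusted roots; Online revocation
        // rejects revoked certificates. The HTTPS stack also checks that the name in
        // the certificate matches the host name in the URL, which is what a poisoned
        // DNS entry pointing at an impostor cannot satisfy.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        return factory;
    }

    public static void Main()
    {
        var factory = Create("https://mail.example.invalid/EmailService.svc",
                             "<CLIENT-CERT-THUMBPRINT-PLACEHOLDER>");
        IEmailService proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine(proxy.Send("ops@example.invalid", "test", "hello"));
            ((IClientChannel)proxy).Close();
        }
        catch (CommunicationException ex)
        {
            // Handshake and 403 failures surface here (MessageSecurityException etc.).
            Console.WriteLine("call failed: " + ex.Message);
            ((IClientChannel)proxy).Abort();
        }
    }
}
```

In the BizTalk adapter the two `SetCertificate`/`Authentication` settings correspond to the Client certificate and Service certificate thumbprints on the Security tab; leaving validation at `ChainTrust` rather than `None` is what makes the Service certificate setting worth configuring.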

When we create SSL enabled Service, do we have to hand out certificates to each client?

One of my teammates just enabled SSL on one of the services that we are using, and I had to install a certificate that he gave me on each of the client machines that intend to consume that service. Now, I am not very well-versed when it comes to SSL security, and that raised a question in my mind:
WHENEVER we create an SSL-enabled service, do we have to hand out a certificate to all the clients?
Is there any kind of configuration with which we can create an SSL-enabled service without having to hand out a certificate to all the clients?
If it is possible, then how secure would that service be compared to the service that requires each client to install a certificate on the machine?
Also, is there any easy-to-understand article on WCF SSL security?
Que: WHENEVER we create an SSL-enabled service, do we have to hand out a certificate to all the clients?
Ans: No. For an SSL-enabled service one does not need to hand out certificates to clients.
The SSL certificate on the server (in this case, service) side gives clients confidence that they are talking to the legitimate server.
Clients need certificates only when the service needs its clients to prove their identity using a client certificate. With client certificates the server (service) gets confidence that it is sending data to legitimate clients.
Que: Is there any kind of configuration with which we can create an SSL-enabled service without having to hand out a certificate to all the clients?
Ans: Certainly there is a way to make the service SSL-enabled without requiring a client certificate. Check the SSL Settings option for the website where the service is hosted.
Que: If it is possible, then how secure would that service be compared to the service that requires each client to install a certificate on the machine?
Ans: Obviously, using an SSL certificate doesn't stop any client from consuming it. Any client who knows the service endpoint can consume it. A client certificate is one way to authenticate clients. Only those clients who have a valid client certificate will be able to consume the service.
Que: Also, is there any easy-to-understand article on WCF SSL security?
Ans: Check out this link: https://msdn.microsoft.com/en-us/library/ff650862.aspx It's about WCF security as a whole, not just SSL security.
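The two configurations the answer contrasts, server-only SSL and SSL plus a required client certificate, side by side in a self-hosted WCF service. This is an added C# example, not code from the answer: `IEmailService`, `EmailService` and the address are placeholders, and it assumes a server certificate is already bound to the HTTPS port (for a self-host, via `netsh http add sslcert`; under IIS the site's binding and SSL Settings play the same roles).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: the same contract hosted two ways.
//   ServerOnly  - ordinary HTTPS. Clients install nothing beyond trust in the
//                 issuing CA; anyone who can reach the endpoint can call it.
//   MutualTls   - HTTPS plus a required client certificate, the case where the
//                 service needs clients to prove who they are.
[ServiceContract]
public interface IEmailService
{
    [OperationContract]
    bool Send(string to, string subject, string body);
}

public sealed class EmailService : IEmailService
{
    public bool Send(string to, string subject, string body)
    {
        // With MutualTls the caller's certificate identity is available here;
        // with ServerOnly every caller is anonymous and must be authorised some other way.
        var caller = ServiceSecurityContext.Current?.PrimaryIdentity?.Name ?? "(anonymous)";
        Console.WriteLine("Send requested by " + caller);
        return true;
    }
}

public enum TlsMode { ServerOnly, MutualTls }

public static class SecureHost
{
    public static ServiceHost Open(TlsMode mode, string httpsAddress)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = mode == TlsMode.MutualTls
            ? HttpClientCredentialType.Certificate   // IIS SSL Settings: "Require" client certificates
            : HttpClientCredentialType.None;         // IIS SSL Settings: "Ignore" client certificates

        var host = new ServiceHost(typeof(EmailService), new Uri(httpsAddress));
        host.AddServiceEndpoint(typeof(IEmailService), binding, "");

        if (mode == TlsMode.MutualTls)
        {
            // How presented client certificates are judged: chain to a trusted CA,
            // and reject revoked ones. PeerTrust would instead require each client
            // certificate to be installed in the server's TrustedPeople store.
            var auth = host.Credentials.ClientCertificate.Authentication;
            auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
            auth.RevocationMode = X509RevocationMode.Online;
        }

        host.Open();
        return host;
    }

    public static void Main()
    {
        using (var host = Open(TlsMode.MutualTls, "https://localhost:8443/EmailService"))
        {
            Console.WriteLine("listening; press Enter to stop");
            Console.ReadLine();
            host.Close();
        }
    }
}
```

The choice of `ChainTrust` versus `PeerTrust` decides whether handing out certificates means "issue them from a CA the server trusts" or "copy each client's public certificate onto the server"; the question's teammate chose the second pattern, which is why every client needed a file installed.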

Disabling certificate revocation checks in Mule

I am having an issue where service calls that I am making cannot validate server certificates presented by the TMG as part of connecting to the service. The certificate URLs from the TMG address are not reachable from the target servers. This is causing 30 second timeouts for new connections.
Is there a way to disable certificate revocation checks in Mule to avoid this issue?
If you're talking about Mule HTTP endpoints, then this would vary. If you're using the HTTP transport you can create a custom message dispatcher and allow the HTTP client to ignore the certificates; otherwise you can manually install the certificates in the keystore so you don't get SSL errors.

WCF transport security with encryption

I have a client-server application which uses a WCF service with Transport security mode and the NetTcp binding. I have heard that Transport security is best for a local intranet, not for the internet. Now my scenario is that I need to access the WCF service over the internet (from another country), but I don't want to use Message security (because it requires purchasing and installing a certificate on the server and on each client). I want to use Transport security and also encrypt my data, so no one can hack it from the internet.
So please, can someone guide me on how I can encrypt my data with Transport security?
Thanks
Transport is just SSL, so after the initial setup on the host and client sides, there's really nothing special to it. SSL will encrypt all the bytes starting at byte 0 and only the host that distributed the public key portion of the SSL cert will be able to decrypt the transmission since it and only it should have the private key part of the certificate.
SSL does present some potential problems if you have a load balancer or proxy fronting your service - i.e. if the proxy or LB server didn't begin the SSL transmission, it won't know what to do with the inbound message. But SSL encryption can be offloaded to a LB or proxy, so there are ways around that.
Here's a link to a Stack Overflow question about SSL over WCF:
Enable SSL for my WCF service
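How the answer's "Transport is just SSL" looks for the NetTcp binding from the question, as an added C# example that is not code from the answer or the linked post. `IOrders`, `OrdersService`, the address and the thumbprint are placeholders. The reason NetTcp transport security is usually described as intranet-only is its default credential type, Windows, which needs a shared domain; switching the client credential type to `None` (or `Certificate`) makes WCF run TLS on the TCP stream with a certificate that lives only on the host, which is what the asker wants.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: NetTcpBinding with SecurityMode.Transport. The stream is TLS,
// so bytes on the wire are encrypted and only the host holding the private key
// can complete the handshake. Only the host needs a certificate.
[ServiceContract]
public interface IOrders
{
    [OperationContract]
    int Place(string sku, int quantity);
}

public sealed class OrdersService : IOrders
{
    public int Place(string sku, int quantity) => quantity > 0 ? 1 : 0;
}

public static class TcpTransportSecurity
{
    // Server side: one certificate, installed once on the host.
    public static ServiceHost OpenHost(string tcpAddress, string serverCertThumbprint)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        // None: clients are not asked for a certificate or Windows credentials, but
        // the channel is still TLS-encrypted with the host certificate. The service
        // is then reachable by anyone, so authorise callers at the application
        // level, or use TcpClientCredentialType.Certificate to require client certs.
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;

        var host = new ServiceHost(typeof(OrdersService), new Uri(tcpAddress));
        host.AddServiceEndpoint(typeof(IOrders), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, serverCertThumbprint);
        host.Open();
        return host;
    }

    // Client side: no certificate of its own; it verifies the host's certificate.
    public static IOrders CreateClient(string tcpAddress, string expectedDnsName)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;

        // The DNS identity must match the subject of the certificate the host
        // presents; a mismatch is rejected, so a machine that merely answers at the
        // same address cannot pass as the service.
        var endpoint = new EndpointAddress(
            new Uri(tcpAddress), EndpointIdentity.CreateDnsIdentity(expectedDnsName));
        var factory = new ChannelFactory<IOrders>(binding, endpoint);

        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        return factory.CreateChannel();
    }

    public static void Main()
    {
        using (OpenHost("net.tcp://localhost:9443/Orders", "<SERVER-CERT-THUMBPRINT-PLACEHOLDER>"))
        {
            IOrders proxy = CreateClient("net.tcp://localhost:9443/Orders", "localhost");
            Console.WriteLine(proxy.Place("SKU-1", 2));   // 1 if the TLS handshake and call succeed
            ((IClientChannel)proxy).Close();
        }
    }
}
```

The client still needs to trust the CA that issued the host certificate, which is satisfied by a publicly trusted CA or by installing one root certificate; that is different from installing a per-client certificate, which is only needed when the host is configured to require client certificates.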