I have created a WCF service with X.509 certificate. I took a reference from this article: http://www.codeproject.com/Articles/36683/simple-steps-to-enable-X-certificates-on-WCF. Now it requires a certificate to be sent along with request to the server in order to access the service. My question is that does using a X.509 certificate in request encrypt the message to be sent to the server or do I have to do anything more to do it?
A client sending a request to a WCF service should only require a public key to start off. If you have your service (and client) configured correctly, WCF should automatically handle the authentication / encryption before the transmission of your request content.
As I understand it, your client does not need a X509 cert.
Related
I'm having a .net core API and an EmailService as a connected service (WCF)
The EmailService is hosted on IIS (HTTPS); I'm trying to connect to the emailService with a Client Certificate. Everything is fine but i'm getting the
The HTTP request was forbidden with client authentication scheme 'Anonymous' error;
On the EmailService side:
The SSL Settings are on Require SSL (Require), the IIS Binding is on HTTPS
On the API side:
When i'm trying to access the emailservice by chrome browser, i'm getting a prompt for a client certificate, i'm picking the cert and everything works alright;
Any suggestions?
Thanks
I am not sure if you can call the service properly since WS-security is not supported in DotNet Core. Anyway, this error typically indicates that the client’s certificate cannot be recognized by the server-side when establishing the Https communication. Also, if your client communicates with the server over HTTP and the server requires SSL, this kind of error also occurred.
The Https secure communication between the client-side and the server-side can not be established properly. As you know, the https secure communication requires the procedure of exchanging each other’s public key of the certificate. Therefore, the server-side and the client-side should establish mutual trust. In other words, the server’s certificate must be trusted by the client and the client’s certificate must be trusted by the server. The specific operation is to install the certificate in the local Trusted Root Certification Authorities.
Please refer to the below link.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
Besides, the client-side should have access to the private key of the certificate provided by the client so that the https secure communication is valid. The specific operation is to add the current user to the private key management group of the certificate.
Feel free to let me know if there is anything I can help with.
I have to make an WCF client for one external SOAP web-service written probably in Java. That web-service uses WS-Security for signing and encryption (so, I suppose I have to use WCF message level security). Transport mechanism between client and web-service is HTTPS with 2-way handshaking.
The problem is that I have to use four different certificates - let us call them CertA, CertB, CertC and CertD.
CertA and CertC must be used for signing the SOAP message.
CertB and CertD must be used for SOAP message encryption and HTTPS handshaking.
Basically, the client is supposed to sign a message using it's private key and encrypt the message using server's public key. The server do the opposite.
Precisely, here's what WCF client have to do in order to send a message to the server and receive the response back:
Client sign SOAP request with certificate CertA (using CertA's
private key)
Client encrypt SOAP request with certificate CertD
(using CertD's public key)
Client send signed and encrypted SOAP message over HTTPS to the server (certificate CertB is required by the server during HTTPS 2-way handshaking for authentication purpose)
On the server side:
Server receives the message, authenticate and authorize client
Server decrypt message with CertD's private key
Server verify message signature with CertA's public key. Server then process decrypted and verified message.
Server create response message and sign it with certificate CertC (using CertC's private key)
Server encrypts the response message with certificate CertB (using CertB's public key)
Server send response back to the client over HTTPS transport.
When client receive the server response:
Client decrypt response with its CertB's private key
Client verify message signature with CertC's public key
Client process the response.
The question is how to configure such WCF client? Which binding to use to enable SOAP signing & encryption on message layer + HTTPS 2-way handshake on the transport layer and how to "tell" WCF what's the purpose of each of the 4 certificates?
(Yes, I already saw this article: https://msdn.microsoft.com/en-us/library/ms729856(v=vs.110).aspx but I'm afraid that article doesn't provide solution for my case because they use some weird duplex binding which require a client to open an listening port and that's not an option for me since I have to use regular HTTPS connection).
I have a WCF service (authored in-house) using a WS-HTTP binding and transport security (SSL). We are authenticating callers with client certificates and a whitelist of acceptable certificates (certs are provided to us out-of-band). So we're using a custom validator (e.g. a class deriving from System.IdentityModel.Selectors.X509CertificateValidator) to do a database query to check the whitelist.
It works in the following case: We have a root certificate used in development, issued by the development team (using OpenSSL). This root is trusted (e.g. installed in the Trusted Third-Party CA cert store) on the server hosting our WCF service. The test client is configured to present a certificate signed by this root. This case behaves as expected.
It does not work in the following case: The client presents a self-signed certificate to the service. In this case the client receives the error message "The HTTP request was forbidden with client authentication scheme 'Anonymous'", and-- here's the odd part-- the service's certificate validator doesn't even run. We don't get any chance to give the thumbs-up. The client cert is rejected by a layer lower than our validator.
How can I use a self-signed client certificate with my service?
You can't. In WCF, WS-HTTP transport security is SSL. My error results from a failure in the SSL negotiation between the parties.
The normal case of this negotiation is as follows: The service sends the client a list of root certificates that it trusts. The client examines this list and finds a certificate that the server will find trustworthy and sends it.
In my error case, the client is examining the server's list and determining that its cert will not be trusted. At this point the client will normally attempt to negotiate down to anonymous access, which is forbidden in my case, so the negotiation fails.
WCF does not support self-signed client certificates, or certs issued by an untrusted CA, in WS-HTTP binding + transport security scenarios, even if you use custom validation mode. It does support this scenario in message security. I suspect that Net.TCP supports this scenario, but haven't tested that.
I think there's a gap in my mental model of WCF authentication, hoping someone can help me fill it in.
So, I'm creating a WCF service and would like to have clients authenticate using certificates, and message-level security. I'd like the service to validate these using chain trust so that I don't need each client cert installed on the service. For now, I'm not interested in having the service authenticate to the client.
Here's my understanding of what's needed to do this:
The client needs a certificate signed by a CA that's trusted on the service side.
The service needs a CRL installed for that CA.
The service config should have message security turned on, specify clientCredentialType="Certificate", and chain trust for client certificate validation.
The client config should have message security turned on, specify clientCredentialType="Certificate", and an endpoint behavior that tells how to find the client certificate in the store.
The client makes a request to the service, sending its certificate. The service sees that the client's cert is signed by its trusted CA and lets the request through.
Now, all of the walkthroughs of this process I've found also include a step of creating a certificate for the service. None of them explain what this is for, which is throwing me. Why is a service certificate needed if I just want to authenticate the clients?
You are right. In theory no server certificate is required, in practice wcf enforce you to use one. The good news is that you should use a dummy certificate for the server and also set ProtectionLevel to SignOnly. I suggest to read this article which talks on a similar scenario and mostly relevant.
Do not really know how x509 works.
If I have a Web Service that needs to authenticate and validate the client, and he uses a ClientCertificate, could he send me some information that I could then validate against?
I do not create the Web Site itself so I can't be sure they would do it right. I don't wan't to allow someone to say to the Web Service "It's okay, I ClientCertificated him and he's good".
You can implement your own custom client certificate validator but its usage will be different based on the way how do you use the client certificate. If you use pure message security your validator will be the only component used to validate the certificate. If you use HTTPS with client certificate (transport security) the certificate will be first validated by Windows (= your service hosting server must trust the certificate) and after that it will be passed to WCF and validated by your validator.