I have a WCF service hosted in IIS. The service is mandated to be basicHttpBinding. There is IBM DataPower in front of the WCF service that exposes it to outside world.
I am writing a WCF client app (inheriting from ClientBase) that has to encrypt the message body using a pre-shared public key; DataPower will decrypt it and forward the message to the hosting server. As for responses, DataPower will encrypt them and the client should be able to decrypt the responses received. One way to achieve this (that I could think of) is to use IClientMessageInspector, encrypting in BeforeSendRequest() and decrypting in AfterReceiveReply(). Before going this route, I wanted to know what other options are available to achieve this?
Usually the pattern is to use SSL, which is easy to work with in DataPower and WCF clients. I'm not sure how easy it is to configure message-level encryption in DataPower. If you insist on message-level encryption, first check if DP supports the standard WS-Security approach, in which case configuring the WCF client is easy (basicHttpBinding with a security mode of Message and a client credential type of Certificate or UserName, depending of course on whether you want to configure client authentication).
Yes, DataPower supports the WS-Security standard and you can encrypt/decrypt any part or the whole of a message. The only thing you need to weigh here is whether to use PKI or a symmetric encryption/decryption technique for the message-level security.
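As an added example (not code from the question, the answers, or IBM DataPower), this is what the IClientMessageInspector route described in the question looks like when the body is hybrid-encrypted: a fresh AES-256 key is wrapped with RSA-OAEP to the pre-shared gateway public key for requests, and replies are assumed to arrive in the same envelope wrapped to the client's own certificate. The EncryptedBody element, the urn:example:encbody namespace and that reply convention are hypothetical; the real format is whatever the DataPower policy is configured to produce and consume.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Text;
using System.Xml;

// Added example, not code from the question. Hypothetical wire format agreed with the gateway:
//   <EncryptedBody xmlns="urn:example:encbody"><Key/><IV/><Mac/><Data/></EncryptedBody>
// Key  = RSA-OAEP wrapped 64-byte secret (first 32 bytes AES-256 key, last 32 bytes HMAC key)
// Data = AES-256-CBC ciphertext of the original body element; Mac = HMAC-SHA256 over IV||Data.
public sealed class BodyEncryptionInspector : IClientMessageInspector
{
    private const string Ns = "urn:example:encbody";
    private readonly RSA _gatewayPublicKey;  // pre-shared gateway key: wraps the request secret
    private readonly RSA _clientPrivateKey;  // the client's own key: unwraps the reply secret

    public BodyEncryptionInspector(X509Certificate2 gatewayCert, X509Certificate2 clientCert)
    {
        _gatewayPublicKey = gatewayCert.GetRSAPublicKey();
        _clientPrivateKey = clientCert.GetRSAPrivateKey();
    }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        request = Rebuild(request, Encrypt(ReadBody(request)));
        return null;
    }

    public void AfterReceiveReply(ref Message reply, object correlationState)
    {
        reply = Rebuild(reply, Decrypt(ReadBody(reply)));
    }

    // A Message body can be read only once, so take it out as XML text and build a new Message
    // around the transformed body, copying SOAP version, headers (Action included) and properties.
    private static string ReadBody(Message m)
    {
        using (XmlDictionaryReader r = m.GetReaderAtBodyContents()) { return r.ReadOuterXml(); }
    }

    private static Message Rebuild(Message original, string bodyXml)
    {
        Message m = Message.CreateMessage(original.Version, null, XmlReader.Create(new StringReader(bodyXml)));
        m.Headers.CopyHeadersFrom(original);
        m.Properties.CopyProperties(original.Properties);
        return m;
    }

    private string Encrypt(string plainXml)
    {
        byte[] secret = new byte[64], pt = Encoding.UTF8.GetBytes(plainXml), iv, data;
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(secret); }
        using (Aes aes = Aes.Create())
        {
            aes.Key = Slice(secret, 0, 32); aes.GenerateIV(); iv = aes.IV;      // fresh IV per message
            using (ICryptoTransform e = aes.CreateEncryptor()) { data = e.TransformFinalBlock(pt, 0, pt.Length); }
        }
        byte[] mac = Hmac(Slice(secret, 32, 32), iv, data);  // encrypt-then-MAC: CBC alone is malleable
        // OaepSHA256 needs CNG-backed keys on .NET Framework; fall back to OaepSHA1 for legacy CSP keys.
        byte[] wrapped = _gatewayPublicKey.Encrypt(secret, RSAEncryptionPadding.OaepSHA256);
        return string.Format(
            "<EncryptedBody xmlns=\"{0}\"><Key>{1}</Key><IV>{2}</IV><Mac>{3}</Mac><Data>{4}</Data></EncryptedBody>",
            Ns, Convert.ToBase64String(wrapped), Convert.ToBase64String(iv),
            Convert.ToBase64String(mac), Convert.ToBase64String(data));
    }

    private string Decrypt(string encXml)
    {
        var doc = new XmlDocument { XmlResolver = null };   // never resolve external entities or DTDs
        doc.LoadXml(encXml);
        var ns = new XmlNamespaceManager(doc.NameTable); ns.AddNamespace("e", Ns);
        Func<string, byte[]> field = n =>
            Convert.FromBase64String(doc.SelectSingleNode("/e:EncryptedBody/e:" + n, ns).InnerText);
        byte[] secret = _clientPrivateKey.Decrypt(field("Key"), RSAEncryptionPadding.OaepSHA256);
        byte[] iv = field("IV"), data = field("Data"), mac = field("Mac");
        if (!FixedTimeEquals(Hmac(Slice(secret, 32, 32), iv, data), mac))  // verify before decrypting
            throw new CryptographicException("Reply body failed integrity check");
        using (Aes aes = Aes.Create())
        {
            aes.Key = Slice(secret, 0, 32); aes.IV = iv;
            using (ICryptoTransform d = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(d.TransformFinalBlock(data, 0, data.Length));
        }
    }

    private static byte[] Slice(byte[] s, int o, int n) { var d = new byte[n]; Buffer.BlockCopy(s, o, d, 0, n); return d; }

    private static byte[] Hmac(byte[] key, byte[] iv, byte[] data)
    {
        using (var h = new HMACSHA256(key))
        { h.TransformBlock(iv, 0, iv.Length, null, 0); h.TransformFinalBlock(data, 0, data.Length); return h.Hash; }
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)   // constant-time compare, no early exit
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The inspector is attached from an IEndpointBehavior whose ApplyClientBehavior calls clientRuntime.ClientMessageInspectors.Add(new BodyEncryptionInspector(gatewayCert, clientCert)), added to the proxy's Endpoint.EndpointBehaviors before the channel is opened. Two caveats a reviewer would raise: SOAP headers and the SOAPAction stay in clear, and nothing here authenticates the client to the gateway, which is exactly what the standard WS-Security message security the answers point to provides out of the box.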
I would like to have a service and a client that consumes this service from the internet, and I am thinking of using the NetTcpBinding.
I have read that NetTcpBinding uses security in the transport layer by default, so my question is whether I need to use a certificate or whether I can use the binding with its default settings.
My idea is to send the login/password from the client to the service. The service checks in the database whether the information is correct, and then can apply the access level to the application.
Is this a good way to do it, or are there better alternatives?
Thanks.
Daimroc.
I am designing a WCF service. Is it possible to define a service that can handle encrypted messages from some of the clients (on an untrusted channel), but also unencrypted messages (for the clients that are on a trusted channel)?
Yes, it should generally be possible. There can be other requirements which would break this possibility, but with a simple configuration you can use a single service with two endpoints: one exposing unencrypted communication and one exposing encrypted communication. You just have to make sure that each client set can access only the selected endpoint; that is usually not related to WCF but to computer or network configuration.
I have an IIS-hosted WCF service which is configured to use basicHttpBinding with transport security.
I have configured IIS with a certificate and I'm using an https endpoint to call the service.
Now, I have enabled message logging on the service at transport level - however, the messages I'm seeing are in clear text. Is this right? If so, why? Is there a way to see the encrypted messages?
Thank you in advance,
Fabio
This is correct behavior. The transport layer handles its decryption before it passes the message to an upper-layer API like WCF, so WCF always gets the message decrypted and can't intercept the process; transport security is outside of WCF. The encrypted message is logged at the transport layer only if you use message security, because in that case the transport layer just passes the message as is to WCF to deal with it.
Use Fiddler and don't enable SSL decryption in the options. It will allow you to inspect the message traffic as it is on the wire.
Also, worth reading is Debugging Localhost Traffic with Fiddler, a common gotcha for those new to Fiddler. Then check out the info page on HTTPS decryption, if you're interested in using that feature later.
Is it possible to host a WCF service in IIS, access it over HTTP and have the message body encrypted using a wsHttpBinding configuration?
Yes, any protocol that can support message security and the WS-Security standard will be capable of encrypting your messages - it's actually the default setting, too.
See Message Security in WCF for more information, and for hints about how to secure your messages using a Windows credential or a X.509 certificate as the "shared secret" between client and server to ensure encryption.
Yes.
Check this page from MSDN on how to configure your bindings to do what you need:
MSDN - Web Service Protocols Supported by System-Provided Interoperability Bindings
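The two-endpoint arrangement from the earlier answer about mixing trusted and untrusted clients, and the wsHttpBinding-over-plain-HTTP question answered just above, fit in one host. The following is an added example, not code from any of the posts: one ServiceHost exposes a plaintext BasicHttpBinding endpoint bound to an internal address and a WSHttpBinding endpoint with message security on an http:// address, and a matching client talks to the encrypted endpoint. The contract, hostnames and certificate handling are assumptions; keeping outside networks away from the plaintext address is firewall and routing work, as that answer says, not something WCF enforces.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not from the answers). Hypothetical: IOrderService/OrderService, the
// hostnames, and that both sides hold each other's certificates out of band.
[ServiceContract] public interface IOrderService { [OperationContract] string Place(string order); }
public class OrderService : IOrderService { public string Place(string order) { return "accepted:" + order; } }

public static class DualEndpointHost
{
    public static ServiceHost Build(X509Certificate2 serviceCert)
    {
        var host = new ServiceHost(typeof(OrderService));

        // Endpoint 1: plaintext, for clients on the trusted network. Listening only on an
        // internal interface address narrows exposure, but the network has to enforce it.
        var plain = new BasicHttpBinding(BasicHttpSecurityMode.None);
        host.AddServiceEndpoint(typeof(IOrderService), plain, "http://orders.internal.example:8080/orders/plain");

        // Endpoint 2: WS-Security message encryption and signing over ordinary HTTP, for clients on
        // untrusted channels. Confidentiality comes from the SOAP body, so the scheme stays http://.
        var secure = new WSHttpBinding(SecurityMode.Message);
        secure.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        secure.Security.Message.NegotiateServiceCredential = false;  // client must already hold our cert
        host.AddServiceEndpoint(typeof(IOrderService), secure, "http://orders.example.com/orders/secure");

        // Our certificate lets clients encrypt to us and verify our signatures.
        host.Credentials.ServiceCertificate.Certificate = serviceCert;
        // Accept only client certificates that chain to a CA we trust, with revocation checked.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        return host;
    }
}

public static class SecureClientFactory
{
    public static ChannelFactory<IOrderService> Create(X509Certificate2 clientCert, X509Certificate2 serviceCert)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = false;
        // Plain http:// address plus a DNS identity that must match the service certificate's subject.
        var address = new EndpointAddress(new Uri("http://orders.example.com/orders/secure"),
            EndpointIdentity.CreateDnsIdentity("orders.example.com"));
        var factory = new ChannelFactory<IOrderService>(binding, address);
        factory.Credentials.ClientCertificate.Certificate = clientCert;           // signs and authenticates us
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;  // pre-shared, encrypts to them
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        return factory;
    }
}
```

The client credential type is Certificate on the encrypted endpoint because that is what the client-certificate model in the WS-Security answers assumes; WSHttpBinding also accepts UserName or Windows credentials in Message mode if client certificates are not an option.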
I'm creating a simple web service using WCF. The message needs to be encrypted and the user needs to be authenticated through an ASP.NET provider.
What binding should I use for this? WsHttpBinding or WebHttpBinding?
Can anybody point me to a good example using the ASP.NET provider and self-signed certificates with WCF?
Thanks
You say that the message needs to be encrypted, but don't specify whether you have a specific requirement for message-level encryption or if transport encryption might be enough.
If transport-level encryption is enough, then BasicHttpBinding + SSL would work.
Otherwise, you'd use WSHttpBinding and configure message-level encryption. Of course, the decision might also be tied to the capabilities of any clients you want to consume the service.
You also mention WebHttpBinding, but that's used only for REST-style services. Is your service REST style? If so, then your only option would be SSL and using transport-level authentication, I think.
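For the WSHttpBinding branch of the answer above, here is an added example (not from the question or answer) of message-level encryption with the UserName client credential handed to the ASP.NET membership provider, and a self-signed development certificate pinned on the client. The contract, the localhost address, the store lookup and the certificate subject are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Added example (not from the posts). Hypothetical contract and addresses; the host's
// app.config is assumed to carry <membership> (and optionally <roleManager>) sections.
[ServiceContract] public interface IOrderService { [OperationContract] string Place(string order); }
public class OrderService : IOrderService { public string Place(string order) { return "accepted:" + order; } }

public static class MembershipSecuredHost
{
    public static ServiceHost Build(string certThumbprint)
    {
        var host = new ServiceHost(typeof(OrderService), new Uri("http://localhost:8000/orders"));

        // Message security with a UserName token: the password travels inside an encrypted body,
        // encrypted to the service certificate, so plain http:// does not expose it.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false;  // clients hold the cert out of band
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");

        // Service certificate looked up by thumbprint, so a different cert with the same
        // subject name cannot be dropped into the store and silently picked up.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, certThumbprint);

        // Validate username/password with the configured ASP.NET membership provider, and
        // expose the role provider's roles to [PrincipalPermission] checks in the service.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider;
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        return host;
    }
}

public static class MembershipClient
{
    public static IOrderService Open(string user, string password, X509Certificate2 devServiceCert)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false;
        var factory = new ChannelFactory<IOrderService>(binding,
            new EndpointAddress(new Uri("http://localhost:8000/orders"),
                EndpointIdentity.CreateDnsIdentity("localhost")));   // CN of the self-signed cert
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // A self-signed cert chains to no trusted CA. For development, pin exactly this certificate:
        // PeerTrust accepts it only if it also sits in the client's TrustedPeople store.
        // Do not relax this to X509CertificateValidationMode.None outside a throwaway dev box.
        factory.Credentials.ServiceCertificate.DefaultCertificate = devServiceCert;
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        return factory.CreateChannel();
    }
}
```

On a Windows dev machine the certificate can be produced with PowerShell's New-SelfSignedCertificate -DnsName localhost -CertStoreLocation Cert:\LocalMachine\My, then exported (public part only) into the client's TrustedPeople store; its thumbprint is what Build() receives. For production, replace the self-signed cert with one from a CA both sides trust and move the client to ChainTrust.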