I am using basicHttpBinding, message security and an X509 certificate in my WCF service (.NET Framework 4.0). The config looks like this:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <serviceCertificate findValue="MyWebSite" storeLocation="LocalMachine"
             storeName="My" x509FindType="FindBySubjectName" />
            <userNameAuthentication userNamePasswordValidationMode="Custom"
             customUserNamePasswordValidatorType="CToSave.ValidateClient, CToSave" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>

    <standardEndpoints>
      <webScriptEndpoint>
        <standardEndpoint crossDomainScriptAccessEnabled="True"/>
      </webScriptEndpoint>
    </standardEndpoints>

    <services>
      <service behaviorConfiguration="ServiceBehavior" name="CToSave.MyService">
        <endpoint address="" binding="basicHttpBinding" contract="CToSave.IMyService" bindingConfiguration="BindingConfig"/>
      </service>
    </services>

    <bindings>

      <basicHttpBinding>
        <binding name="BindingConfig" openTimeout="00:50:00" sendTimeout="00:50:00" receiveTimeout="00:50:00" closeTimeout="00:50:00" maxReceivedMessageSize="2147483647">
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </basicHttpBinding>

    </bindings>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>


</configuration>

A PHP client will be consuming this service. In order to consume it, will the client need a certificate at his end? I would prefer that the client doesn't have to generate a certificate.

If the client has to get a certificate, will my config change? If yes, what changes will I have to make?

I have read dozens of articles on basicHttpBinding+security but none of them indicate anything about the certificate on the client side. Please help.

user1550951
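The follow-up under the first answer establishes that basicHttpBinding accepts only Certificate as a message-level client credential, so the configuration that fits the stated requirement (username/password checked by CToSave.ValidateClient, no client certificate) is TransportWithMessageCredential. The following is an added example and not the asker's config or an answer from the page: it puts the posted binding beside the corrected one. Binding, contract, service and validator names are taken from the posted web.config; the timeouts are omitted, and an HTTPS site binding in IIS (which is where the server certificate now lives) is assumed.

```xml
<!-- Added example, not the original poster's web.config. Only the parts that change are
     shown. Names (BindingConfig, CToSave.MyService, CToSave.IMyService,
     CToSave.ValidateClient) come from the question; the HTTPS binding in IIS is assumed. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- BEFORE (as posted): message security on basicHttpBinding can only carry a
           client certificate, so every PHP caller would need its own certificate. -->
      <binding name="BindingConfig_ClientCert">
        <security mode="Message">
          <message clientCredentialType="Certificate"/>
        </security>
      </binding>

      <!-- AFTER: TLS protects the channel (server certificate = the one bound to the HTTPS
           site in IIS); the client proves its identity with a WS-Security UsernameToken
           that is handed to the custom validator. No client certificate is involved. -->
      <binding name="BindingConfig" maxReceivedMessageSize="2147483647">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <!-- metadata only over HTTPS, like the service itself -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
        <!-- keep false in production: true returns stack traces to every caller -->
        <serviceDebug includeExceptionDetailInFaults="false"/>
        <serviceCredentials>
          <!-- serviceCertificate is no longer needed here: it was only used by
               message security, and TLS takes its certificate from IIS -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
            customUserNamePasswordValidatorType="CToSave.ValidateClient, CToSave"/>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <service behaviorConfiguration="ServiceBehavior" name="CToSave.MyService">
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="BindingConfig" contract="CToSave.IMyService"/>
    </service>
  </services>
</system.serviceModel>
```

Two checks before deploying this. First, TransportWithMessageCredential requires the endpoint to be reachable over https; if the reverse proxy terminates TLS and forwards plain HTTP to IIS, WCF will refuse to start the endpoint, and even if it did, the username and password would cross the proxy-to-IIS hop in clear text. Terminate TLS at IIS or re-encrypt that hop. Second, plain `mode="Transport"` with `<transport clientCredentialType="Basic"/>` is the other option for username/password, but under IIS hosting that credential is checked by IIS's own Basic authentication against Windows accounts, so the custom validator would not run.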

2 Answers


Yes, the client needs a certificate because of this:

<security mode="Message">
    <message clientCredentialType="Certificate"/>
</security>

In general the client does not generate its own certificate but gets it from an agreed provider (can be a cert authority in the organization, a public authority or the service owner).

In any case you need a good WS-Security library for PHP since you need to generate the message format WCF expects (this is message-level security).

Yaron Naveh
  • Can you please elaborate **"In general the client does not generate its own certificate but gets it from an agreed provider (can be a cert authority in the organization, a public authority or the service owner)."**? What `clientCredentialType` should I use so that the client does not require a certificate? – user1550951 Aug 28 '13 at 08:23
  • It depends how you want to authenticate the client to the server. Can be None, UserName... depends on your needs – Yaron Naveh Aug 28 '13 at 09:05
  • The service will authenticate the client via the username and password sent by the client. I am overriding the `Validate` function in `System.IdentityModel.Selectors.UserNamePasswordValidator` in the service to authenticate the client against username and password. In that case, which `clientCredentialType` should I use? – user1550951 Aug 28 '13 at 14:22
  • clientCredentialType=UserName – Yaron Naveh Aug 28 '13 at 14:44
  • Okay, so I changed the `clientCredentialType` to `UserName`. It throws error: "BasicHttp binding requires that BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select Transport or TransportWithMessageCredential security for UserName credentials." If I use `transport` security, will I still be able to use a reverse proxy on this service hosted in IIS? – user1550951 Aug 28 '13 at 14:53
  • I believe the proxy will need to offload SSL and send plain HTTP to IIS, like some XML gateways. Have not done it myself. Anyway the error is surprising, basic http should allow you to configure whatever security you want (this is what this setting is for) unless there is some additional layer you have configured to prevent it somehow. – Yaron Naveh Aug 28 '13 at 17:39
  • I have changed the config to: ` ` The service sits behind a reverse proxy. Is the service still secure? – user1550951 Aug 29 '13 at 14:36
  • This is a question for your IT. This means the connection between the reverse proxy and WCF is not secured. Your IT needs to decide if this is OK in your network configuration. – Yaron Naveh Aug 29 '13 at 14:59
  • Okay, I have to use basichttp + security=message + certificate on the service. I do not want a certificate on the client; it will authenticate itself with username+password. What should my web.config look like? I'm getting confused with the WCF security! – user1550951 Aug 29 '13 at 15:17
  • clientCredentialType should be "UserName". Now security mode should be either "Message" or "Transport" depending on what you need. – Yaron Naveh Aug 29 '13 at 15:39
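The "message format WCF expects" from this answer, as an added example that is not part of the original thread: the SOAP request a PHP client has to send once the service is configured with clientCredentialType="UserName" under TransportWithMessageCredential. WCF expects the WS-Security header to carry a wsu:Timestamp and a wsse:UsernameToken whose password is PasswordText; the whole request travels over HTTPS and nothing in the header is signed or encrypted. The service path /MyService.svc, the operation Save in the default http://tempuri.org/ contract namespace, the host name, the timestamps and the credentials are assumptions for illustration.

```xml
<!-- Added example, not from the original thread. Assumed: host, /MyService.svc,
     operation Save under http://tempuri.org/, the timestamps and the credentials. -->
POST /MyService.svc HTTP/1.1
Host: service.example.com
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IMyService/Save"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <!-- mustUnderstand="1" marks the header as one the receiver must process -->
    <wsse:Security s:mustUnderstand="1">
      <!-- Timestamp: WCF rejects the message if it is expired or too far
           from the server clock (5 minutes by default), so build it per request -->
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2013-08-29T14:36:00.000Z</wsu:Created>
        <wsu:Expires>2013-08-29T14:41:00.000Z</wsu:Expires>
      </wsu:Timestamp>
      <!-- UsernameToken: this is what reaches CToSave.ValidateClient.Validate(user, pass) -->
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>phpclient</wsse:Username>
        <!-- PasswordText only: WCF does not accept PasswordDigest for this binding -->
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">s3cret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <Save xmlns="http://tempuri.org/">
      <data>hello</data>
    </Save>
  </s:Body>
</s:Envelope>
```

Because the password is sent as PasswordText, TLS is its only protection: the endpoint must never be reachable over plain http, and if a reverse proxy sits in front of IIS the proxy-to-IIS hop needs TLS as well, otherwise every credential is readable on that segment. In PHP, `SoapClient` over an https URL can carry this header as a `SoapHeader` built from a `SoapVar` of the `<wsse:Security>` element; generate `Created`/`Expires` with `gmdate` on every call rather than reusing a stored header, since a stale Timestamp is rejected by WCF.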

Actually it is possible to validate a certificate by identity on the client.

vitaliy zadorozhnyy