
11/10/2011

WCF - Implementing Transport Security using SSL


Security: Security ensures that information does not fall into the wrong hands while it travels from the sender to the receiver. It also ensures that the receiver gets exactly the information that the sender sent, without any data tampering.

There are two types of security provisions in WCF.
1. Transport Level
2. Message Level

Transport level security happens at the channel level. It is the easiest to implement because it happens at the communication level. WCF uses transport protocols like TCP, HTTP, MSMQ etc., and each of these protocols has its own security mechanism. One of the common implementations of transport level security is HTTPS, which is HTTP with SSL providing the security mechanism. No code change is required; it is more a matter of using the existing security mechanism provided by the protocol.

Message level security is implemented in the message data itself, so it is independent of the protocol. One of the common ways of implementing message level security is encrypting the data using a standard encryption algorithm.
In this post we will see how to implement transport security over the HTTP protocol using SSL certificates.



Step 1: Create a regular WCF service with a very minimal code.
using System;
using System.Runtime.Serialization;
using System.ServiceModel;

namespace WCFSSLSecureService
{
    // Service contract and data contract as generated by the WCF Service Application template.
    [ServiceContract]
    public interface IService1
    {
        [OperationContract]
        string GetData(int value);
        [OperationContract]
        CompositeType GetDataUsingDataContract(CompositeType composite);
    }

    [DataContract]
    public class CompositeType
    {
        [DataMember] public bool BoolValue { get; set; }
        [DataMember] public string StringValue { get; set; }
    }

    // NOTE: You can use the "Rename" command on the "Refactor" menu to change the class name "Service1" in code, svc and config file together.
    public class Service1 : IService1
    {
        public string GetData(int value)
        {
            return string.Format("You entered: {0}", value);
        }
        public CompositeType GetDataUsingDataContract(CompositeType composite)
        {
            if (composite.BoolValue)
            {
                composite.StringValue += "Suffix";
            }
            return composite;
        }
    }
}
You can use the straightforward scaffold-generated code (the code generated at the time of creation of the project).

Coming to the configuration part, we need to take care of three things.

Step 2: Binding - Make sure that you use a transport protocol which provides transport security. In this example I am using WSHttpBinding. In the binding configuration, make sure that the security mode is set to Transport.
<bindings>
  <wsHttpBinding>
    <binding name="TransportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
Step 3: Service Behavior - Since we are dealing with the https protocol, we need to configure the same in the service behavior. Change httpGetEnabled to httpsGetEnabled.
<behaviors>
  <serviceBehaviors>
    <behavior name="WCFSSLSecureService.Service1Behavior">
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpsGetEnabled="true"/>
      <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
Step 4: Define the endpoints to support the secure communication. In this scenario I am defining one MEX endpoint for metadata exchange and one wsHttp endpoint whose address starts with "https". Make sure that the service references both the binding configuration and the service behavior defined in the earlier steps.
<services>
  <service name="WCFSSLSecureService.Service1" behaviorConfiguration="WCFSSLSecureService.Service1Behavior">
    <!-- Service Endpoints -->
    <endpoint address="https://localhost/WCFSSLSecureService/Service1.svc" binding="wsHttpBinding" bindingConfiguration="TransportSecurity" contract="WCFSSLSecureService.IService1"/>
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
  </service>
</services>
Step 6 : Now, move to the properties of the project and change the hosting environment to IIS. The reason is that the SSL (secure) mode of communication can be done only through IIS.

Step 7: We are done with the configuration on the application side. Let's move to IIS.
Create a self-signed certificate (a dummy certificate) for development purposes.
Open IIS ---> click on the server name ---> click on Server Certificates in the right-hand pane.

Step 8 : Click on Create Self-Signed Certificate and give it any dummy name.
Step 9 : Now that the certificate is created, it's time to assign the certificate to a site. Keep one thing in mind:
"You can associate an SSL certificate with a Web Site, not a Web Application"
The reason is that a web site can have multiple web applications/virtual directories, and you cannot have multiple certificates associated with a single website. So IIS lets you assign the SSL certificate at the website level.
So, create a web site.
Step 10 : Once the website is created, add the web application that we created to that web site.

Step 11 : Select the web site and click on SSL Settings in the right-hand pane.

Step 12: You will see a screen prompting for the SSL settings of that specific web application.
Check the "Require SSL" box. Before closing, observe the three radio buttons under Client certificates. We will see the significance of those options in the next steps.
For the time being, select Ignore for the Client certificates option.

Output:
Hit the service with the http protocol and you will get an error.
Now hit the URL with "https"; it may ask for confirmation to continue, and once you have confirmed you can access the service.

Step 13 : Now, let's talk about those three options and how security is provided by everything we have done above. Go to the SSL settings of the application and change the "Client certificates" option from Ignore to Required.
Hit the URL now, and you will get a 403.7 forbidden error.

I will give this certificate to the people to whom I expose this service, and only by using that certificate can IE or a client application access my service.
We will see message level security in upcoming posts.
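As an added example that is not part of the original post, here is a .NET client that calls the Step 4 endpoint over transport security and presents the client certificate that the Required option from Step 13 demands. The thumbprint placeholder and the reduced client-side copy of IService1 are assumptions; the service-side <transport clientCredentialType="..."/> must be changed from None to Certificate to match, otherwise WCF reports that its SSL settings do not match those of IIS.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Client-side copy of the service contract, reduced to GetData for this example.
// Name and namespace must match the service's contract.
[ServiceContract]
public interface IService1
{
    [OperationContract]
    string GetData(int value);
}

public static class SecureClient
{
    // requireClientCert = true corresponds to IIS "Client certificates: Required" (Step 13).
    // The value chosen here must match <transport clientCredentialType="..."/> on the service,
    // otherwise WCF refuses to start because the IIS and WCF SSL settings differ.
    public static WSHttpBinding BuildBinding(bool requireClientCert)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);   // HTTPS, as in Step 2
        binding.Security.Transport.ClientCredentialType = requireClientCert
            ? HttpClientCredentialType.Certificate
            : HttpClientCredentialType.None;
        return binding;
    }

    public static string CallGetData(string thumbprint)
    {
        var address = new EndpointAddress("https://localhost/WCFSSLSecureService/Service1.svc");
        var factory = new ChannelFactory<IService1>(BuildBinding(requireClientCert: true), address);

        // Present the client certificate the service owner issued to this caller.
        // "<CLIENT-CERT-THUMBPRINT>" is a placeholder for the real thumbprint in the user's store.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumbprint);

        IService1 channel = factory.CreateChannel();
        try
        {
            string result = channel.GetData(42);
            ((ICommunicationObject)channel).Close();
            return result;
        }
        catch (CommunicationException)
        {
            // Without an acceptable client certificate IIS answers 403.7; WCF surfaces it
            // as a CommunicationException (typically MessageSecurityException).
            ((ICommunicationObject)channel).Abort();
            throw;
        }
    }
}
```

With the self-signed certificate from Step 8, this client will reject the server certificate unless that certificate is also in the Trusted Root Certification Authorities store; unlike the browser in Step 12, a WCF client does not prompt to continue.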
Is it helpful for you? Kindly let me know your comments / questions.

7 comments:

  1. Hi,

    Pratap, thank you for your postings. I read your blog postings every time; these are very informative.

  2. Very good, I found your post on Google :)

  3. Good presentation. Thank you for your service. - Babu

  4. Excellent presentation. Very useful.

  5. Could you please describe giving certificates to people?