.NET     Console.WriteLine( "All Things .NET" );
.NET Nerd Blog Home
6.09.2005

Intro to WSE 2.0 (x.509 certificates)
Since I'll be doing WSE 2.0 with certificates in web services at work, this is where I have to start.

Overview of WSE 2.0 by Aaron Skonnard.

The best walkthrough I found was this Hands-On Lab from TechEd 2004. It walks you through code-centric WSE features that allow you to provide UsernameToken for authorization, as well as sign and encrypt the SOAP body.

Where the above Hands-On Lab falls short is in showing how to create your own test certs like the ones shipped with the samples (you need .CER and .PFX files to import the certificates into the various "stores" on the client and server machines).

Another walkthrough (from Windows IT Library), not quite as thorough as the hands-on lab above, but still a good overview of the process.

So here are some pointers to more about .CER and .PFX files:

Here's a google groups thread with overview info about .CER and .PFX certificates and their relationships to each other.

And another guy here is trying to understand the relationships between .CER, .PFX and .PVK files. How do you get a .PFX file like the ones in the WSE samples?

MSDN article about portable protected keys in .NET (specifically talking about .PFX files, etc) [has some decent links in the references section at the bottom]

Whew!! Finally dug up this article that shows how to get a .PFX file from a .CER certificate generated by MAKECERT for testing.

In case the article is gone someday, you need the PVK Import tool (I saved the exe install here too).

Then, here are the commands to run:

  1. makecert -r -n "CN=CodeProject" -b 12/20/2004 -e 01/01/2099 -eku 4.1.2.1.6.6.7.3.7 -sv CodeProject.pvk CodeProject.cer
  2. cert2spc CodeProject.cer CodeProject.spc
  3. pvkimprt -pfx CodeProject.spc CodeProject.pvk


Some say the MAKECERT tool from VS.NET is buggy. Apparently the one from the Platform SDK is the best to use. Download the Platform SDK here.

Found this article (Call a Web Service Using Client Certificates) on MSDN after the fact, that tells about the WinHttpCertCfg.exe tool that you can use to install a cert from .PFX file.
(tool is available here)

Now that I'm trying this outside of the HOL sample, I'm running into some differences. Here's a google groups discussion about which stores to put the certs in; it differs from what the samples do.

Deployment
Some things to remember when deploying the web service to the production server.
  1. Change the endpoint URL in the web service policyCache.config file. You probably have http://localhost/... in there from development
  2. Turns out you do NOT have to have the client's public key certificate on the web service machine if you are only signing. MS doc here (managing X.509 certificates) tells that the public key is included in the SOAP message.
  3. If you have to change the certificate referred to in the policyCache.config file, either re-run the WSE Configuration Editor and point to the config file, or edit the file manually, copying in the correct Subject name and Windows Key Identifier values from WSE X509 Certificate Tool.
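Before re-pointing policyCache.config at a new certificate (step 3 above), it is worth checking that the .PFX produced by the makecert / cert2spc / pvkimprt steps really carries the private key that belongs to the .CER, and reading off the Subject name and Key Identifier yourself instead of retyping them from the WSE X509 Certificate Tool. The following is an added example of mine, not code from this post, from the WSE samples or from Microsoft; it assumes the .NET 2.0 (or later) X509Certificate2 API, and it assumes that the tool's Base64 Key Identifier is the certificate's SubjectKeyIdentifier extension. File names and the PFX password are hypothetical command-line arguments.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: verify that a .PFX matches its .CER and print the values
// that policyCache.config needs (Subject name, Base64 Key Identifier).
class CertCheck
{
    // Returns the Base64-encoded SubjectKeyIdentifier extension value, or null
    // when the certificate carries no such extension (makecert does not add one
    // by default, in which case WSE cannot reference the cert by Key Identifier).
    public static string GetKeyIdentifier(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509SubjectKeyIdentifierExtension ski = ext as X509SubjectKeyIdentifierExtension;
            if (ski != null)
            {
                // The API exposes the identifier as a hex string; WSE shows it Base64 encoded.
                return Convert.ToBase64String(HexToBytes(ski.SubjectKeyIdentifier));
            }
        }
        return null;
    }

    static byte[] HexToBytes(string hex)
    {
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }

    // True when the PFX contains a private key and is the same certificate
    // (same SHA-1 thumbprint) as the public .CER file.
    public static bool PfxMatchesCer(X509Certificate2 pub, X509Certificate2 priv)
    {
        return priv.HasPrivateKey && priv.Thumbprint == pub.Thumbprint;
    }

    static void Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: CertCheck <file.cer> <file.pfx> [pfxPassword]");
            return;
        }

        // Hypothetical inputs: the .CER from makecert and the .PFX from pvkimprt.
        X509Certificate2 pub = new X509Certificate2(args[0]);
        string password = args.Length > 2 ? args[2] : "";
        X509Certificate2 priv = new X509Certificate2(args[1], password, X509KeyStorageFlags.Exportable);

        Console.WriteLine("Subject:             " + pub.Subject);
        Console.WriteLine("Thumbprint:          " + pub.Thumbprint);
        Console.WriteLine("Key Identifier:      " + (GetKeyIdentifier(pub) ?? "(no SubjectKeyIdentifier extension)"));
        Console.WriteLine("Valid:               " + pub.NotBefore + " to " + pub.NotAfter);
        Console.WriteLine("PFX has private key: " + priv.HasPrivateKey);
        Console.WriteLine("PFX matches CER:     " + PfxMatchesCer(pub, priv));
    }
}
```

If "PFX matches CER" comes back false, the .PVK that was fed to pvkimprt was not the one makecert wrote alongside that .CER, and signing with it will fail verification on the service side even though the policy file looks right.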

Here's another walkthrough of using WSE for X.509 certificates authentication and digital signature. (Looks like the code is more based on WSE 1.0 so the namespaces and classes have changed)

specific info from the walkthrough above...

Create test certificates with MAKECERT

makecert.exe and certmgr.exe are found in the Visual Studio .NET SDK directories.
(Note: only certificates from the .NET 1.1 makecert can be used with WSE.)

More links of things to think about and look into (mostly taken from WSE home page on MSDN):

Securing the username token in WSE 2.0. Common attacks and vulnerabilities to be aware of.

Role based security with WSE 2.0. Some introductory info on getting started.

MSDN TV video around the launch of WSE 2.0

