How to configure a WCF service to only accept a single client identified by an x509 certificate

Question

I have a WCF client/service app that relies on secure communication between two machines and I want to use x509 certificates installed in the certificate store to identify the server and client to each other. I do this by configuring the binding as <security authenticationMode="MutualCertificate"/>. There is only one client machine.

The server has a certificate issued to server.mydomain.com installed in the Local Computer/Personal store and the client has a certificate issued to client.mydomain.com installed in the same place. In addition to this the server has the client's public certificate in Local Computer/Trusted People and the client has the server's public certificate in Local Computer/Trusted People.

Finally the client has been configured to check the server's certificate. I did this using the system.servicemodel/behaviors/endpointBehaviors/clientCredentials/serviceCertificate/defaultCertificate element in the config file.

So far so good, this all works. My problem is that I want to specify in the server's config file that only clients that identify themselves with the client.mydomain.com certificate from the Trusted People certificate store are allowed to connect.

The correct information is available on the server using the ServiceSecurityContext, but I am looking for a way to specify in app.config that WCF should do this check instead of my having to check the security context from code.

Is that possible? Any hints would be appreciated.

By the way, my server's config file looks like this so far:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <services>
      <service name="MyServer.Server" behaviorConfiguration="CertificateBehavior">
        <endpoint contract="Contracts.IMyService" binding="customBinding" bindingConfiguration="SecureConfig">
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost/SecureWcf"/>
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CertificateBehavior">
          <serviceCredentials>
            <serviceCertificate storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="server.mydomain.com"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <binding name="SecureConfig">
          <security authenticationMode="MutualCertificate"/>
          <httpTransport/>
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>

Recommended answer

There doesn't appear to be a way to do what I want using web.config.

I ended up adding a behavior with this tag:

<clientCertificate>
  <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" revocationMode="NoCheck"/>
</clientCertificate>

And then add the client's certificate to the "trusted people" certificate store of the user that the server runs as.
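A caveat worth knowing about the accepted approach: PeerTrust accepts any certificate that is present in the Trusted People store, so "only one client" holds only as long as that store contains exactly one certificate, and revocationMode="NoCheck" also switches revocation checking off. The code below is an added example (not from the question or answer) of the other route the asker mentions, doing the check in code: a WCF custom X509CertificateValidator that pins the single permitted client certificate by thumbprint. The thumbprint value, the namespace MyServer.Security and the assembly name MyServer are placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Wire it in on the server under <serviceCredentials>, in place of the PeerTrust setting:
//   <clientCertificate>
//     <authentication certificateValidationMode="Custom"
//                     customCertificateValidatorType="MyServer.Security.SingleClientCertificateValidator, MyServer" />
//   </clientCertificate>
// With Custom mode the Trusted People store is no longer consulted; this class decides alone.
namespace MyServer.Security
{
    // Accepts exactly one client certificate, identified by its SHA-1 thumbprint.
    // Unlike PeerTrust, adding another certificate to a store does not widen the set of accepted clients.
    public sealed class SingleClientCertificateValidator : X509CertificateValidator
    {
        // Placeholder: replace with the thumbprint of the client.mydomain.com certificate
        // (hex, no spaces, as shown by certmgr or X509Certificate2.Thumbprint).
        private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";
        private const string ExpectedDnsName = "client.mydomain.com";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Pinning alone says nothing about validity dates, so check them explicitly.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException(
                    "Client certificate is outside its validity period.");

            // The thumbprint is the actual pin; the name check makes rejections readable in logs.
            bool thumbprintMatches = string.Equals(
                certificate.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
            string presentedName = certificate.GetNameInfo(X509NameType.DnsName, false);
            bool nameMatches = string.Equals(
                presentedName, ExpectedDnsName, StringComparison.OrdinalIgnoreCase);

            if (!thumbprintMatches || !nameMatches)
                throw new SecurityTokenValidationException(
                    "Client certificate is not the single permitted client: " + certificate.Subject);
        }
    }
}
```

When the pinned certificate is renewed the thumbprint changes, so the constant (or a setting it is read from) must be updated at the same time as the Trusted People store would have been.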
