WCF DataService over Https


Problem description

I am developing a WCF DataService that's self-hosted inside a Windows Console Application. I want to activate my service over Https (i.e. SSL) instead of Http. How can I do that?

Thanks

Recommended answer

First, create a CA certificate on Windows (use the Visual Studio Command Prompt):

makecert -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=Dev Certification Authority" -ss my -sr localmachine

Now put the certificate in the "Trusted Root Certification Authority" store in the Windows key store. That can be done through MMC. To do that: Run... -> type "mmc" -> Enter -> choose the "Certificates" console -> find your created certificate in the Personal store and move it to the Trusted Certificate Authority store.

Now we create an exchange certificate signed by the CA certificate:

makecert -iv SignRoot.pvk -ic signroot.cer -cy end -pe -n "CN=localhost" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

NOTE: The EKU OID is for Server Authentication.
NOTE: The CN (Common Name) should be identical to the name by which the service will be called.

Now we add an Https endpoint to the data service. That can be done either:
1- Through the web.config file of the service, in which we'll have to enter a service endpoint:

<endpoint address="https://localhost:8888/" binding="basicHttpsBinding" contract="System.Data.Services.IRequestHandler"></endpoint>

2- Or by adding an endpoint programmatically using the "AddServiceEndpoint" method of the DataServiceHost object:

    host.AddServiceEndpoint(
        new ServiceEndpoint(ContractDescription.GetContract(typeof(TestODataService.DemoDataService)))
        {
            Address = new EndpointAddress("https://localhost:8888/"),
            Binding = new WebHttpBinding(WebHttpSecurityMode.Transport),
            Contract = ContractDescription.GetContract(typeof(IRequestHandler)),
        }
    );

NOTE: The binding in the second method is necessarily a WebHttpBinding with Transport security. In the web.config method, it can be either basicHttpsBinding or a webBinding with a bindingConfiguration that enables transport security.

Now we bind the exchange certificate to the port of the service. In order for the WCF web server to respond to clients with the exchange certificate, we need to bind the certificate to the address of the service, using the netsh command:

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

NOTE: The certhash is the thumbprint of the exchange certificate, and the appid is the GUID of the hosting application, found in the AssemblyInfo.cs of the project. The ip 0.0.0.0 binds to all ip addresses, and the port is the port of the service. This command only needs to be run once for each address.

NOTE: Some mobile devices may not be able to verify the identity of the service when it is called using the ip address of the service, even if the exchange certificate has the CN set to the ip address of the service. In this case the CN of the certificate should be a domain name.

NOTE: In order for the mobile device to trust the exchange certificate of the service, the CA certificate should be installed on the mobile device in the Trusted CA Certificate store.

NOTE: Some browsers (e.g. Chrome) will object that the certificate is issued for localhost, which is a name only used in your local network. This will not occur if you set the CN to a domain name.

Reference: http://www.codeproject.com/Articles/24027/SSL-with-Self-hosted-WCF-Service
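A complete self-host program that wires the programmatic endpoint from the answer into a minimal DataService and, before opening the host, checks that the certificate bound to the port is usable for TLS server authentication (private key present, Server Authentication EKU, name matching the host clients will call). This is an added example, not code from the answer or from the linked article; Product, DemoContext, DemoDataService, CheckServerCertificate and the thumbprint placeholder are assumptions, and it assumes the netsh sslcert binding for port 8888 has already been made as described above.

```csharp
using System;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;

[DataServiceKey("Id")] public class Product { public int Id { get; set; } public string Name { get; set; } }
public class DemoContext // constructed sample data so the service has one entity set to expose
{
    public IQueryable<Product> Products => new[] { new Product { Id = 1, Name = "Widget" } }.AsQueryable();
}
public class DemoDataService : DataService<DemoContext>
{
    public static void InitializeService(DataServiceConfiguration config) =>
        config.SetEntitySetAccessRule("Products", EntitySetRights.AllRead); // read-only surface
}
class Program
{
    const string ServiceUrl = "https://localhost:8888/";               // must equal the netsh ipport binding
    const string Thumbprint = "REPLACE-WITH-EXCHANGE-CERT-THUMBPRINT"; // placeholder, not a real hash
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";                  // EKU set by the answer's makecert call
    static void CheckServerCertificate(string thumbprint, string expectedHost) // fail fast before the host opens
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly);
        var cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).OfType<X509Certificate2>().FirstOrDefault();
        store.Close();
        if (cert == null) throw new InvalidOperationException("Exchange certificate not found in LocalMachine\\My");
        if (!cert.HasPrivateKey) throw new InvalidOperationException("Certificate has no private key (-pe missing?)");
        bool serverAuth = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .Any(e => e.EnhancedKeyUsages.OfType<Oid>().Any(o => o.Value == ServerAuthOid));
        if (!serverAuth) throw new InvalidOperationException("Certificate lacks the Server Authentication EKU");
        if (!expectedHost.Equals(cert.GetNameInfo(X509NameType.DnsName, false), StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Certificate name does not match the host clients will call");
    }
    static void Main()
    {
        CheckServerCertificate(Thumbprint, new Uri(ServiceUrl).Host);
        using (var host = new DataServiceHost(typeof(DemoDataService), new Uri[0]))
        {
            host.AddServiceEndpoint(new ServiceEndpoint(ContractDescription.GetContract(typeof(IRequestHandler)),
                new WebHttpBinding(WebHttpSecurityMode.Transport), new EndpointAddress(ServiceUrl)));
            host.Open();
            Console.WriteLine("Listening on " + ServiceUrl + " (press Enter to stop)"); Console.ReadLine();
        }
    }
}
```

Run it from an elevated console (the HTTP.sys URL reservation and the sslcert binding both require it); a browser request to https://localhost:8888/Products should then return the OData feed over TLS.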
