使用https访问WCF服务 [英] Accessing WCF service using https

查看:106
本文介绍了使用https访问WCF服务的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在局域网上的两台不同的开发机器上创建了一个自托管的WCF服务和客户端,并使用basicHttpBinding来测试连接和功能。测试成功。



我的目标是使用带有TransportWithMessageCredential安全性的wsHttpBinding和clientCredentialType证书。



因此我为该服务创建了以下app.config文件:



 < ?  xml     version  < span class =code-keyword> =  1.0  >  
< 配置 >
< system.serviceModel >
< behavior >
< serviceBehaviors >
< 行为 名称 = ServiceBehavior >
< serviceMetadata httpGetEnabled = false httpsGetEnabled = true / >
< serviceDebug includeExceptionDetailInFaults = true / >
< serviceCredentials >
< clientCertificate >
< 身份验证 certificateValidationMode = PeerTrust / >
< / clientCertificate >
< serviceCertificate findValue = WCFServer

< span class =code-attribute> < span class =code-attribute> storeLocation = LocalMachine

< span class =code-attribute> storeName = 我的

x509FindType = FindBySubjectName / >
< / serviceCredentials >
< / behavior >
< / serviceBehaviors >
< / behavior >
< bindings >
< wsHttpBinding >
< binding name = wsHttpEndpointBinding >
< security mode = TransportWithMessageCredential >
< message clientCredentialType = 证书 / >
< span class =code-keyword>< / security >
< / binding >
< / wsHttpBinding >
< / bindings >
< 服务 >
< service name = WCFServiceHost.Operations behaviorConfiguration = ServiceBehavior >
< endpoint name = wsHttpEndpoint 地址 = binding = wsHttpBinding bindingConfiguration = wsHttpEndpointBinding 合同 = WCFServiceHost.IOperations >
< / endpoint >
< 端点 名称 = mexHttpEndpoint 地址 = mex binding = mexHttpsBinding 合同 = IMetadataExchange >
< / endpoint >
< 主持人 >
< baseAddresses >
< add baseAddress = https://10.0.0.103:8003/WCFServiceHost/Operations/ / >
< / baseAddresses >
< / host >
< / service >
< / services >
< / system.serviceModel >
< 启动 >
< supportedRuntime version = v4.0 sku = 。NETFramework,Version = v4.0 / >
< / startup >
< / configuration >





我在服务器上创建了2个证书(WCFServer和WCFClient),按照

... codeproject.com/Articles/36683/9-simple-steps -to-enable-x-509-certificates-on-wcf

并在服务器计算机上导出WCFClient证书,并将其导入客户端计算机。



我还使用netsh在服务器计算机上添加了ssl证书绑定。



我能够使用Service创建ServiceHost实例,修改后的app.config。



我为客户创建了以下app.config:



< pre lang =xml> <? xml 版本 = 1.0 编码 = utf-8 >
< configuration < span class =code-keyword>>
< system.serviceModel >
< behavior >
< endpointBehaviors >
< 行为 名称 = EndpointBehavior < span class =code-keyword>>
< clientCredentials >
< clientCertificate storeLocation = LocalMachine

< span class =code-attribute> storeName = 我的

x509FindType = FindBySubjectName

findValue = WCFClient / >
< serviceCertificate >
< 认证 certificateValidationMode = < span class =code-keyword> PeerTrust / >
< / serviceCertificate >
< / clientCredentials >
< / behavior >
< / endpointBehaviors <跨度class =code-keyword>>
< / behavior >
< bindings >
< wsHttpBinding >
< binding name = wsHttpEndpoint closeTimeout = 00:01:00 openTimeout = 00:01:00

receiveTimeout = 00:10:00 sendTimeout = 00:01:00 bypassProxyOnLocal = false

< span class =code-attribute> transactionFlow = false hostNameComparisonMode = StrongWildcard

< span class =code-attribute> maxBufferPoolSize = 524288 maxReceivedMessageSize = 65536

messageEncoding = 文字 textEncoding = utf-8 useDefaultWebProxy = true

allowCookies = false >
< readerQuotas maxDepth = 32 < span class =code-attribute> maxStringContentLength = 8192 maxArrayLength = 16384

maxBytesPerRead < span class =code-keyword> = 4096 maxNameTableCharCount = 16384 / >
< reliableSession ordered = true inactivityTimeout = 00:10:00

已启用 = false / >
< 安全性 mode = TransportWithMessageCredential >
< transport clientCredentialType = proxyCredentialType =

realm = \" />
<message clientCredentialType=\"Certificate\" negotiateServiceCredential=\"true\"

algorithmSuite=\"Default\" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address=\"https://10.0.0.103:8003/WCFServiceHost/Operations/\"

binding=\"wsHttpBinding\" bindingConfiguration=\"wsHttpEndpoint\"

contract=\"WCFService.IOperations\" name=\"wsHttpEndpoint\">
<identity>
<dns value=\"WCFServer\" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>





I then updated the Service Reference.

The update procedure issued a Security Alert, which is most likely related to the subsequent issue described below, and which I have not been able to resolve.



I ignored the Security Alert and continued. The Service Reference was updated.



I then executed the client, and received this error:\t

\t

\"The client certificate is not provided. Specify a client certificate in ClientCredentials.\"



After stepping through code, I noticed on \"client = new WCFService.Client();\" that the value of client.ClientCredentials.ClientCertificate.Certificate = null.



I then added the following in code after \"client = new WCFService.Client();\":



X509Store store = new X509Store(\"My\", StoreLocation.LocalMachine); 
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in collection)
{
\tif (x509.Thumbprint == \"236D7D4AD91234B8F22D3781D61AACB56788E1B5\")
\t{
\t\tclient.ClientCredentials.ClientCertificate.SetCertificate(
\t\t\tx509.SubjectName.Name, store.Location, StoreName.My);
\t}
}





After execution of this code, client.ClientCredentials.ClientCertificate.Certificate contains the certificate.



Upon executing \"client.Open();\" , an exception is thrown with the following contents.



The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

The remote certificate is invalid according to the validation procedure.

Could not establish trust relationship for the SSL/TLS secure channel with authority



If anyone with knowledge of how I may approach resolution of the above issues can assist, I will be most grateful.



Thank you, Ol.

解决方案

Well, it’s a bit late but establishSecurityContext=\"true\" might be the solution.


I created a self-hosted WCF service and client on 2 different development machines on a LAN, and used basicHttpBinding in order to test connectivity and functionality. The tests were successful.

My goal is to use wsHttpBinding with TransportWithMessageCredential security, and clientCredentialType certificate.

I thus created the following app.config file for the service:

<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust"/>
            </clientCertificate>            
            <serviceCertificate findValue="WCFServer" 

                      storeLocation="LocalMachine" 

                      storeName="My" 

                      x509FindType="FindBySubjectName"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
      <binding name="wsHttpEndpointBinding">
        <security mode="TransportWithMessageCredential">
        <message clientCredentialType="Certificate"/>
        </security>
      </binding>
      </wsHttpBinding>
    </bindings>    
    <services>
      <service name="WCFServiceHost.Operations" behaviorConfiguration="ServiceBehavior">
        <endpoint name="wsHttpEndpoint" address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"   contract="WCFServiceHost.IOperations">
        </endpoint>              
        <endpoint name="mexHttpEndpoint" address="mex" binding="mexHttpsBinding" contract="IMetadataExchange">
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="https://10.0.0.103:8003/WCFServiceHost/Operations/"/>
          </baseAddresses>
        </host>
      </service>
    </services>
  </system.serviceModel>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
  </startup>
</configuration>



I created 2 certificates (WCFServer and WCFClient) on the server in accordance with
...codeproject.com/Articles/36683/9-simple-steps-to-enable-x-509-certificates-on-wcf
and exported the WCFClient certificate on the server machine, and imported it on the client machine.

I also added the ssl certificate binding on the server machine using netsh.

I am able to create an instance of the ServiceHost with Service, with the modified app.config.

I created the following app.config for the client:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="EndpointBehavior">
          <clientCredentials>
            <clientCertificate storeLocation="LocalMachine"

                       storeName="My"

                       x509FindType="FindBySubjectName"

                       findValue="WCFClient" />
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>    
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"

            receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"

            transactionFlow="false" hostNameComparisonMode="StrongWildcard"

            maxBufferPoolSize="524288" maxReceivedMessageSize="65536"

            messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"

            allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"

            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"

            enabled="false" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" proxyCredentialType="None"

              realm="" />
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"

              algorithmSuite="Default" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://10.0.0.103:8003/WCFServiceHost/Operations/"

          binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"

          contract="WCFService.IOperations" name="wsHttpEndpoint">
        <identity>
          <dns value="WCFServer" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>



I then updated the Service Reference.
The update procedure issued a Security Alert, which is most likely related to the subsequent issue described below, and which I have not been able to resolve.

I ignored the Security Alert and continued. The Service Reference was updated.

I then executed the client, and received this error:

"The client certificate is not provided. Specify a client certificate in ClientCredentials."

After stepping through code, I noticed on "client = new WCFService.Client();" that the value of client.ClientCredentials.ClientCertificate.Certificate = null.

I then added the following in code after "client = new WCFService.Client();":

X509Store store = new X509Store("My", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in collection)
{
	if (x509.Thumbprint == "236D7D4AD91234B8F22D3781D61AACB56788E1B5")
	{
		client.ClientCredentials.ClientCertificate.SetCertificate(
			x509.SubjectName.Name, store.Location, StoreName.My);
	}
}



After execution of this code, client.ClientCredentials.ClientCertificate.Certificate contains the certificate.

Upon executing "client.Open();" , an exception is thrown with the following contents.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
Could not establish trust relationship for the SSL/TLS secure channel with authority

If anyone with knowledge of how I may approach resolution of the above issues can assist, I will be most grateful.

Thank you, Ol.

解决方案

Well, it's a bit late but establishSecurityContext="true" might be the solution.


这篇关于使用https访问WCF服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆