使用https访问WCF服务 [英] Accessing WCF service using https
问题描述
我在局域网上的两台不同的开发机器上创建了一个自托管的WCF服务和客户端,并使用basicHttpBinding来测试连接和功能。测试成功。
我的目标是使用带有TransportWithMessageCredential安全性的wsHttpBinding和clientCredentialType证书。
因此我为该服务创建了以下app.config文件:
< ? xml version < span class =code-keyword> = 1.0 ? >
< 配置 >
< system.serviceModel >
< behavior >
< serviceBehaviors >
< 行为 名称 = ServiceBehavior >
< serviceMetadata httpGetEnabled = false httpsGetEnabled = true / >
< serviceDebug includeExceptionDetailInFaults = true / >
< serviceCredentials >
< clientCertificate >
< 身份验证 certificateValidationMode = PeerTrust / >
< / clientCertificate >
< serviceCertificate findValue = WCFServer
< span class =code-attribute> < span class =code-attribute> storeLocation = LocalMachine
< span class =code-attribute> storeName = 我的
x509FindType = FindBySubjectName / >
< / serviceCredentials >
< / behavior >
< / serviceBehaviors >
< / behavior >
< bindings >
< wsHttpBinding >
< binding name = wsHttpEndpointBinding >
< security mode = TransportWithMessageCredential >
< message clientCredentialType = 证书 / >
< span class =code-keyword>< / security >
< / binding >
< / wsHttpBinding >
< / bindings >
< 服务 >
< service name = WCFServiceHost.Operations behaviorConfiguration = ServiceBehavior >
< endpoint name = wsHttpEndpoint 地址 = binding = wsHttpBinding bindingConfiguration = wsHttpEndpointBinding 合同 = WCFServiceHost.IOperations >
< / endpoint >
< 端点 名称 = mexHttpEndpoint 地址 = mex binding = mexHttpsBinding 合同 = IMetadataExchange >
< / endpoint >
< 主持人 >
< baseAddresses >
< add baseAddress = https://10.0.0.103:8003/WCFServiceHost/Operations/ / >
< / baseAddresses >
< / host >
< / service >
< / services >
< / system.serviceModel >
< 启动 >
< supportedRuntime version = v4.0 sku = 。NETFramework,Version = v4.0 / >
< / startup >
< / configuration > I created a self-hosted WCF service and client on 2 different development machines on a LAN, and used basicHttpBinding in order to test connectivity and functionality. The tests were successful. 这篇关于使用https访问WCF服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
我在服务器上创建了2个证书(WCFServer和WCFClient),按照
... codeproject.com/Articles/36683/9-simple-steps -to-enable-x-509-certificates-on-wcf
并在服务器计算机上导出WCFClient证书,并将其导入客户端计算机。
我还使用netsh在服务器计算机上添加了ssl证书绑定。
我能够使用Service创建ServiceHost实例,修改后的app.config。
我为客户创建了以下app.config:
< pre lang =xml> <? xml 版本 = 1.0 编码 = utf-8 ? >
< configuration < span class =code-keyword>>
< system.serviceModel >
< behavior >
< endpointBehaviors >
< 行为 名称 = EndpointBehavior < span class =code-keyword>>
< clientCredentials >
< clientCertificate storeLocation = LocalMachine
< span class =code-attribute> storeName = 我的
x509FindType = FindBySubjectName
findValue = WCFClient / >
< serviceCertificate >
< 认证 certificateValidationMode = < span class =code-keyword> PeerTrust / >
< / serviceCertificate >
< / clientCredentials >
< / behavior >
< / endpointBehaviors <跨度class =code-keyword>>
< / behavior >
< bindings >
< wsHttpBinding >
< binding name = wsHttpEndpoint closeTimeout = 00:01:00 openTimeout = 00:01:00
receiveTimeout = 00:10:00 sendTimeout = 00:01:00 bypassProxyOnLocal = false
< span class =code-attribute> transactionFlow = false hostNameComparisonMode = StrongWildcard
< span class =code-attribute> maxBufferPoolSize = 524288 maxReceivedMessageSize = 65536
messageEncoding = 文字 textEncoding = utf-8 useDefaultWebProxy = true
allowCookies = false >
< readerQuotas maxDepth = 32 < span class =code-attribute> maxStringContentLength = 8192 maxArrayLength = 16384
maxBytesPerRead < span class =code-keyword> = 4096 maxNameTableCharCount = 16384 / >
< reliableSession ordered = true inactivityTimeout = 00:10:00
已启用 = false / >
< 安全性 mode = TransportWithMessageCredential >
< transport clientCredentialType = 无 proxyCredentialType = 无
realm = \" />
<message clientCredentialType=\"Certificate\" negotiateServiceCredential=\"true\"
algorithmSuite=\"Default\" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address=\"https://10.0.0.103:8003/WCFServiceHost/Operations/\"
binding=\"wsHttpBinding\" bindingConfiguration=\"wsHttpEndpoint\"
contract=\"WCFService.IOperations\" name=\"wsHttpEndpoint\">
<identity>
<dns value=\"WCFServer\" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
I then updated the Service Reference.
The update procedure issued a Security Alert, which is most likely related to the subsequent issue described below, and which I have not been able to resolve.
I ignored the Security Alert and continued. The Service Reference was updated.
I then executed the client, and received this error:\t
\t
\"The client certificate is not provided. Specify a client certificate in ClientCredentials.\"
After stepping through code, I noticed on \"client = new WCFService.Client();\" that the value of client.ClientCredentials.ClientCertificate.Certificate = null.
I then added the following in code after \"client = new WCFService.Client();\":
X509Store store = new X509Store(\"My\", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in collection)
{
\tif (x509.Thumbprint == \"236D7D4AD91234B8F22D3781D61AACB56788E1B5\")
\t{
\t\tclient.ClientCredentials.ClientCertificate.SetCertificate(
\t\t\tx509.SubjectName.Name, store.Location, StoreName.My);
\t}
}
After execution of this code, client.ClientCredentials.ClientCertificate.Certificate contains the certificate.
Upon executing \"client.Open();\" , an exception is thrown with the following contents.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
Could not establish trust relationship for the SSL/TLS secure channel with authority
If anyone with knowledge of how I may approach resolution of the above issues can assist, I will be most grateful.
Thank you, Ol.Well, it’s a bit late but
establishSecurityContext=\"true\" might be the solution.
My goal is to use wsHttpBinding with TransportWithMessageCredential security, and clientCredentialType certificate.
I thus created the following app.config file for the service:
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate findValue="WCFServer"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCFServiceHost.Operations" behaviorConfiguration="ServiceBehavior">
<endpoint name="wsHttpEndpoint" address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="WCFServiceHost.IOperations">
</endpoint>
<endpoint name="mexHttpEndpoint" address="mex" binding="mexHttpsBinding" contract="IMetadataExchange">
</endpoint>
<host>
<baseAddresses>
<add baseAddress="https://10.0.0.103:8003/WCFServiceHost/Operations/"/>
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
</startup>
</configuration>
I created 2 certificates (WCFServer and WCFClient) on the server in accordance with
...codeproject.com/Articles/36683/9-simple-steps-to-enable-x-509-certificates-on-wcf
and exported the WCFClient certificate on the server machine, and imported it on the client machine.
I also added the ssl certificate binding on the server machine using netsh.
I am able to create an instance of the ServiceHost with Service, with the modified app.config.
I created the following app.config for the client:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="EndpointBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"
findValue="WCFClient" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://10.0.0.103:8003/WCFServiceHost/Operations/"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"
contract="WCFService.IOperations" name="wsHttpEndpoint">
<identity>
<dns value="WCFServer" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
I then updated the Service Reference.
The update procedure issued a Security Alert, which is most likely related to the subsequent issue described below, and which I have not been able to resolve.
I ignored the Security Alert and continued. The Service Reference was updated.
I then executed the client, and received this error:
"The client certificate is not provided. Specify a client certificate in ClientCredentials."
After stepping through code, I noticed on "client = new WCFService.Client();" that the value of client.ClientCredentials.ClientCertificate.Certificate = null.
I then added the following in code after "client = new WCFService.Client();":
X509Store store = new X509Store("My", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
foreach (X509Certificate2 x509 in collection)
{
if (x509.Thumbprint == "236D7D4AD91234B8F22D3781D61AACB56788E1B5")
{
client.ClientCredentials.ClientCertificate.SetCertificate(
x509.SubjectName.Name, store.Location, StoreName.My);
}
}
After execution of this code, client.ClientCredentials.ClientCertificate.Certificate contains the certificate.
Upon executing "client.Open();" , an exception is thrown with the following contents.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
Could not establish trust relationship for the SSL/TLS secure channel with authority
If anyone with knowledge of how I may approach resolution of the above issues can assist, I will be most grateful.
Thank you, Ol.Well, it's a bit late but
establishSecurityContext="true" might be the solution.
