WCF服务和SSL [英] WCF Services and SSL
问题描述
我有一个使用WCF Web服务的WPF客户端应用程序.我们正在尝试将其安装到我们的数据中心,但希望将SSL用于Web服务.我找到了有关如何安装此配置的文章.我的理解是,作为步骤之一,您需要执行makecert.exe和certmgr.exe(如本文所述:http://msdn.microsoft.com/zh-cn/library/ms751516.aspx.
当前,当我执行代码和配置文件时,出现以下错误.这似乎是在告诉我我的代码正确,但是服务器和客户端尚未共享同一证书.我在这里可能会缺少什么吗?
I have a WPF client app that uses WCF web services. We are attempting to install into our Data Center but want to use SSL for the web services. I have found articles on how to install this configuration. My understanding is that you are required, as one of the steps, to execute the makecert.exe and certmgr.exe (as per this article: http://msdn.microsoft.com/en-us/library/ms751516.aspx.
Currently when I execute my code and config file, I get the following error. This appears to be telling me that my code is correct, but that the server and client don''t yet share the same certificate. Is there anything I may be missing here?
{"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."}
[System.ServiceModel.Security.MessageSecurityException]: {"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."}
Data: {System.Collections.ListDictionaryInternal}
HelpLink: null
InnerException: {"An error occurred when verifying security for the message."}
Message: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."
Source: "mscorlib"
StackTrace: "\r\nServer stack trace: \r\n at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)\r\n at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)\r\n at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)\r\n at System.ServiceModel.Channels.ServiceChannelProxy.InvokeEndService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)\r\n at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)\r\n\r\nException rethrown at [0]: \r\n at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)\r\n at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)\r\n at Agilysys.BI.Client.Core.Security.ISecurity.EndLogin(IAsyncResult result)\r\n at Agilysys.BI.Client.Core.Security.SecurityClient.EndLogin(IAsyncResult result) in Z:\\Projects\\BI\\Infrastructure\\Main\\Client\\Core\\Service Refe
rences\\Security\\Reference.cs:line 2586\r\n at Agilysys.BI.Client.Core.Security.SecurityClient.OnEndLogin(IAsyncResult result) in Z:\\Projects\\BI\\Infrastructure\\Main\\Client\\Core\\Service References\\Security\\Reference.cs:line 2594\r\n at System.ServiceModel.ClientBase`1.OnAsyncCallCompleted(IAsyncResult result)"
TargetSite: {Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Messaging.IMessage)}
推荐答案
不清楚的是,您不能在SSL连接上使用私有证书进行身份验证.我记得(我的记忆模糊),部署有两个步骤.首先是为IIS定义,为此您可以使用专用证书(使用makecert).要在测试环境之外进行身份验证,必须使用从证书颁发机构获取的公共证书.部署到生产环境时,您不能拥有自己的权限.
您还会遇到其他一些陷阱.这些文章听起来很容易,但是WCF上的SSL是最困难的部署之一.
What Microsoft does not make clear is that you cannot use private certificates for authentication on an SSL connection. As I recall (my memory is foggy) there are two steps to the deployment. The first is defining to IIS and for that you can use a private certificate (using makecert). For authentication outside of a testing environment you must use a public certificate acquired from a certificate authority. You cannot be your own authority when deploying to a production environment.
There are also a few other gotcha''s you''ll encounter. The articles make it sound easy but SSL on WCF is one of the hardest deployments possible.
我曾与一位同事交谈过,他们提到我不希望这种实现使用客户端证书.因此,我还原了我的代码.我收到的错误是:
I had spoken with a coworker and they mentioned that I would not want client certificate for this implementation. So, I reverted my code. The error I am getting is:
[System.ServiceModel.EndpointNotFoundException]: {"There was no endpoint listening at https://[domain.com]/WebServices/Core/Security.svc/Username that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details."}
Data: {System.Collections.ListDictionaryInternal}
HelpLink: null
InnerException: {"The remote server returned an error: (404) Not Found."}
Message: "There was no endpoint listening at https://[domain.com]/WebServices/Core/Security.svc/Username that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details."
Source: "mscorlib"
当我尝试在wsdl上执行svcutil.exe时,出现上述相同错误.
当我在浏览器中查看https://[domain.com]/WebServices/Core/Security.svc?wsdl而不是wsdl内容时,我得到了执行svcutil.exe的指令,但是出现的链接是http ://[domain.com]/WebServices/Core/Security.svc?wsdl,而不是SSL协议.似乎已重定向到端口80.
When I try to execute the svcutil.exe on the wsdl, I get the same error above.
when I look at the https://[domain.com]/WebServices/Core/Security.svc?wsdl in a browser, instead of the wsdl content, I get instructions to execute the svcutil.exe but the link that appears is http://[domain.com]/WebServices/Core/Security.svc?wsdl, not ssl protocol. It appears there is a redirection to port 80.
没有客户端证书,您将无法为WCF服务使用HTTPS地址.没有证书,您将不得不使用http作为协议.
一种替代方法是设计一种方案,其中客户端计算令牌并将令牌嵌入消息的标头中.然后,编写处理程序以在WCF堆栈中拦截消息,并根据有效令牌的存在接受或拒绝消息.这样会立即杀死所有发送给您的邮件,而邮件头中没有令牌.
You cannot have an HTTPS address for you WCF service without a client certificate. Without the certificate you are bound to http as your protocol.
An alternative approach is to devise a scheme where the client computes a token and embeds the token in the header of the message. Then you write handlers that intercept the message in the WCF stack and accept or deny the message based on the presence of a valid token. This immediately kills all messages sent to you without a token in the header.
这篇关于WCF服务和SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
