Aug 26, 2008

WCF+WSE Using Anonymous Certificate Security


I am not an expert in neither WCF nor WSE, however, recently I have been busy implementing WCF service that could be consumed by WSE client. And the requirement for this was to use Anonymous For Certificate Security protection of messages.
As always I started from Google... However, after spending about 4 to 6 hour I get nothing except examples that was not working.

Therefore, here, I decided to describe the implementation of, both, service and client.

Anonymous for Certificate Security In a Nutshell.
Basically, to protect your messages with certificates you need to do a number of things:

  • first of all, you need to have certificate (*.cer file) and private key for it (*.pfx file)
  • second, you need to install certificate (*.cer file) on a client computer - which will be used to connect to your WCF service into LocalMachine certificate store
  • then, you need to install both certificate (*.cer file) and private key (*.pfx) file on a server where WCF service will be installed into the LocalMachine certificate store
  • lastly, on a server where WCF service will be installed you need to grant an identity, under which WCF will be running, permissions to access your certificates' private key

The way Anonymous for Certificate Security mechanisms work is very simple - the same way as Encryption Algorithms with Open Key works. The certificate (*.cer file) will be used by client as public key to sign and encode his requests to the service and decode response from the service. The service, in it's turn, will be using private key (*.pfx file) to encode / decode messages.

In this way, it will be impossible to give client a fake service, because only service has private key. However, anything can be a client of a service as soon as it encodes and decodes messages using public key (*.cer file).

WCF Service Implementation.

In order to connect WSE and WCF could understand each other they need to talk the same security protocol. Therefore, I set message security version of service binding to "WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10".

Also, made service and client both you MTOM messaging. Message version should be set to "Soap11WSAddressingAugust2004" by the reason explained earlier.

Next things you need to do is to configure your service behaviour, of course. This is very simple to do as well. You need to add tag to your behavior configuration. Then, add element inside it and insert into element empty tag. After that, add element inside element and configure it to use your certificate.

After this is done, you need to configure your service interface to use message contract and create request and response messages for every method on your service interface. Then implement your service. If something was not configured properly your service will not run.

WSE Client Implementation.

First of all, you need to create a proxy for you WCF service. This is very simple to accomplish using wseWsdl3.exe utility that will be installed along with WSE3.0 installation package.

After you did that, you need to create a WSE policy to access WCF service. You can do in configuration file or in code. It does not matter. What you need to do is to configure AnonymousForSecurity assertion and configure your proxy to use certificate you installed as credentials to access WCF service.

Do not forget to configure WSE to use MTOM messaging as well.


There are lots of resources on the web that can give you some food for thought when dealing with peculiarities of this integration including Microsoft Forums and personal blogs. However, I would recommend to check WCF Security Guidance on CodePlex. This is the place where you will find a lot of information about WCF security and How-Tos.

Hope this helps!

1 comment:

Mikalai Kardash said...

I am still do not know how to add attachements and place code to the blog so that it will not look ugly...