Saturday, October 20, 2012

WCF Tutorial - HTTPS setting for WCF application


HTTPS (TLS / SSL) setting for WCF application

This post explains how to implement TLS/SSL (HTTPS) settings in WCF to secure services, assuming that readers have basic knowledge of the WCF components (ABC: address, binding, contract) and of cryptographic terminology (X.509). To implement HTTPS in WCF, a URL needs to be reserved in the URL access control list (urlacl), a certificate is required to set up the SSL port, and finally some settings are needed in the service config and in the hosts file.

Prerequisites:
Makecert.exe - for X.509 certificate creation (comes with Visual Studio by default).
HttpCfg.exe  - for urlacl / SSL settings on XP / Windows Server 2003.
Netsh.exe    - for urlacl / SSL settings on Vista / Windows 7 / x64 OS.

Cryptographic Certificates
Cryptographic or X.509 certificates are digital certificates used for authentication and authorization between the server and the client. X.509 certificates can be self-signed or signed by a certificate authority (CA), whose own certificate is in turn a root certificate. These certificates can be created with a tool called makecert.exe, which comes with Visual Studio by default or can be downloaded. Such certificates are suitable for the development environment; in production they should be replaced with real certificates issued by authorized providers. The commands to create the certificates are given in the steps below.

Https Implementation:

Let's take a look at my WCF service library application.
  • I have a data contract named MyContract with two data members in it, as given below:

using System.Runtime.Serialization;

namespace MyWCFServiceLibrary
{
    // Data contract: the type exchanged between client and service
    [DataContract]
    public class MyContract
    {
        [DataMember]
        public string MyName { get; set; }

        [DataMember]
        public long MyMobileNo { get; set; }
    }
}

  • I have a service contract named MyInterface with two operation contracts in it, as given below:

using System.ServiceModel;

namespace MyWCFServiceLibrary
{
    // Service contract: the operations exposed over the (HTTPS) endpoint
    [ServiceContract]
    public interface MyInterface
    {
        [OperationContract]
        void AddDetail(MyContract data);

        [OperationContract]
        MyContract GetMobileNo(string name);
    }
}

  • And finally I have a service implementation named MyService with implementations for the interface members in it, as given below:

using System.Collections.Generic;
using System.ServiceModel;

namespace MyWCFServiceLibrary
{
    // A single service instance serves all calls; with the default ConcurrencyMode.Single
    // WCF serializes calls, so the in-memory list below is not accessed concurrently.
    [ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
    public class MyService : MyInterface
    {
        private readonly List<MyContract> details = new List<MyContract>();

        public void AddDetail(MyContract data)
        {
            details.Add(data);
        }

        // Returns null when no entry with the given name exists
        public MyContract GetMobileNo(string name)
        {
            return details.Find(x => x.MyName == name);
        }
    }
}

Steps

Step 1: Create the CA certificate using the following command (from the Visual Studio command prompt, Run As Administrator)

cmd:\> makecert -n "CN=MyCACert" -r -sv MyCACert.pvk MyCACert.cer

Step 2: Install the root CA certificate

From the MMC Certificates snap-in (Local Computer), import MyCACert.cer into the "Trusted Root Certification Authorities" folder.

Step 3: Create a new server certificate signed by the CA (from the Visual Studio command prompt)

cmd:\> makecert -sk MyMachine -iv MyCACert.pvk -n "CN=MyMachine" -ic MyCACert.cer -sr localmachine -ss my -sky exchange -pe

This command directly adds the created server certificate (with its private key) to the local machine's Personal certificate store (LocalMachine\My) on the machine where the command is executed.
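After Steps 1-3 it is worth checking, before touching HTTP.sys, that the server certificate really is in LocalMachine\My with its private key and that it chains to the CA imported in Step 2, since a missing private key or an untrusted root only shows up later as a failed TLS handshake. The PowerShell below is an added example, not part of the original post; it assumes the subject names "CN=MyMachine" and "CN=MyCACert" from the makecert commands above and prints the thumbprint that Step 6 needs.

```powershell
# Added example (not from the original post): verify the certificate created in Step 3.
# Assumptions: subject names as used in the post's makecert commands.
$serverSubject = 'CN=MyMachine'
$caSubject     = 'CN=MyCACert'

# Locate the newest server certificate by subject (the -n value given to makecert)
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $serverSubject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $serverCert) {
    throw "No certificate with subject '$serverSubject' found in LocalMachine\My (re-run Step 3)."
}

# The thumbprint is the value passed as -h / certhash= in Step 6
"Server certificate thumbprint : $($serverCert.Thumbprint)"
"Has private key               : $($serverCert.HasPrivateKey)"   # must be True, or HTTP.sys cannot use it for TLS

# Build the chain the way a client on this machine would, against the trusted root store.
# makecert certificates carry no CRL distribution point, so revocation checking is disabled here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$valid = $chain.Build($serverCert)

if ($valid) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK; root is '$($root.Subject)'"
    if ($root.Subject -ne $caSubject) {
        Write-Warning "Chain ends at '$($root.Subject)', not at the expected CA '$caSubject'."
    }
} else {
    Write-Warning "Chain did not build:"
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}
```

If the chain reports UntrustedRoot, the CA certificate from Step 2 was imported into the wrong store (for example the current user's store instead of Local Computer); if HasPrivateKey is False, Step 3 was run without -sr localmachine -ss my or under a different account.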

MMC
MMC (Microsoft Management Console, with the Certificates snap-in) is used to inspect the certificates in the certificate store.

HttpCfg.exe / Netsh.exe
The command line utility used to reserve a URL and to configure SSL is HttpCfg.exe on XP and Windows Server 2003; netsh.exe is the equivalent utility on Vista and Windows 7. HttpCfg.exe is only available with the latest service packs, so check for the patches for XP / Windows 2003 that contain the utility.

After certificate creation,
  • a URL can be reserved for the service, and the reservation can be restricted to user groups;
  • an SSL port must be set for HTTPS.


Step 4: Choose an SSL port that is not already in use

cmd:\> httpcfg query ssl                (XP / 2003 environment)
cmd:\> netsh http show sslcert          (Win 7 / Vista / 2008 environment)

To delete an existing SSL port binding (e.g. 8733):

cmd:\> httpcfg delete ssl -i 0.0.0.0:8733 -h [certhash]        (XP / 2003 environment)
cmd:\> netsh http delete sslcert ipport=0.0.0.0:8733           (Win 7 / Vista / 2008 environment)

Step 5: Reserve a URL in the urlacl

cmd:\> httpcfg set urlacl /u https://+:8733/ /a "D:(A;;GXGW;;;WD)"     (XP / 2003 environment)
cmd:\> netsh http add urlacl url=https://+:8733/ user=\Everyone        (Win 7 / Vista / 2008 environment)

Both forms above grant the reservation to Everyone (the SDDL SID WD); to restrict it to a user group, put that group in the ACL / user= value instead.

Step 6: Bind the SSL port to the certificate hash (the thumbprint of the server certificate from Step 3)

cmd:\> httpcfg set ssl -i 0.0.0.0:8733 -h dd6202a426d143391cb4b7e91ddb5d94020a13a6 -g {5FF9F81C-97EF-47ED-BCF9-921667CD1FBD}     (XP / 2003 environment)

cmd:\> netsh http add sslcert ipport=0.0.0.0:8733 certhash=dd6202a426d143391cb4b7e91ddb5d94020a13a6 appid={5FF9F81C-97EF-47ED-BCF9-921667CD1FBD}     (Win 7 / Vista / 2008 environment)
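Steps 4 to 6 are usually repeated on every developer and test machine, and the certificate hash differs on each of them. The PowerShell script below is an added example, not part of the original post: it performs the netsh variant of Steps 4-6 on Vista / Win 7 / 2008, looks the certificate hash up from the store by subject instead of hard-coding it, refuses to overwrite an existing binding on the port, and reserves the URL for the account the service runs under rather than for Everyone. It assumes port 8733 and the subject "CN=MyMachine" from the post, and a placeholder service account that you replace with your own; run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): Steps 4-6 via netsh, with the hash looked up.
# Assumptions: port 8733, subject CN=MyMachine (from the post), placeholder service account.
$port          = 8733
$url           = "https://+:$port/"
$ipport        = "0.0.0.0:$port"
$serviceUser   = 'NT AUTHORITY\NETWORK SERVICE'   # assumption: account the WCF host runs under
$serverSubject = 'CN=MyMachine'                   # subject given to makecert in Step 3

# Step 4: is the port already bound to a certificate?  netsh prints a "Certificate Hash" line
# for an existing binding and an error otherwise.
$existing = netsh http show sslcert ipport=$ipport 2>&1
if ($existing -match 'Certificate Hash') {
    Write-Warning "An SSL binding already exists on $ipport :"
    $existing
    Write-Warning "Remove it first with: netsh http delete sslcert ipport=$ipport"
    return
}

# Input for Step 6: thumbprint of the server certificate that has a private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $serverSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for '$serverSubject' in LocalMachine\My." }

# appid is any GUID identifying the owning application; the post uses a fixed one, this generates one
$appId = [guid]::NewGuid().ToString('B')

# Step 5: reserve the URL for the service account only (instead of user=\Everyone)
netsh http add urlacl url=$url user="$serviceUser"
if ($LASTEXITCODE -ne 0) { throw "urlacl reservation failed for $url" }

# Step 6: bind the certificate to the port
netsh http add sslcert ipport=$ipport certhash=$($cert.Thumbprint) appid="$appId"
if ($LASTEXITCODE -ne 0) { throw "sslcert binding failed for $ipport" }

# Show the result the way Step 4 inspects it
netsh http show sslcert ipport=$ipport
netsh http show urlacl url=$url
```

A service whose process runs under an account other than the one named in the urlacl cannot open the listener (WCF reports an AddressAccessDeniedException), which is the point of the narrower reservation: only that account can serve the URL.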

Step 7: Add / modify the host entry in the C:\WINDOWS\System32\Drivers\etc\hosts file.

Step 8: Make the config entry in the App.Config of the WCF service.

The implementation is recorded as a video presentation, which will be available at the link.
