Home
  • Deutsch (DE-CH-AT)
  • English (United Kingdom)
  • Japanese(JP)
Securing WCF Services with HTTPS by using self-issued certificates PDF Print

WCF distinguishes two security mechanisms: transport and message level security.

Transport level security comes in-built, but is sometimes a bit tricky to set up.


1. Service-side, you have to create a new wsHTTPBinding:

<wsHttpBinding>
<binding name="TransportSecurity">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>


2. Consume this binding in your service

<service name="Service.Service">        
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity" contract="Service.Service"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
</service>


3. Remove the service's HTTP binding from your web.config


4. Disable the HTTP undisclosure of meta data, or this will later give you a funny exception:

<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="false"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>


If you do not set httpGetEnable to false, you will get the following exception:

The HttpGetEnabled property of ServiceMetadataBehavior is set to true and the HttpGetUrl property is a relative address, but there is no http base address. Either supply an http base address or set HttpGetUrl to an absolute address.


5. Client-side, add the https:// address of your service.


6. Remove a (possibly) still existing http endpoint binding from your app.config client-side.


7. Add the following line to the startup code of your application

System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate(object s, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; };


Note, if you do not add this line, you will receive the following exception where WCF complains that the certificate was not issued by a certificate authority

Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'.



Resources: http://www.codeproject.com/KB/WCF/7stepsWCF.aspx

 

Last Updated on Sunday, 14 November 2010 10:36