Re: WSE and X509 trouble

From: Julie Lerman (jlermanATNOSPAMPLEASEthedatafarm.com)
Date: 10/15/04


Date: Fri, 15 Oct 2004 09:10:01 -0400

Andrea-
I'm going to try to help you with some of the basic stuff here as I have
just been through it myself and then maybe one of the more knowledgeable
people can fill in any blanks. I will make the comments in line.

"andrea" <a.canade@retis.it> wrote in message
news:5c884a8f.0410150044.1e0892cd@posting.google.com...
> Hi all
>
> I've some questions about security with x509 that are not clear to me
> :(
>
> are these steps correct to make a security soap based test
> application?
>
> terminology:
> client is a console application that sends signed soap requests and
> receives signed soap responses or faults...

-- A client can be any client of the web service - but you've got the right
concept. It can be a console app, a windows app, a web application, a mobile
app (pocket pc, palm os), or even another web service. But it's basically
the initiator of the request. The thing that will be asking the web service
to do something for it.

>
> server is a web service using policy files to add security requirement
> to the project.
>
--I wouldn't define it quite this way because a) you do not always use
policy files and b) a client can also use a policy file. First let me just
tell you how I define a policy file. It gives the requester or the responder
rules to live by. If it's the requester the rules could be something like
...any time I send out a request, it should be encrypted, or any time I
receive a message I won't look at it unless it is signed. So these rules can
get placed on either end. Make sense?
The server itself is the HOST of the web service. A web server is actually
an application (eg. IIS) but some people just think of it as the box that
IIS (or whatever) is on..which works for me.

>
> SERVER
>
> 1) I create a webservice (stupid: only a string Repeat(string word)
> web-method)
> I configure the solution with WSE, particularly I set on the security tab
> LocalMachine as store location
> and policy files with a default endpoint...

---okay
>
> at this point the wizard starts... I chose to make a secure server
> I check "use signed request"
> I check "use signed response" then next...

---okay

>
> I choose X509 certificate
>
> now the wizard tells me to choose the certificate to use for client
> authentication?
> what does this mean ??
> is the certificate inserted on the soap request by the client?... I mean
> so..

--- since you chose to require that the incoming request be signed AND the
outgoing response be signed, there will be two different X509 certificates
involved. The client will use ITS private X509 certificate to sign its
message. Therefore, the server will need the public version of that
certificate to verify the signature. So the wizard needs you to tell it
which certificate in your certificate store is the one that represents the
public key portion of the client's X509 certificate. It took me a while to
get these things sorted out in my head - I hope I've explained it clearly
enough.

> I insert anything and choose next and complete the wizard

--"anything" could create a problem if it's not the correct certificate :-)

>
> now I build and my service is up !!
>
> CLIENT
> 2) soap communication with a digital certificate means that the client
> buys a certificate from (I said one) "verisign" for example...
> is it correct?

--if you want to sign the outgoing message from the client and you are
talking about using X509 certificates, then basically yes. There are other
ways to sign a message from the client also.

>
> the client puts the certificate in his CurrentUser store
> but what is the location? Trusted? People?

--this is where I have limited knowledge that is based on only my limited
experience. What I have worked with is with the certificate going into the
Current User - Personal Store. That is only then accessible by me when I
have logged in to the computer with the proper windows account.

The best walkthrough I have seen for installing the certificates for WSE is
in the Hands on Lab which is on this page:
http://msdn.microsoft.com/webservices/building/wse It shows you how to
install the sample certificates, but it's a good lesson.
>
> 2)
> I create a client application
> I add a proxy created with wsdl.exe
> I change the base class of the proxy to make it work with WSE

--(in visual studio) if you have the client configured to work with WSE2 and
you make a web reference to the wse2 enabled web service, then the proxy
should already be configured correctly. It will actually make two proxy
classes for you ...one against wse and the other just normal. (This has been
my experience - there may be cases where it is not so nicely automatic...)

>
> I enable WSE for my application

--see above - do this FIRST and then you can skip some of the above steps
:-)
>

> NOW must I add the policy file created on the server side?
> or must I create a new policy file for client security??
>

--you will create a new policy file for the client. If you use the wse
settings tool, it even asks if you are creating the policy for a service or
for a client.
>
> I've created a new policy file
> but the wizard
> - tells me to add a certificate site in the current-user personal store
> (but must the certificate not be inserted into the Trusted store? )
> - tells me to choose another certificate to authenticate the service
> what does this mean? I've only one certificate

--see above in response to this question on the web service. If you have
said sign outgoing requests and require that incoming responses be signed -
you are talking about two completely separate certificates. You need the
CLIENT's private key to sign outgoing messages and the SERVER's public key
certificate to verify incoming messages.
>
>
> thank you for patience

--ahh - it just takes a lot of patience to learn this stuff. I definitely
took a long time because I also asked WHY WHY WHY every step of the way!!
:-)

julie

> andrea
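As an added illustration of the key roles Julie describes above (this is example code, not anything from the thread or from WSE itself): each side signs with its own private key and verifies with the other side's public key, and a verifier that was handed the wrong certificate (the "anything" case in the wizard) rejects a correctly signed request. The key pairs and SOAP bodies are constructed here; in WSE they come from the certificate stores and the proxy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Party is one end of the exchange: its own private key, which never leaves
// its machine, plus the public half of the OTHER side's certificate.
type Party struct {
	priv    *rsa.PrivateKey
	peerPub *rsa.PublicKey
}

// Sign signs a message with the party's own private key.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, h[:])
}

// Verify checks a signature with the peer's public key, i.e. the certificate
// the WSE wizard asks you to pick for authenticating the other side.
func (p *Party) Verify(msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(p.peerPub, crypto.SHA256, h[:], sig) == nil
}

// RoundTrip runs the signed-request / signed-response exchange with two
// independent key pairs. wrongCertOK reports whether a verifier holding the
// wrong certificate (the server's own instead of the client's) accepts the request.
func RoundTrip(clientKey, serverKey *rsa.PrivateKey) (reqOK, respOK, wrongCertOK bool, err error) {
	client := &Party{priv: clientKey, peerPub: &serverKey.PublicKey}
	server := &Party{priv: serverKey, peerPub: &clientKey.PublicKey}
	misconfigured := &Party{priv: serverKey, peerPub: &serverKey.PublicKey}
	req := []byte("<Repeat><word>hi</word></Repeat>") // constructed SOAP body
	sig, err := client.Sign(req)
	if err != nil {
		return
	}
	reqOK = server.Verify(req, sig)              // server holds client's public cert
	wrongCertOK = misconfigured.Verify(req, sig) // wrong cert picked in the wizard
	resp := []byte("<RepeatResponse>hihi</RepeatResponse>") // constructed response
	rsig, err := server.Sign(resp)
	if err != nil {
		return
	}
	respOK = client.Verify(resp, rsig) // client holds server's public cert
	return
}
```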


