Re: WSE 2.0 Policy security settings with multiple X.509 certificates
From: Laura Papez (LauraPapez_at_discussions.microsoft.com)
Date: 01/06/05
- Next message: Hendrik Schulze: "Re: WSE 2.0 SecurityPolicy with multiple X.509 certificates"
- Previous message: SQLAgentman: "Re: Public Key Authentication"
- In reply to: Dilip Krishnan: "Re: WSE 2.0 Policy security settings with multiple X.509 certificates"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 5 Jan 2005 23:05:03 -0800
Hi Dilip,
Thanks for your response. The more I get involved with this technology the
more I learn!
I'm still confused about the method of enabling the web service to accept
multiple X.509 certificates from the clients. I like your idea of having the
Service "trust certificates issued by a common CA" however, how would one
implement this?
Under the "Security" tab in the "WSE Settings 2.0" window the X.509
Certificate Store Location is set to LocalMachine (for the Web Service
project). Within the WSE Security Setting Tool (the Wizard for
adding/replacing Policies - Policy tab) certificate selection for the
"Trusted Client Certificates" is made from "Local Machine - Other People"
store.
Do I import the CA certificate into this store, or am I meant to re-point
this store location to the "Trusted Root Certification Authorities" store?
(there seems to be no way to change the store location from this window <-
"Trusted Client Certificates" screen in the Security Setting Tool).
Frankly, I was testing this concept (multiple client certificates) with 2
(unique) VeriSign Digital ID certificates. Rather than adding these 2
certificates as "Trusted Client Certificates" in the Web Service policy I
imported a VeriSign Class 1 certificate into the "Local Machine - Other
People" store and set this as the "Trusted Client Certificate". Of course, it
failed! (wrong CA certificate? wrong concept?). The client application
received the "WSE402: The message does not conform to the policy it was
mapped to." error.
What method could I use to test this process of accepting many client
certificates with a CA certificate on the Service?
Would it be easier if I just start educating myself about setting up my own
certificate service/authority?
Thanks,
Laura.
P.S. I made a test client setup project (I included the policyCache.config
file) and deployed the client application to another XP machine. The .exe
worked, connected to the Web Service, authenticated, encrypted and signed! I
then installed another client certificate, updated the policyCache.config
file with the new details, updated the Web Service (note the issue above -
preference not to update the Web Service policyCache.config file with every
new client certificate) and the new client worked. Hurrah! Question: should
it be a concern that the policyCache.config file can be updated/changed
outside of your own changes? (i.e. by another person/process). Is it the view
that by changing this file the Production Web Service would detect a
mismatch? Or are my worries unnecessary? Thanx.
"Dilip Krishnan" wrote:
> Hello Laura,
>
> > Now for the big questions:
> >
> > If I want to allow and enable another client user to access the Web
> > Service, how/where do I add the new client certificate details in the
> > Policy of the Service?
>
> Depends on your policy requirements. In general if you sign and encrypt requests
> you would need the public server certificate. You would need to use the certificate
> management console to install the cert in your personal store.
>
> > I noticed in the policyCache.config file there's an element that
> > contains the existing client certificate details (for User XYZ).
> >
> > <wssp:Claims>
> > <wssp:SubjectName MatchType="wssp:Exact">data
> > removed</wssp:SubjectName>
> > <wssp:X509Extension OID="2.5.29.14"
> > MatchType="wssp:Exact">data removed</wssp:X509Extension>
> > </wssp:Claims>
> > Can I simply add another <wssp:Claims> element into the
> > policyCache.config file for the Web Service?
>
> No ...
>
> > What happens when the system has 1000 clients accessing the service,
> > all with their separate certificates?
>
> ...you could have it trust certificates issued by a common CA. Or you could
> have certificates with their subject names starting with a certain value..
> There is a variety of ways to do this
>
>
> > Likewise, in terms of the client deployment, its policyCache.config
> > file also contains the hard coding to User XYZ certificate. Does the
> > client application need to be rebuilt for every client installation?
> > (ensures User XYZ installation can read User XYZ certificate (as
> > defined in policyCache.config) and User ABC installation can read User
> > ABC certificate (as defined in policyCache.config)?
>
> You can just change those values in different deployments.. it's not hardcoded..
> it's configured.
>
> > I haven't executed a deployment *yet*, so another good question is can
> > the policyCache.config file be changed/updated or is it bundled into
> > the client executable?
>
> It's not bundled
>
> HTH
> Regards,
> Dilip Krishnan
> MCAD, MCSD.net
> dkrishnan at geniant dot com
> http://www.geniant.com