Re: [WSE 3.0] I need some pointers for using security




"Jeff Johnson" <i.get@xxxxxxxxxxx> wrote in message
news:JtydnTFI1LlG2GfanZ2dnUVZ_qKgnZ2d@xxxxxxxxxx
Background: I have very little experience with Web services, but I'm not a
complete n00B. I'm using VS 2005 SP1, C#, and WSE 3.0, if any of that
matters.

Problem: For an upcoming project, I want to provide access to a partner
company in another state to a Web service that I will be writing. I'm not
dealing in nuclear secrets or anything, but I want to secure the messages
without buying a certificate and using SSL.

I have installed and played with some of the QuickStart samples that come
with WSE 3.0. I built and ran the WSSecurityCertificatePolicy sample, and
even built an installer package for it and put the client on another
machine. After some certificate exporting/importing and fiddling with the
*.config files, I got the client to talk to the service. Unfortunately, I
don't fully see the big picture. These are the main questions I have:

1) Can I give all the users the same client certificate as opposed to
creating one for each? (It is not important to me to track who accessed
the service.)

2) If I can use only one cert, is there any way to distribute and install
that cert along with my custom app? I ask because when I exported the
sample client cert along with its private key I had to provide a password,
and I'm wondering if that might hose the install process.

3) Speaking of installing a cert, can I even DO that in a setup package
and/or programmatically? The QuickStart samples use CertMgr.exe, which
isn't even part of a normal Windows installation; it's from the Framework
SDK.

4) If I have to create a separate cert for each user, how do I handle
(i.e., "register") that in my service?

If anyone has some examples of using certificates in Web services, I'd
appreciate links.

For reference, I'm focusing on the certificate route because it SEEMS the
simplest (least code). If anyone feels other methods are easier, I'm
willing to listen.


Purchase an SSL cert...it's cheaper than your labour...doing all that message
layer security takes weeks and weeks of work...plus it'll all be changed
again for WCF when ur WSE is obsolete...


Do a search for 'Web Service Security Patterns and Practices' on the MS website.
That's a good document. 250 pages though.

