6.3 Setting up secure connection


6.3.1 Introduction

This chapter is a step-by-step manual for setting up the data service’s subsystems so that the connection works over the HTTPS protocol. The service producer is an IIS-hosted WCF Service application and the service consumer is a command-line program.


You have to create a connection between the security server and the adapter by using the “Transport Security with Certificate Authentication” pattern. To complete the task, follow these steps:


  1. Create the certificates

  2. Set up the service provider’s application

  3. Set up the service provider’s security server

  4. Set up the service consumer’s security server

  5. Set up the service consumer’s application


In this example, a single security server (hosting both the service consumer and the service producer roles) and the adapter applications are used, all running on the same physical machine. In a production environment the roles are usually located on different servers, but all of the following setup steps remain the same.


NB! A check must be performed after each block. Move forward only when the check has completed successfully.


Prerequisites:

  • Completed prototype (applications of the data service producer and consumer), between which the data exchange works over the HTTP protocol.
  • Utilities for creating test certificates: makecert.exe and pvk2pfx.exe.

6.3.2 Preparations


Figure 1 Hierarchy of the certificates


First, you need to create the certificates: separate certificates for the data service producer and the data service consumer, both signed with the same root certificate. There will be three certificates:

  • AdapterRoot.der – Root certificate that signs the other two

  • ConsumerCA.der – Certificate of the data service consumer’s subsystem

  • ProducerCA.der – Certificate of the data service producer’s subsystem

  1. We create the root certificate from the command line:

makecert -r -pe -ss Root -sr LocalMachine -n "CN=AdapterRoot" -sv "AdapterRoot.pvk" AdapterRoot.der

 

Parameters:

  • -r  Self-signed certificate (signed by its own key)

  • -pe Makes the private key exportable

  • -ss Name of the certificate store (here Root, i.e. Trusted Root Certification Authorities)

  • -sr Certificate store location (CurrentUser or LocalMachine)

  • -n Subject name of the certificate

  • -sv Name of the private key file

  • Lastly comes the name of the certificate file.

A more detailed explanation of the makecert utility can be found at https://msdn.microsoft.com/en-us/library/windows/desktop/aa386968(v=vs.85).aspx.

This command produces two files (AdapterRoot.pvk, AdapterRoot.der) and additionally adds the certificate to the Local Computer/Trusted Root Certification Authorities store.

Note! The password field may be left empty; to do so, click the “None” button in the “Create Private Key Password” window.

 

  2. We create the service producer’s certificate, signed by the root certificate:

This certificate is used on the IIS server for the web application’s HTTPS binding, so it is important that its subject name is the address under which the service is published. In this example the machine’s IP address is used, but a domain name can be used as well.


makecert -n “CN=192.168.0.13" -iv "AdapterCA.pvk” -ic "AdapterCA.cer” -pe -ss my -sr localmachine -sv "ProducerCA.pvk” ProducerCA.der


Parameters:

  • -iv Private key of the root (issuer) certificate

  • -ic Root (issuer) certificate


This command produces two files (ProducerCA.pvk, ProducerCA.der) that have to be packed into a PFX archive with the following command:


  3. Pack the files into an archive:


pvk2pfx -pvk ProducerCA.pvk -spc ProducerCA.der -pfx ProducerCA.pfx


A ProducerCA.pfx file is created.


  4. We create the service consumer’s certificate, signed by the root certificate. Its subject name (ConsumerCA) is the value the client application searches for in section 6.3.6:


makecert -n “CN=192.168.0.13" -iv "AdapterCA.pvk” -ic "AdapterCA.cer” -pe -ss my -sr localmachine -sv " ConsumerCA.pvk” ConsumerCA.der

As a result, we get ConsumerCA.pvk and ConsumerCA.der.


  5. Pack the files into an archive:


pvk2pfx -pvk ConsumerCA.pvk -spc ConsumerCA.der -pfx ConsumerCA.pfx

A ConsumerCA.pfx file is created.

With this step, the certificate files are complete and we can now set up the servers. Before setting up, make sure that the IIS application works over the HTTP protocol.


Check! The certificate signing tree is the same as in the figure.
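The same three-certificate hierarchy built with the PKI cmdlets that ship with Windows 10 and Windows Server 2016 and later, followed by the signing-tree check above. This is an added example and not part of the original guide: makecert.exe is deprecated, so this is the replacement a practitioner would use today. It assumes the service address 192.168.0.13 and the subject ConsumerCA from the guide; the PFX password is a constructed placeholder, because Export-PfxCertificate does not allow an empty one. Run it from an elevated PowerShell session, since it writes to the LocalMachine stores.

```powershell
# Added example (not from the guide): AdapterRoot -> ProducerCA / ConsumerCA hierarchy
# with New-SelfSignedCertificate, then a chain check that mirrors "Check!" in 6.3.2.
$ErrorActionPreference = 'Stop'
$OutDir = Join-Path $PWD 'adapter-certs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# Constructed placeholder; Export-PfxCertificate requires a password.
$PfxPassword = ConvertTo-SecureString -String 'ChangeMe-ExampleOnly' -AsPlainText -Force

# 1. Self-signed root (makecert -r -pe -ss Root -sr LocalMachine -n "CN=AdapterRoot").
#    basicConstraints CA=true plus the CertSign key usage mark it as a signing certificate.
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=AdapterRoot' `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
    -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# makecert -ss Root put the root straight into Trusted Root Certification Authorities;
# New-SelfSignedCertificate writes to My, so export the public part and import it there.
$rootCer = Join-Path $OutDir 'AdapterRoot.cer'
Export-Certificate -Cert $root -FilePath $rootCer -Type CERT | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Service producer's TLS server certificate, signed by the root (makecert -iv/-ic).
#    Subject and SAN carry the published address; EKU = serverAuth (1.3.6.1.5.5.7.3.1).
$producer = New-SelfSignedCertificate -Type Custom -Subject 'CN=192.168.0.13' -Signer $root `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable `
    -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1', '2.5.29.17={text}ipaddress=192.168.0.13')

# 3. Service consumer's client certificate, signed by the same root; EKU = clientAuth.
$consumer = New-SelfSignedCertificate -Type Custom -Subject 'CN=ConsumerCA' -Signer $root `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 4./5. The pvk2pfx step: key + certificate in a PFX for IIS / the client machine, and the
#       public .der that is uploaded to the security server in 6.3.4.
foreach ($pair in @(@{ Cert = $producer; Name = 'ProducerCA' }, @{ Cert = $consumer; Name = 'ConsumerCA' })) {
    Export-PfxCertificate -Cert $pair.Cert -FilePath (Join-Path $OutDir "$($pair.Name).pfx") -Password $PfxPassword | Out-Null
    Export-Certificate -Cert $pair.Cert -FilePath (Join-Path $OutDir "$($pair.Name).der") -Type CERT | Out-Null
}

# Check: each leaf must chain to exactly one issuer, and that issuer must be AdapterRoot.
function Test-SigningTree {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $ExpectedRootSubject = 'CN=AdapterRoot'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Test certificates carry no CRL/OCSP endpoints, so revocation checking would always fail.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Chain   = $subjects -join ' -> '
        Status  = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        TreeOk  = $built -and $subjects.Count -eq 2 -and $subjects[-1] -eq $ExpectedRootSubject
    }
}

Test-SigningTree -Certificate $producer
Test-SigningTree -Certificate $consumer
```

TreeOk is true only when the chain builds, is exactly two certificates long (leaf and root), and ends at CN=AdapterRoot; a Status of UntrustedRoot means the root import into Cert:\LocalMachine\Root did not take effect, which is the same situation the guide warns about when a certificate is brought in from outside.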

6.3.3 Setting up the service provider’s application

First, you have to change the binding parameters of the application’s endpoint:


  1. Select the application configuration file (app.config or Web.config) and open its context menu
  2. Select “Edit WCF Configuration”
  3. Under Bindings, select the binding that is used by the service endpoint.
  4. Select the “Security” tab
  5. Change two parameters:
    1. Mode: Transport
    2. TransportClientCredentialType: Certificate
  6. File -> Save
  7. Select the application file and click “Publish” in the context menu.

After this step, the updated application is on the IIS server.

Next, the application’s server parameters are set up. Import the service producer’s certificate ProducerCA.pfx into the IIS server’s certificate store:



  1. Select server

  2. IIS/Server Certificates

  3. Actions -> Open Feature

  4. Actions -> Import...

  5. Certificate File -> “...” -> select the ProducerCA.pfx file.

  6. Password -> Enter password (in this guide, it was created without a password)

  7. Select Certificate Store -> Web Hosting

  8. OK

As a result, the previously created certificate appears in the list. Make sure that the certificate is issued to the address (Issued To) 192.168.218.233 and signed by (Issued By) the root certificate.

Check! Select the imported certificate and, on the Certification Path tab, make sure that “This certificate is OK” is shown in the Certificate status field. If the certificate comes from outside, the root certificate has to be placed in the trusted root certificate store first.

Add an https binding to the web application:



  1. Select application

  2. Actions -> Bindings...

  3. Add...

  4. Type: https

  5. IP address: select the same address to which the certificate is issued

  6. Port: 443 or other suitable port

  7. SSL certificate: select the imported ProducerCA certificate

  8. OK

  9. Close

Set up the client certificate requirement:


  1. Select application

  2. IIS/SSL Settings -> Open Feature

  3. Tick Require SSL

  4. Client certificates: Require


Check! Once these changes have been made, the website becomes inaccessible (HTTP Error 403). For testing, import the ConsumerCA.pfx file into the web browser’s certificate store (or the machine’s Current User/Personal certificate store), restart the web browser and open the application page again. This time a certificate selection window should appear in which you can choose ConsumerCA. As a result, you can access the website using the certificate.
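The IIS part of this section (import ProducerCA.pfx into the Web Hosting store, add the https binding, require SSL and a client certificate) done with the WebAdministration module instead of the IIS Manager clicks, followed by the check above expressed as two HTTP requests: one without a client certificate, which must be refused with 403, and one presenting ConsumerCA, which must succeed. This is an added example and not part of the original guide. The site name 'Default Web Site', the application name 'Adapter', the path C:\certs\ProducerCA.pfx and the PFX password are assumptions, not values from the guide; the address 192.168.0.13 and port 443 are the guide’s. It expects ConsumerCA to have been imported into Current User/Personal as the check describes, and must run elevated on the IIS machine.

```powershell
# Added example (not from the guide): 6.3.3 IIS steps plus the 403-without / 200-with check.
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

$SiteName    = 'Default Web Site'   # assumption
$AppName     = 'Adapter'            # assumption
$IpAddress   = '192.168.0.13'       # address the certificate was issued to
$Port        = 443
$PfxPath     = 'C:\certs\ProducerCA.pfx'  # assumption
$PfxPassword = ConvertTo-SecureString -String 'ChangeMe-ExampleOnly' -AsPlainText -Force  # placeholder

# 1. Import the producer certificate into Local Computer\Web Hosting (IIS "Server Certificates").
$serverCert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\WebHosting' -Password $PfxPassword

# 2. Add the https binding on the address the certificate was issued to and attach the certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress $IpAddress)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress $IpAddress
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress $IpAddress
$binding.AddSslCertificate($serverCert.Thumbprint, 'WebHosting')

# 3. SSL Settings for the application: Require SSL + Client certificates: Require.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$AppName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslRequireCert'

# Check: status code IIS returns with and without a client certificate.
function Get-ClientCertStatus {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate
    )
    $params = @{ Uri = $Uri; UseBasicParsing = $true }
    if ($ClientCertificate) { $params.Certificate = $ClientCertificate }
    try {
        return [int](Invoke-WebRequest @params).StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response object still carries the status code.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$url = "https://${IpAddress}:${Port}/${AppName}/"
# ConsumerCA as imported into Current User/Personal in the check above; the private key must be present.
$consumerCert = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq 'CN=ConsumerCA' -and $_.HasPrivateKey } |
    Select-Object -First 1

$without = Get-ClientCertStatus -Uri $url
$with    = Get-ClientCertStatus -Uri $url -ClientCertificate $consumerCert
"Without client certificate: HTTP $without (expected 403)"
"With ConsumerCA:            HTTP $with (expected 200)"
```

A 403 in both cases usually means the consumer certificate does not chain to a root the IIS machine trusts (the same Certification Path check as for the server certificate); a TLS handshake error in both cases means the client does not trust AdapterRoot, which is the trust exchange that section 6.3.4 deals with.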


 

6.3.4 Setting up the service provider’s security server


In the interconnection ‘Service provider’s application <-> Security server’, the security server is the client and the IIS web application is the server. The client and the server must trust each other’s certificates, so their certificates have to be exchanged.

Importing the service producer’s application certificate to the security server:



  1. Security Server Clients

  2. Select the service producer’s role

  3. Internal Services tab

  4. Internal TLS Certificates

  5. Click the Browse button and select the ProducerCA.der file

  6. OK

  7. EXPORT – Save the security server’s certificate to the service application’s machine.

The security server’s certificate has to be imported into the application server’s Local Computer/Trusted Root Certification Authorities store, and the application server’s certificate has to be imported into the security server. To export the security server’s certificate:

  1. Log in to the security server user interface

  2. Security Server Clients -> Select the service producer

  3. Internal Certificate -> Export

  4. Unpack the archive and import cert.cer into the trusted root certificates’ repository of the application machine.

 

 

6.3.5 Setting up the service consumer’s security server

Setting up the security server is the same as before, with the exception that Connection Type must be HTTPS.

6.3.6 Setting up the application of the service consumer

 

The first six steps of setting up the client application are the same as for the server application. Additionally, the client certificate has to be specified:

  1. Endpoint Behaviors

  2. Click New Endpoint Behavior Configuration

  3. Name: SSLBehavior

  4. Add...

  5. Select clientCredentials

  6. Add

  7. In the added element, you have to select the sub-element clientCertificate

  8. Here you set up which store is searched and by which criterion the client certificate is found; in this guide the parameters are as follows:

    1. FindValue: ConsumerCA

    2. StoreLocation: Current User

    3. StoreName: My

    4. X509FindType: FindBySubjectName

The final configuration of the client application is as follows:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
    </startup>
    <system.serviceModel>
        <behaviors>
            <endpointBehaviors>
                <behavior name="SSLBehavior">
                    <clientCredentials>
                        <clientCertificate findValue="ConsumerCA" x509FindType="FindBySubjectName" />
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
        <bindings>
            <basicHttpBinding>
                <binding name="TreasuryXrdCustomerWS">
                    <security mode="Transport">
                        <transport clientCredentialType="Certificate" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://192.168.219.123" behaviorConfiguration="SSLBehavior"
                binding="basicHttpBinding" bindingConfiguration="TreasuryXrdCustomerWS"
                contract="TreasutyMessagingService.TreasuryClientPortType"
                name="TreasuryXrdCustomerWS" />
        </client>
    </system.serviceModel>
</configuration>
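The lookup that the clientCertificate element above makes WCF perform when the client is opened, reproduced so that the store and search criterion from step 8 can be checked before running the command-line program. This is an added example and not part of the original guide. storeLocation and storeName are absent from the XML because CurrentUser and My are WCF’s defaults; WCF searches the store with validOnly set to false and throws when the criterion matches zero certificates or more than one. FindBySubjectName is a case-insensitive substring match, so a second certificate whose subject merely contains "ConsumerCA" makes the configuration fail, which is why the function also prints the unambiguous FindByThumbprint form. The default parameter values are the guide’s; nothing else is assumed.

```powershell
# Added example (not from the guide): emulate WCF's client certificate lookup and report
# the problems that would surface only when the client opens the channel.
function Resolve-WcfClientCertificate {
    param(
        [string] $FindValue = 'ConsumerCA',
        [System.Security.Cryptography.X509Certificates.X509FindType] $FindType = 'FindBySubjectName',
        [System.Security.Cryptography.X509Certificates.StoreLocation] $StoreLocation = 'CurrentUser',
        [System.Security.Cryptography.X509Certificates.StoreName] $StoreName = 'My'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false mirrors WCF: expired certificates are matched as well.
        $found = @($store.Certificates.Find($FindType, $FindValue, $false))
    } finally {
        $store.Close()
    }

    $problems = @()
    if ($found.Count -eq 0) { $problems += "no certificate matches $FindType '$FindValue'" }
    if ($found.Count -gt 1) { $problems += "$($found.Count) certificates match; WCF requires exactly one" }
    foreach ($c in $found) {
        if (-not $c.HasPrivateKey) { $problems += "$($c.Subject) has no private key; TLS client authentication needs it" }
        if ($c.NotAfter -lt (Get-Date)) { $problems += "$($c.Subject) expired on $($c.NotAfter)" }
    }

    # Unambiguous replacement for the XML element once exactly one certificate is found.
    $suggested = $null
    if ($found.Count -eq 1) {
        $suggested = "<clientCertificate findValue=`"$($found[0].Thumbprint)`" x509FindType=`"FindByThumbprint`" />"
    }

    [pscustomobject]@{
        Store     = "$StoreLocation\$StoreName"
        Criterion = "$FindType = '$FindValue'"
        Matches   = @($found | ForEach-Object { "$($_.Subject) [$($_.Thumbprint)]" })
        Usable    = ($problems.Count -eq 0)
        Problems  = $problems
        Suggested = $suggested
    }
}

# Same criterion as the configuration above.
Resolve-WcfClientCertificate -FindValue 'ConsumerCA' -FindType FindBySubjectName
```

Usable is true only when exactly one certificate matches, it has a private key and it has not expired; otherwise Problems lists what the WCF client would fail on, and Suggested gives the thumbprint-based element to paste in place of the FindBySubjectName one.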


Last modified: Wednesday, 25 October 2017, 4:15 PM