6.3 Setting up a secure connection
This chapter describes, step by step, how to set up the data service’s subsystems so that the connection works over the HTTPS protocol. The service producer is an IIS-hosted WCF Service application and the service consumer is a command line program.
You have to create a connection between the security server and the adapter using the “Transport Security with Certificate Authentication” pattern. To complete the task, follow the steps below:
In this example, one security server (hosting both the service consumer and the service producer roles) and one adapter application are used, and they run on the same physical machine. In a production environment the roles are usually located on different servers, but all the set-up steps below remain the same.
NB! A check must be performed after each block. Move on only when the check has completed successfully.
- A completed prototype (the data service producer and consumer applications), between which data exchange works over the http protocol.
- Utilities for making test certificates: makecert.exe and pvk2pfx.exe.
Figure 1 Hierarchy of the certificates
First, you need to create the certificates: separate certificates for the data service producer and consumer, both signed by the same root certificate. There will be three certificates:
ConsumerCA.cer – Certificate of the data service consumer’s subsystem
ProducerCA.cer – Certificate of the data service producer’s subsystem
We create the root certificate from the command line:
makecert -r -pe -ss Root -sr LocalMachine -n "CN=AdapterRoot" -sv "AdapterRoot.pvk" AdapterRoot.der
-r Self-signed certificate (signed by itself)
-pe Makes the private key exportable
-ss Name of the certificate repository
-sr Location of the repository (LocalMachine or CurrentUser)
-n Name (subject) of the certificate
-sv Name of the private key file
The last argument is the name of the certificate file.
A more detailed explanation of the makecert utility can be found at https://msdn.microsoft.com/en-us/library/windows/desktop/aa386968(v=vs.85).aspx.
This command results in two files (AdapterRoot.pvk, AdapterRoot.der) and additionally places the certificate in the repository Local Computer/Trusted Root Certification Authorities.
Note! The password field may be left empty; for that, click the “None” button in the “Create Private Key Password” window.
We create the service producer’s certificate that is signed by the root certificate:
This certificate will be used for the web application’s HTTPS binding on the IIS server, so it is important that its name is the address under which the service is published. In this example, the machine’s IP address is used, but a domain name can be used as well.
-iv – private key file of the root certificate
-ic – root certificate file
This command results in two files (ProducerCA.pvk, ProducerCA.der), which have to be packed into a PFX archive with the following command:
Pack files into archive:
A ProducerCA.pfx file is created.
We create the service consumer’s certificate that is signed by the root certificate:
As a result, we get ConsumerCA.pvk and ConsumerCA.der.
Pack files into archive:
A ConsumerCA.pfx file is created.
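The certificate hierarchy above, as an added example that is not part of the original manual: the same three certificates are built with the New-SelfSignedCertificate cmdlet (which replaces makecert on Windows 10 / Server 2016 and later), and Export-Certificate / Export-PfxCertificate take the place of pvk2pfx. Assumed: an elevated PowerShell session, the output folder C:\Temp\adapter-certs, the service address 192.168.218.233 used later in this guide, and a placeholder PFX password (Export-PfxCertificate does not accept an empty password, unlike the password-less .pfx files in the guide).

```powershell
# Added example: build the AdapterRoot -> ProducerCA / ConsumerCA hierarchy with
# New-SelfSignedCertificate instead of makecert. Run in an elevated session.
$ServiceAddress = "192.168.218.233"        # address the service is published under (from the guide)
$OutDir         = "C:\Temp\adapter-certs"  # assumed output folder
$PfxPassword    = ConvertTo-SecureString "ChangeMe-placeholder" -AsPlainText -Force  # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1) Root certificate: self-signed, CA:TRUE, pathlength=0 so it can only sign end-entity certificates
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=AdapterRoot" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0") `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5)

# The root must be trusted by the machine: export it and add it to
# Local Computer / Trusted Root Certification Authorities (makecert did this with -ss Root).
Export-Certificate -Cert $root -FilePath "$OutDir\AdapterRoot.cer" -Type CERT | Out-Null
Import-Certificate -FilePath "$OutDir\AdapterRoot.cer" -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 2) Producer certificate: subject = published address, Server Authentication EKU,
#    subject alternative name with the IP address (use "DNS=<name>" when a domain name is used)
$producer = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$ServiceAddress" `
    -Signer $root `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.17={text}IPAddress=$ServiceAddress") `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# 3) Consumer certificate: Client Authentication EKU only, so it cannot be used as a server certificate
$consumer = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=ConsumerCA" `
    -Signer $root `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# 4) Files the rest of the guide needs: .cer (public part only) and .pfx (with the private key)
foreach ($pair in @(@{ Cert = $producer; Name = "ProducerCA" }, @{ Cert = $consumer; Name = "ConsumerCA" })) {
    Export-Certificate    -Cert $pair.Cert -FilePath "$OutDir\$($pair.Name).cer" -Type CERT | Out-Null
    Export-PfxCertificate -Cert $pair.Cert -FilePath "$OutDir\$($pair.Name).pfx" -Password $PfxPassword | Out-Null
}

# 5) Check: both issued certificates name AdapterRoot as issuer (the signing tree in Figure 1)
foreach ($name in "ProducerCA", "ConsumerCA") {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ("$OutDir\$name.cer")
    "{0,-11} issued to {1,-22} by {2}" -f $name, $c.Subject, $c.Issuer
}
```

The .cer files carry only the public part and are what gets handed to the security server; the .pfx files contain the private keys and should reach only the machine that needs them (ProducerCA.pfx the IIS server, ConsumerCA.pfx the consumer). The explicit EKUs keep the roles apart: a consumer certificate issued this way is rejected if someone tries to bind it to an HTTPS site.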
With this step, the certificate files are complete and we can now set up the servers. Before setting up, make sure that the IIS application works over the HTTP protocol.
Check! The certificate signing tree is the same as in the figure.
First, change the binding parameters of the application’s endpoint:
- Select the application configuration file (app.config or Web.config) and open the context menu
- Select “Edit WCF Configuration”
- Under Bindings, select the one that is used by the service endpoint
- Select the “Security” tab
- Change two parameters:
  - Mode: Transport
  - TransportClientCredentialType: Certificate
- File -> Save
- Select the application file and click “Publish” in the context menu.
After this step, the updated application is on the IIS server.
Next, set up the application’s server parameters. Import the service producer’s certificate ProducerCA.pfx into the IIS server’s certificate repository:
- Actions -> Open Feature
- Actions -> Import...
- Certificate File -> “...” -> select the ProducerCA.pfx file
- Password -> enter the password (in this guide, the certificate was created without a password)
- Select Certificate Store -> Web Hosting
As a result, the previously created certificate appears. Make sure that the certificate is issued to the address (Issued To) 192.168.218.233 and signed by (Issued By) the root certificate.
Check! Select the imported certificate and make sure that “This certificate is OK” is shown in the Certificate status field on the Certification Path tab. If the certificate comes from outside, the root certificate has to be stored in the trusted root certificate repository.
Add an https binding to the web application:
- Actions -> Bindings...
- IP address: select the same address to which the certificate is issued
- Port: 443 or another suitable port
Set up the certificate requirement:
- IIS/SSL Settings -> Open Feature
- Tick Require SSL
- Client certificates: Require
Check! Once the changes have been made, the website becomes inaccessible (HTTP Error 403). For testing, import the ConsumerCA.pfx file into the web browser’s certificate repository (or the machine’s Current User/Personal certificate repository), restart the web browser and open the application page again. This time, a certificate selection window should appear in which you can choose ConsumerCA. As a result, you can access the website using the certificate.
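The two checks above, scripted as an added example that is not part of the manual: chain status (what the Certification Path tab shows), issuer, private key presence and Server Authentication usage of the certificate imported into the Web Hosting repository. Assumed: the repository path Cert:\LocalMachine\WebHosting and the binding address 192.168.218.233 from this guide.

```powershell
# Added example: verify the certificate IIS will present on the HTTPS binding.
# Assumptions: ProducerCA.pfx was imported into Local Machine / Web Hosting and the
# binding address is 192.168.218.233 (the guide's value).
$BindingAddress = "192.168.218.233"
$StorePath      = "Cert:\LocalMachine\WebHosting"
$ServerAuthOid  = "1.3.6.1.5.5.7.3.1"   # Server Authentication

$cert = Get-ChildItem $StorePath | Where-Object { $_.Subject -eq "CN=$BindingAddress" } | Select-Object -First 1
if (-not $cert) { throw "No certificate issued to CN=$BindingAddress in $StorePath (Issued To must match the binding address)" }

# IIS can only use the certificate if the private key came with it (the .pfx, not the .cer)
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key: import ProducerCA.pfx, not ProducerCA.cer" }

# Build the chain the way the Certification Path tab does. The test root publishes no CRL,
# so revocation checking is off here; with a real CA leave it on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) { "OK" }
              else { ($element.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; " }
    "{0,-40} {1}" -f $element.Certificate.Subject, $status
}
if (-not $chainOk) {
    throw "Chain does not validate. Typical cause: AdapterRoot is missing from Local Computer / Trusted Root Certification Authorities."
}

# The chain must end at the root that also signed ConsumerCA, otherwise the client certificate will not be trusted
$rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
if ($rootSubject -ne "CN=AdapterRoot") { Write-Warning "Chain ends at '$rootSubject', not at AdapterRoot" }

# Extended key usage: if the extension is present it must allow Server Authentication
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
    Write-Warning "Certificate does not allow Server Authentication; browsers and the security server will reject it"
}
"ProducerCA check passed: thumbprint $($cert.Thumbprint), issued by $($cert.Issuer)"
```

Run it on the IIS machine after the import and before the browser test; the chain listing prints one line per certificate from ProducerCA up to AdapterRoot, and an empty status column on every line corresponds to “This certificate is OK” in the dialog.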
In the interconnection ‘Service provider’s application <-> Security server’, the security server is the client and the IIS web application is the server. The client and the server must trust each other’s certificates, so the certificates have to be exchanged.
Importing the service producer’s application certificate into the security server:
- Security Server Clients
- Select the service producer’s role
- Tab Internal Services
- Internal TLS Certificates
- Click the Browse button and select the ProducerCA.der file
- EXPORT – save the security server’s certificate to the service application’s machine.
The security server’s (client) certificate has to be imported into the application server’s Local Computer/Trusted Root Certification Authorities repository, and the application server’s certificate has to be imported into the security server:
- Log in to the security server user interface
- Security Server Clients -> select the service producer
- Internal Certificate -> Export
- Unpack the archive and import cert.cer into the trusted root certificate repository of the application machine.
Setting up the security server is the same as before, except that Connection Type must be HTTPS.
The first six steps of setting up the client application are the same as for the server application. Additionally, the client certificate has to be specified:
- Click New Endpoint Behavior Configuration
- In the added element, select the sub-element clientCertificate
- Here you set up in which repository and by which criterion the client certificate is searched for; in this guide, the parameters are as follows:
StoreLocation: Current User
The final configuration of the client application is as follows:
<?xml version="1.0" encoding="utf-8" ?>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
<clientCertificate findValue="ConsumerCA" x509FindType="FindBySubjectName" />
<transport clientCredentialType="Certificate" />
<endpoint address="https://192.168.219.123" behaviorConfiguration="SSLBehavior"
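As an added example that is not part of the manual, a PowerShell check of the client side: it locates the consumer certificate exactly as the clientCertificate element above does (Current User / Personal repository, FindBySubjectName, "ConsumerCA") and calls the endpoint once without and once with that certificate. Assumed: the endpoint address https://192.168.219.123/ from the configuration above, and that AdapterRoot is already trusted on the client machine so the server certificate validates.

```powershell
# Added example: reproduce the WCF client certificate lookup and test the HTTPS endpoint.
# Assumption: endpoint address from the client configuration in the guide.
$ServiceUrl = "https://192.168.219.123/"

# storeLocation="CurrentUser", storeName="My", x509FindType="FindBySubjectName", findValue="ConsumerCA"
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$found = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName, "ConsumerCA", $false)
$store.Close()

# FindBySubjectName is a substring match: a leftover "ConsumerCA-old" would match too, and WCF then
# takes whichever comes first. Insist on exactly one hit, or switch the config to FindByThumbprint.
if ($found.Count -ne 1) { throw "Expected exactly one certificate matching 'ConsumerCA' in CurrentUser\My, found $($found.Count)" }
$clientCert = $found[0]
if (-not $clientCert.HasPrivateKey) { throw "ConsumerCA has no private key: import ConsumerCA.pfx, not ConsumerCA.cer" }

# 1) Without a client certificate the server must refuse (HTTP 403, as in the browser check)
try {
    Invoke-WebRequest -Uri $ServiceUrl -UseBasicParsing | Out-Null
    Write-Warning "Endpoint answered without a client certificate: 'Client certificates: Require' is not in effect"
} catch {
    $code = [int]$_.Exception.Response.StatusCode   # 0 when the TLS handshake itself failed
    if ($code -eq 403) { "OK: endpoint refuses connections without a client certificate (403)" } else { throw }
}

# 2) With ConsumerCA the same request must succeed
$response = Invoke-WebRequest -Uri $ServiceUrl -Certificate $clientCert -UseBasicParsing
"With ConsumerCA: HTTP $($response.StatusCode)"
```

If the first request fails with a TLS error rather than 403, the client machine does not trust the producer certificate’s chain (AdapterRoot is missing from its trusted root repository); fix that before looking at the client certificate.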