Getting Started With WCF over SSL
· Create an IIS application that is accessed only over SSL, using a self-signed certificate.
· Use the WCF Test Client to connect over HTTPS and verify the service is running.
YOU WILL NEED:
· SELFSSL7.exe available here: http://www.iisinformation.com/2010/05/self-signing-ssl-for-iis7-selfssl7/
· IIS instance installed locally
· Sufficient access to install certificates in the local machine's Trusted Root Certification Authorities store (an elevated, "run as administrator" session)
Self Signed Certificate Installation
1. Install SELFSSL7 to a convenient location
2. Open IIS7 management console as administrator
3. Open your ‘Default Web Site’ and create an application called TestSSL
a. use a physical path like C:\inetpub\wwwroot\secure
b. accept the other defaults and hit OK
4. Open a command line tool (e.g. powershell) as administrator
5. Run SelfSSL7.exe with the following command:
selfssl7 /V 9999 /I /T /Q
This command creates a certificate with a 1024-bit RSA key that is valid for 9999 days, named after the machine (<YOUR_PC_NAME>), binds it to the “Default Web Site” on all unassigned IP addresses for port 443 (/I), adds it to the local machine's Trusted Root Certification Authorities store so that clients on this machine trust it (/T), and overwrites any existing binding on port 443 without prompting (/Q). Two caveats for a practitioner: a 1024-bit key is below the 2048-bit minimum that current browsers and CAs enforce, so treat this certificate as local-test-only; and a 9999-day validity means it will never expire on its own, so remove it from the Root store when you are done with the test rig.
One of the important things to remember about self-signed certificates and WCF is that the host name in the URL must match the name on the certificate (the Subject CN, or a Subject Alternative Name) exactly. If it does not, certificate validation fails on the client, whether that client is a browser, the WCF Test Client or your own code, and the correct fix is to issue a certificate with the right name, not to switch validation off.
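The following PowerShell script is an added verification step, not part of the original walkthrough, that confirms what the SelfSSL7 command above should have produced before you move on to the IIS settings. It assumes Windows 7 / Server 2008 R2 with the IIS WebAdministration module, an elevated prompt, and that the certificate was named after the machine (the tool's default); the store paths, the site name and the sample URLs are assumptions for illustration.

```powershell
# Added verification script (not part of the original walkthrough). Run it from the same
# elevated PowerShell window you used for SelfSSL7. Assumes the IIS WebAdministration module.
Import-Module WebAdministration

$expectedCn = $env:COMPUTERNAME          # SelfSSL7 names the certificate after the machine (assumed default)
$siteName   = 'Default Web Site'

# 1. The certificate must be in the machine's Personal store (where IIS reads it from)...
$cnPattern = '^CN=' + [regex]::Escape($expectedCn) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $cnPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$expectedCn in LocalMachine\My. Was SelfSSL7 run as administrator?" }

# ...and a copy must be in Trusted Root (what /T does), or every client on this box will reject it.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $trusted) { Write-Warning "Certificate $($cert.Thumbprint) is NOT in LocalMachine\Root; browsers and WCF clients will fail validation." }

# 2. Key size and validity. 1024-bit RSA is below the 2048-bit minimum current browsers enforce,
#    so treat such a certificate as local-test-only.
$keySize = $cert.PublicKey.Key.KeySize
"Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Key: $keySize bits  Expires: $($cert.NotAfter)"
if ($keySize -lt 2048) { Write-Warning "Key size $keySize is test-only; use 2048 bits for anything reachable from other machines." }

# 3. The https binding that /I created must exist on the site...
$binding = Get-WebBinding -Name $siteName -Protocol https
if (-not $binding) { throw "No https binding on '$siteName'; re-run SelfSSL7 with /I or add one in IIS Manager." }
$binding | Format-List protocol, bindingInformation

# ...and HTTP.SYS must actually serve this thumbprint on 0.0.0.0:443 (this is what the browser sees).
$sslInfo   = netsh http show sslcert ipport=0.0.0.0:443
$hashMatch = $sslInfo | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
if (-not $hashMatch) {
    Write-Warning "No SSL certificate bound to 0.0.0.0:443 in HTTP.SYS."
} elseif ($hashMatch.Matches[0].Groups[1].Value -ne $cert.Thumbprint) {
    Write-Warning "Port 443 serves $($hashMatch.Matches[0].Groups[1].Value) but the expected certificate is $($cert.Thumbprint)."
}

# 4. The name check from the text: the URL host name must equal the certificate CN exactly.
#    A certificate named 'it-05' is valid for https://it-05/ but not for https://localhost/ or an FQDN.
#    The three URLs below are constructed examples.
foreach ($url in "https://$expectedCn/", 'https://localhost/', "https://$expectedCn.corp.example/") {
    $hostName = ([Uri]$url).Host
    if ($hostName -ieq $expectedCn) { "{0,-45} name matches certificate" -f $url }
    else                            { "{0,-45} name MISMATCH: expect a certificate error" -f $url }
}
```

If the script warns that the thumbprint served on port 443 differs from the one in the Personal store, the IIS binding is pointing at an older certificate; fix it in the binding editor (step 4 of the next section) rather than re-running SelfSSL7 repeatedly, which leaves stale certificates in both stores.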
SSL application creation
1. Reopen the IIS7 management console, select the TestSSL application created above and open its SSL Settings
2. Tick the Require SSL option and hit Apply (plain http requests to the application will now be answered with 403.4)
3. Open the Bindings for the ‘Default Web Site’ site and ensure there is an https binding on port 443
4. Edit the https binding and ensure that it is using the YOUR_PC_NAME certificate
Test WCF Service creation
1. Open Visual Studio 2010 and create a new WCF Service Application
2. Open the web.config
Replace the system.serviceModel element with the following markup (the service name, contract name and host name are those of the default Visual Studio project and the certificate created above; adjust them to match yours):
<system.serviceModel>
  <services>
    <service name="WcfService1.Service1" behaviorConfiguration="https">
      <endpoint address="https://<YOUR_PC_NAME>/TestSSL/Service1.svc" binding="wsHttpBinding" bindingConfiguration="TransportSecurity" contract="WcfService1.IService1"/>
      <endpoint address="mex" binding="mexHttpsBinding" name="Metadata" contract="IMetadataExchange"/>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="TransportSecurity">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="https">
        <serviceMetadata httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
</system.serviceModel>
This markup achieves several things, reading from top to bottom:
· It sets up two service endpoints: one for the service itself over https and another for accessing metadata about the service, also over SSL (mexHttpsBinding). Note the contracts used and the use of a qualified name (namespace plus type) to describe the service contract.
· It modifies the standard ‘wsHttpBinding’ to use transport-level security (SSL) with a server certificate only: the server is authenticated by its certificate and the client is anonymous (clientCredentialType="None"). This implies that the client must trust the server certificate. The binding is labelled ‘TransportSecurity’.
· It creates a service behaviour called ‘https’ that enables publishing of metadata (for service discovery) over https and returning exception details in faults. The latter exposes stack traces and internal type names to any caller, so leave includeExceptionDetailInFaults set to true only on a development box and switch it to false before the service is reachable by anyone else.
· Finally, leaving ‘multipleSiteBindingsEnabled’ at false allows the endpoint to use an absolute https URL; setting it to true would require relative endpoint addresses instead.
· Note the service endpoint is wired to the modified binding and behaviour through the ‘bindingConfiguration’ and ‘behaviorConfiguration’ attributes, respectively.
3. Open the project properties and go to the ‘Package/Publish Web’ tab
4. Change the IIS Web site/application name to ‘Default Web Site/TestSSL’ (site name, then the application created above)
5. Save the properties
6. Right click the project in the Solution Explorer and choose ‘Build Deployment Package’. Wait for the package to be created
7. Right click the project again, this time selecting the Publish... menu item. The publish profile dialog opens.
8. Rename the profile to ‘FileSystem’ and change the publish method to ‘File System’.
Set the target location to the physical location of your web application (the path chosen in step 3 of the certificate installation) and set it to delete all existing files.
Hit publish and wait for it to succeed. *NOTE* You may need to edit permissions for folders created under c:\inetpub\wwwroot
9. Double check your deployment by browsing to the physical location of your TestSSL site: it should contain Service1.svc, web.config and a bin folder with the compiled assembly.
10. Check the service is up and running: go to https://<YOUR_PC_NAME>/TestSSL/Service1.svc in a browser. You should see the WCF service page with a link to the WSDL.
If instead you see a certificate warning in your browser, or the page cannot be displayed because of a trust error:
View the certificate and double check that the certificate name matches the host name in the URL you have assigned to the website. They must match exactly. E.g. for a website on https://it-05/ to work, you must name your certificate ‘it-05’; a certificate named ‘it-05’ is not valid for https://localhost/ or for the machine's fully qualified name. Fix the name or the trust, never the check: disabling certificate validation on the client would also accept an attacker's certificate.
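The following PowerShell script is an added smoke test for step 10, not part of the original walkthrough. It fetches the service metadata over HTTPS with certificate validation left on, reports the certificate-warning case separately from other failures, and confirms that plain HTTP is now refused because Require SSL is ticked. The host name, the application path and the WSDL query string are assumptions based on the steps above; change $hostName to whatever you named the certificate.

```powershell
# Added smoke test (not part of the original walkthrough). Runs on PowerShell 2.0 or later;
# uses System.Net.HttpWebRequest so certificate validation is the normal .NET chain + name check.
$hostName = $env:COMPUTERNAME                                  # assumed: certificate CN = machine name
$httpsUrl = "https://$hostName/TestSSL/Service1.svc?wsdl"      # assumed application path from the text
$httpUrl  = "http://$hostName/TestSSL/Service1.svc?wsdl"

function Get-Url([string]$url) {
    # Returns status code, whether the body looks like WSDL, the server certificate, and any error.
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Timeout = 10000
    try {
        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd(); $reader.Close(); $resp.Close()
        New-Object PSObject -Property @{
            Url = $url; Status = [int]$resp.StatusCode; Error = $null
            IsWsdl = $body.Contains('<wsdl:definitions')
            ServerCert = $req.ServicePoint.Certificate            # populated once the handshake succeeded
        }
    } catch [System.Net.WebException] {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        New-Object PSObject -Property @{
            Url = $url; Status = $status; IsWsdl = $false; ServerCert = $null
            Error = "$($_.Exception.Status): $($_.Exception.Message)"   # e.g. "TrustFailure: ..."
        }
    }
}

$https = Get-Url $httpsUrl
$http  = Get-Url $httpUrl

if ($https.IsWsdl) {
    "HTTPS OK: metadata served by '$($https.ServerCert.Subject)' (expires $($https.ServerCert.GetExpirationDateString()))"
} elseif ($https.Error -like 'TrustFailure*') {
    # This is the certificate-warning case from the text. Fix the NAME or the TRUST, never the check:
    #   name : the certificate CN must equal $hostName (re-issue with selfssl7, or browse by the CN)
    #   trust: the certificate must be in Cert:\LocalMachine\Root (the /T switch)
    # Do NOT "fix" it with
    #   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # which accepts any certificate, including an attacker's, for every request in the process.
    "HTTPS FAILED certificate validation: $($https.Error)"
} else {
    "HTTPS FAILED: status=$($https.Status) error=$($https.Error)"
}

# With "Require SSL" ticked, IIS answers plain HTTP with 403 (substatus 403.4). Anything else means
# the setting did not take effect on the TestSSL application.
if ($http.Status -eq 403) { "HTTP correctly refused (403, SSL required)" }
else { "WARNING: plain HTTP returned status=$($http.Status) error=$($http.Error); Require SSL is not in effect" }
```

The TrustFailure branch is the one worth understanding: .NET reports the same status for a name mismatch and for an untrusted root, so check both the CN and the Root store before assuming the certificate is wrong.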
Using the WCF Test Client to Check your work
1. Generally the test client exists at the following location on 64-bit machines:
c:\program files (x86)\microsoft visual studio 10.0\common7\IDE\wcftestclient.exe
2. Find it and run it
3. Add a service (File > Add Service) using the https address of your service, e.g. https://it-05/TestSSL/Service1.svc
4. If everything went well, you should see a listing of the service operations on your service. If the tool reports that it could not establish a trust relationship for the SSL/TLS channel, the certificate name does not match the host name in the address, or the certificate is not in the Trusted Root store.