Message Security with a Certificate Client
The following scenario shows a Windows Communication Foundation (WCF) client and service secured using message security mode. Both the client and the service are authenticated with certificates. For more information, see Distributed Application Security.
For a sample application, see Message Security Certificate.
| Characteristic | Description |
|---|---|
|
Security Mode |
Message |
|
Interoperability |
WCF only |
|
Authentication (Server) |
Using service certificate |
|
Authentication (Client) |
Using client certificate |
|
Integrity |
Yes |
|
Confidentiality |
Yes |
|
Transport |
HTTP |
|
Binding |
Service
The following code and configuration are meant to run independently. Do one of the following:
-
Create a stand-alone service using the code with no configuration.
-
Create a service using the supplied configuration, but do not define any endpoints.
Code
The following code shows how to create a service endpoint that uses message security to establish a secure context.
// Create the binding. WSHttpBinding binding = new WSHttpBinding(); binding.Security.Mode = SecurityMode.Message; binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate; // Create the URI for the endpoint. Uri httpUri = new Uri("http://localhost/Calculator"); // Create the service host. ServiceHost myServiceHost = new ServiceHost(typeof(Calculator), httpUri); myServiceHost.AddServiceEndpoint(typeof(ICalculator), binding, ""); // Specify a certificate to authenticate the service. myServiceHost.Credentials.ServiceCertificate. SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "Contoso.com"); // Open the service. myServiceHost.Open(); Console.WriteLine("Listening..."); Console.ReadLine(); // Close the service. myServiceHost.Close();
Configuration
The following configuration can be used instead of the code.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceCredentialsBehavior">
<serviceCredentials>
<serviceCertificate findValue="Contoso.com"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceCredentialsBehavior"
name="ServiceModel.Calculator">
<endpoint address="http://localhost/Calculator"
binding="wsHttpBinding"
bindingConfiguration="MessageAndCerficiateClient"
name="SecuredByClientCertificate"
contract="ServiceModel.ICalculator" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client />
</system.serviceModel>
</configuration>
Client
The following code and configuration are meant to run independently. Do one of the following:
-
Create a stand-alone client using the code (and client code).
-
Create a client that does not define any endpoint addresses. Instead, use the client constructor that takes the configuration name as an argument. For example:
Code
The following code creates the client. The binding is to message mode security, and the client credential type is set to Certificate.
// Create the binding. WSHttpBinding myBinding = new WSHttpBinding(); myBinding.Security.Mode = SecurityMode.Message; myBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate; // Create the endpoint address. EndpointAddress ea = new EndpointAddress("http://machineName/Calculator"); // Create the client. CalculatorClient cc = new CalculatorClient(myBinding, ea); // Specify a certificate to use for authenticating the client. cc.ClientCredentials.ClientCertificate.SetCertificate( StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "Cohowinery.com"); // Begin using the client. try { cc.Open(); Console.WriteLine(cc.Add(200, 1111)); Console.ReadLine(); // Close the client. cc.Close(); }
Configuration
The following configuration specifies the client certificate using an endpoint behavior. For more information about certificates, see Working with Certificates. The code also uses an <identity> element to specify a Domain Name System (DNS) of the expected server identity. For more information about identity, see Service Identity and Authentication.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="endpointCredentialsBehavior">
<clientCredentials>
<clientCertificate findValue="Cohowinery.com"
storeLocation="LocalMachine"
x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://machineName/Calculator"
behaviorConfiguration="endpointCredentialsBehavior"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
contract="ICalculator"
name="WSHttpBinding_ICalculator">
<identity>
<dns value="Contoso.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
See Also
Build Date:
