Securing Web Services with X.509 Certificates (Page 1 of 4)

Last week's exercise began teaching you about the security and policy enhancements in Web Services Enhancements (WSE) 2.0. This article, covering the second exercise in the lab, picks up where last week's left off. It was written by MSDN Virtual Labs.

Exercise 2: Securing Web Services with X.509 Certificates

Scenario

In the last exercise you secured SecureInvoiceServiceA by requiring UsernameToken authentication, a message signature, and encryption. Signing and encrypting with a UsernameToken is not the most secure option: the keys are derived from a password, so both parties must know the secret and the protection is only as strong as that password. A binary security token such as an X.509 certificate, whose private key never leaves its owner, offers a higher level of security. In this exercise, you'll walk through the process of installing some sample certificates and configuring your application to use them for signing and encryption. You'll be working in the Exercises\B\before directory.

Tasks and Detailed Steps

Installing the Sample Certificates

WSE 2.0 provides two sample certificates for you to use while testing your WSE 2.0 applications. Both were generated by the makecert tool provided in the Microsoft Platform Software Development Kit. Before you can use them in your applications, you must install them on your computer.
Note: you should not use these sample certificates in a production environment. Their private keys and the password protecting them are published with the WSE samples, so anyone could sign as your client or decrypt traffic sent to your service. For production you must request your own certificate from a certificate authority and then follow the same procedure shown here to install it.
- Open an MMC console by clicking Start, clicking Run, typing mmc, and then clicking OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add, and under Snap-in, double-click Certificates.
- Click My user account to add the certificates for the current user. Click Finish.
- Click Add, and under Snap-in, double-click Certificates again.
- Click Computer account to add the local machine's certificates.
- Click Next.
- Click Finish.
- Click Close.
- Click OK.
- Your MMC window should now look something like this:
- In the console tree, click Certificates - Current User | Personal.
- Open the Certificate Import wizard by clicking Action | All Tasks | Import….
- Click Next.
- In the File Name field, type C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Client Private.pfx.
- Click Next.
- In the Password field, type wse2qs.
- Click Next.
- Click Next.
- Click Finish.
- Click OK.
Note: this certificate will be used by our client application to sign messages sent to the service. It could also be used to identify the client for authentication purposes.
- In the console tree, click Certificates (Local Computer) | Personal.
- Open the Certificate Import wizard by clicking Action | All Tasks | Import….
- Click Next.
- In the File Name field, type C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Private.pfx.
- Click Next.
- In the Password field, type wse2qs.
- Click Next.
- Click Next.
- Click Finish.
- Click OK.
Note: this certificate will be used to encrypt messages between the applications. The client application will use the public key to encrypt the message and the service will use the private key to decrypt the message. The client needs to have the public portion of the certificate available in the Current User store.
- In the console tree, click Certificates - Current User | Other People.
Note: the Other People store is not shown in the console until it contains at least one certificate. If you don't have an Other People store under Current User, open Internet Explorer, click Tools | Internet Options | Content, and click the Certificates button. Click the Other People tab in the certificates dialog. You can import the certificate by clicking Import… and then following steps hh-mm.
- If importing in the mmc, open the Certificate Import wizard by clicking Action | All Tasks | Import….
- Click Next.
- In the File Name field, type C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Public.cer.
- Click Next.
- Click Next.
- Click Finish.
- Click OK.
- If importing through Internet Explorer, click Close, click OK, close Internet Explorer, and return to the mmc.
- Close the mmc.
- If prompted to save settings, click No.
Note: this certificate contains only the public portion of Server Private.pfx. The client will use it to encrypt messages and the server will use the private key installed in the Local Machine store to decrypt them. Because that private key lives in the machine store, the identity the web service runs under (for example the ASP.NET worker process account) must have read access to it; if it does not, the service can find the certificate but will fail when it tries to decrypt.
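The same three imports, done from PowerShell instead of the MMC, followed by the checks a practitioner would want before moving on (private key actually present where signing and decryption happen, public certificate in Other People matching the server's private certificate). This is an added example, not code from the MSDN lab; it assumes the default WSE 2.0 sample path and the published sample password from the steps above, and must run from an elevated prompt because it writes to the LocalMachine store.

```powershell
# Added example (not part of the MSDN Virtual Labs exercise): installs the WSE 2.0
# sample certificates into the same stores the MMC steps use, then verifies them.
# Assumptions: default WSE 2.0 sample directory, the lab's published PFX password,
# and an elevated prompt (the LocalMachine store needs administrator rights).

$SampleDir   = 'C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates'
$PfxPassword = 'wse2qs'   # published sample password; never ship a real key with a known one

function Import-CertToStore {
    param(
        [string]$Path,
        [string]$Password,    # omit for a .cer file (public key only)
        [string]$StoreName,   # 'My' = Personal, 'AddressBook' = Other People
        [string]$Location     # 'CurrentUser' or 'LocalMachine'
    )
    if ($Password) {
        # PersistKeySet keeps the private key after the object is garbage-collected;
        # without it the certificate shows up in the store but its key is not usable later.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
        if ($Location -eq 'LocalMachine') {
            # Machine key container, so a service account (not only the importing user) can reach the key.
            $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
        } else {
            $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    } else {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }   # adding a certificate that is already present is harmless
    finally { $store.Close() }
    return $cert
}

function Find-StoreCert {
    param([string]$Thumbprint, [string]$StoreName, [string]$Location)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false: the makecert sample certificates do not chain to a trusted
        # root, so a "valid only" search would silently return nothing.
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $Thumbprint, $false)
        if ($found.Count -gt 0) { return $found[0] } else { return $null }
    } finally { $store.Close() }
}

function Test-SampleCertInstall {
    param($ClientCert, $ServerCert, $ServerPublicCert)
    $ok = $true
    # Client signs with its private key, so the key must be present in CurrentUser\Personal.
    $c = Find-StoreCert $ClientCert.Thumbprint 'My' 'CurrentUser'
    if (-not $c -or -not $c.HasPrivateKey) { Write-Warning 'Client Private.pfx missing or has no private key in CurrentUser\Personal'; $ok = $false }
    # Service decrypts with its private key, so the key must be present in LocalMachine\Personal.
    $s = Find-StoreCert $ServerCert.Thumbprint 'My' 'LocalMachine'
    if (-not $s -or -not $s.HasPrivateKey) { Write-Warning 'Server Private.pfx missing or has no private key in LocalMachine\Personal'; $ok = $false }
    # Client encrypts with the public certificate, which must be in CurrentUser\Other People and must not carry a key.
    $p = Find-StoreCert $ServerPublicCert.Thumbprint 'AddressBook' 'CurrentUser'
    if (-not $p -or $p.HasPrivateKey) { Write-Warning 'Server Public.cer missing from CurrentUser\Other People, or unexpectedly carries a private key'; $ok = $false }
    # The certificate the client encrypts to must be the one whose private key the service holds.
    if ($ServerPublicCert.Thumbprint -ne $ServerCert.Thumbprint) { Write-Warning 'Server Public.cer does not match Server Private.pfx'; $ok = $false }
    return $ok
}

$client    = Import-CertToStore -Path "$SampleDir\Client Private.pfx" -Password $PfxPassword -StoreName 'My' -Location 'CurrentUser'
$server    = Import-CertToStore -Path "$SampleDir\Server Private.pfx" -Password $PfxPassword -StoreName 'My' -Location 'LocalMachine'
$serverPub = Import-CertToStore -Path "$SampleDir\Server Public.cer" -StoreName 'AddressBook' -Location 'CurrentUser'

foreach ($cert in $client, $server, $serverPub) {
    '{0,-40} {1}  expires {2:yyyy-MM-dd}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
if (Test-SampleCertInstall $client $server $serverPub) { 'Sample certificates installed as the lab expects.' }
else { throw 'Sample certificate installation is incomplete; see warnings above.' }
```

The script uses the .NET X509Store API directly rather than the newer Import-PfxCertificate cmdlets, so it runs on the Windows versions WSE 2.0 targeted. Note the `HasPrivateKey` checks: the most common failure when moving on to the signing and encryption steps is a certificate that was imported without its private key, or a machine-store key the service account cannot read, and both look identical to a correct install in the MMC list view.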