Как я могу реализовать безопасность WCF, используя самозаверяющий сертификат?

Question

Я настроил Google для настройки службы WCF с использованием защиты сертификатов и нашел несколько статей, но не могу решить, за какой статьей легко следоватьКроме того, когда я набираю эти команды, некоторые инструменты есть в командной строке Visual Studio, а некоторые нет.Кто-нибудь может сказать мне точные шаги или указать мне хорошие ссылки?

Заранее спасибо:)

Answer 1

Самое сложное в этом - конфигурация.В противном случае задача состоит в том, чтобы просто создать сертификат клиента и сервера и установить сертификаты.Я полагаю, вы знаете, как это сделать.Сертификаты должны быть размещены в магазине доверенных лиц.В основном урезанный конфиг вставлен ниже.Я использовал это успешно (вам придется заменить значения, такие как «адрес здесь» ... так что постройте этот конфиг построчно и решите, что вы хотите назвать вещи.из двух учебных пособий, но у меня больше нет ссылок.

 <system.serviceModel>
<services>
  <service name="MyService" behaviorConfiguration="MyServiceBehavior">
    <endpoint name="MyServiceEndpoint" address="" binding="netTcpBinding" bindingConfiguration="MyServiceBinding" contract="IMyContract"/>
    <host>
      <baseAddresses>
        <add baseAddress="address here"/>
      </baseAddresses>
    </host>
  </service>
</services>
<client>
  <endpoint name="MyClientEndpoint" address="address here" behaviorConfiguration="ClientCertificateBehavior" binding="netTcpBinding" bindingConfiguration="MyClientBinding" contract="IMyContract">
    <identity>
      <dns value="ServerCertificate"/>
    </identity>
  </endpoint>
</client>
<behaviors>
  <serviceBehaviors>
    <behavior name="MyServiceBehavior">
      <serviceMetadata/>
      <!--need this for mex to work properly!-->

      <!-- 
        The serviceCredentials behavior allows you to define a service certificate.
        A service certificate is used by the service to authenticate itself to its clients and to provide message protection.
        This configuration references the "localhost" certificate installed during the set up instructions.
      -->
      <serviceCredentials>
        <serviceCertificate findValue="ServerCertificate" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
        <clientCertificate>
          <!-- 
          Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate 
          is in the user's Trusted People store, then it is trusted without performing a
          validation of the certificate's issuer chain. This setting is used here for convenience so that the 
          sample can be run without having certificates issued by a certificate authority (CA).
          This setting is less secure than the default, ChainTrust. The security implications of this 
          setting should be carefully considered before using PeerOrChainTrust in production code. 
          -->
          <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="CurrentUser"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
  <endpointBehaviors>
    <behavior name="ClientCertificateBehavior">
      <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
      <!-- 
      The clientCredentials behavior allows you to define a certificate to present to a service.
      A certificate is used by a client to authenticate itself to the service and provide message integrity.
      This configuration references the "client.com" certificate installed during the setup instructions.
      -->
      <clientCredentials>
        <clientCertificate findValue="WFCClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
        <serviceCertificate>
          <!-- 
          Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate 
          is in the user's Trusted People store, then it is trusted without performing a
          validation of the certificate's issuer chain. This setting is used here for convenience so that the 
          sample can be run without having certificates issued by a certificate authority (CA).
          This setting is less secure than the default, ChainTrust. The security implications of this 
          setting should be carefully considered before using PeerOrChainTrust in production code. 
          -->
          <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="CurrentUser"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<bindings>
  <netTcpBinding>
    <binding name="MyClientBinding" maxConnections="25000" listenBacklog="25000" portSharingEnabled="false" closeTimeout="00:05:00" openTimeout="00:05:00" sendTimeout="24:11:30" transferMode="Buffered" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="2097152000" maxReceivedMessageSize="2097152000" maxBufferPoolSize="2097152000">
      <readerQuotas maxStringContentLength="2000000000" maxArrayLength="2000000000" maxDepth="2000000000" maxBytesPerRead="2000000000" maxNameTableCharCount="2000000000"/>
      <security mode="Transport">
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign"/>
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
    <binding name="MyServiceBinding" maxConnections="25000" listenBacklog="25000" portSharingEnabled="false" closeTimeout="00:05:00" openTimeout="00:05:00" receiveTimeout="24:12:35" transferMode="Buffered" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="10485760" maxReceivedMessageSize="10485760" maxBufferPoolSize="104857600">
      <readerQuotas maxStringContentLength="2000000000" maxArrayLength="2000000000" maxDepth="2000000000" maxBytesPerRead="2000000000" maxNameTableCharCount="2000000000"/>
      <security>
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>