Hi,

This is giving me a headache:

I have a web service with a service contract in my web application. All I need to do is consume it as an SSL web service and not allow access via unsecured http.

I think my issue is the web.config and app.config for my unit test project.

Here is my current incarnation of Web.config:
HTML
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="basicHttpsBinding" maxReceivedMessageSize="524288000">
        <security mode="Transport">
          <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
          <message clientCredentialType="Certificate" algorithmSuite="Default"/>
        </security>
      </binding>
      <binding name="mexHttpBinding" maxReceivedMessageSize="524288000" />
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="fw.Services.AServiceAccess">
      <endpoint address="" binding="basicHttpBinding"  contract="fw.Services.IAServiceAccess" bindingConfiguration="basicHttpsBinding">
      </endpoint>
    </service>
  </services>
</system.serviceModel>


and here is my app.config

HTML
<configuration>
  <system.net>
    <settings>
      <servicePointManager checkCertificateName="false" checkCertificateRevocationList="false"/>
    </settings>
  </system.net>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IAServiceAccess" />
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://www.fw.codep.co.uk/Services/AServiceAccess.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAServiceAccess"
        contract="ASecureAccessService.IAServiceAccess"
        name="BasicHttpBinding_IAServiceAccess" />
    </client>
  </system.serviceModel>
</configuration>


I did get the service working with standard http with large requests. If I use https in the address I get the error:
Debug Trace:
TestCorrectDetails: AssemblyInit {0}
AssemblyCleanup
Test method FlightWatchUnitTests.Application.WebInterface.Services.AirlineServiceAccessTest.TestCorrectDetails threw exception: 

System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.

    at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
 --- End of inner exception stack trace ---


The default subdomain is dev. but I have www. (and others) set as valid subdomains.


I have googled long and hard but almost all instances of WCF web services are not set up the way I have done it, and config settings make my head hurt >_<
Can anyone help me get back on track with this?

Thanks ^_^
Andy


EDIT: Updated configs and error message to latest issue
Posted
Updated 26-May-15 2:18am
v2
Comments
F-ES Sitecore 26-May-15 5:54am    
Obvious questions first, but you never know....have you installed a valid working SSL certificate on the server that is hosting your service? ie not a dev one created by IIS but one you've bought from an issuing authority?
Andy Lanng 26-May-15 5:56am    
No - I'm just using a dev one atm. I should still be able to get it working though, right? This is all on my local machine atm

When the service is live we will have a valid Cert from a CA.
F-ES Sitecore 26-May-15 6:09am    
If dev certs worked then SSL would be meaningless (anyone can create them, it is no guarantee of authenticity) and no-one would buy real ones. Dev certs are not marked as fully secure so you'll get a warning if you view a dev-cert site in your browser asking you if you want to continue and you'll get a visual "red lock" warning instead of a green lock to show the cert is not valid. When it comes to accessing services like WCF the call will just plain fail. If you want to run WCF services from a dev cert then it can be done but you need to take some steps to tell IIS\WCF that the cert should be trusted. I've done this before so I know you can get it working but it was a bit of a pain, there is a guide here

https://msdn.microsoft.com/en-us/library/ff648498.aspx

but if you google "use wcf service temporary certificate" you might find a better guide.
Andy Lanng 26-May-15 6:47am    
I have now followed these steps (I had tried before but I think I missed a step)

I have also implemented Solution 1 and now get (403) forbidden.

This is where I was before. Is this because my unittest project needs to be aware of the certificate? How do I do that?
Abhipal Singh 26-May-15 6:06am    
Your Web.Config is the server config I believe (config file of your website)?

It does not have a secure endpoint defined. However, you are trying to access a secure endpoint from your Application/Unit test (App.config)

1 solution

Enable Anonymous Authentication for now and try the web.config below:
Server config:
XML
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="basicHttpsBinding" maxReceivedMessageSize="524288000">
          <security mode="Transport">
            <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
            <message clientCredentialType="Certificate" algorithmSuite="Default"/>
          </security>
        </binding>
        <binding name="mexHttpBinding" maxReceivedMessageSize="524288000" />
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="fw.Services.AServiceAccess">
        <endpoint address="https://www.fw.codep.co.uk/Services/AServiceAccess.svc"
          binding="basicHttpBinding" bindingConfiguration="basicHttpsBinding"
          contract="fw.Services.IAServiceAccess" />
      </service>
    </services>
  </system.serviceModel>
</configuration>


Client config:
XML
<configuration>
  <system.net>
    <settings>
      <servicePointManager checkCertificateName="false" checkCertificateRevocationList="false"/>
    </settings>
  </system.net>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IAServiceAccess" maxReceivedMessageSize="524288000">
          <security mode="Transport">
            <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
            <message clientCredentialType="Certificate" algorithmSuite="Default"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://www.fw.codep.co.uk/Services/AServiceAccess.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAServiceAccess"
        contract="ASecureAccessService.IAServiceAccess"
        name="BasicHttpBinding_IAServiceAccess" />
    </client>
  </system.serviceModel>
</configuration>
 
v5
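An added example (not part of the original answer, and not the poster's code): a small Python audit of a WCF `.config` file that flags the dev-only relaxations seen in this thread, namely `checkCertificateName="false"`, `checkCertificateRevocationList="false"`, and an `https://` endpoint whose `basicHttpBinding` has no transport security, so they can be caught before the CA-issued certificate goes live. The function name, the finding codes and the trimmed sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: client app.config from the thread, trimmed; {spm} and
# {sec} are filled in so the question's and the answer's variants can be compared.
TEMPLATE = """<configuration>
  <system.net><settings>{spm}</settings></system.net>
  <system.serviceModel>
    <bindings><basicHttpBinding>
      <binding name="BasicHttpBinding_IAServiceAccess">{sec}</binding>
    </basicHttpBinding></bindings>
    <client>
      <endpoint address="https://www.fw.codep.co.uk/Services/AServiceAccess.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAServiceAccess"
        contract="ASecureAccessService.IAServiceAccess" />
    </client>
  </system.serviceModel>
</configuration>"""
RELAXED = '<servicePointManager checkCertificateName="false" checkCertificateRevocationList="false"/>'
TRANSPORT = '<security mode="Transport"><transport clientCredentialType="None"/></security>'
TLS_MODES = {"Transport", "TransportWithMessageCredential"}

def audit_config(xml_text):
    """Return sorted (code, detail) findings for one web.config/app.config."""
    root = ET.fromstring(xml_text)
    findings = []
    # Process-wide relaxations of server certificate validation (system.net).
    for spm in root.iter("servicePointManager"):
        for attr, code in (("checkCertificateName", "NAME_CHECK_OFF"),
                           ("checkCertificateRevocationList", "CRL_CHECK_OFF")):
            if (spm.get(attr) or "").lower() == "false":
                findings.append((code, f'{attr}="false"'))
    # Security mode per named basicHttpBinding; no <security> element means None.
    modes = {}
    for group in root.iter("basicHttpBinding"):
        for b in group.findall("binding"):
            sec = b.find("security")
            modes[b.get("name")] = "None" if sec is None else sec.get("mode", "None")
    # Endpoints whose address scheme and binding security disagree.
    for ep in root.iter("endpoint"):
        addr = (ep.get("address") or "").lower()
        mode = modes.get(ep.get("bindingConfiguration"), "None")
        if ep.get("binding") != "basicHttpBinding":
            continue
        if addr.startswith("https://") and mode not in TLS_MODES:
            findings.append(("HTTPS_WITHOUT_TRANSPORT", f"{addr} mode={mode}"))
        elif addr.startswith("http://"):
            findings.append(("PLAINTEXT_ENDPOINT", addr))
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("question", TEMPLATE.format(spm=RELAXED, sec="")),
                      ("answer", TEMPLATE.format(spm=RELAXED, sec=TRANSPORT))):
        print(name, [code for code, _ in audit_config(cfg)])
```

The question's client config yields all three findings; the answer's client config clears the binding mismatch but still carries the two `servicePointManager` relaxations.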
Comments
Andy Lanng 26-May-15 6:47am    
I now get (403) forbidden, which is better than 404 I guess :P
Abhipal Singh 26-May-15 6:55am    
Yeah!
It looks like the security thing we implemented worked :p

Did you try to browse the service in IE?
Was it browsable? Or are you getting 403 there as well?
Andy Lanng 26-May-15 6:56am    
Browsable after the security warning. I'm using a local self-signed cert
Abhipal Singh 26-May-15 7:00am    
Great!

Add that certificate into your certificate store. Once you do that, the warning will disappear. After that it should work fine from your client.
Andy Lanng 26-May-15 7:01am    
hmm - I think I have :S
I followed the steps here: https://msdn.microsoft.com/en-us/library/ff648498.aspx

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


