Message Security with a Certificate Client

  • Article

The following scenario shows a Windows Communication Foundation (WCF) client and service secured using message security mode. Both the client and the service are authenticated with certificates. For more information, see Distributed Application Security.

For a sample application, see Message Security Certificate.

Message security using a certificate

Characteristic Description

Security Mode

Message

Interoperability

WCF only

Authentication (Server)

Initially using Transport Layer Security (TLS) negotiation requires server authentication using service certificate

Authentication (Client)

Using client certificate and TLS negotiation

Integrity

Yes, using TLS protocol

Confidentiality

Yes, using TLS protocol

Transport

HTTP

Binding

WSHttpBinding

Service

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone service using the code with no configuration.

  • Create a service using the supplied configuration, but do not define any endpoints.

Code

The following code shows how to create a service endpoint that uses message security to establish a secure context.

' Create the binding.
Dim binding As New WSHttpBinding()
binding.Security.Mode = SecurityMode.Message
binding.Security.Message.ClientCredentialType = _
    MessageCredentialType.Certificate

' Create the URI for the endpoint.
Dim httpUri As New Uri("https://localhost/Calculator")

' Create the service host.
Dim myServiceHost As New ServiceHost(GetType(ServiceModel.Calculator), httpUri)
myServiceHost.AddServiceEndpoint(GetType(ICalculator), binding, "")

' Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate( _
   StoreLocation.LocalMachine, StoreName.My, _
   X509FindType.FindBySubjectName, "Contoso.com")

' Open the service.
myServiceHost.Open()
Console.WriteLine("Listening...")
Console.ReadLine()

' Close the service.
myServiceHost.Close()

// Create the binding.
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
     MessageCredentialType.Certificate;

// Create the URI for the endpoint.
Uri httpUri = new Uri("https://localhost/Calculator");

// Create the service host.
ServiceHost myServiceHost =
    new ServiceHost(typeof(Calculator), httpUri);
myServiceHost.AddServiceEndpoint(typeof(ICalculator), binding, "");

// Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.
    SetCertificate(StoreLocation.LocalMachine,
    StoreName.My,
    X509FindType.FindBySubjectName,
    "Contoso.com");

// Open the service.
myServiceHost.Open();
Console.WriteLine("Listening...");
Console.ReadLine();

// Close the service.
myServiceHost.Close();

Configuration

The following configuration can be used instead of the code.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentialsBehavior">
          <serviceCredentials>
            <serviceCertificate findValue="Contoso.com"
                                x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service behaviorConfiguration="ServiceCredentialsBehavior" 
               name="ServiceModel.Calculator">
        <endpoint address="https://localhost/Calculator" 
                  binding="wsHttpBinding"
                  bindingConfiguration="MessageAndCerficiateClient" 
                  name="SecuredByClientCertificate"
                  contract="ServiceModel.ICalculator" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ICalculator">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client />
  </system.serviceModel>
</configuration>

Client

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone client using the code (and client code).

  • Create a client that does not define any endpoint addresses. Instead, use the client constructor that takes the configuration name as an argument. For example:

    Dim cc As New CalculatorClient("EndpointConfigurationName")

    CalculatorClient cc = new CalculatorClient("EndpointConfigurationName");

Code

The following code creates the client. The binding is to message mode security, and the client credential type is set to Certificate.

' Create the binding.
Dim myBinding As New WSHttpBinding()
myBinding.Security.Mode = SecurityMode.Message
myBinding.Security.Message.ClientCredentialType = _
   MessageCredentialType.Certificate

' Create the endpoint address. 
Dim ea As New EndpointAddress("http://machineName/Calculator")

' Create the client. 
Dim cc As New CalculatorClient(myBinding, ea)

' Specify a certificate to use for authenticating the client.
cc.ClientCredentials.ClientCertificate.SetCertificate( _
   StoreLocation.CurrentUser, StoreName.My, _
   X509FindType.FindBySubjectName, "Cohowinery.com")

' Begin using the client.
Try
    cc.Open()

    Console.WriteLine(cc.Add(100, 11))
    Console.ReadLine()

    ' Close the client.
    cc.Close()
Catch tex As TimeoutException
    Console.WriteLine(tex.Message)
    cc.Abort()
Catch cex As CommunicationException
    Console.WriteLine(cex.Message)
    cc.Abort()
Finally
    Console.WriteLine("Closed the client")
    Console.ReadLine()
End Try

// Create the binding.
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Message;
myBinding.Security.Message.ClientCredentialType =
    MessageCredentialType.Certificate;

// Create the endpoint address. 
EndpointAddress ea = new
    EndpointAddress("http://machineName/Calculator");

// Create the client. 
CalculatorClient cc =
    new CalculatorClient(myBinding, ea);

// Specify a certificate to use for authenticating the client.
cc.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.CurrentUser,
    StoreName.My,
    X509FindType.FindBySubjectName,
    "Cohowinery.com");

// Begin using the client.
try
{
    cc.Open();
    Console.WriteLine(cc.Add(200, 1111));
    Console.ReadLine();

    // Close the client.
    cc.Close();
}

Configuration

The following configuration specifies the client certificate using an endpoint behavior. For more information about certificates, see Working with Certificates. The code also uses an <identity> element to specify a Domain Name System (DNS) of the expected server identity. For more information about identity, see Service Identity and Authentication.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="endpointCredentialsBehavior">
          <clientCredentials>
            <clientCertificate findValue="Cohowinery.com" 
               storeLocation="LocalMachine"
              x509FindType="FindBySubjectName" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ICalculator" >
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://machineName/Calculator" 
                behaviorConfiguration="endpointCredentialsBehavior"
                binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_ICalculator"
                contract="ICalculator"
                name="WSHttpBinding_ICalculator">
        <identity>
          <dns value="Contoso.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

See Also

Concepts

Security Overview
Service Identity and Authentication
Working with Certificates