我有关于WCF的证书/安全问题,但我对证书缺乏了解,所以对我来说这很难。我相信有经验的人可以提供帮助:)我得到的.net错误是SecurityNegotiationException:错误:无法与SSL / TLS安全通道建立信任关系具有权限“[第三方网站服务地址]“
如果你无法帮助确切的WCF配置,那么如果你能帮助我更好地理解我正在使用的证书/ PFX的目的/类型,那将是非常棒的,它将极大地帮助我。 或者,如果您有任何疑难解答的想法 - 我很乐意接受尝试,以便最好地解决这个问题。
如何验证我附加的证书与soapUI的证书相同?我打算使用Fiddler来比较请求,但遇到了不为soapUI和.net捕获的问题,它没有出于某种原因向我显示xml请求。
无论如何,进入场景: 我正在与第三方打交道,为了在浏览器中显示他们的web服务,我需要在我受信任的本地计算机根目录中安装他们的WS.cert。
有一个工作示例,我已经在soapUI中给出了它,它适用于第三方的服务。出于某种原因,我有2个pfx文件给我(a.pfx和b.pfx - 渠道证书?)我并不完全确定每个文件的类型或用途,但两个都需要soapUI才能工作。我有他们告诉我的消息签名证书 - a.pfx,我这样设置:
在这里添加了名称a.pfx:soapUI project>属性> WS-Security配置>密钥库/证书。
在soapUI项目下>属性> WS-Security配置>传出的WS-Security配置,我添加了“ws”的配置。 为此,我添加了一个带有以下设置的WSS条目(类型:签名):
Keystore: a.pfx
Key Identifier Type: Binary Security Token
Signature Algorithm: http://www.w3.org/2000!09:smldsig#rsa-sha1
Signature Canonicalization: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
Digest Algorithm: http://www.w3.org/2000/09/xmldsig#sha1
Use Single Certificate : [checked this box] Use single certificate for signing
Parts: Blank
b.pfx如何发挥作用在soapUI>下文件>偏好> SSL设置 KeyStore:添加了适当填充KeyStore密码的b.pfx。但同样,我不确定这是什么以及如何将其纳入WCF。
到目前为止,我的配置尝试看起来像是
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<!--Configure the Client Certificate on the client:
http://msdn.microsoft.com/en-us/library/ff648360.aspx#Step8 -->
<behavior name="myBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"
findValue="40 char hex thumbprint - removedBeforePosting. Points to b.pfx" />
<serviceCertificate>
<defaultCertificate storeLocation="LocalMachine" storeName="Root" x509FindType="FindByThumbprint"
findValue="40 char hex thumbprint - removedBeforePosting. Points to WS.cert" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="myServiceBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
<security mode="Transport">
<!--I believe the transport also needs Certificate because you can't bring up their ws in a browser w/o their cert -->
<transport clientCredentialType="Certificate" proxyCredentialType="None" realm=""/>
<message clientCredentialType="Certificate" algorithmSuite="Default"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://thirdparty.com:443/Service" behaviorConfiguration="myBehavior" binding="basicHttpBinding" bindingConfiguration="myServiceBinding" contract="ThirdPartyService.IThirdPartyService" name="ThirdPartyService_V2_Port">
<identity>
<certificateReference storeLocation="LocalMachine" storeName="My"
x509FindType="FindByThumbprint" findValue="40 char hex thumbprint - removedBeforePosting. Points to a.pfx" />
<!--<certificate encodedValue="QW4k8wz/BGqIfu2pi0OAyjfQJ5cRiiLk" />-->
<!--tHhfDw/gHv27z52lyMrm4JjP76c=-->
</identity>
</endpoint>
</client>
</system.serviceModel>