Question

我确实谷歌它使用证书安全设置我的WCF服务，我发现了一堆文章，但我无法决定哪个文章很容易遵循。此外，当我键入这些命令时，Visual Studio命令提示符中有一些工具，而有些则不是。任何人都能告诉我精确的步骤或指向我一些不错的链接吗？

提前致谢：）

Answer 1

最困难的部分是配置。否则，任务只是创建客户端和服务器证书并安装证书。我猜你知道怎么做。证书必须放在“受信任的人”存储中。下面粘贴了一个大部分简化的配置。我成功地使用了这个（你必须更换像“在这里地址”这样的值...所以逐行完成这个配置并决定你想要命名的东西。我把它放在帮助中两个教程，但我没有链接了。

 <system.serviceModel>
<services>
  <service name="MyService" behaviorConfiguration="MyServiceBehavior">
    <endpoint name="MyServiceEndpoint" address="" binding="netTcpBinding" bindingConfiguration="MyServiceBinding" contract="IMyContract"/>
    <host>
      <baseAddresses>
        <add baseAddress="address here"/>
      </baseAddresses>
    </host>
  </service>
</services>
<client>
  <endpoint name="MyClientEndpoint" address="address here" behaviorConfiguration="ClientCertificateBehavior" binding="netTcpBinding" bindingConfiguration="MyClientBinding" contract="IMyContract">
    <identity>
      <dns value="ServerCertificate"/>
    </identity>
  </endpoint>
</client>
<behaviors>
  <serviceBehaviors>
    <behavior name="MyServiceBehavior">
      <serviceMetadata/>
      <!--need this for mex to work properly!-->

      <!-- 
        The serviceCredentials behavior allows you to define a service certificate.
        A service certificate is used by the service to authenticate itself to its clients and to provide message protection.
        This configuration references the "localhost" certificate installed during the set up instructions.
      -->
      <serviceCredentials>
        <serviceCertificate findValue="ServerCertificate" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
        <clientCertificate>
          <!-- 
          Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate 
          is in the user's Trusted People store, then it is trusted without performing a
          validation of the certificate's issuer chain. This setting is used here for convenience so that the 
          sample can be run without having certificates issued by a certificate authority (CA).
          This setting is less secure than the default, ChainTrust. The security implications of this 
          setting should be carefully considered before using PeerOrChainTrust in production code. 
          -->
          <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="CurrentUser"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
  <endpointBehaviors>
    <behavior name="ClientCertificateBehavior">
      <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
      <!-- 
      The clientCredentials behavior allows you to define a certificate to present to a service.
      A certificate is used by a client to authenticate itself to the service and provide message integrity.
      This configuration references the "client.com" certificate installed during the setup instructions.
      -->
      <clientCredentials>
        <clientCertificate findValue="WFCClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
        <serviceCertificate>
          <!-- 
          Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate 
          is in the user's Trusted People store, then it is trusted without performing a
          validation of the certificate's issuer chain. This setting is used here for convenience so that the 
          sample can be run without having certificates issued by a certificate authority (CA).
          This setting is less secure than the default, ChainTrust. The security implications of this 
          setting should be carefully considered before using PeerOrChainTrust in production code. 
          -->
          <authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="CurrentUser"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<bindings>
  <netTcpBinding>
    <binding name="MyClientBinding" maxConnections="25000" listenBacklog="25000" portSharingEnabled="false" closeTimeout="00:05:00" openTimeout="00:05:00" sendTimeout="24:11:30" transferMode="Buffered" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="2097152000" maxReceivedMessageSize="2097152000" maxBufferPoolSize="2097152000">
      <readerQuotas maxStringContentLength="2000000000" maxArrayLength="2000000000" maxDepth="2000000000" maxBytesPerRead="2000000000" maxNameTableCharCount="2000000000"/>
      <security mode="Transport">
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign"/>
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
    <binding name="MyServiceBinding" maxConnections="25000" listenBacklog="25000" portSharingEnabled="false" closeTimeout="00:05:00" openTimeout="00:05:00" receiveTimeout="24:12:35" transferMode="Buffered" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="10485760" maxReceivedMessageSize="10485760" maxBufferPoolSize="104857600">
      <readerQuotas maxStringContentLength="2000000000" maxArrayLength="2000000000" maxDepth="2000000000" maxBytesPerRead="2000000000" maxNameTableCharCount="2000000000"/>
      <security>
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>

如何使用自签名证书实现WCF安全性？

1 个答案: