Category Archives: WSE

Survey: What SSL Certificates are you buying for WS-Security with WCF, WSE or other WS-* methodologies?

This is one of the most frequently asked questions on the newsgroups.

Since Verisign and Thawte do not speak “message-based security”, people are always confused about buying SSL Certificates for doing WSE or WCF.

It’s not just the vendors. Sometimes the people responsible for your networks are also hard to convince since message-based security just does not make sense in their world. They may not know which one is right either.

What have you had success with? What actual certificates (literally the name that the vendor applies to the cert) have you purchased from which vendors? There’s a myriad of choices, but it’s never easy to pick.


Great FAQ on managing X509 Certs

On Thursday evening I gave a talk on WS Security Fundamentals in Dayton Ohio. One of the resources I point to is the PAG Guide on Securing Web Services. On the way home the next day, while sitting on the runway in PHL for 2 hours before taking off (uggh), I was reading the latest ASPNET Pro and Michele Leroux Bustamante’s Under the Hood column was all about X509 cert management. It’s great advice and I highly recommend it. It’s the October 2006 issue which does not have all of its articles online.

Many developers who are starting out with programming message-level security (e.g. with WSE or WCF) definitely have a learning curve when it comes to having to grok all of the bits and pieces of security tools we have to work with – encryption, hashing, signing, certificates. I don’t know how many times I have seen the question “where do I get a certificate” in the WSE newsgroups. Heck, I had the same question myself once. And it was a lot of work to wrap my head around all of this crypto stuff.

So…. if you get ASPNET Pro or you can grab a copy at your local user group, check it out.

I’m going to send this to the sysadmin that works with one of my clients. I spent three months trying to explain to him why I needed a server certificate that was not going to be used for SSL. Aargh. Message level security seems to be a bit of an oxymoron to IT Pros.

Modifying WSE Policy Files in Production Apps

I learned this the hard way, as usual.

We had to change the X509 certificate that we were using for our application. That meant that the policy config file on the client and the one on the server both had to identify the new certificate, which is done through the findValue attribute of the x509 node:

<x509 storeLocation="LocalMachine" storeName="My" findValue="CN=MyCertificateName" findType="FindBySubjectDistinguishedName" />

I made all of the necessary changes and ran the client app. I received an error from the server:

“WSE2006: EncryptedKeyToken in the security header of the incoming message is encrypted with a different security token than expected.”

That’s telling me that the certificate the client encrypted to doesn’t match the certificate the server is configured to decrypt with. After triple checking my setup and configuration, I went to turn on tracing on the server side to see what the heck was going on. This meant modifying the web.config. Suddenly the app worked.

Editing web.config forces an app restart, so this made me realize that the policy file must have been getting cached in the AppDomain and the restart forced the revised policy to be read. Mark Fussell confirmed that to be the case. The lesson: ASP.NET watches web.config, not the WSE policy file, so after editing the policy file in a deployed app, touch web.config (or otherwise recycle the application) so the new policy is actually loaded.

WSE3.0 WebCast: Powerpoint and Sample code online

I have posted my version of the powerpoint (not the pretty MSDN version since I don’t have that) and the sample code from today’s Intro to WSE 3.0 webcast.

You can find them on my TALKS page. Scroll down to Introduction to…. and you’ll see the zip and ppt files.

Thanks to all who attended!

I hear there was a snafu with the survey and MP3 raffle and that emails will be sent out to attendees on how to get back in the game (within 24 hours, they told me).

WSE 3.0 WebCast: What does a message for secure conversation look like?

Rather than paste miles (271 lines) of angle brackets in here, I am posting a section of my trace file from today’s webcast and have renamed it so you can view it in your browser if you want. Note that in general, these trace files will contain your UNSECURED raw data as well (I have stripped those sections out of mine), so you don’t normally want to do this!

I have put comments in the file to point out what is of interest.

Here is the basic story.

Because our policy indicates SecureConversation, WSE knows that before it can make that HelloWorld call, it needs to request a security context token (SCT). So you will see not one, but TWO outgoing messages, one right after the other. The first is the request for an SCT that WSE deemed necessary (based on the policy). That request sends the UsernameToken with the login and password we provided in code. The user is authenticated against the db and the SCT is created and sent back to the client. Then the client creates the HelloWorld request, but instead of using the username/password for authentication, it uses the SCT!

I have put comments in the key spots of the file so you can see the differences between the first and second request. IE renders them as gray. Don’t be afraid to look at this goo because it’s a good arrow to have in your problem-solving quiver! I promise you won’t have angle-bracket-filled nightmares. If you do, I recommend Dr. Ewald’s CureAll Tonic for Angle Brackets.
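For reference, here is the client-side policy that produces that two-message sequence. This is an added example written against the WSE 3.0 policy schema, not the policy file from the webcast, and it assumes the usernameForCertificateSecurity turnkey assertion (the post does not say which assertion the demo used), a policy named ClientPolicy, and a service certificate with the placeholder subject CN=MyServiceCert that the client holds (public key only) in its CurrentUser\AddressBook store.

```xml
<!-- Added example, not the webcast's own policy file. Names are placeholders. -->
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameForCertificateSecurity"
               type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
               type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ClientPolicy">
    <!-- establishSecurityContext="true" is the switch that causes the first,
         extra message: a RequestSecurityToken carrying the UsernameToken, answered
         with an SCT that the HelloWorld call then references instead of the
         username and password. Set it to "false" and every call carries the
         UsernameToken itself. -->
    <usernameForCertificateSecurity establishSecurityContext="true"
                                    renewExpiredSecurityContext="true"
                                    requireSignatureConfirmation="false"
                                    messageProtectionOrder="SignBeforeEncrypt"
                                    requireDerivedKeys="true"
                                    ttlInSeconds="300">
      <!-- The service's certificate. The client only needs the public half,
           which is why it lives in AddressBook rather than LocalMachine\My. -->
      <serviceToken>
        <x509 storeLocation="CurrentUser" storeName="AddressBook"
              findValue="CN=MyServiceCert" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request  signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault    signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
  </policy>
</policies>
```

In the trace, the first request's security header contains the UsernameToken and a RequestSecurityToken body; the response carries the SecurityContextToken; the second request's header references that token by its identifier and carries no username at all. The ttlInSeconds value is the SCT lifetime, and renewExpiredSecurityContext="true" is what lets a long-running client keep going past it without a new password prompt.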

I’m packing up the code and will write another post when it is on the presentations page of website.

[update: see this post for information on the sample code, etc.]

Introduction to WSE 3.0 Webcast tomorrow (Thursday) at 11am EST

As part of the Web Services Webcast Series, I’ll be doing an Intro to WSE 3.0 tomorrow morning at 11am.

It will be a 1 hour session on the key features of WSE 3.0 with as many demos as I can cram in!

There’s an MP3 raffle for attendees of this series. Check it out!

Here is the whole series. Please don’t ask me why the series of webcasts on Web Services (WSE, ASMX, and a lot of WCF, of course) is called “Windows Vista: Improve your Deployment and Security Strategy”, but at least it’s under the WCF section, since it’s like a WCF starter kit for those who can’t wait until WCF is live!

See you tomorrow!

Web Services/WCF WebCasts Series in June: I’ll be doing the WSE 3.0 Overview one

Kirk Allen Evans has organized some of the top WCF/Web Services gurus (and me,too!) to do a web cast series through June.

For those of you securing web services TODAY, my webcast will be Overview of WSE 3.0 . June 8th at 11am EST (that’s 8am PST).

More info here

Also oooh aah a raffle for attendees!! Attend any webcast in this series and qualify to win a 40 gigabyte Creative Zen MP3 player (official rules).

Here is the full schedule:

“The Lifetime of a Message in Windows Communication Foundation”
Justin Smith, Wintellect
6/1/2006 8:00 AM PST

“Taking Advantage of TCP/IP Reliability in SOAP”
William “Softwaremaker” Tay
6/6/2006 8:00 AM PST

“Extending Windows Communication Foundation”
Aaron Skonnard, Pluralsight
6/7/2006 8:00 AM PST

“Introducing Web Services Enhancements for Microsoft .NET (WSE) 3.0”
Julie Lerman, The Data Farm
6/8/2006 8:00 AM PST

“What’s New for ASP.NET Web Services (ASMX) in .NET 2.0”
Kirk Allen Evans, Microsoft Corporation
6/13/2006 8:00 AM PST

“Dissecting Contract-First Web Services”
Christian Weyer, thinktecture
6/14/2006 8:00 AM PST

“Transactions in Distributed Solutions with Windows Communication Foundation”
Christian Weyer, thinktecture
6/15/2006 8:00 AM PST

“Building Powerful AJAX-Style Solutions with ASP.NET “Atlas” and Windows Communication Foundation”
Kirk Allen Evans, Microsoft Corporation
6/20/2006 8:00 AM PST

“Exposing Your Content as a Service Using Windows Communication Foundation”
Clemens Vasters, Microsoft Corporation
6/21/2006 8:00 AM PST

“Web Services Interoperability with Java and J2EE Using Windows Communication Foundation (“Indigo”)”
Kirill Gavrylyuk, Microsoft Corporation
6/22/2006 8:00 AM PST

“Understanding Windows Communication Foundation Contracts”
Michele Leroux Bustamante, IDesign
6/28/2006 8:00 AM PST

The misnomer of SSL Certificates

This has always been a big point of confusion, both for developers (like me) and admins.

SSL Certificates are misnamed. They are not for SSL only. I wish all of the CAs would just call them “Web Server Certificates”. What you are buying is an ordinary X.509 certificate with a private key; nothing in the certificate itself ties it to SSL. How and where you install it determines whether or not it is used for SSL: bind it to a site in IIS and it protects the transport, leave it in the machine store and WSE or WCF can use the same key pair to sign and encrypt SOAP messages instead.

I remember my first conversation with tech support at Verisign trying to find out how much one cost. This was when I was playing with WSE 1.0. I was extremely clueless. The conversation went something like this:

me: I’m trying to find a server certificate to use for Web Service Enhancements

them: huh?

me: I think it’s just called a “web server certificate”. You have SSL certificates, but I don’t want SSL. I’m not doing SSL.

them: huh?

It went on for a while.

I finally learned that the trick was just to buy an SSL cert, install it on the server and don’t bother with the IIS installation of it. That’s what I do.

I couldn’t figure out how to explain this to an IT person who is used to SSL. They were very wary of installing it on the web server because I wanted to do something weird with it.

With WS-Security picking up more steam and WCF around the corner, I think there are going to be many conversations like this in the future. If they just called them Web Server Certificates, it would prevent a lot of frustration out there in the world of web service developers.
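Once the “SSL cert” is in the machine store, the question for both this post and the WSE2006 certificate-swap story above is the same: is the certificate that WSE will find by the policy’s findValue really the one you think, and does the process have the key it needs? The following console program is an added diagnostic for this page (not code from the posts, from WSE, or from any CA); it assumes the certificate was imported into LocalMachine\My and that the default subject, CN=MyCertificateName, is the placeholder from the policy snippet above. Run it on the client box and on the server box and compare the thumbprints it prints.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not part of the original posts or of WSE.
// Assumptions: certificate imported into LocalMachine\My; the subject DN passed
// on the command line (or the placeholder below) matches the policy's findValue.
// Build with: csc CertCheck.cs   (targets .NET 2.0, which is what WSE 3.0 uses)
class CertCheck
{
    static int Main(string[] args)
    {
        string subject = args.Length > 0 ? args[0] : "CN=MyCertificateName";

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // The same lookup WSE does for findType="FindBySubjectDistinguishedName".
            // validOnly=false so an expired or untrusted cert is still listed and reported.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subject, false);

            if (found.Count == 0)
            {
                Console.WriteLine("No certificate with subject '{0}' in LocalMachine\\My.", subject);
                return 1;
            }
            if (found.Count > 1)
            {
                // Old and new cert side by side (the situation after a cert swap):
                // WSE picks one, and not necessarily the one you meant. Remove the
                // old cert or switch the policy to findType="FindByThumbprint".
                Console.WriteLine("{0} certificates match '{1}'; the lookup is ambiguous:", found.Count, subject);
                foreach (X509Certificate2 c in found)
                    Console.WriteLine("  {0}  expires {1:u}", c.Thumbprint, c.NotAfter);
                return 1;
            }

            X509Certificate2 cert = found[0];
            Console.WriteLine("Subject     : {0}", cert.Subject);
            Console.WriteLine("Thumbprint  : {0}", cert.Thumbprint);   // compare client vs server
            Console.WriteLine("Valid       : {0:u} to {1:u}", cert.NotBefore, cert.NotAfter);
            Console.WriteLine("Chain valid : {0}", cert.Verify());      // false = CA chain not trusted here

            // The side that decrypts (the server) or signs needs the private key;
            // the side that only encrypts to this certificate does not.
            Console.WriteLine("Private key : {0}", cert.HasPrivateKey);

            // Key usage / EKU: a CA-issued "SSL" certificate normally carries
            // digitalSignature + keyEncipherment and the Server Authentication EKU,
            // which is all that signing and key-wrapping for WS-Security needs.
            foreach (X509Extension ext in cert.Extensions)
            {
                X509KeyUsageExtension ku = ext as X509KeyUsageExtension;
                if (ku != null)
                    Console.WriteLine("Key usage   : {0}", ku.KeyUsages);

                X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
                if (eku != null)
                    foreach (Oid oid in eku.EnhancedKeyUsages)
                        Console.WriteLine("EKU         : {0} ({1})", oid.FriendlyName, oid.Value);
            }
            return 0;
        }
        finally
        {
            store.Close();
        }
    }
}
```

If the two thumbprints differ, that is the WSE2006 error explained; if they match and the error persists right after a policy edit, you are looking at the cached-policy problem from the earlier post. A Private key of False on the server usually means the certificate was imported without its key (a .cer instead of the .pfx). Note that HasPrivateKey only tells you the key exists, not that the ASP.NET worker process account can read it; WSE 3.0 ships an X.509 Certificate Tool for granting that permission on the key file, and it is the usual missing step when the same certificate works under your own account but not under IIS.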

Don’t Forget: