Geeks With Blogs

Michael Stephenson keeping your feet on premise while your heads in the cloud

As discussed in the introduction article, this walkthrough explains how to implement WCF security with the Windows Azure Service Bus so that you can protect your endpoint in the cloud with a shared secret and also combine this with certificates to identify the sender of the message.

 

Prerequisites

As in the previous article, before going into the walkthrough I want to explain a few assumptions about the scenario we are implementing. To keep the article shorter, I am not going to walk through all of the steps for setting some of this up.

In the solution we have a simple console application which will represent the client application. There is also the WCF services application, which contains the WCF service we will expose via the Windows Azure Service Bus.

The WCF Service application in this example was hosted in IIS 7 on Windows 2008 R2 with AppFabric Server installed and configured to auto-start the WCF listening services. I am not going to go into significant detail about the IIS setup because it should not matter for this article. If you want to understand more about how to configure WCF and IIS for such a scenario, please refer to the following paper, which covers it in a lot of detail: http://tinyurl.com/8s5nwrz

 

Setting up the Certificates

To keep the post and sample simple I am going to use the local computer store for all certificates. This part is really just the same as setting up certificates for WCF when you are not using the Windows Azure Service Bus. In the sample I have included two batch files which you can use to create the sample certificates or remove them.

Basically you will end up with:

  • A certificate called PocServerCert in the personal store for the local computer which will be used by the WCF Service component
  • A certificate called PocClientCert in the personal store for the local computer which will be used by the client application
  • A root certificate in the Root store called PocRootCA with its associated revocation list which is the root from which the client and server certificates were created

 

For the sample I'm just using development certificates as you normally would, and you can see exactly how these are configured and placed in the stores from the batch files in the solution, which use makecert and certmgr.

 

The Service Component

To begin with, let's look at the service component and how it can be configured to listen to the service bus using a shared secret but also accept a username token from the client. In the sample the service component is called Acme.Azure.ServiceBus.Poc.Cert.Services. It has a single service, which is the one the Visual Studio template creates when you add a new WCF Service Application, so we have a service called Service1 with its Echo method.

Nothing special so far!....

The next step is to look at the web.config file to see how we have configured the WCF service.

In the services section of the WCF configuration you can see I have created my service with a local endpoint, which I simply used for a little bit of diagnostics and to check it was working. More importantly, there is the Windows Azure endpoint, which uses the ws2007HttpRelayBinding (note that this should work just the same if you're using netTcpRelayBinding).

The key points to note in the above picture are the service behavior called MyServiceBehaviour and the service bus endpoint's behavior called MyEndpointBehaviour. We will go into these in more detail later.

 

The Relay Binding

The relay binding for the service has been configured to use the TransportWithMessageCredential security mode. This is the important bit: the transport security relates to the interaction between the service and the Azure Service Bus it is listening on, and the message credential is where we will use our certificate, as specified in the message/clientCredentialType attribute.

Note also that we have left the relayClientAuthenticationType set to RelayAccessToken. This means that authentication will be made against ACS for accessing the service bus and messages will not be accepted from any sender who has not been authenticated by ACS.

 

The Endpoint Behaviour

In the below picture you can see the endpoint behavior, which is configured to use the shared secret client credential for accessing the service bus. For diagnostic purposes I have also included the service registry element.

 

 

Hopefully, if you are familiar with using the Windows Azure Service Bus relay feature, the above is very familiar to you, as this is a very common setup for this section. There is nothing specific to the username token implementation here.

The Service Behaviour

Now we come to the bit with most of the certificate stuff in it. In the service behavior I have included the serviceCredentials element, set it up to use the clientCertificate check, and specified the serviceCertificate with information on how to find the server's certificate in the store.

 

 

I have also added a serviceAuthorization section where I will implement my own authorization component to perform additional security checks after the service has validated that the message was signed with a good certificate.

I also have the same serviceSecurityAudit configuration to log access to my service.

My Authorization Manager

The below picture shows the implementation of my authorization manager. WCF will eventually hand off the message to my authorization component before it calls the service code. This is where I can perform some logic to check if the identity is allowed to access resources. In this case I am simply rejecting messages from anyone except the PocClientCertificate.
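One way to write such an authorization manager is sketched below. It is an added example, not the code from the sample download, and it goes slightly beyond a name check by pinning the client certificate's thumbprint and issuer, because any certificate that chains to a trusted root can carry the same subject name. The namespace, class name, thumbprint placeholder and issuer string are assumptions.

```csharp
using System;
using System.IdentityModel.Claims;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

namespace Example.Poc.Security // hypothetical namespace, not from the sample
{
    // Hypothetical class name. Register it on the serviceAuthorization element:
    // serviceAuthorizationManagerType="<namespace>.<type>, <assembly>"
    public class PinnedCertificateAuthorizationManager : ServiceAuthorizationManager
    {
        // Placeholder: replace with the thumbprint of your PocClientCert (hex, no spaces).
        private const string AllowedThumbprint = "<POC-CLIENT-CERT-THUMBPRINT>";

        // Assumed issuer string, following the PocRootCA name used in the article.
        private const string AllowedIssuer = "CN=PocRootCA";

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            ServiceSecurityContext security = operationContext.ServiceSecurityContext;

            // No message credential at all: deny before the service code runs.
            if (security == null || security.IsAnonymous)
            {
                return false;
            }

            // WCF surfaces an authenticated client certificate as an
            // X509CertificateClaimSet in the authorization context.
            bool pinnedCertPresent = security.AuthorizationContext.ClaimSets
                .OfType<X509CertificateClaimSet>()
                .Any(claimSet => IsAllowed(claimSet.X509Certificate));

            return pinnedCertPresent && base.CheckAccessCore(operationContext);
        }

        // Deny by default; allow only the one pinned certificate from the expected issuer.
        internal static bool IsAllowed(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                return false;
            }

            bool thumbprintMatches = string.Equals(
                certificate.Thumbprint, AllowedThumbprint, StringComparison.OrdinalIgnoreCase);
            bool issuerMatches = string.Equals(
                certificate.Issuer, AllowedIssuer, StringComparison.OrdinalIgnoreCase);

            return thumbprintMatches && issuerMatches;
        }
    }
}
```

Returning false from CheckAccessCore makes WCF reject the call with an access-denied fault, and with serviceSecurityAudit enabled the failed authorization is written to the configured event log.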

 

 

The Client

Now let's take a look at the client side of this solution and how we can configure the client to authenticate against ACS but also send a certificate over to the service component so it can implement additional security checks on-premise.

I have a console application, and in the program class I want to use the proxy generated with Add Service Reference to send a message via the Azure Service Bus. You can see in my WCF client configuration below that I have set up my details for the Azure Service Bus URL and am using the ws2007HttpRelayBinding.

 

Next is my configuration for the relay binding. You can see below that I have configured security to use TransportWithMessageCredential, so we will flow the token from a certificate with the message. I have also set the relayClientAuthenticationType to RelayAccessToken, which means the component will validate against ACS before being allowed to access the relay endpoint to send a message.

 

 

After the binding we need to configure the endpoint behavior, as in the below picture. This contains the normal transportClientEndpointBehavior to set up the ACS shared secret configuration, but we have also configured the clientCertificate to look for the PocClientCert.

 

 

Finally, below we have the code of the client in the console application which will call the service bus. You can see that we have created our proxy and then made a call to a WCF service in exactly the normal way, but the configuration will jump in and ensure that a token is passed representing the client certificate.

 

 

Conclusion

As you can see from the above walkthrough it is not too difficult to configure a service to use both a shared secret and certificate based token at the same time. This gives you the power and protection offered by the access control service in the cloud but also the ability to flow additional tokens to the on-premise component for additional security features to be implemented.

Sample

The sample used in this post is available at the following location:

https://s3.amazonaws.com/CSCBlogSamples/Acme.Azure.ServiceBus.Poc.Cert.zip

 

Posted on Tuesday, October 30, 2012 4:22 AM | Azure Service Bus


Comments on this post: Combining Shared Secret and Certificates

# re: Combining Shared Secret and Certificates
Great article ...
Left by Vecham on May 19, 2013 8:24 AM


Copyright © Michael Stephenson | Powered by: GeeksWithBlogs.net