"Jeff Johnson" <i.***@enough.spam> wrote in message
news:JtydnTFI1LlG2GfanZ2dnUVZ_qKgnZ2d@datapex...
Background: I have very little experience with Web services, but I'm not a
complete n00B. I'm using VS 2005 SP1, C#, and WSE 3.0, if any of that
matters.
Problem: For an upcoming project, I want to provide access to a partner
company in another state to a Web service that I will be writing. I'm not
dealing in nuclear secrets or anything, but I want to secure the messages
without buying a certificate and using SSL.
I have installed and played with some of the QuickStart samples that come
with WSE 3.0. I built and ran the WSSecurityCertificatePolicy sample, and
even built an installer package for it and put the client on another
machine. After some certificate exporting/importing and fiddling with the
*.config files, I got the client to talk to the service. Unfortunately, I
don't fully see the big picture. These are the main questions I have:
1) Can I give all the users the same client certificate as opposed to
creating one for each? (It is not important to me to track who accessed
the service.)
2) If I can use only one cert, is there any way to distribute and install
that cert along with my custom app? I ask because when I exported the
sample client cert along with its private key I had to provide a password,
and I'm wondering if that might hose the install process.
3) Speaking of installing a cert, can I even DO that in a setup package
and/or programmatically? The QuickStart samples use CertMgr.exe, which
isn't even part of a normal Windows installation; it's from the Framework
SDK.
4) If I have to create a separate cert for each user, how do I handle
(i.e., "register") that in my service?
If anyone has some examples of using certificates in Web services, I'd
appreciate links.
For reference, I'm focusing on the certificate route because it SEEMS the
simplest (least code). If anyone feels other methods are easier, I'm
willing to listen.

Purchase an ssl cert...it's cheaper than your labour...doing all that message
layer security takes weeks and weeks of work...plus it'll all be changed
again for WCF when ur WSE is obsolete...
Do a search for 'Web Service Security Patterns and Practices' on MS website.
That's a good document. 250 pages though.