My WCF service involves sending a dataset (in csv format) between client and service. This dataset must be encrypted so that the data cannot be intercepted. I’m using wshttpbinding and trying to encrypt the message by using the following settings in web.config:

```xml
<wsHttpBinding>
  <binding name='wsHttp'>
    <reliableSession enabled='true' />
    <security mode='Message'>
      <message clientCredentialType='UserName' algorithmSuite='TripleDes' />
    </security>
  </binding>
</wsHttpBinding>
```
When I try to generate a client proxy I get a long error messagebox (which cannot be completely read because it goes off the bottom of the screen!). The error message does mention something about a ‘service certificate not being provided’.
How do I encrypt a message? Do I need a certificate? I should mention that this service will be used over the internet from different domains so I’m not sure whether using ‘Username’ security is the best option (?)
Basically I’m confused!
Yes, your service needs a certificate so that your encryption keys can be exchanged securely. You can create a test service authentication certificate with makecert.exe. See this entry in my blog for the details of that.
You also need to ensure that the account your service is running as is able to read the certificate’s private key file. If you’re on Windows Vista (or later) the Certificates MMC snap-in allows you to control permissions on that private key, but for earlier versions of Windows it’s a bit harder. I used to use a utility that came with WSE3, but someone else might be able to suggest a more direct way. Unless your service runs as an admin, you will most likely have to adjust these permissions.
Update: like all good things, my blog came to an end. Thanks to makerofthings7 for reminding me. The makecert command you need to generate a service authentication certificate is something like this…
…simply replace subject-name with any certificate name that makes sense for your service.
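As an added illustration (not part of the answer above, and not the asker's actual web.config), here is what the missing piece looks like once the certificate exists: the service side names the certificate in a `serviceCredentials` behaviour so WCF can use its key for message security, and the client side declares which certificate it expects and how to validate it. The service name `MyApp.DataService`, the contract `MyApp.IDataService`, the validator type `MyApp.UserValidator, MyApp` and the store location are assumptions chosen for the example; `subject-name` is the same placeholder the answer uses for the makecert subject.

```xml
<!-- Added example, not the original poster's config. Service-side web.config. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttp">
        <reliableSession enabled="true" />
        <!-- Message security: the SOAP body is encrypted, not just the transport. -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <!-- Assumed service and contract names. -->
    <service name="MyApp.DataService" behaviorConfiguration="secureBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttp"
                contract="MyApp.IDataService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="secureBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- This is what the "service certificate not provided" error is about:
               the certificate whose public key the client uses to protect the
               key exchange. The service account must be able to read its private key. -->
          <serviceCertificate findValue="subject-name"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- UserName credentials are checked by a validator you supply (assumed type). -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="MyApp.UserValidator, MyApp" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- Client-side app.config fragment for the same endpoint. -->
<system.serviceModel>
  <client>
    <endpoint address="https://example.invalid/DataService.svc"
              binding="wsHttpBinding" bindingConfiguration="wsHttp"
              contract="MyApp.IDataService"
              behaviorConfiguration="clientBehavior">
      <!-- Must match the certificate subject, otherwise WCF rejects the service identity. -->
      <identity>
        <dns value="subject-name" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="clientBehavior">
        <clientCredentials>
          <serviceCertificate>
            <!-- PeerTrust works for a makecert test certificate placed in the client's
                 Trusted People store; a CA-issued certificate can use ChainTrust instead. -->
            <authentication certificateValidationMode="PeerTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

With the service certificate declared this way, proxy generation no longer fails, and the user name and password travel inside the encrypted message rather than in the clear. The example leaves `algorithmSuite` at its default (`Basic256`) instead of the question's `TripleDes`; both are valid values, and the choice must simply match on both ends.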