HOW TO: Secure XML Web Services with Secure Socket Layer in Windows Server 2003 (324284)
The information in this article applies to:
- Microsoft Internet Information Services version 6.0
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
This article was previously published under Q324284

For a Microsoft Windows 2000 version of this article, see 307267.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

SUMMARY

This step-by-step article describes how to configure a current XML Web service to use an encrypted channel with a Secure Socket Layer (SSL) connection.
Configure Your Web Server for SSL

Your XML Web Service will be running on Internet Information Server (IIS) and it will rely on IIS to provide SSL support. Because of this, you must first install an SSL server certificate on your server so that you can enable SSL support. To do this, follow these steps:
1. If you are purchasing a server certificate from a third-party certification authority or if you have an enterprise certification authority available to you, skip to step 2. Otherwise, to install Certificate Services, follow these steps:
   a. Start the Add or Remove Programs tool.
   b. Click Add/Remove Windows Components.
   c. Click to select the Certificate Services check box.
   d. Follow the on-screen instructions to complete the installation.
2. To run the Web Server Certificate Wizard, follow these steps:
   a. Start Internet Information Services Manager (IISM).
   b. Right-click the site that you want the certificate for.
   c. Click Properties, click the Directory Security tab, and then click Server Certificate.
3. In the Web Server Certificate Wizard, click Next.
4. Click Create a new certificate, and then click Next.
5. Click Prepare the request now, but send it later, and then click Next.
6. Type a name for the certificate, select the Bit length, and then click Next.
7. Type your company's organization and organizational unit names, and then click Next.
8. Type the Common name, and then click Next.
   NOTE: Provide the common name for the server that runs your XML Web service.
9. Complete the Geographical Information page, and then click Next.
10. Type a file name for your certificate request, and then click Next.
11. Click Next.
12. Click Finish.
13. When you complete the wizard, a certificate request is saved in a file that you specify. By default, this is C:\Certreq.txt.
14. Do one of the following:
   - If you are submitting your certificate to another certification authority, submit your application by following the certification authority's guidelines. When you receive your certificate file, open it, and then skip to step 15.
   - If you are using Windows Server 2003 Certificate Services to create your certificate, follow these steps:
     a. In Internet Explorer, visit the following Web site:
     b. Click Request a Certificate.
     c. Click Advanced certificate request.
     d. Click Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.
     e. On the Submit a Certificate Request or Renewal Request page, click Browse for a file to insert, specify the file that you created in step 13, click Read, and then click Submit.
        NOTE: You may also copy and paste the content of the certificate request file into the Saved Request text box.
     f. Click Start, point to Administrative Tools, and then click Certification Authority.
     g. Expand your certification authority's name, and then double-click the Pending Request folder.
     h. Right-click the certificate request that you just submitted, point to All Tasks, and then click Issue.
     i. Quit the Certification Authority Management console.
     j. In Internet Explorer, visit the following Web site:
     k. Click View the status of a pending certificate request.
     l. Click the request that you just created.
     m. On the Certificate Issued page, select either of the encoding schemes, and then click Download certificate.
     n. Click Save in the security dialog box.
     o. Click Close.
15. In Internet Services Manager, right-click the virtual site that you created the certificate for, and then click Properties.
16. Click the Directory Security tab, and then click Server Certificate.
17. Click Next.
18. Click Process the pending request and install the certificate, and then click Next.
19. Click Browse, locate and click your certificate file, and then click Next.
20. Click Next.
    NOTE: If a dialog box appears that warns you that the certificate may have come from an untrusted source, click OK.
21. Click Finish.
Install Your Certification Authority's Certificate on the Client

If you used your own certificate services, follow these steps to install your certification authority's certificate on the client as a trusted root certification authority:
- In Internet Explorer, visit the following Web site, where
CertificateServer is the name of the Certificate
Services server that issued the certificate that is being used on the Web
server:
http://CertificateServer/certsrv
- Click Download a CA certificate, certificate chain
or CRL.
- Click Download CA certificate.
- In the File Download dialog box, click Open.
- In the Certificate dialog box, click Install Certificate.
- In the Certificate Import Wizard, click Next.
- Click Automatically select the certificate store
based on the type of certificate, and then click Next.
- Click Finish.
- Click OK to acknowledge that the import was successful.
- Click OK to close the Certificate dialog box.
If you plan to access your XML Web Service from an ASP page,
follow these steps to add the certification authority's certificate to the
computer's trusted root store:
- In Internet Explorer, visit the following Web site, where
CertificateServer is the name of the Certificate
Services server that issued the certificate that is being used on the Web
server:
http://CertificateServer/certsrv
- Click Download a CA certificate, certificate chain
or CRL.
- Click Download CA certificate.
- In the File Download dialog box, click Save.
- Click Close.
- Click Start, and then click Run.
- In the Open box, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add.
- Click Certificates, and then click Add.
- Click Computer Account, and then click Next.
- Click Local Computer, and then click Finish.
- Click Close, and then click OK.
The list of certificate categories for the local computer appears in the snap-in window.
- Expand Certificates (Local Computer).
- Expand Trusted Root Certification
Authorities.
- Right-click Certificates, point to All Tasks, and then click Import.
- In the Certificate Import Wizard, click Next.
- Click Browse, and then locate the certificate that you saved in step
14,n.
- Click the file, and then click Open.
- Click Next.
- Click Next, and then click Finish.
- Click OK to acknowledge the successful import.
Modify WSDL from HTTP to HTTPS

- Edit the Web Service Description Language (WSDL) files for your service so that the address for your Web service begins with https instead of http. Make sure that the copy of the WSDL that your client uses also indicates https.
- For Microsoft Visual Studio .NET projects, when you add a
Web Reference, you can specify an https URL as the location of the XML Web
service. To do this, edit the class that was created by Visual Studio .NET that
wraps the Web service; modify the line of code that sets the URL. For a C#
project, the line of code will look similar to the following after you modify
it, where mycomputer refers to the Web server that
is hosting Web services that are secured by SSL:
this.Url = "https://mycomputer/MyWS/Service1.asmx";
Your XML Web Service will now be accessed over
SSL.
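A check for the WSDL edit described above, as an added example that is not part of the original article: it parses a WSDL document and lists every port whose address location is not an https URL, which catches a binding that was missed during the edit. The class and method names and the sample WSDL are constructed for illustration; the host name and path reuse the article's mycomputer example.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

static class WsdlEndpointCheck   // hypothetical name, not part of any Microsoft tool
{
    const string WsdlNs = "http://schemas.xmlsoap.org/wsdl/";
    // Binding namespaces whose <address location="..."/> names the endpoint.
    static readonly string[] AddressNs = {
        "http://schemas.xmlsoap.org/wsdl/soap/",    // SOAP 1.1
        "http://schemas.xmlsoap.org/wsdl/soap12/",  // SOAP 1.2
        "http://schemas.xmlsoap.org/wsdl/http/" };  // HTTP GET/POST
    // Returns "portName -> location" for every port address that is not https.
    public static List<string> FindInsecurePorts(string wsdlXml)
    {
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;  // do not fetch DTDs or external entities
        doc.LoadXml(wsdlXml);
        List<string> findings = new List<string>();
        foreach (XmlElement port in doc.GetElementsByTagName("port", WsdlNs))
            foreach (XmlNode child in port.ChildNodes)
            {
                XmlElement addr = child as XmlElement;
                if (addr == null || addr.LocalName != "address" ||
                    Array.IndexOf(AddressNs, addr.NamespaceURI) < 0)
                    continue;
                string location = addr.GetAttribute("location");
                // Relative, malformed and non-https locations are all reported.
                if (!Uri.TryCreate(location, UriKind.Absolute, out Uri uri) ||
                    uri.Scheme != Uri.UriSchemeHttps)
                    findings.Add(port.GetAttribute("name") + " -> " + location);
            }
        return findings;
    }
    static void Main()
    {
        // Constructed sample: the SOAP 1.1 port was edited, the SOAP 1.2 port was missed.
        string wsdl =
            "<wsdl:definitions xmlns:wsdl='http://schemas.xmlsoap.org/wsdl/'" +
            " xmlns:soap='http://schemas.xmlsoap.org/wsdl/soap/'" +
            " xmlns:soap12='http://schemas.xmlsoap.org/wsdl/soap12/'>" +
            "<wsdl:service name='Service1'><wsdl:port name='Service1Soap'>" +
            "<soap:address location='https://mycomputer/MyWS/Service1.asmx'/></wsdl:port>" +
            "<wsdl:port name='Service1Soap12'>" +
            "<soap12:address location='http://mycomputer/MyWS/Service1.asmx'/></wsdl:port>" +
            "</wsdl:service></wsdl:definitions>";
        foreach (string f in FindInsecurePorts(wsdl)) Console.WriteLine("NOT HTTPS: " + f);
    }
}
```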
Verify That SSL Is Configured Correctly

To determine whether SSL is configured correctly, try using an https URL such as the following, where mycomputer refers to the Web server that is hosting Web services that are secured by SSL:
https://mycomputer/test/test.asmx
If you can successfully visit the location without Internet
Explorer displaying an error message, your configuration is correct. You are
now ready to try to access your Web service programmatically.
Enforce SSL-Only Access

To make sure that only SSL requests are accepted by your Web service, follow these steps to configure the virtual directory where your XML Web service resides to be SSL only in Internet Services Manager:
- Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS).
- Expand the computer that hosts your XML Web service Web
site.
- Expand the Web Sites folder.
- Expand the Web site that hosts your XML Web
service.
- Right-click the virtual directory where your XML Web
service resides, and then click Properties.
- Click the Directory Security tab, and then click Edit under the Secure Communications section.
- In the Secure Communications dialog box, click Require secure channel (SSL),
and then click OK two times.
Modification Type: Major
Last Reviewed: 6/17/2005
Keywords: kbSecurityServices kbenv kbhowto kbHOWTOmaster kbnetwork kbtool KB324284 kbAudDeveloper