Securing Webservice

[Bob]

Hi,
I am new to web admin and security.
Made a certificate server out of the development Win2k server and created a
root certificate.
The same machine is also the web server for now.
Updated the Web site directory properties to require SSL
When I query the site from a browser on the LAN it brings up the certificate
question and the certificate install appears to go OK. The WSDL doc for my
service then appears
However if I start a new browser window it asks the certificate question
again.

Any clues as to where I am going wrong?
thanks
Bob

 

[Joe Kaplan]

The issue here is that your browser doesn't trust the certificate. IE isn't
installing a certificate when it gives you a warning, it is just telling you
it doesn't trust the certificate. In order to get the client to trust it,
you need to put the root certificate in the client's root certificate store.

Note that you'll need to do that for every client that will access the
server. If that is a lot of clients, you might want to consider a
certificate from a public CA. If they are all members of your domain, then
you can deploy an enterprise CA to get that root automatically installed on
each domain member.

Joe K.

 

[Bob]

Hi Joe,
Thanks for your reply.

The problem apppears to be that I am not installing the certificate on the
client successfully.
When the browser brings up the Certificate question dialog box I go down the
view certificate -> install certificate path. This seems to proceed
correctly.
I have tried letting the wizard choose where to put the certificate as well
as taking the manual path and selecting Trusted Root Certicate Store. In
both cases I am told the import is successful.

However a new browser window gets the certificate question and away we go
again.

The goal is to deploy a thick client on a couple of external machines.

My test Http deployment went OK. but now I have clamped down to Https the
newly installed test app errors trying to connect.

I am assuming that the inability of the browser to repeatedly use the
certificate is related but this may not be correct as the app has been told
to trust any certificate. Still, it is a starting point to trying to figure
out what is wrong.

Thanks
Bob

 

[Joe Kaplan]

Perhaps the issue isn't with a certificate trust issue, but with some other
cert problem such as a cert name/URL host mismatch or a cert expiration.
What exactly does the cert warning dialog say?

Joe K.

 

[Bob]

Hi Joe,
Thanks for following up.
It looks like trust to me.
It has a 'Security Alert ' dialog box.
In summary the dialog box says there is a problem with the sites security
certificate.

Then there is an information icon alongside which it says 'The security
certificate was issued by a company you have not chosen to trust. View the
certificate to determine whether you want to trust the certifying
authority."
This is followed by two green tick icons stating:
1) that the certificate date is valid.
2) "the certificate has a valid name matching the the name of the page you
are trying to view"
regards
Bob

 

[Bob]

Hi Joe,
A supplementary question if I may.
My approach to secure the web service is to
First secure the transmission from the client using https.
Once I get this working I am going to have the website require client
certificates.
The assumption being that I can somehow generate certificates that can be
installed on the clients.
(Process as yet unknown to me.)
I believe that doing this will restrict the publication of the wsdl doc and
access to the web service to only my installed clients.

Am I on the right track?
regards
Bob

 

[Joe Kaplan]

That should work, although deploying client certificates can be a bit
painful and getting them to work programmatically can also be difficult in
some types of deployments.

There are other ways to do this, including adding some sort of transport
level authentication like Basic or IWA auth. SSL on the server side is a
good idea to provide encryption of the communication in either case.

Joe K.

 

[Joe Kaplan]

Ok, if it is a trust issue, then when you open up the certificate in the
certificates UI and switch to the Certification Path tab, you should see
where the trust chain is being broken. That should tell you what is missing
or is not being trusted properly.

Joe K.

 

[Bob]

Hi Joe,
Thanks,
I'll give it a go.
regards
Bob

Ok, if it is a trust issue, then when you open up the certificate in the
certificates UI and switch to the Certification Path tab, you should see
where the trust chain is being broken. That should tell you what is missing
or is not being trusted properly.

Joe K.

 

[Bob]

Hi Joe,

The only thing in the Certification path is my development machine which I
set up as the one and only certificate server in our company.
The information message says "This certificate cannot be verified up to a
trusted certification authority"
Is it inferring that basically my machine needs to be authorised by a higher
level.
In other words do I need to engage a commercial third party to verify my
certificates?
i.e. Issuing your own certificates based entirely on your own authority is
not good enough?
Thanks
Bob

 

[Joe Kaplan]

This is all much easier if you get a certificate from a public CA as they
typically have their CA certs already installed in the trusted roots cert
store in Windows, so you won't have trust issues. That said, lots of
companies have their own internal CAs with roots that don't chain up to one
of the standard root CAs, and they get this to work by installing their root
certificate in the appropriate Windows store. Generally, this is done
through some mechanism like group policy or something.

It sounds like your certificate's CA cert has not actually been installed in
your machine's trusted root store, despite the fact that you have already
tried to do that. Otherwise, you wouldn't be getting a cert trust error.

If the certificate is self-signed (not issued by another CA), then you need
to put the cert itself in the trusted root store. If not, then you need to
put the root certificate for the entire cert chain (however many CAs that
is) in the trusted root store.

Unfortunately, I can't see your machine, so whatever isn't working isn't
obvious to me or we could probably fix this easily.

Joe K.

 

[Bob]

Hi Joe,
Thanks for your help.
I should now be able to sort it out.
(Famous last words)
I can't look at it at present but will post back when I have a result.
regards
Bob