Microsoft KB Archive/324284

= HOW TO: Secure XML Web Services with Secure Socket Layer in Windows Server 2003 =

Article ID: 324284

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



This article was previously published under Q324284



For a Microsoft Windows 2000 version of this article, see 307267.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

IN THIS TASK
SUMMARY
 * Configure Your Web Server for SSL
 * Install Your Certification Authority's Certificate on the Client
 * Modify WSDL from HTTP to HTTPS
 * Verify That SSL Is Configured Correctly
 * Enforce SSL-Only Access



SUMMARY
This step-by-step article describes how to configure a current XML Web service to use an encrypted channel with a Secure Socket Layer (SSL) connection.

back to the top

Configure Your Web Server for SSL
Your XML Web Service will be running on Internet Information Server (IIS) and it will rely on IIS to provide SSL support. Because of this, you must first install an SSL server certificate on your server so that you can enable SSL support. To do this, follow these steps:  If you are purchasing a server certificate from a third-party certification authority or if you have an enterprise certification authority available to you, skip to step 2.

Otherwise, to install Certificate Services, follow these steps:  Start the Add or Remove Programs tool. Click Add/Remove Windows Components. Click to select the Certificate Services check box. Follow the on-screen instructions to complete the installation.  To run the Web Server Certificate Wizard, follow these steps:  Start Internet Information Services Manager (IISM).</li> Right-click the site that you want the certificate for.</li> Click Properties, click the Directory Security tab, and then click Server Certificate.</li></ol> </li> In the Web Server Certificate Wizard, click Next.</li> Click Create a new certificate, and then click Next.</li> Click Prepare the request now, but send it later, and then click Next.</li> Type a name for the certificate, select the Bit length, and then click Next.</li> Type your company's organization and organizational unit names, and then click Next.</li> Type the Common name, and then click Next.

NOTE: Provide the common name for the server that runs your XML Web service.</li> Complete the Geographical Information page, and then click Next.</li> Type a file name for your certificate request, and then click Next.</li> Click Next.</li> Click Finish.</li> When you complete the wizard, a certificate request is saved in a file that you specify. By default, this is C:\Certreq.txt.</li> <li>Do one of the following: <ul> <li>If you are submitting your certificate to another certification authority, submit your application by following the certification authority's guidelines. When you receive your certificate file, open it, and then skip to step 15.</li> <li>If you are using Windows Server 2003 Certificate Services to create your certificate, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In Internet Explorer, visit the following Web site:

http://localhost/certsrv

</li> <li>Click Request a Certificate.</li> <li>Click Advanced certificate request.</li> <li>Click Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.</li> <li>On the Submit a Certificate Request or Renewal Request page, click Browse for a file to insert, specify the file that you created in step 13, click Read, and then click Submit.

NOTE: You may also copy and paste the content of the certificate request file into the Saved Request text box.</li> <li>Click Start, point to Administrative Tools, and then click Certification Authority.</li> <li>Expand your certification authority's name, and then double-click the Pending Request folder.</li> <li>Right-click the certificate request that you just submitted, point to All Tasks, and then click Issue.</li> <li>Quit the Certification Authority Management console.</li> <li>In Internet Explorer, visit the following Web site:

http://localhost/certsrv

</li> <li>Click View the status of a pending certificate request.</li> <li>Click the request that you just created.</li> <li>On the Certificate Issued page, select either of the encoding schemes, and then click Download certificate.</li> <li>Click Save in the security dialog box.</li> <li>Click Close.</li></ol> </li></ul> </li> <li>In Internet Services Manager, right-click the virtual site that you created the certificate for, and then click Properties.</li> <li>Click the Directory Security tab, and then click Server Certificate.</li> <li>Click Next.</li> <li>Click Process the pending request and install the certificate, and then click Next.</li> <li>Click Browse, locate and click your certificate file, and then click Next.</li> <li>Click Next.

NOTE: If a dialog box appears that warns you that the certificate may have come from an untrusted source, click OK.</li> <li>Click Finish.</li></ol>

back to the top

Install Your Certification Authority's Certificate on the Client
If you used your own certificate services, follow these steps to install your certification authority's certificate on the client as a trusted root certification authority: <ol> <li>In Internet Explorer, visit the following Web site, where  is the name of the Certificate Services server that issued the certificate that is being used on the Web server:

http:// /certsrv

</li> <li>Click Download a CA certificate, certificate chain or CRL.</li> <li>Click Download CA certificate.</li> <li>In the File Download dialog box, click Open.</li> <li>In the Certificate dialog box, click Install Certificate.</li> <li>In the Certificate Import Wizard, click Next.</li> <li>Click Automatically select the certificate store based on the type of certificate, and then click Next.</li> <li>Click Finish.</li> <li>Click OK to acknowledge that the import was successful.</li> <li>Click OK to close the Certificate dialog box.</li></ol>

If you plan to access your XML Web Service from an ASP page, follow these steps to add the certification authority's certificate to the computer's trusted root store: <ol> <li>In Internet Explorer, visit the following Web site, where  is the name of the Certificate Services server that issued the certificate that is being used on the Web server:

http:// /certsrv

</li> <li>Click Download a CA certificate, certificate chain or CRL.</li> <li>Click Download CA certificate.</li> <li>In the File Download dialog box, click Save.</li> <li>Click Close.</li> <li>Click Start, and then click Run.</li> <li>In the Open box, type mmc, and then click OK.</li> <li>On the File menu, click Add/Remove Snap-in.</li> <li>Click Add.</li> <li>Click Certificates, and then click Add.</li> <li>Click Computer Account, and then click Next.</li> <li>Click Local Computer, and then click Finish.</li> <li>Click Close, and then click OK.

The list of certificate categories for the local computer appears in the snap-in window.</li> <li>Expand Certificates (Local Computer).</li> <li>Expand Trusted Root Certification Authorities.</li> <li>Right-click Certificates, point to All Tasks, and then click Import.</li> <li>In the Certificate Import Wizard, click Next.</li> <li>Click Browse, and then locate the certificate that you saved in step 14,n.</li> <li>Click the file, and then click Open.</li> <li>Click Next.</li> <li>Click Next, and then click Finish.</li> <li>Click OK to acknowledge the successful import.</li></ol>

back to the top

Modify WSDL from HTTP to HTTPS
<ol> <li>Edit the Web Service Description Language (WSDL) files for your service so that the address for your Web service begins with https instead of http. Make sure that the copy of the WSDL that your client uses also indicates https.</li> <li> For Microsoft Visual Studio .NET projects, when you add a Web Reference, you can specify an https URL as the location of the XML Web service. To do this, edit the class that was created by Visual Studio .NET that wraps the Web service; modify the line of code that sets the URL. For a C# project, the line of code will look similar to the following after you modify it, where  refers to the Web server that is hosting Web services that are secured by SSL: this.Url = &quot;https://mycomputer/MyWS/Service1.asmx&quot;; </li></ol>

Your XML Web Service will now be accessed over SSL.

back to the top

Verify That SSL Is Configured Correctly
To determine whether SSL is configured correctly, try using an https URL such as the following, where  refers to the Web server that is hosting Web services that are secured by SSL:

https:// /test/test.asmx

If you can successfully visit the location without Internet Explorer displaying an error message, your configuration is correct. You are now ready to try to access your Web service programmatically.

back to the top

Enforce SSL-Only Access
To make sure that only SSL requests are accepted by your Web service, follow these steps to configure the virtual directory where your XML Web service resides to be SSL only in Internet Services Manager:
 * 1) Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).
 * 2) Expand the computer that hosts your XML Web service Web site.
 * 3) Expand the Web Sites folder.
 * 4) Expand the Web site that hosts your XML Web service.
 * 5) Right-click the virtual directory where your XML Web service resides, and then click Properties.
 * 6) Click the Directory Security tab, and then click Edit under the Secure Communications section.
 * 7) In the Secure Communications dialog box, click Require secure channel (SSL), and then click OK two times.

back to the top

Additional query words: kbsecurity ca https

Keywords: kbsecurityservices kbenv kbhowto kbhowtomaster kbnetwork kbtool KB324284

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.