Microsoft KB Archive/307267

= HOW TO: Secure XML Web Services with Secure Socket Layer in Windows 2000 =

Article ID: 307267

Article Last Modified on 6/25/2004

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q307267



IN THIS TASK
SUMMARY
 * Configure Your Web Server for SSL
 * Install Certificate Authority's Certificate on Client
 * Modify WSDL from HTTP to HTTPS
 * Verify That It Works
 * Enforcing SSL-Only Access

REFERENCES



SUMMARY
This step-by-step article describes how to configure a current XML Web service to use an encrypted channel with a Secure Socket Layer (SSL) connection.

back to the top

Configure Your Web Server for SSL
Your XML Web Service will be running on Internet Information Server (IIS) and it will rely on IIS to provide SSL support. Because of this, you must first install an SSL server certificate on your server so that you can enable SSL support.
 * 1) If you are purchasing a server certificate from a third-party certificate authority or if you have an enterprise certificate authority available to you, skip to the next step. Otherwise, install Certificate Services by starting the Add/Remove Programs tool, clicking Add/Remove Windows Components, and then click to select the Certificate Services check box.
 * 2) Run the Web Server Certificate Wizard by starting Internet Services Manager, right-clicking on the virtual site that you want the certificate for, clicking Properties, clicking the Directory Security tab, and then clicking Server Certificate.
 * 3) In the Web Server Certificate Wizard, click Create a new certificate, and then click Next.
 * 4) Click Prepare the request now, but send it later, and then click Next.
 * 5) Continue to fill out the information in the Wizard to fit your needs, but when you are prompted to provide the common name of the certificate, make sure that you specify the name of the host computer that you are running your XML Web service on.
 * 6) When you complete the wizard, a certificate request is saved in a file that you specify. By default, this is c:\Certreq.txt.
 * 7) If you are submitting your certificate to a different certificate authority, do that now by using their procedures and when you receive your certificate file, open it, and then skip to step 16. If you are using your own Certificate Services to get your certificate, browse to http://localhost/certsrv and choose the Request a Certificate option.
 * 8) Under the Request Type page, specify that this is an Advanced Request, and then click Next.
 * 9) Click Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file, and then click Next.
 * 10) On the Submit a Saved Request page, click Browse for a file to insert, specify the file you created in step 6, click Read, and then Submit. Your request has been submitted, and now you must approve it.
 * 11) On the Programs menu, under Administrative Tools, start the Certificate Authority management console.
 * 12) Under your Certificate Authority's name, choose the Pending Request folder. Right-click the certificate request that you just submitted, point to All Tasks, and then click Issue. Close the Certificate Authority management console.
 * 13) In your browser, go back to http://localhost/certsrv, click Check on Pending Requests, and then click Next.
 * 14) Make sure that the request you just created is selected, and then click Next.
 * 15) On the Certificate Issued page, choose either of the encoding schemes, and then click Download CA certificate. The Certificate property pages are displayed. Click the General tab, and then click Install Certificate.
 * 16) The Certificate Import Wizard starts. Accept all of the defaults and click through the wizard until it has completed.
 * 17) Go back to the Internet Services Manager, right-click the virtual site you created the certificate for, click Properties, click the Directory Security tab, and then click Server Certificate.
 * 18) Click Assign an existing certificate to see a list with your certificate in it. Click your certificate, and then click Next. Complete the Web Server Certificate Wizard. Your SSL Server Certificate is now installed.

back to the top

Install Certificate Authority's Certificate on Client
If you used your own certificate services, you must install your certificate authority's certificate on the client as a trusted root certificate authority. To do so:
 * 1) Browse to http://my computer/certsrv where my computer is the host name where the certificate services are located that issued the server certificate.
 * 2) Click Retrieve the CA certificate or the certificate revocation list, and then click Next.
 * 3) Click the Install this CA certification path link. The certificate should be properly installed.

If you are planning to access your XML Web Service from an ASP page, you must add the Certificate Authority's certificate to the machine's trusted root store:
 * 1) Repeat the preceding first 2 steps, click Download CA certificate, and then save it to a file on your local computer.
 * 2) Start Mmc.exe.
 * 3) Click Console, and then click Add/Remove Snap-in.
 * 4) In the Add/Remove Snap-in dialog box, click Add.
 * 5) In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
 * 6) Click Computer Account, and then click Next.
 * 7) Click Local Computer, and then click Finish.
 * 8) The list of certificate categories for the local computer should appear in the snap-in window.
 * 9) Click OK to return to the Console Root window.
 * 10) In the tree view, open the list of trusted root certificate authorities.
 * 11) To add the certificate authority certificate that issued your server certificate to the list, click Action, click All Tasks, and then click Import, or drag the certificate on to the list.

back to the top

Modify WSDL from HTTP to HTTPS
 Edit the WSDL files for your service so that the address for your Web service begins with https instead of http. You must make sure that the copy of the WSDL that your client is using also indicates https. For Microsoft Visual Studio .NET projects, when you add a Web Reference ,you can specify an https URL as the location of the XML Web service. If you did not do this, then you can edit the class that was created by Visual Studio .NET that wraps the Web service and modify the line of code that sets the URL. For a C# project, the line of code might look like this after you have modified it:

this.Url = &quot;https://mymachine/MyWS/Service1.asmx&quot;;

 Your XML Web Service will now be accessed over SSL.

back to the top

Verify That It Works
To determine if SSL is configured properly, try browsing to your server by using an https URL such as https://my_computer/test/test.asmx.

You configuration should be alright if you can successfully browse to the location without any error messages being displayed by Internet Explorer. You are ready to try to access your web service programmatically.

back to the top

Enforcing SSL-Only Access
If you want to make sure that only SSL requests are accepted by your Web service, you can configure the virtual directory where your XML Web service resides to be SSL only in the Internet Services Manager:
 * 1) Right-click the virtual directory where your XML Web service resides, and then click Properties.
 * 2) Click the Directory Security tab, and then click Edit under Secure Communications.
 * 3) Click require secure channel (SSL), and then click OK twice.

back to the top

