How to secure WCF on cloud with HTTPS

Although windows azure provide very friendly interface which allow existing .net application be easily run on cloud, however, there are still some changes need be done before we megiate normal .net app on to cloud app.

In this blog, I'll show how to create a WCF service on webrole with transport security armed.

First, let's create a Windows azure project with 1 WCFWebRole. In WCFWebRole project, there is an existing WCF called "Service1.svc". Since, we are focusing on how to secure service, we'll just use this wcf service without change any code.

Second, change the web.config file to configure wcf security.

With this configuration, we will enable TransportWithMessageCredential security, and use custom usernamePassword authentication. And here is my custom validator:

namespace WCFServiceWebRole1
{
    public class MyCustomUsernamePasswordValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (userName != password)
                throw new Exception("username/password not valid.");
        }
    }
}

Note: For why I don't choose Transport security, that's because cloud doesn't support Windows authentication, due to the IIS(not sure IIS web core) limitation, 'Basic' is not choice either. However, if we don't need client authentication, then we could simply set security to transport and set clientCredential to None.

Until now, we haven't done all necessary steps to make a transport secured WCF run on local IIS. However, there are additional work need be done to enable the HTTPS protocol on cloud. Let's continue.

First, create a self-signed certificate(just for test usage). the subject name should be equal to your windows azure service's domian name.(eg. [servicename].cloudapp.net). To create certificate, open Command prompt with administrator priviledge, run the commands below.

Makecert -r -pe -n "CN=[your_ns].cloudapp.net" -b 05/10/2010 -e 12/22/2012 -eku
 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

When certificate created, it would be added to your localmachine's personal store directly. You need use MMC tool to export the certificate with private key to local file *.pfx

Third, return to our cloud project, open WCFServiceWebRole's properties panel, click "Certificates" tab, Add certificate, in Thumbprint column choose our new added certificate.

Click "Endpoints" tab, check "HTTPS" endpoints, select certifice in "SSL certificate name" combobox to bind certificate to SSL port.

Next, we need upload certificate to windows azure service. Login the Windows Azure Portal, open the target service, in management page, find "Certificates" section, click "Manage"
In certificate management page, select the pfx file, input password, click "Upload" button. If succeed, the certificate would be listed here.

Ok, last step is deploy our windows azure application on cloud. Here is the result

Note that, the browser address bar is in red color, that's because the self-signed certificate is not from a trusted certificate root. To solve this issue, open certmgr tool, select "Trusted Root Certification Authorities", import our certificate.

If have questions, please post comment. This is my first blog, I'm very glad if someone get help from it :)