AVEVA Global WCF Configuration Guide
Message Level Security with Certificate based Authentication
In addition to Windows Authentication, Message Level Security can be configured to use an SSL certificate to authenticate the exchange of messages.
Note: Message Level Security with Certificate based Authentication is a more complicated option compared to Windows Authentication. There can also be a loss in performance based on the size of the message and strength of the SSL certificate used for authentication.
Note: The following setting must be consistent within the GlobalWCFClient.config and AdmindWCF.exe.config files.
<security authenticationMode="MutualCertificate"
          requireDerivedKeys="false"
          messageProtectionOrder="SignBeforeEncrypt"
          messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
  <secureConversationBootstrap />
</security>
The Security parameters are described below:
authenticationMode: How the certificate is authenticated
requireDerivedKeys: Required security setting relating to Certificate keys
messageProtectionOrder: How the message is signed
messageSecurityVersion: Determines the Web-standards to apply to messages
The following block is specified in the Service behaviour and must be modified in the AdmindWCF.exe.config file.
The user must specify:
httpsGetEnabled: Must be set to true
trustedStoreLocation: The location of the trusted store for the certificate
findValue: Certificate identifier within the trusted store
x509FindType: The type of find value for the search
storeLocation: Certificate Store: LocalMachine/CurrentUser (determined by the certificate).
<serviceBehaviors>
  <behavior name="GlobalWcfServiceBehavior">
    <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
    <serviceMetadata httpGetEnabled="true"/>
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceCredentials>
      <clientCertificate>
        <authentication trustedStoreLocation="LocalMachine"
                        certificateValidationMode="None"></authentication>
      </clientCertificate>
      <serviceCertificate findValue="tempCert"
                          x509FindType="FindBySubjectName"
                          storeLocation="LocalMachine"/>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
The GlobalWCFClient.config file has an equivalent <endpointBehaviors> element that must be modified to match the configuration changes made in the Service Behaviours of the AdmindWCF.exe.config file.
To view an example of configuration files with Message Level Security using Certificate based authentication, extract the contents of the GlobalWCF_SampleConfigFiles folder file and navigate to the sub folder MessageSecurityCertificateAuthentication.
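As an added example (not part of the AVEVA guide or its sample files), the following Python script checks that the <security> attributes match between the two files and reports two settings from the sample above that are normally tightened outside testing: certificateValidationMode="None", which accepts the peer certificate without validating it, and includeExceptionDetailInFaults="true", which returns exception detail to callers. The XML fragments are constructed from the values on this page, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SECURITY_ATTRS = ("authenticationMode", "requireDerivedKeys",
                  "messageProtectionOrder", "messageSecurityVersion")
MSV = ("WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005"
       "WSSecurityPolicy11BasicSecurityProfile10")

# Constructed fragments using the values shown on this page. The enclosing
# layout of the real files is an assumption; the checks do not rely on it.
# The client copy deliberately differs in requireDerivedKeys.
SERVICE_XML = f"""<configuration>
  <security authenticationMode="MutualCertificate" requireDerivedKeys="false"
            messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="{MSV}"/>
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <authentication trustedStoreLocation="LocalMachine" certificateValidationMode="None"/>
</configuration>"""
CLIENT_XML = f"""<configuration>
  <security authenticationMode="MutualCertificate" requireDerivedKeys="true"
            messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="{MSV}"/>
</configuration>"""

def security_settings(xml_text):
    """Return the attributes of each <security> element that sets authenticationMode."""
    root = ET.fromstring(xml_text)
    return [{a: el.get(a) for a in SECURITY_ATTRS}
            for el in root.iter("security") if el.get("authenticationMode")]

def audit(service_xml, client_xml):
    """Compare both files and list the settings that need review."""
    svc, cli = security_settings(service_xml), security_settings(client_xml)
    findings = []
    if not svc or not cli:
        findings.append("missing <security authenticationMode=...> element")
    for s, c in zip(svc, cli):  # elements are paired in document order
        for attr in SECURITY_ATTRS:
            if s[attr] != c[attr]:
                findings.append(f"mismatch {attr}: service={s[attr]} client={c[attr]}")
    for name, text in (("service", service_xml), ("client", client_xml)):
        root = ET.fromstring(text)
        for el in root.iter("authentication"):
            if el.get("certificateValidationMode") == "None":
                findings.append(f"{name}: certificateValidationMode=None, peer certificate is not validated")
        for el in root.iter("serviceDebug"):
            if (el.get("includeExceptionDetailInFaults") or "").lower() == "true":
                findings.append(f"{name}: includeExceptionDetailInFaults=true, exception detail is sent to callers")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVICE_XML, CLIENT_XML)))
```

To check real files, pass the contents of AdmindWCF.exe.config and GlobalWCFClient.config to audit() in place of the constructed fragments.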
1974 to current year. AVEVA Solutions Limited and its subsidiaries. All rights reserved.