Need help w/ Web Services and SSL/TLS

Posted on 2010-11-30
Last Modified: 2012-05-10
Hello Experts!

I am working with a vendor who offers SOAP-based web services that I'm trying to use for my company.  The web services app/client that I'm building will reside on an IIS box, on our company network.  The web services require a cert for mutual SSL and another for TLS.  The vendor is requesting that I purchase the two certs for this and send the certs to them for installation.  I am not familiar with how this all works and would like to better understand before I continue down the path of obtaining certs, configuring, etc.

Specifically, I'd like to know if someone can assist in answering the following for me:

1)  Are these special certs that I need to purchase?
2)  What does the vendor do with the provided certs and what information should I expect to receive from them to ensure a secure handshake?
3)  Is the "mutual cert" something that I need to configure (e.g., install on the web server, convert to a file, etc.)


I want to make sure I'm heading down the right path by understanding all that needs to happen to form a secure connection with the vendor and what is being requested by them.

Any insight you can offer up would be greatly appreciated!

Thanks,
SK
Question by:sk1922

Accepted Solution

by:
Siva Prasanna Kumar earned 250 total points
I think someone from a .NET background may help you better; I will explain the certificates part.

Yes, your vendor is right, you need two certificates.

1) For TLS, that is to make sure that the client is actually talking to the server domain identified by the certificate. Example: https://bankofamerica.com, where you will find that the browser validates the HTTPS cert of Bank of America and then establishes the session.

2) A certificate for mutual authentication, which will be used for the client side to trust your application. It acts as a primary identity of your application with its own CN names.

About buying these certificates: first, both are almost similar, but the difference is that for the TLS one you need to make sure your server DNS name and the one in the certificate are the same; if not, the certificate will be of no use.

For the mutual auth certificate you need to make sure that you have already some kind of accepted client identifier like CN name.

The vendor will import both of your certificates for establishing Mutual Auth and TLS.

You need to configure both the certs on your cert also. Please note you don't need to provide any of the private keys to the vendor; only public certs should suffice for them.

The way you import these certs on IIS must be something which should be available on Google, or some .NET expert may help with it.

Let me see if I can help you with the import of the IIS cert.
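A pre-send check for the "only public certs, no private keys" point in the answer above, as an added example that is not part of the original thread: it classifies a file as certificate-only or key-bearing from its PEM labels and first ASN.1 headers, which matters on IIS because a .pfx export carries the private key while a .cer export does not. The function names are hypothetical, the check is a header heuristic rather than a full parse, and the sample bytes are constructed header-only stubs.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _content_start(der: bytes, pos: int) -> int:
    """Offset of the first content byte of the DER element whose tag is at pos."""
    length_byte = der[pos + 1]
    # Short form uses one length byte; long form is 0x80|n followed by n bytes.
    return pos + 2 + (0 if length_byte < 0x80 else length_byte & 0x7F)

def classify_der(der: bytes) -> str:
    """Classify a DER blob from its first ASN.1 headers (heuristic, no full parse)."""
    try:
        if der[0] != 0x30:
            return "unknown"
        inner = _content_start(der, 0)
        if der[inner] == 0x02:  # SEQUENCE { version INTEGER ... }: key containers
            return "pkcs12" if der[inner + 1:inner + 3] == b"\x01\x03" else "private-key"
        if der[inner] == 0x30 and der[_content_start(der, inner)] == 0xA0:
            return "certificate"  # tbsCertificate opening with [0] version (X.509 v3)
    except IndexError:
        pass
    return "unknown"  # CSRs, encrypted keys, v1 certs: treated as not safe to send

def classify_file(data: bytes) -> list:
    """Return the kind of every object in a PEM bundle or a single DER file."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return [classify_der(data)]
    kinds = []
    for label, body in blocks:
        if label == b"CERTIFICATE":
            kinds.append(classify_der(base64.b64decode(body)))
        else:
            kinds.append("private-key" if b"PRIVATE KEY" in label else "unknown")
    return kinds

def safe_to_send(data: bytes) -> bool:
    """True only if the file holds certificates and nothing else."""
    kinds = classify_file(data)
    return bool(kinds) and all(k == "certificate" for k in kinds)

# Constructed header-only stubs (not real certificates or keys).
CER_STUB = bytes.fromhex("3082030a308201f2a003020102")
PFX_STUB = bytes.fromhex("30820a10020103308209d6")
BUNDLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CER_STUB)
          + b"\n-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\n"
          + base64.b64encode(b"\x30\x03\x02\x01\x00") + b"\n-----END RSA PRIVATE KEY-----\n")
```

Run `safe_to_send(open(path, "rb").read())` on the exact file you are about to send; anything it cannot positively identify as a certificate is reported as not safe.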
 

Author Comment

by:sk1922
Thank you for your help. And please pardon my ignorance on this.

So for TLS, I would actually generate the CSR on my end and supply the public certificate to the vendor, correct?


>>>A certificate for mutual authentication which will be used for client side to trust you application....
Do you mean the client side of the vendor's system?


Also, can you explain this further??
>>>>For the mutual auth certificate you need to make sure that you have already some kind of accepted client identifier like CN name.

Assisted Solution

by:btan
btan earned 250 total points
Thought that this can be a useful read
@ http://www.orionserver.com/docs/ssl.html

For a secure channel from the client machine to request the hosted web service, there is a need for authentication of the legit user. SSL/TLS is the standard HTTP securing mechanism for protecting the channel against web attacks such as man-in-the-middle (talking to a fake server) or snooping of credentials and data (if the channel is not encrypted).

Of course, in web services the common security reference is WS, and it can leverage certificates. There are various schemes such as WS-Policy, WS-Trust and WS-SecureConversation that can be deployed. The vendor should also be able to share with you in detail. That gives you some assurance.

@ http://en.wikipedia.org/wiki/WS-Security

Actually, I see those certificates as being for server and client, but in your case your IIS server will have both certs. I am thinking they will serve these purposes: (a) Server cert for other clients accessing your web server. (b) Client cert, which is for authentication with your vendor's web service.
Better to clarify with them too.


Author Closing Comment

by:sk1922
Helpful and guided me in the appropriate direction.  I had to open additional questions specific to each scenario.