Need help w/ Web Services and SSL/TLS

Hello Experts!

I am working with a vendor who offers SOAP based web services that I'm trying to use for my company.  The web services app/client that I'm building will reside on an IIS box, on our company network.  The web services require a cert for mutual SSL and another for TLS.  The vendor is requesting that I purchase the two certs for this and send the certs to them for installation.  I'm not familiar with how this all works and would like to better understand before I continue down the path of obtaining certs, configuring, etc.

Specifically, I'd like to know if someone can assist in answering the following for me:

1)  Are these special certs that I need to purchase?
2)  What does the vendor do with the provided certs and what information should I expect to receive from them to ensure a secure handshake?
3)  Is the "mutual cert" something that I need to configure (e.g., install on the web server, convert to a file, etc.)?


I want to make sure I'm heading down the right path by understanding all that needs to happen to form a secure connection with the vendor and what is being requested by them.

Any insight you can offer up would be greatly appreciated!

Thanks,
SK
sk1922 asked:
Siva Prasanna Kumar (Principal Solutions Architect) commented:
I think someone from a .NET background may help you better; I will explain the certificates part.

Yes, your vendor is right, you need two certificates.

1) For TLS, that is to make sure that the client is actually talking to the server domain identified by the certificate. Example: at https://bankofamerica.com you will find that the browser will validate the HTTPS cert of Bank of America and then establish the session.

2) A certificate for mutual authentication, which will be used on the client side to trust your application. It acts as a primary identity of your application with its own CN name.

About buying these certificates: both are almost similar, the difference being that for the TLS one you need to make sure your server DNS name and the one in the certificate are the same; if not, the certificate will be of no use.

For the mutual auth certificate you need to make sure that you already have some kind of accepted client identifier, like a CN name.

The vendor will import both of your certificates for establishing mutual auth and TLS.

You need to configure both the certs on your end also. Please note you don't need to provide any of the private keys to the vendor; only the public certs should suffice for them.

The way you import these certs on IIS must be something that is available on Google, or some .NET expert may help with it.

Let me see if I can help you with the import of the IIS cert.
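As an added example (not from the thread, and assuming a plain Python client rather than the IIS/.NET app), the two rules above in code: a mutual-TLS client context that keeps our private key on our side and checks the vendor's DNS name, plus a check that a PEM export holds no private key before it is sent to the vendor. File paths are placeholders and the PEM sample is constructed.

```python
import re
import ssl

# Constructed sample export, as it might look if the private key were exported
# with the certificate. The base64 bodies are placeholders, not real material.
SAMPLE_EXPORT = """-----BEGIN CERTIFICATE-----
MIIBsampleCertificateBodyNotARealCertificate==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEsamplePrivateKeyBodyNotARealKey==
-----END RSA PRIVATE KEY-----
"""

# One PEM block; the END label must match the BEGIN label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----.*?-----END (?P=label)-----", re.DOTALL)


def pem_labels(pem_text):
    """Return the block labels found in a PEM file, in order of appearance."""
    return [m.group("label") for m in _PEM_BLOCK.finditer(pem_text)]


def public_only_bundle(pem_text):
    """Keep only CERTIFICATE blocks, the part that is safe to hand to the vendor.

    Returns (bundle, dropped_labels); any "... PRIVATE KEY" block is dropped
    and reported, because private keys never leave the IIS box.
    """
    kept, dropped = [], []
    for m in _PEM_BLOCK.finditer(pem_text):
        if m.group("label") == "CERTIFICATE":
            kept.append(m.group(0))
        else:
            dropped.append(m.group("label"))
    return "\n".join(kept) + "\n", dropped


def mtls_client_context(vendor_ca_bundle, client_cert, client_key):
    """Client-side TLS context for calling the vendor's SOAP endpoint.

    vendor_ca_bundle: PEM with the CA(s) that issued the vendor's server cert.
    client_cert / client_key: our mutual-auth cert and its private key (kept
    on our side). check_hostname is on, so the vendor's server cert must carry
    the DNS name we connect to, the same rule that applies to our own cert.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=vendor_ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True  # already the default for SERVER_AUTH; explicit
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx
```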

sk1922 (Author) commented:
Thank you for your help. And please pardon my ignorance on this.

So for TLS, I would actually generate the CSR on my end and supply the public certificate to the vendor, correct?


>>> A certificate for mutual authentication which will be used for client side to trust you application....
Do you mean the client side of the vendor's system?


Also, can you explain this further?
>>> For the mutual auth certificate you need to make sure that you have already some kind of accepted client identifier like CN name.
btan (Exec Consultant) commented:
Thought that this can be a useful read
@ http://www.orionserver.com/docs/ssl.html

For a secure channel from the client machine to the hosted web service, there is a need for authentication of the legit user. SSL/TLS is the standard mechanism for securing HTTP, protecting the channel against web attacks such as man-in-the-middle (talking to a fake server) or snooping of credentials and data (if the channel is not encrypted).

Of course, in web services the common security reference is WS, and it can leverage certificates. There are various schemes such as WS-Policy, WS-Trust and WS-SecureConversation that can be deployed. The vendor should also be able to share the details with you. That gives you some assurance.

@ http://en.wikipedia.org/wiki/WS-Security

Actually, I see those certificates are for server and client, but in your case your IIS server will have both certs. I am thinking it will serve these purposes: (a) server cert for other clients accessing your web server; (b) client cert, which is for authentication with your vendor's web service.
Better to clarify with them too.

sk1922 (Author) commented:
helpful and guided me in the appropriate direction.  I had to open additional questions specific to each scenario.