Solved

Need help w/ Web Services and SSL/TLS

Posted on 2010-11-30
Last Modified: 2012-05-10
Hello Experts!

I am working with a vendor who offers SOAP-based web services that I'm trying to use for my company.  The web services app/client that I'm building will reside on an IIS box, on our company network.  The web services require a cert for mutual SSL and another for TLS.  The vendor is requesting that I purchase the two certs for this and send the certs to them for installation.  I am not familiar with how this all works and would like to better understand before I continue down the path of obtaining certs, configuring, etc.

Specifically, I'd like to know if someone can assist in answering the following for me:

1)  Are these special certs that I need to purchase?
2)  What does the vendor do with the provided certs and what information should I expect to receive from them to ensure a secure handshake?
3)  Is the "mutual cert" something that I need to configure (e.g., install on the web server, convert to a file, etc.)


I want to make sure I'm heading down the right path by understanding all that needs to happen to form a secure connection with the vendor and what is being requested by them.

Any insight you can offer up would be greatly appreciated!

Thanks,
SK
0
Question by:sk1922
4 Comments
 
LVL 23

Accepted Solution

by:
Siva Prasanna Kumar earned 750 total points
ID: 34245868
I think someone from .NET background may help you better, I will explain the certificates part.

Yes, your vendor is right: you need two certificates.

1) For TLS, that is to make sure that the client is actually talking to the server domain identified by the certificate. Example: https://bankofamerica.com; you will find that the browser will validate the HTTPS cert of Bank of America and then establish the session.

2) A certificate for mutual authentication, which will be used for the client side to trust your application. It acts as a primary identity of your application with its own CN names.

About buying these certificates first both are almost similar but difference being that for the TLS one you need to make sure your server DNS name and the one in the certificate are same, if not the certificate will be of no use.

For the mutual auth certificate you need to make sure that you have already some kind of accepted client identifier like CN name.

The vendor will import both your certificates for establishing Mutual Auth and TLS.

You need to configure both the certs on your cert also, please note you don't need to provide any of the private keys to the vendor only public certs should suffice for them.

The way you import these certs on IIS must be something which should be available on google or some .NET expert may help with.

Let me see if I can help you with the import of the IIS cert.
0
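The point in the answer above that only the public certificate goes to the vendor, as an added PowerShell example (not code from the thread): it exports the public part of a client-authentication certificate and checks the exported file before it is sent. A constructed self-signed certificate stands in for the CA-issued one, and the subject `CN=ws-client.example.com` and the file name are assumptions.

```powershell
# Added example: a constructed self-signed cert stands in for the CA-issued client cert.
$ErrorActionPreference = 'Stop'

$clientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$subject       = 'CN=ws-client.example.com' # hypothetical client identity (CN)
$cerPath       = Join-Path $env:TEMP 'ws-client-public.cer'

# The key pair is generated in the local store and marked non-exportable,
# so the private key never has to leave the IIS box.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -KeyUsage DigitalSignature `
    -TextExtension @("2.5.29.37={text}$clientAuthOid")

try {
    # Export the public certificate only (DER .cer): this is the file for the vendor.
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

    # Re-load the exported file the way the recipient would and inspect it.
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $eku = $public.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject            = $public.Subject
        Thumbprint         = $public.Thumbprint
        LocalCopyHasKey    = $cert.HasPrivateKey
        ExportedFileHasKey = $public.HasPrivateKey
        HasClientAuthEku   = $ekuOids -contains $clientAuthOid
    } | Format-List

    if ($public.HasPrivateKey) {
        throw 'Exported file contains a private key; do not send it.'
    }
}
finally {
    # Clean up the demo certificate, its key and the exported file.
    Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey -ErrorAction SilentlyContinue
    Remove-Item -Path $cerPath -ErrorAction SilentlyContinue
}
```

With a CA-issued certificate the same export and checks apply; only the `New-SelfSignedCertificate` step is replaced by the CSR and issuance process.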
 

Author Comment

by:sk1922
ID: 34249472
Thank you for your help. And please pardon my ignorance on this.

So for TLS, I would actually generate the CSR on my end and supply the public certificate to the vendor, correct?


>>>A certificate for mutual authentication which will be used for client side to trust your application....
Do you mean the client side of the vendor's system?


Also, can you explain this further??
>>>>For the mutual auth certificate you need to make sure that you have already some kind of accepted client identifier like CN name.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 750 total points
ID: 34266796
Thought that this can be a useful read
@ http://www.orionserver.com/docs/ssl.html

For a secure channel from the client machine to request the hosted web service, there is a need for authentication of the legit user. SSL/TLS is the standard HTTP securing mechanism for protecting the channel against web attacks such as man-in-the-middle (talking to a fake server) or snooping of credentials and data (if the channel is not encrypted).

Of course, in web services, the common security reference is WS and it can leverage certificates. There are various schemes such as WS-Policy, WS-Trust and WS-SecureConversation that can be deployed. The vendor should also be able to share the details with you. That gives you some assurance.

@ http://en.wikipedia.org/wiki/WS-Security

Actually, I see those certificates are for server and client, but in your case your IIS server will have both certs. I am thinking they will serve these purposes: (a) a server cert for other clients accessing your web server; (b) a client cert, which is for authentication with your vendor's web service.
Better to clarify with them too.

0
 

Author Closing Comment

by:sk1922
ID: 34621715
Helpful, and guided me in the appropriate direction.  I had to open additional questions specific to each scenario.
0


Question has a verified solution.
