Creating and Using C# Web service over HTTPS – SSL

When Web Services are used, a common concern is security: SOAP messages are transferred in plain text over the network, so anyone with a sniffer could intercept the SOAP message and read it. In my opinion this could happen also to binary data, but probably it requires a little bit more hacker skills. So a solution is to use HTTPS (SSL) instead of HTTP, so the communication is encrypted.

To accomplish this, we need to do the following things

· Install Certificate (Issued by Certificate Authority) on the Web Server

· Create Web Service using .net

· Configure Web service to use SSL in IIS

· Call the Web Service thro Client

Install Certificate

Normally in the Production environment we need to buy the certificate from Verisign or any other well know certification Authority (CA). In the development environment we can make use of .net SDK’s MakeCert.exe which comes with .net 2.0 SDK.

Path to the Exe :

/Program Files/Microsoft Visual Studio 8/SDK/v2.0/bin/MakeCert.exe

Create and Install the certificate

Makecert -sr LocalMachine –ss My –n CN=ServiceModelSamples-HTTPS-Server –sky exchange –sk ServiceModelSamples-HTTPS-Key

Now the certificate is created and assigned in the Local Machine.

Create Web Service using .net

Using VS2005 or 2008 create a Web service with a sample Web Method AddValues which has two integer parameters and returns an integer value.
[WebMethod]

public int AddValues(int a,int b)

{

return a+b;

}

Now if you browse the Service from IIS it will show the AddValues Method.

Configure Web service to use SSL in IIS

· Type inetmgr in Run dialogbox and open IIS.

· On the DefaultWebsite Properties, Select the Directory Security tab.

Under Secure communication, select Server Certificate.

In the popup Wizard, select assign an existing certificate.

In the next step select our ServiceModelSamples-HTTPS-Server certificate and finish the wizard.

Now the certificate is installed. Now the view Certificate button gets enabled and

you can view the certificate.

Now R.click your web service Virtual directory in IIS and select its properties.

In the Properties dialogbox select Directory Security tab.

Under Secure communication, click Edit button.

Check Require Secure Channel (SSL).

Press OK and Exit the Properties.

Test the Web Service for HTTPS.

Now in the browser browse to your web service as

http://localhost/MyService/Service1.asmx

The Browser will show “The page must be viewed over a secure channel”.

Now in the browser change the address URL to

https://localhost/MyService/Service1.asmx

The browser will show the following screen

Click Continue to this Website (not recommended).

Create Client to consume the Web Service Method.

Open Visual Studio and create a ASP.Net web application.

In the Web Reference add a reference to our web service.

Type https://localhost/MyService/Service1.asmx in the URL and assign a name to the reference.

Now in the page load call our service

Service.Service1 myservice = new

ServiceHandler.Service.Service1();

int result= myservice.AddValues(10,11);

Response.Write(result.ToString());

If you run the application you will get the validation error.

“The remote certificate is invalid according to the validation procedure.”

Resolution:

Add a new Class file to your project with the name MyCertificatePolicy

Add the following using Statement.

using System;

using System.Net;

using System.Security.Cryptography.X509Certificates;

Inherit System.Net.ICertificatePolicy to the class

Add the method to the class below the constructor

public bool CheckValidationResult(ServicePoint sp,

X509Certificate cert,

WebRequest req,

int problem)

{

return true;

}

Now in the PageLoad add the below code, before initializing the Web service.

System.Net.ServicePointManager.CertificatePolicy =

new MyCertificatePolicy();

Service.Service1 myservice =

new ServiceHandler.Service.Service1();

int result= myservice.AddValues(10,11);

Response.Write(result.ToString());

Now Run the Project. The output 21 will be displayed in the Page.