SSL technology is used to encrypt communication between a client and a Web site. SSL is well known for its use in commercial Web sites, but it is equally valuable in almost any type of distributed application. For a server to support SSL connections, it must have an X.509 digital certificate. This certificate indicates that the server identity is registered with a valid Certificate Authority (CA). We'll consider how to obtain a certificate in the next section. A secure SSL session unfolds over several steps. The process is outlined here:
SSL and Certificates

To use SSL, you first need to install a server-side certificate using IIS. You can generate your own certificate for testing (using Certificate Server from Windows 2000 Server or Windows .NET Server, which requires Active Directory). When deploying a public application, however, you will probably want to use a genuine certificate authority such as VeriSign (http://www.verisign.com). One of the easiest ways to purchase a certificate is to create and e-mail a certificate request to the appropriate Certificate Authority. IIS Manager allows you to create a certificate request automatically by following these steps:
You can read much more about certificate requests and how to use certificates with IIS in the online IIS help, at http://localhost/iisHelp.
Communicating with SSL

After you've installed your certificate, you just need to ensure that client requests use a URL that starts with https: rather than http: to use SSL encryption. If you're using an XML Web service, you can modify the base Url property of the generated proxy class (inherited from the WebClientProtocol class in the System.Web.Services.Protocols namespace), as shown in Listing 13-19.

Listing 13-19 Enabling SSL on the client side

    Dim Proxy As New localhost.SSLServiceTest()

    Proxy.Url = "https://localhost/DistributedCode/SSLServiceTest.asmx"
    ' (You can now send an SSL-encrypted message).

    Proxy.Url = "http://localhost/DistributedCode/SSLServiceTest.asmx"
    ' (You can now send normal unencrypted requests).

This technique is particularly useful when you work with a service that uses ticket-based authentication. In this case, you might want to use SSL only when calling the Login method. To perform the required URL manipulations without hard-coding the URL, you can use the System.Uri class:

    Dim Proxy As New localhost.SSLServiceTest()
    Dim WSUri As New Uri(Proxy.Url)

    ' Use SSL.
    ' WSUri.Host = "localhost" and
    ' WSUri.AbsolutePath = "/DistributedCode/SSLServiceTest.asmx"
    Proxy.Url = "https://" & WSUri.Host & WSUri.AbsolutePath

    ' Use ordinary HTTP.
    Proxy.Url = "http://" & WSUri.Host & WSUri.AbsolutePath

In your XML Web service code, you can check whether a user is connecting over a secure connection using the HttpRequest.IsSecureConnection property, as shown in Listing 13-20.

Listing 13-20 Verifying SSL on the server side

    ' SecurityException is defined in the System.Security namespace.
    If Not Context.Request.IsSecureConnection Then
        Throw New SecurityException( _
         "This page must be requested through SSL.")
    Else
        ' (Perform action.)
    End If

In a .NET Remoting scenario, you just modify the URL in the client's configuration file so that it starts with https: rather than the http: prefix.

Keep in mind that when you use SSL, all traffic is encrypted, not just the data you're exchanging. For example, the text in an XML Web service request message that identifies the method to execute is encrypted, along with the body of the message, the envelope, and all SOAP headers. This is one reason why SSL has a reputation for being slow.
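The System.Uri snippet above rebuilds the URL from Host and AbsolutePath, which silently drops an explicit port and any query string. The following is an added example, not one of the book's listings: a hypothetical SwitchScheme helper that performs the same scheme swap with UriBuilder and refuses to guess a non-default port. It assumes a .NET version in which setting UriBuilder.Port to -1 selects the scheme's default port; the 8080 and 8443 ports are constructed sample values.

```vb
Imports System

' Added example: hypothetical helper, not part of the book's code.
Public Module ProxyUrlHelper

    ' Returns url with its scheme switched to https (useSsl = True) or http.
    ' port is only needed when the target endpoint listens on a
    ' non-default port (anything other than 443 for https or 80 for http).
    Public Function SwitchScheme(ByVal url As String, ByVal useSsl As Boolean, _
                                 Optional ByVal port As Integer = -1) As String
        Dim Original As New Uri(url)
        Dim Builder As New UriBuilder(Original)

        Dim Target As String = Uri.UriSchemeHttp
        If useSsl Then Target = Uri.UriSchemeHttps
        Builder.Scheme = Target

        If port <> -1 Then
            ' The caller knows which port the target scheme listens on.
            Builder.Port = port
        ElseIf Original.Scheme <> Target Then
            If Original.IsDefaultPort Then
                ' UriBuilder copied the old default (for example 80). Reset it,
                ' or "http://host/x" would turn into "https://host:80/x".
                Builder.Port = -1
            Else
                ' An explicit port cannot be mapped to the other scheme by guessing.
                Throw New ArgumentException( _
                    "Supply the port for " & Target & " explicitly.", "port")
            End If
        End If
        ' Scheme unchanged and no port given: keep the original port.

        Return Builder.Uri.AbsoluteUri
    End Function

    Public Sub Main()
        ' Constructed sample endpoints; with a generated proxy you would pass
        ' Proxy.Url and assign the result back to Proxy.Url.
        Dim Endpoint As String = "http://localhost/DistributedCode/SSLServiceTest.asmx"
        Console.WriteLine(SwitchScheme(Endpoint, True))
        Console.WriteLine(SwitchScheme( _
            "http://localhost:8080/DistributedCode/SSLServiceTest.asmx", True, 8443))
    End Sub
End Module
```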