Hands-On Lab Using Certificate based Authentication to Consume a Windows Azure WCF Service from SharePoint Lab version: 1.0.0 Last updated: 7/8/2022

Hands-On Lab

Using Certificate Based Authentication to Consume a Windows Azure WCF Service from SharePoint

Lab version: 1.0.0

Last updated: 5/20/2023


CONTENTS

OVERVIEW

EXERCISE 1: CREATING AND MANAGING THE CERTIFICATES
  Task 1 – Creating the Certificates
  Task 2 – Managing the Certificates
  Task 3 – Exporting the Certificates

EXERCISE 2: CREATING THE AZURE WCF SERVICE
  Task 1 – Configuring the WCF Service
  Task 2 – Testing the Service

EXERCISE 3: CREATE CLIENT APPLICATION TO CONSUME THE WCF SERVICE
  Task 1 – Creating the Client Application
  Task 2 – Displaying the Web Part

SUMMARY


Overview

The cloud security design ensures that a customer’s data is only accessible by authorized entities. Windows Azure provides confidentiality via several mechanisms, one of which is Identity and Access Management. This ensures that only properly authenticated entities are allowed access.

Certificates and private keys are uploaded via Service Management API (SMAPI) or the Windows Azure Portal as PKCS12 (PFX) files protected in transit by SSL. PKCS12 is one of the Public-Key Cryptography Standards (PKCS), published by RSA Laboratories, which defines a file format commonly used to store X.509 private keys with accompanying public key certificates, protected with a password-based symmetric key. SMAPI removes the password protection (if necessary) and encrypts the entire PKCS12 blob using SMAPI’s public key and stores it in a secret store on the fabric controller, along with a short certificate name and the public key as metadata. The configuration data associated with any role within the same subscription specifies the certificates that should be made available to the role. When a role is instantiated on a VM, the Fabric controller retrieves the appropriate certificate, decrypts the PKCS12 blob, and re-encrypts it using the Fabric agent's public transport key. For more information on using Certificates with Windows Azure, please read the Windows Azure Security Overview Whitepaper.

Objectives

In this lab, you will:

Create a signing certificate and store it in the machine root.

Create self-signed client and server certificates and store them in the appropriate certificate stores.

Create a Windows Azure hosted WCF service that authenticates users based on the certificates.

Create a SharePoint Web Part application that reads the client's certificate store for a valid certificate to consume the Windows Azure service.

System Requirements

You must have the following items to complete this lab:

Windows Azure SDK and Windows Azure Tools for Microsoft Visual Studio (March 2011).

KB981002 - WCF: Hotfix rollup in .NET 3.5 SP1 for Windows 7 and Windows Server 2008 R2.

Access to a Windows Azure account.


Setup

The Windows Azure SDK (included in Windows Azure Tools for Visual Studio) installs a simulation environment on your development machine for testing Azure applications locally before deploying them to the cloud. The simulation environment consists of the development fabric to host web and worker roles, and the development storage which simulates cloud blob, table and queue storage locally.

Development storage uses SQL Server as its underlying storage mechanism, and by default the SDK will attempt to configure it to use SQL Server Express. If you do not have SQL Server Express installed before installing the SDK, or you wish to simply use an existing SQL Server instance to host the development storage database, you must run the dsinit command to select the SQL Server instance where the database will be created.

Using dsinit to Configure Development Storage

1. Open a command prompt.

2. Edit the following command line as appropriate for your environment, where [AzureSDKInstallDrive] is the drive where you installed the Azure SDK (or Windows Azure Tools for Visual Studio), and [YourSqlInstance] is the SQL Server instance where you want to create the development storage database.

[AzureSDKInstallDrive]\Program Files\Windows Azure SDK\v1.4\bin\devstore\dsinit.exe /sqlinstance:[YourSqlInstance]

Example command line:

“C:\Program Files\Windows Azure SDK\v1.4\bin\devstore\dsinit.exe” /sqlinstance:.

3. Note that the sample command line above uses the value “.” for the sqlinstance argument, which specifies that the local default SQL Server instance will be used for development storage.

Estimated time to complete this lab: 60 minutes.


Exercise 1: Creating and Managing the Certificates

Task 1 – Creating the Certificates

A self-signed certificate is an identity certificate that is signed by its own creator. That is, the person who created the certificate also signed off on its legitimacy. In this exercise, you will create three certificates: the signing certificate, the client certificate and the server certificate.

1. Log into your Windows Azure Portal at http://windows.azure.com.

2. Click New Hosted Service.

Figure 1: Windows Azure Ribbon menu

3. Create a new hosted service as follows:

Note: Use a unique name and URL prefix for your service, and ensure that Do not deploy is selected as the deployment option. By selecting this option, you are only reserving the name and the URL of your service. This URL is needed to create the server certificate.


Figure 2: Create a New Hosted Service

4. Click OK.

5. Wait a few minutes until the new hosted service is created and ready.

6. Open the Visual Studio 2010 Command Prompt.


Figure 3: Windows Start menu

7. Create the signing certificate and store it in the machine root by running the following command:

makecert -r -pe -a sha1 -n "CN=azurehol2011_ca" -ss Root -sr LocalMachine -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 azurehol2011_ca.cer

Note: azurehol2011_ca.cer is the file name of the certificate file, and azurehol2011_ca is the certificate common name (CN).

8. Create a client certificate and store it in the personal certificate store by running the following command:

makecert -pe -n "CN=Azure HOL Client Certificate, O=My Company Name" -ss my -sr CurrentUser -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "azurehol2011_ca" -is Root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

Note: The azurehol2011_ca in the above command should match the common name (CN) from step 7.


Figure 4: Visual Studio Command Prompt

9. Replace [Your Hosted Service] in the command below with the URL prefix of the Azure service (Ex: azureholusingcerts). Create a server certificate and store it in the machine personal store by running the following command:

makecert -pe -n "CN=[Your Hosted Service].cloudapp.net" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "azurehol2011_ca" -is Root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 azurehol2011_server.cer

Note: The azurehol2011_ca in the above command should match the common name (CN) from step 7.


Figure 5: Azure Command
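The makecert options above encode what each certificate is for: the signing certificate is self-signed (-r) and placed in LocalMachine\Root, the client certificate carries the client-authentication EKU (1.3.6.1.5.5.7.3.2), the server certificate carries the server-authentication EKU (1.3.6.1.5.5.7.3.1), and both leaf certificates are issued by the signing certificate (-in/-is/-ir). The following PowerShell script is an added check, not part of the lab, that confirms the three certificates landed in the expected stores with those properties and that both leaf certificates chain to the signing certificate. It assumes the subject names from the commands above; $hostedService is a placeholder for your URL prefix. It also prints the signing certificate's thumbprint, which Exercise 2 asks for.

```powershell
# Added check script (not part of the lab). Assumes the certificates created by
# the three makecert commands in Task 1. Run in an elevated PowerShell prompt.
$hostedService = '[Your Hosted Service]'   # placeholder: your URL prefix, e.g. azureholusingcerts
$caSubject     = 'CN=azurehol2011_ca'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth, from the client makecert -eku
$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # id-kp-serverAuth, from the server makecert -eku

function Get-CertBySubject($storePath, $subjectPattern) {
    $cert = Get-ChildItem $storePath |
        Where-Object { $_.Subject -like $subjectPattern } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$subjectPattern' in $storePath" }
    return $cert
}

function Test-Eku($cert, $oid) {
    # True when the certificate has an Enhanced Key Usage extension containing $oid
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    return [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $oid }))
}

function Test-ChainsToCa($cert, $ca) {
    # Build the chain the way SChannel will; the CA must be trusted from LocalMachine\Root
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # makecert publishes no CRL
    $ok = $chain.Build($cert)
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    return ($ok -and ($rootThumb -eq $ca.Thumbprint))
}

$ca     = Get-CertBySubject 'Cert:\LocalMachine\Root' $caSubject
$client = Get-CertBySubject 'Cert:\CurrentUser\My'    'CN=Azure HOL Client Certificate*'
$server = Get-CertBySubject 'Cert:\LocalMachine\My'   "CN=$hostedService.cloudapp.net"

$results = @(
    @{ Check = 'CA is self-signed';          Pass = ($ca.Subject -eq $ca.Issuer) }
    @{ Check = 'Client has private key';     Pass = $client.HasPrivateKey }
    @{ Check = 'Client has clientAuth EKU';  Pass = (Test-Eku $client $clientAuthOid) }
    @{ Check = 'Client chains to CA';        Pass = (Test-ChainsToCa $client $ca) }
    @{ Check = 'Server has private key';     Pass = $server.HasPrivateKey }
    @{ Check = 'Server has serverAuth EKU';  Pass = (Test-Eku $server $serverAuthOid) }
    @{ Check = 'Server chains to CA';        Pass = (Test-ChainsToCa $server $ca) }
)
foreach ($r in $results) {
    '{0,-28} {1}' -f $r.Check, $(if ($r.Pass) { 'OK' } else { 'FAIL' })
}

# This is the value Exercise 2 asks you to paste into Startup.cmd as [THUMBPRINT].
'Signing certificate thumbprint: ' + $ca.Thumbprint
```

Every line should report OK before you continue; a FAIL on a chain check usually means the -in value did not match the CN from step 7, and a FAIL on an EKU check means the wrong -eku OID was used for that certificate. $client.SignatureAlgorithm.FriendlyName shows the hash used; the lab's commands specify -a sha1, which modern TLS stacks reject or warn on, so a chain intended for anything beyond this development exercise should be issued with SHA-256.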

Task 2 – Managing the Certificates

1. Click Windows Start, type MMC, and click mmc.exe.

Figure 6: Windows Start menu

2. On the File menu, click Add/Remove Snap-in.

3. Select Certificates and click the Add button.


Figure 7: Add or Remove Snap-ins Dialog

4. Select My user account and then click Finish.

5. In the Add or Remove Snap-ins dialog box, select Certificates again and click the Add button again.

6. Select Computer Account and then click Next.

7. Click Finish.

8. Click OK.

9. Expand Certificates (Local Computer) and then expand Trusted Root Certification Authorities. Double-click Certificates.

10. Locate the signing certificate (ex: azurehol2011_ca). Right-click the certificate name and then click Copy.


Figure 8: Certificates explorer

11. Under Certificates (Local Computer), expand Personal. Right-click Certificates and then click Paste.

Figure 9: Certificates context menu

12. Now the Local Computer Personal store should look as follows:


Figure 10: Certificates explorer

Task 3 – Exporting the Certificates

1. Right-click the signing certificate (Ex: azurehol2011_ca), click All Tasks, and then click Export.

Figure 11: Certificates explorer

2. Click Next.

3. Select the Yes, export the private key option and then click Next.

4. Leave the defaults (the Personal Information Exchange selection), and then click Next.


Figure 12: Certificate Export Wizard

5. Type and confirm the password for this certificate (Ex: pass@word1). Click Next.

6. Browse to a location on your development machine and save the certificate under the same name (ex: azurehol2011_ca.pfx).

Figure 13: Certificate Export Wizard

7. Click Finish.

8. Repeat the steps to save the server certificate, located at Certificates (Local Computer) > Personal > Certificates > [your hosted service].cloudapp.net, to your development machine as azurehol2011_server.pfx. This certificate, along with the signing certificate, will be uploaded to the Azure hosted service instance.

9. Similarly, repeat the steps to save the client certificate, located at Certificates - Current User > Personal > Certificates > Azure HOL Client Certificate, to your development machine as azurehol2011_client.pfx. This certificate should be distributed to the clients seeking to consume the Azure hosted WCF service.

10. When this is done, you should have 3 certificates as follows:

Figure 14: Certificate Explorer

11. Log into your Windows Azure Portal (http://windows.azure.com).

12. Expand the name of the hosted service that you created in Exercise 1, Task 1, and then click Certificates.

13. Click Add Certificate.


Figure 15: Windows Azure Platform

14. Click the Browse button, locate the server certificate (azurehol2011_server.pfx) and upload it. Type the certificate password and click Create.

Figure 16: File Browser


15. Similarly, upload the signing authority certificate (azurehol2011_ca.pfx).

Figure 17: Certificates Explorer

The certificates needed for the WCF service are now ready.


Exercise 2: Creating the Azure WCF Service

Task 1 – Configuring the WCF Service

In this task, you will create the WCF service and host it on Azure.

1. Browse to the Before folder of the Lab.

2. Open the solution SPToWinAzureUsingCerts.sln.

3. Right-click SalaryServiceWebRole under Roles, and click Properties. Then, click the Certificates tab on the left.

Figure 18: Web Roles

4. Click Add Certificate.

5. Type ServerCertificate as the name of the certificate. Leave the default Store Location (LocalMachine) and Store Name (My).

6. Click the Thumbprint button to bring up the certificate list. Select the server certificate and click OK.


Figure 19: Windows Security – Certificate List

7. Similarly, add another certificate named CA (for certificate authority) and choose the signing authority certificate (Ex: azurehol2011_ca).

Figure 20: Windows Security – Certificate List


8. The Certificate section should now look as follows:

Figure 21: Certificate Section

9. Click the Endpoints tab on the left.

10. Set the following attributes for the endpoint:

Type: Input

Protocol: https

Public Port: 443

SSL Certificate Name: ServerCertificate

Figure 22: EndPoint fields

11. Save the project.

12. Open the Startup.cmd file.

13. Replace [THUMBPRINT] with the thumbprint of your signing authority certificate.


Figure 23: Startup.cmd file

Since the signing certificate is self-signed, it must be installed in the Trusted Root store of the Azure hosted service instance. The role's certificate configuration does not support installing into Root (as a security measure), so this must be done using a startup task. The startup task must also unlock the SSL configuration section of Web.config. The next step registers a startup task with elevated privileges that runs Startup.cmd.

14. After the changes, the Startup.cmd will look as follows:

Figure 24: Startup.cmd file
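The lab's own Startup.cmd is shown only as a figure, so the PowerShell script below is an added example of the two actions the text describes, not the lab's file: copy the signing certificate (which the role configuration installs into LocalMachine\My) into LocalMachine\Root, and unlock the IIS SSL settings section so the role's Web.config can require client certificates. It assumes Startup.cmd invokes it with `powershell -ExecutionPolicy Unrestricted -File Startup.ps1`, that the role's CA certificate entry from step 7 placed the certificate in LocalMachine\My, and [THUMBPRINT] is the same placeholder the lab uses.

```powershell
# Startup.ps1 (added example, not the lab's Startup.cmd). Runs as the elevated startup task.
# Assumed to be launched from Startup.cmd as:
#   powershell -ExecutionPolicy Unrestricted -File Startup.ps1
$thumbprint = '[THUMBPRINT]'   # placeholder: thumbprint of the signing (CA) certificate

# 1. The role's certificate configuration installs the CA certificate into LocalMachine\My only.
#    Copy it into Trusted Root so IIS/SChannel will accept client certificates issued by it.
$ca = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
try {
    $alreadyTrusted = $root.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $alreadyTrusted) {
        $root.Add($ca)     # idempotent on instance restart: only add when missing
    }
} finally {
    $root.Close()
}

# 2. system.webServer/security/access (the sslFlags section) is locked at the server level
#    by default, so a Web.config that sets it would fault. Unlock it for the role's site.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
& $appcmd unlock config /section:system.webServer/security/access
if ($LASTEXITCODE -ne 0) {
    throw "appcmd unlock failed with exit code $LASTEXITCODE"
}
```

Because the task runs on every instance start, both actions are written to be safe to repeat. Only the signing certificate goes into Root; the server certificate stays in LocalMachine\My, where the HTTPS endpoint configured in step 10 expects it.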

15. Open the ServiceDefinition.csdef file, and add the following XML element in the TODO: 5.8.1 section.


XML

<Startup>
  <Task commandLine="Startup.cmd" executionContext="elevated" taskType="simple">
  </Task>
</Startup>

16. Save, publish and deploy (Production Deployment) the solution to the hosted service that you created earlier in Exercise 1 (Ex: AzureHolUsingCerts.CloudApp.net).

17. The hosted service should now look as follows:

Figure 25: Hosted Service

Task 2 – Testing the Service

1. On the development machine, open a new instance of the Internet Explorer browser and navigate to your service URL. Note: You must use https (Ex: https://azureholusingcerts.cloudapp.net/salaryservice.svc).

2. Since your development machine has the client certificate installed in the Personal certificate store, the browser prompts you to confirm the certificate. (Note: Because a self-signed certificate is used, you see this Windows Security message. When a certificate issued by a certificate authority is used, you will not see this message.)


Figure 26: Windows Security Pop-up

3. Select the client certificate and click OK.

4. You should be able to see the service details.


Figure 27: Service details

5. Now, try to access the same service from a different machine, where the client certificate is not installed. You will notice that the browser shows a server error, and access to the service is denied.


Figure 28: Access is denied error

To enable access to this service from machines that do not yet have it, distribute the client certificate and install it on the end-user machine. All end-user machines requiring access to the service must have the client certificate installed in their Personal certificate store.

6. To test the AdjustSalary method from the machine that has the client certificate, open a browser window and navigate to:

https://[Your URL Prefix].cloudapp.net/salaryservice.svc/adjustedsalary?a=1000&b=7

Note: Replace [Your URL Prefix] with the URL prefix of your hosted service. Example:

https://azureholusingcerts.cloudapp.net/salaryservice.svc/adjustedsalary?a=1000&b=7

7. Save/download the resulting file (JSON output) as adjustedSalary.txt to your local machine and open it. The text file contains the result of the calculation.
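The browser test above exercises both outcomes by hand: a request that presents the client certificate succeeds, and one that cannot is refused. The PowerShell script below is an added example, not part of the lab, that performs the same two requests against the adjustedsalary URL from step 6 so the behaviour can be checked without a browser. It assumes the client certificate is in CurrentUser\My under the subject from Exercise 1 and that the signing certificate is trusted on the calling machine (it is in LocalMachine\Root on the development machine); [Your URL Prefix] is the lab's placeholder.

```powershell
# Added example (not part of the lab): call the service with and without the client certificate.
$urlPrefix = '[Your URL Prefix]'   # placeholder: your hosted service's URL prefix, e.g. azureholusingcerts
$uri = "https://$urlPrefix.cloudapp.net/salaryservice.svc/adjustedsalary?a=1000&b=7"

function Invoke-SalaryService($uri, $clientCert) {
    # Returns the HTTP status and body; a missing client certificate is reported, not thrown.
    $request = [System.Net.WebRequest]::Create($uri)
    if ($clientCert) { [void]$request.ClientCertificates.Add($clientCert) }
    try {
        $response = $request.GetResponse()
        $status   = [int]$response.StatusCode
        $reader   = New-Object System.IO.StreamReader($response.GetResponseStream())
        $body     = $reader.ReadToEnd()
        $reader.Close()
        $response.Close()
        return @{ Status = $status; Body = $body }
    } catch [System.Net.WebException] {
        # IIS answers a missing/unknown client certificate with a 403 (access denied) response
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        return @{ Status = $status; Body = $_.Exception.Message }
    }
}

# Pick the lab's client certificate from the Personal store (it must carry the private key
# so the TLS handshake can prove possession of it).
$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like 'CN=Azure HOL Client Certificate*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $clientCert) { throw 'Client certificate not found in CurrentUser\My' }

$with    = Invoke-SalaryService $uri $clientCert
$without = Invoke-SalaryService $uri $null

'With client certificate:    HTTP {0}  {1}' -f $with.Status, $with.Body
'Without client certificate: HTTP {0}  {1}' -f $without.Status, $without.Body
```

The first line should show HTTP 200 with the JSON result the lab has you save as adjustedSalary.txt; the second should show the denial. The script deliberately does not override server certificate validation: the server certificate chains to the signing certificate you installed in Trusted Root, so validation passes on the development machine, and a failure there points at a missing root rather than something to suppress.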


Exercise 3: Create Client Application to consume the WCF Service

Task 1 – Creating the Client Application

1. Open SalaryDisplayPage.htm in the SalaryDisplayWeb project.

2. Under the section //TODO: 5.8.2, replace [Your URL Prefix] with the URL prefix of your Azure hosted WCF service. Ex: https://azureholusingcerts.cloudapp.net

Figure 29: SalaryDisplayPage.htm

3. Copy the full path of SalaryDisplayPage.htm to your clipboard.


Figure 30: SalaryDisplayPage.htm properties

4. Open a new instance of Internet Explorer, paste the full path, and browse to the HTML page.

5. Note that the URL should point to a local file.

Figure 31: Internet Explorer

6. Click the Internet Explorer Security bar, and click Allow Blocked Content.

Figure 32: Internet Explorer security bar

7. Enter a starting salary and inflation rate and click the Get Adjusted Salary button. You will see a Windows Security alert asking you to confirm the client certificate. Click the client certificate and click OK.

Figure 33: Windows Security Alert


This Windows Security dialog is displayed because a self-signed certificate is used. Using a certificate signed by a certificate authority eliminates the prompt; in the meantime, you can ignore it.

For more details refer to: http://msdn.microsoft.com/en-us/library/ff795779.aspx

8. The result of the calculation (inflation adjusted salary) is now displayed.

Task 2 – Displaying the Web Part

1. The HTML code snippet can be inserted into a SharePoint HTML Web Part (as explained in the jQuery labs, Labs 5 and 6). However, you will run into an access denied error message. This is due to the use of a self-signed certificate; the self-signed certificate used in this lab is intended for authentication in the development environment only. Using a certificate signed by a certificate authority eliminates this problem. For more details refer to: http://msdn.microsoft.com/en-us/library/ff795779.aspx

Summary

The cloud security design ensures that a customer’s data is only accessible by authorized entities. Windows Azure provides confidentiality via several mechanisms, one of which is Identity and Access Management using private keys and certificates.

In this lab, you learned to create a signing certificate and store it in the machine root. You also created self-signed client and server certificates and stored them in the appropriate certificate stores. Finally, you learned how to create a SharePoint Web Part that consumes a Windows Azure hosted WCF service over https.