
- Number of slides: 93
3/17/2018 External guide: Creating a web service for Heldin. This guide describes how a web service is built in .NET as a data provider (Producer)
3/17/2018 Prerequisites and software to be installed • Setting up IIS • WSDL for Heldin • Producer with .NET • Consumer with .NET • Setting up the connection between WS
3 X-Road hands-on .NET training • Hands-on training: • Configure IIS • Describing X-Road Web Service • Creating and testing new X-Road Producer in .NET • Creating and testing new X-Road Consumer in .NET • Provider Secure connection • Consumer Secure connection • Example
4 Development environment • .NET Framework (3.5/4.0/4.5) • IIS (7) • MS Visual Studio (2010+) • Windows SDK • SoapUI (http://sourceforge.net/projects/soapui/files/)
5 Configure IIS • Using UI • On Windows Server • Using CMD • Can be used on Windows/Windows Server
6 Configure IIS Using UI on Windows • Open the Windows Features dialog and select the needed options. (type „turn windows features on or off“ in Start search)
7 Configure IIS Using UI on Windows • Look for „Internet Information Services“ • In „Security“ choose: • Client Certificate Mapping Authentication • IIS Client Certificate Mapping Authentication • In Common HTTP Features: • Directory Browsing • Static Content
8 Configure IIS Using UI on Windows Server • Open Server Manager • Select Roles -> Add Roles • Select „Web Server (IIS)“
9 Configure IIS Using UI on Windows Server • On Role Services check: • Common HTTP Features: • Static Content • Default Document • Directory Browsing • Application Development: • ASP.NET • .NET Extensibility • ASP • Security • Basic Auth • Client Certificate Mapping Auth • IIS Client Certificate Mapping Auth
10 Configure IIS Using CMD • To enable all needed features, run the following command: start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
11 Describing X-Road Web Service • Start from scratch – sample.wsdl • Personalize service • Add custom operations • Define messages • Define custom data types • Service endpoint
12 Describing X-Road Web Service Using Scratch • Begin from an X-Road blank sample.wsdl file, which contains only the meta services for the Security Server: • listMethods • Used by the Security Server to show the list of available operations. • testSystem • Used for checking Producer server status. • We are not allowed to change the names, signatures, etc. of these two methods.
13 Describing X-Road Web Service Personalize service • The first step is to personalize your service. For this, change the following occurrences to your own: • ProducerShortName -> The short name of your ministry • Only lowercase letters and “-” are allowed, no underscore! • SecurityServerAddress -> Security server proxy address (not important for producer stage, only for customer) • PortName* -> Your service port name (not important for consumers) • IServiceInterfaceName* -> The name of your service interface • ProducerServiceName* -> Name of your Producer • PortTypeName* -> Name of operations set on producer
14 Describing X-Road Web Service Personalize service • For example: • ProducerShortName -> mot • SecurityServerAddress -> http://10.96.70.195/cgi-bin/consumer_proxy • PortName -> TeaPort • IServiceInterfaceName -> ITeaService • ProducerServiceName -> TeaServices • PortTypeName
15 Describing X-Road Web Service Add custom operations • Now create a list of available operations. • List operations in binding element: <binding name="Binding" type="tns:PortType"> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> <operation name="op1"> ... </operation> <operation name="op2"> ... </operation> </binding>
16 Describing X-Road Web Service Add custom operations • Now we create a list of available operations. • Each custom operation must have the following structure: • soap:operation • xrd:version • The input consists of 5 parts: • Consumer, producer, userId, id, service. • Output consists of 5 parts (same as input): • Consumer, producer, userId, id, service.
17 Describing X-Road Web Service Add custom operations • Example: <operation name="appList"> <soap:operation soapAction="appList" style="document"/> <xrd:version>v1</xrd:version> <input> <soap:body parts="body" use="literal"/> <soap:header message="tns:standardheader" part="consumer" use="literal"/> <soap:header message="tns:standardheader" part="producer" use="literal"/> <soap:header message="tns:standardheader" part="userId" use="literal"/> <soap:header message="tns:standardheader" part="id" use="literal"/> <soap:header message="tns:standardheader" part="service" use="literal"/> </input> <output> ... </output> </operation>
18 Describing X-Road Web Service Add custom operations • Each operation in the binding has an appropriate soapAction in the portType operation list. <portType name="PortType"> <operation name="op1"> ... </operation> <operation name="op2"> ... </operation> </portType>
19 Describing X-Road Web Service Add custom operations • Specify the input and output messages for each operation. <operation name="op1"> <documentation> <xrd:title>Short description.</xrd:title> </documentation> <input message="tns:op1"/> <output message="tns:op1Response"/> </operation>
20 Describing X-Road Web Service Add custom operations • Messages are listed inside the root („definitions“) element. <definitions ... namespaces ...> <types> <schema> ... types definition ... </schema> </types> <message name="Msg name"> ... </message> ... other messages ... <portType name="PortType"> ... port operations ... </portType> <binding name="Binding" type="tns:PortType"> ... operations ... </binding> <service name="ProducerService"> ... </service> </definitions>
21 Describing X-Road Web Service Add custom operations • Define message types for PortType operations. <message name="op1msgReq"> <part name="body" element="tns:op1"/> </message> <message name="op1msgRes"> <part name="body" element="tns:op1Response"/> </message>
22 Describing X-Road Web Service Add custom operations • The last step is to write the XSD schema of the custom types we want to use. <definitions ... namespaces ...> <types> <schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:xrd="http://x-road.eu/xsd/x-road.xsd" targetNamespace="http://x-road.eu/xsd/x-road.xsd"> ... Definitions of data types to use in service ... </schema> </types> ... </definitions>
23 Describing X-Road Web Service endpoint • Element <service> describes the producer endpoint configuration. <definitions> ... <service name="TestSoapService"> <wsdl:port name="Test" binding="tns:TestSoapBinding"> <soap:address location="http://localhost:6421/training/Test"/> <xrd:title>Test Service Endpoint</xrd:title> <xrd:address producer="aktorstest3"/> </wsdl:port> </service> </definitions>
24 Describing X-Road Web Service endpoint • The names of the service and port are not important to the Security Server. It is up to you to give meaningful names. • What matters is the address location and the producer name: • The SOAP location address is the security server proxy address ([sec server IP]/cgi-bin/consumer_proxy). It is not important for the Producer itself. It describes a service endpoint for the client. Each client has its own Security Server to send requests to. • The producer name is the organization's short name.
25 Describing X-Road Web Service endpoint • After refactoring: <service name="PeopleRegister"> <wsdl:port name="PeopleRegisterPort" binding="tns:PeopleRegisterBinding"> <soap:address location="http://172.25.200.131/cgi-bin/consumer_proxy/"/> <xrd:title>People Register services</xrd:title> <xrd:address producer="aktorstest2"/> </wsdl:port> </service> </definitions> • An example of service endpoint configuration. It can be skipped for producers, because each consumer configures its own endpoint.
26 Create Producer using ASP.NET • Prepare working files. • Sample Project • Code Generation • Implementing Service • Test service • Deploy on IIS Server
27 Create Producer using ASP.NET Working files • We will create a Web Service interface via the Web Services Description Language Tool (wsdl.exe) • Training sample files folder: c:\training\NET_example • Sample WSDL: • training_eu.wsdl • Sample C# files: • Blank.wsdl, training_eu.wsdl, GenerateCode.bat
28 Create Producer using ASP.NET Working files • Change the name of the sample WSDL file training_eu.wsdl -> mot.wsdl as an example • In service provider namespace: • Find all instances of the sample provider name in the file and replace „aktorstest3“ with your real service provider short name: http://aktorstest3.x-road.eu/producer I will use “mot” instead of aktorstest3 as an example
29 Create Producer using ASP.NET Sample Project • Create a new project • Select: File -> New -> Project -> ASP.NET Web Service Application
30 Create Producer using ASP.NET Sample Project • Enter a Project name: Producer • Include the training files in the project • Producer -> Add -> New Folder -> wsdl • Producer -> Add -> Existing Item -> (Browse for the mot.wsdl file in the training folder)
31 Create Producer using ASP.NET Sample Project • In the file properties change the following options: • Mark the imported file as “Content” to prevent changes to the file's directory. • Always copy to output directory
32 Create Producer using ASP.NET Code Generation • Generate CSharp code: • In the training folder run GenerateCode.bat ! NB before running the script, make sure that the full names of the input WSDL file and the output file are correct.
33 Create Producer using ASP.NET Code Generation • Attach the generated code to the solution: Producer -> Add -> Existing Item -> (Browse for the ITeaService.cs file in the training folder) • For better readability you can refactor some class names: • @string -> ConsumerHeader • string1 -> ProducerHeader • string2 -> UserIdHeader • string3 -> IdHeader • string4 -> ServiceHeader
34 Create Producer using ASP.NET Code Generation • For the changed classes, remove all occurrences of the attribute in the header class types: [System.Xml.Serialization.XmlTypeAttribute(TypeName="string", Namespace="http://www.w3.org/2001/XMLSchema")] or [System.Xml.Serialization.XmlTypeAttribute(Namespace="http://www.w3.org/2001/XMLSchema")] The reason is that the file generation tool uses attribute types as class names, but we cannot have duplicate class names.
35 Create Producer using ASP.NET Implementing Service • Delete the default Service1.asmx and create XRoadService.asmx • Make it an implementation of the generated service: public class XRoadService : ITeaService • Add attributes to the XRoadService class: [WebService(Namespace = "http://mot.x-road.ee/producer")] [SoapDocumentService(RoutingStyle = SoapServiceRoutingStyle.RequestElement)] • In the namespace, replace the short name „aktorstest3“ with your real service provider short name
36 Create Producer using ASP.NET Implementing Service • Implement all members: • Headers: • consumer, producer, userId, service as properties. • Methods: • Custom methods: • listDist • etc. … • System methods: • listMethods – used by the Security Server to obtain a list of custom operations • testSystem – used by the Security Server to check producer status.
37 Create Producer using ASP.NET Implementing Service • listMethods(object request): • Parse the WSDL file and show the operation list from the binding element. • Filter out the system methods that are used by the Security Server • (Check the notes section for code sample) • testSystem(object request): • Good place to run tests or check database connection.
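The notes-section sample mentioned on this slide is not part of this text. The following is an added example, not code from the original deck or from the X-Road project, of the listMethods logic the slide describes: read the WSDL with DTD processing disabled, take the operations from the binding element only, and drop the two meta services. The sample WSDL is constructed, and the `producer.operation.version` output format is an assumption based on the full service name used in the consumer slides.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

static class ListMethodsExample
{
    static readonly XNamespace Wsdl = "http://schemas.xmlsoap.org/wsdl/";
    // xrd namespace as declared in the schema slide of this guide.
    static readonly XNamespace Xrd = "http://x-road.eu/xsd/x-road.xsd";
    // Meta services reserved for the Security Server; never reported as custom operations.
    static readonly HashSet<string> SystemMethods =
        new HashSet<string>(StringComparer.Ordinal) { "listMethods", "testSystem" };

    // Constructed sample WSDL (not the training file). The portType repeats
    // listDist to show that only the binding's operations are counted.
    const string SampleWsdl = @"<definitions xmlns='http://schemas.xmlsoap.org/wsdl/'
    xmlns:xrd='http://x-road.eu/xsd/x-road.xsd'>
  <portType name='PortType'>
    <operation name='listDist'/>
  </portType>
  <binding name='Binding' type='tns:PortType'>
    <operation name='listMethods'><xrd:version>v1</xrd:version></operation>
    <operation name='testSystem'><xrd:version>v1</xrd:version></operation>
    <operation name='listDist'><xrd:version>v1</xrd:version></operation>
    <operation name='appList'><xrd:version>v1</xrd:version></operation>
  </binding>
</definitions>";

    // Loads the WSDL with DTDs and external entity resolution switched off,
    // so a modified WSDL file cannot pull in local files or remote URLs.
    public static XDocument LoadWsdl(TextReader source)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (XmlReader reader = XmlReader.Create(source, settings))
        {
            return XDocument.Load(reader);
        }
    }

    // Returns the custom operations of the binding as producer.operation.version
    // (assumed format). System methods are filtered out.
    public static List<string> ListMethods(XDocument wsdl, string producer)
    {
        return wsdl.Root
            .Elements(Wsdl + "binding")
            .Elements(Wsdl + "operation")
            .Where(op => op.Attribute("name") != null)
            .Select(op => new
            {
                Name = (string)op.Attribute("name"),
                Version = (string)op.Element(Xrd + "version")
            })
            .Where(op => !SystemMethods.Contains(op.Name))
            .Select(op => string.IsNullOrEmpty(op.Version)
                ? producer + "." + op.Name
                : producer + "." + op.Name + "." + op.Version)
            .Distinct()
            .ToList();
    }

    static void Main()
    {
        // In the service, the reader would wrap the mot.wsdl file copied to the output directory.
        XDocument wsdl = LoadWsdl(new StringReader(SampleWsdl));
        foreach (string name in ListMethods(wsdl, "mot"))
        {
            Console.WriteLine(name);
        }
    }
}
```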
38 Create Producer using ASP.NET Implementing Service • Custom Method listDist(listDistReq) example
39 Create Producer using ASP.NET Implementing Service • The service must copy all request SOAP message header fields into the response SOAP message header. IXroadService personList method ... [SoapHeaderAttribute("consumer", Direction = SoapHeaderDirection.InOut)] [SoapHeaderAttribute("id", Direction = SoapHeaderDirection.InOut)] [SoapHeaderAttribute("service", Direction = SoapHeaderDirection.InOut)] [SoapHeaderAttribute("producer", Direction = SoapHeaderDirection.InOut)] [SoapHeaderAttribute("userId", Direction = SoapHeaderDirection.InOut)] ...
40 Create Producer using ASP.NET Implementing Service • The service must also copy all request parameters to the response message. • Change file XRoadService.asmx, data service method: personList ... // X-Road: the <request> element in the response message must contain the same elements as were in the request message return new listDistRes { request = new listDistResRequest { namePart = listDistReq.request.namePart }, ... };
41 Create Producer using ASP.NET Implementing Service • The new service is now created: • Push Run to see the result • The service now runs on the VS built-in IIS; open a web browser at: http://localhost:54879/TeaService.asmx
42 Service testing in training environment [Diagram: training computer (X-Road service provider on the IIS server; test client with SOAP client and web browser), security server of the service providers, security server of the service consumers, X-Road MISP2 server and X-Road central server, with numbered request/response flows 1.1–1.2 and 2.1–2.6]
43 Create Producer using ASP.NET Deploy on IIS Server • In Solution Explorer, select MyXroadService -> Publish • On the profile tab, select “new” and type “XRoadProfile” Next ->
44 Create Producer using ASP.NET Deploy on IIS Server • On Connection choose “Publish method -> File system” • Set destination as C:\inetpub\wwwroot\Service or your own Next ->
45 Create Producer using ASP.NET Deploy on IIS Server • On Setting, choose the right configuration. • “Delete all existing files to publish” is optional Next ->
46 Create Producer using ASP.NET Deploy on IIS Server • On Preview step. • After the publishing step, the new folder with the project will appear in the IIS root catalog. • The next step is Configure IIS Publish
47 Create Producer using ASP.NET Deploy on IIS Server • Create a new web site: Sites -> Add Web Site • Set destination as C:\inetpub\wwwroot\Service or your own
48 Create Producer using ASP.NET Deploy on IIS Server • New web site properties: • Name: XroadService • Path: (Service Deployment path) • IP: (Select one of available) • Port: Available port (for example 92) • Press “OK”
49 Create Producer using ASP.NET Deploy on IIS Server • Our service must be available from IIS
50 Create Consumer • Initial data • Create project • Service reference • Configure client • Test client • Best practice
51 Create Consumer Initial data • Service description file - wsdl from the security server proxy: https://SecSerIP/cgi-bin/uriproxy?producer=ProducerShortName • Service endpoint address: https://SecSerIP/cgi-bin/consumer_proxy
52 Create Consumer Create Project • For a test project we can use a Console Application. • Add a new project to the solution • Solution XRoad -> Add -> New Project -> Console Application • Name it: „XRoadClient“
53 Create Consumer Service reference • In Solution Explorer, select „References“ • Select „Add Service Reference...“ • Follow the Service Reference wizard instructions
54 Create Consumer Service reference • Use the service description file from the Security Server: • Example: http://192.168.219.122/cgi-bin/uriproxy?producer=aktorstest • 192.168.219.122 – security server address • aktorstest – producer short name • Enter a name for the namespace • Press OK • Build the project
55 Create Consumer Configure Client • We now have the service client code generated. • But we also need to configure the endpoint for our client to make it possible to send requests. • In Solution Explorer, select the app.config file and choose the „Edit WCF Configuration“ option
56 Create Consumer Configure Client • In configuration editor tasks, select „Create a New Client...“ • Select manual configuration (Manual -> Next) • Select Service Contract by pressing the „Browse...“ button.
57 Create Consumer Configure Client • In Type browser, navigate to project assembly file • Bin/Debug/“Project Assembly name“
58 Create Consumer Configure Client • The Type browser parses the assembly and shows the available service client interfaces. • Select the right one and press Open • Press Next
59 Create Consumer Configure Client • The next step is for binding. • Select „New binding Configuration“ -> Next • Choose HTTP based communications -> Next • The service will use „Basic Web Service Interoperability“ -> Next • The address is the security server consumer proxy: http://192.168.219.122/cgi-bin/consumer_proxy • Leave the default name at this moment. • The result should be as follows: • Save changes and quit the editor.
60 Create Consumer Test Client • Now create a service client and make a request: var carClient = new CarRegisterTypeClient(); String consumer = "cons", producer = "aktorstest3", userId = "12345", id = "1", service = "aktorstest3.registerCar.v1"; var request = carClient.registerCar(ref consumer, ref producer, ref userId, ref id, ref service, new registerCar { request = new registerCarRequest { Car = new Car(), personalCode = "data" } }); var response = request.response;
61 Create Consumer Test Client • To let the Security Server know what you want to use, we specify the following fields: • Consumer – short name of organization NB! Not an organization name as a producer name • Id and userId – MISP user or ministry inner system user identification • Producer – Name of organization as a producer • Service – Full name of operation (example prod0.ServiceMethod.v1)
62 Create Consumer Best Practice • The best practice for creating a client is: • Create a separate Class Library for the client project. • Create a wrapper for the client with simplified method signatures (check example project) • Add the Class Library to the main application (web site, desktop app, etc.)
63 Producer Secure connection • Introduction • IIS Configuration • Certificate Export • Upload Certificate • Configure Security Server • Certificate Mapping
64 Producer Secure connection Introduction • To make secure connection we need: • On client side: • Change IIS site binding to https and select certificate. • Export IIS Certificate • Import Security Server Certificate to local machine • Certificate Mapping • On Security Server: • Change Connection type to HTTPS • Import IIS Certificate
65 Producer Secure connection IIS Configuration • Set IIS Site to use https protocol: • Go to the Bindings • Add New /Edit existing binding • Select IP and Port • Select https protocol certificate
66 Producer Secure connection IIS Configuration • Turn off Anonymous Auth: • IIS Features -> Authentication -> Disable Anonymous Authentication
67 Producer Secure connection IIS Configuration • Specify the https port and select any local self-signed IIS cert. • In ASP.NET -> SSL Settings -> Check „Require SSL” -> Select in Client certificate: Require Apply ->
68 Producer Secure connection Export Certificate • Export the certificate selected for the https binding to a local drive. • IIS Home -> Server Certificates -> “https binding selected cert” -> look for cert details
69 Producer Secure connection Export Certificate • Find the created cert in the certificate management console: • Run mmc.exe • In menu select File • Add certificate snap-in • Press Add
70 Producer Secure connection Export Certificate • IIS certificates are located in the computer account. • Browse for the IIS cert: Select cert -> All tasks -> Export -> No private key -> .DER format -> Save as “cert.der” -> Finish
71 Producer Secure connection Export Certificate • Load cert.der to the security server: • Configuration -> Servers -> Adapter Servers -> select your producer • Change server type to https -> Save • Load -> Browse “cert.der” -> Save • Now the Security Server accepts your Producer Server certificate.
72 Producer Secure connection Export Certificate • Now the Security Server accepts your Producer Server certificate, but we need to set up the Producer Server to accept the Security Server certificate: • Export the certificate from the Security Server: • Configuration -> Servers -> Adapter Servers -> Generate new key (if there is no existing cert) -> Save -> Export • Unzip the archive and install the cert to the local machine certificate store • Using mmc.exe open Local machine Trusted Root Certificate Authorities -> Certificates -> Import the certificate exported from the security server.
73 Producer Secure connection Export Certificate • Check that your IIS server has client certificate auth installed too: • Control Panel -> Programs -> Features -> Internet Information Services -> Security -> IIS Client Certificate Mapping Authentication
74 Producer Secure connection Export Certificate • Configure IIS Client Certificate Mapping Authentication: • Your Producer site -> Features -> Management -> Configuration • Section: system.webServer/security/authentication/iisClientCertificateMappingAuthentication
75 Producer Secure connection Export Certificate • Configure IIS Client Certificate Mapping Authentication: • Your Producer site -> Features -> Management -> Configuration • Section: system.webServer/security/authentication/iisClientCertificateMappingAuthentication • OneToOneMapping -> Add: • Certificate: Cert from Security server in base64 string format • Enabled: True • password\userName: Windows user credentials
76 Producer Secure connection Export Certificate • Set the Security Server to use the producer https binding: • Configuration -> Databases\Adapters -> Select your producer -> Adapter setting: • Set an IP and PORT
77 Consumer secure connection • Introduction • Create client certificate • Export Certificate • Upload Certificate • Configure Security Server • Configure Consumer • Important mark
78 Consumer secure connection Introduction • To make secure connection we need: • On Security Server Side: • Save client certificate to secure server • Set up a security server to use https connection • On Consumer side: • Create client certificate • Setup https endpoint configuration • Make client to use a created certificate
79 Consumer secure connection Create client certificate • Begin from the consumer side. • Use the makecert.exe tool to create a test certificate • 1 – Subject name (the consumer will look the certificate up in a local store by this name) • 2 – Account name • 3 – Store name
80 Consumer secure connection Export Certificate • Find created cert in certificate management console: • Run mmc. exe • In menu select File • Add certificate snap-in • Press Add
81 Consumer secure connection Export Certificate • As we created the certificate in the current user account in the first step, select “My user account”. • Store name: Trusted People • The certificate is located.
82 Consumer secure connection Export Certificate • Export the certificate by choosing the „Export...“ task • Export only the public key • Choose the DER file format • Save to local drive
83 Consumer secure connection Upload Certificate • Go to Security Server management page • Open Configuration/Servers/Information System Servers • Select Organisation • Note: If the organization user is used by MISP it is better to create a new one
84 Consumer secure connection Configure Security Server • Switch „Connection type“ to HTTPS • Press Load • Press Choose file and navigate to exported cert file. • Press Save (twice)
85 Consumer secure connection Configure Consumer • Use the Configuration editor and edit the existing consumer endpoint configuration. • Go to Advanced -> Endpoint behaviors -> New Endpoint Behavior Configuration. • Here we will specify which certificate the consumer will use for authorization.
86 Consumer secure connection Configure Consumer • Add the “clientCredentials” element extension section.
87 Consumer secure connection Configure Consumer • Go to the created behaviour -> clientCredentials -> clientCertificate: • 3 – Name of our certificate created in the first step • 4 – Account name of the certificate's location • 5 – Selected store • 6 – Find type (search by subject name)
88 Consumer secure connection Configure Consumer • Now we need to make our endpoint use the https protocol and the cert for auth. • Create a new binding config: • Go to Bindings -> New binding Configuration • Select “basicHttpBinding” • Set the configuration name and go to the “Security” tab. • On the Security tab, select “TransportClientCredentialType” -> Certificate
89 Consumer secure connection Configure Consumer • Now use our configurations on the consumer endpoint: • Go to Endpoints and select the configurations that we created. • Use https Address • BehaviorConfiguration • BindingConfiguration
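The consumer configuration from slides 85 to 89 expressed in code, as an added example that is not part of the original deck or its sample project. `IExampleContract` is a hypothetical stand-in for the interface generated by Add Service Reference, the subject name `XRoadConsumerTest` is a placeholder, and the address is the deck's example Security Server with https. Because a subject-name search is a substring match, the lookup insists on exactly one certificate that has a private key and is within its validity period.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract; in a real project use the generated service interface.
[ServiceContract]
public interface IExampleContract
{
    [OperationContract]
    string Ping(string value);
}

static class SecureConsumerExample
{
    // Finds the client certificate in CurrentUser\TrustedPeople (the store used in the slides).
    // validOnly is false because makecert test certificates do not chain to a trusted root.
    public static X509Certificate2 FindClientCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            var usable = new List<X509Certificate2>();
            DateTime now = DateTime.Now;
            foreach (X509Certificate2 candidate in matches)
            {
                if (candidate.HasPrivateKey && candidate.NotBefore <= now && now <= candidate.NotAfter)
                {
                    usable.Add(candidate);
                }
            }
            if (usable.Count != 1)
            {
                throw new InvalidOperationException(
                    "Expected exactly one usable client certificate for '" + subjectName +
                    "', found " + usable.Count + ".");
            }
            return usable[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Same settings as the editor steps: basicHttpBinding, transport security,
    // client credential type Certificate, https endpoint address.
    public static ChannelFactory<IExampleContract> CreateFactory(string address, X509Certificate2 clientCertificate)
    {
        var uri = new Uri(address);
        if (uri.Scheme != Uri.UriSchemeHttps)
        {
            throw new ArgumentException("The consumer proxy address must use https.", "address");
        }
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var factory = new ChannelFactory<IExampleContract>(binding, new EndpointAddress(uri));
        factory.Credentials.ClientCertificate.Certificate = clientCertificate;
        return factory;
    }

    static void Main()
    {
        try
        {
            X509Certificate2 cert = FindClientCertificate("XRoadConsumerTest"); // placeholder subject name
            ChannelFactory<IExampleContract> factory =
                CreateFactory("https://192.168.219.122/cgi-bin/consumer_proxy", cert);
            Console.WriteLine("Client certificate thumbprint: " + cert.Thumbprint);
            factory.Close();
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```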
90 Consumer secure connection Important mark • As long as test certificates (certificates created using the makecert tool) are in use, the validation of the Security Server certificate needs to be reimplemented. • The WCF consumer uses the Windows built-in cert validation and as a consequence the validation of test certificates fails. • The consumer will throw „Cannot establish SSL connection. Remote server certificate validation failed“
91 Consumer secure connection Important mark • We need to find a place in the code before the service calls are executed and redefine the certificate validation callback method. • In the sample project „Consumer“ there is a class Helpers/Singleton.cs where the service clients are initialized. • In the Singleton constructor, you can see the callback method ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => { ... };
92 Consumer secure connection Important mark • The easiest way to implement certificate validation is just to check the local machine certificate store for the existence of a certain certificate. • Export the Security Server certificate to the local machine. • Install the certificate to the current user “TrustedPeople” store. • Write code: ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => { var store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); bool certIsPresent = store.Certificates.Contains(certificate); store.Close(); return certIsPresent; };
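A stricter variant of the callback on this slide, as an added example that is not code from the deck or its sample project. It keeps normal Windows validation for every other HTTPS connection in the process, relaxes it only for the Security Server host, and accepts the server certificate only if its full DER encoding matches a certificate in CurrentUser\TrustedPeople that is within its validity period. The host value is the deck's example address and must be replaced with your own; treating `sender` as an `HttpWebRequest` is an assumption that holds for WCF HTTP transport on .NET Framework.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class SecurityServerCertificatePin
{
    // Assumption: the Security Server host; example address taken from the consumer slides.
    const string SecurityServerHost = "192.168.219.122";

    // True only if the presented certificate is byte-for-byte identical to a
    // certificate installed in CurrentUser\TrustedPeople and is not expired.
    public static bool IsPinned(X509Certificate presented)
    {
        if (presented == null)
        {
            return false;
        }
        byte[] presentedDer = presented.GetRawCertData();
        DateTime now = DateTime.Now;
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 pinned in store.Certificates)
            {
                if (pinned.RawData.SequenceEqual(presentedDer) &&
                    pinned.NotBefore <= now && now <= pinned.NotAfter)
                {
                    return true;
                }
            }
            return false;
        }
        finally
        {
            store.Close();
        }
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Certificates that pass the built-in validation need no special handling.
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;
        }
        // The callback is process-wide, so limit the exception to the Security Server.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, SecurityServerHost, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }
        return IsPinned(certificate);
    }

    static void Main()
    {
        // Assigned with "=": when several handlers are chained with "+=",
        // only the return value of the last one decides the result.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
        Console.WriteLine("Validation callback registered for host " + SecurityServerHost);
    }
}
```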
93 Sources • Requirements for Information Systems and Adapter Servers (10.23.2015 reserved copy)