If SSL is handled by a load balancer, do I still need to configure it in the WCF serviceCertificate node? My scenario is to use message-level security. If someone can explain how load balancing with WCF and SSL works, that would be very nice.
If you want to use message security you don't need SSL. – Ladislav Mrnka Jun 01 '11 at 19:30
But doesn't WCF require you to have an SSL certificate if you use message-level security? – Xaisoft Jun 01 '11 at 19:32
It requires a certificate, but it is not used to establish an SSL connection. – Ladislav Mrnka Jun 01 '11 at 19:40
@Ladislav, sorry for my confusion. That is what I mean. If the certificate is handled by a load balancer, do I need to specify the certificate in the WCF config file, or does the load balancer take care of that for me? I am thinking I need to specify the location of the certificate in WCF because once I specify message security, it is going to tell me I need a certificate. Is this correct? – Xaisoft Jun 01 '11 at 19:43
3 Answers
If you want to use message security then each message is encrypted and signed separately - there is no secure connection, and the load balancer behaves as with any other HTTP transport. The load balancer doesn't know about security and doesn't need a certificate.
There are two gotchas:
- All load-balanced application servers hosting your WCF service must use the same certificate
- You must ensure that your WCF binding doesn't use sessions (reliable, security); otherwise you will need a load balancing algorithm with sticky sessions (all requests for a single session always routed to the same server)

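As an added example (not code from the answer above or from the asker's project), here is what the answer describes in WCF code: message security with certificates, no secure conversation and no reliable session, so any farm member can process any request, and the service certificate (the same one on every server) is the only place SSL-style crypto lives. The `IEchoService` contract, the URLs and the thumbprint placeholders are assumptions made so the example compiles; substitute your own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract, present only so the example is complete.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text) { return text; }
}

public static class StatelessMessageSecurity
{
    // Placeholders: the same service certificate (with private key) must be
    // installed under this thumbprint on every server behind the load balancer.
    const string ServiceCertThumbprint = "<thumbprint of the shared service certificate>";
    const string ClientCertThumbprint  = "<thumbprint of the client certificate>";

    // Message security with no session state, so any farm member can handle any request.
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // No secure conversation (security context): each message is signed and
        // encrypted on its own, so there is no per-server session to pin.
        binding.Security.Message.EstablishSecurityContext = false;
        // The client holds the service certificate out of band; no negotiation handshake.
        binding.Security.Message.NegotiateServiceCredential = false;
        // Reliable sessions would also require sticky load balancing; keep them off.
        binding.ReliableSession.Enabled = false;
        return binding;
    }

    // Service side: plain HTTP listener; the load balancer never touches a certificate.
    public static ServiceHost OpenHost()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8000/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), CreateBinding(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, ServiceCertThumbprint);
        // Client certificates must chain to a trusted root; use a custom validator
        // if only specific issuers should be accepted.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Open();
        return host;
    }

    // Client side: addresses the load balancer, pins the service identity to the
    // certificate's subject name and supplies that certificate explicitly.
    public static IEchoService CreateClient(string loadBalancerUrl, string serviceCertFile)
    {
        var address = new EndpointAddress(new Uri(loadBalancerUrl),
            EndpointIdentity.CreateDnsIdentity("<subject CN of the service certificate>"));
        var factory = new ChannelFactory<IEchoService>(CreateBinding(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindByThumbprint, ClientCertThumbprint);
        factory.Credentials.ServiceCertificate.DefaultCertificate =
            new X509Certificate2(serviceCertFile);
        return factory.CreateChannel();
    }
}
```

If `EstablishSecurityContext` is left at its default of `true`, the first request performs a WS-SecureConversation handshake that only the server which answered it can continue, which is exactly the sticky-session requirement the answer warns about.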
What do you mean by "there is no secure connection.." and when you say all load-balanced servers must use the same certificate, are you referring to the servers behind the load balancer? You also state that bindings don't use security; are you referring to message security? – Xaisoft Jun 01 '11 at 19:47
Well, I think you don't fully understand the [difference between transport and message security](http://stackoverflow.com/questions/5673283/wcf-transport-vs-message/5673867#5673867). – Ladislav Mrnka Jun 01 '11 at 19:51
I'm referring to servers behind the load balancer. I didn't mention that you don't use security; I mentioned that you cannot use the security session, also known as security context or secure conversation. – Ladislav Mrnka Jun 01 '11 at 19:52
Ok, got you. So if a certificate is installed at the load balancer, do I need to specify the details of the certificate in the WCF config file? – Xaisoft Jun 01 '11 at 20:07
No, you don't need a certificate on the load balancer :) The load balancer is not participating in security handling. It just forwards already secured messages to the application server, which must have the certificate installed and configured for WCF. – Ladislav Mrnka Jun 01 '11 at 20:08
Well, I would expect that if somebody downvotes the answer he would also point out what is wrong or post his own correct answer. – Ladislav Mrnka Jun 01 '11 at 21:18
No, it does not. That is the whole point of message security. Intermediaries do not read the secured content of the message, and because of that they do not need a certificate. They just route messages. – Ladislav Mrnka Jun 01 '11 at 22:27
This is way too late, but anyway I am running into this same scenario. I think the OP and we need to let Ladislav know that in our case: there is a BIG-IP/load balancer up front which terminates SSL, and traffic is HTTP between the BIG-IP and our individual web servers. Any traffic coming to the BIG-IP must be HTTPS, meaning the load balancer has the SSL certificate, terminates SSL and forwards traffic to the web servers over HTTP. In my case the problem is how I can use certificates for client authentication and message security. – VoodooChild May 23 '13 at 07:07
@VoodooChild: Do you need just a certificate in the message, or full message security? What you are looking for is probably the `CertificateOverTransport` security mode. – Ladislav Mrnka May 23 '13 at 13:44
WCF requires security tokens to be passed over a secure transport if the message itself is not signed/encrypted. Since traffic is HTTP between your BIG-IP and your individual web servers, you need a way to have security tokens that you know are secured between the client and the BIG-IP up front still be passed to your server farm. There are a couple of ways to do that depending on what version of WCF you're using:
If you're using WCF 4.0 you can just create a custom binding and set the AllowInsecureTransport property on the built-in SecurityBindingElement to signify that you don't care that the transport isn't secure.
If you're using WCF 3.5 you have to "lie" about security with a custom TransportSecurityBindingElement on the server side. You can read my old post about this here.
FWIW, they created a hotfix release for 3.5 SP1 that adds the AllowInsecureTransport to that version, but I don't know if your company will allow you to install custom hotfixes.

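As an added example (not code from the answer above or from the answerer's blog post), here is the WCF 4.0 route the answer describes: a custom binding that carries the client certificate in the WS-Security header (`CertificateOverTransport`), with `AllowInsecureTransport` set on the server so it will accept that token over the plain-HTTP hop behind an SSL-terminating load balancer, while the client still talks HTTPS to the load balancer. The `IEchoService` contract, the URLs and the thumbprint placeholder are assumptions made so the example compiles.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Hypothetical contract, present only so the example is complete.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text) { return text; }
}

public static class CertificateOverTerminatedTls
{
    const string ClientCertThumbprint = "<thumbprint of the client certificate>";

    // Service side, behind the load balancer: plain HTTP in, client certificate
    // carried in the WS-Security header rather than in a TLS handshake.
    public static CustomBinding CreateServerBinding()
    {
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateCertificateOverTransportBindingElement();
        // .NET 4.0+: accept the credential even though this hop is not HTTPS.
        // Confidentiality now depends entirely on the load balancer, so these
        // servers must be reachable only from it (firewall/VLAN); anyone who can
        // hit port 80 directly sees the signed token in the clear.
        security.AllowInsecureTransport = true;
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());
    }

    // Client side: HTTPS to the load balancer, same security element, no override.
    public static CustomBinding CreateClientBinding()
    {
        var security = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpsTransportBindingElement());
    }

    public static ServiceHost OpenHost()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8000/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), CreateServerBinding(), "");
        // No service certificate is needed here: the server only validates the
        // client's certificate; the transport was responsible for encryption.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Open();
        return host;
    }

    public static IEchoService CreateClient(string loadBalancerHttpsUrl)
    {
        var factory = new ChannelFactory<IEchoService>(
            CreateClientBinding(), new EndpointAddress(loadBalancerHttpsUrl));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindByThumbprint, ClientCertThumbprint);
        return factory.CreateChannel();
    }
}
```

The same server-side setting can be expressed in configuration as a `<customBinding>` whose `<security>` element has `authenticationMode="CertificateOverTransport"` and `allowInsecureTransport="true"` above an `<httpTransport>`. Because the server's binding (HTTP) no longer matches what the client uses (HTTPS), the client cannot rely on generated metadata and must be configured with the HTTPS binding by hand, as above.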
We could never get AllowInsecureTransport to work on the secure side bindings. Good luck. – Adam Dymitruk Jun 01 '11 at 22:08
The only problem is that OP doesn't know what he wants. Title is asking for load balancing with transport security and the question is asking for load balancing with message security. – Ladislav Mrnka Jun 01 '11 at 22:34
@LadislavMrnka - I think OP means `TransportWithMessageCredential` but not sure. One question, if my binding security looks like `
@LadislavMrnka- I am just about to read your answer to http://stackoverflow.com/q/5673283/247184 so hang on :) – VoodooChild May 23 '13 at 06:54
@VoodooChild: Yes you are still using transport security but you are also using standardized SOAP header to pass certificate credentials to the server. – Ladislav Mrnka May 23 '13 at 13:45
It doesn't. Don't bother with this. You will be in a world of hurt. Just install the certs on each machine. We've recently been through this fiasco. WCF is not worth the effort: it thinks it needs SSL but sees that it doesn't have it. Take a look at OpenRasta or something else if you want to do all your SSL on the load balancer. #microsoftfail

Interesting answer. Would be more interesting if someone could verify this? – Xaisoft Jun 01 '11 at 19:28
I verified it plenty of times in a real system. Save your sanity and don't bother with WCF w/ SSL in a load-balanced scenario. – Adam Dymitruk Jun 01 '11 at 19:29
I asked a recent WCF MCP-certified guy and he had no clue. Let's just say the scenario is not on the top of MS's list of what WCF should do. You might want to bug Glenn Block on Twitter if you REALLY want to get this working. Good luck. – Adam Dymitruk Jun 01 '11 at 19:32
Then encrypt the payload another way and get rid of SSL. Or, move SSL to each server. – Adam Dymitruk Jun 01 '11 at 19:42
I can't wait to see how this turns out. Please come back here and update your adventures with WCF :) – Adam Dymitruk Jun 01 '11 at 19:48
A couple of things. The binding mechanism, the coupling of the endpoints and the publishing of the service make it a maintenance nightmare once your API is more than trivial. I now favour pub/sub architectures that end up in a more loosely coupled design. Take a look at NServiceBus, RabbitMQ, etc. – Adam Dymitruk Jun 01 '11 at 19:54
Let me know how it goes. We ended up scripting the cert install and moved the cert down to the load-balanced servers. – Adam Dymitruk Jun 01 '11 at 20:12