Hands-On Lab
Using Certificate based Authentication to Consume a Windows Azure WCF Service from SharePoint
Lab version:    1.0.0
Last updated:   5/15/2013
CONTENTS

OVERVIEW

EXERCISE 1: CREATING AND MANAGING THE CERTIFICATES
       Task 1 – Creating the Certificates
       Task 2 – Managing the Certificates
       Task 3 – Exporting the Certificates

EXERCISE 2: CREATING THE AZURE WCF SERVICE
       Task 1 – Configuring the WCF Service
       Task 2 – Testing the Service

EXERCISE 3: CREATE CLIENT APPLICATION TO CONSUME THE WCF SERVICE
       Task 1 – Creating the Client Application
       Task 2 – Displaying the Web Part

SUMMARY
Overview
The cloud security design ensures that a customer’s data is only accessible by authorized entities. Windows Azure provides confidentiality via several mechanisms, one of which is Identity and Access Management. This ensures that only properly authenticated entities are allowed access.
Certificates and private keys are uploaded via the Service Management API (SMAPI) or the Windows Azure Portal as PKCS12 (PFX) files protected in transit by SSL. PKCS12 is one of the Public-Key Cryptography Standards (PKCS), published by RSA Laboratories, which defines a file format commonly used to store X.509 private keys with accompanying public key certificates, protected with a password-based symmetric key. SMAPI removes the password protection (if necessary), encrypts the entire PKCS12 blob using SMAPI’s public key and stores it in a secret store on the fabric controller, along with a short certificate name and the public key as metadata. The configuration data associated with any role within the same subscription specifies the certificates that should be made available to the role. When a role is instantiated on a VM, the fabric controller retrieves the appropriate certificate, decrypts the PKCS12 blob, and re-encrypts it using the fabric agent's public transport key. For more information on using certificates with Windows Azure, please read the Windows Azure Security Overview Whitepaper.


Objectives
In this lab, you will:
- Create a signing certificate and store it in the machine root.
- Create self-signed client and server certificates and store them in the appropriate certificate stores.
- Create a Windows Azure hosted WCF service that authenticates users based on the certificates.
- Create a SharePoint Web Part application that reads the client's certificate store for a valid certificate to consume the Windows Azure service.



System Requirements
You must have the following items to complete this lab:
- Windows Azure SDK and Windows Azure Tools for Microsoft Visual Studio (March 2011)
- KB981002 - WCF: Hotfix rollup in .NET 3.5 SP1 for Win 7 and Win 2k8 R2
- Access to a Windows Azure account.
Setup
The Windows Azure SDK (included in Windows Azure Tools for Visual Studio) installs a simulation
environment on your development machine for testing Azure applications locally before deploying them
to the cloud. The simulation environment consists of the development fabric to host web and worker
roles, and the development storage which simulates cloud blob, table and queue storage locally.
Development storage uses SQL Server as its underlying storage mechanism, and by default the SDK will
attempt to configure it to use SQL Server Express. If you do not have SQL Server Express installed before
installing the SDK, or you wish to simply use an existing SQL Server instance to host the development
storage database, you must run the dsinit command to select the SQL Server instance where the
database will be created.

Using dsinit to Configure Development Storage
1. Open a command prompt.
2. Edit the following command line as appropriate for your environment, where [AzureSDKInstallDrive] is the drive where you installed the Azure SDK (or Windows Azure Tools for Visual Studio), and [YourSqlInstance] is the SQL Server instance where you want to create the development storage database.

   [AzureSDKInstallDrive]\Program Files\Windows Azure SDK\v1.4\bin\devstore\dsinit.exe /sqlinstance:[YourSqlInstance]

   Example Command Line:
   "C:\Program Files\Windows Azure SDK\v1.4\bin\devstore\dsinit.exe" /sqlinstance:.

3. Note that the sample command line above uses the value "." for the sqlinstance argument, which specifies that the local default SQL instance will be used for development storage.

Estimated time to complete this lab: 60 minutes.
Exercise 1: Creating and Managing the Certificates
Task 1 – Creating the Certificates

A self-signed certificate is an identity certificate that is signed by its own creator; that is, the person who created the certificate also signed off on its legitimacy. In this exercise, you will create 3 certificates: the signing certificate, the client certificate and the server certificate.
1. Log into your Windows Azure Portal at http://windows.azure.com
2. Click New Hosted Service

   Figure 1: Windows Azure Ribbon menu

3. Create a new hosted service as follows:

   Note: Use a unique name and URL prefix for your service, and ensure that Do not deploy is selected as the deployment option. By selecting this option, you are just reserving the name and the URL of your service. This URL is needed to create the server certificate.

   Figure 2: Create a New Hosted Service

4. Click OK.
5. Wait for a few minutes till the new hosted service is created and ready.
6. Open the Visual Studio 2010 command prompt.

   Figure 3: Windows Start menu

7. Create the signing certificate and store it in the machine root by running the following command:

   makecert -r -pe -a sha1 -n "CN=azurehol2011_ca" -ss Root -sr LocalMachine -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 azurehol2011_ca.cer

   Note: azurehol2011_ca.cer is the file name of the certificate file and azurehol2011_ca is the certificate common name (CN).

8. Create a client certificate and store it in the personal certificate store by running the following command:

   makecert -pe -n "CN=Azure HOL Client Certificate, O=My Company Name" -ss my -sr CurrentUser -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "azurehol2011_ca" -is Root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

   Note: The azurehol2011_ca in the above command should match the common name (CN) from step 7.

   Figure 4: Visual Studio Command Prompt

9. Replace [Your Hosted Service] in the command below with the URL prefix of the Azure service (Ex: azureholusingcerts). Create a server certificate and store it in the machine personal store by running the following command:

   makecert -pe -n "CN=[Your Hosted Service].cloudapp.net" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "azurehol2011_ca" -is Root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 azurehol2011_server.cer

   Note: The azurehol2011_ca in the above command should match the common name (CN) from step 7.

   Figure 5: Azure Command
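To confirm that the three makecert commands above produced what the later exercises expect, the following PowerShell script (added here as an example; it is not part of the lab or its Before solution) locates each certificate in its store, checks that a private key is present, checks the Enhanced Key Usage (1.3.6.1.5.5.7.3.2 is client authentication, 1.3.6.1.5.5.7.3.1 is server authentication) and builds the chain back to the signing certificate in LocalMachine\Root. The $hostedService value is a placeholder for your URL prefix.

```powershell
# Added example: verify the certificates created in Task 1 (not part of the lab).
# $hostedService is a placeholder; replace it with the URL prefix used in step 9.
$hostedService = 'azureholusingcerts'
$ns = 'System.Security.Cryptography.X509Certificates'

function Test-LabCertificate {
    param(
        [string]$StorePath,        # certificate drive path, e.g. Cert:\LocalMachine\Root
        [string]$SubjectPrefix,    # leading part of the subject DN, e.g. CN=azurehol2011_ca
        [string]$RequiredEku,      # EKU OID that must be present; '' means no EKU check
        [bool]$MustBeSelfSigned    # $true for the signing (root) certificate only
    )
    $cert = Get-ChildItem $StorePath |
        Where-Object { $_.Subject -like "$SubjectPrefix*" } |
        Select-Object -First 1
    if (-not $cert) { return "MISSING   $StorePath  $SubjectPrefix" }

    $problems = @()
    # The key must be in the store, otherwise the cert cannot be used for SSL or export.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    if ($MustBeSelfSigned -and -not $selfSigned) { $problems += 'expected a self-signed root' }
    if (-not $MustBeSelfSigned -and $cert.Issuer -notlike 'CN=azurehol2011_ca*') {
        $problems += "issued by '$($cert.Issuer)', not the lab CA"
    }

    if ($RequiredEku) {
        # 2.5.29.37 is the Enhanced Key Usage extension; makecert -eku populates it.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($oids -notcontains $RequiredEku) { $problems += "EKU $RequiredEku missing (found: $($oids -join ','))" }
    }

    # Build the chain the way SChannel will: the issuer must be trusted in LocalMachine\Root.
    # Revocation checking is off because a makecert CA publishes no CRL.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }

    if ($problems.Count -eq 0) { return "OK        $($cert.Thumbprint)  $($cert.Subject)" }
    return "PROBLEM   $($cert.Subject): $($problems -join '; ')"
}

# Signing certificate (step 7): machine Root store, self-signed, no EKU restriction.
Test-LabCertificate 'Cert:\LocalMachine\Root' 'CN=azurehol2011_ca' '' $true
# Client certificate (step 8): current user's Personal store, client-authentication EKU.
Test-LabCertificate 'Cert:\CurrentUser\My' 'CN=Azure HOL Client Certificate' '1.3.6.1.5.5.7.3.2' $false
# Server certificate (step 9): machine Personal store, server-authentication EKU.
Test-LabCertificate 'Cert:\LocalMachine\My' "CN=$hostedService.cloudapp.net" '1.3.6.1.5.5.7.3.1' $false
```

Each line of output starts with OK, MISSING or PROBLEM; a PROBLEM line for the server certificate usually means the CN typed in step 9 does not match the hosted service URL prefix.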




Task 2 – Managing the Certificates
1. Click Windows Start, type MMC and click mmc.exe.

   Figure 6: Windows Start menu

2. On the File menu, click Add/Remove Snap-in.
3. Select Certificates and click the Add button.

   Figure 7: Add or Remove Snap-ins Dialog

4. Select My user account and then click Finish.
5. In the Add or Remove Snap-ins dialog box, select Certificates again and click the Add button again.
6. Select Computer Account and then click Next.
7. Click Finish.
8. Click OK.
9. Expand Certificates (Local Computer) and then expand Trusted Root Certification Authority. Double-click Certificates.
10. Locate the signing certificate (ex: azurehol2011_ca). Right-click the certificate name and then click Copy.

   Figure 8: Certificates explorer

11. Under Certificates (Local Computer), expand Personal. Right-click Certificates and then click Paste.

   Figure 9: Certificates context menu

12. Now the Local Computer Personal store should look as follows:

   Figure 10: Certificates explorer


Task 3 – Exporting the Certificates
1. Right-click the signing certificate (Ex: azurehol2011_ca), click All Tasks, and then click Export.

   Figure 11: Certificates explorer

2. Click Next.
3. Select the Yes, export the private key option and then click Next.
4. Leave the defaults (Personal Information Exchange selection), and then click Next.

   Figure 12: Certificate Export Wizard

5. Type and confirm the password for this certificate (Ex: pass@word1). Click Next.
6. Browse to a location on your development machine and save this certificate. Use the same name (ex: azurehol2011_ca.pfx) and save the certificate.

   Figure 13: Certificate Export Wizard

7. Click Finish.
8. Repeat the steps to save the server certificate located at Certificates (Local Computer) > Personal > Certificates > [your hosted service].cloudapp.net to your development machine as azurehol2011_server.pfx. This certificate, along with the signing certificate, will be uploaded to the Azure hosted service instance.
9. Similarly, repeat the steps to save the client certificate located at Certificates - Current User > Personal > Certificates > Azure HOL Client Certificate to your development machine as azurehol2011_client.pfx. This certificate should be distributed to the clients seeking to consume the Azure hosted WCF service.
10. When this is done, you should have 3 certificates as follows:

   Figure 14: Certificate Explorer

11. Log into your Windows Azure Portal (http://windows.azure.com)
12. Expand the name of the hosted service that you created in exercise 1, and then click Certificates.
13. Click Add Certificate.

   Figure 15: Windows Azure Platform

14. Click the Browse button, locate the server certificate (azurehol2011_server.pfx) and upload it. Type the certificate password and click Create.

   Figure 16: File Browser

15. Similarly, upload the signing authority certificate (azurehol2011_ca.pfx).

   Figure 17: Certificates Explorer

The certificates needed for the WCF service are now ready.
Exercise 2: Creating the Azure WCF Service

Task 1 – Configuring the WCF Service
In this task, you will create the WCF service and host it on Azure.
1. Browse to the Before folder of the Lab.
2. Open the solution SPToWinAzureUsingCerts.sln
3. Right-click the SalaryServiceWebRole under Roles, and click Properties. Then, click the Certificates tab on the left.

   Figure 18: Web Roles

4. Click Add Certificate.
5. Type ServerCertificate as the name of the certificate. Leave the default Store Location as LocalMachine and Store Name as My.
6. Click the Thumbprint button to bring up the certificate list. Select the server certificate and click OK.

   Figure 19: Windows Security – Certificate List




7. Similarly, add another certificate named CA (for certificate authority), and choose the signing authority certificate (Ex: azurehol2011_ca).

   Figure 20: Windows Security – Certificate List

8. The Certificates section should now look as follows:

   Figure 21: Certificate Section

9. Click Endpoints on the left tab.
10. Set the following attributes for the endpoint:

    Type: Input
    Protocol: https
    Public Port: 443
    SSL Certificate Name: ServerCertificate

   Figure 22: EndPoint fields

11. Save the project.
12. Open the Startup.cmd file.
13. Replace [THUMBPRINT] with the thumbprint of your signing authority certificate.

   Figure 23: Startup.cmd file


Since the signing certificate is self-signed, it must be installed in the Root store of the Azure hosted service. The role configuration options do not support this (as a security measure), so it must be done using a Startup task. The Startup task must also unlock the SSL configuration section of Web.config. Step 15 below specifies a Startup task with elevated privileges that runs Startup.cmd.
14. After the changes, Startup.cmd will look as follows:

   Figure 24: Startup.cmd file

15. Open the ServiceDefinition.csdef file, and add the following XML element to the TODO: 5.8.1 section.

   XML
   <Startup>
       <Task commandLine="Startup.cmd" executionContext="elevated" taskType="simple">
       </Task>
   </Startup>



16. Save, Publish and Deploy (Production Deployment) the solution to the hosted service that you created earlier in Exercise 1 (Ex: AzureHolUsingCerts.CloudApp.net).
17. The hosted service should now look as follows:

   Figure 25: Hosted Service
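The lab's Startup.cmd survives only as a screenshot (Figure 24), so the following PowerShell script is an added example, not the lab's own file, of the two jobs the text above gives the startup task: copy the signing certificate into LocalMachine\Root by thumbprint, and unlock the IIS SSL settings section so the role's Web.config can require client certificates. It assumes the role configuration placed the CA certificate (step 7) in LocalMachine\My, and that Startup.cmd runs it as powershell -ExecutionPolicy Unrestricted -File InstallCa.ps1 [THUMBPRINT]; InstallCa.ps1 is a hypothetical file name.

```powershell
# Added example startup script (not the lab's Startup.cmd). Assumes the role
# configuration put the signing certificate into LocalMachine\My (Exercise 2,
# Task 1, step 7) and that Startup.cmd passes its thumbprint as the first argument.
param([Parameter(Mandatory = $true)][string]$CaThumbprint)

$ns = 'System.Security.Cryptography.X509Certificates'
# Thumbprints pasted from the MMC details pane often carry spaces or a hidden leading character.
$thumb = ($CaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { Write-Error "'$CaThumbprint' is not a SHA-1 thumbprint"; exit 1 }

$my = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$my.Open('ReadOnly')
$found = @($my.Certificates.Find('FindByThumbprint', $thumb, $false))
$my.Close()
if ($found.Count -eq 0) { Write-Error "Certificate $thumb not found in LocalMachine\My"; exit 1 }
$ca = $found[0]

# Only a self-signed certificate belongs in Root. Refusing anything else means a wrong
# thumbprint (for example the server certificate's) cannot be turned into a trust anchor.
if ($ca.Subject -ne $ca.Issuer) { Write-Error "$($ca.Subject) is not self-signed; not adding to Root"; exit 1 }

$root = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
$root.Open('ReadWrite')
if (-not $root.Certificates.Contains($ca)) { $root.Add($ca) }   # idempotent across role restarts
$root.Close()

# system.webServer/security/access (the sslFlags setting) is locked at server level by default,
# so a Web.config that demands a client certificate is rejected until the section is unlocked.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd unlock config /section:system.webServer/security/access
exit $LASTEXITCODE
```

Because the task is declared with executionContext="elevated" in step 15, the script has the administrator rights that writing to LocalMachine\Root and running appcmd require.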




Task 2 – Testing the Service
1. On the development machine, open a new instance of the Internet Explorer browser and navigate to your service URL. Note: You must use https (Ex: https://azureholusingcerts.cloudapp.net/salaryservice.svc).
2. Since your development machine has the client certificate installed in the Personal certificate store, the browser will prompt you to confirm the certificate. (Note: Because a self-signed certificate is used, you see this Windows Security message. When a certificate issued by a certificate authority is used, you will not see this message.)

   Figure 26: Windows Security Pop-up

3. Select the client certificate and click OK.
4. You should be able to see the service details.

   Figure 27: Service details

5. Now, try to access the same service from a different machine, where the certificate is not installed. You will notice that the browser shows a server error, and access to the service is denied.

   Figure 28: Access is denied error


   To enable access to this service from machines that do not yet have access, distribute the client certificate and install it on the end-user machine. All end-user machines requiring access to the service should have the client certificate installed in their Personal certificate store.
6. To test the AdjustSalary method from the machine that has the client certificate, open the browser window and navigate to:
   https://[Your URL Prefix].cloudapp.net/salaryservice.svc/adjustedsalary?a=1000&b=7
   Note: Replace [Your URL Prefix] with the URL prefix of your hosted service.
   Example:
   https://azureholusingcerts.cloudapp.net/salaryservice.svc/adjustedsalary?a=1000&b=7
7. Save/download the resulting file (JSON output) as adjustedSalary.txt to your local machine. Open the text file. The text file contains the result of the calculation.
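Steps 5 and 6 check the two outcomes by hand in a browser. The following PowerShell script (Windows PowerShell 3.0 or later, added here as an example and not part of the lab) repeats both checks from one machine: it calls the adjustedsalary URL without a client certificate, which IIS must reject, and then with the client certificate from Exercise 1, which must succeed. $prefix is a placeholder for your hosted service URL prefix.

```powershell
# Added example (not part of the lab): call the service with and without the client
# certificate to verify that certificate authentication is actually enforced.
# $prefix is a placeholder for the hosted service URL prefix.
$prefix = 'azureholusingcerts'
$uri = "https://$prefix.cloudapp.net/salaryservice.svc/adjustedsalary?a=1000&b=7"

function Invoke-SalaryService {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert)
    try {
        # Invoke-RestMethod parses the JSON body and only returns on a 2xx status.
        if ($ClientCert) { $body = Invoke-RestMethod -Uri $uri -Certificate $ClientCert }
        else             { $body = Invoke-RestMethod -Uri $uri }
        return [pscustomobject]@{ Allowed = $true; Status = '2xx'; Body = $body }
    } catch [System.Net.WebException] {
        # IIS answers 403 (403.7 on the detailed error page) when the required client
        # certificate is absent; no Response object at all means TLS failed before HTTP.
        $resp = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { -1 }
        return [pscustomobject]@{ Allowed = $false; Status = $status; Body = $_.Exception.Message }
    }
}

$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like 'CN=Azure HOL Client Certificate*' } |
    Select-Object -First 1
if (-not $clientCert) { throw 'Client certificate from Exercise 1 not found in CurrentUser\My' }

# Negative test first so a connection negotiated with the certificate cannot be reused.
$without = Invoke-SalaryService
$with    = Invoke-SalaryService -ClientCert $clientCert

"Without certificate: allowed=$($without.Allowed) status=$($without.Status)"
"With certificate:    allowed=$($with.Allowed) status=$($with.Status) body=$($with.Body)"

if ($with.Allowed -and -not $without.Allowed) {
    'Client certificate enforcement is working as expected.'
} else {
    'Unexpected result: re-check the sslFlags section in Web.config and the Root store on the role (Exercise 2).'
}
```

If the "without" call reports status -1 rather than 403, the server certificate chain is not trusted on the test machine, which points back to the signing certificate in LocalMachine\Root rather than to the client certificate.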
Exercise 3: Create Client Application to Consume the WCF Service
Task 1 – Creating the Client Application
1. Open SalaryDisplayPage.htm in the SalaryDisplayWeb project.
2. Under the section //TODO: 5.8.2, replace [Your URL Prefix] with the URL prefix of your Azure hosted WCF Service.
   Ex: https://azureholusingcerts.cloudapp.net

   Figure 29: SalaryDisplayPage.htm

3. Copy the Full Path of SalaryDisplayPage.htm to your clipboard.

   Figure 30: SalaryDisplayPage.htm properties

4. Open a new instance of Internet Explorer. Paste the Full Path into the address bar and browse to the html page.
5. Note that the URL should point to a local file.

   Figure 31: Internet Explorer


6. Click the Internet Explorer Security bar, and click Allow Blocked Content.

   Figure 32: Internet Explorer security bar

7. Enter a Starting Salary and Inflation and click the Get Adjusted Salary button. You will see a Windows Security alert asking you to confirm the client certificate. Click the client certificate and click OK.

   Figure 33: Windows Security Alert

   This Windows Security dialog is displayed when using a self-signed certificate. Using a certificate signed by a certificate authority will eliminate this problem; in the meantime, you can ignore the error.
   For more details refer to: http://msdn.microsoft.com/en-us/library/ff795779.aspx
8. The result of the calculation (inflation adjusted salary) is now displayed.



Task 2 – Displaying the Web Part
1. The html code snippet can be inserted into a SharePoint HTML Web Part (as explained in JQuery Labs - Labs 5 and 6). However, you will run into an access denied error message. This is due to the use of a self-signed certificate. The self-signed certificate used in the lab is for authentication in the development environment only. Using a certificate signed by a certificate authority will eliminate this problem.
   For more details refer to: http://msdn.microsoft.com/en-us/library/ff795779.aspx



Summary
The cloud security design ensures that a customer’s data is only accessible by authorized entities. Windows Azure provides confidentiality via several mechanisms, one of which is Identity and Access Management using private keys and certificates.
In this lab, you learned to create a signing certificate and store it in the machine root. You also created self-signed client and server certificates and stored them in the appropriate certificate stores. You also learned how to create SharePoint Web Parts to consume a Windows Azure hosted WCF service over https.

								