
AVEVA™ Engineering

Message Level Security with Certificate based Authentication

  • Last Updated: Jan 13, 2022

In addition to Windows Authentication, Message Level Security can be configured to use an SSL certificate to authenticate the exchange of messages.

Note:
Message Level Security with Certificate based Authentication is more complex to configure than Windows Authentication. Performance can also degrade depending on the size of the message and the strength of the SSL certificate used for authentication.

Note:
The following <security> element must be identical in the GlobalWCFClient.config and AdmindWCF.exe.config files.

<security authenticationMode="MutualCertificate"
          requireDerivedKeys="false"
          messageProtectionOrder="SignBeforeEncrypt"
          messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
  <secureConversationBootstrap />
</security>

The security parameters are described below:

  • authenticationMode: How the certificate is authenticated
  • requireDerivedKeys: Required security setting relating to certificate keys
  • messageProtectionOrder: How the message is signed
  • messageSecurityVersion: Determines the web standards applied to messages

The following block is specified in the service behaviour and must be modified in the AdmindWCF.exe.config file.

The user must specify:

  • httpsGetEnabled: Must be set to true
  • trustedStoreLocation: The location of the trusted store for the certificate
  • findValue: Certificate identifier within the trusted store
  • x509FindType: The type of find value for the search
  • storeLocation: Certificate store, LocalMachine or CurrentUser (determined by the certificate)

<serviceBehaviors>
  <behavior name="GlobalWcfServiceBehavior">
    <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
    <serviceMetadata httpGetEnabled="true"/>
    <!-- Returns exception details to callers; useful while troubleshooting, not for production. -->
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceCredentials>
      <clientCertificate>
        <!-- certificateValidationMode="None" performs no validation of the presented client
             certificate (sample value); ChainTrust or PeerTrust validate it against the store. -->
        <authentication trustedStoreLocation="LocalMachine" certificateValidationMode="None"></authentication>
      </clientCertificate>
      <!-- Service certificate located by subject name in the LocalMachine store. -->
      <serviceCertificate findValue="tempCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine"/>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

The GlobalWCFClient.config file has an equivalent <endpointBehaviors> element that must be modified to match the configuration changes made in the Service Behaviours of the AdmindWCF.exe.config file.
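An added Python check (not AVEVA code) for the requirement that the <security> settings match between the two files: it parses two constructed fragments standing in for AdmindWCF.exe.config and GlobalWCFClient.config, reports any attribute that differs, and flags the permissive service-side values carried over from the sample above (certificateValidationMode="None", includeExceptionDetailInFaults="true").

```python
# Added example, not AVEVA code: checks that the <security> settings the page
# says must match really do, and flags permissive service-side values.
# Both XML strings are constructed fragments standing in for the real files.
import xml.etree.ElementTree as ET

WSS = ("WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005"
       "WSSecurityPolicy11BasicSecurityProfile10")
# Constructed AdmindWCF.exe.config fragment, mirroring the page's sample values.
SERVICE_XML = f"""<system.serviceModel><bindings><customBinding>
  <binding name="GlobalWcfBinding"><security authenticationMode="MutualCertificate"
    requireDerivedKeys="false" messageProtectionOrder="SignBeforeEncrypt"
    messageSecurityVersion="{WSS}"><secureConversationBootstrap /></security></binding>
  </customBinding></bindings><behaviors><serviceBehaviors>
  <behavior name="GlobalWcfServiceBehavior">
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceCredentials><clientCertificate>
      <authentication trustedStoreLocation="LocalMachine" certificateValidationMode="None" />
    </clientCertificate></serviceCredentials></behavior>
</serviceBehaviors></behaviors></system.serviceModel>"""
# Constructed GlobalWCFClient.config fragment with one drifted value (requireDerivedKeys).
CLIENT_XML = f"""<system.serviceModel><bindings><customBinding>
  <binding name="GlobalWcfBinding"><security authenticationMode="MutualCertificate"
    requireDerivedKeys="true" messageProtectionOrder="SignBeforeEncrypt"
    messageSecurityVersion="{WSS}"><secureConversationBootstrap /></security></binding>
  </customBinding></bindings></system.serviceModel>"""
SECURITY_ATTRS = ("authenticationMode", "requireDerivedKeys",
                  "messageProtectionOrder", "messageSecurityVersion")

def security_settings(config_xml):
    """Attributes of the customBinding <security> element that must match."""
    sec = ET.fromstring(config_xml).find(".//customBinding/binding/security")
    if sec is None:
        raise ValueError("no customBinding <security> element found")
    return {k: sec.get(k) for k in SECURITY_ATTRS}

def find_mismatches(service_xml, client_xml):
    """(attribute, service value, client value) for each attribute that differs."""
    s, c = security_settings(service_xml), security_settings(client_xml)
    return [(k, s[k], c[k]) for k in SECURITY_ATTRS if s[k] != c[k]]

def weak_settings(service_xml):
    """Service behaviour values that skip certificate validation or leak detail."""
    root, found = ET.fromstring(service_xml), []
    auth = root.find(".//clientCertificate/authentication")
    if auth is not None and auth.get("certificateValidationMode") == "None":
        found.append("certificateValidationMode=None: client certificates are not validated")
    dbg = root.find(".//serviceDebug")
    if dbg is not None and dbg.get("includeExceptionDetailInFaults", "").lower() == "true":
        found.append("includeExceptionDetailInFaults=true: exception details go to callers")
    return found
```

Against real files, pass the contents of each config to find_mismatches and weak_settings; an empty mismatch list is the condition the note above requires.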

To view example configuration files for Message Level Security with Certificate based Authentication, extract the contents of the GlobalWCF_SampleConfigFiles archive and navigate to the MessageSecurityCertificateAuthentication subfolder.
