How to Configure SSL between a Commerce Application and a Commerce Foundation Endpoint

In a secure three-tier commerce deployment, a secure communication channel must be established between the Commerce Foundation on the application tier and the Web application (a native ASP.NET or Microsoft SharePoint 2010 Web application, based on your solution) in the presentation tier.

Prerequisites

  • On the application tier, you have created the required Commerce Foundation service instance in IIS to host service requests from the SharePoint 2010 or ASP.NET commerce site in the presentation tier. For information on how to create a Commerce Foundation service, see How to Create a Commerce Foundation Operation Service.

Configuring SSL between a SharePoint 2010 Commerce Application and a Commerce Foundation Service Endpoint

Perform the following procedures in the order listed to configure SSL between the Web application on the presentation tier and a Commerce Foundation service endpoint in the application tier.

  1. Securing the Foundation Service with a Certificate

  2. Configuring the Service Endpoint to Use Transport Mode Security

  3. Configuring the Client Endpoint to Use Transport Mode Security

  4. Adding the Foundation Service Certificate to the Root of Application Certificate Chain

Securing the Foundation Service with a Certificate

Use IIS Manager to add an HTTPS binding to the IIS Web site where the Commerce Foundation service is hosted. When you add the HTTPS binding, specify the default port (443) or a specific port for your service and select an appropriate certificate for the Web server. The certificate must be valid for server authentication (the "Ensures the identity of a remote computer" purpose), and its subject or subject alternative name must match the host name that the client endpoint address will use; otherwise the presentation tier rejects the connection even when the issuing authority is trusted. For testing, a self-signed certificate may be used, and IIS Manager can generate one. For a secure deployment, however, a certificate signed by a certificate authority (CA) is recommended, because a self-signed certificate must be distributed to and explicitly trusted by every client.
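The same binding can be added from PowerShell, which also lets you check the certificate before you rely on it. The following script is an added example and is not part of the original page or of Commerce Server; it assumes the IIS WebAdministration module, a site named CommerceFoundation, port 10001 and a certificate already present in the LocalMachine\My store whose subject is the host name AppTier (all hypothetical names).

```powershell
# Added example (not from the original page). Adds the HTTPS binding for the
# Commerce Foundation site and checks the certificate first. Hypothetical
# values: site name, port and host name.
Import-Module WebAdministration

$siteName = "CommerceFoundation"
$port     = 10001
$hostName = "AppTier"   # must match the host in the client endpoint address

# Pick the newest certificate for the host name from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$hostName in LocalMachine\My" }

# Check 1: server authentication purpose. OID 1.3.6.1.5.5.7.3.1 is the
# "Ensures the identity of a remote computer" purpose. A certificate with no
# EKU extension (2.5.29.37) is usable for any purpose; one whose EKU lacks
# this OID is rejected by the client even when the issuer is trusted.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
    throw "Certificate $($cert.Thumbprint) is not valid for server authentication"
}

# Check 2: IIS needs the private key to terminate TLS on this binding.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# Check 3: self-signed (subject equals issuer) is acceptable for testing only.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate is self-signed; use a CA-issued certificate for a secure deployment"
}

# Add the HTTPS binding on all addresses, then bind the certificate to the port.
New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress "*"
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" |
    New-Item -Path "IIS:\SslBindings\0.0.0.0!$port"

# Show the result so the port can be copied into the client endpoint address.
Get-WebBinding -Name $siteName -Protocol https
```

Run the script in an elevated PowerShell session on the application tier server. The host name checked in step 1 of the script is the name you will put in the client endpoint address; if they differ, fix the certificate now rather than after the first failed call from the presentation tier.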

Configuring the Service Endpoint to Use Transport Mode Security

In the application tier, configure the Commerce Foundation service endpoint to use transport mode security.

To configure the service endpoint to use transport mode security:

  1. In the Web.config file for the Commerce Foundation service on the application tier server, add a bindingConfiguration for the Commerce Foundation service endpoint. The following example shows an endpoint using WCF wsHttpBinding. Set the security mode in the bindingConfiguration to "Transport" and set the transport clientCredentialType to "Windows". In transport mode the HTTPS binding added in the previous procedure provides confidentiality and integrity for the channel, and the caller's Windows credential is passed by the HTTP transport rather than inside the SOAP message.

    <system.serviceModel>
      (...)
      <bindings>
        <wsHttpBinding>
          <!-- Transport mode: TLS on the HTTPS binding secures the channel;
               the Windows credential is supplied by the HTTP transport -->
          <binding name="wsHttp">
            <security mode="Transport">
              <transport clientCredentialType="Windows" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>

      <services>
        <service name="Microsoft.Commerce.Server.OperationService" behaviorConfiguration="OperationServiceBehaviour">
          <!-- bindingConfiguration ties this endpoint to the secured binding above -->
          <endpoint name="WsHttpOperationService" binding="wsHttpBinding" bindingConfiguration="wsHttp" contract="Microsoft.Commerce.IOperationService" />
        </service>
      </services>
    </system.serviceModel>

Configuring the Client Endpoint to Use Transport Mode Security

The Commerce Foundation service client endpoint for the commerce Web application must be configured to use transport mode security.

The following example shows a client endpoint using wsHttpBinding to communicate with the Commerce Foundation service. Update the endpoint address with the HTTPS binding URL of the Commerce Foundation service; the host name in the address must match the name on the service certificate, and if a custom port was used when the binding was added on the server, that port must appear in the address. The example below uses port number 10001. Also set the security mode in the bindingConfiguration to "Transport" and set the transport clientCredentialType to "Windows", matching the service binding.

Note

If your application is a SharePoint 2010 commerce application and you are using the SharePoint STS (SharePoint security token service), you must apply the same Web.config modifications to the STS Web.config file. If your SharePoint 2010 commerce application is deployed in more than one zone, these modifications must be applied to the Web.config file in each zone.

    <system.serviceModel>
      …
      <bindings>
        <wsHttpBinding>
          <!-- must match the service binding: Transport mode, Windows credential -->
          <binding name="wsHttp">
            <security mode="Transport">
              <transport clientCredentialType="Windows" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <client>
        <!-- https scheme, the host name on the service certificate, and the port of the HTTPS binding -->
        <endpoint name="Foundation" address="https://AppTier:10001/Foundation/OperationService.svc" binding="wsHttpBinding" bindingConfiguration="wsHttp" contract="Microsoft.Commerce.IOperationService">
          <identity>
            <!-- the Windows account under which the Commerce Foundation application pool runs -->
            <userPrincipalName value="domain\user" />
          </identity>
        </endpoint>
      </client>
    </system.serviceModel>
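Because the client configuration has to be present in the Web.config of every zone of the Web application and in the STS Web.config, it is worth checking all of them in one pass rather than by hand. The following script is an added example and is not part of the original page or of Commerce Server; it assumes a SharePoint 2010 Management Shell, a Web application at http://PresentationTier, the endpoint name "Foundation" from the example above, and the STS Web.config under the 14 hive at WebServices\SecurityToken (hypothetical values; adjust them to your farm).

```powershell
# Added example (not from the original page). Checks the Commerce Foundation
# client configuration in the web.config of every zone of a SharePoint 2010
# web application and in the STS web.config. Hypothetical values: web
# application URL, endpoint name "Foundation", 14-hive STS path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://PresentationTier"
$stsConfig = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"

function Test-FoundationClientConfig([string]$configPath) {
    if (-not (Test-Path $configPath)) { return "$configPath : not found" }
    [xml]$cfg = Get-Content $configPath
    $sm = $cfg.configuration.'system.serviceModel'

    # The client endpoint that points at the Commerce Foundation service.
    $ep = @($sm.client.endpoint) | Where-Object { $_.name -eq "Foundation" }
    if (-not $ep) { return "$configPath : no client endpoint named 'Foundation'" }

    $problems = @()

    # Address must use https; the port is whatever the HTTPS binding uses.
    $addr = [uri]$ep.address
    if ($addr.Scheme -ne "https") { $problems += "address '$($ep.address)' is not https" }

    # The referenced wsHttpBinding must be Transport mode with Windows credentials.
    $binding = @($sm.bindings.wsHttpBinding.binding) | Where-Object { $_.name -eq $ep.bindingConfiguration }
    if (-not $binding) {
        $problems += "bindingConfiguration '$($ep.bindingConfiguration)' has no wsHttpBinding"
    } else {
        if ($binding.security.mode -ne "Transport") {
            $problems += "security mode is '$($binding.security.mode)', expected Transport"
        }
        if ($binding.security.transport.clientCredentialType -ne "Windows") {
            $problems += "transport clientCredentialType is not Windows"
        }
    }

    if ($problems.Count -eq 0) { return "$configPath : OK -> $($addr.Host):$($addr.Port)" }
    return "$configPath : " + ($problems -join "; ")
}

# One web.config per zone (Default, Intranet, Internet, Custom, Extranet).
$webApp = Get-SPWebApplication $webAppUrl
foreach ($zone in $webApp.IisSettings.Keys) {
    $configPath = Join-Path $webApp.IisSettings[$zone].Path.FullName "web.config"
    Write-Host "[$zone] $(Test-FoundationClientConfig $configPath)"
}

# The STS has its own web.config and needs the same client configuration.
Write-Host "[STS] $(Test-FoundationClientConfig $stsConfig)"
```

Run it on each presentation tier server after editing the configuration files. A zone that reports "not https" or a mode other than Transport would send the Windows credential over a plain-text channel to the application tier, which is exactly what this procedure is meant to prevent.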

Adding the Foundation Service Certificate to the Root of Application Certificate Chain

In a deployment where requests are sent from a SharePoint 2010 application to a secured service (for example, the Commerce Foundation), SharePoint 2010 must trust the root authority that issued the certificate to the Commerce Foundation service. To establish this root certificate trust, export the root certificate of the certificate authority (CA) that issued the Commerce Foundation service certificate. Then add the root CA certificate to the SharePoint 2010 list of managed trusts on the presentation tier. You perform this task using either the SharePoint Central Administration console (Security – Manage Trust – New Trust Relationship) or the Windows PowerShell command New-SPTrustedRootAuthority.

Perform the following steps to import the Commerce Foundation root certificate into the SharePoint 2010 trusted root authority list using Windows PowerShell. First export the certificate that the trust is based on: for a CA-issued service certificate, export the root certificate of the issuing CA; for a self-signed service certificate, which is its own root, export the service certificate itself. The exported file must not contain a private key. When you export the certificate, choose the option "No, do not export the private key" and use the DER encoded binary X.509 (.CER) format.

Note

This procedure assumes that you copy the exported certificate to the root of the system drive (C:\) on the presentation tier machine. This procedure uses the certificate file name CsAppTier.cer.

  1. On the presentation tier machine, open a SharePoint 2010 Management Shell.

  2. In the shell, run the following command: cd c:\

  3. Load the certificate into a variable: $cert = Get-PfxCertificate .\CsAppTier.cer

  4. Register the certificate with SharePoint 2010: New-SPTrustedRootAuthority -Certificate $cert -Name CsAppTier
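The four steps above can be put into one script that refuses the wrong kind of file, registers the trust only once, and then proves from the presentation tier that the service really presents a certificate chaining to that root and carrying the host name used in the client endpoint address. The script below is an added example and is not part of the original page or of Commerce Server; it assumes the file C:\CsAppTier.cer and trust name CsAppTier from the procedure and the endpoint URL from the client configuration example, all of which are hypothetical values.

```powershell
# Added example (not from the original page). Registers C:\CsAppTier.cer as a
# SharePoint 2010 trusted root authority and then checks, with a real TLS
# handshake, that the Commerce Foundation endpoint chains to that root.
# Hypothetical values: file name, trust name and endpoint URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath    = "C:\CsAppTier.cer"
$trustName   = "CsAppTier"
$endpointUrl = "https://AppTier:10001/Foundation/OperationService.svc"

$root = Get-PfxCertificate $certPath   # reads a .cer too; only a .pfx prompts for a password

# Only the public certificate may be registered; a .pfx that carries the key is a mistake.
if ($root.HasPrivateKey) { throw "$certPath carries a private key; export it again without the key (DER .cer)" }

# A root is self-signed (subject equals issuer). A self-signed service certificate is
# its own root; for a CA-issued service certificate the file must be the CA root,
# not the service's own (leaf) certificate.
if ($root.Subject -ne $root.Issuer) {
    throw "$certPath is not a root certificate; export the issuing CA's root certificate instead"
}

# Register once; New-SPTrustedRootAuthority fails on a duplicate name.
if (Get-SPTrustedRootAuthority -Identity $trustName -ErrorAction SilentlyContinue) {
    Write-Host "Trusted root '$trustName' is already registered"
} else {
    New-SPTrustedRootAuthority -Name $trustName -Certificate $root | Out-Null
    Write-Host "Registered trusted root '$trustName'"
}

# Verify: complete a TLS handshake with the service and inspect what it presents.
# The callback accepts any certificate so the handshake completes; the trust
# decision is made explicitly below against the registered root.
$uri    = [uri]$endpointUrl
$tcp    = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($uri.Host)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Check 1: the host name in the endpoint address must be the name in the certificate.
$dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $uri.Host) {
    throw "Service certificate is issued to '$dnsName' but the endpoint address uses '$($uri.Host)'"
}

# Check 2: the presented chain must end at the root that was just registered.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
# AllowUnknownCertificateAuthority lets Build succeed for a root that is not in the
# Windows store, so the thumbprint comparison below is the actual trust decision.
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
if (-not $chain.Build($leaf)) {
    throw ("Chain build failed: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "))
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Service certificate chains to '$($chainRoot.Subject)', not to the registered root '$($root.Subject)'"
}
Write-Host "OK: $($uri.Host):$($uri.Port) presents '$dnsName' and chains to '$($root.Subject)'"
```

Run the script in a SharePoint 2010 Management Shell on the presentation tier server. The handshake and chain checks catch the two failures this procedure most often ends in: a leaf certificate registered in place of the CA root, and a certificate whose name does not match the host name in the client endpoint address.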

See Also

Other Resources

Planning Secure Communications