
DeployManager is the name that resembles my wishes since the first time I worked with Windows Communication Foundation.
There is no doubt that deploying a WCF service is tricky and time-consuming. Probably the most difficult part is certificate management, both in development and in production.
For this reason the first version of this tool deals with certificates. So let's see the features!
The components required for this tool are dynamically extracted and loaded in memory so you only have one exe to take with you.
The tool can be launched as a normal user. The "shield" icon appears next to every link or button that requires administrative privileges. When you click one of them, another process (ElevationHost.exe) is launched with your administrator credentials (using UAC).
The main process and the secondary process talk to each other via WCF, and ElevationHost works like a gateway for the privileged actions. I love this solution since it does not require (as Task Manager does, for example) closing and re-opening the main exe as administrator.
Windows will warn you that ElevationHost comes from an untrusted publisher. This is because ElevationHost is not digitally signed. It's paradoxical for a certificate management tool but, as the tool is free and code certificates are expensive, that's it.
Instead of opening the management console (mmc.exe) and adding the certificates plugin, this tool lets you examine all the certificates in the LocalMachine and CurrentUser stores.
WCF and WIF configurations often require the certificate thumbprint. You copy it to the clipboard using the context menu of a certificate.
Certain client WCF configurations require the uuencoded public key of the certificate. [Warning: if you create this string yourself, pay attention not to export both the public and the private key. The private key should never be given away]. You copy it to the clipboard using the context menu of a certificate.
Verify the certificate chain (validity) of a certificate. A MessageBox with the verbose dump of the checks is shown. You access this functionality using the context menu of a certificate.
You can delete a certificate [warning: you cannot undo this operation] from a store by using the context menu of a certificate. A warning dialog will ask you to confirm the operation.
WCF services should always run under low-privileged accounts, which often do not have access to the physical file. The solution should be simple: set the file security appropriately (read). The real problem is that it is not so easy to find out the file name of a certificate.
Once you have elevated the permissions, click on "Open folder" to open a new Windows Explorer folder. The file that matches the current certificate will be selected in the Windows Explorer window.
Tip: if you hover over the "Open folder" link, the tooltip will display the certificate filename.
If you prefer, you can now set the file's ACL permissions manually; otherwise you can grant the read permission directly using the tool:
Unfortunately the Windows Explorer security dialog doesn't let you assign permissions to the new "Managed Accounts".
The tool automatically populates the user combobox with well-known accounts and the IIS Managed Accounts that are in use in IIS.
When I say "in use in IIS" I mean that "ApplicationPoolIdentity" is selected for the Application Pool in the IIS manager mmc.
You can see that the Application Pool names match the user names in the permission combobox of the tool.
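The same two steps, finding the key file behind a certificate and granting an application pool identity read access to it, can also be scripted. The PowerShell below is an added example, not code from DeployManager; the thumbprint placeholder and the pool name `MyWcfPool` are assumptions, and it assumes an RSA key, .NET Framework 4.6 or later and the default Windows key folders.

```powershell
# Added example. Assumptions: placeholder thumbprint, hypothetical pool name,
# certificate in LocalMachine\My with an RSA private key. Run elevated.
$thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'
$account    = 'IIS AppPool\MyWcfPool'   # hypothetical ApplicationPoolIdentity account

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key." }

# Resolve the key file name. CNG keys and legacy CSP keys live in different folders,
# and a CSP key opened through CNG still sits in RSA\MachineKeys, so search both.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $fileName = $rsa.Key.UniqueName
} else {
    $fileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$folders = @("$env:ProgramData\Microsoft\Crypto\Keys",
             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")

$keyFile = $folders | ForEach-Object { Join-Path $_ $fileName } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) {
    throw "Key file '$fileName' not found (smart card or non-default provider?)."
}

# Grant read only: the service account needs to use the key, not to change or delete it.
& icacls.exe $keyFile /grant "${account}:R"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE." }

# Print the resulting ACL so the change can be reviewed.
& icacls.exe $keyFile
```

Granting the right to one named pool identity, rather than to a broad group such as Users, keeps the private key readable only by the service that needs it.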
The first step is to provide three essential pieces of information: the X500 name and the start and end of validity:
At this point you may prefer to export the certificate to the file system without installing it (a save dialog will open):
Otherwise you can install the certificate directly on the local machine:
The first option lets you select the storage flags. The defaults are good for standard WCF scenarios.
The second option lets you choose where to install the certificate. To be self-trusted the certificate must trust itself. For this reason by default it is installed in the root CA store.
Finally the certificate location must be chosen. For WCF certificates the machine location is the right one:
Be warned that self-signed certificates make sense only for testing/development purposes. Production certificates must always be trusted by a well-known Certificate Authority (either private/company-wide, or internet-public).
All the operation messages (bad or good) are shown in the status bar. A timer will erase the message after a few seconds.
The tool was developed using .NET Framework 4.0 (full installation required). The application was built using Visual Studio 2010, WPF 4.0 and the MVVM pattern.
I tested the tool on Vista, Windows 7 and Windows XP. XP has a few limitations and is not an interesting scenario for the future of this tool. IIS 7.0 (Vista/Win2008) is supported. IIS6 is neither supported nor tested.
If you find bugs (it's an alpha release), have suggestions, or simply find this tool useful ... please let me know from the "Contact" page or by clicking on the link in the about dialog. Thanks!
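To see why a self-signed certificate has to be present in the root store before it validates, the chain can be built before and after the import. This PowerShell is an added example, not DeployManager code; the subject name, validity window and file path are constructed values, and unlike the tool's default it keeps the keyed certificate in the personal store and copies only the public part to Root. It assumes an elevated session and the PKI module shipped with Windows 10 / Server 2016 or later.

```powershell
# Added example with constructed sample values. Development machines only.
$cert = New-SelfSignedCertificate -Subject 'CN=wcf-dev.example.test' `
            -NotBefore (Get-Date) -NotAfter (Get-Date).AddMonths(6) `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# Build the chain and return the verdict plus every status flag the chain engine raised.
function Get-ChainReport([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed cert has no CRL to consult
    $valid = $chain.Build($c)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "Valid=$valid Status=[$flags]"
}

# First check: the certificate is not yet in the Root store.
Get-ChainReport $cert

# Copy only the public part into the machine Root store so the certificate chains to itself.
$cer = Join-Path $env:TEMP 'wcf-dev.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Second check: the same certificate, now anchored in Root.
Get-ChainReport $cert

# Remove both copies when testing is finished; a leftover test root is standing trust.
# Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
# Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
```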
Version: V0.5 alpha 5 dated September 29, 2010
Version V0.6 alpha 6 dated December 19, 2010
New features:
- Certificate contextual menu. Added "Copy WCF tag (thumbprint)"
- Certificate contextual menu. Added "Copy WCF tag (name)"
Copyright (c) Raffaele Rialdi 2009, Senior Software Developer, Consultant, p.iva IT01741850992, hosted by Vevy Europe Advanced Technologies Division. Site created by Raffaele Rialdi, 2009 - 2011