One of the innovations in WSE 3.0 is the addition of turnkey security scenarios. However, without spending some time trying to learn security concepts up front, you might not be sure how to use some of the features in WSE 3.0.
Don Smith posts on a set of webcasts focusing on WSE 3.0 and security. The X.509 webcast is really well done. It explains concepts like the mutualCertificate11Security turnkey assertion very well and explains where the certificates should go:
- Client cert in Personal store on client
- Client cert in Trusted People store on service
- Service cert in Personal store on service
- Service cert in Other People store on client
It also describes the capability for certificate revocation and how the cert issuer maintains the certificate revocation list (CRL). Of course, there is a demo that shows how easy it is to create a secure service via policy, and Dwayne Taylor from RDA runs through the wizard (with an unexpected shortening of the number of steps… the wizard just vanishes part way through the sequence).
Another interesting tidbit is when Dwayne explains the different certificate store options.