Friday, November 14, 2014

BizTalk WCF-BasicHttp Transport with Message Credentials
(WS-I Basic Profile Web Services Interoperability)

Introduction

The requirement is to expose a secure BizTalk web service (https, SSL) over the internet or an intranet, with client authentication performed not at the transport layer but at the message layer, by a user ID and password carried in the SOAP header.
The web service must also be consumable by clients built on any technology ("Web Services Interoperability") and must follow the WS-Security guidelines of the WS-I Basic Profile.
This scenario can be implemented in BizTalk by following the steps below.

Background

Users of a web service need to be able to trust the service they use for sending and receiving messages.
At the same time, the web service must authenticate its users.
Service authentication by users/clients: every secure web service (https) is associated with a "Server Certificate" issued by a well-known "Certificate Authority", which the clients of that service verify when they use or browse it.
Service authenticates users/clients: the service must also verify that it is being used only by users that fall within its trusted zone.
For this, the client sends a user ID and password in the SOAP header.

Solution

The following steps are needed to achieve this in BizTalk Server.
1. Create/get a server certificate:
For testing, create a self-signed server certificate. For production, obtain the server certificate from a CA.

The steps to create a self-signed server certificate are:

a. Go to IIS, select the server node and, in Features View, select "Server Certificates".

b. Select "Create Self-Signed Certificate" and give it a friendly name.

Click OK, then click View to see the certificate details.

2. Create a secure site in IIS (https):

a. Right-click "Sites" and select the option to add a new site.
b. Provide the site details as shown below.
Protocol : https
SSL certificate : <the certificate created in the previous step>

3. Enable SSL on the IIS site "MySecureSite".
4. Create the BizTalk solution.

a. The solution can be built with or without an orchestration. This example creates a solution with a BizTalk orchestration and exposes it as a WCF service.

b. The service is deployed to IIS with "http", under "Default Web Site". Now we have to move it to "MySecureSite", which is https.

Add a new application to "MySecureSite" with the same name, i.e. "BTS_Test_ProjMsgAuth", and the same physical path.

i. Now remove the application from "Default Web Site" [Note: do not delete the physical path].

ii. Check that the SSL settings look like those shown below.

iii. Go to the physical path of "BTS_SecureWebService1" and open web.config.

iv. Comment out the line starting with

<endpoint name="HttpMexEndpoint"……………

and un-comment the line just below it, which starts with

<endpoint name="HttpsMexEndpoint"

v. For the following lines

        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
        </behavior>

change the http attributes to false and the https attributes to true, as shown below.

        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        </behavior>

vi. Add the following lines under <system.web>.

To allow individual users:

<system.web>
  …
  <authorization>
    <allow roles="" users="<Domain>\<username>" />
    <deny users="*" />
  </authorization>
</system.web>

To allow a group:

<system.web>
  …
  <authorization>
    <allow roles="<Domain>\<groupname>" users="" />
    <deny users="*" />
  </authorization>
</system.web>
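The effect of these rules depends on their order: ASP.NET URL authorization applies the first rule that matches the caller, and when no rule matches it falls back to the inherited machine-level default, which allows everyone. The following Python script is an added example, not code from this post or from BizTalk/IIS; it models those semantics so that an <authorization> fragment can be checked before it is deployed. The domain, account and group names (CONTOSO\alice, CONTOSO\bob, CONTOSO\BizTalkClients) are constructed placeholders for the <Domain>\<username> and <Domain>\<groupname> values above.

```python
"""Evaluate ASP.NET <system.web><authorization> rules the way URL authorization does.

Added example (not from the page): rules are checked top to bottom, the first
match wins, "*" matches every user and "?" matches anonymous users.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str = ""                       # e.g. "CONTOSO\\alice"; "" means anonymous
    roles: set = field(default_factory=set)

    @property
    def is_authenticated(self):
        return bool(self.name)


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    users: str = ""                      # comma-separated names, "*" or "?"
    roles: str = ""                      # comma-separated group names


def _split(value):
    """Comma-separated attribute value -> lower-cased list (comparison is case-insensitive)."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def rule_matches(rule, principal):
    """True when the rule's users or roles attribute covers the principal."""
    for user in _split(rule.users):
        if user == "*":
            return True
        if user == "?" and not principal.is_authenticated:
            return True
        if principal.is_authenticated and user == principal.name.lower():
            return True
    principal_roles = {r.lower() for r in principal.roles}
    return any(role in principal_roles for role in _split(rule.roles))


def is_authorized(rules, principal):
    """First matching rule decides. With no match, the inherited root web.config
    rule <allow users="*"/> applies, which is why the trailing <deny users="*"/> matters."""
    for rule in rules:
        if rule_matches(rule, principal):
            return rule.action == "allow"
    return True


def parse_authorization(system_web_xml):
    """Read <allow>/<deny> elements, in document order, from a <system.web> fragment."""
    root = ET.fromstring(system_web_xml.strip())
    section = root.find("authorization")
    if section is None:
        return []
    return [Rule(el.tag, el.get("users", ""), el.get("roles", "")) for el in section]


# Constructed web.config fragments mirroring the page's two variants.
USER_RULES = parse_authorization("""
<system.web>
  <authorization>
    <allow roles="" users="CONTOSO\\alice" />
    <deny users="*" />
  </authorization>
</system.web>""")

GROUP_RULES = parse_authorization("""
<system.web>
  <authorization>
    <allow roles="CONTOSO\\BizTalkClients" users="" />
    <deny users="*" />
  </authorization>
</system.web>""")

# Constructed callers: a listed user, a group member, and an anonymous request.
ALICE = Principal("CONTOSO\\alice")
BOB = Principal("CONTOSO\\bob", {"CONTOSO\\BizTalkClients"})
ANONYMOUS = Principal()

if __name__ == "__main__":
    for label, rules in (("users", USER_RULES), ("group", GROUP_RULES)):
        for who in (ALICE, BOB, ANONYMOUS):
            print(label, who.name or "<anonymous>", is_authorized(rules, who))
    # Swapping the two rules denies everyone, dropping the deny allows everyone.
    print("reversed order, alice:", is_authorized(list(reversed(USER_RULES)), ALICE))
    print("no deny rule, bob:", is_authorized(USER_RULES[:1], BOB))
```

Running the script shows the two failure modes worth checking for in a deployed web.config: with the rules reversed the listed user is denied along with everyone else, and with the <deny users="*"/> line missing every authenticated caller is allowed.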
c. Go to the BizTalk Server Administration console and navigate to your deployed application.

Go to the BizTalk receive location and confirm the bindings.

Go to the Security tab and change the settings as shown below.

d. Configure the bindings of the deployed BizTalk application and then start it.

5. Browse the service: try to browse the service.

If you get the error "HTTP Error 503. The service is unavailable", the application pool under which the service is configured to run is either not started or has the wrong credentials.

[Note: the application pool user under which the BizTalk service runs should be the same user configured for the "Isolated Host Instance" in BizTalk.]

After browsing, the service looks like this:


6. Who is authorized to use this service?
· The client message must always carry a user ID and password in the SOAP header.
The SOAP message format is shown below.

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xop="http://www.w3.org/2004/08/xop/include"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <env:Header>
    <!--SOAP header with userid and password-->
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-22D614527BEC949AB414127559566081">
        <wsse:Username>KundanKarma</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">KKAADDAADASDASD</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <!--Body of the message-->
  </env:Body>
</env:Envelope>
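What the service has to do with this header, as an added example in Python that is not part of the original post or of the BizTalk/WCF implementation: it extracts the UsernameToken, refuses a clear-text PasswordText token unless the request arrived over the HTTPS channel set up above, compares the password in constant time, and also accepts the PasswordDigest form defined by the Username Token Profile 1.0 (Base64(SHA-1(nonce + created + password))), which the page's message does not use. The credential store, the nonce and the Created timestamp are constructed; the user name and password are the placeholder values from the sample message.

```python
"""Server-side validation of a WS-Security UsernameToken (added example, not from the page)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"

# Constructed credential store standing in for the accounts the receive location checks.
CREDENTIALS = {"KundanKarma": "KKAADDAADASDASD"}


def build_envelope(username, password, password_type=PASSWORD_TEXT, nonce_b64=None, created=None):
    """Build a SOAP 1.1 envelope carrying a UsernameToken, in the layout of the page's sample."""
    nonce_el = f"<wsse:Nonce>{nonce_b64}</wsse:Nonce>" if nonce_b64 else ""
    created_el = f"<wsu:Created>{created}</wsu:Created>" if created else ""
    return (
        f'<env:Envelope xmlns:env="{ENV}" xmlns:wsu="{WSU}">'
        "<env:Header>"
        f'<wsse:Security xmlns:wsse="{WSSE}" env:mustUnderstand="1">'
        '<wsse:UsernameToken wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{password_type}">{password}</wsse:Password>'
        f"{nonce_el}{created_el}"
        "</wsse:UsernameToken></wsse:Security></env:Header>"
        "<env:Body><!--Body of the message--></env:Body></env:Envelope>"
    )


def password_digest(nonce_b64, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)), per the Username Token Profile 1.0."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def extract_username_token(envelope_xml):
    """Return the UsernameToken fields as a dict, or None when the Security header is absent."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None

    def text_of(ns, tag):
        el = token.find(f"{{{ns}}}{tag}")
        return el.text if el is not None else None

    pw = token.find(f"{{{WSSE}}}Password")
    return {
        "username": text_of(WSSE, "Username"),
        "password": pw.text if pw is not None else None,
        # The profile treats a missing Type attribute as PasswordText.
        "type": pw.get("Type", PASSWORD_TEXT) if pw is not None else None,
        "nonce": text_of(WSSE, "Nonce"),
        "created": text_of(WSU, "Created"),
    }


def authenticate(envelope_xml, credentials=CREDENTIALS, over_tls=True):
    """Return (accepted, reason) for one request."""
    token = extract_username_token(envelope_xml)
    if token is None or not token["username"] or token["password"] is None:
        return False, "missing UsernameToken"
    expected = credentials.get(token["username"])
    if expected is None:
        return False, "unknown user"
    if token["type"] == PASSWORD_TEXT:
        # A clear-text password is only acceptable inside the HTTPS channel the page sets up.
        if not over_tls:
            return False, "PasswordText without transport security"
        reference = expected
    elif token["type"] == PASSWORD_DIGEST:
        if not token["nonce"] or not token["created"]:
            return False, "digest token without Nonce/Created"
        # A real service also rejects reused nonces and stale Created values (replay).
        reference = password_digest(token["nonce"], token["created"], expected)
    else:
        return False, "unsupported password type"
    if not hmac.compare_digest(token["password"].encode(), reference.encode()):
        return False, "bad password"
    return True, "ok"


# Constructed samples: the page's PasswordText message, a digest equivalent, and a request
# with no Security header at all.
TEXT_MESSAGE = build_envelope("KundanKarma", "KKAADDAADASDASD")
NONCE = base64.b64encode(b"0123456789abcdef").decode("ascii")
CREATED = "2014-11-14T10:00:00Z"
DIGEST_MESSAGE = build_envelope(
    "KundanKarma", password_digest(NONCE, CREATED, "KKAADDAADASDASD"),
    PASSWORD_DIGEST, NONCE, CREATED)
NO_HEADER_MESSAGE = f'<env:Envelope xmlns:env="{ENV}"><env:Body/></env:Envelope>'

if __name__ == "__main__":
    print("text over https:", authenticate(TEXT_MESSAGE))
    print("text over http: ", authenticate(TEXT_MESSAGE, over_tls=False))
    print("digest:         ", authenticate(DIGEST_MESSAGE))
    print("no header:      ", authenticate(NO_HEADER_MESSAGE))
```

A PasswordText token gives no confidentiality of its own, which is why the page puts the service behind HTTPS and why the example refuses it otherwise; the PasswordDigest branch shows the profile's alternative, but a production service additionally needs a nonce cache and a bound on the Created timestamp, which are left out here.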





7. Test:

The client of the service is independent of technology: a client built on any web technology can call the web service, but it must send the user ID and password in the SOAP header, in the format shown in step 6 above.

In this example I will show the test with SoapUI.

SoapUI preparation:
a. Open SoapUI.

b. Take the WSDL of the service and create a SoapUI project.

c. Test the service with an input message in the format shown in step 6 above.

Thursday, November 13, 2014

BizTalk WCF-BasicHttp with Client Certificate authentication

Introduction

The requirement is to expose a secure web service (https, SSL) over the internet or an intranet, with client authentication by client certificate, in BizTalk.

Background

Users of a web service need to be able to trust the service they use for sending and receiving messages.
At the same time, the web service must authenticate its users.
Service authentication by users/clients: every secure web service (https) is associated with a "Server Certificate" issued by a well-known "Certificate Authority", which the clients of that service verify when they use or browse it.
Service authenticates users/clients: the service must also verify that it is being used only by users that fall within its trusted zone. So when sending a message to the service, the client must present a "Client Certificate" issued by a well-known "Certificate Authority". The service authenticates the client certificate and accepts the message/request if the certificate belongs to one of its trusted users; otherwise it rejects it.
We will implement this in BizTalk Server using the WCF adapters.

Solution

The following steps are needed to achieve this in BizTalk Server.
1. Create/get a server certificate:
For testing, create a self-signed server certificate. For production, obtain the server certificate from a CA.

The steps to create a self-signed server certificate are:

a. Go to IIS, select the server node and, in Features View, select "Server Certificates".

b. Select "Create Self-Signed Certificate" and give it a friendly name.

Click OK, then click View to see the certificate details.

2. Create a secure site in IIS (https):

a. Right-click "Sites" and select the option to add a new site.
b. Provide the site details as shown below.
Protocol : https
SSL certificate : <the certificate created in the previous step>

3. Enable SSL on the IIS site "MySecureSite".
4. Create the BizTalk solution.

a. The solution can be built with or without an orchestration. This example creates a solution with a BizTalk orchestration and exposes it as a WCF service.

b. The service is deployed to IIS with "http", under "Default Web Site". Now we have to move it to "MySecureSite", which is https.

Add a new application to "MySecureSite" with the same name, i.e. "BTS_SecureWebService1", and the same physical path.

i. Now remove the application from "Default Web Site" [Note: do not delete the physical path].

ii. Go to the physical path of "BTS_SecureWebService1" and open web.config.

iii. Comment out the line starting with

<endpoint name="HttpMexEndpoint"……………

and un-comment the line just below it, which starts with

<endpoint name="HttpsMexEndpoint"
iv. For the following lines

        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
        </behavior>

change the http attributes to false and the https attributes to true, as shown below.

        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        </behavior>

c. Go to the BizTalk Server Administration console and navigate to your deployed application.

Go to the BizTalk receive location and confirm the bindings.

Go to the Security tab and change the settings as shown below.

d. Configure the bindings of the deployed BizTalk application and then start it.

5. Browse the service: try to browse the service.

If you get the error "HTTP Error 503. The service is unavailable", the application pool under which the service is configured to run is either not started or has the wrong credentials.

[Note: the application pool user under which the BizTalk service runs should be the same user configured for the "Isolated Host Instance" in BizTalk.]

It will ask for a client certificate, as shown below.

If you already have a certificate, provide it; otherwise follow the steps below to create a self-signed client certificate.

After browsing, the service looks like this:

6. Create a self-signed client certificate:
i. Self-signed CA certificate:

makecert.exe -r -n "CN=KKServerPersonalCA" -pe -sv KKServerPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2014 -e 01/21/2016 -cy authority KKServerPersonalCA.cer

ii. Self-signed client certificate issued by the CA "KKServerPersonalCA":

makecert.exe -iv KKServerPersonalCA.pvk -ic KKServerPersonalCA.cer -n "CN=KundanKServer" -pe -sv KundanKarmaServer.pvk -a sha1 -len 2048 -b 01/21/2014 -e 01/21/2016 -sky exchange KundanKarmaServer.cer -eku 1.3.6.1.5.5.7.3.2

pvk2pfx.exe -pvk KundanKarmaServer.pvk -spc KundanKarmaServer.cer -pfx KundanKarmaServer.pfx -po <Password>

The -eku value 1.3.6.1.5.5.7.3.2 marks the certificate for client authentication.

Now the secured BizTalk service (https) with client authentication by certificate is ready.

7. Who is authorized to use this service?
· The client message must always carry a client certificate.
  The issuer of the client certificate must be in the server's trusted list.
· The trusted CAs that the service can support are shown below.

Go to Run and type "mmc", then File → Add/Remove Snap-in, as shown below.
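The rule stated above, that the issuer of the client certificate must be on the server's trusted list, as an added Python example that is not part of the original post or of IIS/BizTalk: it applies the issuer check and the validity window to certificate fields laid out the way Python's ssl.SSLSocket.getpeercert() returns them. The trusted list, the sample certificates and the clock values are constructed; the common names (KKServerPersonalCA, KundanKServer) and the validity dates are those of the certificates created in step 6.

```python
"""Trust check on a presented client certificate (added example, not from the page)."""
import calendar
import ssl
import time

# Constructed trusted-issuer list: the self-signed CA from step 6, as an RDN tuple
# in getpeercert() layout.
TRUSTED_ISSUERS = [(("commonName", "KKServerPersonalCA"),)]

# Constructed certificate in getpeercert() layout: the client certificate from step 6.ii.
CLIENT_CERT = {
    "subject": ((("commonName", "KundanKServer"),),),
    "issuer": ((("commonName", "KKServerPersonalCA"),),),
    "notBefore": "Jan 21 00:00:00 2014 GMT",
    "notAfter": "Jan 21 00:00:00 2016 GMT",
}

# Same certificate layout, but issued by a CA the server does not trust (constructed).
UNTRUSTED_CERT = dict(CLIENT_CERT, issuer=((("commonName", "SomeOtherCA"),),))

# Constructed clock values: inside and after the certificate's validity window.
IN_WINDOW = calendar.timegm((2015, 6, 1, 0, 0, 0))
AFTER_EXPIRY = calendar.timegm((2017, 1, 1, 0, 0, 0))


def _name(rdns):
    """Flatten getpeercert()'s nested RDN tuples into one tuple of (attribute, value) pairs."""
    return tuple(pair for rdn in rdns for pair in rdn)


def client_cert_acceptable(cert, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return (accepted, reason) for a client certificate presented in the TLS handshake."""
    if not cert:
        return False, "no client certificate presented"
    if _name(cert.get("issuer", ())) not in [tuple(t) for t in trusted_issuers]:
        return False, "issuer not in the server's trusted list"
    if now is None:
        now = time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    return True, "ok"


if __name__ == "__main__":
    print("trusted, in window: ", client_cert_acceptable(CLIENT_CERT, now=IN_WINDOW))
    print("trusted, expired:   ", client_cert_acceptable(CLIENT_CERT, now=AFTER_EXPIRY))
    print("untrusted issuer:   ", client_cert_acceptable(UNTRUSTED_CERT, now=IN_WINDOW))
    print("no certificate:     ", client_cert_acceptable(None))
```

The dict returned by getpeercert() carries the subject, issuer and validity dates but not the extended key usage, so the client-authentication usage set with -eku in step 6 is something the TLS stack enforces during chain validation rather than something this check can see.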




8. Test:

The client of the service is independent of technology: a client built on any web technology can call the web service, but it must send the message with a client certificate that the service trusts.

In this example I will show the test with SoapUI.

SoapUI preparation:
a. Create a self-signed certificate (as specified in step 6 i and ii) or get a client certificate from a CA.
b. Open SoapUI.

Go to File → Preferences

and provide the certificate as a *.pfx file, whose private key is associated with the client certificate. [Note: *.cer or *.cert files are certificates with the public key only; a *.pfx file is the certificate together with its private key.]
Also provide the password of the certificate (the one given when the certificate was created, i.e. in the pvk2pfx.exe command in step 6 ii).

c. Take the WSDL of the service and create a SoapUI project.

[Note: if you face any problem creating the SoapUI project by browsing the WSDL, temporarily disable client certificate authentication (both in IIS and in the Security tab of the BizTalk receive location) and, once the SoapUI project is created, enable client certificate authentication again.]

d. Test the service as shown below.