BizTalk WCF-BasicHttp Transport with Message Credentials

18 Nov 2014, CPOL
WS-I Basic Profile Web Services Interoperability

Introduction

The requirement is to expose a secure BizTalk web service (HTTPS/SSL) over the internet or intranet, with client authentication performed not at the transport layer but at the message layer, by a user ID and password carried in the SOAP header.

In addition, the web service must be consumable by clients written in any technology (web services interoperability) and must follow the WS-Security and WS-I Basic Profile guidelines.

Such a scenario can be implemented in BizTalk by following the steps below.

Background

Users of a web service need to be able to trust the service they use to send and receive messages.

At the same time, the web service also has to authenticate its users.

Clients authenticate the service: every secure web service (HTTPS) is associated with a server certificate issued by a well-known certificate authority, which clients verify when they use or browse the service.

The service authenticates users/clients: the service should also verify that it is being used only by users that fall within its trusted zone.

The client sends the user ID and password in the SOAP header.

Solution

The following steps are needed to achieve this in BizTalk Server.

  1. Create or obtain a server certificate:

    For testing, create a self-signed server certificate. For production, obtain the server certificate from a CA.

    The following steps create a self-signed server certificate.

    1. Go to IIS, select the server, and in Features View select "Server Certificates".

      Image 1

    2. Select "Create Self-Signed Certificate", then give it a friendly name.

      Image 2

    Click OK, then click View to see the certificate details.

  2. Create a secure site in IIS (https):
    1. Right-click Sites and select New Site.
    2. Provide the site details as shown below.

      Image 3

    Protocol: https
    SSL certificate: <the certificate created in the previous step>

  3. Enable SSL on the IIS site "MySecureSite".

    Image 4

    Image 5
  4. Create the BizTalk solution.
    1. The solution can be with or without an orchestration. In this example, we create a solution with a BizTalk orchestration and expose it as a WCF service.

      Image 6

      Image 7
      Image 8

      Image 9
    2. The service is deployed on IIS over "http", but in "Default Web Site". Now we have to move it to "MySecureSite", which is https.

      Add a new application to "MySecureSite" with the same name, i.e. "BTS_Test_ProjMsgAuth", and the same physical path.

      Image 10

      1. Now remove the application from "Default Web Site" [Note: remove it from IIS only; do not delete the physical path]
      2. Check that the SSL settings look like the ones shown below.

        Image 11
      3. Go to the physical path of "BTS_SecureWebService1" and open web.config
      4. Comment out the line starting with
        "<endpoint name="HttpMexEndpoint"……………"

        and uncomment the line just below it, starting with

        "<endpoint name="HttpsMexEndpoint"
      5. For the following lines
        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
        </behavior>

        change the http settings to false and the https settings to true, as shown below, so that the help page and metadata are served over https only.

        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        </behavior>
        
      6. Add the following lines under <system.web>

        To allow individual users:

        <system.web>
        …………..
        …………
           <authorization>
              <allow roles="" users="<Domain>\<username>" />
              <deny users="*" />
           </authorization>
        </system.web>

        To allow a group:

        <system.web>
        …………..
        …………
           <authorization>
              <allow roles="<Domain>\<groupname>" users="" />
              <deny users="*" />
           </authorization>
        </system.web>
    3. Go to the BizTalk Server Administration console and navigate to your deployed application.

      Go to the BizTalk receive location and confirm the bindings.

      Image 12

      Go to the Security tab and change the settings as shown below.

      Image 13

      Image 14

      Image 15

    4. Configure the bindings of the deployed BizTalk application and then start it.
  5. Browse the service: try to browse the service.

    If you get the error "HTTP Error 503. The service is unavailable":

    the application pool under which the service is configured to run is either not started or has the wrong credentials.

    [Note: the application pool under which the BizTalk service runs should use the same user that is configured for the "Isolated Host Instance" in BizTalk.]

    After browsing, the service looks like this:

    Image 16

  6. Who is authorized to use this service?
    • Every client message must carry the user ID and password in the SOAP header. The token uses the PasswordText type, so the password travels in clear text inside the message and relies on the HTTPS transport configured above for protection on the wire. The SOAP message format is shown below.
      <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xop="http://www.w3.org/2004/08/xop/include"
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <env:Header>
          <!--SOAP header with userid and password-->
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
            <wsse:UsernameToken wsu:Id="UsernameToken-22D614527BEC949AB414127559566081">
              <wsse:Username>KundanKarma</wsse:Username>
              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">KKAADDAADASDASD</wsse:Password>
            </wsse:UsernameToken>
          </wsse:Security>
        </env:Header>
        <env:Body>
          <!--Body of the message-->
        </env:Body>
      </env:Envelope>
  7. Test:

    The client of the service is independent of technology: any web technology client can call the web service, but it must send the user ID and password in the SOAP header, in the message format shown in step 6.


    In this example I show the test using SoapUI.

    SoapUI preparation:

    1. Open SoapUI
    2. Take the WSDL of the service and create a SoapUI project
    3. Test the service with an input message in the format shown in step 6.
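As an added example (not the article's own code), here is a small Python check that a deployed web.config matches steps 4.2.4 to 4.2.6: the http MEX endpoint is commented out, help pages and metadata are https-only, and the authorization block names specific users or roles and ends with a deny-all. The embedded web.config is a constructed sample; the group name in it and the function name are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of just the web.config elements that steps 4.2.4 to 4.2.6 edit.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow roles="CONTOSO\\BizTalkClients" users="" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.serviceModel>
    <behaviors><serviceBehaviors>
      <behavior name="ServiceBehaviorConfiguration">
        <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      </behavior>
    </serviceBehaviors></behaviors>
    <services><service name="BTS_Test_ProjMsgAuth" behaviorConfiguration="ServiceBehaviorConfiguration">
      <!--<endpoint name="HttpMexEndpoint" address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />-->
      <endpoint name="HttpsMexEndpoint" address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service></services>
  </system.serviceModel>
</configuration>"""

EXPECTED_BEHAVIOR = {  # step 4.2.5: help pages and metadata over https only
    "serviceDebug": {"httpHelpPageEnabled": "false", "httpsHelpPageEnabled": "true"},
    "serviceMetadata": {"httpGetEnabled": "false", "httpsGetEnabled": "true"},
}


def check_web_config(xml_text):
    """Return a list of findings; an empty list means the config follows the steps."""
    root = ET.fromstring(xml_text)
    findings = []
    names = {e.get("name") for e in root.iter("endpoint")}  # XML comments are not parsed
    if "HttpMexEndpoint" in names:
        findings.append("HttpMexEndpoint is still active; comment it out (step 4.2.4)")
    if "HttpsMexEndpoint" not in names:
        findings.append("HttpsMexEndpoint is missing or still commented out (step 4.2.4)")
    for tag, attrs in EXPECTED_BEHAVIOR.items():
        el = root.find(f".//behavior[@name='ServiceBehaviorConfiguration']/{tag}")
        for attr, want in attrs.items():
            if el is None or el.get(attr, "").lower() != want:
                findings.append(f"{tag} {attr} should be {want} (step 4.2.5)")
    auth = root.find("system.web/authorization")
    rules = [] if auth is None else [(r.tag, r.get("users", ""), r.get("roles", "")) for r in auth]
    if not any(t == "allow" and (u + g).strip() not in ("", "*") for t, u, g in rules):
        findings.append("an allow rule must name specific users or roles (step 4.2.6)")
    if not rules or rules[-1][:2] != ("deny", "*"):
        findings.append('deny users="*" must be the last authorization rule (step 4.2.6)')
    return findings
```

Run it against the web.config in the physical path from step 4.2.3; any finding names the step to revisit.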
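As an added example, not part of the original article, here is Python code for both ends of the exchange in steps 6 and 7: build_envelope produces a SOAP 1.1 envelope carrying the WS-Security UsernameToken in the form shown in step 6, and extract_credentials is a receiving-side check that the token is present and uses the PasswordText type. The body element, the function names and the uuid-based token id are assumptions of this example; the actual account check is done by BizTalk/WCF, not by this code.

```python
import uuid
import xml.etree.ElementTree as ET

# Namespaces and the password type used by the message in step 6.
ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"


def build_envelope(username, password, body_xml):
    """Client side: wrap body_xml in a SOAP 1.1 envelope carrying a WS-Security
    UsernameToken. The password goes in as PasswordText, i.e. in clear text,
    so the result must only ever be sent to the https site from step 2."""
    for prefix, uri in (("env", ENV), ("wsse", WSSE), ("wsu", WSU)):
        ET.register_namespace(prefix, uri)
    envelope = ET.Element(f"{{{ENV}}}Envelope")
    header = ET.SubElement(envelope, f"{{{ENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{ENV}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken",
                          {f"{{{WSU}}}Id": "UsernameToken-" + uuid.uuid4().hex.upper()})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(envelope, f"{{{ENV}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(envelope, encoding="unicode")


def extract_credentials(envelope_xml):
    """Receiving side: return (username, password) from the wsse header, or raise
    ValueError when the token is absent or malformed. This only checks the shape
    the receive location expects; authenticating the account is left to WCF."""
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security")
    if security is None:
        raise ValueError("no wsse:Security header")
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken")
    username = token.findtext(f"{{{WSSE}}}Username")
    password = token.find(f"{{{WSSE}}}Password")
    if not username or password is None or password.get("Type") != PASSWORD_TEXT:
        raise ValueError("UsernameToken needs a Username and a PasswordText Password")
    return username, password.text or ""
```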

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Architect, iGATE Global technology solutions
India
I am a BizTalk Server Technology Specialist. I have more than 8 years of experience on BizTalk Server. I have worked on almost all the versions of BizTalk Server: 2004/2006/2006R2/2009/2010/2013.

I played multiple roles (Developer/Tech.Lead/Integration Architect) on Several BizTalk Projects.

I have keen interest in developing BizTalk-Integration solutions using SOA,WCF,ESB,EDI, Host Integration Server,Windows Azure BizTalk Services.
