Friday, November 14, 2014

BizTalk WCF-BasicHttp Transport with Message Credentials
(WS-I Basic Profile Web Services Interoperability)

Introduction

The requirement is to expose a secure BizTalk web service (https, SSL) over the internet or intranet, with client authentication done not at the transport layer but at the message layer, by a user ID and password carried in the SOAP header.
In addition, the web service must be consumable by a client of any technology ("Web Services Interoperability") and must follow the WS-Security (WS-I Basic Profile) guidelines.
Such a scenario can be implemented in BizTalk by following the steps below.

Background

Users of a web service sometimes need to trust the web service they are using for sending and receiving messages.
At the same time, the web service must authenticate the users of the service.
Service authentication by users/clients: every secure web service (https) is associated with a "Server Certificate" issued by a well-known "Certificate Authority", which the clients of that service verify when using or browsing it.
Service authenticates users/clients: the service should also authenticate that it is being used only by users who fall within its trusted zone.
The client should send the user ID and password in the SOAP header.

Solution

The following steps are needed to achieve this in BizTalk Server.
1.       Create/Get Server Certificate:
If it is for testing, create a self-signed server certificate. If it is for production, obtain the server certificate from a CA.

The following are the steps to create a self-signed server certificate.

a.       Go to IIS, select the "Server" node and, in Features View, select "Server Certificates".

b.       Select "Create Self-Signed Certificate" and give it a friendly name.

Click OK, then click View to see the certificate details.

2.       Create Secure Site in IIS (https):

a.       Right-click Sites and select New Site.
b.      Provide the site details as shown below.
Protocol : https
SSL certificate : <the certificate created in the previous step>

3.       Enable SSL on the IIS site "MySecureSite".

4.       Create BizTalk Solution.

a.       The solution can be with or without an orchestration. In this example we will create a solution with a BizTalk orchestration and expose it as a WCF service.

b.      The service with "http" is deployed on IIS, but in "Default Web Site". Now we have to move it to "MySecureSite", which is https.

Add a new Application to "MySecureSite" with the same name, i.e. "BTS_Test_ProjMsgAuth", and provide the same physical path.




i.                     Now remove the application from "Default Web Site" [Note: but don't delete the physical path].

ii.                   Check that the SSL settings are as shown below.

iii.                  Go to the physical path of "BTS_SecureWebService1" and open web.config.

iv.                  Comment out the line starting with

<endpoint name="HttpMexEndpoint"……………

and un-comment the line just below it, starting with

<endpoint name="HttpsMexEndpoint"





v.                   For the following lines

        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
        </behavior>

change the http settings to false and the https settings to true, as done below (leave includeExceptionDetailInFaults at false so that exception details are not returned to callers in faults).

        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        </behavior>


vi.                 Add the following lines under <system.web>. Authorization rules are evaluated top-down and the first match wins, so the <allow> rule must come before the catch-all <deny users="*" />.

For allowing a user:

<system.web>
…………..
…………  
   <authorization>
      <allow roles="" users="<Domain>\<username>" />
      <deny users="*" />
    </authorization>
</system.web>

For allowing a group:

<system.web>
…………..
…………  
   <authorization>
      <allow roles="<Domain>\<groupname>" users="" />
      <deny users="*" />
    </authorization>
</system.web>
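The web.config edits in steps iv to vi are easy to get half-done (one mex endpoint still active, or the deny rule placed above the allow). The following is an added example, not part of the original post, that audits a web.config for exactly those settings; the sample config it parses is constructed here, and audit_web_config is a name chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config with the edits from steps iv-vi already applied.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow roles="CONTOSO\\BizTalkClients" users="" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.serviceModel>
    <behaviors><serviceBehaviors><behavior name="ServiceBehaviorConfiguration">
      <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
    </behavior></serviceBehaviors></behaviors>
    <services><service name="BTS_Test_ProjMsgAuth">
      <!--<endpoint name="HttpMexEndpoint" address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />-->
      <endpoint name="HttpsMexEndpoint" address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service></services>
  </system.serviceModel>
</configuration>"""

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means web.config matches the post."""
    root = ET.fromstring(xml_text)
    findings = []
    for dbg in root.iter("serviceDebug"):
        if dbg.get("httpHelpPageEnabled", "false").lower() == "true":
            findings.append("serviceDebug: httpHelpPageEnabled must be false")
        if dbg.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.append("serviceDebug: includeExceptionDetailInFaults returns stack traces to callers")
    for meta in root.iter("serviceMetadata"):
        if meta.get("httpGetEnabled", "false").lower() == "true":
            findings.append("serviceMetadata: httpGetEnabled must be false (WSDL over plain http)")
        if meta.get("httpsGetEnabled", "false").lower() != "true":
            findings.append("serviceMetadata: httpsGetEnabled must be true")
    names = {ep.get("name") for ep in root.iter("endpoint")}  # commented-out endpoints are not parsed
    if "HttpMexEndpoint" in names:
        findings.append("HttpMexEndpoint is still active; comment it out")
    if "HttpsMexEndpoint" not in names:
        findings.append("HttpsMexEndpoint is missing or still commented out")
    authz = root.find("./system.web/authorization")
    if authz is None:
        return findings + ["system.web has no <authorization>; every authenticated caller is allowed"]
    rules = [(r.tag, r.get("users", ""), r.get("roles", "")) for r in authz]
    # Rules are evaluated top-down, first match wins: named allow first, catch-all deny last.
    if not any(t == "allow" and (u or g) for t, u, g in rules):
        findings.append("authorization: no <allow> names a user or group")
    if not rules or rules[-1][:2] != ("deny", "*"):
        findings.append('authorization: last rule must be <deny users="*" />')
    return findings
```

Run it against the real web.config from the physical path of the application after each edit; it reports nothing once all three steps are in place.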

c.       Go to the BizTalk Server Administration console and navigate to your deployed application.

Go to the BizTalk Receive Location and confirm the bindings.

Go to the Security tab and change the settings as shown below.

d.      Configure the binding of the deployed BizTalk application and then start it.

5.       Browse Service: Try to browse the service.

If you get the error "HTTP Error 503. The service is unavailable", the AppPool under which the service is configured to run is either not started or has the wrong credentials.

[Note: the App Pool under which the BizTalk service runs should use the same user that is configured for the "Isolated Host Instance" in BizTalk.]

After browsing, the service looks like this……….

6.       Who is authorized to use this service?
·         The client message must always carry the user ID/password in the SOAP header.
The SOAP message format is shown below.

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xop="http://www.w3.org/2004/08/xop/include"
              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <env:Header>
    <!--SOAP header with userid and password-->
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-22D614527BEC949AB414127559566081">
        <wsse:Username>KundanKarma</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">KKAADDAADASDASD</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <!--Body of the message-->
  </env:Body>
</env:Envelope>
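The header above is all a client of any technology has to produce (step 6), and it is also what the test in step 7 must send. The following is an added example, not from the original post: build_envelope produces the envelope in the format shown, and inspect_token is a receiving-side or test-harness check that the wsse:Security header is present, marked mustUnderstand, and that a PasswordText token only arrives over https, since the password travels in clear text inside the envelope and TLS is what protects it. Function names and the sample inputs are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

def build_envelope(username, password, body_xml, token_id="UsernameToken-1"):
    """Return the SOAP 1.1 envelope from step 6: credentials in a wsse:Security header, payload in the Body."""
    return (
        f'<env:Envelope xmlns:env="{ENV}" xmlns:wsu="{WSU}"><env:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" env:mustUnderstand="1">'
        f'<wsse:UsernameToken wsu:Id="{token_id}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        "</wsse:UsernameToken></wsse:Security></env:Header>"
        f"<env:Body>{body_xml}</env:Body></env:Envelope>"
    )

def inspect_token(envelope_xml, scheme):
    """Return (username, findings) for an incoming envelope; empty findings means the header is acceptable.

    scheme is the transport the request arrived on ("https" or "http"): a PasswordText
    token carries the password in clear text, so it is only acceptable over https.
    """
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return None, ["no wsse:Security header; reject the request"]
    findings = []
    if sec.get(f"{{{ENV}}}mustUnderstand") != "1":
        findings.append('wsse:Security lacks env:mustUnderstand="1"')
    token = sec.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return None, findings + ["wsse:Security carries no UsernameToken"]
    user = (token.findtext(f"{{{WSSE}}}Username") or "").strip()
    pwd = token.find(f"{{{WSSE}}}Password")
    if not user or pwd is None or not (pwd.text or ""):
        findings.append("UsernameToken is missing Username or Password")
    elif pwd.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT and scheme != "https":
        findings.append("PasswordText token sent over plain http; credentials exposed")
    return (user or None), findings
```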

7.       Test:

The client of the service is independent of technology; any web technology client can call the web service, but the client must send the user ID/password in the SOAP header, using the SOAP message format shown in step 6.

In this example I am going to show the test with SOAP UI.

SOAP UI preparation:
a.       Open SOAP UI.

b.      Take the WSDL of the service and create a SOAP UI project.

c.       Test the service with an input message in the format shown in step 6: the user ID/password in the wsse:Security header and the request payload in the Body.

2 comments:

  1. Could you please share your email id

  2. I tried as per your post, but I am getting http 400/500 and some strange error. Let me know any changes to do in IIS