BizTalk WCF-BasicHttp with Client Certificate authentication
Introduction
The requirement is to expose a secure web service (https) [SSL] over the internet/intranet, with the client authenticated by a client certificate, in BizTalk.
Background
Sometimes the users of a web service need to be able to trust the web service they are using for sending and receiving messages. At the same time the web service must also authenticate the users of the service.
Service authentication by users/clients: Every secure web service (https) is associated with a “Server Certificate” issued by a well-known “Certificate Authority”, which is verified by the clients of that service while using/browsing it.
Service authenticates users/clients: The service should also verify that it is being used only by users within its trusted zone. So while sending a message to the service, the client should send a “Client Certificate” issued by a well-known “Certificate Authority”. The service validates the “Client Certificate” and allows the message/request if the certificate belongs to one of its trusted users, or rejects it otherwise.
We will do this implementation in BizTalk Server using the WCF adapters.
Solution
Following are the steps to follow to achieve this in BizTalk Server.
1. Create/Get Server Certificate:
If it is for testing, create a self-signed server certificate. If it is for production, get the server certificate from a CA.
Following are the steps to create a self-signed server certificate.
a. Go to IIS, select the “Server” node and in Features View select “Server Certificates”.
b. Select “Create Self-Signed Certificate”, give some friendly name and click OK. Then click View to see the certificate details.
2. Create Secure Site in IIS (https):
a. Right-click Sites and select new Site.
b. Provide the site details as shown below.
Protocol: https
SSL certificate: <the one created in the previous step>
3. Enable SSL on the IIS site “MySecureSite”.
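The same SSL setting can be applied and checked from the WebAdministration module instead of the IIS Manager dialog. This is an added example, not code from the original post; it assumes an elevated prompt on the IIS host and the site name “MySecureSite” used in the post. The “Ignore” mode is the switch the test note in step 8 refers to when client certificate authentication has to be turned off temporarily in IIS.

```powershell
# Added example: set and verify the SSL / client-certificate flags of an IIS site.
# Assumes: elevated PowerShell on the IIS host, the WebAdministration module
# (IIS 7.5 or later) and a site named "MySecureSite" as in the post.
Import-Module WebAdministration

$siteName = 'MySecureSite'
$sitePath = "IIS:\Sites\$siteName"
$filter   = 'system.webServer/security/access'

# sslFlags values used below:
#   Ssl               -> require https
#   SslNegotiateCert  -> ask the client for a certificate (optional)
#   SslRequireCert    -> reject requests that present no valid certificate
function Set-ClientCertRequirement {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Require', 'Accept', 'Ignore')][string]$Mode = 'Require'
    )
    $flags = switch ($Mode) {
        'Require' { 'Ssl,SslNegotiateCert,SslRequireCert' }
        'Accept'  { 'Ssl,SslNegotiateCert' }
        'Ignore'  { 'Ssl' }
    }
    # Writes a <location path="MySecureSite"> entry in applicationHost.config.
    Set-WebConfigurationProperty -PSPath $Path -Filter $filter -Name 'sslFlags' -Value $flags
}

function Get-ClientCertRequirement {
    param([Parameter(Mandatory)][string]$Path)
    (Get-WebConfiguration -PSPath $Path -Filter $filter).sslFlags
}

# Step 3 of the post: require SSL and a client certificate on the whole site.
Set-ClientCertRequirement -Path $sitePath -Mode 'Require'
"sslFlags on $siteName : $(Get-ClientCertRequirement -Path $sitePath)"
```

The flags are set at site scope, so every application under “MySecureSite” (including “BTS_SecureWebService1” from step 4) inherits them; the receive location’s own Security tab in BizTalk must be set to match, as the post notes in step 8.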
4. Create BizTalk Solution.
a. The solution can be with or without an orchestration. In this example we will create a solution with a BizTalk orchestration and expose it as a WCF service.
b. The service with “http” is deployed on IIS, but in “Default Web Site”. Now we have to move it to “MySecureSite”, which is https. Add a new Application to “MySecureSite” with the same name, i.e. “BTS_SecureWebService1”, and provide the same physical path.
i. Now remove the application from “Default Web Site” [Note: but don’t delete it from the physical path].
ii. Go to the physical path of “BTS_SecureWebService1” and open web.config.
iii. Comment out the line starting with
“<endpoint name="HttpMexEndpoint"……………”
and un-comment the line just below it, starting with
“<endpoint name="HttpsMexEndpoint"
iv. In the following lines
<behavior name="ServiceBehaviorConfiguration">
    <serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
    <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
</behavior>
change the http settings to false and the https settings to true, as done below.
<behavior name="ServiceBehaviorConfiguration">
    <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
</behavior>
c. Go to the BizTalk Server Administration console and navigate to your deployed application. Go to the BizTalk receive location and confirm the bindings. Go to the Security tab and change the settings as shown below.
d. Configure the bindings of the deployed BizTalk application and then start it.
5. Browse Service: Try to browse the service.
If you get the error “HTTP Error 503. The service is unavailable”, the AppPool under which the service is configured to run is either not started or has wrong credentials.
[Note: The App Pool under which the BizTalk service runs should use the same user configured for the “Isolated Host Instance” in BizTalk.]
It will ask for a Client Certificate, as shown below.
If you already have a certificate, try to provide it; otherwise follow the steps below to create a self-signed client certificate.
After browsing, the service looks like this……….
6. Create Self-Signed Client Certificate:
i. Self-signed CA certificate:
makecert.exe -r -n "CN=KKServerPersonalCA" -pe -sv KKServerPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2014 -e 01/21/2016 -cy authority KKServerPersonalCA.cer
ii. Client certificate issued by the self-signed CA “KKServerPersonalCA”:
makecert.exe -iv KKServerPersonalCA.pvk -ic KKServerPersonalCA.cer -n "CN=KundanKServer" -pe -sv KundanKarmaServer.pvk -a sha1 -len 2048 -b 01/21/2014 -e 01/21/2016 -sky exchange KundanKarmaServer.cer -eku 1.3.6.1.5.5.7.3.2
pvk2pfx.exe -pvk KundanKarmaServer.pvk -spc KundanKarmaServer.cer -pfx KundanKarmaServer.pfx -po <Password>
(-eku 1.3.6.1.5.5.7.3.2 is the Client Authentication enhanced key usage, which marks the certificate as usable for authenticating a client; -pe makes the private key exportable so that pvk2pfx.exe can bundle it into the .pfx.)
Now the secured BizTalk service (https) with client authentication by certificate is ready.
7. Who is authorized to use this service?
· The client message should always be accompanied by the client certificate. The issuer of the client certificate should be in the trusted list of the server.
· Shown below is the trusted CA which the service can support.
Go to Run and type “mmc”, then File → Add/Remove Snap-in, as shown below.
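The trust decision in step 7 comes down to two checks IIS/SChannel makes on the presented certificate: it must carry the Client Authentication usage, and its chain must end at a root in the Local Computer “Trusted Root Certification Authorities” store. The following added example (not code from the original post) puts the step 6 test CA into that store and then runs the same two checks on the client certificate so a refusal can be explained before SoapUI is involved. It assumes the files produced in step 6 (KKServerPersonalCA.cer, KundanKarmaServer.pfx) are in the current directory, that the prompt is elevated on the BizTalk/IIS server, and that the PKI module (Windows 8 / Server 2012 or later) is available.

```powershell
# Added example: establish and verify server-side trust for a client certificate.
# Assumes: step 6 output files in the current directory, an elevated prompt on the
# BizTalk/IIS server, and the PFX password chosen in the pvk2pfx.exe command.
$ErrorActionPreference = 'Stop'

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # the -eku value used in step 6 ii

# 1. Put the issuing CA where IIS/SChannel looks for trusted issuers:
#    Local Computer > Trusted Root Certification Authorities.
#    (On older servers without the PKI module: certutil -addstore -f Root KKServerPersonalCA.cer)
Import-Certificate -FilePath '.\KKServerPersonalCA.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Check a client certificate the way the service will: correct EKU, and a chain
#    that ends at a root this machine trusts. Returns the findings instead of only
#    printing them, so the result can be logged or inspected.
function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [securestring]$Password            # only needed for a .pfx
    )
    $cert = if ($Password) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    } else {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    }

    # Collect the enhanced key usage OIDs present on the certificate.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $hasClientAuth = $ekus -contains $clientAuthEku

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The makecert test CA publishes no CRL, so revocation is skipped; trusted root,
    # validity period and signature are still enforced. AllowUnknownCertificateAuthority
    # is deliberately NOT set: an issuer missing from the store must fail, as it does in IIS.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$clientAuthEku) | Out-Null
    $chainOk = $chain.Build($cert)

    [ordered]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasClientAuth = $hasClientAuth
        ChainTrusted  = $chainOk
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        Accepted      = ($hasClientAuth -and $chainOk)
    }
}

$pfxPassword = Read-Host -AsSecureString 'PFX password from step 6 ii'
Test-ClientCertificate -Path '.\KundanKarmaServer.pfx' -Password $pfxPassword
```

Running the function before the Import-Certificate line shows ChainTrusted false with ChainStatus “UntrustedRoot”, which is exactly the condition IIS reports as an untrusted client certificate; after the import it shows true. Because a root in this store makes every certificate that CA ever issues acceptable to the server, a test CA such as KKServerPersonalCA should be removed from the production store once testing is over.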
8. Test:
The client of the service is independent of technology: any web technology client can call the web service. But the client should send the message with a client certificate that is trusted by the service.
In this example I am going to show the test using SoapUI.
SoapUI preparation:
a. Create a self-signed certificate (as specified in 6 i & ii) OR get the client certificate from a CA.
b. Open SoapUI, go to File --> Preferences and provide the certificate (the key provided should be the one associated with the client certificate), i.e. the *.pfx [Note: *.cer or *.cert files are the certificate with the public key only, but the *.pfx is the certificate with the private key]. Also provide the password of the certificate (which was provided at the time of certificate creation, i.e. in the pvk2pfx.exe command in step 6 ii).
c. Take the WSDL of the service and create a SoapUI project.
[Note: If you face any problem while creating the SoapUI project by browsing the WSDL, temporarily disable client certificate authentication (both in IIS and in the BizTalk receive location Security tab) and, once the SoapUI project is created, enable client certificate authentication again.]
d. Test the service as shown below.
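Since the post stresses that any client technology works as long as it presents a trusted client certificate, here is the same test done from PowerShell instead of SoapUI. This is an added example, not code from the original post. The service URL is a placeholder to be replaced with the address shown when browsing the service in step 5; the example assumes the .pfx from step 6 ii is in the current directory and that the client machine already trusts the server certificate from step 1 (otherwise the TLS handshake fails before a client certificate is ever sent).

```powershell
# Added example: request the service WSDL with and without the client certificate.
# Assumes: placeholder URL below replaced with the real service address,
# KundanKarmaServer.pfx from step 6 ii in the current directory, and a client
# machine that trusts the server certificate from step 1.
$ErrorActionPreference = 'Stop'

$serviceUrl = 'https://YOUR-SERVER/BTS_SecureWebService1/Service.svc'   # placeholder
$wsdlUrl    = "${serviceUrl}?wsdl"

function Get-ServiceWsdl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCertificate
    )
    try {
        $params = @{ Uri = $Url; UseBasicParsing = $true }
        if ($ClientCertificate) { $params.Certificate = $ClientCertificate }
        $response = Invoke-WebRequest @params
        [pscustomobject]@{ StatusCode = [int]$response.StatusCode; Body = $response.Content }
    } catch {
        # IIS answers 403.7 (client certificate required) or 403.16 (issuer not
        # trusted) when the requirement from step 3 / step 7 is not met.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        [pscustomobject]@{ StatusCode = $status; Body = $_.Exception.Message }
    }
}

# Load the client certificate with its private key (the .pfx, not the .cer),
# which is the same file SoapUI is given under File --> Preferences.
$pfxPassword = Read-Host -AsSecureString 'PFX password from step 6 ii'
$clientCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    '.\KundanKarmaServer.pfx', $pfxPassword)

# Expected: the call without a certificate is refused, the call with one returns the WSDL.
$withoutCert = Get-ServiceWsdl -Url $wsdlUrl
$withCert    = Get-ServiceWsdl -Url $wsdlUrl -ClientCertificate $clientCert

"Without client certificate: HTTP $($withoutCert.StatusCode)"
"With client certificate:    HTTP $($withCert.StatusCode), WSDL length $($withCert.Body.Length)"
```

The first call reproduces the failure the SoapUI note in step 8c works around: a WSDL fetch with no certificate attached is rejected by IIS before it reaches BizTalk, which is why the project has to be created with the requirement temporarily disabled, or with a tool that sends the certificate during the WSDL download as well.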