Introduction
The requirement is to expose a secure BizTalk web service over HTTPS (SSL/TLS) to the internet or intranet, with client authentication done not at the transport layer but at the message layer: a user ID and password carried in the SOAP header.
Along with that, the web service must be consumable by clients built on any technology, i.e. "Web Services Interoperability", so it follows WS-Security as profiled by WS-I (Basic Security Profile).
Such a scenario can be implemented in BizTalk by following the steps below.
Background
Sometimes the users of a web service need to trust the service they are using to send and receive messages.
At the same time, the web service must authenticate the users of the service.
Clients authenticate the service: every secure (https) web service presents a "Server Certificate" issued by a well-known "Certificate Authority", which clients verify while calling or browsing the service.
Service authenticates the clients: the service must also check that it is being used only by users within its trusted zone.
The client sends the user ID and password in the SOAP header (a WS-Security UsernameToken). Because that password travels in clear text inside the message, the transport must be HTTPS.
Solution
The following steps achieve this in BizTalk Server.
- Create or obtain a server certificate:
For testing, create a self-signed server certificate. For production, obtain the server certificate from a CA; a self-signed certificate is not trusted by clients unless it is distributed to them.
Steps to create a self-signed server certificate:
- In IIS Manager select the server node and, in Features View, open "Server Certificates".

- Select "Create Self-Signed Certificate" and give it a friendly name.

Click OK, then
click View to see the certificate details.
- Create a secure (https) site in IIS:
- Right-click Sites and select Add Web Site.
- Provide the site details as shown below.

Protocol: https
SSL certificate: <the certificate created in the previous step>
- Require SSL on the IIS site "MySecureSite" (SSL Settings, Require SSL), so that plain http requests to it are rejected.


- Create the BizTalk solution.
- The solution can be with or without an orchestration. In this example we create a solution with a BizTalk orchestration and expose it as a WCF service.




- The publishing wizard deploys the service over http into the "Default Web Site". Now we have to move it to "MySecureSite", which is https.
Add a new application to "MySecureSite" with the same name, i.e. "BTS_Test_ProjMsgAuth", and point it at the same physical path.

- Now remove the application from "Default Web Site" [Note: remove only the IIS application, do not delete the files at the physical path].
- Check that the SSL settings of the application are as shown below (Require SSL checked).

- Go to the physical path of "BTS_SecureWebService1" and open web.config.
- Comment out the line starting with
"<endpoint name="HttpMexEndpoint"……………"
and uncomment the line just below it, which starts with
"<endpoint name="HttpsMexEndpoint"
- Change the following lines
<behavior name="ServiceBehaviorConfiguration">
<serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
</behavior>
so that the http attributes are false and the https attributes are true, as shown below. The help page and the WSDL are then served only over https; includeExceptionDetailInFaults stays false so that faults returned to callers do not carry stack traces.
<behavior name="ServiceBehaviorConfiguration">
<serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="true" includeExceptionDetailInFaults="false" />
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
</behavior>
- Add the following lines under <system.web>. ASP.NET evaluates the rules top-down and stops at the first match, so the explicit allow entries must come before the catch-all deny. The UsernameToken is validated as a Windows account (the WCF default for UserName credentials), and these rules restrict which of those accounts may call the service.
For allowing users:
<system.web>
…………..
…………
<authorization>
<allow roles="" users="<Domain>\<username>" />
<deny users="*" />
</authorization>
</system.web>
For allowing a group:
<system.web>
…………..
…………
<authorization>
<allow roles="<Domain>\<groupname>" users="" />
<deny users="*" />
</authorization>
</system.web>
- Go to the BizTalk Server Administration console and navigate to your deployed application.
Open the receive location and confirm the bindings.

Go to the Security tab and change the settings as shown below. For this scenario that means Security mode TransportWithMessageCredential (TLS on the wire, the credential in the message) with Message client credential type UserName.



- Configure the bindings of the deployed BizTalk application and then start it.
- Browse the service: try to open the service URL in a browser.
If you get the error "HTTP Error 503. The service is unavailable",
the application pool the service runs under is either not started or configured with wrong credentials.
[Note: the application pool identity must be the same user configured for the BizTalk "Isolated Host Instance"; that account is a member of the BizTalk Isolated Host Users group.]
After browsing, the service page looks like this:

- Who is authorized to use this service?
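The web.config edits above are easy to get half right (one http attribute left at true, the deny rule placed before the allow). As an added example, not part of the original post and not BizTalk's own tooling, the Python script below audits a generated web.config for exactly those settings and applies them: help page and metadata only over https, exception details off, the mex endpoint moved to mexHttpsBinding, and an <authorization> block with the allow rules ahead of the catch-all deny. The web.config inside it is a constructed, abridged copy of what the publishing wizard generates, and the account name CONTOSO\svc_client is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged web.config in the state the BizTalk WCF publishing
# wizard leaves it (http only, no authorization rules). Comments and the
# unrelated sections of the real file are omitted.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehaviorConfiguration">
          <serviceDebug httpHelpPageEnabled="true" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="false" />
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Microsoft.BizTalk.Adapter.Wcf.Runtime.BizTalkServiceInstance"
               behaviorConfiguration="ServiceBehaviorConfiguration">
        <endpoint name="HttpMexEndpoint" address="mex" binding="mexHttpBinding"
                  bindingConfiguration="" contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
"""

# Attribute values the hardened service behaviour must have.
WANTED = {
    "serviceDebug": {"httpHelpPageEnabled": "false", "httpsHelpPageEnabled": "true",
                     "includeExceptionDetailInFaults": "false"},
    "serviceMetadata": {"httpGetEnabled": "false", "httpsGetEnabled": "true"},
}


def _child(parent, tag):
    """First direct child with the given tag (plain iteration, so 'system.web' needs no path syntax)."""
    return next((c for c in parent if c.tag == tag), None)


def audit(config_xml):
    """Return a list of findings; an empty list means the config is in the hardened state."""
    root = ET.fromstring(config_xml)
    findings = []
    for tag, wanted in WANTED.items():
        for el in root.iter(tag):
            for attr, value in wanted.items():
                if el.get(attr) != value:
                    findings.append(f"{tag}/@{attr} is {el.get(attr)!r}, expected {value!r}")
    for ep in root.iter("endpoint"):
        if ep.get("binding") == "mexHttpBinding":
            findings.append(f"endpoint {ep.get('name')!r} publishes metadata over plain http")
    system_web = _child(root, "system.web")
    auth = _child(system_web, "authorization") if system_web is not None else None
    if auth is None:
        findings.append("system.web has no <authorization>: every account the token validator accepts may call the service")
    elif not any(d.get("users") == "*" for d in auth.findall("deny")):
        findings.append('<authorization> lacks the catch-all <deny users="*" />')
    return findings


def harden(config_xml, allowed_users=(), allowed_roles=()):
    """Apply the edits from the post and return the new web.config text.

    ElementTree drops the XML declaration and comments, so treat the output as
    a reference to diff against the hand-edited file rather than a drop-in.
    """
    root = ET.fromstring(config_xml)
    for tag, wanted in WANTED.items():
        for el in root.iter(tag):
            el.attrib.update(wanted)
    # Replace the http mex endpoint with its https twin (same address and contract).
    for service in root.iter("service"):
        for ep in list(service.findall("endpoint")):
            if ep.get("binding") == "mexHttpBinding":
                attrs = dict(ep.attrib)
                attrs.update(name="HttpsMexEndpoint", binding="mexHttpsBinding")
                service.remove(ep)
                ET.SubElement(service, "endpoint", attrs)
    system_web = _child(root, "system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    auth = _child(system_web, "authorization")
    if auth is None:
        auth = ET.SubElement(system_web, "authorization")
    # ASP.NET evaluates rules top-down and stops at the first match,
    # so the allow entries go first and the catch-all deny last.
    for user in allowed_users:
        ET.SubElement(auth, "allow", {"users": user})
    for role in allowed_roles:
        ET.SubElement(auth, "allow", {"roles": role})
    ET.SubElement(auth, "deny", {"users": "*"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_CONFIG):
        print("before:", finding)
    hardened = harden(SAMPLE_WEB_CONFIG, allowed_users=["CONTOSO\\svc_client"])  # assumed account
    print("after:", audit(hardened) or "clean")
```

Run `audit` against the file on the server before starting the receive location; the six findings it reports on the wizard's default output are the six things this post changes by hand.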
- Test:
The client of the service is independent of technology; any web-service client can call it, as long as it sends the
user ID and password in the SOAP header as a WS-Security UsernameToken.
The SOAP message format is shown below. The password is sent as PasswordText, i.e. in clear text inside the message, which is why the endpoint is https only; the token carries no Nonce or Created element, so nothing in the message itself limits its reuse and the confidentiality of the credential rests entirely on TLS.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xop="http://www.w3.org/2004/08/xop/include"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<env:Header>
<!--SOAP header with userid and password-->
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="UsernameToken-22D614527BEC949AB414127559566081">
<wsse:Username>KundanKarma</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">KKAADDAADASDASD</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body>
<!--Body of the message-->
</env:Body>
</env:Envelope>
In this example the test is done with SoapUI.
SoapUI preparation:
- Open SoapUI.
- Create a SoapUI project from the service WSDL (the https metadata URL enabled above).
- Test the service with an input message in the format shown above: the wsse:Security header carrying the UsernameToken, followed by the operation's request in env:Body.
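Because the post promises that a client on any technology can call the service, it helps to see both ends of the exchange outside SoapUI. The Python module below is an added example, not code from the post or from BizTalk: `build_envelope` produces the same wsse:Security/UsernameToken header as the message above, and `extract_username_token` performs the checks a receiving side makes on that header before handing the credential to a validator (it illustrates those checks; the real receiver in this setup is the WCF host in BizTalk). The endpoint URL, the CONTOSO\svc_client account and the request body are assumptions; PAGE_SAMPLE is the post's own test message.

```python
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# The test message from the post (credentials are the post's placeholders).
PAGE_SAMPLE = f"""<env:Envelope xmlns:env="{ENV}" xmlns:wsu="{WSU}">
<env:Header>
<wsse:Security xmlns:wsse="{WSSE}" env:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="UsernameToken-22D614527BEC949AB414127559566081">
<wsse:Username>KundanKarma</wsse:Username>
<wsse:Password Type="{PASSWORD_TEXT}">KKAADDAADASDASD</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</env:Header>
<env:Body><!--Body of the message--></env:Body>
</env:Envelope>"""


class SecurityHeaderError(Exception):
    """Raised when the envelope does not carry an acceptable UsernameToken."""


def require_https(url):
    """PasswordText puts the password in the clear inside the message, so refuse any non-TLS endpoint."""
    if urlparse(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send a UsernameToken over {url!r}: endpoint must be https")
    return url


def build_envelope(username, password, body_xml):
    """Client side: SOAP 1.1 envelope with the wsse:Security/UsernameToken header from the post."""
    token_id = "UsernameToken-" + uuid.uuid4().hex.upper()
    return (
        f'<env:Envelope xmlns:env="{ENV}" xmlns:wsu="{WSU}">'
        "<env:Header>"
        f'<wsse:Security xmlns:wsse="{WSSE}" env:mustUnderstand="1">'
        f'<wsse:UsernameToken wsu:Id="{token_id}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        "</wsse:UsernameToken></wsse:Security></env:Header>"
        f"<env:Body>{body_xml}</env:Body></env:Envelope>"
    )


def extract_username_token(envelope_xml):
    """Service side: return (username, password) from the header, rejecting anything ambiguous.

    Checks a receiver should make before handing the credential to a validator:
    the header exists, it is flagged mustUnderstand, there is exactly one token
    (two tokens invite parser-differential bugs: which one gets validated?),
    and the password type is one we know how to verify.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{ENV}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if security is None:
        raise SecurityHeaderError("no wsse:Security header")
    if security.get(f"{{{ENV}}}mustUnderstand") != "1":
        raise SecurityHeaderError('wsse:Security is not marked env:mustUnderstand="1"')
    tokens = security.findall(f"{{{WSSE}}}UsernameToken")
    if len(tokens) != 1:
        raise SecurityHeaderError(f"expected exactly one UsernameToken, found {len(tokens)}")
    token = tokens[0]
    username = token.findtext(f"{{{WSSE}}}Username")
    password = token.find(f"{{{WSSE}}}Password")
    if not username or password is None or not password.text:
        raise SecurityHeaderError("UsernameToken must carry a non-empty Username and Password")
    # The Username Token Profile defaults Type to PasswordText when the attribute is absent.
    if password.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        raise SecurityHeaderError(f"unsupported password type {password.get('Type')!r}")
    return username, password.text


if __name__ == "__main__":
    # Assumed endpoint; the application name follows the post.
    url = require_https("https://biztalk.example.local/BTS_Test_ProjMsgAuth/Service.svc")
    envelope = build_envelope("CONTOSO\\svc_client", "correct horse battery staple",
                              '<Request xmlns="urn:example" />')  # assumed body
    print(url, extract_username_token(envelope))
    print(extract_username_token(PAGE_SAMPLE))
```

Post the envelope with `Content-Type: text/xml; charset=utf-8` and the operation's SOAPAction header to the https URL; a client that skips `require_https` and targets the old http application would hand the password to anyone on the path, which is exactly why the http application was removed from the Default Web Site above.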