Tuesday, November 3, 2015

Send signed SOAP request without encrypting the header and body in BizTalk Server using WS-Security


Follow all the steps from my previous post (the one below) and then create a custom behavior extension that disables encryption with the following code in its AddBindingParameters method.

 
You can get the complete code for the behavior from this link.

Build the downloaded solution and GAC the DLL.

Update machine.config for both the 64-bit and the 32-bit .NET Framework with the following entry (a BizTalk host instance can run as either, and each reads its own machine.config):

<behaviorExtensions>
<add name="SignSoapRequestBehavior" type="WCF.Behavior.SignSoapRequest.SignSoapRequestBehaviorExtensionElement, WCF.Behavior.SignSoapRequest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ba7175b2b6205a29" />
...

Add this behavior to the send port (WCF-Custom transport properties, Behavior tab).
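An added check that is not part of the original post or the linked solution: a common reason the behavior "is not found" at run time is that the entry was added to only one of the two machine.config files, or with a type string whose PublicKeyToken differs from the assembly actually in the GAC. The Python script below parses the behaviorExtensions section of each file and reports both kinds of mismatch. The machine.config paths are an assumption for .NET 4.x on a default Windows install; the token is the one from the entry above (on a real server read it from gacutil /l); the three sample configs are constructed for the demonstration, and --live switches to the real files.

```python
"""Check that a WCF behaviorExtensions entry is registered consistently in both machine.config files."""
import re
import xml.etree.ElementTree as ET

# Assumed default locations for .NET 4.x; 32-bit and 64-bit runtimes each read their own file.
MACHINE_CONFIGS = {
    "32-bit": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config",
    "64-bit": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config",
}
# Assembly-qualified type name: "Namespace.Type, Assembly, Version=..., Culture=..., PublicKeyToken=..."
TYPE_NAME = re.compile(
    r"^\s*(?P<type>[^,]+),\s*(?P<assembly>[^,]+),\s*Version=(?P<version>[\d.]+),"
    r"\s*Culture=(?P<culture>[^,]+),\s*PublicKeyToken=(?P<token>[0-9a-fA-F]{16}|null)\s*$")


def behavior_extensions(config_xml):
    """Return {name: parsed type-name dict, or None if the type attribute is malformed}."""
    root = ET.fromstring(config_xml)
    found = {}
    for add in root.iterfind("./system.serviceModel/extensions/behaviorExtensions/add"):
        match = TYPE_NAME.match(add.get("type", ""))
        found[add.get("name")] = match.groupdict() if match else None
    return found


def check_registration(name, gac_token, configs):
    """configs maps a label to machine.config text; returns a list of problems (empty means consistent)."""
    problems = []
    for label, xml_text in configs.items():
        entry = behavior_extensions(xml_text).get(name, "missing")
        if entry == "missing":
            problems.append("%s: behavior extension '%s' is not registered" % (label, name))
        elif entry is None:
            problems.append("%s: type attribute for '%s' is not a valid assembly-qualified name" % (label, name))
        elif entry["token"].lower() != gac_token.lower():
            problems.append("%s: PublicKeyToken %s does not match the GAC'd assembly (%s)"
                            % (label, entry["token"], gac_token))
    return problems


def read_real_configs(paths=MACHINE_CONFIGS):
    """Load the live machine.config files (Windows only)."""
    return {label: open(path, encoding="utf-8").read() for label, path in paths.items()}


# Constructed samples: 64-bit registered correctly, 32-bit missing the entry, a third with a stale token.
ENTRY = ('<add name="SignSoapRequestBehavior" type="WCF.Behavior.SignSoapRequest.SignSoapRequestBehaviorExtensionElement, '
         'WCF.Behavior.SignSoapRequest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=%s" />')
TEMPLATE = ('<configuration><system.serviceModel><extensions><behaviorExtensions>%s'
            '</behaviorExtensions></extensions></system.serviceModel></configuration>')
GAC_TOKEN = "ba7175b2b6205a29"  # token from the machine.config entry above
SAMPLES = {
    "64-bit": TEMPLATE % (ENTRY % GAC_TOKEN),
    "32-bit": TEMPLATE % "",
    "stale": TEMPLATE % (ENTRY % "0123456789abcdef"),
}

if __name__ == "__main__":
    import sys
    configs = read_real_configs() if "--live" in sys.argv else SAMPLES
    problems = check_registration("SignSoapRequestBehavior", GAC_TOKEN, configs)
    print("\n".join(problems) if problems else "behavior extension registered consistently")
```

Run it with --live on the BizTalk server after the GAC step; an empty result means both runtimes will resolve the extension to the same strong-named assembly.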

BizTalk will produce a SOAP request with the header blocks and the body signed but nothing encrypted, as shown below (for clarity the base64 content of the BinarySecurityToken and SignatureValue has been truncated). Note that the Timestamp is among the signed references, so the receiver can reject stale replays, and that this binding signs with rsa-sha1/sha1; a SHA-256 suite is selected with the defaultAlgorithmSuite attribute of the security element (for example Basic256Sha256) if the service supports it.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1" u:Id="_2">http://example.com</a:Action>
  <a:MessageID u:Id="_3">urn:uuid:78e28d0b-4944-48f7-86e1-16deef77cfdd</a:MessageID>
  <a:ReplyTo u:Id="_4">
   <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
  </a:ReplyTo>
  <a:To s:mustUnderstand="1" u:Id="_5">http://localhost:6600/BradyContractService/ReceiveContract.svc</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="uuid-9a964984-1374-485c-97bc-bdb76408d981-1">
    <u:Created>2015-11-03T07:28:27.508Z</u:Created>
    <u:Expires>2015-11-03T07:33:27.508Z</u:Expires>
   </u:Timestamp>
   <o:BinarySecurityToken u:Id="uuid-c2fe0a8f-ca9f-41c7-8f4b-6357ebdc5a09-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDuTCCAqG...mNi0</o:BinarySecurityToken>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="#_1">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>ee6Ma40RghCCEzDnDA4VZNJynBM=</DigestValue>
     </Reference>
     <Reference URI="#_2">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>0TSzFgakSshEA4QJJOFiDguAmaA=</DigestValue>
     </Reference>
     <Reference URI="#_3">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>iDbgU1OHYaUGdFWCXjmuzgSAqlE=</DigestValue>
     </Reference>
     <Reference URI="#_4">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>l6mMmQ2LE9VFtjaA6Qc4GKBXURw=</DigestValue>
     </Reference>
     <Reference URI="#_5">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>QhNTDZm5G+hGSpv/fkTQ0sHlFSE=</DigestValue>
     </Reference>
     <Reference URI="#uuid-9a964984-1374-485c-97bc-bdb76408d981-1">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>WzEWN6/iE6FnafJg4G9se5dB7yE=</DigestValue>
     </Reference>
    </SignedInfo>
    <SignatureValue>jRu...kWSjsJWA70vc/lRw==</SignatureValue>
    <KeyInfo>
     <o:SecurityTokenReference>
      <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-c2fe0a8f-ca9f-41c7-8f4b-6357ebdc5a09-2"/>
     </o:SecurityTokenReference>
    </KeyInfo>
   </Signature>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1">
  <Dummy>Sample Request</Dummy>
 </s:Body>
</s:Envelope>

Cheers
Rohit C. M. Sharma

Send signed and encrypted SOAP request in BizTalk Server using WS-Security


To send a signed and encrypted SOAP request to a web service from BizTalk Server, follow these steps:

Step 1: Create a send port (one-way or solicit-response, as required) and select WCF-Custom as the transport type.

Step 2: Select customBinding as the Binding Type. By default customBinding contains textMessageEncoding and httpTransport; change these as your service requires.

Step 3: Add the security binding element to the custom binding. Make sure the element order is as shown below:

Step 4: Configure the security binding element as shown below:

Step 4.1: Set allowInsecureTransport to True if you are using httpTransport; leave it False if you are using httpsTransport. This flag only lets WCF run a message-security binding over plain HTTP: the SOAP parts shown below are still signed and encrypted, but the HTTP headers and URL are not, so use httpsTransport outside development.

Step 4.2: Set authenticationMode to MutualCertificate (both sides authenticate with X.509 certificates: BizTalk signs with its own private key and encrypts to the service's public key).

Step 4.3: Set messageSecurityVersion to WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10

Step 5: Add the clientCredentials behavior on the Behavior tab.

Step 5.1: Configure ClientCertificate (the certificate whose private key BizTalk signs with) and ServiceCertificate/DefaultCertificate (the service's public key used for encryption).
 
 
BizTalk will produce a SOAP envelope with both the header and the body signed and encrypted, as shown below (for clarity most of the base64 content has been truncated). With WCF's default protection order (sign, then encrypt, then encrypt the signature) the Signature itself travels as the EncryptedData with Id _7 inside the Security header and the body content as the EncryptedData with Id _2; both are listed in the EncryptedKey's ReferenceList, while the Timestamp and BinarySecurityToken stay in the clear.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1" u:Id="_3"/>
  <a:MessageID u:Id="_4">urn:uuid:6ebdf6f8-b9fd-4fbd-8029-a7d2dd37c2d4</a:MessageID>
  <a:ReplyTo u:Id="_5">
   <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
  </a:ReplyTo>
  <a:To s:mustUnderstand="1" u:Id="_6">http://localhost:6600/DummyService/DummyService.svc</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="uuid-8bfab354-dd65-4ad2-9bc0-276979f19440-1">
    <u:Created>2015-11-03T06:46:38.270Z</u:Created>
    <u:Expires>2015-11-03T06:51:38.270Z</u:Expires>
   </u:Timestamp>
   <o:BinarySecurityToken u:Id="uuid-c6a8190f-5f53-40a0-980d-7b7ee55eb01a-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDuTCCAqGgAwIBAgIQBbX...</o:BinarySecurityToken>
   <e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
    </e:EncryptionMethod>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">fOepp/dW66vQ0heuTt2ETjlMRAM=</o:KeyIdentifier>
     </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
     <e:CipherValue>oDZc/9rKTiVjeildC...J6iaPsYg==</e:CipherValue>
    </e:CipherData>
    <e:ReferenceList>
     <e:DataReference URI="#_2"/>
     <e:DataReference URI="#_7"/>
    </e:ReferenceList>
   </e:EncryptedKey>
   <e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <e:CipherData>
     <e:CipherValue>jZnJpp1vi2Jl/gpLfLF+bIj...r0BkGUUHeVQ==</e:CipherValue>
    </e:CipherData>
   </e:EncryptedData>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1">
  <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
   <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <e:CipherData>
    <e:CipherValue>y0QXU2uwNr...zOvFM=</e:CipherValue>
   </e:CipherData>
  </e:EncryptedData>
 </s:Body>
</s:Envelope>
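When a trading partner says "your request is not signed" or "the body is not encrypted", the fastest way to settle it is to read the captured envelope and list what the Security header actually covers. The Python script below is an added example, not code from this post or from BizTalk: it walks the ds:Reference URIs of the Signature and the DataReference URIs of the EncryptedKey, resolves them against the wsu:Id / Id attributes in the envelope, reports the algorithms in use and flags the things a reviewer would ask about (Body or Timestamp outside the signature, SHA-1 signature algorithms, CBC-mode XML Encryption, and the signed-then-encrypted case where the Signature itself is ciphertext, so its coverage cannot be read until the message is decrypted). It applies to both the signed-only capture in the post above and the signed-and-encrypted capture here; the two sample envelopes inside the script are constructed, trimmed copies of those captures with placeholder digest and cipher values.

```python
"""Report which parts of a WS-Security envelope are signed and which are encrypted."""
import xml.etree.ElementTree as ET

XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": XMLDSIG,
    "xenc": XENC,
}
U_ID = "{%s}Id" % NS["u"]
SHA1_ALGORITHMS = {XMLDSIG + "rsa-sha1", XMLDSIG + "sha1"}


def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace from an ElementTree tag


def enc_method(el):
    method = el.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def inspect_envelope(xml_text):
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    # WCF puts wsu:Id on SOAP parts; xenc elements carry an unqualified Id attribute.
    ids = {el.get(a): el for el in root.iter() for a in (U_ID, "Id") if el.get(a)}
    security = root.find("s:Header/o:Security", NS)
    if security is None:
        return {"signed": [], "encrypted": [], "findings": ["no wsse:Security header"]}

    # Signature coverage: every ds:Reference URI must resolve to an Id inside the envelope.
    signed, sig_algorithms = [], set()
    signed_info = security.find("ds:Signature/ds:SignedInfo", NS)
    if signed_info is not None:
        for ref in signed_info.findall("ds:Reference", NS):
            target = ids.get(ref.get("URI", "").lstrip("#"))
            signed.append(local(target.tag) if target is not None else "<dangling %s>" % ref.get("URI"))
        sig_algorithms = {el.get("Algorithm") for el in signed_info.iter() if el.get("Algorithm")}
    # With WCF's default SignBeforeEncryptAndEncryptSignature the Signature is an EncryptedData of Type #Element.
    signature_encrypted = signed_info is None and any(
        d.get("Type", "").endswith("#Element") for d in security.findall("xenc:EncryptedData", NS))

    # Encryption coverage: the EncryptedKey's ReferenceList names every EncryptedData it keys.
    encrypted, enc_algorithms = [], set()
    for key in security.findall("xenc:EncryptedKey", NS):
        enc_algorithms.add(enc_method(key))
        for dref in key.findall("xenc:ReferenceList/xenc:DataReference", NS):
            data = ids.get(dref.get("URI", "").lstrip("#"))
            if data is None:
                encrypted.append("<dangling %s>" % dref.get("URI"))
                continue
            enc_algorithms.add(enc_method(data))
            scope = "content" if data.get("Type", "").endswith("#Content") else "element"
            encrypted.append("%s %s" % (local(parent[data].tag), scope))
    enc_algorithms.discard(None)

    weak = sorted(a for a in sig_algorithms if a in SHA1_ALGORITHMS)
    findings = []
    if signature_encrypted:
        findings.append("Signature is itself encrypted; decrypt before enumerating signed parts")
    else:
        findings += ["%s is not covered by the signature" % p for p in ("Body", "Timestamp") if p not in signed]
        if weak:
            findings.append("SHA-1 based signature algorithms: " + ", ".join(weak))
    if not encrypted:
        findings.append("nothing encrypted at message level; confidentiality relies on the transport")
    if any(a.endswith("-cbc") for a in enc_algorithms):
        findings.append("CBC-mode XML Encryption: the ciphertext has no integrity protection of its own")
    return {"signed": signed, "encrypted": encrypted, "signature_encrypted": signature_encrypted,
            "signature_algorithms": sorted(sig_algorithms), "encryption_algorithms": sorted(enc_algorithms),
            "weak_algorithms": weak, "findings": findings}


# Constructed samples modelled on the two captures (placeholder digests and ciphertext, not real data).
def envelope(security_xml, body_xml):
    return ('<s:Envelope xmlns:s="{s}" xmlns:u="{u}" xmlns:o="{o}" xmlns:a="http://www.w3.org/2005/08/addressing">'
            '<s:Header><a:Action u:Id="_2">http://example.com</a:Action><o:Security>{sec}</o:Security></s:Header>'
            '<s:Body u:Id="_1">{body}</s:Body></s:Envelope>').format(sec=security_xml, body=body_xml, **NS)


TIMESTAMP = '<u:Timestamp u:Id="ts-1"><u:Created>2015-11-03T07:28:27Z</u:Created></u:Timestamp>'
CIPHER = "<e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>"


def reference(uri):
    return '<Reference URI="#%s"><DigestMethod Algorithm="%ssha1"/><DigestValue>AAAA</DigestValue></Reference>' % (uri, XMLDSIG)


def encrypted_data(el_id, scope):
    return ('<e:EncryptedData Id="%s" Type="%s%s" xmlns:e="%s"><e:EncryptionMethod Algorithm="%saes256-cbc"/>%s'
            '</e:EncryptedData>' % (el_id, XENC, scope, XENC, XENC, CIPHER))


SIGNED_ONLY = envelope(
    TIMESTAMP + '<Signature xmlns="%s"><SignedInfo><SignatureMethod Algorithm="%srsa-sha1"/>' % (XMLDSIG, XMLDSIG)
    + reference("_1") + reference("_2") + reference("ts-1")
    + "</SignedInfo><SignatureValue>AAAA</SignatureValue></Signature>",
    "<Dummy>Sample Request</Dummy>")

SIGNED_AND_ENCRYPTED = envelope(
    TIMESTAMP + '<e:EncryptedKey Id="_0" xmlns:e="%s"><e:EncryptionMethod Algorithm="%srsa-oaep-mgf1p"/>%s'
    '<e:ReferenceList><e:DataReference URI="#_2"/><e:DataReference URI="#_7"/></e:ReferenceList>'
    '</e:EncryptedKey>' % (XENC, XENC, CIPHER) + encrypted_data("_7", "Element"),
    encrypted_data("_2", "Content"))

if __name__ == "__main__":
    for name, env in (("signed only", SIGNED_ONLY), ("signed and encrypted", SIGNED_AND_ENCRYPTED)):
        print(name, inspect_envelope(env))
```

Feed it a real capture (for example the body of a BizTalk tracked message) in place of the samples; the "dangling" markers catch references to Ids that do not exist, which is how a tampered or badly re-serialized envelope usually shows up.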


Cheers
Rohit C. M. Sharma

Monday, May 27, 2013

Message Box Viewer (MBV) 13 does not work with BizTalk 360 v6.0

From Saravana's blog post I came to know that the new Message Box Viewer 13 is now available at JPBlog. I thought of integrating it with BizTalk360 v6.0 but was not able to do so, and was getting the error below:

Could not load file or assembly 'MYHC, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040) 
File name: 'MYHC, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null'    
at Kovai.BizTalk360.MBVConsole.MBVFacade.Init(String[] args)    
at Kovai.BizTalk360.MBVConsole.Program.Main(String[] args)
in c:\B360.Main\src\v6.0\Kovai.BizTalk360\Kovai.BizTalk360.InfoTrack\Kovai.BizTalk360.MBVConsole\Program.cs:line 13    

I tried to investigate it and here are my findings:
When you extract the zip file MsgBoxViewer13.zip you get the following list of executables and files.



As the error indicates, the part of BizTalk360 that executes MBV is Kovai.BizTalk360.MBVConsole.exe, and it uses MYHC.dll. This file gets copied to the Service folder in the BizTalk360 installation directory, as shown below:



The problem is that in MBV 13 the assembly version of MYHC.dll has changed to 4.0.0.0 and the assembly is now strongly named (signed). Because the public key token is part of the assembly identity, an assembly binding redirect cannot redirect a reference to the unsigned assembly (PublicKeyToken=null) to the signed one, so there is no easy fix on the BizTalk360 side. I hope recompiling Kovai.BizTalk360.MBVConsole.exe with the updated reference in some future version will fix this issue.

Cheers
Rohit Sharma

Monday, May 13, 2013

BizTalk360: Counter for number of required host instances for healthy environment


If, like me, you have created host instances for every host on every machine in the BizTalk group (2 machines in this example) and are still wondering why the host instance count is not the number of hosts multiplied by the number of BizTalk servers (17 * 2 = 34 in the case above), this may be the answer.

- In this example there were 3 isolated hosts. BizTalk360 does not count the host instances of isolated hosts, probably because, like BizTalk itself, it cannot read the status of those external (IIS) processes. That brings the count down to 28.

That still leaves a difference of 2.

- In this example two hosts were clustered. BizTalk360 adds only 1 to the host instance count for each clustered host, since only one instance is active at a time.

So in a nutshell, this counter indicates how many host instances should be running for the environment to be considered healthy; it is not the total number of host instances.

Cheers
Rohit Sharma

Thursday, May 2, 2013

Message Box Viewer (MBV) Integration with BizTalk 360 v6.0


I was getting this error when trying to Run MBV from BizTalk 360.

MBVActivity
Leaving Execute(Kovai.BizTalk360.InfoTrack.ActivitiesImpl.MBVSvc.MBVActivityImpl).
Fatal exception in generating Message Box Viewer Reports.
System.Exception: MBVActivityImpl:GenerateReport. IsReadyForMBVExecution check failed. Error EULA for MBV Console application must be accepted 


I came across this post by Steef-Jan on the topic. The registry key below, which worked for Steef-Jan, was already present, since this machine was 64-bit as well:

[HKEY_LOCAL_MACHINE\SOFTWARE\MBVConsole\EULA]
"EULAAccepted"="YES"




Then I manually created the registry key below, as pointed out by Steef-Jan:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MBVConsole\EULA]
"EULAAccepted"="YES"




And it resolved the issue. I was able to run MBV and reports were getting generated properly.

But later I found that creating only the key below also fixes the problem:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MsgBoxViewer\EULA]
"EULAAccepted"="YES"




It seems BizTalk360 looks for either of these registry keys, so create either one to fix the problem. (Wow6432Node is where a 32-bit process sees HKEY_LOCAL_MACHINE\SOFTWARE on 64-bit Windows, which is why the key under the plain SOFTWARE path alone was not enough here.)

Cheers
Rohit Sharma

Monday, April 22, 2013

Error: Schema referenced by Map has been deleted. The local, cached version of the BizTalk Server group configuration is out of date.

One of my colleagues started getting the following error on his development machine:

Schema referenced by Map '<Namespace>.<MappName>' has been deleted. The local, cached version of the BizTalk Server group configuration is out of date. You must refresh the BizTalk Server group configuration before making further changes. (Microsoft.BizTalk.Administration.SnapIn)



The deployment script stopped working, as deploying any DLL using BTSTask.exe caused the same error:



I found that this issue had been fixed for BizTalk Server 2010 as part of KB2516201 and suggested installing Cumulative Update 1 for BizTalk Server 2010. But it turned out that installing the update did not help in this scenario.

Apart from the bugs fixed in Cumulative Update 1, this error has one more cause, and that was the case in this scenario.

You can re-produce this error by following these steps:

Step 1: Create a BizTalk project and add 2 sample schemas to it.
Step 2: Create another project, add a reference to the project from Step 1, and add a map that uses the 2 sample schemas from Step 1 as source and destination.
Step 3: Deploy the solution to BizTalk.
Step 4: Add another sample schema to the project created in Step 1.
Step 5: Update the map created in Step 2 and replace either the source or the destination schema with the new schema from Step 4.
Step 6: Deploy only the DLL of the map project.
Step 7: Try to refresh the BizTalk group in the BizTalk Server Administration Console, or use BTSTask; you will start getting this error.

So be careful with deployment scripts: deploy the assemblies containing schemas first, and if the deployment of any schema assembly fails, the script must not proceed further.

As BTSTask could no longer add or remove any resource, the entry for this map was removed from the BizTalk Management database manually with the following queries in SQL Server Management Studio. Editing BizTalkMgmtDb directly is not supported by Microsoft, so back up the database first and do this only on a development environment:

Step 1: Open the SQL management Studio and connect to the instance having BizTalkMgmtDb. Run this query:

SELECT [id] FROM [BizTalkMgmtDb].[dbo].[bts_item]
WHERE FullName = '<CopyTheNameOfTheMapFromErrorMessage>'
GO

Step 2: Get the value of id and replace it in below query:

DELETE FROM [BizTalkMgmtDb].[dbo].[bt_MapSpec] WHERE itemid = <Value of id from above query>

This deletes the map's entry from the BizTalk Management database. You can now fix the problem in your deployment script and redeploy the solution.

Cheers
Rohit Sharma

Friday, April 19, 2013

Installing 64-bit Oracle Data Access Components (ODAC) for BizTalk 2010

I didn't find any good reference on this, so I thought of documenting the steps that worked for me.

Step 1: Go to the 64-bit Oracle Data Access Components (ODAC) Downloads page and download "64-bit ODAC 11.2 Release 5 (11.2.0.3.20) Xcopy for Windows x64".


Step 2: Unzip the file downloaded in Step 1 to a folder.



Step 3: Create a folder for the Oracle client. I created C:\Oracle\ODAC_11_2_Release_5_64_Bit

Step 4: Run a command prompt as Administrator and change to the folder where the zip file was extracted in Step 2.

Step 5: Install the Oracle Instant Client and Oracle Data Provider for .NET 2 by running the following command:

install.bat odp.net2 C:\oracle\ODAC_11_2_Release_5_64_Bit OraClient11g_home1 true


Step 6: Install Oracle Data Provider for .NET 4 by running the following command:

install.bat odp.net4 C:\oracle\ODAC_11_2_Release_5_64_Bit OraClient11g_home1 false

Note: Use the same Oracle home name, OraClient11g_home1, in all the commands. The last argument tells install.bat whether to install the dependent components (the Instant Client) as well; it is true only for the first command, and false afterwards because the dependencies are already in place.


Step 7: Install Oracle Services for MTS by running the following command:

install.bat oramts C:\oracle\ODAC_11_2_Release_5_64_Bit OraClient11g_home1 false


Step 8: Add the install directory (C:\oracle\ODAC_11_2_Release_5_64_Bit) and its bin subdirectory (C:\oracle\ODAC_11_2_Release_5_64_Bit\bin) to the system environment variable PATH.

Step 9: Create the system environment variable ORACLE_HOME and set its value to C:\oracle\ODAC_11_2_Release_5_64_Bit

Step 10: Copy or create tnsnames.ora at the default location %ORACLE_HOME%\network\admin


Step 11 (optional): If you need to change the language, territory or character set of the Oracle client, change the value of the registry entry NLS_LANG under:

HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\KEY_OraClient11g_home1

Note: If you used a different Oracle home name instead of OraClient11g_home1 in the commands above, look for KEY_<OracleHome> instead.

That's all; the installation is done. In my case I was using only a 64-bit host for the WCF-Oracle adapter, but if you also need a 32-bit host you have to install the 32-bit Oracle client by following the same steps, in a different folder.

Cheers
Rohit Sharma