Tuesday, November 3, 2015

Send signed SOAP request without encrypting the header and body in BizTalk Server using WS-Security


Follow all the steps in my previous post (Send signed and encrypted SOAP request in BizTalk Server using WS-Security, further down this page), then create a custom endpoint behavior extension that disables encryption while keeping the signature, using the following code in its AddBindingParameters method.

 
You can get the complete code for the behavior from this link.

Build the downloaded solution and install the DLL into the GAC (for example with gacutil /i) on every BizTalk server that runs the send host.

Register the extension in machine.config for both the 64-bit and the 32-bit .NET Framework (a host instance can run as either) by adding the following entry under system.serviceModel/extensions/behaviorExtensions. The PublicKeyToken must match the key you signed the assembly with:

<behaviorExtensions>
<add name="SignSoapRequestBehavior" type="WCF.Behavior.SignSoapRequest.SignSoapRequestBehaviorExtensionElement, WCF.Behavior.SignSoapRequest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ba7175b2b6205a29" />
...

Add this behavior to the send port (Behavior tab of the WCF-Custom transport properties, as an endpoint behavior).
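The AddBindingParameters code that the post refers to is not reproduced above. The following is an added example, not the author's downloadable solution: an endpoint behavior that replaces the contract-derived protection requirements with a sign-only specification, plus the BehaviorExtensionElement that the machine.config entry above registers. The class name SignSoapRequestBehavior is assumed (the page only shows the extension element type); the code also assumes that, as in stock WCF, the ChannelProtectionRequirements derived from the contract are already in the collection when user endpoint behaviors run and that the WCF-Custom adapter does not add its own afterwards.

```csharp
// Added example, not the code from the post. Sign-only WS-Security behavior
// for a WCF-Custom send port; class name SignSoapRequestBehavior is assumed.
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;

namespace WCF.Behavior.SignSoapRequest
{
    public class SignSoapRequestBehavior : IEndpointBehavior
    {
        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
        {
            // WCF seeds the collection with the contract-derived requirements
            // (EncryptAndSign for the body) before user behaviors run. Drop them
            // and supply a sign-only specification instead. Assumption: the
            // adapter does not re-add its own requirements after this point.
            if (bindingParameters.Find<ChannelProtectionRequirements>() != null)
            {
                bindingParameters.Remove<ChannelProtectionRequirements>();
            }

            var signOnly = new ChannelProtectionRequirements();

            // Channel-scoped parts apply to every action. The body is signed in
            // both directions; the encryption part lists are left empty, so
            // nothing is encrypted. The security binding element still adds the
            // addressing headers and the Timestamp to the signature, which is
            // why the captured request shows six Reference elements.
            signOnly.OutgoingSignatureParts.AddParts(new MessagePartSpecification(true));
            signOnly.IncomingSignatureParts.AddParts(new MessagePartSpecification(true));

            bindingParameters.Add(signOnly);
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }

        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }

        public void Validate(ServiceEndpoint endpoint) { }
    }

    // The type referenced from machine.config; it has no configurable properties.
    public class SignSoapRequestBehaviorExtensionElement : BehaviorExtensionElement
    {
        public override Type BehaviorType
        {
            get { return typeof(SignSoapRequestBehavior); }
        }

        protected override object CreateBehavior()
        {
            return new SignSoapRequestBehavior();
        }
    }
}
```

Sign the assembly with a strong name before building, otherwise it cannot be installed into the GAC and the PublicKeyToken in the machine.config entry will not resolve.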

BizTalk now produces a SOAP request in which the Body and the addressing headers are signed but nothing is encrypted (for clarity the certificate and signature values have been truncated in this output). The six Reference elements cover the Body (_1), Action, MessageID, ReplyTo, To and the Timestamp, while the body text (<Dummy>Sample Request</Dummy>) travels in the clear, so use httpsTransport if the payload is confidential. The rsa-sha1 signature and sha1 digests come from the default algorithm suite (Basic256); set defaultAlgorithmSuite on the security element to Basic256Sha256 if the service accepts SHA-256.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1" u:Id="_2">http://example.com</a:Action>
  <a:MessageID u:Id="_3">urn:uuid:78e28d0b-4944-48f7-86e1-16deef77cfdd</a:MessageID>
  <a:ReplyTo u:Id="_4">
   <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
  </a:ReplyTo>
  <a:To s:mustUnderstand="1" u:Id="_5">http://localhost:6600/BradyContractService/ReceiveContract.svc</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="uuid-9a964984-1374-485c-97bc-bdb76408d981-1">
    <u:Created>2015-11-03T07:28:27.508Z</u:Created>
    <u:Expires>2015-11-03T07:33:27.508Z</u:Expires>
   </u:Timestamp>
   <o:BinarySecurityToken u:Id="uuid-c2fe0a8f-ca9f-41c7-8f4b-6357ebdc5a09-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDuTCCAqG...mNi0</o:BinarySecurityToken>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="#_1">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>ee6Ma40RghCCEzDnDA4VZNJynBM=</DigestValue>
     </Reference>
     <Reference URI="#_2">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>0TSzFgakSshEA4QJJOFiDguAmaA=</DigestValue>
     </Reference>
     <Reference URI="#_3">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>iDbgU1OHYaUGdFWCXjmuzgSAqlE=</DigestValue>
     </Reference>
     <Reference URI="#_4">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>l6mMmQ2LE9VFtjaA6Qc4GKBXURw=</DigestValue>
     </Reference>
     <Reference URI="#_5">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>QhNTDZm5G+hGSpv/fkTQ0sHlFSE=</DigestValue>
     </Reference>
     <Reference URI="#uuid-9a964984-1374-485c-97bc-bdb76408d981-1">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>WzEWN6/iE6FnafJg4G9se5dB7yE=</DigestValue>
     </Reference>
    </SignedInfo>
    <SignatureValue>jRu...kWSjsJWA70vc/lRw==</SignatureValue>
    <KeyInfo>
     <o:SecurityTokenReference>
      <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-c2fe0a8f-ca9f-41c7-8f4b-6357ebdc5a09-2"/>
     </o:SecurityTokenReference>
    </KeyInfo>
   </Signature>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1">
  <Dummy>Sample Request</Dummy>
 </s:Body>
</s:Envelope>

Cheers
Rohit C. M. Sharma

Send signed and encrypted SOAP request in BizTalk Server using WS-Security


To send a signed and encrypted SOAP request to a web service from BizTalk Server, follow these steps:

Step 1: Create a send port (One-Way or Solicit-Response as required) and select WCF-Custom as the transport type.

Step 2: Select customBinding as the Binding Type. By default customBinding contains textMessageEncoding and httpTransport; change these as needed (for example httpsTransport).

Step 3: Add the security binding extension element to the custom binding. The order of the elements matters: security must come first, then textMessageEncoding, then httpTransport, because WCF requires the security element above the message encoder and the transport in the binding stack.

Step 4: Configure the security binding element as follows:

Step 4.1: Set allowInsecureTransport to True only if you are using httpTransport; leave it False with httpsTransport. Over plain HTTP the WS-Security layer still signs and encrypts the body, but the addressing headers and the client's certificate travel in the clear, so prefer httpsTransport outside a lab.

Step 4.2: Set authenticationMode to MutualCertificate. The client signs with its own certificate and encrypts to the service certificate, so the service must hold the matching private key and must trust the client certificate.

Step 4.3: Set messageSecurityVersion to WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 (WS-Security 1.0 with the X.509 token profile, which is what the wsse/wsu namespaces in the output below correspond to).

Step 5: Add the clientCredentials behavior in the Behavior tab.

Step 5.1: Configure ClientCertificate with the certificate whose private key will sign the request (and decrypt the response), and ServiceCertificate/DefaultCertificate with the service's public certificate used to encrypt the request. The BizTalk host instance account needs read access to the client certificate's private key, and ServiceCertificate/Authentication should keep certificateValidationMode at ChainTrust or PeerTrust rather than None.
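The same configuration expressed as a stand-alone WCF client, which is handy for reproducing the envelope outside BizTalk before wiring up the send port. This is an added example, not code from the post: the service URL, both certificate thumbprints and the store holding the service certificate (LocalMachine\TrustedPeople) are assumed placeholders, and the algorithm suite is switched from the default Basic256 to Basic256Sha256 as an improvement over the captured output.

```csharp
// Added example, not from the post: the WCF equivalent of Steps 1-5.
// URL, thumbprints and the service-certificate store are assumptions.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;

static class SignedEncryptedClient
{
    // Steps 2-4: customBinding = security, then textMessageEncoding, then transport.
    public static CustomBinding CreateBinding(bool useHttps)
    {
        // Steps 4.2 and 4.3: MutualCertificate with WS-Security 1.0 / X.509 token
        // profile. For WS-Security 1.0 this factory returns the asymmetric element.
        var security = (AsymmetricSecurityBindingElement)
            SecurityBindingElement.CreateMutualCertificateBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

        // Step 4.1: allowInsecureTransport only when the transport is plain HTTP.
        security.AllowInsecureTransport = !useHttps;

        // Basic256 (the default) is what produced rsa-sha1/sha1 in the captured
        // envelopes; Basic256Sha256 keeps AES-256 but moves digests to SHA-256.
        security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;

        // Default order: sign, encrypt the body, then encrypt the signature, which
        // is why the Signature appears as EncryptedData inside wsse:Security.
        security.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature;

        var encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap12WSAddressing10, Encoding.UTF8);
        TransportBindingElement transport = useHttps
            ? (TransportBindingElement)new HttpsTransportBindingElement()
            : new HttpTransportBindingElement();
        return new CustomBinding(security, encoding, transport);
    }

    // Steps 5 and 5.1: the clientCredentials behavior settings.
    public static ChannelFactory<IRequestChannel> CreateFactory(string url, string clientThumbprint, string serviceThumbprint)
    {
        var factory = new ChannelFactory<IRequestChannel>(CreateBinding(url.StartsWith("https://")), new EndpointAddress(url));

        // ClientCertificate: our certificate; its private key signs the request and
        // decrypts the response, so the process account needs read access to it.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);

        // ServiceCertificate/DefaultCertificate: the service's public certificate,
        // used to encrypt the request. Validate it rather than leaving mode None.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindByThumbprint, serviceThumbprint);
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        return factory;
    }

    static void Main()
    {
        ChannelFactory<IRequestChannel> factory = CreateFactory(
            "https://localhost:6600/DummyService/DummyService.svc",   // assumed address
            "CLIENT-CERT-THUMBPRINT", "SERVICE-CERT-THUMBPRINT");      // assumed thumbprints

        IRequestChannel channel = factory.CreateChannel();
        channel.Open();
        // Same body as the captured request; the channel stack adds the Timestamp,
        // BinarySecurityToken, Signature and EncryptedKey on the way out.
        using (XmlReader body = XmlReader.Create(new StringReader("<Dummy>Sample Request</Dummy>")))
        {
            Message request = Message.CreateMessage(MessageVersion.Soap12WSAddressing10, "http://example.com", body);
            Message reply = channel.Request(request);
            Console.WriteLine(reply);
            reply.Close();
        }
        channel.Close();
        factory.Close();
    }
}
```

To see the secured envelope on the wire, enable WCF message logging at the transport level (messageLogging with logMessagesAtTransportLevel) or capture with a proxy; a client message inspector only sees the plaintext message before the security channel acts on it.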
 
 
BizTalk produces the SOAP envelope below, signed and encrypted (for clarity most of the encrypted content has been skipped from this output). Note what is and is not hidden: the EncryptedKey wraps the AES-256 content key with RSA-OAEP under the service certificate (referenced by its SubjectKeyIdentifier) and points at two EncryptedData blocks, _2 (the Body content) and _7 inside the Security header, which is the Signature itself, encrypted because the default messageProtectionOrder is SignBeforeEncryptAndEncryptSignature. The addressing headers remain readable; their u:Id attributes show they are referenced by the (hidden) signature, as in the unencrypted example in the post above.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1" u:Id="_3"/>
  <a:MessageID u:Id="_4">urn:uuid:6ebdf6f8-b9fd-4fbd-8029-a7d2dd37c2d4</a:MessageID>
  <a:ReplyTo u:Id="_5">
   <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
  </a:ReplyTo>
  <a:To s:mustUnderstand="1" u:Id="_6">http://localhost:6600/DummyService/DummyService.svc</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="uuid-8bfab354-dd65-4ad2-9bc0-276979f19440-1">
    <u:Created>2015-11-03T06:46:38.270Z</u:Created>
    <u:Expires>2015-11-03T06:51:38.270Z</u:Expires>
   </u:Timestamp>
   <o:BinarySecurityToken u:Id="uuid-c6a8190f-5f53-40a0-980d-7b7ee55eb01a-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDuTCCAqGgAwIBAgIQBbX...</o:BinarySecurityToken>
   <e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
    </e:EncryptionMethod>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">fOepp/dW66vQ0heuTt2ETjlMRAM=</o:KeyIdentifier>
     </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
     <e:CipherValue>oDZc/9rKTiVjeildC...J6iaPsYg==</e:CipherValue>
    </e:CipherData>
    <e:ReferenceList>
     <e:DataReference URI="#_2"/>
     <e:DataReference URI="#_7"/>
    </e:ReferenceList>
   </e:EncryptedKey>
   <e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <e:CipherData>
     <e:CipherValue>jZnJpp1vi2Jl/gpLfLF+bIj...r0BkGUUHeVQ==</e:CipherValue>
    </e:CipherData>
   </e:EncryptedData>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1">
  <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
   <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <e:CipherData>
    <e:CipherValue>y0QXU2uwNr...zOvFM=</e:CipherValue>
   </e:CipherData>
  </e:EncryptedData>
 </s:Body>
</s:Envelope>
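Both captured envelopes on this page (the sign-only one in the post above and the signed-and-encrypted one just shown) are what you inspect to confirm the port did what was intended. The following is an added example, not part of either post: a small check over a captured envelope that reports which wsu:Id-bearing elements the signature references, whether the Body and the Timestamp are among them, whether SHA-1 is still in use, and whether the Body content and the Signature itself are encrypted (the case above, where the references cannot be read without the private key). The embedded envelope is a constructed, trimmed copy of the sign-only sample; its digest and signature values are placeholders.

```csharp
// Added example, not from the posts: coverage check for a captured WS-Security envelope.
using System;
using System.Collections.Generic;
using System.Xml;

static class WsSecurityCoverage
{
    const string Soap = "http://www.w3.org/2003/05/soap-envelope";
    const string Ds   = "http://www.w3.org/2000/09/xmldsig#";
    const string Enc  = "http://www.w3.org/2001/04/xmlenc#";
    const string Wsu  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // One finding per entry; entries starting with "WARN" need attention.
    public static List<string> Report(string envelopeXml)
    {
        var findings = new List<string>();
        var doc = new XmlDocument();
        doc.LoadXml(envelopeXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("s", Soap); ns.AddNamespace("ds", Ds); ns.AddNamespace("e", Enc);
        ns.AddNamespace("u", Wsu); ns.AddNamespace("o", Wsse);

        XmlNode security = doc.SelectSingleNode("/s:Envelope/s:Header/o:Security", ns);
        if (security == null) { findings.Add("WARN no wsse:Security header"); return findings; }

        // Encryption: is the Body content hidden, and what does the EncryptedKey cover?
        bool bodyEncrypted = doc.SelectSingleNode("/s:Envelope/s:Body/e:EncryptedData", ns) != null;
        findings.Add(bodyEncrypted ? "Body content encrypted" : "WARN Body sent in clear (sign-only; rely on TLS for confidentiality)");
        foreach (XmlNode dataRef in security.SelectNodes("e:EncryptedKey/e:ReferenceList/e:DataReference/@URI", ns))
            findings.Add("EncryptedKey covers " + dataRef.Value);

        // Signature: with SignBeforeEncryptAndEncryptSignature the Signature is itself
        // an EncryptedData inside wsse:Security and its references cannot be read.
        XmlNode signedInfo = security.SelectSingleNode("ds:Signature/ds:SignedInfo", ns);
        if (signedInfo == null)
        {
            findings.Add(security.SelectSingleNode("e:EncryptedData", ns) != null
                ? "Signature present but encrypted; decrypt with the recipient key to inspect its references"
                : "WARN no signature");
            return findings;
        }
        XmlNode sigMethod = signedInfo.SelectSingleNode("ds:SignatureMethod/@Algorithm", ns);
        if (sigMethod != null && sigMethod.Value.EndsWith("sha1"))
            findings.Add("WARN SHA-1 signature (" + sigMethod.Value + "); set defaultAlgorithmSuite to Basic256Sha256");

        var signedIds = new HashSet<string>();
        foreach (XmlNode uri in signedInfo.SelectNodes("ds:Reference/@URI", ns))
        {
            string id = uri.Value.TrimStart('#');
            // Ids are untrusted input; do not let them break out of the XPath literal.
            if (id.IndexOf('\'') >= 0) { findings.Add("WARN suspicious Reference " + uri.Value); continue; }
            XmlNode target = doc.SelectSingleNode("//*[@u:Id='" + id + "']", ns);
            findings.Add(target == null ? "WARN dangling Reference " + uri.Value : "Signed: " + target.Name);
            signedIds.Add(id);
        }
        XmlNode body = doc.SelectSingleNode("/s:Envelope/s:Body", ns);
        XmlNode stamp = security.SelectSingleNode("u:Timestamp", ns);
        if (body == null || !signedIds.Contains(IdOf(body))) findings.Add("WARN Body not covered by signature");
        if (stamp == null || !signedIds.Contains(IdOf(stamp))) findings.Add("WARN Timestamp missing or unsigned (replay window unprotected)");
        return findings;
    }

    static string IdOf(XmlNode node)
    {
        XmlAttribute attr = node.Attributes["Id", Wsu];
        return attr == null ? "" : attr.Value;
    }

    // Constructed sample: the sign-only envelope from the post above, trimmed to
    // Action, To, Timestamp and Body; SignatureValue is a placeholder.
    const string SignedOnly = @"<s:Envelope xmlns:s=""http://www.w3.org/2003/05/soap-envelope"" xmlns:a=""http://www.w3.org/2005/08/addressing"" xmlns:u=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"">
 <s:Header>
  <a:Action s:mustUnderstand=""1"" u:Id=""_2"">http://example.com</a:Action>
  <a:To s:mustUnderstand=""1"" u:Id=""_5"">http://localhost:6600/BradyContractService/ReceiveContract.svc</a:To>
  <o:Security s:mustUnderstand=""1"" xmlns:o=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"">
   <u:Timestamp u:Id=""uuid-9a964984-1374-485c-97bc-bdb76408d981-1""><u:Created>2015-11-03T07:28:27.508Z</u:Created><u:Expires>2015-11-03T07:33:27.508Z</u:Expires></u:Timestamp>
   <Signature xmlns=""http://www.w3.org/2000/09/xmldsig#"">
    <SignedInfo>
     <CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#""/>
     <SignatureMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#rsa-sha1""/>
     <Reference URI=""#_1""><DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1""/><DigestValue>ee6Ma40RghCCEzDnDA4VZNJynBM=</DigestValue></Reference>
     <Reference URI=""#_2""><DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1""/><DigestValue>0TSzFgakSshEA4QJJOFiDguAmaA=</DigestValue></Reference>
     <Reference URI=""#_5""><DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1""/><DigestValue>QhNTDZm5G+hGSpv/fkTQ0sHlFSE=</DigestValue></Reference>
     <Reference URI=""#uuid-9a964984-1374-485c-97bc-bdb76408d981-1""><DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1""/><DigestValue>WzEWN6/iE6FnafJg4G9se5dB7yE=</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>placeholder</SignatureValue>
   </Signature>
  </o:Security>
 </s:Header>
 <s:Body u:Id=""_1""><Dummy>Sample Request</Dummy></s:Body>
</s:Envelope>";

    static void Main()
    {
        foreach (string line in Report(SignedOnly)) Console.WriteLine(line);
    }
}
```

This only checks coverage, not validity: verifying the digests and the RSA signature against the BinarySecurityToken needs a SignedXml subclass that resolves wsu:Id references, and verifying trust in that certificate is a separate step.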


Cheers
Rohit C. M. Sharma