Tuesday, November 3, 2015

Send signed and encrypted SOAP request in BizTalk Server using WS-Security


To send a signed and encrypted SOAP request to a web service from BizTalk Server, follow these steps:

Step 1: Create a send port (One-Way or Solicit-Response, as required) and select WCF-Custom as the transport type.

Step 2: Select customBinding as the Binding Type. By default, customBinding contains textMessageEncoding and httpTransport; change these as needed.

Step 3: Add the security binding extension element to the custom binding. Make sure the order of the elements is as shown below:

Step 4: Configure the security binding element as shown below:

Step 4.1: Set allowInsecureTransport to True if you are using httpTransport; leave it as False if you are using httpsTransport.

Step 4.2: Set authenticationMode to MutualCertificate.

Step 4.3: Set messageSecurityVersion to WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10

Step 5: Add the clientCredentials behavior in the Behavior tab.

Step 5.1: Configure the ClientCertificate (the certificate whose private key is used for signing) and ServiceCertificate/DefaultCertificate (the service's public key certificate, used for encryption).
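The customBinding and endpoint behavior from Steps 2 to 5.1, written out as the equivalent WCF app.config fragment. This is an added illustration, not taken from the original post or from the BizTalk adapter UI; the binding and behavior names and the certificate thumbprints are placeholders. The security element must come first, the encoding element next and the transport element last:

```xml
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- Steps 2-3: binding elements are listed from the top of the channel stack down,
           so security sits above textMessageEncoding and httpTransport comes last. -->
      <binding name="signedEncryptedBinding">
        <!-- Step 4: MutualCertificate signs and encrypts with X.509 certificates on both sides.
             allowInsecureTransport="true" is only required because the transport is plain http;
             leave it at the default (false) when using httpsTransport. -->
        <security authenticationMode="MutualCertificate"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                  allowInsecureTransport="true" />
        <!-- Soap12WSAddressing10 (the WCF default) matches the SOAP 1.2 and WS-Addressing 1.0
             namespaces seen in the envelope produced by BizTalk. -->
        <textMessageEncoding messageVersion="Soap12WSAddressing10" />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <!-- Step 5: the clientCredentials behavior supplies both certificates. -->
      <behavior name="mutualCertBehavior">
        <clientCredentials>
          <!-- Step 5.1: our own certificate; its private key signs the message, so the key must be
               accessible to the BizTalk host instance account. Thumbprint is a placeholder. -->
          <clientCertificate findValue="PLACEHOLDER_CLIENT_CERT_THUMBPRINT"
                             storeLocation="LocalMachine" storeName="My"
                             x509FindType="FindByThumbprint" />
          <!-- Step 5.1: the service's public certificate; it encrypts the symmetric key that appears
               as the EncryptedKey element in the outgoing envelope. Thumbprint is a placeholder. -->
          <serviceCertificate>
            <defaultCertificate findValue="PLACEHOLDER_SERVICE_CERT_THUMBPRINT"
                                storeLocation="LocalMachine" storeName="AddressBook"
                                x509FindType="FindByThumbprint" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

In the WCF-Custom send port the same settings are entered through the Binding and Behavior tabs rather than an app.config file, but the element names, attribute names and ordering are identical.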
 
 
BizTalk will produce a SOAP envelope with both the header and the body signed and encrypted, as shown below (for clarity, most of the encrypted content has been elided from this output):

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1" u:Id="_3"/>
  <a:MessageID u:Id="_4">urn:uuid:6ebdf6f8-b9fd-4fbd-8029-a7d2dd37c2d4</a:MessageID>
  <a:ReplyTo u:Id="_5">
   <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
  </a:ReplyTo>
  <a:To s:mustUnderstand="1" u:Id="_6">http://localhost:6600/DummyService/DummyService.svc</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="uuid-8bfab354-dd65-4ad2-9bc0-276979f19440-1">
    <u:Created>2015-11-03T06:46:38.270Z</u:Created>
    <u:Expires>2015-11-03T06:51:38.270Z</u:Expires>
   </u:Timestamp>
   <o:BinarySecurityToken u:Id="uuid-c6a8190f-5f53-40a0-980d-7b7ee55eb01a-3" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDuTCCAqGgAwIBAgIQBbX...</o:BinarySecurityToken>
   <e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
    </e:EncryptionMethod>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">fOepp/dW66vQ0heuTt2ETjlMRAM=</o:KeyIdentifier>
     </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
     <e:CipherValue>oDZc/9rKTiVjeildC...J6iaPsYg==</e:CipherValue>
    </e:CipherData>
    <e:ReferenceList>
     <e:DataReference URI="#_2"/>
     <e:DataReference URI="#_7"/>
    </e:ReferenceList>
   </e:EncryptedKey>
   <e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <e:CipherData>
     <e:CipherValue>jZnJpp1vi2Jl/gpLfLF+bIj...r0BkGUUHeVQ==</e:CipherValue>
    </e:CipherData>
   </e:EncryptedData>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1">
  <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
   <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <e:CipherData>
    <e:CipherValue>y0QXU2uwNr...zOvFM=</e:CipherValue>
   </e:CipherData>
  </e:EncryptedData>
 </s:Body>
</s:Envelope>


Cheers
Rohit C. M. Sharma

3 comments:

siffnn said...

Nice Article,

Tom said...

Nice article

Anonymous said...

Rohit, nice article. I'm doing something similar, but I need to sign the first child of the SOAP body and a couple of sections in the SOAP header: Timestamp and Business Header (a custom SOAP header).

I did everything as per this article, and as in your SOAP envelope example, the SOAP body and all SOAP headers are getting signed.
Is there any way to sign the SOAP envelope selectively? My requirement is to sign the first child of the SOAP body, the Timestamp and the business header.

Thanks,
