Experience organising BizTalk Summit 2014, Australia

For a while we were planning to do an event in Australia, but the magnitude of arranging something on the other side of the planet was daunting and we couldn’t pursue it for a long time. It all changed when Dean Robertson from Mexia consulting attended our popular BizTalk Summit London event this year and […]

The post Experience organising BizTalk Summit 2014, Australia appeared first on BizTalk360 Blog.

Blog Post by: Saravana Kumar

ESB Toolkit Tip #19 Use the ESB Portal in BizTalk360 to manage ESB Exceptions

When a transformation or routing process fails, the ESB creates an exception message and submits it through a direct-bound port to the Message Box database. The ESB also implements a send port named ALL.Exceptions that subscribes to and retrieves exception messages and publishes them to the ESB Management Portal.
The ESB Management Portal that ships with the ESB Toolkit is a sample website and is not really intended for production environments. Installation can also be quite difficult, because the sample depends on many other components that must be installed first and there is not much documentation about it. Because of these installation difficulties, quite a few blog posts have been written on how to install the Portal, and there are also many questions about it in the BizTalk ESB Toolkit forum.
Another option is to access the ESB exception data directly via BizTalk360. In that case you only have to do one simple configuration in the BizTalk360 settings, and you avoid using different portals and tools to access your data: BizTalk360 consolidates everything in one place, making you more productive.
 

BizTalk360 Settings

You first have to configure the ESB Portal Settings in BizTalk360 before you can use the ESB Portal.
 
Click on the Settings icon to go to the BizTalk360 Settings.
BizTalk360 Settings
 
Click in the Menu on “ESB Portal Settings” to configure the ESB Exception database connection string.
ESB Portal Settings

 

Using the ESB Portal

Click in the Menu on “ESB Exceptions” to go to the ESB Exception Management.
ESB Exception Management - Overview
 
Select an Exception and click on the properties button in order to see detailed information.
ESB Exception Management - Fault Viewer

 

Conclusion

The ESB Portal in BizTalk360 works very well: almost no configuration, the navigation is clear, it’s fast and the design is pretty. It would be nice if you could also edit and resubmit the fault message, but the company stated that they are bringing a lot of new features as part of a future release, like Edit, Resubmit, Bulk Resubmit and more!

You can download it here:
BizTalk360 Free Trial

BizTalk Server 2013: Step-by-Step to implement Unit Testing in Schemas and Maps

To implement BizTalk Server 2013 unit test within Visual Studio 2012 to test Schemas and Map we need to: Open your BizTalk Project in Visual Studio.NET 2012, in this sample: “UnitTestingFeatureWithMaps.sln” In Solution Explorer, right-click in the BizTalk Server project, in this sample “UnitTestingFeatureWithMaps”, and then click Properties. In Project Designer, click the Deployment property […]
Blog Post by: Sandro Pereira

Getting digital certificates right in BizTalk using a third party root certificate in combination with client certificate security and WCF BasicHttp

Digital certificates and asymmetric security are notoriously hard to get right in a Windows environment. Getting it right in a BizTalk context isn’t exactly easier.

In this scenario a BizTalk Server acts as a client and communicates with a service over HTTPS. The service also uses a client certificate for client authentication.


Long story short

Third-party root certificates always need to be placed under “Third-Party Root Certification Authorities” or directly under the “Trusted Root Certification Authorities” folder on the Local Machine level in Windows. However, when the “WCF-BasicHttp” adapter is also configured to use client certificate authorization, the BizTalk Administration console requires the thumbprint id of a specific server certificate (in addition to the client certificate thumbprint). This makes the runtime also look for the public certificate under the “Trusted People” folder and causes an error if we don’t also place it in that folder.

In the end this requires us to add the public root certificate in two different places.

Server certificate

Let’s start by getting the server certificate right.

After configuring everything in BizTalk using a standard WCF-BasicHttp port and selecting Transport security I encountered the following error message.

A message sent to adapter “WCF-BasicHttp” on send port “SP1” with URI “https://skattjakt.cloudapp.net/Service1.svc” is suspended.

Error details: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'skattjakt.cloudapp.net'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The error message is pretty straightforward: Could not establish trust relationship for the SSL/TLS secure channel with authority.

The first thing that happens when trying to establish an SSL channel is that a public server certificate is sent down to the client for the client to use when encrypting further messages to the server. This certificate is validated: that it hasn’t been revoked, that its Valid to date hasn’t passed, that the Issued to name actually matches the service’s domain, and so on.

But to be able to trust the information in the certificate it needs to be issued by someone we trust, a certificate authority (CA).

If we take an example of a request to Google we actually don’t trust the information in the Google server certificate, neither do we trust the intermediate certificate they use to sign their public server certificate. The root certificate that issued the intermediary Google Certificate is however one of the preinstalled trusted certificate authorities in Windows.


Which authorities and certificates to trust is, in Windows, based on what certificates exist in the Certificate Store under the Trusted Root Certificate Authorities folder.


In our case the service didn’t use a certificate from one of the trusted authorities but had based their certificate on a root certificate they created themselves.


Further, the Certificate Manager in Windows has three different levels: “Local Machine”, “Service” and “Current User”. The top level is “Local Machine”, and certificates added on this level are available for all users. “Service” and “Current User” are more specific and only available for specific services and users. From a BizTalk perspective it’s important to place the certificate so it’s accessible for the user running the BizTalk host instance.

So after requesting the used root certificate and placing it in the trusted authorities folder for the Local Machine we’re able to successfully establish an SSL session!

Client certificate

As the server however required a client certificate for authorization I reconfigured the send port to use Certificate as client credential type.

The BizTalk Administration Console then requires one to enter the thumbprint of the private client certificate to use. When browsing to pick the client certificate, the console looks for certificates in the “Personal” folder on the “Current User” level. So for the certificate to show up, one has to add the client certificate to the “Personal” folder while running as the user that will eventually hit the browse button in the console. Adding it only to the “Personal” folder of “Local Machine” will not make it show up in the console. As the “Current User” level is also separate for each user, it’s very important to add it to the “Personal” folder of the user that will eventually run the BizTalk process, as this user otherwise won’t find the certificate at runtime. In this case just pasting the thumbprint id from the certificate will work fine.

When selecting the Certificate client credential type, the BizTalk Administration console also requires one to pick what public server certificate to use – even though we still just want to use the same root certificate as just added to the trusted store on machine level ..? When locating server certificates to display, the console looks in the “Other People” folder on the “Local Computer” level. So to make our root certificate show up in the console we also have to add it to this folder. It turns out, however, that with a specific server certificate pinpointed, the BizTalk runtime will throw an error if the server certificate is not placed in the “Other People” folder. Likewise, an error will be thrown if the certificate is placed only in one of the trusted authorities folders.

A message sent to adapter “WCF-BasicHttp” on send port “SP1” with URI “https://skattjakt.cloudapp.net:444/Service42.svc” is suspended.
Error details: System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'AddressBook', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue '70A9899E6CF89B014E6195ADE6E1BA12BEA58728'.

So in this case we need to add the public CA certificate in two different places for the communication to work.

Frankly I don’t see the point of having to point out a server certificate at all in this case – all I want is to configure what client certificate to use for authorization and the runtime to validate the server certificate against all CA I have in the trusted folders.
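
A pre-flight check for the placement described above, as an added example that is not part of the original post: it repeats the runtime's FindByThumbprint lookup against each store the article names (AddressBook is the store the console shows as “Other People”, My is “Personal”). The function names are hypothetical, and it assumes, as in the article's scenario, that the certificate pinned on the send port is the third-party root itself.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
# Run as the BizTalk host instance account: CurrentUser\My is a per-user store.
function Find-CertByThumbprint {
    param(
        [string]$StoreName,   # Root, AuthRoot, AddressBook ("Other People"), My ("Personal")
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [string]$Thumbprint
    )
    # Drop spaces and invisible characters that can come along when copying a thumbprint.
    $tp = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly')
        # Same search as in the error text; validOnly = $false so only presence is reported.
        $hits = $store.Certificates.Find('FindByThumbprint', $tp, $false)
        if ($hits.Count -gt 0) { return $hits[0] }
    } catch {
        # Store missing or unreadable for this account: treated as "not found".
    } finally {
        $store.Close()
    }
    return $null
}

function Test-SendPortCertPlacement {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceCertThumbprint,  # certificate pinned on the send port
        [Parameter(Mandatory=$true)][string]$ClientCertThumbprint    # client certificate with private key
    )
    $trusted = (Find-CertByThumbprint Root LocalMachine $ServiceCertThumbprint) -or
               (Find-CertByThumbprint AuthRoot LocalMachine $ServiceCertThumbprint)
    $pinned  = Find-CertByThumbprint AddressBook LocalMachine $ServiceCertThumbprint
    $client  = Find-CertByThumbprint My CurrentUser $ClientCertThumbprint

    [pscustomobject]@{ Check = 'Root trusted for TLS'
                       Store = 'LocalMachine\Root or AuthRoot'; Ok = [bool]$trusted }
    [pscustomobject]@{ Check = 'Pinned service certificate found by runtime'
                       Store = 'LocalMachine\AddressBook';      Ok = [bool]$pinned }
    [pscustomobject]@{ Check = 'Client certificate with private key'
                       Store = 'CurrentUser\My';                Ok = [bool]($client -and $client.HasPrivateKey) }
}

# Example call: the first thumbprint is the one quoted in the error above,
# the second is a placeholder for your own client certificate.
# Test-SendPortCertPlacement -ServiceCertThumbprint '70A9899E6CF89B014E6195ADE6E1BA12BEA58728' `
#     -ClientCertThumbprint '<client-cert-thumbprint>'
```

A False on the second row corresponds to the “Cannot find the X.509 certificate” suspension shown above; a False on the first row corresponds to the earlier trust-relationship error.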

BizTalk Innovation Day Norway 2014 | September 25, 2014 – Oslo, Norway

Great news for the BizTalk community: for the third time the BizTalkCrew (Steef-Jan Wiggers, Tord Glad Nordahl, Nino Crudele, Saravana Kumar and me) are hosting the BizTalk Innovation Day, a one-day event focused purely on Microsoft BizTalk Server/BizTalk Services and related topics, in Norway! The two previous BizTalk Innovation Day editions in Norway were carried […]
Blog Post by: Sandro Pereira