For a while we were planning to do an event in Australia, but the magnitude of arranging something on the other side of the planet was daunting and we couldn’t persuade it for a long time. It all changed when Dean Robertson from Mexia consulting attended our popular BizTalk Summit London event this year and […]
The post Experience organising BizTalk Summit 2014, Australia appeared first on BizTalk360 Blog.
Blog Post by: Saravana Kumar
In my last post I explained how to implement Unit Testing of Schemas and Maps in a BizTalk Server 2013 project within Visual Studio 2012. I also described that there is an issue when we try to perform Unit Testing on maps: each time we try to run the unit test it gives us the […]
Blog Post by: Sandro Pereira
When a transformation or routing process fails, the ESB creates an exception message and submits it through a direct-bound port to the Message Box database. The ESB also implements a send port named ALL.Exceptions that subscribes to and retrieves exception messages and publishes them to the ESB Management Portal.
The ESB Management Portal that ships with the ESB Toolkit is a sample website and is not really intended for production environments. Installation can also be quite difficult because the sample depends on many other components that must be installed first before the ESB Management Portal can be installed and there is not much documentation about it. Because of the installation difficulties there are quite some blogs created on how to install the Portal and there are also many questions about it in the BizTalk ESB Toolkit forum.
Another option is to access the ESB exception data directly via BizTalk360. In that case you only have to do one simple configuration in the BizTalk360 settings and you can avoid using different portals and tools to access your data, BizTalk360 consolidates everything in one place, making you productive.
You first have to configure the ESB Portal Settings in BizTalk360 before you can use the ESB Portal.
Click on the Settings icon to go to the BizTalk360 Settings.
Click in the Menu on “ESB Portal Settings” to configure the ESB Exception database connection string.
Using the ESB Portal
Click in the Menu on “ESB Exceptions” to go to the ESB Exception Management.
Select an Exception and click on the properties button in order to see detailed information.
The ESB Portal in BizTalk360 works very well: almost no configuration, the navigation is clear, it’s fast and the design is pretty. It would be nice if you could also edit and resubmit the fault message, but the company has stated that they are bringing a lot of new features as part of a future release, like Edit, Resubmit, Bulk Resubmit and more!
You can download it here:
BizTalk360 Free Trial
To implement BizTalk Server 2013 unit tests within Visual Studio 2012 to test Schemas and Maps we need to: open your BizTalk project in Visual Studio .NET 2012, in this sample “UnitTestingFeatureWithMaps.sln”; in Solution Explorer, right-click the BizTalk Server project, in this sample “UnitTestingFeatureWithMaps”, and then click Properties; in Project Designer, click the Deployment property […]
Blog Post by: Sandro Pereira
Digital certificates and asymmetric security are notoriously hard to get right in a Windows environment. Getting it right in a BizTalk context isn’t exactly easier.
In this scenario a BizTalk Server acts as a client and communicates with a service over HTTPS. The service also requires a client certificate for client authentication.
Long story short
Third-party root certificates always need to be placed under the “Third-Party Root Certification Authorities” folder or directly under the “Trusted Root Certification Authorities” folder at the Local Machine level in Windows. However, when the “WCF-BasicHttp” adapter is also configured to use client certificate authorization, the BizTalk Administration Console requires the thumbprint of a specific server certificate (in addition to the client certificate thumbprint). This makes the runtime also look for that public certificate in the “Other People” folder, and it raises an error if we don’t place it in that folder as well.
In the end this requires us to add the public root certificate in two different places.
Let’s start by getting the server certificate right.
After configuring everything in BizTalk using a standard WCF-BasicHttp port and selecting Transport security, I encountered the following error message.
A message sent to adapter “WCF-BasicHttp” on send port “SP1” with URI “https://skattjakt.cloudapp.net/Service1.svc” is suspended.
Error details: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘skattjakt.cloudapp.net’. —> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
The error message is pretty straightforward:
Could not establish trust relationship for the SSL/TLS secure channel with authority.
The first thing that happens when trying to establish an SSL channel is that the public server certificate is sent down to the client, for the client to use when encrypting further messages to the server. This certificate is validated: that it hasn’t been revoked, that its “Valid to” date hasn’t passed, that the “Issued to” name actually matches the service’s domain, and so on.
But to be able to trust the information in the certificate it needs to be issued by someone we trust, a certificate authority (CA).
If we take the example of a request to Google, we don’t actually trust the information in the Google server certificate, nor do we trust the intermediate certificate they use to sign their public server certificate. The root certificate that issued the intermediate Google certificate is, however, one of the preinstalled trusted certificate authorities in Windows.
Which authorities and certificates to trust is, in Windows, based on which certificates exist in the Certificate Store under the Trusted Root Certification Authorities folder.
In our case the service didn’t use a certificate from one of the trusted authorities but had based their certificate on a root certificate they created themselves.
Further, the Certificate Manager in Windows has three different levels: “Local Machine”, “Service” and “Current User”. The top level is “Local Machine”, and certificates added at this level are available to all users. “Service” and “Current User” are more specific and only available to specific services and users. From a BizTalk perspective it’s important to place the certificate so that it’s accessible to the user running the BizTalk host instance.
So after requesting the root certificate in use and placing it in the trusted authorities folder for the Local Machine, we’re able to successfully establish an SSL session!
As the server, however, required a client certificate for authorization, I reconfigured the send port to use Certificate as the client credential type.
The BizTalk Administration Console then requires one to enter the thumbprint of the private client certificate to use. When browsing to pick the client certificate, the console looks for certificates in the “Personal” folder at the “Current User” level. So for the certificate to show up, one has to add the client certificate to the “Personal” folder while running as the user that will eventually hit the Browse button in the console. Adding it only to the “Personal” folder of “Local Machine” will not make it show up in the console. As the “Current User” level is also separate for each user, it’s very important to add it to the “Personal” folder of the user that will eventually run the BizTalk process, as this user otherwise won’t find the certificate at runtime. In that case just pasting the thumbprint from the certificate will work fine.
With the Certificate client credential type, the BizTalk Administration Console also requires one to pick which public server certificate to use, even though we still just want to use the same root certificate we just added to the trusted store at machine level. When locating server certificates to display, the console looks in the “Other People” folder at the “Local Computer” level. So to make our root certificate show up in the console we also have to add it to this folder. It turns out, however, that when a specific server certificate has been pinpointed, the BizTalk runtime will throw an error if the server certificate is not placed in the “Other People” folder. Likewise, an error will be thrown if the certificate is placed only in one of the trusted authorities folders.
A message sent to adapter “WCF-BasicHttp” on send port “SP1” with URI “https://skattjakt.cloudapp.net:444/Service42.svc” is suspended.
Error details: System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName ‘AddressBook’, StoreLocation ‘LocalMachine’, FindType ‘FindByThumbprint’, FindValue ’70A9899E6CF89B014E6195ADE6E1BA12BEA58728′.
So in this case we need to add the public CA certificate in two different places for the communication to work.
Frankly I don’t see the point of having to point out a server certificate at all in this case. All I want is to configure which client certificate to use for authorization, and for the runtime to validate the server certificate against all the CAs I have in the trusted folders.
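The store placements described above can be verified before the send port is started. The following PowerShell diagnostic is an added example, not code from the original post; the function names are my own, it maps the folder names shown in the MMC to the system store names used by the `Cert:` drive, and it uses the server certificate thumbprint from the error message above as sample input.

```powershell
# Added diagnostic (not from the original post): checks that a server (root)
# certificate and a client certificate sit in every store the WCF-BasicHttp
# send port configuration described above will search.
# Cert: drive store names versus the MMC folder names:
#   Root        = Trusted Root Certification Authorities
#   AuthRoot    = Third-Party Root Certification Authorities
#   AddressBook = Other People   (the 'AddressBook' named in the error above)
#   My          = Personal
function Get-NormalizedThumbprint {
    param([string]$Thumbprint)
    # Thumbprints pasted from the certificate dialog may carry spaces or
    # invisible characters; keep only hex digits and upper-case them.
    return (($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())
}

function Test-CertInStore {
    param([string]$Location, [string]$Store, [string]$Thumbprint)
    $path = "Cert:\$Location\$Store"
    if (-not (Test-Path $path)) { return $false }
    $tp = Get-NormalizedThumbprint $Thumbprint
    return [bool](Get-ChildItem $path | Where-Object { $_.Thumbprint -eq $tp })
}

function Test-BizTalkCertPlacement {
    param(
        [Parameter(Mandatory)][string]$ServerRootThumbprint,
        [Parameter(Mandatory)][string]$ClientThumbprint
    )
    $report = [ordered]@{}
    # 1. The root CA must be trusted at Local Machine level (either root folder).
    $report['Root CA trusted (LocalMachine Root or AuthRoot)'] =
        (Test-CertInStore LocalMachine Root     $ServerRootThumbprint) -or
        (Test-CertInStore LocalMachine AuthRoot $ServerRootThumbprint)
    # 2. Because the send port pins a server certificate thumbprint, the
    #    runtime also searches LocalMachine\AddressBook ("Other People").
    $report['Server cert in LocalMachine Other People (AddressBook)'] =
        Test-CertInStore LocalMachine AddressBook $ServerRootThumbprint
    # 3. The client cert must be in Personal of the CURRENT user and carry a
    #    private key; run this as the host instance account for a true answer.
    $clientTp = Get-NormalizedThumbprint $ClientThumbprint
    $client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $clientTp }
    $report['Client cert in CurrentUser Personal'] = [bool]$client
    $report['Client cert has private key'] = [bool]($client -and $client.HasPrivateKey)
    $report['Checked as user'] = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    return [pscustomobject]$report
}

# Sample call: server thumbprint from the error above; client thumbprint is a placeholder.
Test-BizTalkCertPlacement -ServerRootThumbprint '70A9899E6CF89B014E6195ADE6E1BA12BEA58728' `
                          -ClientThumbprint '<client certificate thumbprint>'
```

Run it under the BizTalk host instance service account, since the “Current User” checks only mean anything for the account that will actually load the client certificate at runtime.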
What is the human impact of DevOps? I recently got this question from a viewer of my recent DevOps: The Big Picture course on Pluralsight. @rseroter just watched your DevOps Pluralsight. Great tool discussion was hoping you could talk more on org structure….— Tim Barcz (@TimBarcz) August 16, 2014 I prepared this course based on […]
Blog Post by: Richard Seroter
Sentinet is highly extendable through standard Microsoft .NET, WCF and WIF extensibility points, and through the Sentinet API interfaces.
In the last post we saw how to build a custom alert handler for SLA violations notification. In this 4th post I want to continue the Sentinet Extensibility series exploring another possible customization, the routing.
Recently I was asked to assist an organization using BizTalk Server that was experiencing problems on their BizTalk 2010 production environment. They were losing incoming messages and were unable to figure out what was causing the issue.
What if you could take all infrastructure cloud providers and combine their best assets into a single, perfect cloud? What would it look like? In my day job, I regularly see the sorts of things that cloud users ask for from a public cloud. These 9 things represent some of the most common requests: Scale. […]
Blog Post by: Richard Seroter
Great news for the BizTalk community: for the third time the BizTalkCrew (Steef-Jan Wiggers, Tord Glad Nordahl, Nino Crudele, Saravana Kumar and me) are hosting the BizTalk Innovation Day, a one-day event focused purely on Microsoft BizTalk Server/BizTalk Services and related topics, in Norway! The two previous BizTalk Innovation Day editions in Norway were carried […]
Blog Post by: Sandro Pereira