by community-syndication | Mar 24, 2007 | BizTalk Community Blogs via Syndication
(This is the third in a series of three posts about CRLs – the first was Web
Services and the 15 Second Delay, and the second was BizTalk
and Certificate Revocation Lists (CRLs) – Part I).
Note: A lot of the information in this post comes from a great MSDN article
located here.
Caveat: My client uses 64-bit servers (AMD Opterons), running 64-bit
versions of Windows 2003 R2 and BizTalk 2006. IIS is running in 32-bit
compatibility mode (as we use Sharepoint). I haven’t yet worked out if the
CRL problem occurs on 32-bit servers – I definitely haven’t noticed the problem on
our 32-bit servers as of yet.
For 2 months, my BizTalk application was working fine. The system passed performance
testing, and was deployed on the Live servers in preparation for final connectivity
testing.
Then one Monday, last week, the test team complained that they were experiencing sporadic
timeouts. On the same day, I was doing some testing on an unrelated BizTalk application
on a separate server… and I noticed that I would occasionally get request-response
latency approaching 70 secs…
Given that the same day I’d noticed I no longer had access to iTunes Radio from that
morning (bah!), I assumed that changes had been made to our proxy server or firewall.
I fired up TCP View on the server I was working on, and there was our old friend SYN_SENT:
something was blocking access to the CRL again. I spoke to the Tech Support team and
discovered that no changes had been made to the proxy server. Leaving them to check
for changes to our firewall and security policies, I decided to do some research into
why this delay exists (if the call is blocked) and if there was a way around it. Here’s
what I discovered (refer to this article
for a more in-depth explanation of Certificates and CRLs):
- Any given digital certificate contains a property called the CRL Distribution Point, which is a collection of URIs.
- When a certificate is validated, a CRL retrieval attempt is made using each URI in the list. Retrieval stops with the first URI to return a valid CRL.
- When a valid CRL is obtained, it is stored in the Certificate Store for the Local Machine (under Certificates (Local Computer)/Intermediate Certification Authorities/Certificate Revocation Lists).
- A CRL is a certificate in its own right and, as such, it contains an expiry/update date called the Next Update date.
- If the CRL already exists in the Certificate Store and is still valid, then this CRL is used; otherwise an attempt is made to download an updated CRL.
- URI schemes valid for CRLs include http://, ldap://, and file:// – it is the publisher of the certificate who decides upon the contents of the CRL Distribution Point.
- In large corporations, it is common to use Active Directory (AD) as the provider of CRLs: AD can download the required CRLs and either publish them to a master location, or distribute them to servers that need them.
One thing I was curious about was this 15 second delay which kept popping up. The Xceed Software post I had read made reference to a 15 second delay being hard-coded into the WinVerifyTrust API call.
Looking through the documentation for WinVerifyTrust I noticed two things:
- Microsoft recommends the use of CertGetCertificateChain for validating a certificate (instead of WinVerifyTrust).
- WinVerifyTrust enumerates a registry key (HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\) to find out which API call to use to verify the trust of the given object.
I’m not about to trace what WinVerifyTrust does to actually check the CRL, but I’d
suspect that it ends up delegating to either CertGetCertificateChain or CertVerifyRevocation (and
I’d bet that internally, CertGetCertificateChain calls CertVerifyRevocation to verify
the CRL for a given certificate).
Suffice to say that CertGetCertificateChain will build a chain of certificates starting
from the given certificate, and building the chain all the way up to the root CA,
and will optionally check the revocation status for each certificate in the chain;
whilst CertVerifyRevocation will verify the revocation status for a single certificate.
And both of them take, as one of their parameters, a struct called CERT_REVOCATION_PARA. The format of that structure is:

    typedef struct _CERT_REVOCATION_PARA {
        DWORD                       cbSize;
        PCCERT_CONTEXT              pIssuerCert;
        DWORD                       cCertStore;
        HCERTSTORE*                 rgCertStore;
        HCERTSTORE                  hCrlStore;
        LPFILETIME                  pftTimeToUse;
        DWORD                       dwUrlRetrievalTimeout;
        BOOL                        fCheckFreshnessTime;
        DWORD                       dwFreshnessTime;
        LPFILETIME                  pftCurrentTime;
        PCERT_REVOCATION_CRL_INFO   pCrlInfo;
        LPFILETIME                  pftCacheResync;
        PCERT_REVOCATION_CHAIN_PARA pChainPara;
    } CERT_REVOCATION_PARA, *PCERT_REVOCATION_PARA;
Heh, look, there’s a member called dwUrlRetrievalTimeout.
Wonder if that’s relevant??? 😉
The documentation has this to say:
This member contains the time-out limit,
in milliseconds. If zero, the revocation handler’s default time-out is used.
And what’s the revocation handler’s default time-out?
Well, Microsoft doesn’t specify this directly… but I notice in a related
knowledge base post, that a value of 15000 milliseconds is used i.e. 15 seconds!
So that’s as far as we can go with that – unless IIS includes an option to configure
this timeout, then we can’t change it (and they do, sort of).
Whilst researching this post, I noticed that one solution that is frequently
touted is to modify the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
But that’s not much use, as that’s for the Current User (hence the HKCU). Great if
I was using my own local user account for the application pools, bad if I’m using
a non-interactive user account (which we are). Plus I’m not sure this would work for
IIS; maybe I’ll try it at some stage.
(Note: looks like Microsoft are aware of this issue, because in
Windows Vista/Longhorn there’s now a Group Policy setting which lets you set this
default timeout for non-interactive processes i.e. IIS App Pools!!)
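The timeout behaviour discussed above can be exercised from PowerShell through the .NET X509Chain class, which wraps CertGetCertificateChain and exposes the URL retrieval timeout as ChainPolicy.UrlRetrievalTimeout. The script below is an added example, not code from the original post; the function names and the DLL path are placeholders. It pulls the CRL Distribution Point URLs out of a signing certificate, builds the chain with a bounded retrieval timeout instead of the handler's default, and reports how long the build took together with any RevocationStatusUnknown or OfflineRevocation status, which is what a blocked CRL URL looks like from the chain engine's point of view.

```powershell
# Added example (not from the original post): inspect a certificate's CRL
# Distribution Point and build its chain with a bounded CRL retrieval timeout,
# using the .NET X509Chain wrapper over CertGetCertificateChain.
# Function names and the sample DLL path below are placeholders.

function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text; pull the URLs out of it.
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CertificateRevocation {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$TimeoutSeconds = 5
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Managed equivalent of dwUrlRetrievalTimeout: bound the wait for a CRL fetch
    # instead of accepting the revocation handler's default (15 s per URL).
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $built = $chain.Build($Certificate)
    $sw.Stop()

    # RevocationStatusUnknown / OfflineRevocation mean the CRL could not be fetched
    # (blocked proxy or firewall). Report them explicitly rather than relying on
    # the boolean alone, so a silent fall-back to a stale cache is visible.
    $status = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        ChainBuilt     = $built
        ElapsedSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        CrlUrls        = @(Get-CrlDistributionPoints $Certificate)
        ChainStatus    = @($status)
    }
}

# Usage (path is a placeholder): check the signing certificate of a signed
# assembly, the same kind of object WinVerifyTrust validates for code signing.
$signer = (Get-AuthenticodeSignature 'C:\path\to\Signed.dll').SignerCertificate
if ($signer) { Test-CertificateRevocation -Certificate $signer -TimeoutSeconds 5 | Format-List }
```

Run against a signed assembly on the affected server, this gives a quick way to confirm that the latency really is CRL retrieval: a build that takes roughly the configured timeout and comes back with RevocationStatusUnknown or OfflineRevocation for the CodeSignPCA URL is the signature of a blocked distribution point, whereas a build that returns in well under a second means the CRL was served from the Local Machine store.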
So what’s the solution in this case?
Well, unless the technical support guys can work out what they changed to block CRL
access (I suspect they turned on authentication on the proxy), we have four choices:
- Use Active Directory to store and publish CRLs (which we should have been doing from the start IMO). This is Microsoft’s preferred way of doing it for large customers. More information on configuring CRLs with AD can be found here.
- Manually download the required CRL and install it. This is my preferred solution for this particular issue, and is detailed below.
- Disable CRL checking for the server. This is an interesting one. I’m not convinced that this can be done – there are a few posts about how to do this, including one on how to do it for IIS here. However, this seems to be related to certificate exchange for HTTP request/responses, as opposed to certificate validation for signed code, which is a whole different thing. Plus, turning off certificate checking is a rather large security hole, as you don’t know if a given certificate is still valid.
- Change the default CRL timeout period for CAPI. I noticed in the Knowledge Base article for an update to IIS 5.0 that new registry keys had been added, including one allowing a value called ChainUrlRetrievalTimeoutMilliseconds to be set. Then, when browsing through the PKI documentation, I noticed a reference to the same registry keys, plus a note saying “this setting was first introduced with MS04-011” (the IIS 5.0 update linked to above). So it looks like it is possible to set the default timeout. I haven’t tried this, so can’t verify that it works, but to me it’s not the correct solution: the CRL should be available, either from AD or the URL, or by installing it manually – setting the timeout to a lower value seems to be just ignoring the problem, plus it creates a potential security hole as you can’t be sure that the certificate used to sign code is still valid.
Manually downloading and installing a CRL
Needless to say, I thought I’d have a go manually downloading the CRL and installing
it – and it worked a treat. Problem solved (at least until the next CRL update is
needed, which is August 2007). Still, gives us a breather to get it properly sorted.
Finding the URL of the CRL is easy: look in the certificate details for the
CRL Distribution Point, and copy the URL from there. In this case, it’s the Microsoft
Code Signing Public Certification Authority CRL: http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
You can put this URL in a web browser and download the CRL file.
(Note: if you’re doing this in Windows Server 2003, you’ll need to add crl.microsoft.com
to your list of Trusted Sites, otherwise you won’t be able to download the CRL file)
Once you have the file, you can install it following the instructions here:

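The manual procedure above, scripted as an added PowerShell example (not the post's own code): it downloads the CRL from the distribution point named in the post, reads the Next Update field with certutil so you know when the manual fix will expire, and installs the file into the Local Computer Intermediate Certification Authorities store with certutil -addstore, which is the store CAPI checks before going to the network. The function name and destination path are assumptions; run it from an elevated session on the server that needs the CRL.

```powershell
# Added example (not from the original post): fetch a CRL from its distribution
# point, record its Next Update date, and install it into the Local Machine store
# so CAPI finds a fresh copy without a network fetch. The function name and the
# destination path are assumptions; the URL is the one given in the post.

function Install-CrlFromUrl {
    param(
        [string]$Url = 'http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl',
        [string]$Destination = (Join-Path $env:TEMP 'downloaded.crl')
    )
    # Download with .NET rather than a browser, so the Trusted Sites restriction on
    # Windows Server 2003 does not get in the way (system proxy settings still apply).
    $client = New-Object System.Net.WebClient
    $client.DownloadFile($Url, $Destination)

    # certutil -dump prints the CRL fields; keep the NextUpdate line so the expiry
    # of this manual fix is recorded (for CodeSignPCA.crl the post gives August 2007).
    $dump = & certutil.exe -dump $Destination
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed, not a valid CRL: $Destination" }
    $nextUpdate = ($dump | Select-String 'NextUpdate' | Select-Object -First 1).Line.Trim()

    # Install into Local Computer\Intermediate Certification Authorities (the "CA"
    # store), where CAPI caches CRLs it has fetched itself. Needs an elevated session.
    $result = & certutil.exe -addstore CA $Destination
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed: $result" }

    [pscustomobject]@{
        Url        = $Url
        File       = $Destination
        NextUpdate = $nextUpdate
        Installed  = $true
    }
}

Install-CrlFromUrl | Format-List
```

Keep the NextUpdate value somewhere visible (a calendar reminder or a monitoring check): once it passes, CAPI treats the cached CRL as stale and goes back to the distribution point, and the 15 second stalls return until a fresh copy is installed or the network path is fixed.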
And lo and behold, the problem was fixed.
At least, it is fixed until August 30th 2007 when the CodeSignPCA.crl expires… 😉
But by then, I’m sure we’ll have found a permanent fix!
by community-syndication | Mar 24, 2007 | BizTalk Community Blogs via Syndication
A few people asked for the demos from this presentation.
Links for the presentation are at the bottom of the post
If you have not already set up your development environment for Windows Workflow Foundation (WF) development, follow the steps below:
Prerequisites:
a) Windows XP, Windows 2003, Windows Vista
b) Visual Studio 2005
Install the following:
1) .Net Framework 3.0 Redistributable
2) Visual Studio 2005 extensions for .NET Framework 3.0 (Windows Workflow Foundation)
3) You can also optionally download and install:
Microsoft® Windows® Software Development Kit for Windows Vista™ and .NET Framework 3.0 Runtime Components
Before installing the above read the provided instructions.
Below are some resources for using/learning/developing with WF:
MSDN – Windows Workflow Foundation
MSDN – Windows Workflow Foundation Tutorials
MSDN – Windows Workflow Foundation General Reference
Getting Started with Windows Workflow Foundation Server Virtual Lab
Hands-on Labs for Windows® Workflow Foundation
Clinic 5136: Introduction to Developing with Windows® Workflow Foundation and Visual Studio® 2005
Windows Workflow Foundation Developer Centre
Also please read Paul Andrews blog (Windows Workflow Foundation Technical Product Manager at Microsoft) for the latest and greatest on WF.
Download the presentation demos here.
Please read this before trying to run.
by community-syndication | Mar 24, 2007 | BizTalk Community Blogs via Syndication
I know it’s been rather quiet on the BizUnitExtensions front, but never fear, there’s lots of stuff to come. But firstly, I do hope Kevin Smith responds to my comments on his workspace on joining forces. I’m still waiting patiently. Although it’s good to see a new BizUnit core release with bug fixes and changes, it’s actually beginning to get problematic now because we have made changes to the core of the BizUnit class and other classes such as Context, and now we have to port everything to the latest BizUnit codebase in order to keep things consistent, and doing this to a code base which has now structurally changed is not easy. Added to that is the fact that we also wanted to change the structure of the code base (so we keep the standard test steps in one, BizTalk specific things in another, MSMQ in yet another etc.) so that’s got to match up as well. I suppose these are the kind of scenarios where the C# 3.0 extension methods would come in really handy. Maybe it’s a good time now to break away from the BizUnit label and move to the more generic integration testing framework. What do BizUnit (and Extensions) users think about this?
Anyway, a good discussion has started on the forums at the extensions site (www.codeplex.com/bizunitextensions) with one of the new users querying BizUnit’s actual value (Why BizUnit) and finding some answers in the roadmap. I guess the reply to the question would be worth a blog post on its own!
So what’s cooking with the Extensions project? Well, first of all I need to put down a release calendar showing what’s coming up (based on the roadmap) in the next few releases, but right now the target is to get all the step properties, constructors etc. public and to get entlib logging working. I have finished the entlib logging and will make it available as soon as possible. It’s rather raw right now (i.e. it’s a simple log format that more or less mirrors the console log but to a text log sink). I hope that this will stimulate some discussion in the community so we can improve the kind of logging (to event logs, perf counters etc.).
Making the properties etc. completely public is proving to be rather involved and raises lots of questions. For instance, if one could execute a step (for example, filecopy) independently (by just setting the properties and calling Execute) and could do the same for all steps in the test case, then the question arises as to what value the BizUnit testRunner provides. Some possible answers are that it provides
(a) execution context (but this could also be set and passed in) and the ability to keep a constant thread of logging through all the steps, and
(b) parallel execution (but MbUnit could provide that). (Speaking of MbUnit, it definitely looks much better than NUnit and I should try running BizUnit inside MbUnit to see what extra stuff I can squeeze out of MbUnit.)
I think it might be a better option to provide the ability to set step properties in code, but once we create a collection of steps, we would pass the collection to BizUnit and say RunTest(TestStepCollection). This way BizUnit can manipulate context and keep full control. The Execute() methods would all then become “internal” and available to friend assemblies rather than public. If you are using the tool currently or planning to, then head down to the codeplex site and post your thoughts on this or email me.

by community-syndication | Mar 23, 2007 | BizTalk Community Blogs via Syndication
There was a delay in posting this, but just wanted to write a quick note on the MVP Summit that I attended last week (March 12 – March 15)
Overall this was an awesome event, well organized, great sessions.
Thanks to Sasha Krsmanovic (MVP Lead – Canada) who provided all the Canadian MVPs with red Olympic hockey jerseys, worn on the 2nd day of the summit. This really pumped up the Canadian MVPs at Bill Gates’ keynote and carried on during the rest of the Summit. I received quite a few comments from other non-Canadian MVPs about the jersey even when I wasn’t wearing it on day 3 of the summit.
First couple of days at the summit I was hanging out with fellow MVP Objectsharpees
(past/present and future?):
Barry Gervin
Bruce Johnson
Rob Winsdor
Matt Cassel
Jean Luc David
Justin Lee
Next couple of days of the summit, I was at the BizTalk/ Connected Systems Division specific sessions.
Below are some of the BizTalk MVPs at the summit. The list does not cover all of the attendees:
Tomas Restrepo
Brian Loesgen
Scott Cairney
Ibrahim Gokalp
Paul Somers
Stephen Thomas
Alan Smith
Romualdas Stonkus
Jon Flanders
Jesus Rodriguez
Mick Badran
Scott Colestock
Jon Fancey
Jeff Juday
Charles Young
Here are a few posts on the content of the BizTalk/Connected System MVP sessions.
Day3
Day3
Day4
Finally a big thanks to Marjan Kalantar (Microsoft’s Connected Systems Division Community
Lead), who put together and organized an eclectic spread of talks that covered the Connected
Systems Division and the informal sessions with the Product groups.
by community-syndication | Mar 23, 2007 | BizTalk Community Blogs via Syndication
First of all what does it look like to talk to nearly 2000 people?
Well here is a picture I found on flickr of 900 people… yup I’m in there #9 top row.
Think double this and we will be just about there!
It was all of you that made this event so successful, THANKS!
Darryl did a great job of MC’ing the keynote at the events and holding it all together! The mindscape guys have done a great job bringing my backgroundmotion idea to life!
Presentation: Web Standards Compliance
Presentation: Extending Application Reach
Presentation: Building Composite Applications
In fact all the pptx decks are now online.
My presentation Building applications users love is there but without the link to the video that I promised.
Click the picture below to watch the Video!
I leave tomorrow for a trip around Europe with my wife and daughter followed by Mix in Las Vegas. The best part is that I’m not taking my laptop! See you again on the 7th of May if not a little sooner!
by community-syndication | Mar 22, 2007 | BizTalk Community Blogs via Syndication
I haven't posted for a while. I've just finished work on a bank's SOA framework written with extensive use of WCF (which is very, very extensible!). Started work implementing their KiwiSaver group investments initiative in BizTalk 2006 R2. We were one of the first out of the blocks in utilising the R2 WCF adapter (could be a bit more configurable), the WCF interceptor and AS2 adapter (interesting BAM continuations). Then after 3 years I decided to leave Synergy and go freelance for a while before moving back to the UK. On the same day I left Synergy I sold my bach and bought a new investment property, so it's been busy.
It's been a truly fabulous 3 years working for Synergy International in New Zealand, which has recently been re-branded as Fronde. For those of you looking for a change to kick start career development, this professional organisation is continuing to grow in all the right directions; they offer great training opportunities, working and learning from very experienced people in a family oriented environment.
Well, for the next few months I'm integrating a portfolio CRM to an investment bank's core trading systems, again in BizTalk, among other things using BAM for system testing, which I will post on later.
Ciao
Rob
by community-syndication | Mar 22, 2007 | BizTalk Community Blogs via Syndication
In my ongoing quest to produce the simplest table possible summarizing the key differences between the various Windows Communication Foundation (WCF) built-in bindings, I came up with the following:
| Binding Class Name | Transport | Message Encoding | Message Version | Security Mode | RM | Tx Flow* |
|---|---|---|---|---|---|---|
| BasicHttpBinding | HTTP | Text | SOAP 1.1 | None | X | X |
| WSHttpBinding | HTTP | Text | SOAP 1.2, WS-A 1.0 | Message | Disabled | WS-AT |
| WSDualHttpBinding | HTTP | Text | SOAP 1.2, WS-A 1.0 | Message | Enabled | WS-AT |
| WSFederationHttpBinding | HTTP | Text | SOAP 1.2, WS-A 1.0 | Message | Disabled | WS-AT |
| NetTcpBinding | TCP | Binary | SOAP 1.2 | Transport | Disabled | OleTx |
| NetPeerTcpBinding | P2P | Binary | SOAP 1.2 | Transport | X | X |
| NetNamedPipesBinding | Named Pipes | Binary | SOAP 1.2 | Transport | X | OleTx |
| NetMsmqBinding | MSMQ | Binary | SOAP 1.2 | Message | X | X |
Notes: X = Not Supported, WS-A = WS-Addressing, WS-AT = WS-AtomicTransaction, OleTx = OleTransactions
* Transaction flow is always disabled by default, but when you enable it, these are the default tx protocols
Although some of these values can be configured differently on certain bindings, the table shows the defaults in each area. I’m pretty happy with this one.
by community-syndication | Mar 22, 2007 | BizTalk Community Blogs via Syndication
The second session I delivered at the event was more lively than the first, and also much simpler. A level 300 session, but focused on beginner developers in .Net 3.0’s WF.
There are two features of WF, which I was unfortunately unable to demonstrate at the session, which I really love: first, dynamic instance update – the ability to modify a running workflow in runtime, adding new activities and modifying its behavior. I can think of several uses for this, some on a professional level, some for fun. 🙂 The second is using custom activities together with WF to define Domain-Specific languages. Simpler than the DSL toolkit (and also with distinct applicabilities), and given the fact that you can run your declarative XAML workflows without recompilation, it’s something I’m really looking into.
