BizTalk and SSL Transport
Introduction
Secure transport can be provided by HTTPS, which combines the Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server. Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network connection to authenticate each other's identity and by encrypting the data exchanged between them. Authentication allows a server (see one-way) and optionally a client (see two-way) to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient. Where message-level security focuses on the data in the message itself, transport-level security focuses on protecting the data while it is in transit from the sender to the recipient. With BizTalk, transport-level security can be accomplished with the following adapters:
Secure Sockets Layer (SSL)
Secure communication between BizTalk Server and an external party can be configured using one-way or two-way SSL authentication.
SSL One-way
With one-way SSL, the server is required to present a certificate to the external party, but the external party is not required to present a certificate to the server. To successfully negotiate an SSL connection, the external party must authenticate the server, but the server will accept any external party into the connection. One-way SSL is common on the Internet where users want to create secure connections before they share personal data.
SSL Two-way
With two-way SSL, the client also presents a certificate to the server. A server can be configured to require clients to submit valid and trusted certificates before completing the SSL connection.
Configure SSL within a BizTalk adapter
To have transport-level security through SSL, you need to configure the appropriate send adapter when sending a message securely to an external party. After you have deployed your BizTalk solution, you configure the send ports that require transport security. Here are some pointers to establish one-way SSL with the BizTalk HTTP, WCF-BasicHttp and WCF-WSHttp adapters.
For the HTTP Adapter you use the following configuration:
a) Create a Send Port and give it an appropriate name.
b) Select Type HTTP and click configure.
c) Select the Authentication Tab.
d) Select the authentication type according to your requirements.
e) Paste the thumbprint of the client certificate.
The WCF-BasicHttp adapter can be configured as follows:
a) Create a Send Port and give it an appropriate name.
b) Select Type WCF-BasicHttp or WCF-WSHttp and click configure.
c) Select the Security Tab.
d) In security mode choose Transport.
Transport: Security is provided using the HTTPS transport. The SOAP messages are secured using HTTPS. To use this mode, you must set up Secure Sockets Layer (SSL) in Microsoft Internet Information Services (IIS).
e) In Transport Client Credential Type choose Certificate.
Certificate: Client authentication using the client certificate. The CA certificate chain for the client X.509 certificates must be installed in the Trusted Root Certification Authorities certificate store of this computer so that the clients can be authenticated to this receive location.
f) In Client certificate, click Browse and select the appropriate certificate.
For the WCF-WSHttp adapter you use the following configuration:
a) Create a Send Port and give it an appropriate name.
b) Select Type WCF-BasicHttp or WCF-WSHttp and click configure.
c) Select the Security Tab.
d) In Security mode choose Transport.
e) In Transport Client Credential Type choose Certificate.
f) In Client certificate, click Browse and select the appropriate certificate.
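The thumbprint asked for in step e) of the HTTP adapter, and the certificate selected for the WCF adapters, must come from the Personal store of the account the BizTalk host instance runs under. The following PowerShell is an added example, not part of the article or of BizTalk: run as that service account, it lists matching certificates, checks the properties a remote server will insist on (private key present, validity period, Client Authentication key usage, chain to a trusted root) and prints the thumbprint in the form the adapter expects; the subject filter is a placeholder.

```powershell
# Added example (not from the article): run as the BizTalk host instance service
# account, so Cert:\CurrentUser\My is the Personal store the adapters read from.
function Get-BizTalkClientCertificate {
    param(
        # Substring of the certificate subject to look for (placeholder value below).
        [Parameter(Mandatory)][string]$SubjectFilter,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if ($cert.Subject -notlike "*$SubjectFilter*") { continue }
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key (cannot prove identity)' }
        if ($cert.NotAfter -lt $now)  { $problems += "expired $($cert.NotAfter)" }
        if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
        if (-not $hasClientAuth) { $problems += 'missing Client Authentication EKU' }
        # Same trust evaluation the remote server performs: chain to a trusted root CA.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        if (-not $chain.Build($cert)) {
            $problems += $chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint      # value to paste into the adapter configuration
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Placeholder subject; replace with the CN of your client certificate.
Get-BizTalkClientCertificate -SubjectFilter 'biztalk-client.example.local' | Format-List
```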
SSL Demystified
SSL uses public key encryption technology for authentication. With public key encryption, a public key and a private key are generated for a server. The keys are related in such a way that data encrypted with the public key can only be decrypted using the corresponding private key and vice versa. The private key is carefully protected so that only the owner can decrypt messages that were encrypted using the public key.
The public key is embedded in a digital certificate with additional information describing the owner of the public key, such as name, street address, and e-mail address. A private key and digital certificate provide the identity for the server. To identify itself to an external party, BizTalk uses a certificate from the Personal certificate store of the user under which the BizTalk Windows service is running. The thumbprint of this certificate is used to configure the adapter.
The data embedded in a digital certificate is verified by a certificate authority (also referred to as trusted certificate authority) and digitally signed with the certificate authority's digital certificate. Well-known certificate authorities include VeriSign and Entrust.net. Their digital certificates are trusted by the Windows OS by default. A trusted certificate authority establishes trust for a server.
An application participating in an SSL connection is authenticated when the other party evaluates and accepts its digital certificate. Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or because the digital certificate of the certificate authority used to sign it has expired. A server certificate can be invalidated if the host name in the digital certificate of the server does not match the host name specified by the client.
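The following PowerShell is an added example, not from the article: it performs the client side of a one-way SSL handshake against an HTTPS endpoint, the way a BizTalk send port does, and reports which of the rejection reasons described above applies (expired server or CA certificate, untrusted authority, host name mismatch). The host name is a placeholder.

```powershell
# Added example (not from the article): client side of a one-way SSL handshake,
# reporting the same rejection reasons the article lists. Host names are placeholders.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Name the client expects to find in the certificate (normally the host it dialled).
        [string]$ExpectedHostName = $HostName
    )
    $result = [ordered]@{ HostName = $HostName; Accepted = $false; Subject = $null; NotAfter = $null; Reasons = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
        $result.Subject  = $cert2.Subject
        $result.NotAfter = $cert2.NotAfter
        if ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
            $result.Reasons += "host name mismatch: expected '$ExpectedHostName', certificate is '$($cert2.Subject)'"
        }
        if ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
            # Covers an expired server or CA certificate and an untrusted issuing authority.
            foreach ($s in $chain.ChainStatus) { $result.Reasons += "chain: $($s.Status): $($s.StatusInformation.Trim())" }
        }
        if ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNotAvailable) {
            $result.Reasons += 'server presented no certificate'
        }
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure())
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            # One-way SSL: only the server presents a certificate; the client sends none.
            $ssl.AuthenticateAsClient($ExpectedHostName)
            $result.Accepted = $true
        } catch {
            if ($result.Reasons.Count -eq 0) { $result.Reasons += $_.Exception.Message }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
    [pscustomobject]$result
}

# Placeholder endpoint; point it at the external party's HTTPS address.
Test-ServerCertificate -HostName 'partner.example.com' | Format-List
```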
See Also
On MSDN, see the following resources:
In BizTalk Server 2010 the FTP adapter has been enhanced and supports SSL:
BizTalk Server 2013 introduces the SFTP adapter to send and receive messages to and from a secure FTP server using the SSH file transfer protocol:
In general, you can review the overall security of BizTalk through MSDN articles:
Another important place to find a huge amount of BizTalk related articles is the TechNet Wiki itself. The best entry point is BizTalk Server Resources on the TechNet Wiki.