Tuesday, November 3, 2015

Send signed and encrypted SOAP request in BizTalk Server using WS-Security


To send the signed and encrypted SOAP request to a web service from BizTalk server then follow these steps:

Step 1: Create send port (One Way/Solicit Response as per requirement) select WCF-Custom in transport type.

Step 2: Select customBinding for Binding Type, by default customBinding has textMessageEncoding and httpTransport, you can change it as per your need.

Step 3: Add security binding extension element to the custom binding. Make sure the order of element is as shown below:

Step 4: Configure the security binding element as shown below:

Step 4.1: Set allowInsercureTransport to True if you are using httpTransport leave it as False in case you are using the httpsTransport.

Step 4.2: Set authenticationMode to MutualCertificate.

Step 4.3: Set messageSecurityVersion to WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10

Step 5: Add clinetCredentails behaviour in Behavior tab.

Step 5.1: Configure the ClientCertificate (with the information related to your private key for signing) and ServiceCertificate/DefaultCertificate(for the public key of service for encryption)
 
 
BizTalk will produce the SOAP envelope With both Header and body signed and encrypted as shown below (for clarity most of encrypted content has been skipped from this output):

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1" u:Id="_3"/>
  <a:MessageID u:Id="_4">urn:uuid:6ebdf6f8-b9fd-4fbd-8029-a7d2dd37c2d4</a:MessageID>
  <a:ReplyTo u:Id="_5">
   <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
  </a:ReplyTo>
  <a:To s:mustUnderstand="1" u:Id="_6">http://localhost:6600/DummyService/DummyService.svc</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="uuid-8bfab354-dd65-4ad2-9bc0-276979f19440-1">
    <u:Created>2015-11-03T06:46:38.270Z</u:Created>
    <u:Expires>2015-11-03T06:51:38.270Z</u:Expires>
   </u:Timestamp>
   <o:BinarySecurityToken u:Id="uuid-c6a8190f-5f53-40a0-980d-7b7ee55eb01a-3" ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIDuTCCAqGgAwIBAgIQBbX...</o:BinarySecurityToken>
   <e:EncryptedKey Id="_0" xmlns:e="
http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
     <DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
    </e:EncryptionMethod>
    <KeyInfo xmlns="
http://www.w3.org/2000/09/xmldsig#">
     <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">fOepp/dW66vQ0heuTt2ETjlMRAM=</o:KeyIdentifier>
     </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData>
     <e:CipherValue>oDZc/9rKTiVjeildC...J6iaPsYg==</e:CipherValue>
    </e:CipherData>
    <e:ReferenceList>
     <e:DataReference URI="#_2"/>
     <e:DataReference URI="#_7"/>
    </e:ReferenceList>
   </e:EncryptedKey>
   <e:EncryptedData Id="_7" Type="
http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <e:CipherData>
     <e:CipherValue>jZnJpp1vi2Jl/gpLfLF+bIj...r0BkGUUHeVQ==</e:CipherValue>
    </e:CipherData>
   </e:EncryptedData>
  </o:Security>
 </s:Header>
 <s:Body u:Id="_1">
  <e:EncryptedData Id="_2" Type="
http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
   <e:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <e:CipherData>
    <e:CipherValue>y0QXU2uwNr...zOvFM=</e:CipherValue>
   </e:CipherData>
  </e:EncryptedData>
 </s:Body>
</s:Envelope>


Cheers
Rohit C. M. Sharma

7 comments:

Anonymous said...

Nice Article,

Anonymous said...

Rohit, Nice article, I’m doing something similar but I need to sign the first child of the SOAP body and couple of sections in SOAP header-Timestamp and Business Header (custom SOAP header).

I did everything as per this article, as your SOAP envelope example, SOAP Body and all SOAP Headers are getting signed.
Is there any way to sign the SOAP envelope selectively because my requirement is to sign the first child of the SOAP body, Time stamp and business header.

Thanks,

sreedevi said...

very useful .thank you for sharing Biztalk Online course Hyderabad

svrtechnologies said...

Whatever we gathered information from the blogs, we should implement that in practically then only we can understand that exact thing clearly on biztalk training courses , but it’s no need to do it, because you have explained the concepts very well. It was crystal clear, keep sharing..

Blogger said...

Your Affiliate Money Printing Machine is ready -

Plus, getting it running is as easy as 1--2--3!

This is how it works...

STEP 1. Tell the system which affiliate products the system will push
STEP 2. Add some PUSH button traffic (it LITERALLY takes JUST 2 minutes)
STEP 3. Watch the affiliate products system grow your list and sell your affiliate products for you!

Are you ready???

Get the full details here

Akhila said...

Nice blog keep sharing more
biztalk training for beginers
biztalk certification training
biztalk training
biztalk course
learn biztalk online
online biztalk traning
microsoft biztalk training courses
biztalk online training hyderabad
biztalk online training india

Anna Buckley said...

Thank you so much for sharing this fantastic blog post. Your writing style and the way you present your ideas are excellent. I believe I have a good understanding of this topic now. About Auto Clicker iPhone, you can find out more. The auto clicker is discussed in this article.

Post a Comment