8

Security

In the last chapter we learned about EDI. In this chapter we will dive into the techniques
required for a BizTalk Administrator to keep BizTalk Server environment secure. As
BizTalk administrator you are responisble to prevent that unauthorized people have
access to your BizTalk environment let alone give someone the ability to pry on
messages that contain sentive data. Collaboration with system engineers from the IT
department is important to assure that this will not happen.
The following topics will be discussed:
 Securing the BizTalk environment
 Secure Messaging Infrastructure
o Managing the Certificate Store
o Message Level Security
o Transport Level Security
 Managing the SSO
o Credential Mapping
o Managing SSO Affiliate Applications
o Using SSO to store application configuration data
 SQL Server 2008 R2 Encryption Techniques

Securing the BizTalk environment

Security is important aspect of a BizTalk deployment. Deployment is not going to be
discussed in this chapter, yet some tasks are important for BizTalk administrator to assure
that the environment is secure. The following tasks can be considered to be done by
administrator:

 Use Microsoft Baseline Security Analyzer 2.2 (Security Updates)

 Run the BizTalk Best Practice Analyzer 1.2
 Run the BizTalk MessageBoxViewer (MBV)
  Follow up on the Checklist: Planning for Operations in a Secure Environment
(http://msdn.microsoft.com/en-us/library/gg634428.aspx)

These tasks can be performed after the BizTalk environment is deployed and later on
when environment is up and running. The following paragraphs will discuss using the
tools with regards to security. Following up techecklist speaks for itself.

Use Microsoft Baseline Security Analyzer 2.2

The Microsoft Baseline Security Analyzer (MBSA) provides a streamlined method to

identify missing security updates and common security misconfigurations. It can be
downloaded from Microsoft download center:
http://www.microsoft.com/download/en/details.aspx?id=7558.

The MBSA includes a graphical and command line interface that can perform local or
remote scans of Microsoft Windows systems. It runs on Windows Server 2008 R2,
Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows
XP and Windows 2000 systems and will scan for missing security updates, rollups and
service packs using Microsoft Update technologies. It will also scan for common security
misconfigurations (also called Vulnerability Assessment checks) using a known list of
less secure settings and configurations for all versions of Windows, Internet Information
Server (IIS) 5.0, 6.0 and 6.1, SQL Server 2000 and 2005, Internet Explorer (IE) 5.01 and
later, and Office 2000, 2002 and 2003 only.

To run the Microsoft Baseline Security Analyzer, perform one of the following:

 Start the Microsoft Baseline Security Analyzer from the Start menu. Go to Start |
Microsoft Baseline Security Analyzer.
 Open Windows Explorer and navigate to the Microsoft Baseline Security
Analyzer installation directory (by default, c:\Program Files\ Microsoft Baseline
Security Analyzer 2\) and double-click on mbsa.exe.

The following steps need to be performed to do the analysis:

1. Select Scan Computer.

2
2. Fill in the appropriate details and options.

3
 3. Start Scan.
4. Scanning will start. It will start downloading the security update information
from microsoft. This may take a while.
5. After Scan a report will be presented with possible issues:

4
It will be up to you as BizTalk administrator to work with system engineers to resolve
possible issue(s).

Run the BizTalk Best Practice Analyzer 1.2

The Best Practices Analyzer (BPA) examines a BizTalk Server deployment and
generates a list of issues pertaining to best practice standards for BizTalk Server
deployments. This tool is designed to assess the configuration of a BizTalk installation. It
can be download from Microsoft download center:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15963

5
The BPA performs configuration-level verification by gathering data from different
information sources, such as Windows Management Instrumentation (WMI) classes,
SQL Server databases, and registry entries and presents a report to the user. Under the
hood, it uses the data to evaluate the deployment configuration. It does not modify any
system settings and is not a self-tuning tool. The tool is there to deliver support in
achieving the best suitable configuration and report issues or possible issues, that could
potentially harm the BizTalk environment.

As a user, you need an account that has local administrative rights, that is a
member of the BizTalk Server Administrators group, and a member of the SSO
Administrators group to be able to run the BPA.

To run the Best Practices Analyzer, perform one of the following:

 Start the BizTalk Server Best Practices Analyzer from the Start menu. Go to
Start |Programs | Microsoft BizTalk Server Best Practices Analyzer |
Microsoft BizTalk Server Best Practices Analyzer.
 Open Windows Explorer and navigate to the Best Practices Analyzer installation
directory (by default, c:\Program Files\BizTalkBPA\) and double-click on
BizTalkBPA.exe.
 Open a command prompt, change to the installation directory, and then enter
BizTalkBPACmd.exe.

The following steps need to be performed to do the analysis:

1. As soon as you start the BPA, it will check for updates. The user can decide
whether or not to check for updates for newer versions of the configuration:

6
2. If a newer version is found, you are able to download the latest updates. The next
step is to perform a scan by clicking on Start a scan:

7
 3. After starting the scan, starts data will be gathered from different information
sources as described earlier.
4. After the scan has been completed, the user can decide to view the report of the
performed scan:

8
5. You can click View a report of this Best Practices scan and the report will be
generated. After generation of the report, several tabs will appear:
o Critical Issues
o All Issues
o Non-Default Settings
o Recent Changes
o Baseline
o Informational Items

9
It will be up to you as administrator to work with system engineers to resolve possible
issue(s).

Run the MessageBoxViewer (MBV)

The BizTalk Message Box Viewer, also known as the Message Box Viewer (MBV), was
created by Jean-Pierre Auconie. The MBV tool retrieves information from a BizTalk
System and identifies many possible issues, which could be critical or need attention, and
presents them in a user friendly format. This tool is like the BizTalk Best Practices
Analyzer (BPA) which is a health check tool that generates reports of a BizTalk System.
Both the BPA and MBV are complementary to each other. The MBV can help
administrators in acquiring information of a production the system very fast, with hardly
any impact on running environment. It can help administrators to identify possible issues,
which could be critical or need attention.

The MBV has two executables; one to fire up a console application and another to the
10
Windows Form application. Both use the same engine by reading only in the BizTalk
databases and Server's registry to retrieve useful lists of information. Both console
applications, as they are Windows Form applications can produce three types of reports:

 HTML report: This is the first file to open. It shows a well formatted result of the
health check.
 History log file: It contains the history of all reports in a textual format.
 Status log file: It contains a detailed status of each query execution and possibly
errors met. The status log file is important to read if some errors were met during
the collect process. It displays the start time of each query.

Both tools also offer the option to generate an XML report. You can download the latest
version of BizTalk Message Box Viewer Version 11
(http://blogs.technet.com/b/jpierauc/archive/2007/12/18/msgboxviewer.aspx
).

The following steps need to be performed to obtain results from the BizTalk Message
Box Viewer to investigate the health of the BizTalk system or for troubleshooting
purposes:
1. Open the MsgBoxViewer application.
2. In the Global Properties tab, you can set properties according to your
requirements, for instance, changing the format of the output file; for example,
you might want the output in an HTML file:

11
 3. In the Queries tab, you can change different settings on the queries.
4. Click on the Help tab if you require more information on the tool.
5. Click on the General tab and change the setting to an output file location if you
desire so.
6. Next in Collect Title, fill in a descriptive name.
7. Click on Start to Collect:

12
8. When the collection is done, a dialog will appear asking if you want to see the
HTML report.
9. Click on OK and HTML report will appear:

13
Security Updates

With both previously mentioned analyzers and MBV you can find issues with your
BizTalk environment. It is the BizTalk administrator responsibility to keep the
environment healthy and secure. You can use the analyzers and MBV to keep the
environment healthy and stay up to date with the latest patches. A site to watch for
(security) updates for BizTalk Server is “Service Pack and Cumulative Update list for
BizTalk Server”: http://support.microsoft.com/kb/2555976/en

Secure Messaging Infrastructure

Concept of BizTalk Server is messaging based on publish and subscribe architecture.
Goal with this architecture is to establish message exchange between systems through
ports. Within these ports you can setup the security with BizTalk and other systems.
Secure messaging can be on message- or transport level. Certificates play an important
role in both. Either you use certificates for signing and/or verifying messages, encrypt
and or decrypt messages or setup secure transportation (HTTPS). Certificates are

14
managed in the certificate store. The following paragraph will dicuss the certificate store
before message- and transport level security will be explained.

Managing Certificate Store

The BizTalk Server depends mainly on security provided by certificates and uses them
for encryption and digital signatures. By using certificates for encryption and digital
signatures. The BizTalk Server can:

 Send and receive data that can be trusted

 Make sure that the data it processes is secure
 Make sure that the authorized parties receive its messages
 Make sure that it receives messages from the authorized parties

The underlying methodology of digital certificates is called PKI. Here, a user has a key
pair consisting of a public and a private key. Any encryption performed with a private
key can be decrypted with the corresponding public key, and vice versa. As the terms
imply, the private key remains under the sole control of the user and the public key is
made publicly available. For the public to know who is the owner of a certain public key,
data that identifies the owner is added to that key. The combination of that data and the
public key is referred to as a digital certificate.

Digital certificates are stored in certificate stores. A certificate store often has numerous
certificates, possibly issued by a number of different certification authorities. There are
two locations (stores) that BizTalk uses:

 Other People certificate store

 Personal certificate store

Through the Other People certificate store, BizTalk retrieves the public key certificates
needed to encrypt outgoing messages and to verify the digital signatures on incoming
messages. All users can read and use the certificates in this store. The following
screenshot shows the Other People certificate store that the BizTalk Server uses for
public key certificates:

15
BizTalk uses the Personal certificate store to create an association to a private key needed
to decrypt incoming messages and sign outbound messages. The personal certificate store
of the host instance is used to access the private key associated with that service account.
Every Windows account enabled to log on interactively on a computer has a Personal
certificate store that only that account can access.

When a running host instance needs to decrypt incoming or sign outbound messages, it
requires a private key. The certificate that corresponds to that private key must be stored
in the Personal certificate store for the service account that runs that host instance. The
following screenshot shows the Personal certificate store that the BizTalk Server uses for
certificates that have an associated private key:

To import certificates, you can use the Microsoft Management Console (MMC).
16
When typing mmc at the command line the Microsoft Management Console will appear,
and you can choose which snap-in you want to add or remove. You can select Certificates
and click Add.

You will then be presented with a Certificates Snap-ins dialog screen that contains three
options detailing how snap-ins should manage the certificates:

 My user account
 Service account
 Computer account

You will have to select one of these based on what you what to manage. If you want to
manage more than one certificate store than you will have to redo the steps described
above. You are now able to import certificates in the key store. For a checklist of steps to
install the certificates, you can see the document Checklist: Installing and Configuring
Certificates at MSDN (http://msdn.microsoft.com/en-
us/library/gg634541%28v=BTS.70%29.aspx).

17
Message Level Security
Microsoft BizTalk Server 2010 can make use of Public Key Infrastructure (PKI) digital
certificates (http://msdn.microsoft.com/en-us/library/windows/desktop/aa381975.aspx
) for purposes of document encryption and decryption, document signing and verification
(non-repudiation), and party resolution.

With this infrastructure, BizTalk provides security at its boundaries when messages are
received over some communication channel or sent to a party or channel. In general,
BizTalk provides message-level security for:

 Inbound messages:
o Receiving trusted data
o Authenticating message sender party
 Outbound messages:
o Sending out trusted data
 Trust between processes

Within the BizTalk runtime architecture, receive and send handlers are involved in
messagelevel security. The receive handler is responsible for receiving messages from
channels containing one or more receive locations. Such a receive location is a
combination of a receive adapter and a pipeline. The receive pipeline contains four
stages:

 Decode
 Disassemble
 Validate
 Resolve party

The first and last stages (decode and resolve party) in receive pipelines deal with message
security. These stages can decrypt a message and verify its digital signature with the help
of certificates. A send handler has a different role and it fetches messages from the
MessageBox through subscriptions, and pushes these messages to a channel. A send
handler is a combination of a send adapter and a pipeline. The send pipeline contains
three stages:

 Preassemble
 Assemble
 Encode

The last stage (encode) can be configured to encrypt or digitally sign messages.
Receive and send handlers together with orchestrations run under what is called a host,
18
which is a logical entity (container). It represents BizTalk runtime services, which
facilitates the operation of these components. A host can be mapped to a BizTalk
physical machine in the BizTalk Server Group. This mapping is named host instance and
runs under a certain Windows account. This account acts as a principle identity (Service
account) of the running host instance and plays a role in message-level security by
providing access to its certificate store.

When securing your message exchange between the BizTalk Server and the external
party with which it communicates you may face security requirements dictating the
encryption of messages from and to the external parties. These requirements could stem
from:
 Sensitive data such as financial or healthcare
 Privacy regulations

If encryption is not a requirement, you will have to sign your messages or verify the
messages from partners. By signing and verifying messages, you ensure that the data in
message has not been tampered with.
Encryption and Decryption
In certain communication scenarios between two parties, you may need an encryption
mechanism for outbound messages, as well as a decryption mechanism for the inbound
messages. Information in messages can be of a sensitive nature or bound to privacy law.
This can be data such as social security numbers, bank account numbers, addresses,
phone numbers, and so on. The BizTalk Server offers encryption capabilities using
certificates. These certificates contain cryptographic key pairs consisting of a public and
a private key. The owner of a certificate, for instance BizTalk, can share the public key
with communication partner(s). These partners use that public key to encrypt their
messages. As the message can only be decrypted with the corresponding private key, the
partner(s) are certain that the message can only be decrypted by the owner of the
certificate. This means that the private key has to be kept secure and should be protected
by the owner.

BizTalk can send secure, encrypted messages to partners by using the public key
certificate of each of them. A host can have many public keys for sending encrypted
messages, but it can only use one certificate for decrypting messages. The following table
describes the keys and certificates that need to be installed for encrypting and decrypting
messages:

Certificate Purpose Certificate Type Certificate Store

Encryption Own private key The Personal store for each Service
account of a host instance that has a

19
 receive pipeline with a MIME/SMIME
Decoder pipeline component.
Decryption Partner’s public key The Other People store on each computer
that has a host instance, which has a send
pipeline with a MIME/SMIME Encoder
pipeline component configured to encrypt
messages.

Every certificate contains a unique identifier called a thumbprint, which BizTalk uses to
identify the correct certificate. The thumbprint is calculated by applying a hashing
algorithm to the certificate. Thumbprints are used while configuring a host or a Send port.
Signing and Verifying

To prevent tampering with a message, it can be signed with a certificate to guarantee it is

authentic. The BizTalk Server uses a private key to sign outgoing messages. The signing
of messages can be achieved by using the standard encoding component
(MIME/SMIME) in the send pipeline. The encoding component then needs to be
configured to sign all outgoing messages. The signing key and certificate that are used to
sign the outgoing message are retrieved from the personal certificate store for the host
service account where the pipeline is running.

The following table describes the keys and certificates that need to be installed to sign
and verify messages:

Certificate Purpose Certificate Type Certificate Store

Signing Own private key with Personal store for each service account
associated certificate of a host instance that has a send
pipeline with a MIME/SMIME Encoder
pipeline component configured to sign
messages.
Verifying Partner's public Other People store on each computer
key,found in the that has a host instance that uses a
Partner's certificate receive pipeline with a MIME/SMIME
Decoder pipeline component.

The BizTalk Server supports only one personal certificate for each BizTalk group. A
BizTalk group can represent an entire enterprise, a department, a hub, or another business
20
unit. The personal certificate that is used by the BizTalk group is specified by setting the
thumbprint of the personal certificate in the BizTalk group properties. To conclude, a
BizTalk group is limited by using one certificate to be used for signing a message. You
must make sure that the signing certificate is available in the certificate store of the
service account of the hosts, where the send pipelines are running:

Transport level security

Secure transport can be provided by HTTPS, which is a combination of the Hypertext
Transfer Protocol (HTTP) with Secure Sockets Layer (SSL)/Transport Level Security
(TLS) protocol to provide encrypted communication and secure identification of a
network web server. SSL provides secure connections by allowing two applications
connecting over a network connection to authenticate the identity and by encrypting the
data exchanged between the applications. Authentication allows a server and optionally a
client to verify the identity of the application on the other end of a network connection.
Encryption makes data transmitted over the network intelligible only to the intended
21
recipient. Where message level security focuses on data in the message itself, transport-
level security focuses on protecting the data while it is in transit from the sender to the
recipient. With BizTalk, transport-level security can be accomplished with HTTP, FTP,
WCF-BasicHttp adapters, and WCF-WSHttp adapters.
Secure communication between the BizTalk Server and an external party can be
configured using one-way or two-way SSL authentication. With a one-way SSL, the
server is required to present a certificate to the external party, but the external party is not
required to present a certificate to the server. To successfully negotiate an SSL
connection, the external party must authenticate the server, but the server will accept any
external party into the connection. A one-way SSL is common on the Internet where
users want to create secure connections before they share personal data. With a two-way
SSL, the client also presents a certificate to the server. A server can be configured with a
requirement for the clients to submit valid and trusted certificates before completing the
SSL connection.
To have transport-level security through SSL, you need to configure the appropriate send
adapter when sending a message securely to an external party. After you have deployed
your BizTalk solution, you will configure Send ports that require transport security.

22
Managing the SSO
The BizTalk Server and another Microsoft Server product, Host Integration Server (HIS),
both support an extension of the Windows Enterprise Security integration called
Enterprise SSO. The Enterprise SSO (http://msdn.microsoft.com/en-
us/library/aa558712.aspx) in total is provided by a set of processes that run on network
servers to provide the following services for heterogeneous systems:
 User account and password mapping and caching
 SSO to multiple Windows domains and Host security systems
 Password Synchronization to simplify administration

The services mentioned earlier are mandatory for the BizTalk Server, even if you do not
require them. The BizTalk Server uses the SSO to help secure information for the receive
locations.
23
When the Enterprise SSO service gets started, it retrieves the encryption key called
master secret from the Master Secret Server. The Master Secret Server is another
Enterprise SSO service that has an additional subservice that distributes and maintains the
master secret. What the Enterprise SSO service does is that it caches the master secret
after it has been retrieved. Every 60 seconds the service synchronizes the master secret
with the Master Secret Server.
Regardless of whether you will use the Enterprise SSO service for credential mapping or
not, it has to be available in any kind of BizTalk configuration. With the Microsoft
Management Console (MMC) or command line ssomanage utility, you are able to
manage the SSO system. With either of these tools, you can update the SSO database,
adding, deleting, and managing applications, and administer user mappings. In the MMC,
you will find all programs of your operating system. Refer to the following screenshot:

24
The command line ssomanage is available in C:\Program Files\Common files\SingleSign
On. You will also find the ssoconfig command-line tool at the specified location, which is
a utility to configure your password synchronization settings.

User Mapping (Credential Mapping)

A BizTalk administrator can define an affiliate application and can define it either as an
application with individual mappings, or as an application with a group mapping. With an
individual mappings a BizTalk administrator can create a one-to-one mapping between
Windows users and their corresponding non-Windows credentials. The SSO system will
maintain the one-to-one relation for the user's Windows account and the user's non-
Windows account. Group mapping differs from individual mapping as multiple Windows
users are mapped to a single account in the affiliate application. In both cases the
mappings can only be created for Windows domain accounts. Local accounts cannot be
mapped.
Mappings can be managed through the ssomanage command line tool. With this
command line tool you can administer user mappings. Table below shows the commands
that can be used with the ssomanage command line tool with regards to mapping.
Command Description
-listmappings Provide a list of user mappings
-createmappings Create one or more mappings based on a xml file.
For instance like sample file below:
<sso>
<mapping>
<windowsDomain>domain</windowsDomain>
<windowsUserId>WindowsUserName</windowsUserId>
<externalApplication>Application
name1</externalApplication>
<externalUserId>App1UserName</externalUserId>
</mapping>
<mapping>
<windowsDomain>domain</windowsDomain>
<windowsUserId>WindowsUserName</windowsUserId>
<externalApplication>Application
name2</externalApplication>
<externalUserId>App2UserName</externalUserId>
</mapping>
</sso>

-deletemappings Delete one of more mappings based on xml file.

25
-setcredentials Set the credentials for a user to access a specific
application.
-enablemapping Enable a user mapping before it you can use the
mapping in the Single Sign-On system.
-disablemapping Disable a user mapping when you want to turn off all
operations associated with a given mapping.

Managing SSO Affiliate Applications

In previous paragraph defining an affiliate application is mentioned. An affiliate

application can represent a back-end system such as a mainframe or UNIX computer.
You will find more information through the MSDN article SSO Affiliate Applications
(http://msdn.microsoft.com/en-us/library/aa754070%28v=bts.10%29.aspx).
A BizTalk administrator can create an affiliate application through ENTSSO Microsoft
Management Console or ssomanage command line. Creating an application is one of the
operation a BizTalk administrator can perform. He can also perform the following
operation through either ssomanage command line or ENTSSO Management Console:
 Delete an Affiliate Application
 Update the Properties of an Affiliate Application
 Enable an Affiliate Application
 Disable an Affiliate Application
 List Affiliate Applications
 List the Properties of an Affiliate Application
 Clear the Application Cache

Using SSO to store application configuration data

There are a couple of options a developer can have when comes to using application
configurable values. These options can be divided into three categories:
 File: BTSNTSvc.exe.config, Custom config file, Enterprise Library
 Database: Business Rule Engine, SSO, or Custom database
 Registry

A secure way to store application data is using the SSO. Microsoft has built a SSO
Application Configuration snap-in
(www.microsoft.com/download/en/details.aspx?id=14524)

26
 that provides an good user experience maintaining custom configuration data. When
downloading the snap-in you will also get code for a .NET Helper Class to support
retrieval of data in BizTalk.

Currently in Enterprise Single Sign-On (SSO), there are three utilities to perform SSO-
based tasks:

 SSOConfig
 SSOManage
 SSOClient

All these tools focus on managing credentials. There has been a lack of tooling for ability
to create and manage configuration-based applications. This has now changed with the
creation of the SSO Configuration Application MMC Snap-In. This tool provides the
ability to add and manage applications, add and manage key value pairs, as well as
import and export configuration applications so that they can be deployed to different
environments. Also provided is a client-side class that makes accessing the SSO system
to retrieve your key/value pairs easy.

As administrator your responsibility lies with maintain the SSO Application

Configuration Snap in that can contain sensitive data (like username, passwords) that can
be used within orchestrations.

Managing BizTalk Security

After BizTalk environment has been deployed, secured with applications running it be
will up to BizTalk administrator, system engineers and database adaministrator to keep
running. Keeping BizTalk healthy is one of the main tasks for BizTalk administrator.
With keeping it healthy also will mean to keep it secure. Some of the tasks you need to
perform as an administrator have been described in the previous paragraphs. These tasks
include manage accounts, certificates, and passwords. You will find more information
through MSDN article Managing BizTalk Security (http://msdn.microsoft.com/en-
us/library/aa578061.aspx).

SQL Server 2008 R2 Encryption Techniques

Another aspect of security is securing data that flows through BizTalk Server. Data can
be very sensitive and not be viewed by anyone. This also account for data that is backed
up through BizTalk Server backup jobs. With BizTalk Server 2010, the transparent data
encryption (TDE) feature of SQL Server can be used to protect data that contains
confidential and sensitive information information in messages (for instance credit card
27
data). To enable and disable TDE, backing up the TDE enabled BizTalk Server databases
and restoring them you can follow the steps explained in MSDN article Understanding
Transparent Data Encryption (TDE) (http://msdn.microsoft.com/en-
us/library/bb934049%28v=sql.105%29.aspx). This task is for a database administrator to
carried out, unless the BizTalk Server administrator combines this role with maintaining
databases.

Summary
In this chapter, we have learned about the security with BizTalk. We have discussed
securing the BizTalk environment, secure messaging, SSO as credentials- and application
configuration store, mangaging SSO and a data encryption techniques.
An administrator can use the BizTalk Administration Console, Certificate management
snap-in, and SSO tools to perform security related tasks. A BizTalk Server administrator
will primarily work with these tools when dealing with security. His job regarding
security will mean collaboration with system engineers and database administators.

28