Professional Documents
Culture Documents
Security
In the last chapter we learned about EDI. In this chapter we will dive into the techniques
required for a BizTalk Administrator to keep BizTalk Server environment secure. As
BizTalk administrator you are responisble to prevent that unauthorized people have
access to your BizTalk environment let alone give someone the ability to pry on
messages that contain sentive data. Collaboration with system engineers from the IT
department is important to assure that this will not happen.
The following topics will be discussed:
Securing the BizTalk environment
Secure Messaging Infrastructure
o Managing the Certificate Store
o Message Level Security
o Transport Level Security
Managing the SSO
o Credential Mapping
o Managing SSO Affiliate Applications
o Using SSO to store application configuration data
SQL Server 2008 R2 Encryption Techniques
These tasks can be performed after the BizTalk environment is deployed and later on
when environment is up and running. The following paragraphs will discuss using the
tools with regards to security. Following up techecklist speaks for itself.
The MBSA includes a graphical and command line interface that can perform local or
remote scans of Microsoft Windows systems. It runs on Windows Server 2008 R2,
Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows
XP and Windows 2000 systems and will scan for missing security updates, rollups and
service packs using Microsoft Update technologies. It will also scan for common security
misconfigurations (also called Vulnerability Assessment checks) using a known list of
less secure settings and configurations for all versions of Windows, Internet Information
Server (IIS) 5.0, 6.0 and 6.1, SQL Server 2000 and 2005, Internet Explorer (IE) 5.01 and
later, and Office 2000, 2002 and 2003 only.
To run the Microsoft Baseline Security Analyzer, perform one of the following:
Start the Microsoft Baseline Security Analyzer from the Start menu. Go to Start |
Microsoft Baseline Security Analyzer.
Open Windows Explorer and navigate to the Microsoft Baseline Security
Analyzer installation directory (by default, c:\Program Files\ Microsoft Baseline
Security Analyzer 2\) and double-click on mbsa.exe.
2
2. Fill in the appropriate details and options.
3
3. Start Scan.
4. Scanning will start. It will start downloading the security update information
from microsoft. This may take a while.
5. After Scan a report will be presented with possible issues:
4
It will be up to you as BizTalk administrator to work with system engineers to resolve
possible issue(s).
The Best Practices Analyzer (BPA) examines a BizTalk Server deployment and
generates a list of issues pertaining to best practice standards for BizTalk Server
deployments. This tool is designed to assess the configuration of a BizTalk installation. It
can be download from Microsoft download center:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=15963
5
The BPA performs configuration-level verification by gathering data from different
information sources, such as Windows Management Instrumentation (WMI) classes,
SQL Server databases, and registry entries and presents a report to the user. Under the
hood, it uses the data to evaluate the deployment configuration. It does not modify any
system settings and is not a self-tuning tool. The tool is there to deliver support in
achieving the best suitable configuration and report issues or possible issues, that could
potentially harm the BizTalk environment.
As a user, you need an account that has local administrative rights, that is a
member of the BizTalk Server Administrators group, and a member of the SSO
Administrators group to be able to run the BPA.
1. As soon as you start the BPA, it will check for updates. The user can decide
whether or not to check for updates for newer versions of the configuration:
6
2. If a newer version is found, you are able to download the latest updates. The next
step is to perform a scan by clicking on Start a scan:
7
3. After starting the scan, starts data will be gathered from different information
sources as described earlier.
4. After the scan has been completed, the user can decide to view the report of the
performed scan:
8
5. You can click View a report of this Best Practices scan and the report will be
generated. After generation of the report, several tabs will appear:
o Critical Issues
o All Issues
o Non-Default Settings
o Recent Changes
o Baseline
o Informational Items
9
It will be up to you as administrator to work with system engineers to resolve possible
issue(s).
The BizTalk Message Box Viewer, also known as the Message Box Viewer (MBV), was
created by Jean-Pierre Auconie. The MBV tool retrieves information from a BizTalk
System and identifies many possible issues, which could be critical or need attention, and
presents them in a user friendly format. This tool is like the BizTalk Best Practices
Analyzer (BPA) which is a health check tool that generates reports of a BizTalk System.
Both the BPA and MBV are complementary to each other. The MBV can help
administrators in acquiring information of a production the system very fast, with hardly
any impact on running environment. It can help administrators to identify possible issues,
which could be critical or need attention.
The MBV has two executables; one to fire up a console application and another to the
10
Windows Form application. Both use the same engine by reading only in the BizTalk
databases and Server's registry to retrieve useful lists of information. Both console
applications, as they are Windows Form applications can produce three types of reports:
HTML report: This is the first file to open. It shows a well formatted result of the
health check.
History log file: It contains the history of all reports in a textual format.
Status log file: It contains a detailed status of each query execution and possibly
errors met. The status log file is important to read if some errors were met during
the collect process. It displays the start time of each query.
Both tools also offer the option to generate an XML report. You can download the latest
version of BizTalk Message Box Viewer Version 11
(http://blogs.technet.com/b/jpierauc/archive/2007/12/18/msgboxviewer.aspx
).
The following steps need to be performed to obtain results from the BizTalk Message
Box Viewer to investigate the health of the BizTalk system or for troubleshooting
purposes:
1. Open the MsgBoxViewer application.
2. In the Global Properties tab, you can set properties according to your
requirements, for instance, changing the format of the output file; for example,
you might want the output in an HTML file:
11
3. In the Queries tab, you can change different settings on the queries.
4. Click on the Help tab if you require more information on the tool.
5. Click on the General tab and change the setting to an output file location if you
desire so.
6. Next in Collect Title, fill in a descriptive name.
7. Click on Start to Collect:
12
8. When the collection is done, a dialog will appear asking if you want to see the
HTML report.
9. Click on OK and HTML report will appear:
13
Security Updates
With both previously mentioned analyzers and MBV you can find issues with your
BizTalk environment. It is the BizTalk administrator responsibility to keep the
environment healthy and secure. You can use the analyzers and MBV to keep the
environment healthy and stay up to date with the latest patches. A site to watch for
(security) updates for BizTalk Server is “Service Pack and Cumulative Update list for
BizTalk Server”: http://support.microsoft.com/kb/2555976/en
14
managed in the certificate store. The following paragraph will dicuss the certificate store
before message- and transport level security will be explained.
The BizTalk Server depends mainly on security provided by certificates and uses them
for encryption and digital signatures. By using certificates for encryption and digital
signatures. The BizTalk Server can:
The underlying methodology of digital certificates is called PKI. Here, a user has a key
pair consisting of a public and a private key. Any encryption performed with a private
key can be decrypted with the corresponding public key, and vice versa. As the terms
imply, the private key remains under the sole control of the user and the public key is
made publicly available. For the public to know who is the owner of a certain public key,
data that identifies the owner is added to that key. The combination of that data and the
public key is referred to as a digital certificate.
Digital certificates are stored in certificate stores. A certificate store often has numerous
certificates, possibly issued by a number of different certification authorities. There are
two locations (stores) that BizTalk uses:
Through the Other People certificate store, BizTalk retrieves the public key certificates
needed to encrypt outgoing messages and to verify the digital signatures on incoming
messages. All users can read and use the certificates in this store. The following
screenshot shows the Other People certificate store that the BizTalk Server uses for
public key certificates:
15
BizTalk uses the Personal certificate store to create an association to a private key needed
to decrypt incoming messages and sign outbound messages. The personal certificate store
of the host instance is used to access the private key associated with that service account.
Every Windows account enabled to log on interactively on a computer has a Personal
certificate store that only that account can access.
When a running host instance needs to decrypt incoming or sign outbound messages, it
requires a private key. The certificate that corresponds to that private key must be stored
in the Personal certificate store for the service account that runs that host instance. The
following screenshot shows the Personal certificate store that the BizTalk Server uses for
certificates that have an associated private key:
To import certificates, you can use the Microsoft Management Console (MMC).
16
When typing mmc at the command line the Microsoft Management Console will appear,
and you can choose which snap-in you want to add or remove. You can select Certificates
and click Add.
You will then be presented with a Certificates Snap-ins dialog screen that contains three
options detailing how snap-ins should manage the certificates:
My user account
Service account
Computer account
You will have to select one of these based on what you what to manage. If you want to
manage more than one certificate store than you will have to redo the steps described
above. You are now able to import certificates in the key store. For a checklist of steps to
install the certificates, you can see the document Checklist: Installing and Configuring
Certificates at MSDN (http://msdn.microsoft.com/en-
us/library/gg634541%28v=BTS.70%29.aspx).
17
Message Level Security
Microsoft BizTalk Server 2010 can make use of Public Key Infrastructure (PKI) digital
certificates (http://msdn.microsoft.com/en-us/library/windows/desktop/aa381975.aspx
) for purposes of document encryption and decryption, document signing and verification
(non-repudiation), and party resolution.
With this infrastructure, BizTalk provides security at its boundaries when messages are
received over some communication channel or sent to a party or channel. In general,
BizTalk provides message-level security for:
Inbound messages:
o Receiving trusted data
o Authenticating message sender party
Outbound messages:
o Sending out trusted data
Trust between processes
Within the BizTalk runtime architecture, receive and send handlers are involved in
messagelevel security. The receive handler is responsible for receiving messages from
channels containing one or more receive locations. Such a receive location is a
combination of a receive adapter and a pipeline. The receive pipeline contains four
stages:
Decode
Disassemble
Validate
Resolve party
The first and last stages (decode and resolve party) in receive pipelines deal with message
security. These stages can decrypt a message and verify its digital signature with the help
of certificates. A send handler has a different role and it fetches messages from the
MessageBox through subscriptions, and pushes these messages to a channel. A send
handler is a combination of a send adapter and a pipeline. The send pipeline contains
three stages:
Preassemble
Assemble
Encode
The last stage (encode) can be configured to encrypt or digitally sign messages.
Receive and send handlers together with orchestrations run under what is called a host,
18
which is a logical entity (container). It represents BizTalk runtime services, which
facilitates the operation of these components. A host can be mapped to a BizTalk
physical machine in the BizTalk Server Group. This mapping is named host instance and
runs under a certain Windows account. This account acts as a principle identity (Service
account) of the running host instance and plays a role in message-level security by
providing access to its certificate store.
When securing your message exchange between the BizTalk Server and the external
party with which it communicates you may face security requirements dictating the
encryption of messages from and to the external parties. These requirements could stem
from:
Sensitive data such as financial or healthcare
Privacy regulations
If encryption is not a requirement, you will have to sign your messages or verify the
messages from partners. By signing and verifying messages, you ensure that the data in
message has not been tampered with.
Encryption and Decryption
In certain communication scenarios between two parties, you may need an encryption
mechanism for outbound messages, as well as a decryption mechanism for the inbound
messages. Information in messages can be of a sensitive nature or bound to privacy law.
This can be data such as social security numbers, bank account numbers, addresses,
phone numbers, and so on. The BizTalk Server offers encryption capabilities using
certificates. These certificates contain cryptographic key pairs consisting of a public and
a private key. The owner of a certificate, for instance BizTalk, can share the public key
with communication partner(s). These partners use that public key to encrypt their
messages. As the message can only be decrypted with the corresponding private key, the
partner(s) are certain that the message can only be decrypted by the owner of the
certificate. This means that the private key has to be kept secure and should be protected
by the owner.
BizTalk can send secure, encrypted messages to partners by using the public key
certificate of each of them. A host can have many public keys for sending encrypted
messages, but it can only use one certificate for decrypting messages. The following table
describes the keys and certificates that need to be installed for encrypting and decrypting
messages:
19
receive pipeline with a MIME/SMIME
Decoder pipeline component.
Decryption Partner’s public key The Other People store on each computer
that has a host instance, which has a send
pipeline with a MIME/SMIME Encoder
pipeline component configured to encrypt
messages.
Every certificate contains a unique identifier called a thumbprint, which BizTalk uses to
identify the correct certificate. The thumbprint is calculated by applying a hashing
algorithm to the certificate. Thumbprints are used while configuring a host or a Send port.
Signing and Verifying
The following table describes the keys and certificates that need to be installed to sign
and verify messages:
The BizTalk Server supports only one personal certificate for each BizTalk group. A
BizTalk group can represent an entire enterprise, a department, a hub, or another business
20
unit. The personal certificate that is used by the BizTalk group is specified by setting the
thumbprint of the personal certificate in the BizTalk group properties. To conclude, a
BizTalk group is limited by using one certificate to be used for signing a message. You
must make sure that the signing certificate is available in the certificate store of the
service account of the hosts, where the send pipelines are running:
22
Managing the SSO
The BizTalk Server and another Microsoft Server product, Host Integration Server (HIS),
both support an extension of the Windows Enterprise Security integration called
Enterprise SSO. The Enterprise SSO (http://msdn.microsoft.com/en-
us/library/aa558712.aspx) in total is provided by a set of processes that run on network
servers to provide the following services for heterogeneous systems:
User account and password mapping and caching
SSO to multiple Windows domains and Host security systems
Password Synchronization to simplify administration
The services mentioned earlier are mandatory for the BizTalk Server, even if you do not
require them. The BizTalk Server uses the SSO to help secure information for the receive
locations.
23
When the Enterprise SSO service gets started, it retrieves the encryption key called
master secret from the Master Secret Server. The Master Secret Server is another
Enterprise SSO service that has an additional subservice that distributes and maintains the
master secret. What the Enterprise SSO service does is that it caches the master secret
after it has been retrieved. Every 60 seconds the service synchronizes the master secret
with the Master Secret Server.
Regardless of whether you will use the Enterprise SSO service for credential mapping or
not, it has to be available in any kind of BizTalk configuration. With the Microsoft
Management Console (MMC) or command line ssomanage utility, you are able to
manage the SSO system. With either of these tools, you can update the SSO database,
adding, deleting, and managing applications, and administer user mappings. In the MMC,
you will find all programs of your operating system. Refer to the following screenshot:
24
The command line ssomanage is available in C:\Program Files\Common files\SingleSign
On. You will also find the ssoconfig command-line tool at the specified location, which is
a utility to configure your password synchronization settings.
25
-setcredentials Set the credentials for a user to access a specific
application.
-enablemapping Enable a user mapping before it you can use the
mapping in the Single Sign-On system.
-disablemapping Disable a user mapping when you want to turn off all
operations associated with a given mapping.
A secure way to store application data is using the SSO. Microsoft has built a SSO
Application Configuration snap-in
(www.microsoft.com/download/en/details.aspx?id=14524)
26
that provides an good user experience maintaining custom configuration data. When
downloading the snap-in you will also get code for a .NET Helper Class to support
retrieval of data in BizTalk.
Currently in Enterprise Single Sign-On (SSO), there are three utilities to perform SSO-
based tasks:
SSOConfig
SSOManage
SSOClient
All these tools focus on managing credentials. There has been a lack of tooling for ability
to create and manage configuration-based applications. This has now changed with the
creation of the SSO Configuration Application MMC Snap-In. This tool provides the
ability to add and manage applications, add and manage key value pairs, as well as
import and export configuration applications so that they can be deployed to different
environments. Also provided is a client-side class that makes accessing the SSO system
to retrieve your key/value pairs easy.
Summary
In this chapter, we have learned about the security with BizTalk. We have discussed
securing the BizTalk environment, secure messaging, SSO as credentials- and application
configuration store, mangaging SSO and a data encryption techniques.
An administrator can use the BizTalk Administration Console, Certificate management
snap-in, and SSO tools to perform security related tasks. A BizTalk Server administrator
will primarily work with these tools when dealing with security. His job regarding
security will mean collaboration with system engineers and database administators.
28