Working with Trading Partners

The definition of trading partner in the BizTalk Server glossary reads, "An external organization with which your home organization exchanges electronic data. The messaging ports, distribution lists, channels, and XLANG schedules that you create govern the exchange of documents among trading partners." A big part of that governing is ensuring that the messages/documents you receive from your trading partners really come from them, have not been tampered with, and preferably are encrypted so that unauthorized users cannot read the contents. SSL (for HTTPS data exchange) or IPSec protects the data from network eavesdropping, but only while it is in transit: once a message arrives on the server it is readable again, and nothing in the transport proves who produced it. Certificates applied to the message itself give you the level of security you need: a signature made with the partner's private key proves origin and integrity, and encryption to your public key keeps the contents unreadable until your own private key decrypts them.

It is important to know where BizTalk Server looks for certificates. The certificates it uses to sign its own outbound messages and decrypt inbound ones are stored in the Personal certificate store of the local computer, that is, the server running the BizTalk Server service. The certificates of the trading partners are kept in the BizTalk store on the local computer. You can manage both using the Certificates (Local Computer) snap-in (Figure 8.30).

To populate the Personal store with certificates (remember that here "personal" refers to the local computer account, not to a user), you can request a new certificate or import one from a file. If you import a certificate, the file must also include the private key; otherwise you cannot use it to sign outgoing messages/documents, decrypt incoming ones, or secure communications.

Without going into too much detail about certificates, it is important to know that a certificate binds a name to a public key and relies on public-key (asymmetric) cryptography. This means that you have two mathematically related keys, a public one and a private one. Simply put, the private key, which Windows protects and which should never leave your machine, is used to decrypt messages that you receive and to sign messages that you send. The public key, which is wrapped in the certificate and can be handed out to everyone, is used by others to encrypt messages meant for you and to verify your signatures. A certificate is only as trustworthy as the CA that issued it, so the issuer matters as much as the key itself.

To populate the BizTalk store, you need the public keys, and hence the certificates, of your trading partners, and they need your public key. Before you can develop any COM+ application in which you actively work with certificates (see the section CryptoAPI), you must be in possession of these public keys. Ask your trading partners to supply you with the certificate they are going to use in the BizTalk document exchange, and confirm through a separate channel that the certificate you received is really theirs: whoever can substitute a certificate at this point can impersonate the partner. If you have a limited number of known trading partners, for supply-chain or e-procurement, and you hold a central position in these relationships, you could consider becoming the CA for your BizTalk application. Your trading partners can enroll for a certificate, using your CA, via the Certificate Enrollment Web site application that comes with Certificate Services (called certsrv). The advantage is that since you trust your own CA, you can trust all certificates issued by this CA, giving you better control over the certificates used. If you do not want to be bothered with setting up and maintaining your own CA, you should define which certificates you accept for use with your BizTalk application:

■ Which hash algorithms do you allow/support?

■ What key lengths do you allow/support?

■ What public-key encryption algorithms do you allow/support?

■ Which issuing CAs do you trust, and what happens to a certificate that chains to any other CA?

Let's clarify the enrollment, export, and import of certificates using the following example. Assume you decide to run your own CA for the BizTalk application and that you will only accept certificates issued by this BizTalk CA. You will also reference the certificates in your channel definitions. The exchange consists of the following steps:

1. The trading partner requests a certificate from the BizTalk CA.

2. After receiving the certificate, the trading partner exports it (without the private key) and sends the certificate file to you.

3. You import the certificate into the BizTalk store.

4. You select one of your local certificates and the imported partner certificate for a channel.

The trading partner will use the Certificate Services Web site to request a certificate. To access the CA, he needs a username and password within your domain. This is only a viable solution if you know your trading partners and they are few in number. The benefit is better control of the certificates in use, and hence better security. Every trading partner has to perform the following steps to obtain a certificate:

1. Open the browser and point it to the Certificate Services Web site, by default called certsrv. After authentication, you enter the Web site (Figure 8.33).

2. Select the option Request a certificate, already selected by default.

3. Press Next to move to the next page, which asks for the type of request.

Figure 8.33 Requesting a Certificate Using the Certificate Services Web Site

4. Select Advanced Request, and press Next. You need this request type to be able to mark the key as exportable, as you will see later.

5. On the Advanced Certificate Requests page, select the option Submit a certificate request to this CA using a form, and press Next.

6. You are now on the second page of the Advanced Certificate Request (Figure 8.34) and should make the following selections:

■ For Certificate Template, use User.

■ For CSP, use Microsoft Strong Cryptographic Provider, although the default also works.

■ For Key size, 1024 was the common choice when this was written, on the grounds that a larger key takes more processing power. That advice has not aged well: 1024-bit RSA keys are no longer considered adequate, and current guidance is at least 2048 bits. The extra cost of a larger key is paid once per signature or key exchange and is negligible next to processing the document itself, so choose 2048 or the largest size your partners' software supports.

■ Select Create new key set.

■ Check the box Enable strong private key protection. Be aware that this makes Windows prompt for the key's password every time the private key is used, which is fine for an interactive user but blocks an unattended service that has to sign or decrypt with nobody at the console; leave it unchecked for a key that a service account will use.

■ Check the box Mark keys as exportable. This is the main reason to go for the Advanced Request; otherwise you will not be able to export your private key, which you will need for the application that will exchange messages/documents with the BizTalk application.

■ Check the box Export keys to file, and fill in a filename; for example, BizTalk_Exchange.

Figure 8.34 The Advanced Certificate Request Page on the Certificate Services Web Site

7. Press Submit.

8. A dialog appears that prompts you for a password to protect the key file. Enter the password twice, and press OK.

9. You are now on the Certificate Issued page, and you can select the type of encoding. For this purpose, either will do, so keep the default.

10. Click the link Download CA certificate, and the Windows File Download dialog appears. Choose to save the file to disk.

11. Close the browser.

At this point, the trading partner has a file containing the certificate, including the private key. This file can be installed on the partner's server in the appropriate store by double-clicking it, pressing Install Certificate..., and completing the Certificate Import Wizard. The trading partner can then export the certificate by going to the Details tab and pressing Copy to File..., which starts the Certificate Export Wizard. In that wizard the partner must choose not to export the private key: the file you receive should contain the certificate (the public key) only. A copy of the partner's private key on your server would let you forge the partner's signatures and would make that key only as safe as your server. The resulting certificate file can be sent to you.

Since the trading partner also needs a certificate from you, follow the same steps and install the certificate in the Personal store of the local computer, that is, the server that runs BizTalk Server. You can request a certificate directly from the MMC with the Certificates - Current User snap-in: go to the Personal store, right-click it, and select All Tasks | Request New Certificate.... You can set the same options as with the CA Web site. After the certificate is created, it is installed automatically in your Personal store. You can move it to the Certificates (Local Computer) Personal store by cutting and pasting the certificate; it belongs there, rather than in your own user profile, because it is the BizTalk Server service, not your user account, that needs the private key.

After receiving the certificate from your trading partner, you need to install it in the BizTalk store of the local computer. Before you do, confirm with the partner over a separate channel (a phone call, for example) that the certificate's thumbprint matches the one they were issued; a certificate substituted on the way to you would let an attacker pass off their own signed documents as the partner's. Do the import from the MMC with the Certificates (Local Computer) snap-in:

1. Expand Certificates (Local Computer).

2. Select the BizTalk folder.

3. Right-click this folder, and select All Tasks | Import.... The Certificate Import Wizard starts.

4. Click Next.

5. Browse for the certificate file, select it, and click Next.

6. The dialog asking for the certificate store will already show the option Place all certificates in the following store, with BizTalk selected as the store.

7. Click Next, followed by Finish, and the certificate is installed.

In this example, we decided that an inbound document on a channel will be both encrypted and signed. Therefore, you need to select one of your own local system certificates, from the Personal store, for decrypting an inbound document on a channel (decryption needs your private key), and a trading partner's certificate, from the BizTalk store, to validate the signature on the document (the partner's public key is all that takes) (Figure 8.35).

Since you expect the inbound document to be signed by the trading partner, the partner will expect your outbound documents to be signed as well. The signing certificate also needs to be picked from the Personal certificates (My store) of the local computer, because signing uses your private key; if you also encrypt outbound documents, that uses the partner's certificate from the BizTalk store, because only the partner's private key can decrypt them. You set this on the Outbound Document page of the Channel Properties window.
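How the two certificates on the channel divide the work, as an added example that is not from the chapter and does not use BizTalk's own S/MIME format: Go's standard library with freshly generated RSA keys standing in for our Personal-store certificate and the partner's BizTalk-store certificate. Seal is the partner's outbound step (sign with its private key, encrypt to our public key) and Open is our inbound step (decrypt with our private key, then verify the signature against the partner's public key). The envelope layout, the sample purchase order and the function names are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a container constructed for this example, not the S/MIME structure BizTalk itself
// produces. WrappedKey is the AES-256 key RSA-OAEP-encrypted to the receiver's public key, Ciphertext
// the document under AES-256-GCM, Signature an RSA-PSS signature over SHA-256(document) by the sender.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the partner's outbound side: sign with its own private key, encrypt to our public key.
func Seal(doc []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 32+12) // a fresh AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	g, err := aead(kn[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, kn[32:], g.Seal(nil, kn[32:], doc, nil), sig}, nil
}

// Open is our inbound side: decrypt with our private key (Personal store), then verify with the
// partner's public key (BizTalk store). The signature covers the plaintext, so decryption comes first.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the document key: not encrypted for this certificate")
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	doc, err := g.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("document was modified in transit")
	}
	digest := sha256.Sum256(doc)
	if rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil) != nil {
		return nil, errors.New("signature does not verify against the partner's certificate")
	}
	return doc, nil
}

// Scenario plays one exchange with generated keys standing in for the page's certificates and reports
// the decrypted document plus whether an impostor's signature and a modified ciphertext were rejected.
func Scenario() (doc string, rejectedImpostor, rejectedTampered bool, err error) {
	ours, _ := rsa.GenerateKey(rand.Reader, 2048)     // our key, Personal store
	partner, _ := rsa.GenerateKey(rand.Reader, 2048)  // partner's key; its public half is in our BizTalk store
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048) // anyone who is not the partner
	order := []byte(`<PurchaseOrder id="4711"><Total>250.00</Total></PurchaseOrder>`) // constructed sample
	env, err := Seal(order, partner, &ours.PublicKey)
	if err != nil {
		return
	}
	got, err := Open(env, ours, &partner.PublicKey)
	if err != nil {
		return
	}
	doc = string(got)
	forged, _ := Seal(order, impostor, &ours.PublicKey) // encrypted for us, but not signed by the partner
	_, e := Open(forged, ours, &partner.PublicKey)
	rejectedImpostor = e != nil
	tampered := *env // one flipped ciphertext byte fails GCM authentication
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 1
	_, e = Open(&tampered, ours, &partner.PublicKey)
	rejectedTampered = e != nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Note which key is needed where: Open never touches the partner's private key and Seal never touches ours, which is exactly why the BizTalk store only needs the partner's certificate while the Personal store must hold a certificate with its private key.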

Figure 8.35 Selecting the Inbound Document Certificates on the Channel Properties Window
