Sending MD5 Encrypted xml using BizTalk Server 2006

  • Question

  • Dear All,

    Please advise how to send encrypted xml using BizTalk Server 2006.

    At the receive port I am getting data using the SQL Adapter and want to dump the xml file in a specified folder, but the requirement is to dump an encrypted file.

    Please guide.


    -- Regards Sandeep

    Saturday, May 9, 2015 3:20 AM


All replies

  • To the best of my knowledge, the standard MIME/SMIME Encoder Pipeline Component only has the ability to use DES, DES3 or RC2 as encryption algorithms.

    So if your requirement is MD5, you can write a custom Pipeline Component that does the encryption, then add it in the Encode stage of a custom Send Pipeline and use this Pipeline on the Send Port.

    Morten la Cour

    Saturday, May 9, 2015 9:49 AM
  • The thing is, MD5 is a one-way algorithm used to create hashes. You can't decrypt the result so the result isn't very useful.  It's most common to find MD5 hashes along with large, unencrypted, files to verify their consistency.

    "requirement is to dump encrypted file"

    No problem, this is solved 95% of the time using PGP.

    I have used this Pipeline Component a number of times: https://code.msdn.microsoft.com/windowsdesktop/BizTalk-Sample-PGP-ebcbc8b2

    It works as is and can easily be modified.

    Saturday, May 9, 2015 12:07 PM
  • Hi Johns,

    Thanks for reply.

    My business scenario is I will pick some data related to salary of employees and send to third party server .

    As the data is sensitive, it's better to encrypt it, and at the other end the vendor will decrypt the file (the vendor is not using BizTalk Server; they might be using custom code in C# to decrypt).

    So if I use the MIME/SMIME Encoder Pipeline Component or the PGP Encryption/Decryption Pipeline Components, how will the vendor be able to decrypt the file?

    Please advise.


    -- Regards Sandeep


    Saturday, May 9, 2015 12:57 PM
  • sMIME is primarily for 'internet' protocols like http or smtp so it's probably not a real option though technically possible.

    There are many, many PGP clients and libraries so that should not be an issue.

    However, have you or anyone on your side asked the Trading Partner what they can or are willing to support?  That's the first step.

    If the two sides settle on PGP, let them handle it however they want, once they agree, it's not really your problem.

    Saturday, May 9, 2015 2:12 PM
  • Dear Johns,

    My only queries are:

    1. How to do encryption of the file using a pipeline, as I am new to this.

    2. What information I need to share with the vendor so that they are able to decrypt the file.


    -- Regards Sandeep

    Saturday, May 9, 2015 6:10 PM
  • If you are sending to them:

    1. They have to create a Key Pair (or use one they already have).  That means a Private Key, which they keep, and a Public Key, which they give to you.
    2. You configure their Public Key in the PGP Pipeline Component Properties.
    3. It works just like any other BizTalk Pipeline Component.  Add it to a Pipeline, configure on the Send Port and you will get PGP Encrypted files.

    I use Gpg4win on the desktop.  Kleopatra is the GUI where you can encrypt/decrypt and work with keys.

    Saturday, May 9, 2015 11:46 PM
  • Dear Johns,

    I am able to encrypt xml by following the procedure below.

    1. Created a certificate under the certificate store.

    2. Created a pipeline and selected the encryption method as DES3.

    3. Selected the certificate and pipeline in the send port.

    4. Finally got the encrypted file.

    Advise where I need to create the private and public key, and how the vendor can decrypt the file.

    Lastly, what information should I provide to them so that they can successfully decrypt the file?


    -- Regards Sandeep

    Monday, May 11, 2015 5:15 PM
  • That is using the MIME/SMIME Pipeline Component which uses the Certificate store and the Host Instance Thumbprint to retrieve the signing certificate.  These are the same certificates you could use for SSL and can be purchased or generated internally and mutually exchanged.

    These are functionally similar to but different from a key pair used for PGP.  So, if you use SMIME, you don't need to generate a key pair.

    However, before you go any further, ask the trading partner what they can and are willing to support.  As with PGP, there are many tools and libraries to work with.  But, SMIME for this purpose would be highly unusual, though possible.

    If they accept using SMIME, you need to give them the Public Certificate of the Certificate pair used to encrypt.

    Monday, May 11, 2015 9:35 PM
  • Dear Johns,

    The vendor is not using BizTalk, so should I give them the .cer certificate file to decrypt the file?


    -- Regards Sandeep

    Tuesday, May 12, 2015 11:33 AM
  • As a reminder, once you agree on a particular method, it's really up to them to handle it however they want.

    I slightly misspoke before on where to configure the Certificate.  The Host Thumbprint is used to decrypt messages.

    If you are sending the encrypted message, the receiver must send you their Public Certificate which is used to encrypt the data.  You would then load this into the local store.

    That Cert is set in the Send Port options in the Certificate section.

    Tuesday, May 12, 2015 12:23 PM
  • As I have created the certificate by going to the MMC console, what should I provide to the vendor, as he is asking for a key to decrypt?

    Advise where to find the key in the .cer file I have created.


    -- Regards Sandeep

    Tuesday, May 12, 2015 6:09 PM
  • If you are sending the encrypted message, the receiver must send you their Public Certificate which is used to encrypt the data.  You would then load this into the local store.

    You encrypt with the receiver's Public Certificate.

    Tuesday, May 12, 2015 6:17 PM
  • Decryption always happens using a Private-Key-Certificate, so for decryption, the vendor should use his/her own key, and send you a copy of the public-key that you can use for encryption.

    Here is what is true for asymmetric cryptography:

    Encoding: Using the receiver's public key, typically stored in your Machine/Root

    Decoding: Using the receiver's private key, typically stored in CurrentUser/My

    Signing: Using your own private key, typically stored in CurrentUser/My

    Validating: Using the sender's public key, typically stored in Machine/Root

    Morten la Cour

    Tuesday, May 12, 2015 6:18 PM
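    The two replies above (encrypt with the receiver's public certificate, decrypt with the private key from CurrentUser\My) are what the MIME/SMIME Encoder produces as CMS/PKCS#7 enveloped data inside an S/MIME body. The following is an added C# example, not code from the thread or from BizTalk, showing both sides with EnvelopedCms from System.Security.dll; the thumbprint is a placeholder and the payroll xml is constructed sample data.

```csharp
// Added example (not from the thread or from BizTalk): CMS/PKCS#7 enveloped data in C#,
// the format the MIME/SMIME Encoder wraps in an S/MIME body. Requires System.Security.dll.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CmsRoundTrip
{
    // des-ede3-cbc, i.e. the "DES3" option selected in the thread's pipeline.
    const string TripleDesOid = "1.2.840.113549.3.7";

    // Sender side (what the send pipeline does): only the receiver's PUBLIC certificate is needed.
    // A fresh 3DES content key is generated and wrapped with the receiver's RSA public key, which is
    // why generic "decrypt a 3DES file" code cannot open the output: it has no key to start from.
    public static byte[] Encrypt(byte[] plaintext, X509Certificate2 receiverPublicCert)
    {
        var envelope = new EnvelopedCms(new ContentInfo(plaintext),
                                        new AlgorithmIdentifier(new Oid(TripleDesOid)));
        envelope.Encrypt(new CmsRecipient(receiverPublicCert));
        return envelope.Encode();                       // DER; S/MIME carries this base64-encoded
    }

    // Receiver side: needs the certificate WITH its private key (CurrentUser\My on the vendor's box).
    public static byte[] Decrypt(byte[] cmsDer, X509Certificate2Collection certsWithPrivateKey)
    {
        var envelope = new EnvelopedCms();
        envelope.Decode(cmsDer);
        envelope.Decrypt(certsWithPrivateKey);          // unwraps the 3DES key with the RSA private key
        return envelope.ContentInfo.Content;
    }

    // Strip the S/MIME transport encoding: the application/pkcs7-mime body is base64 text.
    public static byte[] FromSmimeBody(string base64Body) => Convert.FromBase64String(base64Body);

    static void Main()
    {
        // Placeholder thumbprint (hypothetical): the receiver's key pair in CurrentUser\My.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var withKey = store.Certificates.Find(X509FindType.FindByThumbprint, "<RECEIVER-THUMBPRINT>", false);
        store.Close();

        // The .cer the vendor hands over is exactly this: the certificate exported WITHOUT the private key.
        var publicOnly = new X509Certificate2(withKey[0].Export(X509ContentType.Cert));

        byte[] cms = Encrypt(Encoding.UTF8.GetBytes("<Payroll><Amount>1</Amount></Payroll>"), publicOnly);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(cms, withKey)));   // constructed sample round trip
    }
}
```

    On the vendor side only Decrypt and FromSmimeBody are needed; the .cer file they send contains no private key, so it can only ever encrypt, never decrypt.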
  • Dear All,

    Please correct me if I am wrong.

    1. The vendor creates a certificate in the certificate store and provides me the .cer file, which I store on my server.

    2. Using this certificate I configure the send port.

    3. I send the encrypted file to the vendor and the vendor will decrypt the file using the certificate he created.


    -- Regards Sandeep

    Wednesday, May 13, 2015 8:04 AM
  • 1. Yes, Trading Partner sends you only their Public Certificate.

    2. Yes.

    3. Yes, Trading Partner decrypts with their Private Certificate.

    There is a Wiki Article that describes exactly what you're doing: http://social.technet.microsoft.com/wiki/contents/articles/18737.biztalk-server-2013-encrypting-and-decrypting-a-message.aspx

    • Marked as answer by Angie Xu Tuesday, May 19, 2015 1:33 AM
    • Unmarked as answer by Sandeep.Handa Wednesday, May 27, 2015 5:40 PM
    Wednesday, May 13, 2015 10:35 AM
  • Hello Johns,

    I am able to encrypt the message; my trading partner will be decrypting my message using C# code.

    Please advise how it can be achieved, as they don't have BizTalk Server. They found some code on Google to decrypt a 3DES encrypted file, but with no success.

    We are both using the same certificate. Can you give some advice?


    -- Regards Sandeep

    Wednesday, May 27, 2015 5:42 PM
  • Well, here's the thing, they really need to take ownership of this on their end. If they agreed to using MIME, then have to be ready to support it.

    There are some MIME libraries out there such as https://github.com/jstedfast/MimeKit

    However, be warned, you are using MIME in a relatively uncommon way (meaning almost no one does this) which is why you don't see many examples or tools.

    My recommendation for this scenario is PGP.

    • Marked as answer by Angie Xu Friday, May 29, 2015 1:52 AM
    Wednesday, May 27, 2015 6:03 PM
  • Hi Johns,

    Thanks for reply.

    We are looking for some easy to use encryption and decryption of data.

    The only thing is that I am using BizTalk Server and they are writing custom code in C#, so whatever code they find for DES3 is not decrypting my message.

    Hence I seek help here to help them out.

    I gave them the sample code below to decrypt a DES3 encrypted file, but with no success:

    http://www.example-code.com/csharp/Pki3Des.asp

    Please advise, as the trading partner doesn't know about BizTalk Server or MIME messages.


    -- Regards Sandeep

    Wednesday, May 27, 2015 6:33 PM
  • Yes, I understand all of that, but they shouldn't be agreeing to something they can't support.

    I already pointed you to another MIME library and there isn't much else.

    I will state again that what you're doing is not very common.

    By far, the most broadly accepted and supported way to exchange encrypted files is PGP. See here: https://code.msdn.microsoft.com/windowsdesktop/BizTalk-Sample-PGP-ebcbc8b2

    If you don't really need to encrypt the file, consider HTTPS, SFTP or FTPS to send the data over an encrypted channel.

    Wednesday, May 27, 2015 7:10 PM
  • Does BizTalk Server 2006 support SFTP? I see FTP only in the drop down under the send port.

    -- Regards Sandeep

    Friday, May 29, 2015 12:53 PM
  • No.  FTPS shipped with BizTalk Server 2010 and SFTP shipped with BizTalk Server 2013.

    You can add both to BizTalk Server 2006 with either an Adapter from nSoftware or SFTP with an older version of the bLogical SFTP Adapter from CodePlex.

    Friday, May 29, 2015 2:43 PM
  • Dear Johns,

    1. Can a PGP encrypted file be decrypted using custom C# code? Please give some example.

    2. Can https be supported in the Send port of BizTalk Server 2006?


    -- Regards Sandeep

    Saturday, May 30, 2015 5:52 PM
  • Again, I think you need to push this back to them.  It's a project risk to you handling it this way unless you take ownership of their side as well.  There's nothing wrong with that, just a management/relationship decision.

    1. Yes, this is very common and there are several libraries that have proven reliable.  Bouncy Castle is the library used by the Gallery PGP Pipeline Components.

    2. Yes.


    Saturday, May 30, 2015 9:22 PM
  • Hi Johns,

    I have configured the SFTP adapter in BizTalk 2006 and the file is getting sent to the vendor.

    The only thing is that, as the data is sensitive, it needs to be encrypted.

    1. Please advise whether SFTP supports encryption.

    2. As the file is getting dropped at the SFTP location as an xml file, anyone can open and see it.

    3. To secure it I need your help to configure the PGP pipeline for encryption.

    I get the following error for the pipeline:

    A message sent to adapter "FILE" on send port "SendPort_OUT_PayrollAmountData" with URI "C:\Documents and Settings\spsapadmin\Desktop\aakash\%MessageID%.xml" is suspended.

    Error details: There was a failure executing the send pipeline: "EpicSapIntegration.PgpEncryptSend, EpicSapIntegration, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f7f57c9961509466" Source: "Unknown " Send Port: "SendPort_OUT_PayrollAmountData" URI: "C:\Documents and Settings\spsapadmin\Desktop\aakash\%MessageID%.xml" Reason: The application does not exist.


    -- Regards Sandeep

    Monday, June 1, 2015 5:27 AM
  • As these are separate and new issues, it would be better to start a new thread for each.

    1. The 'S' stands for Secure.

    2. Like https, the encryption is only over the wire.  'Encrypted at rest' is a different requirement.

    3. You have to import and configure the sample SSO application.

    • Marked as answer by Sandeep.Handa Monday, June 1, 2015 12:50 PM
    Monday, June 1, 2015 11:22 AM