Title: Biztalk SFTP Adaptor Configuration
Author: Toraj Khavari
Date: January 29, 2015 – Version 1.0.2529.01
Objective: Microsoft Biztalk supports Secure File Transfer Protocol (SFTP) out of the box. The SFTP adapter is a great technology for communicating information securely across the corporate firewall via the internet. An introduction to Biztalk SFTP configuration is my objective.
Article Body: In this article we explore how to configure Biztalk SFTP for external partner inbound and outbound ports. Let us start with some basic principles and standards.
- When you are designing Biztalk communication with external servers and services, minimize A-dec's (the company's) risk with a few fundamental best practices.
  o Empower A-dec BizTalk adaptors to Get and Post information. Minimize, or better still, limit external companies putting information inside A-dec firewalls.
  o Use Biztalk SFTP wherever possible. Using SFTP reduces the need for SSL and for compromising the A-dec firewall.
  o Keep A-dec Security coordinators and Support Services in the loop for any external FTP.
  o If the A-dec external partners select the FTP protocol with a Secure File Transfer Protocol server, consider utilizing encryption and decryption technologies and protect the information at the source.
  o A-dec has a rich set of encryption and decryption assemblies. If the posted information is sensitive, in addition to using SFTP, use the encryption and decryption technologies.
- An A-dec external partner inbound port is an A-dec post (e.g., EDI 850 Purchase Order (PO) to a vendor).
- An A-dec external partner outbound port is an A-dec get (e.g., EDI 856 Advance Shipping Notice (ASN) from a vendor, EDI 810 Invoice from a vendor).
- A-dec may select to communicate using SFTP. The partners have the freedom to communicate using other protocols (e.g., FTP). The partners' decision has no effect on A-dec's choice and vice versa.
In my case, I have multiple vendors, W&H Dentalwerk® and East Side Plating® (ESP). Each vendor partner has its own dedicated Inbound and Outbound port in the Management File Transfer (MFT) Server. The A-dec Biztalk SFTP adaptor securely communicates with the MFT server without any firewall compromise or custom SSL setup. In this article, we will focus on W&H Dentalwerk, also known as (AKA) WH, WandH and W&H. For comprehensive end-to-end testing, WHReceived and WHSend ports are created in the A-dec Biztalk Server. The following diagram describes the top-level architecture pictorially.
The A-dec PO to the W&H partner can be placed in WHReceived, and Biztalk will map, orchestrate, and post it in WHInbound. The W&H ASN and Invoice can be placed in WHOutbound. Thereafter, Biztalk will get the source file, map, orchestrate, and place it in WHSend.
Hints:
- I have selected File adaptors for WHReceived and WHSend for simplicity. You can select any Biztalk adaptor to meet your requirements, such as WCF*, MSMQ, POP3, SMTP, SQL, etc. The adaptors can support Dynamics AX Application Integration Framework (AIF), SharePoint Services, databases, and the list goes on.
- To properly configure and test the SFTP adaptor, prepare as follows:
  o Have access to a tested MFT server. Have an appropriate user account and password.
  o Install and set up your favorite file transfer tool and browser. In my case, I am using FileZilla and PuTTY.
  o Have a set of tested and ready Biztalk Schemas and Maps for the Inbound and Outbound orchestrations.
  o Have a few inbound and outbound data source files.
  o MFT servers come in different operating systems: Windows, UNIX, and Linux. Biztalk SFTP syntax and semantics will accommodate them. The MFT operating system will have minimal impact on the SFTP configuration.
  o Do not surprise your security czar if you are going outside A-dec. Let them know what you are doing.
Biztalk SFTP Configuration:
Let us start with the information orchestration between WHReceived and WHInbound. A-dec posts the W&H PO.
1- Start the Microsoft Biztalk Admin tool.
2- Create a Static One-Way Send Port > Select SFTP Adaptor Type > Press the Configuration Button > Complete the SFTP Transport Properties > Select Apply > OK > Select the appropriate Send handler and Send Pipeline > Apply > OK.
The standard SFTP is a very secure communication. However, if you insist on pinning a specific SSH host key, set AcceptAnySSHServerHostKey to False, obtain the SSH host key fingerprint of the MFT server that the SFTP adaptor will connect to, and copy it into SSHServerHostKeyFingerPrint.
It is good practice to use the MFT server's Domain Name System (DNS) name instead of its IP address. It provides a layer of separation and fits the Service Oriented Architecture (SOA) model nicely.
3- Set up the Biztalk Filter for the Send Port. You can use any of the Filter properties to meet your requirements. For now, I just point it to the receive port name. Select Apply and OK.
4- Create the One-Way WHInternalReceive Port. 1- Select Receive Ports > 2- New > 3- One-way Receive Port > 4- General Tab Name is WHInternalReceive > 5- Select Receive Locations > 6- New > 7- General Tab Name is WHInternalReceiveLocation > 8- Select File Adaptor > 9- Select Configure button > 10- Configure the File Transport Properties > 11- Select the desired Receive handler and pipeline > 12- Apply and OK.
5- At this point the receive port requires a map to orchestrate the information. Navigate to the Inbound Maps for the Receive Port and select the Biztalk-deployed Source Document, Map, and Target Document.
If you do not see your maps, check the deployment script and your Biztalk solution Maps in the Applications folder in the Biztalk Admin tool.
At this point, we have all the needed connections for the WHReceived and WHInbound orchestration. Start WHSFTPRaceSpaceInbound and WHInternalReceiveLocation.
Hints:
- The WHSFTPRaceSpaceInbound URI must have “//” (two “/”) between the MFT server name and the partner folder path.
- The WHInternalReceiveLocation URI must point to an A-dec internal server.
- The WHSFTPRaceSpaceInbound and WHInternalReceiveLocation status must be green.
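The host key and URI points above, applied as a check: an added Python example, not from the original post or from BizTalk, that computes the MD5 fingerprint of the MFT server's SSH host key line (as ssh-keyscan or PuTTY shows it), compares it with the configured SSHServerHostKeyFingerPrint, and flags AcceptAnySSHServerHostKey left at True, a URI missing the “//” before the folder path, or an IP address where a DNS name belongs. The property names are the adaptor's; the host key material, the property values and the sftp://host[:port]//path URI shape are constructed assumptions.

```python
import base64
import hashlib
import re

# Constructed placeholder host key (not a real server's key), in the
# "ssh-rsa <base64 blob>" form that ssh-keyscan or PuTTY shows for the MFT host.
_BLOB = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01" + bytes(range(64))
).decode()
SAMPLE_HOST_KEY = "ssh-rsa " + _BLOB + " mft.example.invalid"

def md5_fingerprint(pubkey_line):
    """MD5 fingerprint ("aa:bb:...") of an OpenSSH public key line; the
    colon-separated MD5 form is assumed to be what the adaptor property takes."""
    blob = pubkey_line.split()[1]
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _normalize(fp):
    # Accept "MD5:aa:bb:...", "AA:BB:..." or bare hex and compare on the hex only.
    fp = fp.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def fingerprint_matches(configured, pubkey_line):
    """True if the SSHServerHostKeyFingerPrint value pins this host key."""
    return _normalize(configured) == _normalize(md5_fingerprint(pubkey_line))

# Assumed URI shape; the post only states the "//" rule between server and path.
_URI = re.compile(r"^sftp://(?P<host>[^/:]+)(?::\d+)?//(?P<path>.+)$")
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def check_transport_properties(props, host_key_line):
    """Return findings for a dict keyed by the adaptor's property names."""
    findings = []
    if props.get("AcceptAnySSHServerHostKey", True):
        findings.append("AcceptAnySSHServerHostKey is True: any server key is trusted")
    fp = props.get("SSHServerHostKeyFingerPrint", "")
    if not fp:
        findings.append("SSHServerHostKeyFingerPrint is empty")
    elif not fingerprint_matches(fp, host_key_line):
        findings.append("SSHServerHostKeyFingerPrint does not match the MFT host key")
    m = _URI.match(props.get("URI", ""))
    if not m:
        findings.append("URI needs '//' between the MFT server name and the folder path")
    elif _IPV4.fullmatch(m.group("host")):
        findings.append("URI uses an IP address; prefer the MFT server's DNS name")
    return findings
```

Run it against the property values you actually typed into the SFTP Transport Properties dialog and the host key line from your MFT server; an empty list means the port agrees with the hints above.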
Let us continue with the information orchestration between WHOutbound and WHSend. W&H posts A-dec's ASN and Invoice in the WHOutbound port. Thereafter, Biztalk gets the information and orchestrates it to the WHSend port. There are some similarities between the WHOutbound and WHSend orchestration and the WHReceived and WHInbound one. Therefore, I omit the duplicated instructions.
1- Create a new EDIWHSFTPRaceSpaceReceive Receive Port using the Biztalk SFTP adaptor. No maps are required.
2- Create a new Send Port, EDIWHSend, and configure it.
3- Utilize the Send Port's filter to identify the partner. The partner information is configured in the Biztalk Admin tool's Parties services.
At this point, you can start the EDIWHSFTPRaceSpaceReceive and EDIWHSend ports.
The entire Biztalk configuration is completed. Henceforth, utilize FileZilla to post information and watch for the Biztalk orchestration result set.
Lessons Learned:
Although I have embedded a lot of my lessons learned in the above instructions, let me share a few more with you.
- If you run into “Microsoft.BizTalk.Adapter.SftpInvoker.SftpException: Open SFTP connection error.” before changing AcceptAnySSHServerHostKey to False and entering the SSH Server Host Key, I recommend the following.
  o Use your favorite FTP tool, FileZilla or PuTTY, and try to copy a file between the source and destination folders. During this process, any security violation will become apparent.
  o The issue is usually the Read, Write, and Execute permissions of the credential. After the credential changes, the Biztalk 2013 SFTP adaptor works fine.
- The Biztalk Event log and Suspended query are great resources. Use them.
- The Biztalk Suspended query does not capture all the security and SFTP errors. Use the Biztalk Event log.
Have fun with Biztalk. It has come a long way. A few years ago, we had to add code to handle SFTP. Now the Biztalk 2013 version bundles an enhanced SFTP adaptor in the standard install.
Cheers,
Toraj
Special thanks to James Ward for his assistance during this assessment, his continuing support, and dedication.