Security


Sending BizTalk documents over HTTP presents a possible security risk. Because HTTP carries documents as clear text streams, someone can read a message as it travels to its destination. The BizTalk Framework 2.0 specification provides for securing your BizTalk document using the S/MIME or PKCS security layers. You can, however, use other security layers if you wish.

An easy way to deal with the problem of open transactions is by using the HTTPS protocol. HTTPS ("S" stands for Secure) is used widely on the Web to protect transactions involving sensitive information such as account balances or credit card numbers. HTTPS relies on public key encryption to armor packets between the client and the server. When a client (usually a Web browser) requests a secure document, the Web server sends it an encryption key. During the rest of the session, the client uses that key to encrypt data. Only the server has the ability to decrypt the data. Public key encryption involves some complicated math concepts that I don't understand, but I do know that they have to do with finding factors by multiplying two very large prime numbers. Anyway, HTTPS works pretty well, depending on the length of the encryption key used. If you're concerned about security, you should upgrade your HTTPS servers to use the greatest key lengths available.

Your BizTalk server should have the ability to provide a secure transmission protocol that wraps around the document, keeping it safe from prying eyes. You'll also need to deal with the issue of unauthorized documents flowing to one of your trading partners. If one of your partners receives BizTalk requests as plain text over a public facility such as HTTP, the possibility exists that someone will send your partner a message that appears to be coming from you. This malicious behavior—known as spoofing—has been around since the earliest days of e-mail.

Your BizTalk server should allow you to attach some kind of digital signature to your message. Including a digital signature can be as easy as using the attachment element of the BizTalk document spec or can be more complex: you can attach the digital signature to the document in a way that depends on the transport-specific envelope.
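The signature check described above, sketched with the OpenSSL command line as an added example (not code from the book or from BizTalk Server): a document is wrapped in an S/MIME signed message, and the receiver rejects both a message signed by a different key and a genuine message altered in transit. The identities, file names and XML payload are constructed for illustration, and the partner certificate is assumed to have been exchanged out of band.

```shell
#!/usr/bin/env bash
# Constructed demo: all names, subjects and the XML payload are illustrative.
WORK=$(mktemp -d)

# Create a key pair and self-signed certificate for a party ($1 = file prefix).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Constructed payload standing in for the BizTalk document body.
write_document() {
  printf '%s\n' '<PurchaseOrder id="PO-1"><Item sku="A-100" qty="10"/></PurchaseOrder>' \
    > "$WORK/order.xml"
}

# Sender side: wrap the document in an S/MIME multipart/signed message.
# $1 = signer identity, $2 = output message file.
sign_document() {
  openssl smime -sign -in "$WORK/order.xml" -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$2" 2>/dev/null
}

# Receiver side: accept only messages whose signature chains to the partner
# certificate exchanged out of band ($2). Prints the document on success.
verify_document() {
  openssl smime -verify -in "$1" -CAfile "$2" 2>/dev/null
}

make_identity partner      # the real trading partner
make_identity impostor     # someone else claiming to be the partner
write_document

sign_document partner "$WORK/genuine.msg"
sign_document impostor "$WORK/spoofed.msg"
# Same genuine message with the quantity altered in transit.
sed 's/qty="10"/qty="1000"/' "$WORK/genuine.msg" > "$WORK/tampered.msg"

for m in genuine spoofed tampered; do
  if verify_document "$WORK/$m.msg" "$WORK/partner.crt" >/dev/null; then
    echo "$m: accepted"
  else
    echo "$m: rejected"
  fi
done
```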



XML and SOAP Programming for BizTalk Servers
XML and SOAP Programming for BizTalk(TM) Servers (DV-MPS Programming)
ISBN: 0735611262
Year: 2000
Pages: 150
