Sunday, January 23, 2011

How to: Configure Dynamics AX AIF Services to listen for SSL Requests (https)

This post covers my experience integrating Commerce Server services with AIF Web Services across two domains. It was a somewhat challenging setup, especially configuring the communication between AIF and Commerce Server over https; troubleshooting WCF bindings was the major component of the whole piece.

Note, in our infrastructure topology we have Dynamics AX 2009 SP 1 (Rollup 6), IIS 7.5 and Commerce Server 2009.

So, in brief, these were the steps carried out to make the integration work:

a. Import the Certificate and Configure IIS to listen for https requests
b. Troubleshooting the TLS/SSL error
c. Troubleshooting the AIF Windows authentication error
d. Troubleshooting the binding in web.config (bindings "Transport")


Now, let's get into the details:

How to: Import Certificate and Configure IIS for SSL

http://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx

http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm

In my case, I already had the certificates ready, supplied by the internal support team, so I only had to follow the "Import Certificate" and "Configure website" steps in the links above.

Once IIS is configured to listen on HTTPS, one should be able to browse the AIF Services successfully through a browser. Note that it will prompt for a certificate; accept it and move ahead.

Troubleshooting the TLS/SSL error

Trying to invoke the AIF Services through the Commerce Server client interface gives this error: "Could not establish trust relationship for the SSL/TLS secure channel with authority". This was fixed by registering an explicit remote certificate validation callback in the client code.

    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    /// <summary>
    /// Callback that validates the certificate presented by the remote (AIF) endpoint.
    /// Returning true unconditionally accepts every certificate, which is what
    /// suppresses the "Could not establish trust relationship" error.
    /// </summary>
    private static bool RemoteCertificateValidate(
        object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors error)
    {
        return true;
    }
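As an added example (not code from the original post), the blanket callback above is shown beside a stricter variant that only tolerates a chain error when the presented certificate matches the thumbprint of the certificate installed on the AIF box, plus the one-line registration with ServicePointManager that the post refers to. The thumbprint constant is an assumed placeholder to be replaced with the real value from the IIS certificate store.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post.
public static class AifCertificateValidation
{
    // PLACEHOLDER: SHA-1 thumbprint of the certificate installed on the AIF/IIS box
    // (copy it from the certificate's details in the IIS certificate store).
    private const string ExpectedAifThumbprint = "0000000000000000000000000000000000000000";

    // The callback as used in the post: every certificate is accepted, including
    // self-signed, expired or name-mismatched ones, so the trust error disappears
    // but the client can no longer tell the real AIF box from anything else.
    public static bool AcceptAnyCertificate(
        object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error)
    {
        return true;
    }

    // Stricter variant: pass when standard validation passes, or when the only
    // failure is the chain (e.g. the internal CA is not trusted on the client box)
    // and the presented certificate is exactly the expected one (pinning).
    public static bool AcceptExpectedAifCertificate(
        object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error)
    {
        if (error == SslPolicyErrors.None)
            return true;

        // Never tolerate a missing certificate or a host-name mismatch.
        if (cert == null || error != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        string presented = new X509Certificate2(cert).Thumbprint;
        return string.Equals(presented, ExpectedAifThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Register once, before the first AIF proxy call; ServicePointManager applies
    // the callback to every HTTPS connection made by this process.
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback = AcceptExpectedAifCertificate;
    }
}
```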



Troubleshooting the AIF Windows authentication error


Moving forward, I encountered this error: "The Application Integration Framework Web service cannot determine the Windows login of the user calling the Web service".
This was logged in the Event Viewer of the AOS box; at least it was a relief to see that the communication reached the AOS box.


This is the core problem we faced. The reason is that AIF Web Services are built around strict Windows user authentication: they do not understand certificate-based authentication, and this error is thrown from the Microsoft AIF Integration Framework dll.


I tried a couple of workarounds by creating small demo applications and configurations and presented them to our Solution Team:

i. Firstly, I changed the binding to basicHttpBinding on the AIF server and created a small app on the Commerce Server client box. This works fine and it communicates with the AIF Web Services without any problems. The downside is that it is not as secure, but basicHttpBinding is much faster than wsHttpBinding.


ii. I installed and configured the Microsoft Dynamics AX .NET Business Connector on the Commerce Server client box and created a small app that communicates with AX via the .NET Business Connector. This works fine, but I would not recommend it: we would need to rewrite the AIF logic that the AIF Framework provides out of the box, and the other downside is maintainability, since we would need to maintain .NET BC on the Commerce Server box (i.e. the Commerce Server code would be tightly coupled to the AX .NET BC code, and upgrades to .NET BC would mean taking the Commerce Server web sites down).


iii. Host intermediary non-AIF services on the same box where the AIF Services reside. These act as wrapper services for the AIF Services: the Commerce Server client invokes the non-AIF services, which in turn invoke the AIF Web Services, so there is no direct or live connection between Commerce Server and AIF. Any communication between these two apps is handled by this broker or intermediary web service. The downside is that performance may suffer a bit because of the extra layer.



We chose to go with basicHttpBinding, with certificates installed on server and client, and explicitly passing the Business Connector proxy credentials in the code before invoking the service.

Troubleshooting the binding in web.config (bindings "Transport")

This is the final version of how the server-side and client-side bindings look. I tried various combinations of the security and transport mode before arriving at this one.


References:
Florian has an interesting article on his blog about securing AIF Services cross-domain, which works with IIS 6.0 and Windows Server 2003:
http://floditt.blogspot.com/2010/06/cross-domain-access-to-aif-webservices.html
