Prerequisites
The Service Bus component (Microsoft.ServiceBus.dll v1.8), which is included with the Windows Azure Libraries for .NET. To install it, visit the Windows Azure SDK download page. (Microsoft.ServiceBus.dll must be placed in the "Bin" folder of the website that the service is deployed to.)
You have installed the AIF Windows Azure Service Bus Adapter Hotfix: http://support.microsoft.com/kb/2845539
You have installed the AX Web Services on IIS 7.5.
An X.509 token signing certificate is installed on the AD FS 2.0 server and on the machine that is running the WCF service, in the Trusted Root Certification Authorities store. For more information, see Microsoft Dynamics AX Connector for Mobile Applications.
A Windows Azure Service Bus namespace has been created, and the shared secret and issuer name for the namespace are available. For more information, see Microsoft Dynamics AX Connector for Mobile Applications.
Overview
The following steps enable publishing an AIF service that listens to messages incoming from the Azure Service Bus, without a middle-tier WCF service.
You must register your Windows Azure Service Bus namespace with the AIF before you can publish services to the Service Bus. Registration requires that you supply the X++ and WCF authentication classes that will authenticate incoming Service Bus messages. Go to Create the authentication classes, and then go to Register your Service Bus namespace with the AIF. Next, see Publish your AIF service.
Authentication overview
The Service Bus requires each on-premises service to be authenticated and authorized to "listen" on a particular address before it establishes a new relay connection. Clients must also be authenticated and authorized before the Service Bus will relay messages on their behalf. The Service Bus relies on the Windows Azure Access Control Service (ACS) for authenticating both services and clients.
Service authentication
Microsoft Dynamics AX services use a “shared secret” token provider to authenticate with the Service Bus. The shared secret is provided to the AIF when you Register your Service Bus Namespace.
Client authentication
The following two types of client authentication are required:
Service Bus authentication
Clients are required to provide a "send" claim in order to be able to send messages to a service on the Service Bus. The ACS must trust the identity provider used by the client. This must be set up as described in Microsoft Dynamics AX Connector for Mobile Applications.
Microsoft Dynamics AX authentication
When the Service Bus relays a message to the on-premises service, the caller identity is used to log on to Microsoft Dynamics AX. This caller identity is determined by calling a custom authentication component that parses the incoming message token and provides a valid claims identity. The user specified by the claims identity must be a valid Microsoft Dynamics AX user.
Sample authentication component
A sample ADFS authentication component is provided here:
http://blogs.msdn.com/b/aif/archive/2013/04/29/aif-windows-azure-service-bus-adapter.aspx.
You can use it as it is or modify it to suit your needs. This component searches for an ADFS token in a custom message header titled PassthroughBinarySecurityToken. If the token is found, it is validated against the trusted issuer thumbprint of the ADFS STS, and the claims are extracted from it. A Windows Account Name claim type identifies the user account. For more information, see
http://blogs.msdn.com/b/willpe/archive/2010/10/25/windows-authentication-adfs-and-the-access-control-service.aspx.
Create custom authentication classes
A custom authentication component has two parts:
An X++ class that implements the AifAuthenticationManager interface and provides configuration information.
A .NET class that derives from the System.ServiceModel.ServiceAuthenticationManager class to provide runtime authentication.
AifAuthenticationManager interface
This X++ interface must be implemented by an X++ authentication manager class. The services framework uses this interface to get the information needed to configure and deploy the custom authentication runtime component.
X++
interface AifAuthenticationManager
{
    AifAuthenticationManagerName getName();
    str getAuthenticationManagerType();
    str getAuthorizationPolicyType();
    AifAssemblyName getAuthenticationManagerAssemblyName();
    Map getAppSettings();
    MenuItemNameDisplay getConfigurationDisplayMenuItem();
}
Interface methods:
AifAuthenticationManagerName getName()
Returns the friendly name of the component. This is displayed for selection in the ServiceBus configuration form.
str getAuthenticationManagerType()
Returns the .NET type of the WCF custom authentication class in the runtime assembly.
str getAuthorizationPolicyType()
Returns the .NET type of the WCF authorization policy class in the runtime assembly.
AifAssemblyName getAuthenticationManagerAssemblyName()
Returns the name of the authentication assembly that contains the WCF custom authentication class.
Map getAppSettings()
Returns custom settings that are required by the .NET authentication component at authentication time. These settings are written to the appSettings section of the web.config file, which is located in the IIS website directory. Returns null if app settings are not required.
MenuItemNameDisplay getConfigurationDisplayMenuItem()
Returns the name of the display menu item for the configuration form of this component. Returns the empty string if no configuration form is available.
Custom authentication component
Custom authentication is performed by a class that derives from System.ServiceModel.ServiceAuthenticationManager, together with a class that implements System.IdentityModel.Policy.IAuthorizationPolicy.
The System.ServiceModel.ServiceAuthenticationManager class exposes the virtual Authenticate method, which returns a ReadOnlyCollection of authorization policies:
C#
ReadOnlyCollection<IAuthorizationPolicy> Authenticate(
    ReadOnlyCollection<IAuthorizationPolicy> authPolicy,
    Uri listenUri,
    ref Message message)
The implementation of this method can inspect the request message and headers, perform the custom authentication, and set the authenticated principal on the message as a property.
The System.IdentityModel.Policy.IAuthorizationPolicy interface has the Id and Issuer properties and the Evaluate method shown in the following example:
C#
bool Evaluate(
    EvaluationContext evaluationContext,
    ref Object state)
The implementation of the Evaluate method sets the authenticated principal and identity on the security context of the message.
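The following is an added example of the two runtime classes described above, written for this page; it is not the sample component from the AIF blog post. It reuses the PassthroughBinarySecurityToken header name from the sample, but the header namespace, the ADFS issuer name, the audience URI and the thumbprint are placeholders, the header body is assumed to carry the SAML token as base64 text, and token validation uses the System.IdentityModel classes that ship with .NET 4.5. Authenticate validates the token against the trusted issuer thumbprint, requires a Windows Account Name claim, sets the principal as a message property, and returns an extra authorization policy; Evaluate then places that principal on the security context.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Policy;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;
using System.Xml;
using IdmClaims = System.IdentityModel.Claims;

// Added example for this page, not the AIF blog sample. The constants below are
// assumptions except for the header name, which the page's sample also uses.
public class AdfsHeaderAuthenticationManager : ServiceAuthenticationManager
{
    const string HeaderName = "PassthroughBinarySecurityToken";
    const string HeaderNamespace = "http://schemas.contoso.com/2013/aif";            // assumption
    const string TrustedIssuerThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"; // placeholder
    const string IssuerName = "http://adfs.contoso.com/adfs/services/trust";          // assumption
    static readonly Uri Audience =                                                    // assumption
        new Uri("https://contosomobile.servicebus.windows.net/UnreconciledExpense/");

    readonly SecurityTokenHandlerCollection handlers;

    public AdfsHeaderAuthenticationManager()
    {
        // Default handlers understand SAML 1.1 and SAML 2.0 tokens as issued by AD FS 2.0.
        handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        // Only tokens signed by the certificate with this thumbprint are accepted.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(TrustedIssuerThumbprint, IssuerName);
        handlers.Configuration.IssuerNameRegistry = registry;
        // Reject tokens issued for a different relying party.
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(Audience);
    }

    public override ReadOnlyCollection<IAuthorizationPolicy> Authenticate(
        ReadOnlyCollection<IAuthorizationPolicy> authPolicy, Uri listenUri, ref Message message)
    {
        int index = message.Headers.FindHeader(HeaderName, HeaderNamespace);
        if (index < 0)
            throw new FaultException("Missing " + HeaderName + " header.");

        // Assumption: the header body is the token XML, base64 encoded.
        string tokenXml = Encoding.UTF8.GetString(
            Convert.FromBase64String(message.Headers.GetHeader<string>(index)));

        SecurityToken token;
        using (var reader = XmlReader.Create(new StringReader(tokenXml)))
            token = handlers.ReadToken(reader);

        // Checks the signature against the registered thumbprint, the audience and the
        // validity window; throws SecurityTokenException when any check fails.
        ClaimsIdentity identity = handlers.ValidateToken(token)[0];

        // The Windows Account Name claim is what the AX logon is keyed on.
        Claim account = identity.FindFirst(ClaimTypes.WindowsAccountName);
        if (account == null)
            throw new FaultException("Token carries no Windows Account Name claim.");

        var principal = new ClaimsPrincipal(identity);
        message.Properties["Principal"] = principal;

        var policies = new List<IAuthorizationPolicy>(authPolicy)
        {
            new PrincipalAuthorizationPolicy(principal)
        };
        return policies.AsReadOnly();
    }
}

// The authorization policy that getAuthorizationPolicyType() would name.
public class PrincipalAuthorizationPolicy : IAuthorizationPolicy
{
    readonly IPrincipal principal;
    readonly string id = Guid.NewGuid().ToString();

    public PrincipalAuthorizationPolicy(IPrincipal principal) { this.principal = principal; }

    public string Id { get { return id; } }
    public IdmClaims.ClaimSet Issuer { get { return IdmClaims.ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // These two property names are what WCF reads to build ServiceSecurityContext.
        evaluationContext.Properties["Principal"] = principal;
        evaluationContext.Properties["Identities"] = new List<IIdentity> { principal.Identity };
        evaluationContext.AddClaimSet(this, new IdmClaims.DefaultClaimSet(
            IdmClaims.Claim.CreateNameClaim(principal.Identity.Name)));
        return true;
    }
}
```

Two points worth checking when you adapt this. First, the default certificate validation mode of the handler collection is chain trust, so the ADFS signing certificate must chain to a trusted root on the IIS machine; that is why the prerequisites place it in the Trusted Root Certification Authorities store. Second, WCF only honours the principal set by a custom policy when the service's serviceAuthorization behavior uses principalPermissionMode="Custom"; confirm that the web.config the framework deploys contains that setting.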
Registering the authentication component
Before an authentication component can be used, it must be registered with the Services framework. The registerAuthenticationManager and unregisterAuthenticationManager methods on the AifAuthenticationHelper class must be used to register and unregister the authentication component. Create an X++ job that calls these X++ methods to register or unregister the authentication components. When a component is registered, the .NET assembly is uploaded to the database so that it is accessible to all AOS instances. The file path that you use must grant read permission to the AOS service account. For more information about the AOS service account, see http://technet.microsoft.com/en-us/library/ee355089.aspx and http://technet.microsoft.com/en-us/library/jj585430.aspx.
The following code shows the methods and describes the parameters:
X++
static public void registerAuthenticationManager(
    AifAuthenticationManagerClass authenticationManagerClass,
    FilePath assemblyFolder,
    boolean updateExisting)
authenticationManagerClass is the class ID of the X++ authentication manager class.
assemblyFolder is the path of the folder that contains the .NET authentication manager assembly.
updateExisting is the flag indicating that any existing assembly in the database should be updated with the assembly in the folder.
X++
static public void unregisterAuthenticationManager(
    AifAuthenticationManagerClass authenticationManagerClass)
authenticationManagerClass is the class ID of the X++ authentication manager class.
Encryption key containers
Encryption is used to protect confidential data in the web.config file. This requires a machine-level RSA key container to be created and configured on all the involved machines. We have provided scripts for this process. Download the scripts here: http://blogs.msdn.com/b/aif/archive/2013/04/29/aif-windows-azure-service-bus-adapter.aspx.
These scripts use the IIS configuration utility aspnet_regiis.exe (its -pc, -px, -pi and -pa switches) to manage the key containers.
1. Create an exportable machine-level key container on the IIS computer. Go to the directory where you want to export the container before running this script. In this example we use the root of the C drive.
Windows Command Prompt
C:\> CreateKeyContainer "MyKey"
2. Export the key container to an XML file. The following script will export the key container to MyKey.xml.
Windows Command Prompt
C:\> ExportKeyContainer "MyKey"
3. Import the key container into each of the other machines (the machine running IIS, if different, and the machine running the AOS).
Windows Command Prompt
C:\> ImportKeyContainer "MyKey" "MyKey.xml"
4. On each machine, grant the appropriate account access to the key container. On the IIS machine, this is the AppPool identity (which is the same as the BC proxy account). On the AOS machine, this is the AOS service account (Network Service or a domain account).
For a Domain account:
For a Network account:
Windows Command Prompt
C:\> GrantAccessToKeyContainer "MyKey"
5. Delete the exported MyKey.xml file on every machine. In this example, we exported the MyKey file to the root of the C drive. This step is important: the exported XML contains the private key, and anyone who can read it can decrypt the protected web.config data.
Publish AIF Service using the Service Bus Adapter
We are now going to publish the UnreconciledExpense service operation that we created in
Create the service operation.
Register your Service Bus namespace
1. Open the Microsoft Dynamics AX Client. Click System administration > Setup > Services and Application Integration Framework > Azure Service Bus Configuration.
2. Provide Service Bus details in the Azure Service Bus Configuration form:
a. Supply your Azure Service Bus namespace, which was created when you registered the namespace by following the instructions in Microsoft Dynamics AX Connector for Mobile Applications.
b. Supply your Azure Service Bus issuer name and issuer secret.
c. For Deployment website, select the IIS website to deploy the service on.
d. For Class name, specify the authentication class that you registered.
e. Click Configure. The Mobile Authentication Configuration form is shown.
i. Enter the certificate thumbprint (from your ADFS).
ii. Click Close.
f. For the RSA key container name, type the name of the key container that you created previously in the Encryption key containers section.
g. For a description, provide a description for the Service Bus namespace, as shown in the following illustration:
h. Click Close.
Deploy your AIF service to the Azure Service Bus
To create a new port to publish your service on:
1. Click System Administration > Services and Application Integration Framework > Inbound Ports.
2. Click New to create a new port.
3. Type the name of the port. It is a best practice to incorporate the name that you used for the Azure Service Bus namespace on the Azure Service Bus Configuration form (step 2a).
4. Type a description of the port to provide a description of the services that this port hosts.
5. Select Azure Service Bus for Adapter.
6. Click the button beside the URI field to open the Select Azure Service Bus Namespace form, and select the namespace that you created.
8. Click the Service Operations button, which is located below Service Contract customizations.
9. Find the UnreconciledExpense service from Create the expense service operations in the right-hand pane.
i. Select all of the operations on your service that you want to publish by highlighting each one, and then clicking the < button.
ii. Click Close.
10. In the Inbound Ports form, highlight your port in the left-hand pane.
11. Click Activate.
12. The UnreconciledExpense Service is now published to IIS 7.5. The URL to access the Microsoft Dynamics AX service through the Service Bus is displayed in the URI: field, as shown in the previous illustration. For the example in this document, the URI field should be:
https://ContosoMobile.servicebus.windows.net/UnreconciledExpense/xppservice.svc
You may now refer to the remainder of this document to develop the client that will communicate with Microsoft Dynamics AX using the AX service that you have published to the Windows Azure Service Bus.