TLS Support in BizTalk360

Published on : Aug 16, 2018

Category : BizTalk360 Update

Author : Praveena

BizTalk360 is the one-platform monitoring solution for BizTalk Server. It takes only about 15 minutes to install the product and have it ready for use. The installation is smooth and straightforward. During the installation, the web application, the Monitoring and Analytics services and the database are installed according to the options the user selects.
One of the main advantages of the BizTalk360 installer is that you can view the installer logs if there are any errors during the process. The installation log contains the complete details of the installation steps, the service account, the database connection string and so on, and of course the error details, if any.
Our BizTalk360 support team receives tickets from customers seeking assistance during the installation. In this blog, I would like to share an interesting case from a customer related to BizTalk360 installation.

The customer scenario

When the customer tried to install BizTalk360, they got the error below at the BizTalk360 database creation step.

Here are the investigation steps

When the installer fails, our first step of investigation is to check the installation logs. In the logs, there was the following error message: Error 0x80004005: ‘failed to check if database exists’.
The next step is to check the permissions of the BizTalk360 service account on the SQL Server hosting the BizTalk360 database. As a prerequisite for a smooth installation of BizTalk360, the service account must be given the db_owner permission on the BizTalk360 database. At the customer end, all the permissions were intact, but the error still persisted. After a thorough analysis, we found that the root cause was the TLS version enabled on the servers.

Standards for securing communication

As database-driven applications are increasing their hold on the systems market, the security of the retained information is also increasing. One way of mitigating a potential attack during a user’s session is to use a secure communication protocol to encrypt data in transit between the user and the server on which the sensitive information resides. Two such communication protocols are Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
SSL was first introduced by Netscape back in 1993-1994. The Internet was growing, and so was the need for transport security. Today SSL/TLS is used in almost every conceivable online service. TLS is the protocol that allows digital devices (such as computers and phones) to communicate over the internet securely, without the transmission being vulnerable to an outside audience. The latest version of TLS is TLS 1.2.

How did TLS hinder the installation of BizTalk360?

As part of its security policy, an organization would enable the TLS protocol for more security. But do you think that this protocol would cause the BizTalk360 installer to fail? How is that related to BizTalk360? Let’s move on to find the answer.
Let us consider the following setup for BizTalk360. With a single BizTalk Server and a standalone BizTalk360 environment, the setup will look like the one below.

The BizTalk360 database may be hosted on a separate SQL Server as well. In that scenario, all the servers have TLS configured and communicate with each other through the protocol. In some customers’ cases, where they had disabled TLS 1.0 and enabled TLS 1.2, they had difficulty installing BizTalk360 because the database was not getting created. However, once TLS 1.0 was enabled and TLS 1.2 disabled, the installation was successful, including the database creation.
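
To see which of these combinations a server is actually in, the SCHANNEL protocol settings can be read from the registry on each machine in the setup. The script below is an added example, not part of the BizTalk360 installer or the original post; the function name Get-TlsState is illustrative, and it assumes the standard Windows SCHANNEL registry location.

```powershell
# Added example: report the SCHANNEL TLS protocol state on this server.
# Run it on every machine in the setup (BizTalk Server, BizTalk360, SQL Server).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-TlsState {
    param(
        [string]$Protocol,   # e.g. 'TLS 1.0'
        [string]$Role        # 'Client' (outgoing) or 'Server' (incoming)
    )
    $key = Join-Path $base "$Protocol\$Role"
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $enabled = $props.Enabled
        $disabledByDefault = $props.DisabledByDefault
    }
    # A missing key or value means the protocol was never configured
    # explicitly, so the operating system default applies.
    $state = 'Not configured (OS default)'
    if ($null -ne $enabled) {
        $state = if ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
    }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        State             = $state
        DisabledByDefault = $disabledByDefault
    }
}

$report = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($r in 'Client', 'Server') { Get-TlsState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize

# Flag the combination described above: TLS 1.0 switched off, TLS 1.2 left on.
$tls10Off = @($report | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.State -eq 'Disabled' }).Count -gt 0
$tls12Off = @($report | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -eq 'Disabled' }).Count -gt 0
if ($tls10Off -and -not $tls12Off) {
    Write-Warning 'TLS 1.0 is disabled and TLS 1.2 is not: BizTalk360 installers before v8.9 fail at database creation in this configuration.'
}
```

Comparing the output across the servers shows quickly whether the machine running the installer and the SQL Server host still share a protocol version.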

The different scenario of the customer

In another customer scenario, they were using the SQL Express Edition for hosting the BizTalk360 database. This is the first time we have come across such a case with this SQL Server edition. At first, we suggested that they enable TLS 1.0 and disable TLS 1.2. But when TLS 1.2 was disabled, they faced the error in connecting to the SQL Server as shown below.

We tried different options for enabling the TLS versions, but this did not solve the error at all. Let’s move ahead to know the real cause of the error and how we resolved it.

The WiX toolset and BizTalk360 installer

The BizTalk360 installer uses the WiX toolset for the installation package and database creation. It seemed that there was no support for TLS 1.2 in the WiX toolset for the SQL Express edition. Hence it was not able to connect to the SQL Server for the database creation.
The BizTalk360 installer is so robust that each and every error is displayed, and it won’t allow the installation to proceed if it encounters any problem. The installation logs are an added advantage for getting a clear picture of the error message. The picture below shows the TLS settings at the customer end.

As a quick step for testing this case, we immediately provisioned a VM with the same configuration as the customer and were able to reproduce the exact issue. After a complete analysis and research, we found the issue to be with the WiX toolset. Once we had identified the issue with the WiX toolset, an update was available for it. With this updated version of the installer, the installation was successful, and the database was also created.
This was a different experience and of course a good learning for us. We, the support people, have now acquired background knowledge of the installer as well as the TLS protocols.

Conclusion

New experiences lead to new learnings. As TLS 1.0 has been deprecated, many of our customers who have already moved to TLS 1.2 were not sure if BizTalk360 supports the latest version. Now the installer supports the latest TLS version, which is TLS 1.2. This will be updated in our upcoming release version of BizTalk360 v8.9. When the customers upgrade to v8.9, they can have TLS 1.2 enabled, which was not the case previously. When they had TLS 1.0 disabled, they were not able to install BizTalk360. They had to enable TLS 1.0, disable TLS 1.2, install BizTalk360 and then once again disable TLS 1.0, which is a cumbersome job.
Now BizTalk360 supports TLS 1.2. Happy monitoring with BizTalk360!!! 😊.