IP OnRamp Service Configuration

The GMC SOA Team prefers to install the OnRamp for Global Partners (GP).

This document contains instructions for a GP to install and configure an OnRamp (previously referred to as an "OffRamp") service on a Windows 2008 Server. This OnRamp will receive messages sent from Compass to the GP through the GMC Messaging system.

Note: All references in this document and screenshots to "OffRamp" are synonymous with "OnRamp."

You will need a test OnRamp to interface with the new GP Test Environment and a separate one for Production. Items highlighted in yellow are examples; you may substitute them with your desired names.

We prefer that you (the GP) give a person on the GMC SOA Team remote admin access to the server you want the GP OnRamp installed on, and they will do it for you per the following steps.

Alternatively, we will send you an installer package and work with you to get it installed.

Here are the steps to get started:

  1. GP to create a ticket in Service Now, asking for help setting up a GP Test OnRamp Service.
  2. GMC SOA Team to create a ticket for the Compass Team, to assist in the setting up of Compass side of testing – Allocating Children, etc.
  3. GP to determine and provide the URL for their OnRamp to the GMC SOA Team.
  4. GP to provide the certificate to be used for SSL communication to the GMC SOA Team. For example: if you have an SSL certificate for “services.compassion.xx” you may choose a URL for GP Test as “https://services.compassion.xx/IPTestOnRamp/OnRampService.svc”.
  5. GP creates a new local, private, transactional MSMQ queue called “iptestqueue.” GP has freedom to name this whatever they wish.
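
One way to script step 5 and the queue permission that the installer's service account needs. This is an added example, not part of the GMC installer package; the account name is a placeholder and the exact set of rights granted is an assumption about what "read/write access" requires.

```powershell
# Added example: create the local, private, transactional queue and grant
# the OnRamp service account only the rights it needs.
Add-Type -AssemblyName System.Messaging

$QueuePath      = '.\Private$\iptestqueue'        # the page's example queue name
$ServiceAccount = 'EXAMPLE\svc-iptestonramp'      # placeholder: account entered in the installer

if ([System.Messaging.MessageQueue]::Exists($QueuePath)) {
    $queue = New-Object System.Messaging.MessageQueue $QueuePath
    # The transactional flag is fixed when a queue is created, so an existing
    # non-transactional queue has to be deleted and recreated.
    if (-not $queue.Transactional) {
        throw "$QueuePath exists but is not transactional; delete and recreate it."
    }
} else {
    # Second argument $true makes the queue transactional.
    $queue = [System.Messaging.MessageQueue]::Create($QueuePath, $true)
}

# Assumption: read/write means send, receive (which includes peek) and
# reading the queue's properties and permissions. No FullControl.
$rights = [System.Messaging.MessageQueueAccessRights]'WriteMessage, ReceiveMessage, GetQueueProperties, GetQueuePermissions'
$queue.SetPermissions($ServiceAccount, $rights,
    [System.Messaging.AccessControlEntryType]::Allow)

"Queue:         $($queue.Path)"
"Transactional: $($queue.Transactional)"
"Granted to:    $ServiceAccount ($rights)"
```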

Install OnRamp

  1. Run setup.exe from OnRamp Install package.
  2. Click Next.
    Setup wizard screenshot
  3. Click Next.
    Setup wizard screenshot
  4. Enter User Name (Ensure that this account has the appropriate read/write access to the queue previously created and ensure this account has read access to the certificate used for SSL) and also enter the Password for that account. Then click Next.
    Setup wizard screenshot
  5. Enter the Application Name for your OnRamp service (e.g. IPTestOnRamp). Then click Next.
    Setup wizard screenshot
  6. Enter or browse to the Folder Name where you want the OnRamp Service to reside (e.g. C:\CIESB\Services\IPTestOnRamp). Then click Next.
    Setup wizard screenshot

The OnRamp will now be installed.

Edit the web.config File

Edit the web.config file for the new OnRamp service at (C:\CIESB\Services\IPTestOnRamp\web.config) and set the MessageQueueAddress to your new local queue as follows:
<add key="MessageQueueAddress" value=".\Private$\iptestqueue" />

Configure IIS

In IIS, set up an Application Pool for this OnRamp in order to define the service account under which the OnRamp will run by adding an application called IPTestOnRamp, so that the resulting URL to the service will be your URL, like “https://services.compassion.xx/IPTestOnRamp/OnRampService.svc”.

When done, you should be able to browse to this URL. If not, here are some troubleshooting tips:

  • Can you browse to https://localhost , and then https://localhost/iptestofframp/OffRampService.svc?
  • If not, is a certificate binding set for port 443? Check with: netsh http show sslcert

Configure URL

Configure this new URL as an application in ADFS per the instructions below. The binding configuration for the service requires a ws-federation binding which is secured through a Security Token Service (STS). We currently use Active Directory Federation Services (ADFS) as the STS, which supplies the SAML Token necessary to ensure that the caller is authenticated through Compassion’s Active Directory. The CornerstoneConnect Team will need to work with you to configure the OnRamp service in a trust relationship before it can be put into service.

Server Preparation

  1. Install the Windows Identity Foundation runtime and SDK on your server.
    http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=17331
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4451
  2. Check DNS for “adfs.ci.org”
    Make sure adfs.ci.org maps to the GMC’s ADFS server by making sure you can browse to https://adfs.ci.org/federationMetadata/2007-06/federationMetadata.xml
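
The port 443 binding tip under Configure IIS and the adfs.ci.org check above can be run as one preflight script. This is an added example, not GMC tooling; it assumes the IIS binding is on 0.0.0.0:443, the certificate sits in the LocalMachine\My store, and netsh prints English field labels.

```powershell
# Added example: preflight for the HTTPS binding and the ADFS metadata endpoint.
$MetadataUrl = 'https://adfs.ci.org/federationMetadata/2007-06/federationMetadata.xml'

# 1. Which certificate is bound to port 443? (same data as "netsh http show sslcert")
$binding = netsh http show sslcert ipport=0.0.0.0:443 | Out-String
if ($binding -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
    $thumbprint = $Matches[1].ToUpper()
} else {
    throw 'No SSL certificate is bound to 0.0.0.0:443.'
}

# 2. Is that certificate present, usable and not about to expire?
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)               { throw "Bound certificate $thumbprint is not in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Bound certificate $thumbprint has no private key." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Bound certificate expires on $($cert.NotAfter)."
}

# 3. Does the ADFS host name resolve from this server?
$adfsHost  = ([Uri]$MetadataUrl).Host
$addresses = [System.Net.Dns]::GetHostAddresses($adfsHost)

# 4. Fetch the federation metadata over HTTPS. Load() throws if the TLS
#    certificate is not trusted or the response is not well-formed XML.
$metadata = New-Object System.Xml.XmlDocument
$metadata.Load($MetadataUrl)
$entityId = $metadata.DocumentElement.GetAttribute('entityID')
if (-not $entityId) { throw 'Metadata document has no entityID attribute.' }

"443 binding:  $($cert.Subject) (expires $($cert.NotAfter))"
"$adfsHost -> $($addresses -join ', ')"
"STS entityID: $entityId"
```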

Modify Service Configuration on Client Server

Since this is for a GP (i.e. your server), use the web.config of C:\CIESB\Services\IPTest

  1. In web.config add address to service endpoint
    Example: <endpoint address="https://services.compassion.xx/IPTestOnRamp/OnRampService.svc" binding="ws2007FederationHttpBinding" contract="IOffRampService" bindingConfiguration="IOnRampService_ws2007FederationHttpBinding" />
  2. Open “FEDUtil” at C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0
  3. Set Application configuration location as C:\CIESB\Services\IPTest\web.config and application URI as https://services.compassion.xx/IPTestOnRamp/OnRampService.svc, then click Next.
    Federation utility wizard screenshot
  4. Click Next.
    Federation utility wizard screenshot
  5. On the "Security Token Service" page, select “Use an existing STS”. Input location as https://adfs.ci.org/federationMetadata/2007-06/federationMetadata.xml. Then click Next.
    Federation utility wizard screenshot
  6. Select “Enable encryption” option on “Security token encryption” page, and “Select an existing certificate from store”. Click on “Select Certificate” and select your certificate. Then click Next.
    Federation utility wizard screenshot
  7. Click Next on "Offered claims" page.
    Federation utility wizard screenshot
  8. Click Finish on the "Summary" page.
    Federation utility wizard screenshot

Modify the Configuration

Modify the configuration file accordingly per instructions below.

  1. Since this is for GP (i.e. your server), using the web.config of C:\CIESB\Services\IPTestOnRamp – remove/comment out address in the service endpoint address towards top of file.
    Example: <!--<endpoint address="https://services.compassion.xx/IPTestOnRamp/OnRampService.svc" binding="ws2007FederationHttpBinding" contract="IOffRampService" bindingConfiguration="IOnRampService_ws2007FederationHttpBinding" />-->
  2. Change security mode.
    Example:
    <ws2007FederationHttpBinding>
      <binding name="IOnRampService_ws2007FederationHttpBinding">
        <security mode="TransportWithMessageCredential">
  3. Change behavior to httpsGetEnabled
    Example:
    <serviceBehaviors>
      <behavior>
        <serviceMetadata httpsGetEnabled="true" />
  4. Save the web.config
  5. Make sure you can browse to your URL.
    Example: https://services.compassion.xx/IPTestOnRamp/OnRampService.svc
  6. Send copy of the newly created FederationMetadata.xml file at C:\CIESB\Services\IPTestOnRamp\FederationMetadata\2007-06\ to your contact at the GMC so they can have the Relying Party Trust setup within ADFS for your OnRamp at the GMC.
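
A read-only check that the edited web.config matches the steps above, written as an added example rather than anything shipped with the OnRamp. It uses the page's example path and names, assumes the config elements carry no XML namespace, and the warning about httpGetEnabled is an extra check the page does not require.

```powershell
# Added example: verify the web.config edits without changing the file.
$ConfigPath = 'C:\CIESB\Services\IPTestOnRamp\web.config'
$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($ConfigPath)
$problems = @()

# MessageQueueAddress must point at the local private queue.
$queue = $cfg.SelectSingleNode("//appSettings/add[@key='MessageQueueAddress']")
if (-not $queue -or $queue.GetAttribute('value') -notlike '.\Private$\*') {
    $problems += 'MessageQueueAddress is missing or is not a local private queue.'
}

# Security mode on the federation binding.
$security = $cfg.SelectSingleNode("//ws2007FederationHttpBinding/binding[@name='IOnRampService_ws2007FederationHttpBinding']/security")
if (-not $security -or $security.GetAttribute('mode') -ne 'TransportWithMessageCredential') {
    $problems += 'Binding security mode is not TransportWithMessageCredential.'
}

# Service metadata must be published over HTTPS.
$meta = $cfg.SelectSingleNode('//serviceBehaviors/behavior/serviceMetadata')
if (-not $meta -or $meta.GetAttribute('httpsGetEnabled') -ne 'true') {
    $problems += 'serviceMetadata httpsGetEnabled is not "true".'
} elseif ($meta.GetAttribute('httpGetEnabled') -eq 'true') {
    # Extra check (assumption): metadata should not also be served over plain HTTP.
    $problems += 'serviceMetadata httpGetEnabled is still "true".'
}

# Step 1: no active service endpoint may still carry an absolute address.
# Commented-out endpoints are XML comments, so SelectNodes does not return them.
$addressed = $cfg.SelectNodes("//system.serviceModel/services//endpoint[@contract='IOffRampService'][starts-with(@address,'http')]")
if ($addressed.Count -gt 0) {
    $problems += 'A service endpoint still has an absolute address; remove or comment it out.'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"$ConfigPath matches the configuration steps."
```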

After testing is successful in the GP test environment, you can repeat steps in this document to configure your production environment by using your desired production name where IPTest is referenced.
