Productivity solutions

  • 10/9/2017
Contents

Skill: Create and configure a Business Connectivity Services (BCS) and Secure Store application

Business Connectivity Services (BCS) is a powerful feature that allows both SharePoint and non-SharePoint data and information to be represented within the same interface. Successfully presenting this data requires that the SharePoint administrator be familiar with both BCS itself as well as the Secure Store, which is required for storing credentials to these external systems.

This section covers how to:

  • Import and configure BCS models

  • Configure BCS model security

  • Configure BCS for search

  • Generate a Secure Store master key

  • Manage Secure Store Target Application permissions

  • Create Secure Store Target Applications

  • Configure hybrid BCS

Import and configure BCS models

Designing a data connection for use with BCS requires the use of a model. This model is an XML file that contains sets of descriptions of one or more external content types, the related external systems, and other environment-specific information, such as authentication properties.

Important

BCS used to be called Business Data Catalog (BDC) in previous versions of SharePoint. Throughout this section, this functionality is referred to by its name in Central Administration for clarity. One of the places where this naming standard appears is in the naming of models; the XML model imported into BCS is still referred to as a BDC model.

Four main data sources are available for use within BCS:

  • Windows Communication Foundation

  • SQL Server

  • SQL Azure

  • OData sources (including SQL OData sources)

Importing a BCS model

Once a BCS model has been made for the data source, it must be imported for use within SharePoint. Selecting the Business Data Connectivity service application allows for the management of the BDC service (Figure 4-10).

FIGURE 4-10

FIGURE 4-10 Managing the BDC service application

Selecting the Import icon on the ribbon begins the import process, with the following options:

  • BDC Model Browse to and upload a BDC model XML file.

  • File Type Choose the file type (model or resource).

    • Model A BDC model definition file contains the base XML metadata for a system.

    • Resource A resource definition file enables you to import or export only the localized names, properties, permissions, or any combination of the three.

  • Advanced Settings Advanced Settings allows you to do the following:

    • Choose Which Resources To Import It is possible to select more than one of the following: Localized names (selected by default), Properties (selected by default), and Permissions (not selected).

    • Custom Environment Settings If you imported a resource file type, it can include custom settings.

exa.jpg Exam Tip

A BDC model can be imported using a combination of both the Get-SPBusinessDataCatalogMetadataObject and Import-SPBusinessDataCatalogModel cmdlets, as shown in the TechNet article “Import-SPBusinessDataCatalogModel” at https://technet.microsoft.com/library/ff607757.aspx. For the exam, be familiar with these cmdlets and also note that neither uses the phrase Business Connectivity Services or BCS.

Configuring an External Content Type Profile Page Host

Once the BCS model has been uploaded, Profile Pages can then be configured by selecting the Configure icon on the ribbon. The configuration process allows you simply to specify an External Content Type Profile Page Host, as shown in Figure 4-11.

FIGURE 4-11

FIGURE 4-11 Configuring an External Content Type

Profile Pages are used to display information for an entity (External Content Type). New Profile Pages are added by selecting the External Content Type and then selecting Create/Upgrade Profile Page (Figure 4-12).

FIGURE 4-12

FIGURE 4-12 Creating a new Profile Page

Need More Review?

Creating and configuring BDC and BCS connections can be a very complex task. For a better understanding, review the TechNet article “Plan a Business Connectivity Services solution in SharePoint 2013” at https://technet.microsoft.com/library/jj219580.aspx.

Configure BCS model security

BCS often connects to other line-of-business systems, which can contain sensitive data. As with any other system, security requires that we plan for the authentication to the data source as well as the authorization (permissions) for accessing the data source.

Authentication

BCS supports three different authentication methods:

  • Credentials-based authentication User name and password credentials are passed directly from BCS to the external system.

  • Claims-based authentication The external system will accept credentials from a third-party authentication service (a security token provider). These credentials are comprised of assertions about the requestor (a claim).

  • Custom authentication If neither credentials- nor claims-based authentication is supported by the external system, then a custom solution will be required to translate credentials from BCS to a format understood by the external system.

Authorization

Once authentication has been performed, the next discussion is which roles will be assigned access to the solution. The security of this data should be assigned to three roles in a SharePoint farm:

  • Administrative roles Administrators are responsible for permissions management, creating and managing the BDC service application, importing BDC models, and managing permissions. If Add-ins are also used, then administrators will also publish the Add-in and create and manage connection objects.

  • Developer or Designer roles These roles create the external content types, BDC models, and the Add-ins for SharePoint by using BCS.

  • User roles Multiple groupings of users may be assigned to consume and possibly manipulate external data in the BCS solution.

Permissioning in BCS needs to be managed for four distinct components of the BCS solution:

  • External system The external system administrator will assign and manage permissions for the solution; if users are required to use their SharePoint credentials, the Secure Store service might need to be set up in SharePoint.

  • BCS central infrastructure This has to do with the security of the service application contained within Central Administration on the SharePoint farm; permissions to this service application can be delegated (as can happen on a number of other service applications in SharePoint).

  • Development environment As a development environment will likely be required for BCS design efforts, this environment can have fewer users but permissions can be a bit more relaxed, so as not to impede development efforts.

  • User environment User permissions differ based on the mechanisms used for accessing BCS data. For instance, it is a different matter (in terms of scope and execution) to configure external lists and columns, than to assign permissions via Office and SharePoint Add-ins.

Need More Review?

BCS security extends from the SharePoint user, through administration, and into the destination system. Ensuring that these data connections are secure is a fundamental requirement for implementing successful BCS solutions. For a better understanding of the detailed tasks required for securing a BCS solution, review the TechNet article “Overview of Business Connectivity Services security tasks in SharePoint 2013” at https://technet.microsoft.com/library/jj683116.aspx.

Generate a Secure Store master key

The Secure Store service in SharePoint 2016 is a claims-aware service that stores authorization credentials in an encrypted database. These credentials can be used by other service applications in the farm, particularly to access external data sources.

Creating the Secure Store service application

As service applications go, setting up the Secure Store service application is quite easy. After selecting Manage Service Applications from within Central Administration, all that must be provided is a handful of information:

  • Service Application Name A name for the new service application.

  • Database The server and database names, along with the authentication mechanism used (Windows or SQL).

  • Failover Server Only used if you implement SQL mirroring.

  • Application Pool Create a new application pool (or reuse an existing one).

  • Enable Audit Choose whether or not to enable an Audit log for the Secure Store service (and how many days it spans), which will then be stored in the Secure Store database.

Several guidelines exist for the secure configuration of the Secure Store service application. These guidelines are designed to help secure this database, as it stores potentially sensitive credentials.

  • Run the Secure Store service in a separate application pool from all other service applications.

  • Run the Secure Store service in a separate application server not used for any other service.

  • Deploy the Secure Store database to a different instance of SQL Server than is used for the SharePoint 2016 installation.

Creating a new key

Aside from creating the Secure Store service application (created from Central Administration, Service Applications), the only other task that remains is to create a new encryption key for use with the Secure Store database.

On the initial installation of the Secure Store service application, the service will not allow you to create new Target Applications until this key has been generated (Figure 4-13).

FIGURE 4-13

FIGURE 4-13 Warning message about generating a new key

Three guidelines exist for the creation and management of the encryption key:

  • Back up the Secure Store database:

    • Before generating a new encryption key

    • After it’s initially created

    • Each time credentials are re-encrypted

  • Back up the encryption key (located in the Secure Store service application):

    • After initially setting up Secure Store

    • Each time it is regenerated

  • Do not store the encryption key backup media in the same location as the backup media used for the Secure Store database.

Clicking the Generate New Key icon starts the process of generating and applying the encryption key. This process requires that you create a case-sensitive pass phrase for use with the encryption key, and which is used when adding new Secure Store service servers as well as restoring a backed-up Secure Store database (Figure 4-14).

FIGURE 4-14

FIGURE 4-14 Creating a new pass phrase while generating a new encryption key

Once the key has been generated, make sure to record the pass phrase, as both it and the encryption key are required to successfully restore the Secure Store database.

Important

At this point, you should perform a full backup of both the Secure Store service application (under Shared Services in Central Administration, Backup and Restore) as well as the Secure Store database.

Create Secure Store Target Applications

Creating a new Secure Store Target Application is a three-step process. On the ribbon, clicking the New icon begins this process.

First Configuration page

On the first configuration page, shown in Figure 4-15, you have the opportunity to provide the following values:

  • Target Application ID (name) A unique, unchangeable identifier for your Target Application.

  • Display Name A friendly (display) name for the Target Application.

  • Contact E-mail The e-mail for the primary contact for this Target Application.

  • Target Application Type Choose from an Individual Ticket, Individual Restricted, Individual (Default), Group Ticket, Group Restricted, or Group.

  • Target Application Page URL Choose whether to use Default Page, a Custom Page (specify), or None.

FIGURE 4-15

FIGURE 4-15 Creating a new Secure Store Target Application (Page 1)

Need More Review?

Target Application types have to do with the type of account used to map user credentials. More information on these items can be found in the MSDN article “How to: Use Secure Store Service to Connect to an External System” at https://msdn.microsoft.com/library/office/ee554863(v=office.14).aspx.

Second configuration page

On the second configuration page, you have the opportunity to provide both two field names and two matching field types (Figure 4-16). Field Name simply describes what the field is to be called, and is not a field for entering a user name or a password. The Masked check box can be selected to hide either the user name, password, or both when setting credentials, as you will see shortly.

FIGURE 4-16

FIGURE 4-16 Creating a new Secure Store Target Application (Page 2)

Third configuration page

On the third and final configuration page, the Target Application Administrators can be selected. These users are then given privileges to manage the Target Application settings (Figure 4-17).

FIGURE 4-17

FIGURE 4-17 Creating a new Secure Store Target Application (Page 3)

Important

Farm administrators automatically have access to the Target Application.

Need More Review?

The settings on this page depend greatly on which Target Application type was previously selected. For a clearer understanding of the effect this choice has on the Secure Store Target Application, review the TechNet article “Plan the Secure Store Service in SharePoint Server 2016” at https://technet.microsoft.com/library/ee806889(v=office.16).aspx.

Manage Secure Store Target Application permissions

Permissions for the Secure Store Target Application have to do with two actions: setting credentials and setting permissions.

Setting credentials

Once the Target Application has been created, user credentials need to be initially set. Selecting Target Application, Set Credentials provides the opportunity to specify a Credential Owner as well as individual or group user names and passwords (Figure 4-18).

FIGURE 4-18

FIGURE 4-18 Setting credentials for the Secure Store Target Application

Important

This credential entry provides no opportunity for user lookups or validation; be careful of the values you enter here, as it would be easy enough to accidentally include a typographical error.

Setting permissions

After the Target Application is created, user permissions can be applied after the fact. Selecting the Target Application ID and then choosing to Set Permissions will give the ability to specify one or more permission sets (Target Application Administrators shown in Figure 4-19), depending on the Target Application type previously chosen.

FIGURE 4-19

FIGURE 4-19 Setting permissions

Important

As we will see shortly, the Search service account should be given member access at both the Secure Store Target Application as well as on the appropriate BDC External Content Type.

Configure BCS for search

To surface a BDC External Content Type in Search, the External Content Type needs to be configured as a Content Source in the Search service application.

Within the Search service application, selecting New Content Source begins this process, requiring the following fields (shown in Figure 4-20):

  • Name The name of the Search content source.

  • Type of content to be crawled Selections include SharePoint Sites, Web Sites, File Shares, Exchange Public Folders, Line Of Business Data (selected), and Custom Repository.

  • Select The Business Connectivity Service Application Allows for the selection of a BCS service application (assuming there is more than one).

  • Crawl Either Crawl All External Data Sources or Crawl Selected External Data Source, in this case Wingtiptoys.

FIGURE 4-20

FIGURE 4-20 Configuring a BCS content source

Configure hybrid BCS

BCS is available both on-premises and in SharePoint online. By using the Microsoft BCS hybrid deployment scenario, you can publish on-premises data to an external list or add-in on SharePoint Online.

Prerequisites

Prior to its use, an environment must be configured for use with the BCS hybrid scenario. This configuration has several prerequisites:

  • There must be an S2S trust with Azure Access Control Service for inbound hybrid connections.

  • Ensure that all on-premises user accounts accessing the BCS hybrid solution are federated accounts.

  • Create a service account in the on-premises domain intended to access the OData service endpoint.

  • Create a global security group in the on-premises domain.

  • Add the federated accounts from the on-premises domain to the global security group.

Configuration steps for hybrid BCS

Configuring the on-premises environment to use the hybrid BCS scenario requires several steps, intended to establish the relationship between the two environments:

  • Create and configure a Secure Store Target Application, which links the global security group to the service account, both of which were created in the prerequisites section.

  • Create and configure the OData service endpoint; this will also include the assignment of permissions to the data source represented by this endpoint.

  • Prepare the SharePoint Online site and App Catalog, identifying the site through which the data will be offered, and configuring the App Catalog (if an Add-in for SharePoint will be used).

  • Set permissions on the BDC Metadata Store in SharePoint Online (for use with manual imports of External Content Type method).

  • Validate external access to the on-premises SharePoint environment using the URL published through your reverse proxy.

  • Create and configure the External Content Type by using Visual Studio.

  • From BCS in SharePoint Online, configure a connection settings object, which contains additional information used to establish the connection to the external system and OData source.

Need More Review?

Establishing the relationship between environments is error-prone, often requiring a lot of troubleshooting. Fortunately, this process is documented in Chapter 3 (“BCS hybrid”) of the ebook Configuring Microsoft SharePoint Hybrid Capabilities, available for free download at https://blogs.msdn.microsoft.com/microsoft_press/2016/07/06/free-ebook-configuring-microsoft-sharepoint-hybrid-capabilities/.

Save to your account

This chapter is from the book