
Configuring Certificates for AS2

To help secure AS2 data transfer using encryption and digital signatures, you must have the appropriate certificates installed, in addition to the appropriate AS2 configuration on BizTalk Server.

Certificate Signing for Outgoing Messages in BizTalk Server 2006 R2 Service Pack 1

In BizTalk Server 2006 R2, outgoing AS2 messages are signed with a single default certificate defined in the BizTalk Group properties. However, a receiving party may require that messages sent to it be signed with a different certificate (for example, one dedicated to that trading relationship). Signing outgoing messages with a party-specific certificate is supported if you have BizTalk Server 2006 R2 SP1 installed. If a certificate is specified in the AS2 properties for a party, that certificate is used to sign messages sent to that party. If no certificate is defined for the party, the default certificate specified in the BizTalk Group properties is used.

This topic describes the certificates required, how to configure them, and common issues with them.

Certificates Required for AS2 Transport

To help secure AS2 data transfer, you must add the appropriate certificate to the appropriate certificate store, and associate the certificates with the appropriate BizTalk artifacts. The following certificates are used to help secure AS2 messages:

For each certificate usage, the table lists the certificate type, the pipeline component that uses it, the user context it is read under, the certificate store it must be placed in, and where in BizTalk it is configured.

Signature (outbound)

  • Certificate type: Own private key (.pfx)

  • Pipeline component: AS2 encoder

  • User context: Account used by the host instance associated with the send handler.

  • Certificate store: Current User\Personal store of each BizTalk server that hosts an AS2 encoder pipeline, imported under each host instance service account.

  • Where defined: Certificate page of the BizTalk Group Properties dialog box. This is the default signing certificate used when sending signed documents. If you have BizTalk Server 2006 R2 SP1 installed, you can override the group default for individual parties by specifying a certificate on the Certificate page of the AS2 Properties dialog box for that party; that certificate is then used to sign messages sent to that specific party.

Signature verification (inbound)

  • Certificate type: Trading partner's public key (.cer)

  • Pipeline component: AS2 decoder

  • User context: Account used by the host instance associated with the receive handler.

  • Certificate store: Local Computer\Other People store of each BizTalk server that hosts an AS2 decoder pipeline, readable by each host instance service account.

  • Where defined: Certificate page of the Party Properties dialog box.

Note: The certificate used to verify a party's signatures must be different from the certificates used to verify signatures for all other parties; BizTalk identifies the sending party by this certificate.

Encryption (outbound)

  • Certificate type: Trading partner's public key (.cer)

  • Pipeline component: AS2 encoder

  • User context: Account used by the host instance associated with the send handler.

  • Certificate store: Local Computer\Other People store of each BizTalk server that hosts an AS2 encoder pipeline.

  • Where defined: Certificate page of the Send Port Properties dialog box.

Decryption (inbound)

  • Certificate type: Own private key (.pfx)

  • Pipeline component: AS2 decoder

  • User context: Account used by the host instance associated with the receive handler.

  • Certificate store: Current User\Personal store of each BizTalk server that hosts an AS2 decoder pipeline, imported under each host instance service account.

  • Where defined: Not configured in BizTalk. The AS2 decoder selects the decryption certificate from the recipient information carried in the encrypted message itself and looks it up in the host instance account's Personal store.

For the BizTalk MIME Decoder, by contrast, the decryption certificate must be specified on the Certificate page of the host that receives the message. This is not necessary for the AS2 decoder.

Adding Certificates to the Certificate Stores

For information about using the Certificate Import Wizard and the Certificates Management Console interface to add a certificate to a store, see the "Set certificates for processing signed messages" section of the How to Install the Business-to-Business Solution. Additional information is in the "Displaying the Certificates Management Console" section of Installing Certificates for the WCF Adapters.

Important
The Personal certificate store is available for message processing only if the user profile is loaded for the account whose logon credentials are associated with the host instance. The Personal store holds the signing and decryption certificates (your own private keys), so a host instance whose profile is not loaded cannot sign or decrypt. The user profile is loaded by default for the in-process host instance, but not for the isolated host instance. You can have an application load the user profile for the isolated host. Alternatively, you can work around this issue by running the in-process host instance and the isolated host instance under the same logon account.
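The store-placement rules in the table above and the Important note about the service account's Personal store, as an added PowerShell example that is not part of the BizTalk documentation: the script imports the organization's own .pfx into Current User\Personal of the host instance service account and a trading partner's .cer into Local Computer\Other People, and refuses to run if it is not executing as the expected service account, because the Personal store it writes to belongs to whoever runs it. The account name CONTOSO\BtsHostSvc, the file paths and the partner name are assumptions.

```powershell
# Added example, not from the BizTalk documentation. Account name, file paths
# and partner name below are assumptions for illustration.
#
# Run this AS the host instance service account, for example:
#   runas /user:CONTOSO\BtsHostSvc "powershell.exe -File .\Install-As2Certs.ps1"
# so that the .pfx lands in THAT account's Current User\Personal store and the
# account's user profile (which holds the key container) is loaded during import.
# Writing to the Local Computer store additionally requires local administrator rights.

$ExpectedAccount = 'CONTOSO\BtsHostSvc'         # assumption: host instance service account
$OwnPfxPath      = 'C:\AS2\contoso-as2.pfx'     # assumption: own signing/decryption key
$PartnerCerPath  = 'C:\AS2\fabrikam-as2.cer'    # assumption: partner's public certificate

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ExpectedAccount) {
    throw "Running as $me; the .pfx must be imported as $ExpectedAccount or the AS2 encoder/decoder will not find it."
}

function Add-CertToStore {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)][string]$StoreName,      # 'My' = Personal, 'AddressBook' = Other People
        [Parameter(Mandatory=$true)][string]$StoreLocation   # 'CurrentUser' or 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $existing = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $Cert.Thumbprint, $false)
        if ($existing.Count -eq 0) { $store.Add($Cert) }    # idempotent: re-running does not duplicate
    } finally {
        $store.Close()
    }
    # The thumbprint is what you paste into the BizTalk Certificate pages.
    return $Cert.Thumbprint
}

# 1. Own private key -> Current User\Personal (used for signing and decryption).
#    UserKeySet keeps the key in this user's profile; PersistKeySet stores it permanently.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$keyFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$own = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OwnPfxPath, $pfxPassword, $keyFlags)
if (-not $own.HasPrivateKey) { throw "$OwnPfxPath contains no private key; signing and decryption need one." }
$ownThumb = Add-CertToStore -Cert $own -StoreName 'My' -StoreLocation 'CurrentUser'

# 2. Partner public key -> Local Computer\Other People (signature verification and encryption).
$partner = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PartnerCerPath)
if ($partner.HasPrivateKey) { throw "$PartnerCerPath carries a private key; only the partner's public certificate belongs here." }
$partnerThumb = Add-CertToStore -Cert $partner -StoreName 'AddressBook' -StoreLocation 'LocalMachine'

"Own signing/decryption certificate   (Group or AS2 Properties):      $ownThumb"
"Partner verification/encryption cert (Party or Send Port Properties): $partnerThumb"
```

runas requires that the service account be allowed to log on interactively; if it is not, import the .pfx from a session that genuinely runs as that account (the Important note's point is that the key must end up in that account's loaded profile, not merely in a store with the same name). Repeat step 2 on every BizTalk server that hosts the AS2 pipelines, and step 1 on each of them as each host instance service account.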

Generating Certificates

You can generate certificates on Windows Server 2003 or Windows 2000 Server by using Certificate Services. To install Certificate Services, in Control Panel click Add or Remove Programs, click Add/Remove Windows Components, select Certificate Services, and then click Next.

To request a certificate, open the Certificate Services web enrollment pages at http://certsrv, and then click Request a Certificate.

Important
Certificates used for AS2 transport must have the attributes required for their intended use. For signing and signature verification, the Key Usage attribute of the certificate must include Digital Signature. For encryption and decryption, the Key Usage attribute must include Data Encipherment or Key Encipherment. Signing and decryption additionally require that the private key be present and accessible to the host instance account. You can verify the Key Usage attribute by double-clicking the certificate, clicking the Details tab in the Certificate dialog box, and checking the Key Usage field.
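Checking the Key Usage attribute, the expected store and the private-key requirement for each of the four AS2 usages in one place, as an added PowerShell example that is not part of the BizTalk documentation. Test-As2Certificate accepts a thumbprint as copied from the MMC Details tab (spaces are tolerated) together with the intended use, and reports every problem rather than just the first; Find-SharedVerificationCert covers the table's note that no two parties may share a signature verification certificate. The thumbprints and party names in the usage lines are made-up placeholders.

```powershell
# Added example, not from the BizTalk documentation. Thumbprints and party names
# in the usage section are placeholders; substitute values from your own stores.

function Test-As2Certificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][ValidateSet('Signing','Verification','Encryption','Decryption')][string]$Use
    )
    # MMC copies the thumbprint with spaces (and on some Windows versions a hidden
    # leading Unicode mark); keep only hex digits so the lookup actually matches.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }

    # Store and Key Usage bits each use requires, per the certificate table and the Important note.
    $KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    switch ($Use) {
        'Signing'      { $loc = 'CurrentUser';  $name = 'My';          $private = $true;  $need = $KU::DigitalSignature }
        'Verification' { $loc = 'LocalMachine'; $name = 'AddressBook'; $private = $false; $need = $KU::DigitalSignature }
        'Encryption'   { $loc = 'LocalMachine'; $name = 'AddressBook'; $private = $false; $need = $KU::KeyEncipherment -bor $KU::DataEncipherment }
        'Decryption'   { $loc = 'CurrentUser';  $name = 'My';          $private = $true;  $need = $KU::KeyEncipherment -bor $KU::DataEncipherment }
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $loc)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $thumb, $false)
    } finally {
        $store.Close()
    }

    $problems = @()
    $subject  = $null
    if ($found.Count -eq 0) {
        # CurrentUser\My is per account: run this as the host instance account or it will not be found.
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $problems += "not found in $loc\$name (looked as $who)"
    } else {
        $cert = $found[0]
        $subject = $cert.Subject
        if ($private -and -not $cert.HasPrivateKey) { $problems += 'private key not accessible' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired $($cert.NotAfter)" }
        $kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        if (-not $kuExt) {
            $problems += 'no Key Usage extension'
        } elseif (($kuExt.KeyUsages -band $need) -eq 0) {
            $problems += "Key Usage is '$($kuExt.KeyUsages)', $Use needs $need"
        }
    }

    New-Object PSObject -Property @{
        Use        = $Use
        Thumbprint = $thumb
        Store      = "$loc\$name"
        Subject    = $subject
        Ok         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# The table's note: each party must have its own signature verification certificate.
function Find-SharedVerificationCert {
    param([Parameter(Mandatory=$true)][hashtable]$PartyThumbprints)   # party name -> thumbprint
    $PartyThumbprints.GetEnumerator() |
        Group-Object { ($_.Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { "Thumbprint $($_.Name) is assigned to more than one party: $(($_.Group | ForEach-Object { $_.Key }) -join ', ')" }
}

# Usage (placeholder thumbprints):
Test-As2Certificate -Thumbprint '01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67' -Use Signing | Format-List
Find-SharedVerificationCert @{ 'Fabrikam' = '0123456789ABCDEF0123456789ABCDEF01234567'
                               'Northwind' = '01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67' }
```

Run the Signing and Decryption checks as the host instance service account, since its Personal store is the one the AS2 encoder and decoder read; a certificate that passes under an administrator's logon but fails under the service account is the usual cause of "certificate not found" failures at run time.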

The following are prerequisites for performing the procedures in this topic:

  • You must be logged on as a member of the BizTalk Server Administrators group.

To specify the default signing certificate for the BizTalk group

  1. In the BizTalk Server 2006 Administration Console, right-click the BizTalk Group node, and then click Properties.

  2. In the console tree of the Group Properties dialog box, click Certificate.

  3. In the Certificate pane, click Browse, find the certificate you want to use for signing, and then click OK.

    Note
    Instead of browsing for the certificate by its common name, you can enter its thumbprint directly. To get the thumbprint, double-click the certificate in the certificate store in MMC or in the file system, click the Details tab, click the Thumbprint field, and copy the value.

  4. Click OK.

To override the group signing certificate for a party (requires BizTalk Server 2006 R2 SP1)

  1. In the BizTalk Server Administration Console, click the Parties node, in the right pane right-click a party, and then click AS2 Properties.

  2. In the console tree of the AS2 Properties dialog box, click Certificate.

  3. In the Certificate pane, click Override Group Signature Certificate.

  4. Click Browse, find the certificate you want to use for signing, and then click OK.

    Note
    Instead of browsing for the certificate by its common name, you can enter its thumbprint directly. To get the thumbprint, double-click the certificate in the certificate store in MMC or in the file system, click the Details tab, click the Thumbprint field, and copy the value.

  5. Click OK.

To specify the signature verification certificate for a party

  1. In the BizTalk Server 2006 Administration Console, open the BizTalk Group node, and then open the Parties node.

  2. Right-click the party that you will be receiving signed messages from, and then click Properties.

  3. In the console tree, click Certificate.

  4. In the Certificate pane, click Browse, find the certificate you want to use for verifying the digital signature, and then click OK.

    Note
    Instead of browsing for the certificate by its common name, you can enter its thumbprint directly. To get the thumbprint, double-click the certificate in the certificate store in MMC or in the file system, click the Details tab, click the Thumbprint field, and copy the value.

  5. Click OK.

To specify the encryption certificate for a send port

  1. In the BizTalk Server 2006 Administration Console, open the BizTalk Group node, open the Applications node, and then open the node of the application that contains the send port on which you will be sending the encrypted messages.

  2. Open the Send Ports node, right-click the send port, and then click Properties.

  3. In the console tree, click Certificate.

  4. In the Certificate pane, click Browse, find the certificate that you want to use for encryption, and then click OK.

    Note
    Instead of browsing for the certificate by its common name, you can enter its thumbprint directly. To get the thumbprint, double-click the certificate in the certificate store in MMC or in the file system, click the Details tab, click the Thumbprint field, and copy the value.

  5. Click OK.

© 2014 Microsoft