HTTP(S) Adapter and Certificates

    Question

  • Our customer has an HTTPS site to which we should send messages using the HTTP adapter.

    The SSL port is not standard and the certificate is self-created.

    I have added the certificate to the personal store of the service account but I still receive:

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    If the adapter is run using my own account, which has administrative rights, the connection works.

    What could be the issue?

    Regards,

    Antti

    Monday, February 04, 2008 3:02 PM

Answers

  • Hi

     

    These are the steps to send messages to an HTTPS URL using the HTTP adapter:

    1 – Log in to the server using the same credentials that run the BizTalk Server services.

    2 – Add your certificate to the Personal store in the “Current User” certificate store.

    - Be sure your certificate has no warning and has a trusted root path.

    - And your client is successfully deploying your certificate.

    3 – Get the Issued To name for your client certificate.

    4 – Add the Issued To name to your HOSTS file “C:\WINDOWS\system32\drivers\etc\hosts” so you can use the Issued To name instead of the IP.

    You should be able to browse your client URL now with no warning using this template (the browser will ask you to provide your certificate; this is normal):

    https://IssuedToName/URL

    5 – Create an HTTP Send Port.

    - In the Authentication tab, enter your certificate thumbprint into “SSL Client Certificate Thumbprint”.

    - Use https://IssuedToName/URL as the URL of your Send Port.

    These are the steps to do this procedure.

    If it is not working, try to add your certificate to the Personal store under Local Computer.

    Enjoy ...
    Sunday, May 04, 2008 11:07 AM
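As an added example (not code from this thread or from BizTalk), the following PowerShell script performs the checks behind steps 2 to 5 on the BizTalk server, using the Local Computer stores that the answer's last line and the later replies point to: it imports the self-created server certificate into Local Machine Trusted Root and the client certificate into Local Machine Personal, builds the chain in machine context (what a service account sees, as opposed to an administrator's Current User store), compares the host name in the send-port URL against the names the certificate was issued to (which is why an IP literal fails and the hosts-file entry of step 4 is needed), and prints the thumbprint for the send port's SSL Client Certificate Thumbprint field. The file paths, the host name and the password prompt are assumptions, not values from the thread.

```powershell
# Added example, not code from the forum thread or from BizTalk.
# Assumptions (placeholders): the customer's self-created server certificate was exported
# to C:\certs\server.cer, the client certificate with its private key is in
# C:\certs\client.pfx, and the send-port URL uses the host name 'IssuedToName'.
param(
    [string]$ServerCerPath = 'C:\certs\server.cer',   # placeholder path
    [string]$ClientPfxPath = 'C:\certs\client.pfx',   # placeholder path
    [string]$SendPortHost  = 'IssuedToName'           # host part of the send-port URL
)
$ns = 'System.Security.Cryptography.X509Certificates'

# Put a certificate into a Local Machine store. A service such as the BizTalk host instance
# does not see a Current User store that was populated while logged on as an administrator.
function Add-CertToMachineStore {
    param($Cert, [string]$StoreName)   # 'Root' = Trusted Root CAs, 'My' = Personal
    $store = New-Object -TypeName "$ns.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($Cert)
    $store.Close()
}

# Build the chain in machine context, i.e. exactly as a service account would see it.
function Test-MachineChain {
    param($Cert)
    $chain = New-Object -TypeName "$ns.X509Chain" -ArgumentList $true   # $true = machine context
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-created certificate: no CRL to fetch
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object {
            Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())"
        }
    }
    return $ok
}

# Collect the names the certificate was issued to: subject CN plus DNS entries in the SAN.
function Get-CertDnsNames {
    param($Cert)
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders e.g. "DNS Name=host.example.com, IP Address=10.0.0.5"
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $names += $Matches[1] }
        }
    }
    return $names | Where-Object { $_ } | Select-Object -Unique
}

# Step 2 (Local Computer variant): trust the server certificate machine-wide and install the
# client certificate with a machine key set so the service account can use its private key.
$server = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $ServerCerPath
Add-CertToMachineStore -Cert $server -StoreName 'Root'
$pfxPassword = Read-Host -Prompt 'Password for client.pfx' -AsSecureString
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$client = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $ClientPfxPath, $pfxPassword, $flags
Add-CertToMachineStore -Cert $client -StoreName 'My'

# The "no warning, trusted root path" condition of step 2, checked from the machine store.
if (Test-MachineChain $server) { 'Server certificate chains to a trusted root in the machine store.' }

# Steps 3 and 4: the URL host must be a name the certificate was issued to, not an IP literal.
$issuedTo = Get-CertDnsNames $server
if ($SendPortHost -as [System.Net.IPAddress]) {
    Write-Warning "URL host '$SendPortHost' is an IP address; use one of: $($issuedTo -join ', ') and map it in the hosts file."
} elseif ($issuedTo -notcontains $SendPortHost) {
    Write-Warning "URL host '$SendPortHost' is not among the certificate's names: $($issuedTo -join ', ')"
} else {
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($SendPortHost) | Select-Object -First 1
        "Host '$SendPortHost' matches the certificate and resolves to $addr (hosts entry in place)."
    } catch {
        Write-Warning "Host '$SendPortHost' does not resolve; add it to C:\WINDOWS\system32\drivers\etc\hosts (step 4)."
    }
}

# Step 5: the value to paste into the send port's "SSL Client Certificate Thumbprint" field.
"Client certificate thumbprint: $($client.Thumbprint)"
```

Run it in an elevated PowerShell session on the BizTalk server, then restart the HTTP send host instance so the host picks up the stores; the chain check uses machine context deliberately, because a chain that builds under the administrator's profile says nothing about what the service account will see.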

All replies

  • Do you mean that when the BTS service account is an admin account, the scenario works, and if it's a non-admin account, it doesn't?

    Thanks,

    Hanu

     

    Monday, February 11, 2008 10:12 PM
  • Hi,

    We did get this to work with the service account. The certificate was added to different credential stores and the HTTP host instance was restarted. Unfortunately I do not know which store is actually needed. Machine Account / Service Account?

    I could not find a good explanation of which certificate store is used with SSL, nor what has to be done to make the change effective.

    Tuesday, February 12, 2008 8:23 AM
  • The safe bet is the Machine->Personal store.

    SSL sometimes fails when client certs are asked for also, and possibly when the certs are issued in-house, which means that CA certs need to be deployed within the appropriate Cert Store->Trusted Certificate Authorities.

    The 'Service Account' store is just like a personal user store for the Service.

    When applications are using certificates, they'll issue one of two commands - 'EnumerateCerts' and 'GetCert' etc. etc.

    The underlying Crypto API basically accepts a parameter to these methods, USER or MACHINE store - indicating the appropriate store.

    So in general - with BizTalk go with the Machine Account.

    Cheers,

    Saturday, April 26, 2008 3:47 PM
  • Amjad..

    Is step 4 necessary?

    I'm using a combination of IP and port: https://<ipadress>:<port>/URL

    Anyhow, I followed your steps but I am still getting this error:

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Event Type:        Warning
    Event Source:    BizTalk Server 2009
    Event Category:                BizTalk Server 2009
    Event ID:              5743
    Date:                     12/16/2009
    Time:                     8:15:06 AM
    User:                     N/A
    Computer:          MYSERVER
    Description:
    The adapter failed to transmit message going to send port "BillUpload_1.0.0.0_BillUpload.UploadFill_Bill_905d1e74cbbdd9cd" with URL https://<ipadress>:<port>/URL. It will be retransmitted after the retry interval specified for this Send Port. Details:"The request was aborted: Could not create SSL/TLS secure channel."

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Any idea? ... Please help

    Wednesday, December 16, 2009 10:56 AM
  • I guess there is no answer to my problem ..

    Tuesday, December 22, 2009 11:49 AM
  • Step 4 in Amjad's answer solved my issues.

    It seems that BizTalk does not handle the IP address; it should be a host. So adding the Issued To name to my HOSTS list and using https://<hostname>:<port>/URL instead of https://<ipadress>:<port>/URL solved this issue.

    Monday, January 25, 2010 10:13 AM