SSL and HTTP send port

Question
-
Hi All
I need to post data using HTTPS via the HTTP send adapter. I have a certificate provided by the vendor.
I installed the certificate in the personal store of the BizTalk service account. I've given the SSL Client Certificate thumbprint value on the Authentication tab of the HTTP transport properties. Still, I am not able to establish the connection to the host site.
I couldn't understand the difference between the SSL Client Certificate thumbprint value on the Authentication tab of the HTTP transport properties and the Certificate option available on the send port properties.
I would like to know which option should be chosen. What is the use of both options?
Thanks in advance.
Wednesday, April 27, 2011 6:08 AM
All replies
-
Hi Balu,
I think you are missing some steps. Please see this post to know how to do it in BizTalk:
http://www.codeproject.com/KB/security/HTTPBizTalk2009Win2008R2.aspx
Mark As Answer or Vote As Helpful if My Reply Does, Regards, -Rohit-
- Marked as answer by Balu n Wednesday, April 27, 2011 2:41 PM
Wednesday, April 27, 2011 6:23 AM Moderator
-
Hi,
The Certificate option available on the send properties is intended for encryption or signing of documents, while the HTTP Adapter transport properties are intended for SSL. For SSL you need to use the thumbprint value in the HTTP Adapter transport properties. What kind of issues are you experiencing? What is being logged in the event log?
HTH
Regards,
Steef-Jan Wiggers
MVP & MCTS BizTalk Server
http://soa-thoughts.blogspot.com/
If this answers your question please mark it accordingly
BizTalk
Wednesday, April 27, 2011 6:25 AM Moderator
-
Hi Steef,
I am getting the following error:
Could not establish trust relationship for the SSL/TLS secure channel with authority
Regards
Balu
Wednesday, April 27, 2011 6:37 AM
-
Hi Balu,
Have you added the root certificate from the vendor to the list of Trusted Root Certification Authorities? Usually this resolves the error you are getting.
HTH
Regards,
Steef-Jan Wiggers
MVP & MCTS BizTalk Server
http://soa-thoughts.blogspot.com/
If this answers your question please mark it accordingly
BizTalk
Wednesday, April 27, 2011 6:46 AM Moderator
-
Hi Steef,
I got one pfx file from the vendor. I installed that certificate.
I don't know about the root certificate. Will it be the same or different?
Regards
Balu
Wednesday, April 27, 2011 9:00 AM
-
Hi,
Did you double-click on this file or did you import it through mmc? If you click on the certificate in the personal store, does it provide information on whether it is trusted or not? A .PFX/.P12 is a Public-Key Cryptography Standards #12 (PKCS #12) format file that includes personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.
HTH
Regards,
Steef-Jan Wiggers
MVP & MCTS BizTalk Server
http://soa-thoughts.blogspot.com/
If this answers your question please mark it accordingly
BizTalk
Wednesday, April 27, 2011 9:52 AM Moderator
-
I've imported the pfx to the following locations:
- BizTalk host user (Current User)
  - Personal
  - Trusted Root Certificate Authorities
- Local Machine user
  - Personal
  - Trusted Root Certificate Authorities
  - Other People
But now I am getting "The client certificate is not found in the certificate store".
Wednesday, April 27, 2011 10:50 AM
-
Hi,
It is important that the certificate is installed under the user account which the BizTalk host instance is running under. I assume you have done so, and you can verify that by running runas /user:[BTServiceAccount] mmc (through this mmc you need to install certificates!) and look in the personal store and trusted root certificate authorities. In Local machine you need to store it in trusted root authorities, personal and other people (you have done so). For reference see this thread.
HTH
Regards,
Steef-Jan Wiggers
MVP & MCTS BizTalk Server
http://soa-thoughts.blogspot.com/
If this answers your question please mark it accordingly
BizTalk
- Marked as answer by Balu n Wednesday, April 27, 2011 2:41 PM
Wednesday, April 27, 2011 11:04 AM Moderator
-
Hi,
This time I've done it using runas /user:[BTServiceAccount] mmc.
It is installed properly in the personal store,
but when I am trying to import the pfx to Trusted Root Certificate Authorities I am getting an error:
---------------------------
Certificate Import Wizard
---------------------------
The import failed because the operation was cancelled.
---------------------------
OK
---------------------------
and the root path is installed in
- BizTalk host user (Current User)
  - Trusted Root Certificate Authorities
- Local Machine user
  - Trusted Root Certificate Authorities
Now I am getting client certificate not found.
Do I need to do anything else, like updating the registry or host file, as mentioned in
http://www.codeproject.com/KB/security/HTTPBizTalk2009Win2008R2.aspx?
Wednesday, April 27, 2011 12:30 PM
-
I am giving the thumbprint value by removing all spaces. Is this the right way to set the value in the SSL client certificate thumbprint?
Wednesday, April 27, 2011 12:48 PM
-
Hi,
In the certificate you will find the thumbprint and you can copy that; you do not have to remove the spaces!
HTH
Regards,
Steef-Jan Wiggers
MVP & MCTS BizTalk Server
http://soa-thoughts.blogspot.com/
If this answers your question please mark it accordingly
BizTalk
Wednesday, April 27, 2011 4:25 PM Moderator
-
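The store and thumbprint checks discussed in the replies above can also be run from PowerShell. This is an added example, not part of any post in this thread: started as the BizTalk host account, it looks up the SSL client certificate by thumbprint in that account's Personal store, confirms the private key is present, and reports whether the certificate's chain builds to a trusted root. The -Thumbprint parameter name is this example's own.

```powershell
# Added example. Run it as the BizTalk host instance account, for instance from
# a console started with: runas /user:[BTServiceAccount] powershell
param(
    # The value shown in the certificate's Thumbprint field, pasted as copied.
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

# Keep only hex digits for the store lookup: this drops spaces and any
# invisible characters picked up when copying from the certificate dialog.
$clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    Write-Warning "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
}

Write-Host "Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# The client certificate must be in the Personal (My) store of this account.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $clean in CurrentUser\My."
    Write-Host 'Certificates present in CurrentUser\My:'
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
    return
}

# SSL client authentication needs the private key that ships in the .pfx.
Write-Host "Subject:       $($cert.Subject)"
Write-Host "Issuer:        $($cert.Issuer)"
Write-Host "Valid until:   $($cert.NotAfter)"
Write-Host "HasPrivateKey: $($cert.HasPrivateKey)"

# Build the client certificate's chain as this account sees it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, stays offline
$trusted = $chain.Build($cert)
Write-Host "Chain trusted: $trusted"
foreach ($element in $chain.ChainElements) {
    Write-Host "  $($element.Certificate.Subject)"
    foreach ($status in $element.ChainElementStatus) {
        Write-Host "    $($status.Status): $($status.StatusInformation.Trim())"
    }
}
```

A result of HasPrivateKey False, or an empty match while the certificate shows up under another account, corresponds to the "client certificate is not found" symptom described in the thread.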
Thank you Steef,
runas /user:[BTServiceAccount] mmc (through this mmc you need to install certificates) worked for me.
Wednesday, April 27, 2011 5:36 PM
-
Hi Steef,
I had received intermediate, root and public certificates from my customer. I had installed them in the corresponding folders in certificates. When I started testing with the customer I am facing an error: "The request was aborted: Could not create SSL/TLS secure channel." Can you please let me know what may be the reasons behind it? My customer is using Webmethods and I am using a Dynamic Send port through HTTPS.
Please let me know if you require more details from my end.
Regards, Bala.
Monday, August 19, 2013 1:38 AM
-
Hi Steef,
I had received intermediate, root and public certificates from my customer. I had installed them in the corresponding folders in certificates. When I started testing with the customer I am facing an error: "The request was aborted: Could not create SSL/TLS secure channel." Can you please let me know what may be the reasons behind it? My customer is using Webmethods and I am using a Dynamic Send port through HTTPS.
Please let me know if you require more details from my end.
Regards, Bala.
Saturday, February 6, 2016 9:15 AM
-
Hi,
Another option is to look into the transport on the wire using WireShark. Inspecting the communication helped me on another occasion to resolve an issue.
Kind Regards,
Steef-Jan Wiggers (Microsoft Azure MVP)
BizTalk
- Proposed as answer by Steef-Jan Wiggers MVP, Moderator Friday, February 12, 2016 8:27 AM
Saturday, February 6, 2016 3:52 PM Moderator
-
Hi Steef,
Your timely advice to use WireShark is greatly appreciated. Thank you very much :-)
As per WireShark, we found out that the handshake issue was due to the wrong client cert.
Sunday, February 7, 2016 11:43 AM