SHA2 option in Parties RRS feed

  • Question

  • I have installed CU9 on a BizTalk 2010 server and restarted the computer. Now I am trying to see whether my Parties AS2 agreement -- Acknowledgments -- Signed MDN has SHA2 as an option, and it doesn't. What else do I need to do to get that?
    Tuesday, July 12, 2016 7:16 PM


  • Hi

    SHA2 encryption algorithm is not supported even with CU9, since only .NET 4.6 and above has support for SHA2 encryption algorithms. So, the dropdown will not have option to select any SHA2 algorithms.

    What BizTalk CU9 adds is support for SHA2-signed certificates - there's a big difference. Meaning with CU9 you can now consume certificates that were signed using SHA2 algorithms. If you inspect the certificate properties in certmgr.msc, you will see fields for "Signature algorithm" and "Signature hash algorithm". CU9 will enable you to consume certificates in BizTalk that have SHA2-based algorithms for those properties/fields.

    SHA2 encryption/decryption algorithm support will only be available from BizTalk Server 2016.

    This is a nice summary of the situation:

    Microsoft have decided to bring in SHA2 support for BizTalk 2010 and 2013 in addition to 2013 R2. Please find the comprehensive support statement below.

      • BizTalk 2016 – This will be the first version of BizTalk to support SHA2 certificates and SHA2 encryption/decryption algorithms. This is achievable by moving to the 4.6 CLR.
      • BizTalk 2010, 2013 and 2013 R2 – A future CU (CU2 for 2013 R2, CU4 for 2013 and CU9 for 2010) will add support for using SHA2 certificates within BizTalk configuration, so customers who get a new SHA2 cert from their CA can use that. Microsoft will publish a guideline on how to replace a certificate. BizTalk will continue to use SHA1 encryption/decryption algorithms since that is not related to the certificate specified. For example, in AS2 and RosettaNet GUIs, the dropdown that contains SHA1 and MD5 will continue to only have those options. Customers who need SHA2 encryption/decryption to communicate with their partners will need to move to BizTalk 2016. This has potential impact for customers, but there are technical constraints that make it risky to add SHA2 encryption/decryption support to these versions of BizTalk.

    Thanks, Arindam

    • Edited by Arindam Paul Roy Tuesday, July 12, 2016 7:36 PM
    • Marked as answer by Soneta Tuesday, July 12, 2016 7:36 PM
    Tuesday, July 12, 2016 7:24 PM
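The answer above draws a line between a certificate that was *signed* with a SHA2 algorithm (what CU9 lets BizTalk consume) and the SHA2 *MIC/MDN signing* option in the AS2 agreement (not available before BizTalk 2016). The following PowerShell script is an added example, not code from the thread or from Microsoft; it reads the same "Signature algorithm" property the answer points at in certmgr.msc, for every certificate in a store, so you can verify which of your partner or own certificates are SHA1-signed and due for replacement. The store path and the SHA2 name pattern are assumptions for illustration.

```powershell
# Added example (not from the original thread). Lists certificates in a store with
# the algorithm their issuer used to sign them, which is what BizTalk 2010 CU9 adds
# support for. It says nothing about the AS2 MDN/MIC algorithm dropdown, which stays
# SHA1/MD5 on these versions as the answer describes.

function Get-CertificateSignatureReport {
    param(
        # Assumption: the certificates of interest live in the machine personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        # X509Certificate2.SignatureAlgorithm is an Oid; FriendlyName reads e.g. sha256RSA or sha1RSA.
        $sigAlg = $_.SignatureAlgorithm.FriendlyName

        [PSCustomObject]@{
            Subject            = $_.Subject
            Issuer             = $_.Issuer
            Thumbprint         = $_.Thumbprint
            NotAfter           = $_.NotAfter
            SignatureAlgorithm = $sigAlg
            # Assumption: any SHA-2 family digest (224/256/384/512) counts as "SHA2-signed".
            IsSHA2Signed       = [bool]($sigAlg -match '^sha(224|256|384|512)')
        }
    }
}

# Usage: show SHA1-signed certificates first, oldest expiry first, so they can be
# scheduled for re-issue by the CA and swapped into the BizTalk party configuration.
Get-CertificateSignatureReport |
    Sort-Object IsSHA2Signed, NotAfter |
    Format-Table Subject, SignatureAlgorithm, IsSHA2Signed, NotAfter, Thumbprint -AutoSize
```

Run it in an elevated Windows PowerShell session on the BizTalk host; use `Cert:\CurrentUser\My` or `Cert:\LocalMachine\AddressBook` if your partner certificates are kept there. A `sha1RSA` row is a certificate that will eventually need re-issuing, while a `sha256RSA` row is one that only a CU9-or-later BizTalk 2010 installation can consume.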