Encrypted message send via https

  • Question

  • I am sending an encrypted file out via HTTP adapter to an https url. I have the certificate in the Local Computer\Other People store, I have the certificate configured on the port, and the thumbprint on the authentication tab (also tried it without the thumbprint there).

    I even went so far as to verify the cert was available by looking it up by thumbprint from within a pipeline component.

    But I still get "The request was aborted: Could not create SSL/TLS secure channel." when I try to send it over. Any suggestions?


    Down there somewhere, it's just ones and zeros.

    Friday, February 10, 2012 11:37 PM

All replies

  • Check the certificate to make sure the "Key Usage" includes "Key Encipherment" and "Data Encipherment".


    David Downing... If this answers your question, please Mark as the Answer. If this post is helpful, please vote as helpful.

    Saturday, February 11, 2012 4:05 AM
  • Hi,

    You can get this error if the account the host instance is running under cannot access the store.

    The host for the send port runs in a certain host instance. The account for that host instance needs to have access to the certificate. You therefore need to log in to your machine and place the certificate in the appropriate certificate store. The resources below can help you out.

    For a checklist of steps to install the certificates see:

    • Checklist: Installing and Configuring Certificates: http://msdn.microsoft.com/en-us/library/gg634541%28v=BTS.70%29.aspx

    Besides the checklist you can review these resources on MSDN:

    • Best Practices for Managing Certificates: http://msdn.microsoft.com/en-us/library/gg634535%28v=BTS.70%29.aspx
    • Known Issues with Certificates in BizTalk Server: http://msdn.microsoft.com/en-us/library/gg634590%28v=BTS.70%29.aspx
    • Installing and Configuring Digital Certificates: http://msdn.microsoft.com/en-us/library/gg634475%28v=BTS.70%29.aspx

    BizTalk Server uses two types of certificate stores: the Other People certificate store for public keys, and the Personal certificate store of each host instance service account for the private key:

    • Certificate Stores that BizTalk Server Uses: http://msdn.microsoft.com/en-us/library/aa559322%28v=BTS.70%29.aspx
    • Display Certificate Stores: http://technet.microsoft.com/en-us/library/cc725751.aspx

    I'd also suggest testing whether you can establish connectivity using SoapUI with a sample request. This might give you some indication of where the problem lies:

    http://geekswithblogs.net/gvdmaaden/archive/2011/02/24/how-to-configure-soapui-with-client-certificate-authentication.aspx

    HTH

    Steef-Jan Wiggers

    MVP & MCTS BizTalk Server 2010

    http://soa-thoughts.blogspot.com/ | @SteefJan

    If this answers your question please mark it accordingly


    Sunday, February 12, 2012 10:55 AM
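    As an added example (not from the thread or from Microsoft's documentation), a PowerShell check of the stores Steef-Jan describes: it looks up the certificate by thumbprint in Other People and in the machine and current-user Personal stores, and reports whether the private key, the key usages and a complete trusted chain are present. The thumbprint is a placeholder, and the script is meant to be run while logged on as the host instance service account so that CurrentUser\My is that account's Personal store.

```powershell
# Added example, not from the thread: look up one certificate by thumbprint in
# the stores BizTalk uses and report what an HTTPS client certificate needs.
# $Thumbprint is a placeholder; run it logged on as the host instance account.
param([string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT')

$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Other People = AddressBook (public keys only); Personal = My (private key).
# CurrentUser\My is the Personal store of whoever runs this script.
$stores = 'Cert:\LocalMachine\AddressBook', 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication

foreach ($store in $stores) {
    $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { "$store : not present"; continue }

    "$store : $($cert.Subject)"
    "  Valid        : $($cert.NotBefore.ToString('u')) to $($cert.NotAfter.ToString('u'))"
    "  PrivateKey   : $($cert.HasPrivateKey)"   # must be True in the account's Personal store

    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    "  KeyUsage     : $(if ($ku) { $ku.KeyUsages } else { '(extension absent)' })"
    $clientAuth = $false
    if ($eku) { $clientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }) }
    "  ClientAuth   : $clientAuth"

    # Build the chain the way SChannel will; every status entry is a problem to fix.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    "  ChainBuilds  : $($chain.Build($cert))"
    foreach ($s in $chain.ChainStatus)   { "    ! $($s.Status): $($s.StatusInformation.Trim())" }
    foreach ($e in $chain.ChainElements) { "    + $($e.Certificate.Subject)" }
}
```

    A certificate that is present in Other People but shows PrivateKey False in the service account's CurrentUser\My cannot be used as a TLS client certificate, however well it encrypts messages.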
  • Hi David,

    Very interesting! I do have Key Encipherment, but not data encipherment.

    It is very strange. If I just use a pipeline to see if the certificate will encrypt and send it to a file share, it all works. So I know it finds the certificate and it can encrypt.

    But what it won't do is establish an https session with the target server - and the certificate was supplied by the owner of that server, who uses it with other customers. So the certificate has to be right.

    I have also downloaded the Verisign G3 cert that is supposed to be the right root authority cert, and installed that in each store, thinking maybe it was some kind of chain of authority issue, but that hasn't solved it.

    So I am going crazy trying to figure out what it is!

    Any further suggestions would be greatly appreciated.


    Down there somewhere, it's just ones and zeros.

    Monday, February 13, 2012 5:22 PM
  • I found the following excerpt from one of Steef-Jan Wiggers' links:

    Test your connection to the target Web site
    • If you are using SSL, ensure that you can connect to the target Web site with Microsoft Internet Explorer® before attempting to connect to the target Web site with the HTTP or SOAP transports. Verify that no dialog boxes are displayed in Internet Explorer when you connect to the target Web site. BizTalk Server has no mechanism for interfacing with any dialog boxes that might be displayed when connecting to the target web site. A dialog box may be displayed by Internet Explorer if the target Web site name does not match the name specified for the Web site in the SSL certificate or if the Root Certification Authority for the SSL certificate is not in the appropriate Trusted Root Certification Authorities store.

    Use the SSL Diagnostics tool to analyze SSL connection issues

    • The SSL Diagnostics tool is an optional component of the IIS Diagnostics Toolkit. You can download the IIS Diagnostics Toolkit from the Internet Information Services Diagnostics Tools page (http://go.microsoft.com/fwlink/?LinkID=64426).

    Are you able to access the HTTP/S URI from Explorer?


    David Downing... If this answers your question, please Mark as the Answer. If this post is helpful, please vote as helpful.

    Tuesday, February 14, 2012 3:30 AM
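    The connection test David quotes, as an added example that is not part of the thread: a PowerShell script that performs the TLS handshake to the target host, presenting the same client certificate the send port would, and prints the SslPolicyErrors (name mismatch, untrusted chain) that SChannel folds into the generic "Could not create SSL/TLS secure channel" message. The host name, port and thumbprint are placeholders, and the protocol version is a parameter because it must match what the server accepts.

```powershell
# Added example, not from the thread: run the TLS handshake to the target
# server and report the policy errors hidden behind "Could not create SSL/TLS
# secure channel". $HostName, $Port and $Thumbprint are placeholders.
param(
    [string]$HostName   = 'target.example.invalid',
    [int]   $Port       = 443,
    [string]$Thumbprint = '',      # optional client certificate, from CurrentUser\My
    [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
)

$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
if ($Thumbprint) {
    $c = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
    if (-not $c -or -not $c.HasPrivateKey) { throw "No client certificate with a private key in CurrentUser\My" }
    [void]$clientCerts.Add($c)
}

# Record what the server certificate fails (name mismatch, untrusted root, ...)
# but let the handshake finish so the whole result can be inspected.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName, $clientCerts, $Protocol, $false)
    "Handshake      : OK ($($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength))"
    "Server cert    : $($ssl.RemoteCertificate.Subject)"
    "Mutual auth    : $($ssl.IsMutuallyAuthenticated)"   # False means the client cert was not used
} catch {
    "Handshake      : FAILED: $($_.Exception.GetBaseException().Message)"
} finally {
    # Any value other than None here is what Internet Explorer would raise a dialog for.
    "Policy errors  : $script:policyErrors"
    $tcp.Close()
}
```

    Run it as the host instance service account: a handshake that succeeds for the logged-on administrator but fails for that account points at the private key and store permissions rather than at the server.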