Sending SSL Certificate to external Web service in BizTalk 2010

  • Question

  • Hi,

    We are facing issues calling an external web service (SAP PI web service) which is authenticated using self-signed SSL certificates.

    When BizTalk sends the request to SAP it fails with an HTTP 401 error, and the SAP PI log says the calling application is not sending the client certificate. Please help us send the request to the external web service signed with the client certificate.

    Below are the details:

    1. This is 2-way SSL communication, authenticating based on the client certificate.

    2. The BizTalk server's public key certificate is shared with SAP PI, and the SAP PI certificate's public key is used in BizTalk.

    3. Configuration done in BizTalk as given below:

       1. Created the BizTalk certificate using the makecert command.
       2. Client and server certificate installation
          - Installed the BizTalk client certificate in the certificate store under:
            a. Current User --> Personal (private key)
            b. Current User --> Trusted Root Certification Authorities (public key)
            c. Local Computer --> Personal (private key)
            d. Local Computer --> Trusted Root Certification Authorities (public key)
            e. Current User --> Other People
          - Installed the SAP server certificate in the certificate store under:
            a. Current User --> Trusted Root Certification Authorities
            b. Current User --> Trusted People
            c. Local Computer --> Trusted Root Certification Authorities
            d. Local Computer --> Trusted People
            e. Current User --> Other People
       3. BizTalk static solicit-response send port (used to call the SAP PI web service) configuration
          - Transport Type: WCF-Custom
          - Binding: basicHttpBinding
            Security Mode: Transport
            Client Credential Type: Certificate
            Proxy Credential Type: None
            Realm: localhost
          - Message
            Client Credential Type: Certificate
          - Client Credentials / Client Certificate
            findValue: CN=< Thumbprint >
            x509FindType: FindByThumbprint
          - Server Certificate
            findValue: <Thumbprint>
            x509FindType: FindByThumbprint

    Thursday, December 4, 2014 12:10 PM

All replies

  • Looks like the certificate folder used and the user account used are not correct.

    Check the following article, which will guide you in reviewing your certificate installation for your requirement.

    http://mibuso.com/blogs/mandyk/2009/04/02/how-to-configure-ssl-certificate-for-biztalk-http-send-port-adapter-part-1/


    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

    Thursday, December 4, 2014 12:45 PM
  • Is your certificate an up-to-date one? I do face this error when I have an expired certificate in my certificate store.

    Other issues may be with the installation and configuration of your certificate on your machine. There are various posts which can help you go through the correct steps to configure your certificate store; some of them are listed below:

    http://thinkintegration.wordpress.com/2011/12/02/biztalk-https-adapter-and-certificate-configurations/

    http://blogdoc.biztalk247.com/article.aspx?page=2e8daba6-45ae-4f4c-808a-c39b0aa8f9d6

    https://holsson.wordpress.com/2009/09/15/accessing-a-biztalk-wcf-service-over-ssl-with-client-certificate-authentication/ 

    Thanks

    Abhishek



    Thursday, December 4, 2014 1:34 PM
  • When I face this type of issue, I verify 3 things:
    -> Partner's certificate is accessible to the service account (correct certificate store)
    -> My certificate is installed and accessible and correctly attached (private key) to the request
    -> Partner has the correct validation procedure

    I always double check whether the certificate is accessible to the service account under the service account's certificate store. In order to do so: mmc -> File -> Add/Remove Snap-In... (Ctrl+M) -> Certificates -> Add -> Service Account -> select the BizTalk service -> Finish -> OK. From the list of certificates, double click the SAP certificate and verify it against the URL/IP/hosts file etc.
    I trust you have installed the chain and have checked that the certificate is not expired yet.

    Please remember that it can also be because of your partner's side. I had a similar issue in the past (not with SAP though) when they were actually performing the validation based on their public certificate by mistake instead of my public certificate.


    If this answers your question please mark it as Answer and if this post is helpful, please vote as helpful. Thanks !

    Friday, December 5, 2014 12:06 AM
  • Hi All,

    Thanks for the replies. We have installed the certificates as mentioned in the blog: the BizTalk certificate in the Personal folder of both the service user and the local computer, and the SAP certificate in Trusted Root Certification Authorities and Other People. The only difference is that the BizTalk certificate does not specify "Enhanced Key Usage = Client Authentication"; does this cause any issue?

    Thanks

    Friday, December 5, 2014 10:23 AM
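  • The checks the previous replies describe by hand (right store, private key attached and readable by the host instance account, nothing expired, chain builds) and the Enhanced Key Usage question above can all be run from one script. The following is an added example, not code from any poster in this thread; the two thumbprints and the host account name are placeholders to replace. It checks Local Computer\Personal, which is the store the send port reads when the clientCredentials behavior has storeLocation="LocalMachine"; if storeLocation is left at the WCF default of CurrentUser, the store that counts is the host instance account's own Personal store, so run the script under that account instead.

```powershell
# Added example: verify the certificate setup a BizTalk WCF send port needs for
# client-certificate (mutual) TLS. Run in an elevated PowerShell session on the BizTalk host.
# All three values below are assumptions; replace them with your own.
$clientThumb   = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed: BizTalk client cert
$sapThumb      = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'   # assumed: SAP PI server cert
$hostAccount   = 'CONTOSO\BTSHostSvc'                          # assumed: BizTalk host instance account
$clientAuthOid = '1.3.6.1.5.5.7.3.2'                            # id-kp-clientAuth

# Thumbprints copied out of the MMC dialog usually carry spaces and an invisible
# left-to-right mark (U+200E); the send port's findValue must be the bare hex string.
$clientThumb = ($clientThumb -replace '[^0-9A-Fa-f]', '').ToUpper()
$sapThumb    = ($sapThumb    -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. Client certificate: Local Computer\Personal, private key present, within its validity window.
$client = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clientThumb }
if (-not $client)                     { throw "client cert $clientThumb not in LocalMachine\My" }
if (-not $client.HasPrivateKey)       { throw "client cert has no private key in this store" }
if ($client.NotAfter  -lt (Get-Date)) { throw "client cert expired $($client.NotAfter)" }
if ($client.NotBefore -gt (Get-Date)) { throw "client cert not yet valid $($client.NotBefore)" }

# 2. Enhanced Key Usage: a certificate with no EKU extension is valid for any purpose, but if
#    the extension is present it must list Client Authentication, or TLS stacks (Schannel
#    included) and the partner's validation will refuse it as a client certificate.
$eku = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid)) {
    Write-Warning "client cert has an EKU extension without Client Authentication ($clientAuthOid)"
}

# 3. The private key file must be readable by the host account. makecert creates a CAPI
#    (RSACryptoServiceProvider) key stored under MachineKeys; the MMC equivalent of this
#    check is All Tasks -> Manage Private Keys. Access granted through a group (for example
#    BizTalk Application Users) is not matched here, so treat a miss as "inspect the ACL".
$container = $client.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
$readRule  = (Get-Acl $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $hostAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if (-not $readRule) { Write-Warning "$hostAccount has no direct Read ACE on key file $keyFile" }

# 4. SAP PI server certificate: it is self-signed, so WCF Transport security only accepts the
#    TLS server if the certificate sits in Local Computer\Trusted Root Certification Authorities;
#    its CN/SAN must also match the host name in the send port address, so print it to compare.
$sap = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $sapThumb }
if (-not $sap)                     { throw "SAP server cert $sapThumb not in LocalMachine\Root" }
if ($sap.NotAfter -lt (Get-Date))  { throw "SAP server cert expired $($sap.NotAfter)" }
"SAP server cert subject: $($sap.Subject) (must match the host in the send port address)"

# 5. Chain build for both certificates as the machine sees them. Self-signed certificates have
#    no CRL, so revocation checking is off; any status reported here also fails inside WCF.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
foreach ($c in @($client, $sap)) {
    if (-not $chain.Build($c)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "$($c.Subject): $($_.Status) - $($_.StatusInformation)" }
    }
}
"checks complete"
```

    A 401 with "client certificate not sent" in the partner's log is produced by steps 1 to 3 far more often than by step 4: the store is the wrong one for the account the host instance runs as, the key is missing, or the account cannot read it, and in each case Schannel silently sends no certificate rather than failing the handshake.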
  • Hi,

    The Enhanced Key Usage field specifies what the public key of the certificate can be used for, i.e. client authentication or server authentication. This is an optional field and may not be seen for all certificate types.

    You can ignore that.

    Rachit 

    Friday, December 5, 2014 11:35 AM
    Moderator
  • No, I don't think you have any issue with Enhanced Key Usage = Client Authentication. There may be some misconfiguration in your configuration; I would suggest verifying your settings again. There is a good post over on MSDN related to client certificates and server certificates in the link below.

    Client Certificates V/s Server Certificates

    Thanks

    Abhishek


    Monday, December 8, 2014 11:31 AM
  • Hi All,

    The reasons why the trigger from BizTalk is failing and the trigger from SoapUI is successful:

    1. In the SoapUI configuration we select the private key of the client certificate and provide the password for the same.
    2. In BizTalk we only have the option of selecting the certificate and we cannot provide the password. Below is the MSDN article for the same.

    On one of the sites it is mentioned as below. Kindly let us know whether the below will work or not:

    Organization Security Restrictions:
    Each organization may have restrictions on using client certificates for security reasons. One such restriction is that when a user requests a client certificate, a password prompt is displayed. A client certificate can be used only if the correct password is provided; because BizTalk Server uses services, and services cannot interact with dialog boxes, do not use client certificates requiring password validation.

    To prevent the issue, configure the policy so that no passwords are prompted when a certificate is used. This setting is enforced by the Group Policy Object (GPO) "System cryptography: Force strong key protection for user keys stored on the computer". If setting this policy, the value should be set to "User input is not required when new keys are stored and used".

    Kindly let us know whether the setting needs to be done in the system cryptography.

    Thanks

    Tuesday, December 9, 2014 5:44 AM
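  • The password SoapUI asks for is the PFX file password, which is consumed at import time; a key that already sits in the Local Computer store has no password, and the "force strong key protection" GPO quoted above governs only keys in a user's CurrentUser store. So the practical fix is to keep the client key in the machine store and make it readable by the host instance account. The following added example (not from any poster in this thread) recreates the client certificate with makecert so that it carries the Client Authentication EKU and its key lands directly in Local Computer\Personal, grants the host account read access to the key, and exports the public certificate to hand to SAP PI. The subject name, validity dates, output path and account are assumptions; `-a sha256` needs the Windows 8 SDK makecert or later (older builds accept only md5/sha1).

```powershell
# Added example: issue a self-signed client certificate suitable for BizTalk mutual TLS.
# Run in an elevated prompt on the BizTalk host; makecert.exe ships with the Windows SDK.
#   -r                       self-signed
#   -pe                      keep the private key exportable (backup / DR)
#   -sky exchange            key usable for TLS key exchange
#   -eku 1.3.6.1.5.5.7.3.2   Enhanced Key Usage = Client Authentication only
#   -ss My -sr LocalMachine  write straight into Local Computer\Personal: no PFX import,
#                            no password, and no strong-key-protection prompt
$subject     = 'CN=biztalk-sap-client'   # assumed subject name
$hostAccount = 'CONTOSO\BTSHostSvc'      # assumed BizTalk host instance account
$cerOut      = 'C:\temp\biztalk-sap-client.cer'   # assumed path for the public cert given to SAP PI

makecert -r -pe -a sha256 -len 2048 -n $subject -b 01/01/2015 -e 01/01/2017 `
    -eku 1.3.6.1.5.5.7.3.2 -sky exchange -ss My -sr LocalMachine
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Pick up the certificate just written (newest one with that subject).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) { throw "certificate with private key not found in LocalMachine\My" }

# Grant the host account read access to the CAPI key file (MMC: All Tasks -> Manage Private Keys).
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                     $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
icacls $keyFile /grant "${hostAccount}:(R)"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Export only the public certificate (DER .cer, no private key) for the SAP PI trust store.
New-Item -ItemType Directory -Force -Path (Split-Path $cerOut) | Out-Null
[System.IO.File]::WriteAllBytes($cerOut,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# This is the value for the send port's clientCertificate findValue (x509FindType FindByThumbprint),
# together with storeLocation=LocalMachine and storeName=My; no "CN=" prefix.
"thumbprint for the send port findValue: $($cert.Thumbprint)"
"public certificate for SAP PI written to: $cerOut"
```

    After running it, set the send port's clientCredentials clientCertificate to storeLocation LocalMachine, storeName My, x509FindType FindByThumbprint and the printed thumbprint, restart the host instance so it re-reads the store, and have SAP PI import the exported .cer as a trusted client certificate. The private key never leaves the machine store, which is exactly why no password is involved on the BizTalk side.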