AS2 Encryption certificate

  • Question

  • Hi.  I am working on my first AS2 implementation and am stuck big time with encryption issues on the receive side.  The error verbiage I get isn't very helpful:

    "An error occurred when decrypting an AS2 message"

    My certificates are stored according to this table:  http://blogs.msdn.com/biztalkb2b/archive/2007/05/30/as-2-certificate-management.aspx and I did install my private key while logged on as the service account that my isolated host runs under.  For my trading partner, I have configured their party AS2 properties and linked their party to their public certificate.

    My specific questions are:

    1.  Is the certificate I have associated with the service account that my isolated host runs under sufficient for decryption?  Or do I also have to create a receive party representing me as receiver and link to that certificate in the party config as well?  I do understand I have to have a party representing me for the EDI side, but I would rather not link a certificate to the party representing me if I do not have to, because I share an environment with multiple divisions within our organization and don't want to have to create an isolated host for each of those divisions (we share a single host for https transactions).

    In other words, while I have configured the "AS2-To" alias for the party representing me, I have not linked that party to my private key, my reasoning being that the AS2 decode component knows what certificate to use because the isolated host account has its key stored properly and associated with the host.  Am I delusional?

    2.  My trading partner is using a self-signed certificate.  Would that have any effect on the pipeline's ability to decrypt?  Does this mean I would also have to install their certificate in the "trusted" store in addition to installing it in the "other people" store?

    tia!



    Doug Griffin
    Thursday, June 25, 2009 11:01 PM

Answers

  • Doug,

    In answer to question 1, the certificate you use must have key usage for signing and encryption (sometimes noted as secure email). You can check this on the details tab of the opened certificate.

    In answer to question 2, the root certificate of the self-signed certificate should also be in the Trusted Root CA store. If the certificate is the only certificate in the chain (verified on the Certification Path tab of the opened certificate), then it is basically its own root CA and needs to be in the Trusted Root CA store.

    A good way to get the certificate where it needs to be is by using the CertWizard tool, found in the <BizTalk Install Directory>\SDK\Utilities\Certificate Wizard folder.  Instructions for the utility are here: http://msdn.microsoft.com/en-us/library/bb727929.aspx

    Once the certificates are in place, you need to ensure your certificate is associated with the BizTalk Group and with your AS2 receive location, and your trading partners certificate is associated with their party definition and send port (and that their send port is associated with their party definition). Lastly, you need to set your and your trading partner AS2 properties to the proper settings (Sync or Async MDN, signed receipt, encryption, etc.).

    If you still run into problems, you can contact me directly through the e-mail link on my home page, which you can find by viewing my MSDN forum profile. I've done several BizTalk AS2 implementations and know it can be daunting.


    Saturday, June 27, 2009 1:25 AM

All replies

  • Hi Sid.  Thanks much for the advice.  I didn't know about the certificate wizard tool and it was most helpful.  I did not see that it did anything I had not already done manually though (except allow me to specify "usage = both"), but it will surely come in handy when I finally get ready to deploy this to our production servers.

    I have taken all the steps you listed except for:  "certificate is associated with the BizTalk Group and with your AS2 receive location".  I have linked my certificate to the Group (though I am curious as to why this is necessary, as it seems to me that linking to the host would be sufficient), but I'm not sure I understand the "with your AS2 receive location" part.  There are no configuration options that I can see in BT2006 for linking a certificate to a receive location.

    Also, I'm wondering about my certificate itself.  You say "key usage for signing and encryption (sometimes noted as secure email)".  My key has these for key usage:

    Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

    Is that sufficient?  I see that the "Intended Purpose" of my certificate is set to "Server Authentication".  Is that relevant?  Or must the intended purpose be "Secure Email" as you implied?


    Doug Griffin
    Tuesday, July 7, 2009 8:36 PM
  • Doug,

    My apologies for being a bit confusing, and you are correct that the certificate is not explicitly associated in the receive location properties.  (I did not have my test server spun up to verify all the points where the certificate is used and wanted to err on the side of more checks.) I may get corrected on this, but I believe associating the certificate with the host is not sufficient because the AS2 process runs under IIS control (meaning isolated host).

    A certificate with Digital Signature, Non-Repudiation, Key Encipherment, and Data Encipherment should work. I know if the certificate's intended purpose includes Server Authentication and Client Authentication it will work, and if the certificate's intended purpose is Secure Email it will work, but I would have to test a certificate with only Server Authentication on its own to speak definitively on whether it matters.

    From what you describe, I think the certificate is OK, but the party and port setups are probably not all set up correctly. Unfortunately, the error messages that get generated when something is set wrong rarely say "the setting is wrong, change it to <this>". If you'd like to review your settings with me offline, let me know.

    How are you testing your setup (i.e. with your trading partner or a local loopback)?

    Sid
    Wednesday, July 8, 2009 12:29 AM
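Both of Sid's replies above come down to checks that can be scripted instead of clicked through in the certificate dialog: does the certificate carry the key usage needed to sign and decrypt, does its enhanced key usage (the "Intended Purpose" column) allow Secure Email, and does Windows build a trusted chain for the partner's self-signed certificate. The following is an added example written for this page, not code from the thread or from BizTalk. It assumes the account running the AS2 isolated host is the one logged on (so its personal store is Cert:\CurrentUser\My) and that the partner's public certificate was imported into "Other People", which PowerShell exposes as the AddressBook store; the Secure Email OID and store names are standard Windows/X.509 values.

```powershell
# Added example (not from the original posts): report the properties an AS2
# decode/encode pipeline depends on for every certificate in a store.
function Test-As2Certificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $kuExt  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    $kuFlags = if ($kuExt) { [int]$kuExt.KeyUsages } else { 0 }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # S/MIME signing needs DigitalSignature. S/MIME encryption wraps the symmetric
    # content key with the recipient's RSA public key, so the receiving side's
    # certificate needs KeyEncipherment to be usable for decryption.
    $digitalSignature = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $keyEncipherment  = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $canSign    = ($kuFlags -band $digitalSignature) -ne 0
    $canEncrypt = ($kuFlags -band $keyEncipherment) -ne 0

    # 1.3.6.1.5.5.7.3.4 is Secure Email (emailProtection). Per RFC 5280 an absent
    # EKU extension means "any purpose", so no EKU at all is also acceptable.
    $ekuAllowsSmime = ($ekuOids.Count -eq 0) -or ($ekuOids -contains '1.3.6.1.5.5.7.3.4')

    # Build the chain the way Windows does (revocation skipped so this runs offline).
    # A self-signed certificate only yields a trusted chain when that same
    # certificate is present in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($Cert)
    $chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        HasPrivateKey    = $Cert.HasPrivateKey
        SelfSigned       = ($Cert.Subject -eq $Cert.Issuer)
        KeyUsage         = $(if ($kuExt) { $kuExt.KeyUsages.ToString() } else { 'none' })
        EnhancedKeyUsage = $(if ($ekuOids.Count) { $ekuOids -join ', ' } else { 'none (any purpose)' })
        CanSign          = $canSign
        CanEncrypt       = $canEncrypt
        EkuAllowsSmime   = $ekuAllowsSmime
        ChainTrusted     = $chainTrusted
        ChainStatus      = $(if ($chainTrusted) { 'OK' } else { $chainStatus })
    }
}

# Own decryption/signing certificate: personal store of the account the AS2 host
# runs under (assumption: that account is the one logged on). HasPrivateKey must
# be True, otherwise nothing on this box can decrypt inbound AS2 payloads.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-As2Certificate $_ } |
    Format-List

# Trading partner's public certificate: "Other People" in the MMC snap-in is the
# AddressBook store. SelfSigned = True with ChainTrusted = False and a ChainStatus
# of UntrustedRoot means the partner cert still has to be imported into
# Cert:\LocalMachine\Root as well, which is the point Sid makes in answer 2.
Get-ChildItem Cert:\LocalMachine\AddressBook |
    ForEach-Object { Test-As2Certificate $_ } |
    Format-List
```

Run it once as the isolated host's service account and once as the account you administer the box with: a certificate that shows HasPrivateKey = True only under the second account is the classic symptom behind an unhelpful "error occurred when decrypting an AS2 message", because the key was installed into the wrong user's personal store.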
  • Doug,

    I missed addressing the question you raised regarding associating the certificate to the party representing you, and yes - your certificate should be associated with your party definition, too.

    Sid

    Wednesday, July 8, 2009 12:40 AM
  • Is it mandatory that you have to be logged in using the account that BizTalk Services runs under to install the certificate? In my case BTSAppHost is the user. I keep getting the error "A BTS MIME error was encountered when attempting to encode a message. Error: The Signing Certificate has not been configured for AS2 party. AS2-From: XXX AS2-To: XXX"
    Friday, April 30, 2010 3:38 PM
  • You should probably open this under a new thread, but to answer your question...

    When using the wizard, I believe there is an option to specify the user account for the certificates and you need the account's password. The process is easier when you are logged in under the host account.

    Friday, April 30, 2010 6:14 PM