certificate

  • Question

  • I have updated the new certificate at host level but it is not updating properly.

    It is taking the old certificate, so messages are getting failed.

    Please can you help me resolve this issue? I have done all the activities but I am still facing this issue.

    Wednesday, June 1, 2016 5:25 PM

Answers

  • I will explain the problem.

    Actually, today one of our customer's certificates expired, so they are unable to send the files to us.

    So they are asking for the certificate. So we have provided another customer certificate to them, and I have configured the same certificate at host level. They installed the certificate and they sent the files, but those files failed in BizTalk.

    Can you suggest to me please how we can resolve this issue?

    Are you 100% sure the partner is using the correct keys?

    You need to examine clearly the certificates you are using for your AS2 communication. The problem lies there. The certificates have to be in the right store, under the right account and at the proper locations in BizTalk [Group, Host and Party]. Also, the AS2 communication happens through the WCF adapter, which runs under the Isolated adapter. Thus the account used for the isolated adapter must also have the server certificates, and the party needs to have the partner's certificate.

    A few pointers:

    1) You need to verify that the public key used in the encryption process and the private key used in the decryption process match.

    2) The decryption certificate should be registered under the BizTalk Isolated Host process user account, as mentioned above.

    3) Verify that the Key Usage property of the certificate used for encryption and decryption is set to "data encipherment", as mentioned above.

    4) You need to configure this in the Party Configuration as well. Can you please refer to the article below for AS2 certificate configuration and validate all the steps.

    http://geekswithblogs.net/VishnuTiwariBlog/articles/biztalk-as2-certificate-configuration.aspx



    Rachit Sikroria (Microsoft Azure MVP)

    • Proposed as answer by Angie Xu Tuesday, June 14, 2016 8:35 AM
    • Marked as answer by Angie Xu Tuesday, June 14, 2016 8:35 AM
    Wednesday, June 1, 2016 7:31 PM
    Moderator

All replies

  • From what I understand, you are trying to set up a certificate to decrypt the encrypted message received from the partner.

    You need to install the partner's encrypted certificate in the Other People certificate store.

    If you want to use receive authorization, you must provide the thumbprint of the decryption certificate in the properties of the host that you want to authorize to receive the message.

    Use this / To do this:

    Description: Displays a description of the displayed decryption certificate.

    Thumbprint: Displays the thumbprint of the private key certificate used to decrypt inbound messages for this host. The certificate thumbprint has the format HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH, where H is a hexadecimal digit (a number from 0 through 9 or a letter from A through F).

    Remove certificate: Click to remove the displayed decryption certificate from the host.

    Browse: Click to display the Select Certificate dialog box, where you select the decryption certificate from the Local Machine or Other People certificate store that you want to use with the host.

    How?

    To install the encryption certificates in the certificates store

    1. Partner A requests a private-public key pair for encryption from the CA.

    2. Partner A installs the private key certificate for decrypting the messages in the appropriate store. (If Partner A is using Windows 2000 Server, Windows Server 2003, Windows Server 2008 SP2, install the private key in the personal certificate store.)

    3. Partner A sends you its public key for encrypting messages sent to Partner A.

    4. In BizTalk Server, log on to the server that has a host instance running a handler that will send messages to Partner A. Install the Partner A public key certificate for encrypting messages sent to Partner A in the Other People store. The following figure shows the certificate store where you install the certificate.

    [Figure: Certificates required to send secure messages]

    To configure BizTalk hosts for receiving encrypted messages

    1. Click Start, point to All Programs, point to Microsoft BizTalk Server 2013 R2, and then click BizTalk Server Administration.

    2. In the BizTalk Server Administration console, expand Platform Settings, expand Hosts.

      1. On the right pane, right-click a BizTalk host that is the handler for receiving the encrypted messages, and then click Properties.

      2. On the Host Properties dialog box, click Certificate, click Browse.

      3. On the Select Certificate dialog box, select the decryption certificate that you installed, and then close all of the dialog boxes.

    Restart both the IIS and BizTalk host instances for the changes to take effect.

    Also refer: http://social.technet.microsoft.com/wiki/contents/articles/18737.biztalk-server-2013-encrypting-and-decrypting-a-message.aspx


    Rachit Sikroria (Microsoft Azure MVP)

    Wednesday, June 1, 2016 5:54 PM
    Moderator
  • An output message of the component "Microsoft.BizTalk.EdiInt.PipelineComponents" in receive pipeline "Microsoft.BizTalk.EdiInt.DefaultPipelines.AS2Receive, Microsoft.BizTalk.Edi.EdiIntPipelines, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" is suspended due to the following error:

    An error occurred when decrypting an AS2 message..
    The sequence number of the suspended message is 2.

    I am getting the above error.

    Wednesday, June 1, 2016 6:26 PM
  • The problem looks like it is with the certificate configuration. You need to get the partner certificate's public key. Can you please refer to the documentation below and then let me know if you are still facing any problem.

    http://geekswithblogs.net/VishnuTiwariBlog/articles/biztalk-as2-certificate-configuration.aspx

    In fact, you need to provide the partner's certificate in the AS2 party configuration and your certificate at the BizTalk Group property and at the send port.

    This error is actually because your private key isn't matching the message. The trading partner is using your public key to encrypt the message and BizTalk needs to use your private key to decrypt it. When you are installing the certificates in your certificate store, make sure you are logged in as the same user as the BizTalk host account.

    Also refer: https://msdn.microsoft.com/en-us/library/bb898958(v=bts.70).aspx

    To resolve this error, do one or more of the following:

    • Verify that the encryption wrapper in the AS2 message is valid. If not, determine why the message was encoded improperly by the encoder.
    • Verify that the public key used in the encryption process and the private key used in the decryption process match.
    • Verify that the Key Usage property of the certificate used for encryption and decryption is set to "data encipherment".
    • Verify that there is not a broken chain of intermediate certificate authorities. If there is, delete the old certificate, and create and use a new certificate.
    • Verify that the certificate has not timed out by checking its expiration date in the Certificates store (using MMC with a certificates snap-in.).
    • Verify that the certificate has not been revoked by checking the Certification Revocation List. (You can have BizTalk Server check this automatically by checking the Check Certification Revocation List property in the General AS2 properties in the BizTalk Server Administration console.)
    • Verify that the certificate used for decryption is stored in the Current User\Personal store of each BizTalk server that hosts a MIME/SMIME decoder pipeline as each host instance service account.

    Also, what's the serial number on the partner's cert? If the serial number is 00 then BizTalk will not consider it valid. Here's a link to a similar question:

    http://social.msdn.microsoft.com/Forums/is/biztalkediandas2/thread/d4a8d620-b951-4345-8b3b-6800f740568a


    Rachit Sikroria (Microsoft Azure MVP)

    Wednesday, June 1, 2016 6:36 PM
    Moderator
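
    The checklist in this reply can be run as a script. The following PowerShell is an added example (not from the thread, Microsoft, or BizTalk itself): it assumes you run it under the BizTalk host instance service account, so that Cert:\CurrentUser\My is that account's Personal store, and that you replace the placeholder parameter with the thumbprint shown under Host Properties > Certificate.

```powershell
# Added example: audit the AS2 decryption certificate against the checklist above.
# Run this AS the BizTalk host instance service account; CurrentUser\My is per-account.
# $ExpectedThumbprint is a placeholder: paste the value from Host Properties > Certificate
# (the spaces in the HHHH HHHH ... display format are stripped below).
param(
    [string]$ExpectedThumbprint = 'PASTE-HOST-CERTIFICATE-THUMBPRINT-HERE'
)
$wanted = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $wanted }

if (-not $cert) {
    Write-Warning "No certificate with thumbprint $wanted in CurrentUser\My for $env:USERNAME."
    Write-Warning "Either this is not the host service account, or the cert was imported under another account."
    return
}

$findings = @()

# 1) A private key must be present; the public part alone cannot decrypt anything.
if (-not $cert.HasPrivateKey) { $findings += 'No private key: only the public certificate was imported.' }

# 2) Key Usage must include Data Encipherment for AS2 encryption/decryption.
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment)) {
    $findings += "Key Usage is '$($ku.KeyUsages)', which lacks DataEncipherment."
}

# 3) Validity window: an expired certificate is what started this thread.
$now = Get-Date
if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
    $findings += "Not valid at $now (valid from $($cert.NotBefore) to $($cert.NotAfter))."
}

# 4) A serial number of 00 is not accepted by BizTalk (see the reply above).
if (($cert.SerialNumber -replace '^0+', '') -eq '') { $findings += 'Serial number is all zeros.' }

# 5) Chain and revocation: a broken intermediate or a revoked cert also fails decryption.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $findings += 'Chain build failed: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "OK: $($cert.Subject) [$($cert.Thumbprint)] has a private key, DataEncipherment, is in date and chains." }
```

    The partner's public certificate in the Other People store (Cert:\LocalMachine\AddressBook) can be checked the same way, minus the private-key test.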
  • I will explain the problem.

    Actually, today one of our customer's certificates expired, so they are unable to send the files to us.

    So they are asking for the certificate. So we have provided another customer certificate to them, and I have configured the same certificate at host level. They installed the certificate and they sent the files, but those files failed in BizTalk.

    Can you suggest to me please how we can resolve this issue?

    Wednesday, June 1, 2016 6:45 PM
  • We are not sending any files to the customer, only picking up and placing the file in the production system.

    They are sending through an AS2 connection and we are receiving the files through HTTP by using /BTSHTTPHandler.dll.

    Wednesday, June 1, 2016 6:47 PM
  • Hi,

    Thank you for posting on MSDN forum.

    Have you checked the article below?

    http://social.technet.microsoft.com/wiki/contents/articles/18846.biztalk-server-importing-certificates.aspx

    BizTalk Server depends mainly on the security provided by certificates and uses them for encryption, decryption, signing and verifying digital signatures. By making use of the certificates BizTalk Server can:

    • Send and receive data that can be trusted
    • Make sure that the data it processes is secure
    • Make sure that authorized parties receive its messages
    • Make sure that it receives messages from authorized parties

    Thanks,


    Wednesday, June 1, 2016 7:58 PM
    Moderator