Filtering to choose between AS2 and AS2EDI send on non ESB Port Driven Applications

Long story short, we had an issue where we needed to send EDI documents to a customer and AS2 MDN’s to a customer as a response.
The problem was that when we started up AS2, the filters weren’t properly set. So every time we created an outbound EDI message, it would send the XML over AS2 (from the AS2-only port) and the complete EDI package over the AS2EDI send port.

Since MDN’s don’t have a payload, we found that this filter worked well and blocked our EDI sends from going out the regular AS2 port.

Using this in the filter worked out well; remember it isn’t a string, so just False or True will work on that specific send port filter.
This is strict port binding with no orchestrations, ESB Guidance, etc. Otherwise, I would suggest an altered dynamic send port.
 

The complete walkthrough of using an inf file to generate a certificate for AS2 via Certificate services.

http://technet.microsoft.com/en-us/library/ff625722%28WS.10%29.aspx

Note that this has KeyUsage = 0xA0 ; Digital Signature, Key Encipherment, which is needed by most VAN’s.

Keywords:

Generate Key Encipherment certificate

Windows Server

2003 2008 R2

Public private pfx p12

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=www01.fabrikam.com" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
;If you are using another protocol, verify the certificate requirements.

EncipherOnly = FALSE ; Only for Windows Server 2003 and Windows XP. Remove for all other client operating system versions.
Exportable = FALSE   ; TRUE = Private key is exportable
KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1          ; Key Exchange – Required for encryption
KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=www01.fabrikam.com&"
_continue_ = "dn=CN=www01,OU=Web Servers,DC=fabrikam,DC=com&"
_continue_ = "url=http://www.fabrikam.com&"
_continue_ = "ipaddress=172.31.10.134&"
_continue_ = "email=hazem@fabrikam.com&"
_continue_ = "upn=hazem@fabrikam.com&"
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"

; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; SANs can be included in the Extensions section only by adding Base64-encoded text containing the alternative names in ASN.1 format.
; Use the provided script MakeSanExt.vbs to generate a SAN extension in this format.
2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==

[RequestAttributes]
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; and you are using a standalone CA, SANs can be included in the RequestAttributes
; section by using the following text format.
SAN="dns=www01.fabrikam.com&dns=www.fabrikam.com&ipaddress=172.31.10.130"
; Multiple alternative names must be separated by an ampersand (&).

CertificateTemplate = WebServer  ; Modify for your environment by using the LDAP common name of the template.
;Required only for enterprise CAs.



Back on EDIGuidance Conversion

Starting from scratch, since the workarounds didn’t pull up the proper properties.

AS2 weird quirk - don’t use serial numbers that start with 00

Apparently AS2 will not work with certificates whose serial number begins with 00.
 

EDI resolution

Party Resolution

The EDI receive pipeline performs party resolution by performing a series of steps to determine whether there is a match between header fields in the message and properties in the EDI party definition. Once BizTalk Server has determined the party, it determines the document schema that applies to the interchange (see below). It uses the properties associated with the matching party and the relevant schema to validate and process the received message.

To perform party resolution, BizTalk Server proceeds as follows:

1. Resolve the party by matching the sender qualifier and identifier, and the receiver qualifier and identifier, in the interchange header with those in the properties of a party.

2. If step 1 does not succeed, resolve the party by matching just the sender qualifier and identifier in the interchange header with those in the properties of a party.

3. If step 2 does not succeed, use the party values specified in the EDI Global Properties.

In the first step, for X12, BizTalk Server will use the following values to make the match:

  • ISA05 (sender qualifier)
  • ISA06 (sender identifier)
  • ISA07 (receiver qualifier)
  • ISA08 (receiver identifier)
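
The three-step X12 resolution above, worked through as an added example (this is not BizTalk’s own code): it pulls ISA05 to ISA08 out of a constructed ISA segment and walks the fallback chain against a constructed party list. It assumes the padded identifier fields are compared trimmed and case-sensitively, and that the first matching party within a step wins.

```powershell
# Added example, not BizTalk's own code: the three-step X12 party resolution
# described above, run against a constructed ISA segment and constructed parties.
# Assumptions: ISA06/ISA08 are space-padded and compared trimmed, the comparison
# is case-sensitive (-ceq), and the first matching party wins within a step.
$isaSegment = 'ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     ' +
              '*240101*1200*U*00401*000000001*0*P*>~'

function Get-IsaIdentifiers {
    param([string]$Interchange)
    if (-not $Interchange.StartsWith('ISA')) { throw 'not an X12 interchange' }
    $sep = $Interchange[3]            # element separator is the 4th character of ISA
    $e = $Interchange.Split($sep)     # $e[0] = 'ISA', $e[1] = ISA01, ... $e[8] = ISA08
    if ($e.Count -lt 9) { throw 'truncated ISA segment' }
    [pscustomobject]@{
        ISA05 = $e[5].Trim(); ISA06 = $e[6].Trim()   # sender qualifier / identifier
        ISA07 = $e[7].Trim(); ISA08 = $e[8].Trim()   # receiver qualifier / identifier
    }
}

function Resolve-EdiParty {
    param($Isa, [object[]]$Parties, $GlobalParty)
    # Step 1: sender AND receiver qualifier/identifier all match one party.
    $hit = $Parties | Where-Object {
        $_.SenderQualifier -ceq $Isa.ISA05 -and $_.SenderId -ceq $Isa.ISA06 -and
        $_.ReceiverQualifier -ceq $Isa.ISA07 -and $_.ReceiverId -ceq $Isa.ISA08
    } | Select-Object -First 1
    if ($hit) { return [pscustomobject]@{ Step = 1; Party = $hit.Name } }
    # Step 2: only the sender qualifier/identifier have to match.
    $hit = $Parties | Where-Object {
        $_.SenderQualifier -ceq $Isa.ISA05 -and $_.SenderId -ceq $Isa.ISA06
    } | Select-Object -First 1
    if ($hit) { return [pscustomobject]@{ Step = 2; Party = $hit.Name } }
    # Step 3: fall back to the party values in the EDI Global Properties.
    [pscustomobject]@{ Step = 3; Party = $GlobalParty.Name }
}

# Constructed party definitions (not real trading partners).
$parties = @(
    [pscustomobject]@{ Name = 'Fabrikam'; SenderQualifier = 'ZZ'; SenderId = 'SENDERID'
                       ReceiverQualifier = 'ZZ'; ReceiverId = 'RECEIVERID' }
    [pscustomobject]@{ Name = 'Contoso';  SenderQualifier = '01'; SenderId = 'CONTOSO'
                       ReceiverQualifier = 'ZZ'; ReceiverId = 'RECEIVERID' }
)
$globalParty = [pscustomobject]@{ Name = 'EDI Global Properties' }

# Expected: Step 1, Party Fabrikam. Change ISA08 in $isaSegment to see Step 2,
# and ISA06 to see the Step 3 fallback.
Resolve-EdiParty -Isa (Get-IsaIdentifiers $isaSegment) -Parties $parties -GlobalParty $globalParty
```
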

For EDIFACT, BizTalk Server will use the following values to make the match:


Many places for CertWizard

In 2006/2009/2010 it’s under the SDK/Utilities folder and may or may not be compiled.
It is compiled in the Rosetta adapter in 2009.
 

Hard to Find AS2 Certificate Walkthrough (was at the bottom of another hard-to-find doc)

From http://download.microsoft.com/download/E/F/D/EFD62427-FBDB-4BA3-B52A-F307AF075965/Learning%20the%20New%20EDI%20Features%20of%20BizTalk%20Server%202009.docx

Certificates

The following table describes the AS2 certificate needs:

Certificate usage: Signature (outbound)
  Certificate type: Own private key (.pfx)
  Pipeline component: MIME/SMIME encoder
  User context: Account used by the host instance associated with the send handler.
  Certificate store: Current User\Personal store of each BizTalk Server that hosts a MIME/SMIME encoder pipeline, as each host instance service account.
  Where defined: Certificate option in the BizTalk Group Properties. This is the default signing certificate used when sending signed documents.
                 Certificate option in the Party Properties. This is the signing certificate used when sending documents for a specific party.
                 EdiIntAS.SignatureCertificate context property. This contains the thumbprint of the certificate that the pipeline will use to sign the document.

Certificate usage: Signature verification (inbound)
  Certificate type: Trading partner’s public key (.cer)
  Pipeline component: MIME/SMIME decoder
  User context: Account used by the host instance associated with the receive handler.
  Certificate store: Local computer\Other People store of each BizTalk Server that hosts a MIME/SMIME decoder pipeline, as each host instance service account.
  Where defined: Certificate option in the Party Properties dialog box.
                 Note: The certificate used to verify a signature for a party must be unique from the certificates used to verify signatures for other parties. So, every party gets its own certificate.

Certificate usage: Encryption (outbound)
  Certificate type: Trading partner’s public key (.cer)
  Pipeline component: MIME/SMIME decoder
  User context: Account used by the host instance associated with the send handler.
  Certificate store: Local computer\Other People store of each BizTalk Server that hosts a MIME/SMIME encoder pipeline.
  Where defined: Certificate option in the Send Port Properties.

Certificate usage: Decryption (inbound)
  Certificate type: Own private key (.pfx)
  Pipeline component: MIME/SMIME decoder
  User context: Account used by the host instance associated with the receive handler.
  Certificate store: Current User\Personal store of each BizTalk Server that hosts a MIME/SMIME decoder pipeline, as each host instance service account.
  Where defined: The AS2 Decoder will determine the certificate based upon certificate information in the message.
                 For the BizTalk MIME Decoder, the certificate must be in the Certificate option in the properties of the host used for receiving the message. This is not necessary for the AS2 Decoder.


This chart is also available at http://msdn.microsoft.com/en-us/library/bb728096.aspx.

 

There are four places to install certificates: BizTalk Group properties, Party properties, Send Port properties and HOST properties.

 

Certificates used for AS2 transport must have the attributes required for their intended use. For signing and signature verification, the Key Usage attribute of the certificate must be Digital Signature. For encryption and decryption, the Key Usage attribute of the certificate must be Data Encipherment or Key Encipherment. You can verify the Key Usage attribute by double-clicking the certificate, clicking the Details tab in the Certificate dialog box, and checking the Key Usage field.
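
Rather than opening each certificate in the dialog, the check above can be scripted. The following is an added example (not from the walkthrough or from BizTalk) that lists the certificates in the two stores the table names, reports whether each carries the Digital Signature and Key/Data Encipherment usages, and also flags the 00-prefixed serial numbers the earlier post warns about. It assumes PowerShell 5 or later and that it is run as the BizTalk host instance service account, so that CurrentUser\My is that account’s Personal store.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the walkthrough: audit the stores named in the table
# for the Key Usage each AS2 role needs, and flag 00-prefixed serial numbers.
# Assumption: PowerShell 5+, run as the BizTalk host instance service account.
$stores = @(
    'Cert:\CurrentUser\My'             # Current User\Personal: own .pfx (sign, decrypt)
    'Cert:\LocalMachine\AddressBook'   # Local computer\Other People: partner .cer files
)

function Test-As2Certificate {
    param([X509Certificate2]$Cert)
    # The Key Usage extension is optional; treat a missing one as "no usages".
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } |
          Select-Object -First 1
    $flags = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }
    [pscustomobject]@{
        Subject            = $Cert.Subject
        Thumbprint         = $Cert.Thumbprint        # what the Group/Party UI shows
        HasPrivateKey      = $Cert.HasPrivateKey     # needed for signing and decryption
        CanSign            = $flags.HasFlag([X509KeyUsageFlags]::DigitalSignature)
        CanEncrypt         = $flags.HasFlag([X509KeyUsageFlags]::KeyEncipherment) -or
                             $flags.HasFlag([X509KeyUsageFlags]::DataEncipherment)
        SerialStartsWith00 = $Cert.SerialNumber.StartsWith('00')
        Expired            = $Cert.NotAfter -lt (Get-Date)
    }
}

foreach ($store in $stores) {
    "== $store"
    Get-ChildItem -Path $store | ForEach-Object { Test-As2Certificate -Cert $_ } |
        Format-Table -AutoSize
}
```

A signing or decryption certificate should show HasPrivateKey True with the matching usage; a partner’s .cer in Other People should show HasPrivateKey False.
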

 

 

Group Hub and HOST Certificate Import Instructions

 

The certificate with the private key must be imported to the BizTalk service account’s Personal store. There are 3 options to do this:

 

Option 1: Login to the BizTalk server as the BizTalk service account.

Option 2: Open the MMC as the BizTalk service account using the RunAs feature: runas /user:BizTalkServiceAccount mmc.exe.

 

Option 1 and Option 2 steps: 

 

1. Open the MMC on the BizTalk server and add the Certificate snap-in for My User Account.

2. Select Personal, right-click, select All Tasks and then select Import.

3. This opens the Certificate Import Wizard. Select the following:

 

a) Click Next.

b) Browse to the .pfx file and click Open. Click Next.

c) If you specified a password on Windows 2003, enter it. If not, leave it blank. On Windows 2008, enter the password. Check Mark this key as exportable and click Next.

d) Click Next to import into the Personal store.

e) Click Finish.

 

4. In BizTalk Administration, open the BizTalk Group properties. Click Certificate and then Browse to your newly-imported certificate. For the BizTalk HOST, open the HOST properties, click Certificates and then Browse to your newly-imported certificate.

 

 

Option 3: Use the CertWizard.exe SDK utility. This option ensures that the certificate is correctly imported into the MMC and the BizTalk Group properties. Steps:

 

1. Build the CertWizard.csproj project in Program Files (x86)\Microsoft BizTalk Server 2009\SDK\Utilities\Certificate Wizard to create CertWizard.exe in the bin\Debug directory.

2. Open a command window and go to the Program Files (x86)\Microsoft BizTalk Server 2009\SDK\Utilities\Certificate Wizard\bin\Debug directory.

3. Type the following and press Enter. CertWizard will find the BizTalk service account and ask you for the password for every HOST instance.

 

certwizard /privatekey Cert.pfx /Filepassword password /Usage both /Exportable true

 

To confirm the certificate has been successfully imported in the BizTalk Group properties, select the Certificate option. You should see a Thumbprint with no Common Name. The Common Name is not needed by BizTalk.

 

To confirm the certificate has been successfully imported in the Personal store of the BizTalk service account, use the RunAs feature to open the MMC: runas /user:BizTalkUserAccount mmc.exe.

 

BizTalk 2009 Help provides more info on the CertWizard utility.

 

 

Party and Send Port Certificate Import Instructions

 

You can override the certificate set at the BizTalk Group level by specifying a certificate in the Party and Send Port properties. You will do this if a partner sends you a certificate or you are sending a partner a certificate. A certificate can only be used by one party. The Party and Send Port certificate must be imported to the Other People store, which can be read by all users. Import steps:

 

1. Open the MMC on the BizTalk server and add the Certificate snap-in for the Computer Account.

2. Select Other People, right-click, select All Tasks and then select Import.

3. This launches the Certificate Import Wizard. Select the following:

 

a) Browse to the CertificateName.pfx (private key) or CertificateName.cer (public) file.

b) If you specified a password on Windows 2003, enter it. If not, leave it blank. On Windows 2008, enter the password. Check Mark this key as exportable and click Next.

c) Click Next to import into the Other People store.

d) Click Finish.

 

4. In BizTalk Administration, open the Party and/or Send Port properties. Click Certificate and click Browse. You should now see the imported certificate.

 

 

Scenario A

You are receiving messages from a partner that encrypts data using a certificate. To decrypt the message, you must install the certificate on the BizTalk server.

 

Solution

The partner must send you the certificate with the public key (CertName.cer). Once received, import the CertName.cer file using the Certificates snap-in in the Other People store. Then, modify the Party properties to use this certificate.

 

 

Scenario B

You are sending signed messages to a partner. Your messages are encrypted using a certificate purchased from a 3rd party.

 

Solution

You will have the certificate with the private key (CertName.pfx) installed on your BizTalk server. You must send the certificate with the public key (CertName.cer) to your partner. Once received, your partner will import the CertName.cer file on their BizTalk server.


ESB 2.1 problems


BizTalk Trace tool


Resolvers don’t properly show on 2.1 installation
