Apparently AS2 will not work with Certificates that begin with the serial number of 00.
EDI resolution
Party Resolution
The EDI receive pipeline performs party resolution by performing a series of steps to determine whether there is a match between header fields in the message and properties in the EDI party definition. Once BizTalk Server has determined the party, it determines the document schema that applies to the interchange (see below). It uses the properties associated with the matching party and the relevant schema to validate and process the received message.
To perform party resolution, BizTalk Server proceeds as follows:
1. Resolve the party by matching the sender qualifier and identifier, and the receiver qualifier and identifier, in the interchange header with those in the properties of a party.
2. If step 1 does not succeed, resolve the party by matching just the sender qualifier and identifier in the interchange header with those in the properties of a party.
3. If step 2 does not succeed, use the party values specified in the EDI Global Properties.
In the first step, for X12, BizTalk Server will use the following values to make the match:
- ISA05 (sender qualifier)
- ISA06 (sender identifier)
- ISA07 (receiver qualifier)
- ISA08 (receiver identifier)
For EDIFACT, BizTalk Server will use the following values to make the match:
Many places for CertWizard
In 2006/2009/2010 its under the SDK/Utilities and may or may not be compiled.
It is compiled in the Rosetta adapter in 2009.
Hard to FInd AS2 Certificate Walkthrough (was at bottom of another hard to find doc)
Certificates
The following table describes the AS2 certificate needs:
|
Certificate Usage |
Certificate Type |
Pipeline Component |
User Context |
Certificate Store |
Where Defined |
|
Signature (outbound) |
Own private key (.pfx) |
MIME/SMIME encoder |
Account used by the host instance associated with the send handler. |
Current User |
Certificate option in the BizTalk Group Properties. This is the default signing certificate used when sending signed documents.
Certificate option in the Party Properties. This is the signing certificate used for when sending documents for a specific party.
EdiIntAS.SignatureCertificate context property. This contains the thumbprint of the certificate that the pipeline will use to sign the document. |
|
Signature verification (inbound) |
Trading partner’s public key (.cer) |
MIME/SMIME decoder |
Account used by the host instance associated with the receive handler. |
Local computerOther People store of each BizTalk Server that hosts a MIME/SMIME decoder pipeline as each host instance service account |
Certificate option in the Party Properties dialog box.
Note: The certificate used to verify a signature for a party must be unique from the certificates used to verify signatures for other parties. So, every party gets its own certificate. |
|
Encryption (outbound) |
Trading partner’s public key (.cer) |
MIME/SMIME decoder |
Account used by the host instance associated with the send handler. |
Local computerOther People store of each BizTalk Server that hosts a MIME/SMIME encoder pipeline |
Certificate option in the Send Port Properties. |
|
Decryption (inbound) |
Own private key (.pfx) |
MIME/SMIME decoder |
Account used by the host instance associated with the receive handler. |
Current UserPersonal store of each BizTalk Server that hosts a MIME/SMIME decoder pipeline as each host instance service account |
The AS2 Decoder will determine the certificate based upon certificate information in the message.
For the BizTalk MIME Decoder, the certificate must be in the Certificate option in the properties of the host used for receiving the message. This is not necessary for the AS2 Decoder. |
This chart is also available at http://msdn.microsoft.com/en-us/library/bb728096.aspx.
There are four places to install certificates: BizTalk Group properties, Party properties, Send Port properties and HOST properties.
Certificates used for AS2 transport must have the attributes required for their intended use. For signing and signature verification, the Key Usage attribute of the certificate must be Digital Signature. For encryption and decryption, the Key Usage attribute of the certificate must be Data Encipherment or Key Encipherment. You can verify the Key Usage attribute by double-clicking the certificate, clicking the Details tab in the Certificate dialog box, and checking the Key Usage field.
Group Hub and HOST Certificate Import Instructions
The certificate with the private key must be imported to the BizTalk service account’s Personal store. There are 3 options to do this:
Option 1: Login to the BizTalk server as the BizTalk service account.
Option 2: Open the MMC as the BizTalk service account using the RunAs feature: runas /user:BizTalkServiceAccount mmc.exe.
Option 1 and Option 2 steps:
1. Open the MMC on the BizTalk server and add the Certificate snap-in for My User Account.
2. Select Personal, right-click, select All Tasks and then select Import.
3. This opens the Certificate Import Wizard. Select the following:
a) Click Next.
b) Browse to the .pfx file and click Open. Click Next.
c) If you specified a password on Windows 2003, enter it. If not, leave it blank. On Windows 2008, enter the password. Check Mark this key as exportable and click Next.
d) Click Next to import into the Personal store.
e) Click Finish.
4. In BizTalk Administration, open the BizTalk Group properties. Click Certificate and then Browse to your newly-imported certificate. For the BizTalk HOST, open the HOST properties, click Certificates and then Browse to your newly-imported certificate.
Option 3: Use the CertWizard.exe SDK Utility. This option ensures that the certificate is correct imported into the MMC and the BizTalk Group properties. Steps:
1. Build the CertWizard.csproj project in Program Files (x86)Microsoft BizTalk Server 2009SDKUtilitiesCertificate Wizard to create CertWizard.exe in the binDebug directory.
2. Open a command window and go to the Program Files (x86)Microsoft BizTalk Server 2009SDKUtilitiesCertificate WizardbinDebug directory.
3. Type the following and press Enter. CertWizard will find the BizTalk service account and ask you for the password for every HOST instance.
certwizard /privatekey Cert.pfx /Filepassword password /Usage both /Exportable true
To confirm the certificate has been successfully imported in the BizTalk Group properties, select the Certificate option. You should see a Thumbprint with no Common Name. The Common Name is not needed by BizTalk.
To confirm the certificate has been successfully imported in the Personal store of the BizTalk service account, use the RunAs feature to open the MMC: runas /user:BizTalkUserAccount mmc.exe.
BizTalk 2009 Help provides more info on the CertWizard utility.
Party and Send Port Certificate Import Instructions
You can trump the certificate at the BizTalk Group level by specifying a certificate in the Party and Send Port properties. You will do this if a partner sends you a certificate or you are sending a partner a certificate. A certificate can only be used by one party. The Party and Send Port certificate must be imported to the Other People store; which can be read by all users. Import steps:
1. Open the MMC on the BizTalk server and add the Certificate snap-in for the Computer Account.
2. Select Other People, right-click, select All Tasks and then select Import.
3. This launches the Certificate Import Wizard. Select the following:
a) Browse to the CertificateName.pfx (private key) or CertificateName.cer (public) file.
b) If you specified a password on Windows 2003, enter it. If not, leave it blank. On Windows 2008, enter the password. Check Mark this key as exportable and click Next.
c) Click Next to import into the Other People store.
d) Click Finish.
4. In BizTalk Administration, open the Party and/or Send Port properties. Click Certificate and click Browse. You should now see the imported certificate.
Scenario A
You are receiving messages from a partner that encrypts data using a certificate. To decrypt the message, you must install the certificate on the BizTalk server.
Solution
The partner must send you the certificate with the public key (CertName.cer). Once received, import the CertName.cer file using the Certificates snap-in in the Other People store. Then, modify the Party properties to use this certificate.
Scenario B
You are sending signed messages to a partner. Your messages are encrypted using a certificate purchased from a 3rd party.
Solution
You will have the certificate with the private key (CertName.pfx) installed on your BizTalk server. You must send the certificate with the public key (CertName.cer) to your partner. Once received, your partner will import the CertName.cer file on their BizTalk server.
ESB 2.1 problems
At least we have a guide of roadblocks 😉
BizTalk Trace tool
Resolvers don’t properly show on 2.1 installation
Exception management framework for ESB
Other 2010 ESB Fixes.
Someone else who is attempting to create work-a-rounds to ESB 2.1
BizTalk 2010 Beta WCF Services HowTo: AppPool-SQL walkthrough
Step One:
Start-> Run -> INETMGR
or
Goto Application Pools:
Add new Application Pool (name is irrelevant)
Then Right click On the New Application pool and "Set Application Pool Defaults"
Then Choose the … next to the Identity Tab
Set the credentials to a user that has access to the BizTalkMgmtDB or to a new user or to any user you are comfortable with using with this AppPool.
Once Done the Identity should be that name.
If you used a new user or random user you will need to Log into SQL Server 2008R2 and choose the user you created:
Right-Click-> Properties
THen set the appropriate permissions on the database. The account I happened to use is my administrator account on my DEV machine, same user that I used to setup and configure BizTalk.
You will need to allow for appropriate access to your database for your user.
