AS2 Party Biztalk Encryption on Dynamic Ports using Certificates

Tuesday, September 6, 2011

Q:
Please consider this scenario:
Local (BT)            Remote AS2 server (mendelson)
From                  To
Party_A               Party_B
  1. Many AS2 relationships.
  2. Same account for all of the hosts.
  3. Certificates on this account:
     • Current User\Personal and Trusted Root certificates: keypair_A
     • Local Computer\Other People and Trusted Root certificates: public_key_B

No certificates have been configured to override the group, nor at the port level (dynamic port). No host has an encryption certificate attached to it.

Test 1: Send a Message from party_B  to Party_A (encrypted and signed). No certificate set for the BizTalk group.
Error: "The Signing Certificate has not been configured for AS2 party.  AS2-From: B AS2-To: A "

Test 2: Same as Test 1, but configuring a certificate for the BizTalk group.
Success. 
But this is a problem, because I need to use other signatures for other relationships! (Say Party_C/Party_D)

Test 3: Send a Message from party_A  to Party_B. Certificate set for the BizTalk group.
Error: "The Encryption Certificate has not been configured for AS2 party.  AS2-From: A AS2-To: B "

Test 4: Same as Test 3, but configuring the public certificate for the Party_B party (not for the profile/signature)
Error: "The Encryption Certificate has not been configured for AS2 party.  AS2-From: A AS2-To: B"
So it doesn't make a difference to setup the certificate at the party level.

Test 5: Same as Test 4, except that the certificate thumbprint was configured at the send port level.
Success
But this shows a serious limitation in BizTalk, since a port should be reusable by many relationships/parties. I am using a dynamic port, so why would I attach an encryption certificate to it when it makes more sense to attach the certificate to the party/relationship? Since the only way to specify the encryption certificate is at the port level, I would be forced to give up using a dynamic port and instead use as many static ports as there are AS2 relationships in my system. And there can be a lot. This is a maintenance burden.
Up to here this could be enough if I didn't need to configure other AS2 relationships, and some of them require us to use different signatures. Basically we need to give each partner a brand new signature and encryption certificate (key pair) that represents us, while we receive their public .cer file.
I also wanted to test the signing certificate override feature:
Test 6: Same as Test 1. Send a Message from Party_B to Party_A (encrypted and signed). No certificate set for the BizTalk group, but instead configured in the party's profile AS2 settings.
Error: "The Signing Certificate has not been configured for AS2 party.  AS2-From: B AS2-To: A "
This means that the overriding did not occur! OK then, now let's configure a different signature certificate at the BizTalk group; perhaps that will make BT happy and let the overriding occur:
Test 7: Same as Test 6, but configuring a different signature, expecting BT to take the one at the AS2 properties level of the party (the correct one).
Error: Success on BizTalk side but the AS2 mendelson server complains about the MDN having a signature error, meaning: Verification of digital signature failed (Verification failed)
This means that BizTalk refuses to use the certificate that I want to use (the one at the AS2 properties level) and instead keeps using the one defined at the group level.

So to summarize, I am having two issues:
  1. BizTalk forces the encryption certificate to be set at the port level, which defeats the purpose of the useful dynamic port functionality. Can encryption certificates be configured dynamically for dynamic ports? (Other than programmatically setting BTS.EncryptionCert, which doesn't work.)
  2. As for the signatures, I am not able to have BizTalk use a signature per party/relationship; it keeps using the one defined at the group level. If no certificate is defined at the group level, the other configurations don't matter: there will be an error. If the certificate is set, then it can use only that one certificate for signing, regardless of the overriding settings.
Any ideas are much appreciated,

Thanks!


Sol:

For the issue of dynamic ports and certificates I got the following from Microsoft:
"Dynamic send ports in BizTalk allow one to specify the destination URL at runtime rather than at design time. Everything else needs to be configured statically. When it comes to picking the appropriate certificate at runtime, dynamic ports can't help. As for your scenario, we do understand that it is important to minimize the overhead in terms of number of pipelines/ports to be managed. Ideally the dynamic ports should have been somewhat flexible in terms of which settings do they allow to be provided dynamically at runtime (currently it is possible for only send URL and everything else must be configured statically). However, there is no such functionality that BizTalk provides as of now. I would suggest you to raise this as a new feature request which will have to go through the SE route (mostly as a DCR – design change request)."
Alright, I went back to the static approach.
Still pending the second issue (BizTalk forces using one single signature certificate for all outbound transmissions, regardless of overriding settings).


For the signatures-per-party issue, it is finally working.

If BT has two parties configured (A=Local, B=Remote) and an agreement (A->B, B->A), the problem was that the signature certificate was being configured on the A->B one-way agreement.

When B sent an AS2 message to A, it was expecting an MDN signed by A, so the tab A->B seemed the obvious place to set the certificate that A uses to sign. Also, according to http://msdn.microsoft.com/en-us/library/ff629741(BTS.70).aspx, "Select the Override group signing certificate check box to use the certificate provided in this page for signing outgoing AS2 messages and MDN.", meaning the certificate is for outgoing messages from A to B. When set on the opposite tab (B->A) it started working fine.
I ended up using the same signing certificate on both tabs of the agreement. Note that in a multi-server environment changes are not picked up immediately; the entire server needs to be restarted for the changes to really take effect.
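Before touching the agreement or send port settings, it helps to confirm that the thumbprints you intend to configure actually resolve to usable certificates in the stores described above (keypair_A with its private key in Current User\Personal, public_key_B in Local Computer\Other People, both chaining to Trusted Root). The script below is an added example, not code from the original post; the thumbprint values are placeholders, and the mapping of the post's store names to the Cert: drive paths (Personal = My, Other People = AddressBook) is an assumption about how the stores were populated. Because Cert:\CurrentUser is per-account, run it under the BizTalk host instance account, not your own.

```powershell
# Added example, not from the original post. Checks that the signing
# thumbprint (agreement) and encryption thumbprint (send port) resolve to
# usable certificates in the stores the post describes.
# Run as the BizTalk host instance account: Cert:\CurrentUser is per-account.

$SigningThumbprint    = 'REPLACE_WITH_KEYPAIR_A_THUMBPRINT'     # placeholder
$EncryptionThumbprint = 'REPLACE_WITH_PUBLIC_KEY_B_THUMBPRINT'  # placeholder

# Assumed mapping of the post's store names to Cert: drive paths:
# "Current User\Personal"        -> Cert:\CurrentUser\My
# "Local Computer\Other People"  -> Cert:\LocalMachine\AddressBook
$SigningStore    = 'Cert:\CurrentUser\My'
$EncryptionStore = 'Cert:\LocalMachine\AddressBook'

function Test-As2Certificate {
    param(
        [Parameter(Mandatory)] [string] $StorePath,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [bool]   $RequirePrivateKey
    )
    # Thumbprints copied from certmgr often carry spaces and mixed case;
    # normalise to the store's canonical form (upper-case hex, no spaces).
    $tp   = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $hits = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $tp })

    $result = [ordered]@{
        Store      = $StorePath
        Thumbprint = $tp
        Found      = ($hits.Count -gt 0)
        Ok         = $false
        Problems   = @()
    }
    if ($hits.Count -eq 0) {
        $result.Problems += 'not present in this store'
        return [pscustomobject]$result
    }

    $cert = $hits[0]
    $result.Subject  = $cert.Subject
    $result.NotAfter = $cert.NotAfter
    $now = Get-Date

    if ($cert.NotAfter  -lt $now) { $result.Problems += 'expired' }
    if ($cert.NotBefore -gt $now) { $result.Problems += 'not yet valid' }

    # Signing outgoing messages/MDNs needs our private key; encrypting to the
    # partner needs only their public certificate.
    if ($RequirePrivateKey -and -not $cert.HasPrivateKey) {
        $result.Problems += 'no private key (cannot sign with this certificate)'
    }

    # Build the chain now so a missing Trusted Root entry shows up here rather
    # than as a runtime AS2 error.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $result.Problems += @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }

    $result.Ok = ($result.Problems.Count -eq 0)
    return [pscustomobject]$result
}

# Our signing key pair must exist with a private key; the partner's
# encryption certificate only needs to be present and valid.
Test-As2Certificate -StorePath $SigningStore    -Thumbprint $SigningThumbprint    -RequirePrivateKey $true  | Format-List
Test-As2Certificate -StorePath $EncryptionStore -Thumbprint $EncryptionThumbprint -RequirePrivateKey $false | Format-List
```

A result with Found=True but Ok=False and "no private key" in Problems matches the Test 7 symptom: BizTalk can locate the certificate but cannot sign with it, so the partner's MDN verification fails. A chain-build failure on either store points at the Trusted Root side of the setup rather than at the agreement or port configuration.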
