1. Course Introduction
This course configures the AS2 security-related transmission settings in BizTalk Server. By working through it you can familiarize yourself with these security settings.
2. Preparations
To simulate a real B2B exchange, this lab requires two BizTalk Server 2010 virtual machines (pair up with another student). Contoso uses BizTalk as the message sender and Fabrikam uses BizTalk as the message receiver.
Complete the lab on AS2 transfer of non-EDI messages before starting this course. This course does not repeat how to configure the corresponding ports and application.
3. Demonstration
3.1 Certificate Application
Note: Depending on the actual situation, the certificate used in this lab may either be provided to you or requested by you. If the certificate is provided directly, skip this section.
3.1.1 Open the certificate server's web enrollment page, add the certificate server to the Local intranet security zone, and click Request a certificate.
3.1.2 Select Advanced certificate request. 3.1.3 On the page that opens, enter the relevant identifying information for the certificate. 3.1.4 Choose the key options as shown.
3.1.5 After the certificate request is submitted, wait for it to be reviewed.
3.1.6 After the request is approved, open the certificate web page, view the status of the pending certificate request, click the corresponding certificate, and install it.
3.2 Install the root certificate
Click Install to install the CA certificate,
and follow the Certificate Import Wizard to place the CA certificate in Trusted Root Certification Authorities.
3.2.1 After the CA certificate is installed, refresh the page and click Install this certificate.
3.2.2 Press Ctrl+R, type mmc in the Run box, and add the Certificates snap-in for both the current user account and the local computer account.
3.2.3 Confirm that the CA certificate is under the Trusted Root Certification Authorities node.
3.2.4 Confirm that the newly issued certificate is under the current user account.
3.2.5 Right-click your own certificate and select Export.
3.2.6 Choose not to export the private key.
3.2.7 Select the DER encoded format.
3.2.8 Save the output file. 3.2.9 Configure the certificate on the other BizTalk Server in the same way. 3.2.10 Following 3.1 and 3.2, exchange the two servers' certificates (public keys) and import the certificate received from the other server into the appropriate account on the local server.
3.3 Bind the certificates in BizTalk
3.3.1 After configuration, bind the corresponding certificate according to the following requirements:
| Certificate usage | Certificate type | Pipeline component | User context | Certificate store | Where it is defined |
|---|---|---|---|---|---|
| Signing (outbound) | Private key (.pfx) | AS2 Encoder | The account used by the host instance associated with the send handler | The Current User\Personal store of each host instance service account on each BizTalk Server that runs the AS2 encoder pipeline | The Certificates page of the Group Properties dialog box. This is the default signing certificate used to send signed documents. The default can be overridden so that a different certificate is used for a different party: select Override group signature certificate on the Signature Certificate page of the one-way agreement tab in the Agreement Properties dialog box, then specify the signing certificate. If that property is set, the certificate given on the Signature Certificate page is used to sign the AS2 messages for the resolved agreement instead of the certificate given in the BizTalk group properties. |
| Encryption (outbound) | Trading partner's public key (.cer) | AS2 Encoder | The account used by the host instance associated with the send handler | The Local Computer\Other People store on the BizTalk Server that runs the AS2 encoder pipeline | The Certificate page of the Send Port Properties dialog box |
| Decryption (inbound) | Private key (.pfx) | AS2 Decoder | The account used by the host instance associated with the receive handler | The Current User\Personal store of each host instance service account on each BizTalk Server that runs the AS2 decoder pipeline | The AS2 Decoder determines the certificate from the certificate information in the message. For the BizTalk MIME Decoder the certificate must be on the Certificates page of the host used to receive messages; this is not required for the AS2 Decoder. |
3.3.2 Certificate used for signing (your own public key) [BizTalk group configuration]
3.3.3 Certificate used to send encrypted messages (the partner's public key) [send port configuration]
3.3.4 Certificate used to decrypt inbound messages on the receive host (your own key) [receive host configuration]
3.4 Configure the AS2 agreement
3.4.1 On the sending server, configure the Contoso -> Fabrikam page of the AS2 agreement; the other options and the other server do not need to be configured. 3.4.2 Under Validation, configure outbound message signing, compression, verification, and the other related settings.
3.4.3 Configure the returned MDN settings under Acknowledgements (MDNs).
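As an added check (not part of the original lab), the following PowerShell verifies that the certificates from 3.2 and the bindings in 3.3 sit in the stores the table above prescribes, then exports your own public key as DER as in 3.2.5 to 3.2.8. The subject names and the output path are placeholders, and the script must run under the host instance service account, because the Current User store is per account.

```powershell
# Added example (not part of the original lab): verify certificate placement for AS2
# signing, encryption and decryption, then export your own public key (DER, no private key).
# Run under the host instance service account named in the User context column.
$OwnSubject     = 'CN=contoso'            # placeholder: your own AS2 certificate subject
$PartnerSubject = 'CN=fabrikam'           # placeholder: trading partner's certificate subject
$CaSubject      = 'CN=Contoso Root CA'    # placeholder: issuing CA subject
$DerOutFile     = 'C:\temp\contoso-public.cer'  # placeholder output path

function Find-Cert($StorePath, $Subject) {
    # Exact subject match; use -like with wildcards if your subjects carry OU/O components
    Get-ChildItem $StorePath | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
}

# Signing (outbound) and decryption (inbound): own .pfx in Current User\Personal (Cert:\CurrentUser\My)
$own = Find-Cert 'Cert:\CurrentUser\My' $OwnSubject
if (-not $own)               { throw "Own certificate not found in CurrentUser\Personal for $env:USERNAME" }
if (-not $own.HasPrivateKey) { throw "Own certificate has no private key; import the .pfx, not the .cer" }

# Encryption (outbound): partner's .cer in Local Computer\Other People (Cert:\LocalMachine\AddressBook)
$partner = Find-Cert 'Cert:\LocalMachine\AddressBook' $PartnerSubject
if (-not $partner)           { throw "Partner certificate not found in LocalMachine\Other People" }
if ($partner.HasPrivateKey)  { Write-Warning "Partner certificate carries a private key; only its public .cer should be imported" }

# CA certificate: Trusted Root Certification Authorities on the local computer (3.2.3)
$ca = Find-Cert 'Cert:\LocalMachine\Root' $CaSubject
if (-not $ca)                { throw "CA certificate not found in Trusted Root Certification Authorities" }

# Validity and chain checks, so an expired or untrusted certificate is caught before the first transfer
foreach ($c in @($own, $partner)) {
    if ($c.NotAfter -lt (Get-Date)) { throw "Certificate expired: $($c.Subject)" }
    if (-not $c.Verify())           { Write-Warning "Chain does not validate for $($c.Subject)" }
}

# 3.2.5 to 3.2.8: export the public certificate only (DER); the private key never leaves the store
$der = $own.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($DerOutFile, $der)
"Exported $($der.Length) bytes to $DerOutFile (thumbprint $($own.Thumbprint))"
```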
3.5 Test
Note: This test assumes the lab on AS2 transmission of non-EDI messages has been completed successfully. If it has not, complete that lab first.
3.5.1 Under Validation, select only "Message should be signed", save, restart the host instance, and send a test file.
The corresponding AS2 header can be seen in the tcptrace capture.
3.5.2 Select "Message should be encrypted", save, restart the host instance, and send a test file.
The AS2 header is:
3.5.3 Select "Validation settings for inbound messages", save, restart the host instance, and send a test file.
The AS2 header is:
3.5.4 Likewise, different signature algorithms can be configured under Acknowledgements (MDNs).
The returned MDN messages differ accordingly.
BizTalk hands-on lab (15): AS2 secure message transmission
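As an added example (not part of the original lab), this PowerShell function reads a captured AS2 request, like the ones inspected with tcptrace in 3.5, and reports whether the message was encrypted, whether it was signed and with which digest, and whether a signed MDN was requested. The header block is constructed for illustration; the AS2 names and URL in it are placeholders.

```powershell
# Added example (not BizTalk code): classify a captured AS2 request by its headers,
# mirroring what is read by hand from the tcptrace captures in 3.5.
# The header block below is constructed for illustration; paste a real capture instead.
$captured = @'
POST /as2receive HTTP/1.1
Host: fabrikam
AS2-Version: 1.2
AS2-From: contoso
AS2-To: fabrikam
Message-ID: <constructed-example-id@contoso>
Disposition-Notification-To: http://contoso/as2mdn
Disposition-Notification-Options: signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: binary
'@

function Get-As2SecurityProfile([string]$RawHeaders) {
    # Parse "Name: value" lines into a table; header names are folded to lower case
    $h = @{}
    foreach ($line in ($RawHeaders -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') { $h[$matches[1].ToLower()] = $matches[2] }
    }
    $ct  = [string]$h['content-type']
    $opt = [string]$h['disposition-notification-options']

    # "Message should be encrypted" (3.5.2) yields an S/MIME enveloped-data body
    $encrypted = ($ct -match 'application/pkcs7-mime') -and ($ct -match 'smime-type=enveloped-data')
    # "Message should be signed" (3.5.1) yields multipart/signed with the digest algorithm in micalg.
    # Only the outer layer is visible here: an encrypted message may still carry a signature inside.
    $signedOuter = $ct -match 'multipart/signed'
    $sigAlg = $null
    if ($ct -match 'micalg=([\w-]+)') { $sigAlg = $matches[1] }
    # Disposition-Notification-To requests an MDN; -Options asks for a signed MDN and its digest (3.5.4)
    $mdnSigned = $opt -match 'signed-receipt-protocol=\w+,\s*pkcs7-signature'
    $mdnAlg = $null
    if ($opt -match 'signed-receipt-micalg=\w+,\s*([\w-]+)') { $mdnAlg = $matches[1] }

    New-Object PSObject -Property @{
        From = $h['as2-from']; To = $h['as2-to']
        Encrypted = $encrypted; SignedOuter = $signedOuter; SignatureMicalg = $sigAlg
        MdnRequested = $h.ContainsKey('disposition-notification-to'); MdnSigned = $mdnSigned; MdnMicalg = $mdnAlg
    }
}

Get-As2SecurityProfile $captured | Format-List
```

For the constructed capture this reports Encrypted true, SignedOuter false, MdnRequested true, MdnSigned true and MdnMicalg sha1; compare the output across the 3.5.1 to 3.5.4 runs to confirm each setting took effect.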