Certificate Placement For Synchronous AS2 BizTalk Application
Because BizTalk has so many options and configurations, it can be a bit confusing to know exactly how to set up a particular application in a new environment. In this case, we needed to move a BizTalk 2006 AS2 application into a new BizTalk 2010 environment.
This application was a fairly simple process: it took in a file and dropped it out to a network file location. The requirements were that it had to receive a file that was signed and encrypted, it had to send back an MDN acknowledgement that was also signed and encrypted, and it had to be synchronous.
The easy part was exporting the application and bindings into the new environment. The part that can get a little confusing is setting up the certificates. Let us begin by taking a look at the following diagram:
Let us walk through each step and answer the question of where to place the certificates. As you can see, the first part is that the external party, URCompany, sends a signed and encrypted file to MyCompany at the following URL:
http://www.mycompany.com/MyWebService_Receive/BTSHTTPReceive.dll
Note that we can set up URL Rewrite in IIS to make this a friendlier URL. I will show how this is done in a future blog post.
In order to receive the file through BizTalk, we first set up IIS.
- We created a virtual directory, /URCompany_Receive, that points to BTSHttpReceive.dll on the file system.
- An application pool named BiztalkAppPool_AS2 was created and set up to run under the domain service account MyDomainBizService_AS2_Dev.
In BizTalk, to fulfill the synchronous requirement, we created an application and a request-response receive port with a request-response receive location. You can see this setup below.
The key piece of information here is that the receive handler is set up to run under the BizTalkServerIsolatedHost. This means that BizTalk will use the account that the IIS virtual directory URCompany_Receive runs under; in our case that is the MyDomainBizService_AS2_Dev domain service account of the BiztalkAppPool_AS2 application pool.
Since we are using a synchronous setup, both the incoming message and the outgoing message will use this account. So, to set up the certificates, log into the BizTalk server as MyDomainBizService_AS2_Dev.
Let’s set up our company certificate first. For this we need the private key certificate named mycompany.as2.dev.com.pfx. Run the mmc console and add the “Certificates” snap-in. Select the “My User Account” radio button and click Finish and OK. Import this certificate into the Personal store.
With this, the AS2Receive pipeline will be able to decrypt the incoming message (2B in the diagram) and the AS2Send pipeline will be able to sign the MDN acknowledgement sent back (3A in the diagram).
Now set up URCompany’s public certificate, urcompany.certificate.com.cer. Note that the partner has to provide you with their public certificate. Again, open the mmc console and add the “Certificates” snap-in. This time, select the “Computer Account” radio button and click Finish and OK. Import this certificate into the Other People store.
With this, the AS2Receive pipeline will be able to verify the signature of the incoming message (2A in the diagram) and the AS2Send pipeline will be able to encrypt the MDN acknowledgement sent back (3B in the diagram).
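To make the two imports repeatable, here is an added PowerShell script (not from the original post) that performs them with the .NET X509Store classes, so it also runs on the PowerShell 2.0 that ships with the Windows Server 2008 R2 hosts typical for BizTalk 2010, and then checks that each certificate landed where the pipelines will look for it. The certificate file paths and the expected account name are assumptions.

```powershell
# Added example, not from the original post. Run it logged in as the
# BizTalkServerIsolatedHost account, in an elevated session (the LocalMachine
# store needs admin rights). Paths and the account name are assumed values.
$expectedAccount = 'MYDOMAIN\MyDomainBizService_AS2_Dev'        # assumed name format
$ownPfx     = 'C:\certs\mycompany.as2.dev.com.pfx'              # our private key (assumed path)
$partnerCer = 'C:\certs\urcompany.certificate.com.cer'          # URCompany public cert (assumed path)

# The CurrentUser store belongs to whoever is logged in, so confirm the identity first.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $expectedAccount) {
    Write-Warning "Logged in as $me, not $expectedAccount; the private key would land in the wrong user's store."
    exit 1
}

function Add-ToStore([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,
                     [string]$storeName, [string]$location) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
}

function Test-InStore([string]$thumbprint, [string]$storeName, [string]$location) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
    $store.Open('ReadOnly')
    $found = $store.Certificates.Find('FindByThumbprint', $thumbprint, $false)
    $store.Close()
    return ($found.Count -eq 1)
}

# 1. Our own certificate with private key -> Current User \ Personal ("My").
#    AS2Receive decrypts with it (2B), AS2Send signs the MDN with it (3A).
#    PersistKeySet is required: without it the key is discarded when this process
#    exits and the store holds a certificate that can neither decrypt nor sign.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet,PersistKeySet'
$own = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ownPfx, $pfxPassword, $flags)
Add-ToStore $own 'My' 'CurrentUser'

# 2. URCompany's public certificate -> Local Computer \ Other People (store name "AddressBook").
#    AS2Receive verifies the signature with it (2A), AS2Send encrypts the MDN with it (3B).
$partner = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($partnerCer)
Add-ToStore $partner 'AddressBook' 'LocalMachine'

# 3. Report what BizTalk will find; the thumbprints are what the BizTalk configuration needs.
"Own cert {0} in CurrentUser\My: {1}, private key present: {2}" -f $own.Thumbprint,
    (Test-InStore $own.Thumbprint 'My' 'CurrentUser'), $own.HasPrivateKey
"Partner cert {0} in LocalMachine\AddressBook: {1}" -f $partner.Thumbprint,
    (Test-InStore $partner.Thumbprint 'AddressBook' 'LocalMachine')
```

If the script reports the own certificate as present but without a private key, the PFX was imported without PersistKeySet (or by a different account) and decryption and MDN signing will fail even though the certificate shows up in the store.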
The last piece is to configure BizTalk. You can go to the following link for this, which also has a summary of how this solution was set up.