Installing Certificates for the WCF Adapters

The WCF adapters can use public key infrastructure (PKI) digital certificates for message encryption and decryption, message signing and verification (non-repudiation), and client authentication. This topic describes the certificate usage scenarios and configuration guidelines for using digital certificates with the WCF adapters.

Certificate Usage Scenarios for the WCF Receive Locations

The following table shows how to install the certificates for the WCF receive locations.

Certificate usage: Decryption and signing, depending on the security settings of the receive location
User context: Account used by the host instance associated with the receive handler
Certificate store location: Log on to each computer running BizTalk Server that will host the receive locations as each host instance service account, and import the service certificate to the Current User \ Personal (My) store.
Certificate type: Own private certificate
When to install the certificates: Specify the value for the Service certificate - Thumbprint property in the following configurations:

- The Security mode property of the WCF-BasicHttp receive location is set to Message.
- The Transport client credential type property of the WCF-BasicHttp receive location is set to Certificate for the TransportCredentialOnly security mode.
- The Message client credential type property of the WCF-WSHttp receive location is set to None, Certificate, or UserName for the Message security mode.
- The Transport client credential type property of the WCF-NetTcp receive location is set to None or Certificate for the Transport security mode.
- The Message client credential type property of the WCF-NetTcp receive location is set to None, UserName, or Certificate for the Message security mode.
- The Message client credential type property of the WCF-NetTcp receive location is set to Windows, UserName, or Certificate for the TransportWithMessageCredential security mode.
- The Security mode property of the WCF-NetMsmq receive location is set to Message or Both.

Certificate usage: Client authentication
User context: N/A
Certificate store location: Log on to each computer running BizTalk Server that will host the receive locations as Administrators, and import the CA certificate chain for the client X.509 certificates to the Trusted Root Certification Authorities certificate store of the computer so that the clients can be authenticated to this receive location.
Certificate type: The CA certificate chain for the client X.509 certificates
When to install the certificates: Install the CA certificate chain for the client X.509 certificates to the Trusted Root Certification Authorities certificate store in the following configurations:

- The Message client credential type or Transport client credential type property of the WCF-BasicHttp receive location is set to Certificate.
- The Message client credential type or Transport client credential type property of the WCF-WSHttp receive location is set to Certificate.
- The Message client credential type or Transport client credential type property of the WCF-NetTcp receive location is set to Certificate.
- The Message client credential type or MSMQ authentication mode property of the WCF-NetMsmq receive location is set to Certificate.

Note

Because the standard WCF receive adapters use the ChainTrust mode to validate the client certificates, you must install the CA certificate chain for the client X.509 certificates. You can use the WCF-Custom or the WCF-CustomIsolated adapters to change this default behavior.

Note

For the isolated WCF receive adapters, you need to match the user account between an isolated host instance and the corresponding application pools. For more information about the BizTalk isolated hosts, see Enabling Web Services.

Note

For the WCF-Custom and WCF-CustomIsolated receive locations, the user context, certificate store location, and certificate type for the certificates to install vary depending on the serviceCredentials and clientCredentials behavior element settings.

Note

If the receive location uses the certificate element for the Endpoint Identity property, you also have to install the certificate for the published service identity into the certificate store specified in the Endpoint Identity property.

Note

Instead of logging on to the computer with the host instance service account or an administrator account, you can use the Run As command with the applicable account to perform the same action.
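The receive-location rows above call for importing the service's own private certificate into the host instance account's Current User \ Personal (My) store and for the certificate to chain to a trusted root. The following PowerShell script is an added example, not part of this topic or of the BizTalk product, showing how an administrator can do that import from a session running as the host instance account (for example one started with Run As) and confirm the two things the adapter depends on: that the private key was imported, and that ChainTrust validation would succeed. The PFX path and the account name are placeholders; Import-PfxCertificate and Test-Certificate come from the Windows PKI module.

```powershell
# Added example (not from the original topic): import a receive location's service
# certificate, with its private key, into Current User \ Personal (My) for a BizTalk
# host instance account, then check it is usable and print the thumbprint to paste
# into the "Service certificate - Thumbprint" property.
# Run in a PowerShell session started as the host instance service account, e.g.:
#   runas /user:CONTOSO\svc_bts powershell.exe        (placeholder account name)

$PfxPath = 'C:\certs\receive-service.pfx'          # placeholder path to the PFX file
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the *current user's* Personal store; this is the store the receive
# handler's host instance account reads from.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\CurrentUser\My' `
                              -Password $PfxPass

# Decryption and signing need the private key; a .cer import or a PFX exported
# without the key would silently leave the receive location unable to decrypt.
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key; decryption and signing will fail."
}

# ChainTrust check: the standard WCF adapters only accept a certificate that chains to
# a root in Trusted Root Certification Authorities. Test-Certificate returns $false and
# writes the failing chain status when the CA chain is not installed.
if (-not (Test-Certificate -Cert $cert -Policy BASE)) {
    Write-Warning 'Install the CA certificate chain into Trusted Root Certification Authorities (Local Computer).'
}

# Expired or not-yet-valid certificates also fail ChainTrust; report the window explicitly.
if ((Get-Date) -lt $cert.NotBefore -or (Get-Date) -gt $cert.NotAfter) {
    Write-Warning "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# The thumbprint is the value the receive location property expects.
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
```

Because the import is bound to the account running the session, run the script once per host instance account on every computer that will host the receive locations, as the table requires.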

Certificate Usage Scenarios for the WCF Send Ports

The following table shows how to install the certificates for the WCF send ports.

Certificate usage: Client authentication
User context: Account used by the host instance associated with the send port
Certificate store location: Log on to each computer running BizTalk Server that will host the send ports as each host instance service account, and import the client certificate to the Current User \ Personal (My) store.
Certificate type: Own private certificate
When to install the certificates: Specify the value for the Client certificate - Thumbprint property in the following configurations:

- The Message client credential type or Transport client credential type property of the WCF-BasicHttp send port is set to Certificate.
- The Message client credential type or Transport client credential type property of the WCF-WSHttp send port is set to Certificate.
- The Message client credential type or Transport client credential type property of the WCF-NetTcp send port is set to Certificate.
- The Message client credential type or MSMQ authentication mode property of the WCF-NetMsmq send port is set to Certificate.

Certificate usage: Service authentication, signature verification, and encryption, depending on the security settings of the send port
User context: N/A
Certificate store location: Log on to each computer running BizTalk Server that will host the send ports as Administrators, and import the service certificate to the Local Computer \ Other People (AddressBook) store. You also have to install the CA certificate chain for the service certificates to the Trusted Root Certification Authorities certificate store of the computer.
Certificate type:
- Service public certificate
- The CA certificate chain for the service certificate
When to install the certificates: Specify the value for the Service certificate - Thumbprint property in the following configurations:

- The Message client credential type or Transport client credential type property of the WCF-BasicHttp send port is set to Certificate.
- The Message client credential type property of the WCF-WSHttp send port is set to None, UserName, or Certificate when the Negotiate service credential option is cleared.
- The Security mode of the WCF-NetMsmq send port is set to Message or Both.

Certificate usage: Service authentication, signature verification, and encryption, depending on the security settings of the send port
User context: N/A
Certificate store location: Log on to each computer running BizTalk Server that will host the send port as Administrators, and import the CA certificate chain for the service X.509 certificates to the Trusted Root Certification Authorities certificate store of the computer so that the service can be authenticated to this send port.
Certificate type: The CA certificate chain for the service certificate
When to install the certificates: If you do not explicitly specify the service certificate for the Service certificate - Thumbprint property, install the CA certificate chain for the service X.509 certificates to the Trusted Root Certification Authorities certificate store in the following configurations:

- The Security mode of the WCF-BasicHttp send port is set to Transport or TransportWithMessageCredential.
- The Security mode of the WCF-WSHttp send port is set to Transport or TransportWithMessageCredential.
- The Security mode of the WCF-NetTcp send port is set to TransportWithMessageCredential.
- The Transport client credential type property of the WCF-NetTcp send port is set to None or Certificate.
- The Message client credential type property of the WCF-NetTcp send port is set to None, UserName, or Certificate.

Note

Because the standard WCF send adapters use the ChainTrust mode to validate the service certificates, you must install the CA certificate chain for the service X.509 certificates. You can use the WCF-Custom or the WCF-CustomIsolated adapters to change this default behavior.

Note

For the WCF-Custom and WCF-CustomIsolated send ports, the user context, certificate store location, and certificate type for the certificates to install vary depending on the serviceCredentials and clientCredentials behavior element settings.

Note

If the send port uses the certificate element for the Endpoint Identity property, you also have to install the certificate for the expected service identity into the certificate store specified in the Endpoint Identity property.

Note

Instead of logging on to the computer with the host instance service account or an administrator account, you can use the Run As command with the applicable account to perform the same action.
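For the send-port side, the second and third rows above are done as an Administrator on the Local Computer stores: the service's public certificate goes into Other People (AddressBook) and the CA chain into Trusted Root Certification Authorities, after which the adapter locates the certificate by thumbprint and validates it in ChainTrust mode. The following PowerShell script is an added example, not from this topic or from BizTalk, that performs those imports and then reproduces both checks with the .NET X509Store and X509Chain classes so a failure is visible before a send port is configured. The file paths are placeholders; the script assumes the CA chain is supplied as separate .cer files and sorts self-signed (root) certificates from intermediates by comparing Subject and Issuer.

```powershell
# Added example (not from the original topic): as an Administrator on a computer that
# hosts the send port, install a service's public certificate into
# Local Computer \ Other People (AddressBook) and its CA chain into the trusted stores,
# then verify the lookup by thumbprint and the ChainTrust validation the adapter performs.

$ServiceCer = 'C:\certs\partner-service.cer'                                   # placeholder: service public cert
$CaChain    = @('C:\certs\partner-root.cer', 'C:\certs\partner-issuing.cer')   # placeholder: CA chain files

# A self-signed CA (Subject equals Issuer) is a root and belongs in Trusted Root
# Certification Authorities; any other CA in the chain is an intermediate.
foreach ($file in $CaChain) {
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
    $target = if ($ca.Subject -eq $ca.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $file -CertStoreLocation $target | Out-Null
    "Installed CA '$($ca.Subject)' into $target"
}

# The service certificate is public only (no private key) and goes into Other People.
$svc = Import-Certificate -FilePath $ServiceCer -CertStoreLocation 'Cert:\LocalMachine\AddressBook'

# Reproduce the adapter's lookup: exactly one certificate with this thumbprint must exist
# in LocalMachine\AddressBook. validOnly is $false so an untrusted certificate is still
# found here and reported by the chain check below rather than appearing to be missing.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('AddressBook', 'LocalMachine')
$store.Open('ReadOnly')
$found = $store.Certificates.Find('FindByThumbprint', $svc.Thumbprint, $false)
$store.Close()
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate with thumbprint $($svc.Thumbprint) in Other People, found $($found.Count)."
}

# ChainTrust: build the chain to a trusted root and report every failing status.
# Revocation checking is disabled here because this is an installation check, not a
# policy check; the adapter's own validation settings decide revocation behaviour.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($found[0])) {
    "OK: '$($svc.Subject)' chains to a trusted root."
    "Value for 'Service certificate - Thumbprint': $($svc.Thumbprint)"
} else {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("Chain status {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    Write-Warning 'The send port will reject this service certificate until the chain is trusted.'
}
```

When the Service certificate - Thumbprint property is left empty (third row of the table), skip the AddressBook import and run only the CA chain loop; the chain check then applies to the certificate the remote service presents at run time rather than to a locally stored copy.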

Displaying the Certificates Management Console

To display the Certificates Management Console interface for Local Computer and Current User, perform the following steps:

  1. Click Start, click Run, type MMC, and click OK to open the Microsoft Management Console.

  2. On the File menu, click Add/Remove Snap-in to display the Add/Remove Snap-in dialog box.

  3. Click Add to display the Add Standalone Snap-in dialog box.

  4. Select Certificates from the list of snap-ins, and then click Add.

  5. Select Computer account, click Next, and then click Finish. This adds the Certificates Management Console interface for Local Computer.

  6. Ensure that Certificates is still selected from the list of snap-ins, and then click Add again.

  7. Select My user account, and then click Finish. This adds the Certificates Management Console interface for Current User.

    Note

    This displays the Certificates Management Console for the account that you are currently logged on as. If you need to import certificates into the Personal store for a service account, log on with the service account credentials first.

  8. Click Close in the Add Standalone Snap-in dialog box.

  9. Click OK in the Add/Remove Snap-in dialog box.