EldoS | Feel safer!


Evaluating BizCrypto

#34690
Posted: 10/08/2015 16:14:11
by David Syskowski (Basic support level)
Joined: 10/08/2015
Posts: 7

I installed a trial of BizCrypto into our BizTalk 2009 environment for testing. I set up a send and receive port to connect to one of our AS2 partners that supports an active test environment. I am not at all sure of the settings or whether I missed something, but upon first test got this:

A message sent to adapter "BizCrypto AS2 Adapter" on send port "TEST AS2 Outbound HTTP To Office Depot" with URI "bc-as2://b2bwmedi.officedepot.com/invoke/edi.ediint/receive" is suspended.
Error details: URI is not valid to load conditions.
MessageId: {681A2C18-8079-4082-892D-1F86D93AE0C1}
InstanceID: {C53D6397-0DFD-4A8A-867E-7B7C8A314A0E}

After doing some reading in these forums it looks like a resource needed to be added for the default pipelines DLL so I did that. But no matter what I try no additional pipelines are available for me to select. The above test was done with the BizTalk AS2 send pipeline which sounds like it could be wrong.

We also want to use certificates from the certificate store so I took a chance on using the certificate friendly name? Not at all clear what to use there.

• We want to use certificates from the certificate store. The thumbprint?
#34691
Posted: 10/08/2015 17:18:59
by Ken Ivanov (EldoS Corp.)

Hi David,

Thank you for your interest in our products.

There are no benefits in using BizTalk AS2 pipeline with BizCrypto AS2 adapter, as they both duplicate each other in some aspects (so you might end up with enveloping your messages twice). Unless your environment is fairly unusual, you would either need to use Passthrough or XML pipeline with your BizCrypto AS2 adapter.

I suggest you to start with enabling extended log options (set Trace Level to Debug, Trace to Event Log to False, Trace to File to True, and point Trace Filename to some local file to receive the log), restarting the adapter and the host instance, and capturing the trace of an unsuccessful submission. The contents of the trace might give some hints on what exactly is going wrong.

Quote
We also want to use certificates from the certificate store so I took a chance on using the certificate friendly name?

Although friendly names are not (yet) supported by BizCrypto, there are other options you can use to identify a particular system certificate. This article provides an extensive insight into the use of system certificates with BizCrypto.

Ken
#34699
Posted: 10/09/2015 10:19:00
by David Syskowski (Basic support level)
Joined: 10/08/2015
Posts: 7

Did the things above and this is what is in the log file.

[10/9/2015 10:07:20.679] Searching for installed BizCrypto addons.
[10/9/2015 10:07:20.679] No addons found (the exact message: BizCrypto.BizTalk.Addons. Could not load file or assembly 'BizCrypto.BizTalk.Addons, Version=11.0.255.0, Culture=neutral, PublicKeyToken=5a62fa96d0ac431a' or one of its dependencies. The system cannot find the file specified.)
[10/9/2015 10:07:20.679] EldoS AS2 Adapter: Loading certificates
[10/9/2015 10:07:20.679] EldoS AS2 Adapter: Loading client certificate(s)
[10/9/2015 10:07:20.679] EldoS AS2 Adapter: 0 certificates loaded
[10/9/2015 10:07:20.679] EldoS AS2 Adapter: Loading trusted certificate(s)
[10/9/2015 10:07:20.679] EldoS AS2 Adapter: 0 certificates loaded
[10/9/2015 10:07:20.788] EldoS AS2 Adapter: Resolving DNS name '' failed. Web tunneling disabled.
[10/9/2015 10:07:20.944] EldoS AS2 Adapter: Error: No certificates for signing specified (error code is 9991)

Stack:
at SBASCommon.TElASSMIMESignature.RaisePKCS7Error(Int32 Code)
at SBASCommon.TElASSMIMESignature.Sign(Stream Data, Int64 Size)
at SBASCommon.TElASMessage.SaveEncryptedUncompressedSigned(Stream Data, Stream DestHeaders, Stream DestBody)
at SBASCommon.TElASMessage.Save(Stream Data, Stream DestHeaders, Stream DestBody)
at SBASCommon.TElASMessage.Save(Stream Data, Stream Dest)
at BizCrypto.BizTalk.Adapters.AS2.AS2Common.DoOperation(Trace trace, IBaseMessage message, AdapterProperties props, ImpersonateUser& impersonateUser)
[10/9/2015 10:07:20.960] Error: No certificates for signing specified (error code is 9991)

Here is what the settings for the certificate are:
store="Other people", subject="/O=Office Depot, Inc./CN=b2bwmedi.officedepot.com"

Since Office Depot has given us both prod and test certificates and they are the same owner name on both, I assumed that I would need to add something distinguishing and so added CN. I also looked up store names and Microsoft states that "AddressBook" is what to use when stored in the Other People location. This did not work. So I pointed it directly to the .CER file and that did not work either.
#34702
Posted: 10/09/2015 15:49:58
by Ken Ivanov (EldoS Corp.)

David,

Thank you for capturing the trace, that's exactly what we need.

BizCrypto expects you to reference the system store by its internal name rather than its friendly name. The internal name for the 'Other People' store is AddressBook, so a 'store="AddressBook"' identifier should be used. This way, the method where

Quote
I also looked up store names and Microsoft states that "AddressBook" is what to use when stored in the Other People location. This did not work.


should work fine. Could you please check if there are any errors reported in the log from the certificate lookup routine? A common mistake is forgetting to set the Signing Certificate Source property to System.

Another common reason for the impossibility for BizCrypto to find the certificate is where the certificate is actually located in a different copy of the system store (e.g. the certificate is contained in some user's copy of the store, while BizTalk looks for it in the local machine store). The article provides some insights on configuring the stores properly.

Quote
So I pointed it directly to the .CER file and that did not work either.

And it wouldn't indeed - the .CER file only contains the public certificate and does not contain its private key. Therefore a .CER certificate alone can't be used for signing.

Ken
#34731
Posted: 10/12/2015 10:54:45
by David Syskowski (Basic support level)
Joined: 10/08/2015
Posts: 7

There is definitely a problem I can't crack with finding the certificates. No matter whether I try file or system. I turned off signing and so now the error message is Error: No certificates for encryption specified (error code is 9990). I get this message no matter what combination of file and system is specified. And that is the extent of the error messages -- no more.

When pulling from the system location, our certificates are installed in one place in the certificate store (local computer) and not per a specific user. BizTalk easily picks up these certificates for AS2 processing via the AS2 Send pipeline so I know they are in the right place.

The log is as follows:
[10/12/2015 10:46:06.499] Searching for installed BizCrypto addons.
[10/12/2015 10:46:06.514] No addons found (the exact message: BizCrypto.BizTalk.Addons. Could not load file or assembly 'BizCrypto.BizTalk.Addons, Version=11.0.255.0, Culture=neutral, PublicKeyToken=5a62fa96d0ac431a' or one of its dependencies. The system cannot find the file specified.)
[10/12/2015 10:46:06.514] EldoS AS2 Adapter: Loading certificates
[10/12/2015 10:46:06.514] EldoS AS2 Adapter: Loading client certificate(s)
[10/12/2015 10:46:06.514] EldoS AS2 Adapter: 0 certificates loaded
[10/12/2015 10:46:06.514] EldoS AS2 Adapter: Loading trusted certificate(s)
[10/12/2015 10:46:06.514] EldoS AS2 Adapter: 0 certificates loaded
[10/12/2015 10:46:06.545] EldoS AS2 Adapter: Resolving DNS name '' failed. Web tunneling disabled.
[10/12/2015 10:46:06.561] EldoS AS2 Adapter: Error: No certificates for encryption specified (error code is 9990)

Stack:
at SBASCommon.TElASSMIMEEncryption.ValidateSettings(Stream Data)
at SBASCommon.TElASMessage.ValidateSettings(Stream Data)
at SBAS2.TElAS2Message.ValidateSettings(Stream Data)
at SBASCommon.TElASMessage.Save(Stream Data, Stream DestHeaders, Stream DestBody)
at SBASCommon.TElASMessage.Save(Stream Data, Stream Dest)
at BizCrypto.BizTalk.Adapters.AS2.AS2Common.DoOperation(Trace trace, IBaseMessage message, AdapterProperties props, ImpersonateUser& impersonateUser)
[10/12/2015 10:46:06.561] Error: No certificates for encryption specified (error code is 9990)
#34748
Posted: 10/12/2015 16:15:13
by Ken Ivanov (EldoS Corp.)

Hi David,

How exactly do you specify the location of the encryption certificates in the system store (could you please show the exact line - you can alter the subject part with some dummy values if you wish)?

Normally you would set the properties to something like this:

1) Encryption Certificates Source: System;

2) Encryption Certificates: (store="ADDRESSBOOK", subject="/CN=Administrator/C=US", accesstype="LocalMachine")

3) Encryption Certificate Path: <empty string>.

What you could actually try to start with, regarding the second property, is to specify the widest possible criteria:

(store="ADDRESSBOOK", accesstype="LocalMachine")

This is supposed to pick all the certificates residing in the Local Machine copy of the ADDRESSBOOK store and use them all for encryption. If no certificates are found even after assigning Encryption Certificates with the above line, this means that the components can't access the store due to some permission issue, or the certificates are actually stored in a different copy of the store. The second case can be investigated by trying to assign different values to the accesstype parameter of the filter ("CurrentService", "CurrentUser", "CurrentUserGroupPolicy", "LocalMachine", "LocalMachineEnterprise", "LocalMachineGroupPolicy", "Services", "Users").

Ken
#34749
Posted: 10/12/2015 16:48:56
by David Syskowski (Basic support level)
Joined: 10/08/2015
Posts: 7

Well! Some progress.

I elected to try your suggestion of the store="ADDRESSBOOK", accesstype="LocalMachine" setting. And this time it reports back with having found one certificate. (Not sure how it decided that since there are fifty nine certificates installed. But it is definitely different than before.) Now the error message is:
Error was founded when loading receipt message. Status: No content type specified (error code is 10009).

So this is some progress, I suppose. Don't know what certificate it chose, and also don't see anywhere where a receipt content type is specified.


[10/12/2015 16:35:25.115] Searching for installed BizCrypto addons.
[10/12/2015 16:35:25.131] No addons found (the exact message: BizCrypto.BizTalk.Addons. Could not load file or assembly 'BizCrypto.BizTalk.Addons, Version=11.0.255.0, Culture=neutral, PublicKeyToken=5a62fa96d0ac431a' or one of its dependencies. The system cannot find the file specified.)
[10/12/2015 16:35:25.131] EldoS AS2 Adapter: Loading certificates
[10/12/2015 16:35:25.131] EldoS AS2 Adapter: Loading client certificate(s)
[10/12/2015 16:35:25.193] EldoS AS2 Adapter: 0 certificates loaded
[10/12/2015 16:35:25.193] EldoS AS2 Adapter: Loading trusted certificate(s)
[10/12/2015 16:35:25.193] EldoS AS2 Adapter: 1 certificates loaded
[10/12/2015 16:35:25.490] EldoS AS2 Adapter: Resolving DNS name '' failed. Web tunneling disabled.
[10/12/2015 16:35:26.363] EldoS AS2 Adapter: Running certificate validation handler
[10/12/2015 16:35:26.363] EldoS AS2 Adapter: validating server certificate
[10/12/2015 16:35:26.394] EldoS AS2 Adapter: chain entry is found in the trusted storage. Validation succeeded.
[10/12/2015 16:35:26.394] EldoS AS2 Adapter: Validation finished with the following result: True
[10/12/2015 16:35:26.394] EldoS AS2 Adapter: Running certificate validation handler
[10/12/2015 16:35:26.394] EldoS AS2 Adapter: Running certificate validation handler
[10/12/2015 16:35:27.767] EldoS AS2 Adapter: OnReceivingHeaders
[10/12/2015 16:35:27.783] EldoS AS2 Adapter: OnDocumentBegin
[10/12/2015 16:35:27.783] EldoS AS2 Adapter: OnData
[10/12/2015 16:35:27.814] EldoS AS2 Adapter: Error: EldoS AS2 Adapter: Error was founded when loading receipt message. Status: No content type specified (error code is 10009)

Stack:
at BizCrypto.BizTalk.Adapters.AS2.AS2Common.ValidateReceipt(MemoryStream streamReceipt)
at BizCrypto.BizTalk.Adapters.AS2.AS2Common.DoOperation(Trace trace, IBaseMessage message, AdapterProperties props, ImpersonateUser& impersonateUser)
[10/12/2015 16:35:27.814] Error: EldoS AS2 Adapter: Error was founded when loading receipt message. Status: No content type specified (error code is 10009)
#34752
Posted: 10/12/2015 17:28:46
by Ken Ivanov (EldoS Corp.)

Hi David,

Good to hear there is some progress (very limited though).

Quote
I elected to try your suggestion of the store="ADDRESSBOOK", accesstype="LocalMachine" setting. And this time it reports back with having found one certificate

Could you please check the contents of the store with MMC. Please do the following:

1) Click Win+R, type 'mmc' and click 'OK'. MMC window will open.

2) Go to File -> Add/Remove snap-in menu. Choose 'Certificates' from the list, click 'Add >' and tick the 'Computer account' radio button. On the next page, ensure that 'Local computer' radio button is ticked and click 'Finish'. A snap-in will be added to the tree at the left.

3) Expand the 'Other people' branch and check how many certificates are shown to reside there.

Quote
Error was founded when loading receipt message. Status: No content type specified (error code is 10009).

Could you please try setting the Content Type property to 'application/octet-stream' (let's just try to start with that) and checking if it changes anything?

Ken
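The three replies above (#34702, #34748 and #34752) all come down to the same question: which copy of which Windows store actually holds the certificate, and does that entry carry a private key. The PowerShell script below is an added example, not code from EldoS or part of BizCrypto, and does the MMC check from a console: it walks the two store copies the Cert: PSDrive exposes (LocalMachine and CurrentUser, which correspond to the accesstype values of the same names), counts what is in the AddressBook ("Other People") and My ("Personal") stores, and prints thumbprint, subject and HasPrivateKey for every entry whose subject matches a fragment you pass in. The subject fragment is a placeholder taken from the thread; the choice of store names is this script's own assumption. A signing certificate that shows HasPrivateKey = False is the situation Ken describes for a .CER import: the public certificate is there, but it cannot sign.

```powershell
# Added example (not from the EldoS thread or BizCrypto): locate a certificate
# in the Windows stores that BizCrypto's accesstype/store filter refers to and
# show whether it carries a private key.
param(
    # Placeholder: replace with the CN of the certificate you are looking for.
    [string]$SubjectFragment = 'CN=b2bwmedi.officedepot.com',
    # Internal store names: AddressBook = "Other People", My = "Personal".
    [string[]]$StoreNames = @('AddressBook', 'My')
)

# Only these two copies of the store are exposed by the Cert: PSDrive. The other
# accesstype values from the thread (CurrentService, Services, Users, ...) are
# not enumerated here.
$locations = @('LocalMachine', 'CurrentUser')

foreach ($loc in $locations) {
    foreach ($store in $StoreNames) {
        $path = "Cert:\$loc\$store"
        if (-not (Test-Path $path)) {
            Write-Host ("{0,-13} {1,-12} store not present" -f $loc, $store)
            continue
        }
        # Wrap in @() so a single result still has a .Count.
        $all  = @(Get-ChildItem -Path $path)
        $hits = @($all | Where-Object { $_.Subject -like "*$SubjectFragment*" })
        Write-Host ("{0,-13} {1,-12} {2,3} certificate(s), {3} matching '{4}'" -f `
            $loc, $store, $all.Count, $hits.Count, $SubjectFragment)

        foreach ($c in $hits) {
            # HasPrivateKey decides whether the entry can sign; a certificate
            # imported from a .CER file has the public part only.
            [pscustomobject]@{
                Location      = $loc
                Store         = $store
                Thumbprint    = $c.Thumbprint
                Subject       = $c.Subject
                NotAfter      = $c.NotAfter
                HasPrivateKey = $c.HasPrivateKey
            } | Format-List
        }
    }
}
```

Run it from an elevated PowerShell on the BizTalk host, because the LocalMachine copy of the store is what a host instance running as a service account sees, while a non-elevated session may only show the CurrentUser copy. If the LocalMachine\AddressBook count matches what MMC shows (59 in this thread) but the subject fragment matches nothing, the subject string in the filter is the thing to compare against the printed Subject line, since the filter has to match the certificate's own subject, not its friendly name.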
#34763
Posted: 10/13/2015 09:20:31
by David Syskowski (Basic support level)
Joined: 10/08/2015
Posts: 7

Did as instructed. Other people shows 59 certificates.

Changing to the application/octet-stream did not yield a different result.

"EldoS AS2 Adapter: Error was founded when loading receipt message. Status: No content type specified (error code is 10009)".


#34764
Posted: 10/13/2015 09:25:37
by David Syskowski (Basic support level)
Joined: 10/08/2015
Posts: 7

Is there a way to dump all of the settings that I have for the send port? You might be able to spot something if I was able to do that.