Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Update to add support for SHA2 certificates in BizTalk Server


View products that this article applies to.

Introduction

This article describes a hotfix that enables SHA2 certificate support in Microsoft BizTalk Server.

↑ Back to the top


Summary

After you apply this hotfix, BizTalk Server can consume SHA2-signed certificates together with SHA1-signed certificates (which are already supported). This hotfix supports SHA2-signed certificates based on the following SHA2 digest:
  • SHA256
  • SHA384
  • SHA512

↑ Back to the top


More Information

To roll over the SHA2 certificates in a BizTalk Server environment, follow these steps.

Step1: Check the environment

The first step is to make sure that both Server and Client (Sender or Receiver) will support SHA2-signed certificates before you install the certificates to SHA2-signed certificates. BizTalk Server can safely take part from either side in working with SHA2 certificates.

Step2: Roll over the SHA2 certificates

To install the SHA2-signed certificates, follow the steps that are documented here.

Step3: Update the certificates in the BizTalk Server environment

Update the certificates wherever you use them in your BizTalk Server environment, such as in a BizTalk Server group or in a send port, party, or adapter configuration.

Note You don't have to redeploy the application. However, you must restart BizTalk Server host instances after the certificates are updated in the BizTalk Server environment.

Cumulative update information

The fix to enable SHA2 certificate support is included in the following cumulative update for BizTalk Server:

↑ Back to the top


Additional information

Support for SHA1-based certificates

There is no change in BizTalk Server support of SHA1-based certificates in this hotfix. The SHA1-based certificates will continue to work. In other words, this hotfix does not force any certificate to be updated.

Encryption algorithms support

BizTalk Server supports Data Encryption Algorithms 3 (DES3) and RC2 encryption algorithms. This hotfix continues to support these encryption algorithms with SHA2 certificates.

MIC algorithms support for AS2-signed MDN

Version: 0.1 AS2-signed MDN uses the old SHA1 and MD5 algorithms for MIC calculation for outgoing signed MDN.

The signed MDN receipt that's generated in the BizTalk system for AS2 supports the SHA2 certificates. There is no change in the following supported MIC algorithm:
  • MD5 : Received-Content-MIC field populated by using the MD5 algorithm.
  • SHA1 (Default) : Received-Content-MIC field populated by using the SHA1 algorithm.

Supported digests method in BizTalk Accelerator Rosettanet

This cumulative update continues to support the following digest methods:
  • SHA1
  • MD5

BizTalk Accelerator Rosettanet will not support any new digest method as part of the SHA2 certificate support.

SHA2-based SSL certificates rollover

SHA2-signed SSL certificates can replace an existing SHA1 certificates by following the best practices for managing the certificates, as detailed here.

The BizTalk adapters that depend on the SSL certificates such as FTPs, HTTPs, POP3 adapters, and WCF adapters can consume the SHA2-signed SSL certificates after you install this hotfix.

Roadmap

The road map for BizTalk Server calls for additional support for the following items:
  • Support the Advanced Encryption Standard (AES) exchange system for signature keys in AS2
  • Support for SHA2 based MIC calculation for AS2
  • Support for SHA2 based digest methods in Rosettanet

↑ Back to the top


Keywords: kb, kbqfe, kbsurveynew, kbnotautohotfix, kbfix, kbexpertiseinter

↑ Back to the top

Article Info
Article ID : 3123748
Revision : 1
Created on : 1/7/2017
Published on : 4/13/2016
Exists online : False
Views : 425