

BizTalk: Configure TLS 1.2 on BizTalk Server


Introduction

TLS is the successor to the Secure Sockets Layer (SSL) protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering.

Since applications can communicate either with or without TLS (or SSL), the client needs a way to signal to the server that it wants to set up a TLS connection. One of the main ways of achieving this is to use a different port number for TLS connections, for example port 443 for HTTPS.

Once the client and server have agreed to use TLS, they negotiate a stateful connection using a handshake procedure. TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification.



TLS 1.2 in BizTalk 2016

There is an official announcement about TLS 1.2 support in BizTalk Server 2016. Quoting the Microsoft official page as a reference: TLS 1.2 is fully supported in BizTalk Server 2016, including all the adapters and all the accelerators, and SSL, TLS 1.0, and TLS 1.1 can be disabled on the BizTalk Server.

Key information:

  • Any external systems communicating with BizTalk also need to support TLS 1.2
  • Any custom code, such as functoids, may need to be updated to support TLS 1.2
  • Description of the TLS/SSL protocol describes how to setup a TLS 1.2 environment.



TLS 1.2 in BizTalk 2010

For older versions such as 2013, 2013 R2 or 2010, using TLS 1.2 is not straightforward, and some extra work is needed to enable it.
Typically, one of the errors below appears when BizTalk tries to connect to an external service that already requires TLS 1.2:

  • SSL Security error.
  • [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error. 
  • Could not create SSL/TLS secure channel.
  • The remote server returned an error: (403) Forbidden. 

These errors generally indicate a problem establishing the SSL/TLS channel rather than a problem in the application itself. The steps below enable TLS 1.2 on the BizTalk server.

Step 1:

BizTalk Server 2010 supports .NET Framework v4.0, and this version of the Framework supports only SSL v3.0 and TLS v1.0. .NET Framework v4.5, however, does support TLS 1.1 and TLS 1.2. So .NET Framework 4.5 must be installed on the BizTalk machine before a TLS 1.2 connection between the two systems can be established.

The installer for this version of the Framework can be downloaded from the Microsoft site at the link below.

https://www.microsoft.com/en-us/download/details.aspx?id=42642

With the first step completed, move on to the second step: TLS 1.2 is installed but not yet configured. It is enabled by updating registry settings, as described step by step below.

Note: Before making any change in the Registry, we strongly recommend taking a backup of the registry.

Step 2:

Open the Registry Editor: press Ctrl + R to open the Run window and type Regedit, as shown in the screenshot.

The Registry Editor window will appear as in the screenshot, with the HKEY hives listed in the left panel.

Now check for the TLS 1.2 key at the highlighted location (the SCHANNEL\Protocols key). If the key is not there, create the keys and matching DWORDs listed below at that location.

To create the keys and matching DWORDs, use the following values.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] 
"DisabledByDefault"=dword:00000000 
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] 
"DisabledByDefault"=dword:00000000 
"Enabled"=dword:00000001


Once all the DWORD values are configured, the key will look like the screenshot above.

Step 3:

Now, set .NET Framework 4.0 to use the latest version of the SecurityProtocol by creating the DWORDs listed below, for both 32- and 64-bit hosts. Go to the highlighted location to check whether the latest version of SecurityProtocol is already in use; if not, add the value below.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] 
"SchUseStrongCrypto"=dword:00000001

Once configured, the value will look like the screenshot above.
The same must be done for the 64-bit Windows version: first check whether the latest version of SecurityProtocol is already in use, and if not, add the value below.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] 
"SchUseStrongCrypto"=dword:00000001

Once configured, the value will look like the screenshot above.
Reboot the BizTalk server for the changes to take effect.

Step 4:

Everything is now in place, so test the connection. Wireshark can be used to check the protocol version on the wire: once the changes have taken effect on the BizTalk server, the negotiated protocol will show as TLSv1.2.
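The registry changes from Steps 2 and 3 can also be applied and verified from an elevated PowerShell prompt. This script is an added example, not part of the original article; it writes exactly the keys and DWORD values listed above and then reads them back so that a typo in a key name or a missing value is reported before the reboot.

```powershell
# Added example: apply Steps 2 and 3 from the article and read the values back.
# Run as Administrator on the BizTalk host; back up the registry first and reboot afterwards.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$netFx    = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit .NET 4.x processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit (WOW64) .NET 4.x processes
)

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it does not exist, then create or overwrite the DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Step 2: enable TLS 1.2 for both the SCHANNEL client and server roles.
foreach ($role in 'Client', 'Server') {
    Set-RegDword -Path "$schannel\$role" -Name 'DisabledByDefault' -Value 0
    Set-RegDword -Path "$schannel\$role" -Name 'Enabled'           -Value 1
}

# Step 3: make .NET Framework 4.x default to the strong protocol set (includes TLS 1.2).
foreach ($path in $netFx) {
    Set-RegDword -Path $path -Name 'SchUseStrongCrypto' -Value 1
}

# Verification: compare every value against what the article prescribes.
$expected = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 }
) + ($netFx | ForEach-Object { @{ Path = $_; Name = 'SchUseStrongCrypto'; Value = 1 } })

foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $status = if ($actual -eq $e.Value) { 'OK ' } else { 'BAD' }
    '{0} {1}\{2} = {3}' -f $status, $e.Path, $e.Name, $actual
}
```

After the reboot, a fresh Windows PowerShell session can confirm the Step 3 effect on .NET: `[Net.ServicePointManager]::SecurityProtocol` should list Tls12 among the default protocols.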



TLS 1.2 in BizTalk 2013 / R2

BizTalk Server 2013 and 2013 R2 support .NET Framework v4.5.x, and this version of the Framework already supports TLS v1.2, so only the registry needs to be configured. Follow the steps above, skipping Step 1; Steps 2 to 4 apply unchanged. Test again with the same application.



Summary

In this article, we reviewed how to configure and set up TLS version 1.2 on BizTalk Server 2010, 2013 and 2013 R2. Hope you've found this post handy. Feel free to add your comments or ask any questions below. If there's anything specific that you want covered with respect to BizTalk, please let us know.



See Also

Another important place to find a huge amount of BizTalk related articles is the TechNet Wiki itself. The best entry point is BizTalk Server Resources on the TechNet Wiki.
