If you are creating your own certificates for testing purposes, then consult the Microsoft documentation on using the Certificate Creation Tool (MakeCert.exe), or see the following website, which provides an article describing how to create temporary certificates for use during development:
http://msdn.microsoft.com/en-us/library/ms733813.aspx
Note: You must generate a PFX file instead of a CER file to be able to assign an SSL certificate to a port.
The following certificates are required:
PFX files are used to store the certificates and keys in one file on Windows systems (Personal Information Exchange PKCS#12 or PFX format). The PEM format can be used on non-Windows systems.
A PFX copy of the server certificate is required, installed into the Windows certificate store, which can be created using the Certificate Creation Tool (MakeCert.exe).
A PFX copy of the client certificate is required, which can be created using the Certificate Creation Tool (MakeCert.exe).
The server certificate PFX file (server.pfx) is installed in the host credentials store file, and the certificate thumbprint is used to bind the SSL Socket for communication over HTTPS. The Java Virtual Machine (JVM) of the adapter server will be used to create a keystore containing the server certificate and (optionally) a client certificate.
Before you create an SSL (HTTPS) connection using the iWay Application Adapter for Microsoft Dynamics CRM 2011 On-Premises, the certificate for the machine running the adapter must first be installed as a trusted certificate in the Java keystore.
JAVA_HOME\jre\bin\root.cer
where:
JAVA_HOME
Is the root installation directory of your Java Runtime Environment (JRE).
Note: The root.cer file contains the CN=machine.domain.idomain setting of the machine running iWay Service Manager (iSM) and the adapter. For example:
CN=Server24.mySite.com
where:
machine
Is the name of the machine as located by the DNS server (Domain Name System). This value is case-sensitive.
domain
Is the domain that identifies where the machine is running.
idomain
Is the Internet-level domain where the domain (for example, mySite) is located.
JAVA_HOME\jre\bin
keytool -importcert -file drive:\path\root.cer -keystore drive:\path\trustStore.jks -storetype jks -alias crm2011AdapterKeyStore
where:
-importcert
Is the command used to import the certificate.
drive:\path
Is the path to the root certificate. For example, c:\certs.
-keystore
Is the command used to create the keystore.
drive:\path\trustStore.jks
Is the path and name of the keystore file to be created during the import process.
-storetype
Specifies what type of storage to be created. The type must be jks (Java KeyStore).
-alias
Is a unique name for the keystore. It is also an alternate name for the keystore to help understand its usage.
The keytool program displays information about the imported root certificate used in the keytool command. It then prompts you to confirm whether you want to trust the certificate.
If executed successfully, a message is displayed indicating that the certificate was added to the keystore and a new file called trustStore.jks has been created.
The server.pfx file is imported into the Windows certificate store as described in Using SSL Server Certificates.
Note: In this example, the root.cer file has been used to create the client.cer file.
JAVA_HOME\jre\bin
where:
JAVA_HOME
Is the root installation directory of your Java Runtime Environment (JRE).
keytool -importkeystore -deststorepass destpass -destkeystore drive:\path\clientStore.jks -srckeystore drive:\path\client.pfx -srcstoretype PKCS12 -srcstorepass 123456
where:
-importkeystore
Is the command used to import the keystore.
-deststorepass
Is a password for the keystore to be created. The password must be a standard alphanumeric 32-character password.
-destkeystore
Is the path for the destination keystore and where the client certificate should be imported.
-srckeystore
Is the source file (keystore) where the client certificate with the private key is located.
-srcstoretype
Is the type of the original source. This value must always be set to PKCS12.
-srcstorepass
Is the password for the keystore source file (client.pfx). This password was specified at the time the file was created, and must be a standard alphanumeric 32-character password.
Note: As of iSM Version 6.1.7, clientStore.jks must be the file name used for the client store.
iwayhome\lib
where:
iwayhome
Is the root location where iWay Service Manager (iSM) is installed.
If you are using HTTPS/SSL with client authentication:
iwayhome\lib\trustStore.jks
If you are using the client keystore:
iwayhome\lib\clientStore.jks
This must be the same password that was specified for the -deststorepass setting in step 3.
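To confirm that the two stores are usable before the adapter depends on them, a check like the following can be run with the same JRE. It is an added example, not iWay or Microsoft code: the class name CheckStores and its four command-line arguments are assumptions, and it relies on the client certificate having been issued from root.cer as in the example above. It tests the direct issuer signature and the validity dates only, not a full certification path.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
// Added example. Usage (paths and passwords are placeholders):
//   java CheckStores trustStore.jks <trustpass> clientStore.jks <destpass>
public class CheckStores {
    static KeyStore load(String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // throws on a wrong password or a modified file
        }
        return ks;
    }
    static boolean valid(X509Certificate c) {
        try { c.checkValidity(); return true; }   // current date is inside notBefore..notAfter
        catch (GeneralSecurityException e) { return false; }
    }
    public static void main(String[] a) throws Exception {
        if (a.length != 4) { System.err.println("usage: CheckStores trust pass client pass"); System.exit(2); }
        KeyStore trust = load(a[0], a[1]), client = load(a[2], a[3]);
        boolean ok = true, haveKey = false;
        // Trust store: public certificates only; a private key here is a packaging mistake.
        for (String t : Collections.list(trust.aliases())) {
            X509Certificate c = (X509Certificate) trust.getCertificate(t);
            boolean good = trust.isCertificateEntry(t) && valid(c);
            System.out.println("trust  " + t + "  " + c.getSubjectX500Principal().getName() + (good ? "  OK" : "  PROBLEM"));
            ok &= good;
        }
        // Client store: needs a private-key entry whose certificate a trusted root signed.
        for (String k : Collections.list(client.aliases())) {
            if (!client.isKeyEntry(k)) continue;
            haveKey = true;
            X509Certificate c = (X509Certificate) client.getCertificate(k);
            boolean signed = false;
            for (String t : Collections.list(trust.aliases())) {
                try { c.verify(trust.getCertificate(t).getPublicKey()); signed = true; }
                catch (GeneralSecurityException e) { /* not issued by this root; try the next */ }
            }
            boolean good = signed && valid(c);
            System.out.println("client " + k + "  " + c.getSubjectX500Principal().getName() + (good ? "  OK" : "  PROBLEM"));
            ok &= good;
        }
        if (!haveKey) System.out.println("client store has no private-key entry");
        System.exit(ok && haveKey ? 0 : 1);
    }
}
```

The subject printed for the trust store entry can be compared against the CN=machine.domain.idomain value described earlier, including case.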
<baseAddresses>
  <add baseAddress="https://server.site.com:port/RoutingService"/>
</baseAddresses>
<binding>
  <security mode="Transport">
    <transport clientCredentialType="Certificate"/>
  </security>
</binding>
iWay Software