Configure TLS 1.2 On BizTalk Server

09.10.2018

Introduction

TLS is a successor to Secure Sockets Layer protocol or SSL. TLS provides secure communications on the Internet for such things as email, Internet faxing, and other data transfers. Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering.

Since applications can communicate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection. One of the main ways of achieving this is to use a different port number for TLS connections, for example, port 443 for HTTPS.

Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a handshaking procedure. TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification.

TLS 1.2 in BizTalk 2016

There is an official announcement about TLS 1.2 support in BizTalk Server 2016 and highlighting the comments from Microsoft official page as a reference, TLS 1.2 is fully supported in BizTalk Server, including all the adapters and all the accelerators. We can disable SSL, TLS 1.0, and TLS 1.1 on the BizTalk Server.

Key information

  • Any external systems communicating with BizTalk also need to support TLS 1.2
  • Any custom code, such as functoids, may need to be updated to support TLS 1.2
  • Description of the TLS/SSL protocol describes how to set up a TLS 1.2 environment.

TLS 1.2 in BizTalk 2010

For lower versions like 2013, R2 or 2010 it is not straightforward to use TLSv1.2. We have to do some tricky exercises to enable TLS 1.2.

Generally, we saw the below types of errors when trying to connect any external service which is already utilizing the security protocol TLS 1.2:

  • SSL Security error.
  • [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.
  • Could not create SSL/TLS secure channel.
  • The remote server returned an error: (403) Forbidden.

No need to worry about these errors, generally it comes when we have a SSL/TLS channel issue. We have a solution now to enable TLS 1.2 on BizTalk server. Please follow the below steps to enable TLS 1.2.

Step 1

BizTalk server 2010 supports .NET Framework v4.0 and this version of Framework supports only SSL v3.0 and TLS v1.0. However, Framework v4.5 does support the use of TLS 1.1 and TLS 1.2. So now Framework 4.5 needs to be to installed on a BizTalk machine to establish a connection between both systems. Let's do it.

The installer of this version of the framework can, of course, be downloaded from the Microsoft site, the link is below.

https://www.microsoft.com/en-us/download/details.aspx?id=42642

The first step is completed and now let's move to the second step because TLS 1.2 is not yet configured. We have to enable it now with an update to the registry setting. Let's see step by step how we can do this.

Note
Before making any change in Registry, we strongly recommend taking a backup of the registry.

Step 2

Open Registry by using a command, Press Ctrl + R from the keyboard to open Run window and type Regedit like the below screenshot.

Registry Editor windows will appear like the below screenshot, where in the left panel we can find all HKEY details.

Now we have to check TLS 1.2 Key from the below highlighted place and if the Key is not there then create the below keys and matching DWORDs at the highlighted place.

To Create Keys and matching DWORDs use below values.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

Once all DWORD values are configured then it will look like the above screenshot.

Step 3

Now, set the .NET Framework 4.0 to use the latest version of the SecurityProtocol, by creating the DWORDs mentioned below, for both 32- and 64-bit hosts. Go to the below-highlighted place to check if the latest version of SecurityProtocol is in use, if not then follow the below steps.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

Once it configured, the value will look like the above screenshot.

We have to do the same thing for 64-bit windows version where we first check if the latest version of SecurityProtocol is in use, if not then follow the below steps.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

Once it is configured, the value will look like the above screenshot.

Reboot the BizTalk server in order for the changes to come into effect.

Step 4

All set to go now. For testing the connection we can use Wireshark to check the version of the protocol. Once changes are reflected on the BizTalk server then the value of the protocol will be TLSv1.2

TLS 1.2 in BizTalk 2013 / R2

BizTalk server 2013/R2 supports .NET Framework v4.5.x and this version of Framework support TLS v1.2 also. So here we need to configure registry only. Please follow these steps and it should ready to go. We can ignore Step 1 for BizTalk 2013 / R2 and the rest of the steps will be applicable here. Test again with the same application.

Summary

In this article, we reviewed how to configure and setup TLS version 1.2 on BizTalk server 2010, 2013 or R2. Hope you've found this post handy. Feel free to add your comments or ask any questions below. If there's anything specifically that you want to be covered with respect to BizTalk please let us know.