Configuring certificates in a user interface
The Content Manager user interfaces, Content Manager Explorer and Experience Manager, connect to the Content Manager through the Core Service. If you are using LDAP, you need to configure certificates in the user interface Web.config file.
About this task
For demonstration purposes, the following certificate thumbprints and subject names are referenced in this section (select the certificate in IIS, choose View and go to the Details tab to see certificate fields and values):
| Certificate | Thumbprint | SubjectName |
|---|---|---|
| Token Issuer | 7b89dcbe0e0abf36bca681d6bbe425ec56255a3e | TokenIssuer |
| Core Service | 4c05947bae2a140614631b24257cdd7abfbd5646 | CoreService |
Procedure
- On the Content Manager, access the %TRIDION_HOME%\web\ directory.
- Open the Web.config file in a plain-text or XML editor.
- Modify the following endpoints:

  ```xml
  <endpoint name="netSamlTcp_2012"
            address="net.tcp://localhost:2660/CoreService/2012/netTcp"
            binding="netTcpBinding"
            bindingConfiguration="CoreService_netTcpBinding"
            contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService" />
  <endpoint name="batch_netSamlTcp_2012"
            address="net.tcp://localhost:2660/CoreService/2012/batch_netTcp"
            binding="netTcpBinding"
            bindingConfiguration="CoreService_netTcpBinding"
            contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch" />
  ```

  - Change binding="netTcpBinding" to binding="customBinding".
  - Change bindingConfiguration="CoreService_netTcpBinding" to bindingConfiguration="CoreService_netFederationTcpBinding".
  - Add behaviorConfiguration="CoreService_SamlBehavior".
  - Change address="net.tcp://localhost:2660/CoreService/2012/netTcp" to address="net.tcp://localhost:2660/CoreService/2012/netFederationTcp", and address="net.tcp://localhost:2660/CoreService/2012/batch_netTcp" to address="net.tcp://localhost:2660/CoreService/2012/batch_netFederationTcp".
  - Add an <identity> element and set its value to match that of the certificate, for example: <identity><dns value="DomainName"/></identity>

  For example:

  ```xml
  <endpoint name="netSamlTcp_2012"
            address="net.tcp://localhost:2660/CoreService/2012/netFederationTcp"
            binding="customBinding"
            bindingConfiguration="CoreService_netFederationTcpBinding"
            contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService"
            behaviorConfiguration="CoreService_SamlBehavior">
    <identity>
      <dns value="DomainName"/>
    </identity>
  </endpoint>
  <endpoint name="batch_netSamlTcp_2012"
            address="net.tcp://localhost:2660/CoreService/2012/batch_netFederationTcp"
            binding="customBinding"
            bindingConfiguration="CoreService_netFederationTcpBinding"
            contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch"
            behaviorConfiguration="CoreService_SamlBehavior">
    <identity>
      <dns value="DomainName"/>
    </identity>
  </endpoint>
  ```

- Go to the <behaviors> section:

  ```xml
  <behaviors>
    <endpointBehaviors>
      <behavior>
        <clientCredentials type="Tridion.ContentManager.CoreService.Client.Security.ClaimsClientCredentials, Tridion.ContentManager.CoreService.Client"
                           supportInteractive="false">
          <clientCertificate storeLocation="LocalMachine" storeName="My"
                             x509FindType="FindBySubjectName" findValue="TokenIssuer" />
          <serviceCertificate>
            <defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople"
                                x509FindType="FindBySubjectName" findValue="CoreService" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  ```

- In the <clientCertificate> element, set the attribute values to match your Token Issuer certificate:

  ```xml
  <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="TokenIssuer" />
  ```

  The <clientCertificate> element has the following attributes:

  | Attribute | Description |
  |---|---|
  | storeName | It is recommended to use My, unless you are familiar with certificates: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename |
  | storeLocation | It is recommended to use LocalMachine, or you can store the certificate specifically for the Windows user running Core Service related processes: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation |
  | x509FindType | It is recommended to use FindBySubjectName, although you can use something else such as FindByThumbprint. |
  | findValue | The unique value of the certificate, interpreted according to the x509FindType setting. In IIS, select the certificate and choose View. The Details tab shows the fields and values. |

- In the <serviceCertificate> section, set the <defaultCertificate> element values to match your Core Service certificate:

  ```xml
  <serviceCertificate>
    <defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="CoreService" />
  </serviceCertificate>
  ```

  The <defaultCertificate> element has the following attributes:

  | Attribute | Description |
  |---|---|
  | storeName | It is recommended to use My, unless you are familiar with certificates: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename |
  | storeLocation | It is recommended to use LocalMachine, or you can store the certificate specifically for the Windows user running Core Service related processes: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation |
  | x509FindType | It is recommended to use FindBySubjectName, although you can use something else such as FindByThumbprint. |
  | findValue | The unique value of the certificate, interpreted according to the x509FindType setting. In IIS, select the certificate and choose View. The Details tab shows the fields and values. |

- Save and close Web.config.
- Restart IIS.
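The following PowerShell check is an added example and is not part of the product documentation or of the Web.config above. It reads the <clientCredentials> behavior from Web.config and confirms that each referenced certificate resolves to exactly one certificate in the configured Windows store, the same way WCF will resolve it at run time; it assumes it is run on the Content Manager host with administrator rights, and the default path is the one used in the procedure.

```powershell
# Added check (not product code): validate the certificate references in Web.config
# against the local certificate stores before restarting IIS.
param(
    [string]$WebConfig = (Join-Path $env:TRIDION_HOME 'web\Web.config')   # path from the procedure above
)

[xml]$config = Get-Content -LiteralPath $WebConfig -Raw

# The two references the procedure edits: the client certificate (Token Issuer)
# and the expected service certificate (Core Service).
$refs = foreach ($cc in $config.SelectNodes('//endpointBehaviors/behavior/clientCredentials')) {
    [pscustomobject]@{ Role = 'clientCertificate (Token Issuer)';  Node = $cc.clientCertificate;                     NeedsKey = $true  }
    [pscustomobject]@{ Role = 'serviceCertificate (Core Service)'; Node = $cc.serviceCertificate.defaultCertificate; NeedsKey = $false }
}

foreach ($ref in $refs) {
    $n = $ref.Node
    if (-not $n) { Write-Warning "$($ref.Role): element not found in $WebConfig"; continue }

    $store = "Cert:\$($n.storeLocation)\$($n.storeName)"
    $certs = Get-ChildItem -Path $store

    # Select the certificate the way WCF does for the configured x509FindType:
    # FindBySubjectName is a case-insensitive substring match on the subject,
    # FindByThumbprint an exact (case-insensitive) hex match.
    $found = @(switch ($n.x509FindType) {
        'FindBySubjectName' { $certs | Where-Object { $_.Subject -like "*$($n.findValue)*" } }
        'FindByThumbprint'  { $certs | Where-Object { $_.Thumbprint -eq ($n.findValue -replace '\s', '') } }
        default             { Write-Warning "$($ref.Role): x509FindType '$($n.x509FindType)' is not handled by this script" }
    })

    # WCF needs exactly one match; several certificates sharing a subject name fail as surely as none.
    if ($found.Count -ne 1) {
        Write-Warning ("{0}: {1} certificate(s) match {2}='{3}' in {4}" -f $ref.Role, $found.Count, $n.x509FindType, $n.findValue, $store)
        continue
    }

    $cert   = $found[0]
    $status = 'OK'
    if ($ref.NeedsKey -and -not $cert.HasPrivateKey) { $status = 'NO PRIVATE KEY (the client certificate must have one)' }
    elseif ($cert.NotAfter -lt (Get-Date))            { $status = "EXPIRED on $($cert.NotAfter)" }
    '{0}: {1} thumbprint={2} subject={3}' -f $ref.Role, $status, $cert.Thumbprint, $cert.Subject
}
```

Compare the reported thumbprints with the ones in the table at the top of this section; a subject-name match that returns more than one certificate is the most common cause of a Core Service connection failure after this change.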