Configuring certificates in a user interface

The Content Manager user interfaces, Content Manager Explorer and Experience Manager, connect to the Content Manager through the Core Service. If you are using LDAP, you need to configure certificates in the user interface Web.config file.

About this task

For demonstration purposes, the following certificate thumbprints and subject names are referenced in this section (select the certificate in IIS, choose View and go to the Details tab to see certificate fields and values):

Certificate     ThumbPrint                                  SubjectName
Token Issuer    7b89dcbe0e0abf36bca681d6bbe425ec56255a3e    TokenIssuer
Core Service    4c05947bae2a140614631b24257cdd7abfbd5646    CoreService

Procedure

  1. On the Content Manager, access the %TRIDION_HOME%\web\ directory.
  2. Open the Web.config file in a plain-text or XML editor.
  3. Modify the following endpoints:
    <endpoint name="netSamlTcp_201501" address="net.tcp://localhost:2660/CoreService/201501/netTcp" 
    	binding="netTcpBinding" bindingConfiguration="CoreService_netTcpBinding" 
    	contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService" />
    <endpoint name="batch_netSamlTcp_201501" address="net.tcp://localhost:2660/CoreService/201501/batch_netTcp" 
    	binding="netTcpBinding" bindingConfiguration="CoreService_netTcpBinding" 
    	contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch" />
    1. Change binding="netTcpBinding" to binding="customBinding"
    2. Change bindingConfiguration="CoreService_netTcpBinding" to bindingConfiguration="CoreService_netFederationTcpBinding"
    3. Add behaviorConfiguration="CoreService_SamlBehavior"
    4. Change address="net.tcp://localhost:2660/CoreService/201501/netTcp" to address="net.tcp://localhost:2660/CoreService/201501/netFederationTcp"
    5. Change address="net.tcp://localhost:2660/CoreService/201501/batch_netTcp" to address="net.tcp://localhost:2660/CoreService/201501/batch_netFederationTcp"
    6. Add an <identity> element and set its value to match that of the certificate, for example:
      <identity>
      	<dns value="DomainName"/>
      </identity>
    For example:
    <endpoint name="netSamlTcp_201501" address="net.tcp://localhost:2660/CoreService/201501/netFederationTcp" 
    	binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" 
    	contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService" behaviorConfiguration="CoreService_SamlBehavior">
    	<identity>
    		<dns value="DomainName"/>
    	</identity>
    </endpoint>
    <endpoint name="batch_netSamlTcp_201501" address="net.tcp://localhost:2660/CoreService/201501/batch_netFederationTcp" 
    	binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" 
    	contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch" behaviorConfiguration="CoreService_SamlBehavior">
    	<identity>
    		<dns value="DomainName"/>
    	</identity>
    </endpoint>
  4. Go to the <behaviors> section:
    <behaviors>
    	<endpointBehaviors>
    		<behavior>
    			<clientCredentials type="Tridion.ContentManager.CoreService.Client.Security.ClaimsClientCredentials, Tridion.ContentManager.CoreService.Client" supportInteractive="false">
    				<clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="TokenIssuer" />
    				<serviceCertificate>
    					<defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="CoreService" />
    				</serviceCertificate>
    			</clientCredentials>
    		</behavior>
    	</endpointBehaviors>
    </behaviors>
  5. In the <clientCertificate> element, set the attribute values to match your Token Issuer certificate:
    <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="TokenIssuer" />
    The <clientCertificate> element has the following attributes:

    storeName
        It is recommended to use My, unless you are familiar with certificates:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename

    storeLocation
        It is recommended to use LocalMachine, or you can store the certificate specifically for the Windows user running Core Service-related processes:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation

    x509FindType
        It is recommended to use FindBySubjectName, although you can use something else such as FindByThumbprint:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509findtype.aspx

    findValue
        The unique value of the certificate, identified depending on the x509FindType setting. In IIS, select the certificate and choose View. The Details tab shows the fields and values.
  6. In the <serviceCertificate> section, set the <defaultCertificate> element values to match your Core Service certificate:
    <serviceCertificate>
    	<defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="CoreService" />
    </serviceCertificate>
    The <defaultCertificate> element inside <serviceCertificate> has the following attributes:

    storeName
        It is recommended to use My, unless you are familiar with certificates:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename

    storeLocation
        It is recommended to use LocalMachine, or you can store the certificate specifically for the Windows user running Core Service-related processes:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation

    x509FindType
        It is recommended to use FindBySubjectName, although you can use something else such as FindByThumbprint:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509findtype.aspx

    findValue
        The unique value of the certificate, identified depending on the x509FindType setting. In IIS, select the certificate and choose View. The Details tab shows the fields and values.
  7. Save and close Web.config.
  8. Restart IIS.
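The following PowerShell script is an added verification step, not part of the product documentation: it reads the <clientCertificate> and <defaultCertificate> settings from Web.config and resolves each one with the same X509Certificate2Collection.Find lookup WCF uses, so a findValue that matches zero or several certificates, an expired certificate, or a Token Issuer certificate without an accessible private key is reported before you restart IIS. It assumes the Web.config path %TRIDION_HOME%\web\Web.config from step 1 and that the script runs on the Content Manager with read access to the LocalMachine stores.

```powershell
# Added verification script (not part of the product documentation).
# Resolves the certificate references in Web.config the way WCF does
# (X509Certificate2Collection.Find on the configured store) and reports problems.
param(
    [string]$WebConfig = (Join-Path $env:TRIDION_HOME 'web\Web.config')   # assumed path
)

[xml]$cfg = Get-Content -Path $WebConfig -Raw

# The two elements configured in steps 5 and 6 of the procedure.
$targets = @(
    @{ Role = 'Token Issuer (clientCertificate)';
       Node = $cfg.SelectSingleNode('//clientCredentials/clientCertificate') },
    @{ Role = 'Core Service (serviceCertificate/defaultCertificate)';
       Node = $cfg.SelectSingleNode('//clientCredentials/serviceCertificate/defaultCertificate') }
)

$ok = $true
foreach ($t in $targets) {
    $n = $t.Node
    if (-not $n) { Write-Warning "$($t.Role): element missing from Web.config"; $ok = $false; continue }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($n.storeName, $n.storeLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    # Same lookup WCF performs. FindBySubjectName is a substring match, so a
    # findValue such as "CoreService" can match more than one certificate.
    $found = $store.Certificates.Find($n.x509FindType, $n.findValue, $false)
    $store.Close()

    Write-Host "$($t.Role): $($n.storeLocation)\$($n.storeName) $($n.x509FindType)=$($n.findValue) -> $($found.Count) match(es)"
    if ($found.Count -ne 1) { $ok = $false }   # zero is a failure; more than one is ambiguous
    foreach ($c in $found) {
        Write-Host ("  {0}  Subject={1}  Expires={2:yyyy-MM-dd}  PrivateKey={3}" -f $c.Thumbprint, $c.Subject, $c.NotAfter, $c.HasPrivateKey)
        if ($c.NotAfter -lt (Get-Date)) { Write-Warning '  certificate is expired'; $ok = $false }
        # The Token Issuer certificate signs the outgoing SAML token, so the
        # account running the UI application pool needs its private key.
        if ($t.Role -like 'Token Issuer*' -and -not $c.HasPrivateKey) {
            Write-Warning '  no private key available'; $ok = $false
        }
    }
}

if ($ok) { Write-Host 'All certificate references resolve to exactly one valid certificate.' }
else     { Write-Warning 'One or more certificate references need attention; fix them before restarting IIS.' }
```

Run it after step 7 from an elevated PowerShell prompt on the Content Manager; a reported thumbprint should match the value you noted in the About this task table.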