Configuring certificates in Core Service

If the Core Service is hosted in IIS, you need to configure certificates in the web.config file. If the Core Service is hosted as a TcmServiceHost, you need to configure certificates in the TcmServiceHost.exe.config file.

About this task

For demonstration purposes, the following certificate thumbprints and subject names are referenced in this section (select the certificate in IIS, choose View and go to the Details tab to see certificate fields and values):

Certificate     Thumbprint                                  Subject name
Token Issuer    7b89dcbe0e0abf36bca681d6bbe425ec56255a3e    TokenIssuer
Core Service    4c05947bae2a140614631b24257cdd7abfbd5646    CoreService

Procedure

  1. If the Core Service is hosted as IISHost:
    1. Open the Web.config configuration file, by default located in your %TRIDION_HOME%\webservices directory, in a text editor.
    2. In the <service behaviorConfiguration> section, uncomment the wsFederationHttp endpoint:
      <endpoint address="wsFederationHttp" binding="ws2007FederationHttpBinding" bindingConfiguration="CoreService_wsFederationHttpBinding" name="wsFederationHttp" bindingNamespace="http://www.sdltridion.com/ContentManager/CoreService/2012" contract="Tridion.ContentManager.CoreService.ISessionAwareCoreService2012">
      	<identity>
      		<dns value="localhost" />
      	</identity>
      </endpoint>
  2. If the Core Service is hosted as a TcmServiceHost:
    1. Open the TcmServiceHost.exe.config configuration file, by default located in your %TRIDION_HOME%\bin directory, in a text editor.
    2. In the <service behaviorConfiguration> section, uncomment the netFederationTcp and batch_netFederationTcp endpoints:
      <endpoint name="netFederationTcp" address="netFederationTcp" binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" bindingNamespace="http://www.sdltridion.com/ContentManager/CoreService/2012" contract="Tridion.ContentManager.CoreService.ISessionAwareCoreService2012" />
      <endpoint name="batch_netFederationTcp" address="batch_netFederationTcp" binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" bindingNamespace="http://www.sdltridion.com/ContentManager/CoreService/2012" contract="Tridion.ContentManager.CoreService.ICoreServiceBatch2012" />
  3. In both the Web.config and TcmServiceHost.exe.config configuration files:
    1. In the <behaviors><serviceBehaviors> section, uncomment the following section:
      <federatedServiceHostConfiguration>
    2. In the <microsoft.identityModel> section, uncomment the following section and set the certificate thumbprint and name values from the Token Issuer certificate:
      <trustedIssuers>
      	<add thumbprint="7b89dcbe0e0abf36bca681d6bbe425ec56255a3e" name="TokenIssuer" />
      </trustedIssuers>
    3. In the <serviceCertificate> section, set the <certificateReference> element values to match your Core Service certificate:
      <serviceCertificate>
      	<certificateReference storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="CoreService" />
      </serviceCertificate>
      The <certificateReference> element has the following attributes:

      storeName
        It is recommended to use My, unless you are familiar with certificates:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename

      storeLocation
        It is recommended to use LocalMachine, or you can store the certificate specifically for the Windows User running Core Service related processes:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation

      x509FindType
        It is recommended to use FindBySubjectName, although you can use something else such as FindByThumbprint:
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509findtype.aspx

      findValue
        The unique value of the certificate, identified depending on the x509FindType setting. In IIS, select the certificate and choose View. The Details tab shows the fields and values.
  4. Save and close the Web.config or TcmServiceHost.exe.config configuration file.
  5. Open Component Services:
    1. In Component Services > Computers > My Computer > COM+ Applications, restart the Tridion COM+ Applications.
    2. In Services, restart the Tridion Windows Service TcmServiceHost.
  6. Restart IIS.
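
The values set in step 3 can be checked against the Windows certificate store before the services are restarted. The following PowerShell script is an added example, not part of the product documentation: it checks that each trusted issuer thumbprint is well formed and that each <certificateReference> resolves to exactly one usable certificate. The ConfigPath parameter and the message texts are this example's own, and it assumes the elements appear in the file as shown in step 3.

```powershell
# Added example, not part of the product documentation.
# Assumption: IIS-hosted default path from step 1; pass -ConfigPath for TcmServiceHost.exe.config.
param([string]$ConfigPath = "$env:TRIDION_HOME\webservices\Web.config")

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

# 1. Trusted issuer thumbprints must be exactly 40 hexadecimal characters.
#    Values copied from the certificate Details tab can carry spaces or an
#    invisible leading character, which makes the issuer comparison fail.
foreach ($issuer in $config.SelectNodes("//*[local-name()='trustedIssuers']/*[local-name()='add']")) {
    $thumb = $issuer.GetAttribute('thumbprint')
    $name  = $issuer.GetAttribute('name')
    if ($thumb -match '^[0-9A-Fa-f]{40}$') {
        Write-Output "Trusted issuer '$name': thumbprint format OK"
    } else {
        Write-Warning "Trusted issuer '$name': thumbprint is not 40 hex characters (length $($thumb.Length))"
    }
}

# 2. Each <certificateReference> under <serviceCertificate> must resolve to
#    exactly one usable certificate in the configured store.
$refs = $config.SelectNodes("//*[local-name()='serviceCertificate']/*[local-name()='certificateReference']")
foreach ($ref in $refs) {
    $findType  = $ref.GetAttribute('x509FindType')
    $findValue = $ref.GetAttribute('findValue')
    $storeName = [System.Security.Cryptography.X509Certificates.StoreName]$ref.GetAttribute('storeName')
    $storeLoc  = [System.Security.Cryptography.X509Certificates.StoreLocation]$ref.GetAttribute('storeLocation')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $storeLoc)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false so expired or untrusted matches are reported, not hidden.
        $found = $store.Certificates.Find($findType, $findValue, $false)
    } finally { $store.Close() }
    $label = "$findType '$findValue' in $storeLoc\$storeName"
    if ($found.Count -eq 0) {
        Write-Warning "No certificate matches $label"
    } elseif ($found.Count -gt 1) {
        # FindBySubjectName is a case-insensitive substring match, so
        # 'CoreService' also matches a subject such as 'CoreServiceTest'.
        Write-Warning "$($found.Count) certificates match $label; use a more specific findValue or find type"
    } else {
        $cert = $found[0]
        if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Subject): no private key in store" }
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$($cert.Subject): expired $($cert.NotAfter)" }
        Write-Output "Resolved $label to $($cert.Subject), thumbprint $($cert.Thumbprint)"
    }
}
```

When storeLocation is CurrentUser, run the script as the Windows account that runs the Core Service processes, since that store is per user.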