Configuring certificates in a user interface
The Content Manager user interfaces, Content Manager Explorer and Experience Manager, connect to the Content Manager through the Core Service. If you are using LDAP, you need to configure certificates in the user interface Web.config file.
About this task
For demonstration purposes, the following certificate thumbprints and subject names are referenced in this section (in IIS, select the certificate, choose View and go to the Details tab to see the certificate fields and values):
| Certificate | Thumbprint | SubjectName |
|---|---|---|
| Token Issuer | 7b89dcbe0e0abf36bca681d6bbe425ec56255a3e | TokenIssuer |
| Core Service | 4c05947bae2a140614631b24257cdd7abfbd5646 | CoreService |
Procedure
- On the Content Manager server, go to the `web\` subdirectory of `%TRIDION_HOME%`.
- Open `Web.config` for editing.
- Locate the following two endpoints:

  ```xml
  <endpoint name="netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/netTcp" binding="netTcpBinding" bindingConfiguration="CoreService_netTcpBinding" contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService" behaviorConfiguration="Tridion.ContentManager.CoreServiceBehavior" />
  <endpoint name="batch_netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/batch_netTcp" binding="netTcpBinding" bindingConfiguration="CoreService_netTcpBinding" contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch" behaviorConfiguration="Tridion.ContentManager.CoreServiceBehavior" />
  ```

  Modify both endpoints as follows:
  - Change `binding="netTcpBinding"` to `binding="customBinding"`.
  - Change `bindingConfiguration="CoreService_netTcpBinding"` to `bindingConfiguration="CoreService_netFederationTcpBinding"`.
  - Change `behaviorConfiguration="Tridion.ContentManager.CoreServiceBehavior"` to `behaviorConfiguration="CoreService_SamlBehavior"`.
  - Change `address="net.tcp://localhost:2660/CoreService/201701/netTcp"` to `address="net.tcp://localhost:2660/CoreService/201701/netFederationTcp"`, and `address="net.tcp://localhost:2660/CoreService/201701/batch_netTcp"` to `address="net.tcp://localhost:2660/CoreService/201701/batch_netFederationTcp"`.
  - Add an `<identity>` element whose `<dns>` value matches the DNS name (subject CN) of the Core Service certificate, which is the certificate the client validates the service against, for example:

    ```xml
    <identity>
      <dns value="DomainName"/>
    </identity>
    ```

  The modified endpoints look like this:

  ```xml
  <endpoint name="netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/netFederationTcp" binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService" behaviorConfiguration="CoreService_SamlBehavior">
    <identity>
      <dns value="DomainName"/>
    </identity>
  </endpoint>
  <endpoint name="batch_netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/batch_netFederationTcp" binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch" behaviorConfiguration="CoreService_SamlBehavior">
    <identity>
      <dns value="DomainName"/>
    </identity>
  </endpoint>
  ```
- Go to the `<behaviors>` section:

  ```xml
  <behaviors>
    <endpointBehaviors>
      <behavior name="Tridion.ContentManager.CoreServiceBehavior">
        <dataContractSerializer maxItemsInObjectGraph="2147483647" />
        <etwTracingBehaviour />
      </behavior>
      <!-- For custom certificates, configure the clientCertificate and serviceCertificate - adjust the store locations, store names and subject names for your certificates.
           Client certificate is used to issue SAML tokens, and service certificate represents the CoreService host.
           Note: check and update the Version of Tridion.ContentManager.CoreService.Client below.
      <behavior name="CoreService_SamlBehavior">
        <clientCredentials type="Tridion.ContentManager.CoreService.Client.Security.ClaimsClientCredentials, Tridion.ContentManager.CoreService.Client, Version=9.0.0.0, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" supportInteractive="false">
          <clientCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindByThumbprint" findValue="abcdef1234567890abcdef1234567890abcdef12" />
          <serviceCertificate>
            <defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindByThumbprint" findValue="abcdef1234567890abcdef1234567890abcdef12" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
      -->
    </endpointBehaviors>
  </behaviors>
  ```

- Uncomment the commented-out `behavior` element (remove the `<!--` before `<behavior name="CoreService_SamlBehavior">` and the `-->` after its closing tag; keep the explanatory text as a separate comment if you want to retain it), and in the `<clientCertificate>` element set the attribute values to match your Token Issuer certificate:

  ```xml
  <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="TokenIssuer" />
  ```

  The `<clientCertificate>` element has the following attributes:

  | Attribute | Description |
  |---|---|
  | storeName | The certificate store to search. `My` (the Personal store) is recommended unless you are familiar with certificate stores. The Token Issuer certificate signs the SAML tokens, so it must be installed in this store together with its private key: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename |
  | storeLocation | `LocalMachine` is recommended; alternatively, store the certificate specifically for the Windows user that runs the Core Service related processes: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation |
  | x509FindType | `FindBySubjectName` is recommended, although you can use another type such as `FindByThumbprint`. Note that `FindBySubjectName` is a case-insensitive substring match on the subject, so choose a value that identifies exactly one certificate in the store. |
  | findValue | The value that identifies the certificate, interpreted according to the `x509FindType` setting (the subject name for `FindBySubjectName`, the thumbprint for `FindByThumbprint`). In IIS, select the certificate and choose View; the Details tab shows the fields and values. |

- In the `<serviceCertificate>` section, set the `<defaultCertificate>` element values to match your Core Service certificate:

  ```xml
  <serviceCertificate>
    <defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="CoreService" />
  </serviceCertificate>
  ```

  The `<defaultCertificate>` element has the following attributes:

  | Attribute | Description |
  |---|---|
  | storeName | The certificate store that contains the Core Service certificate. The example above uses `TrustedPeople`; `My` also works if that is where you installed the certificate. Only the public certificate is needed here, because the client uses it to validate the service, not to sign anything: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename |
  | storeLocation | `LocalMachine` is recommended; alternatively, store the certificate specifically for the Windows user that runs the Core Service related processes: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation |
  | x509FindType | `FindBySubjectName` is recommended, although you can use another type such as `FindByThumbprint`. As with the client certificate, `FindBySubjectName` is a substring match, so the value must identify exactly one certificate. |
  | findValue | The value that identifies the certificate, interpreted according to the `x509FindType` setting. In IIS, select the certificate and choose View; the Details tab shows the fields and values. |

- Save and close `Web.config`.
- Restart IIS.
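Before restarting IIS it is worth confirming that the edits above are consistent with what is actually installed in the Windows certificate stores, because a mismatch only surfaces as a runtime failure in the user interface. The following PowerShell script is an added example written for this page; it is not part of the product documentation or of the Tridion installation. It assumes `Web.config` lives under `%TRIDION_HOME%\web`, the endpoint names `netSamlTcp_201701` and `batch_netSamlTcp_201701` and the behavior name `CoreService_SamlBehavior` from the procedure above, and that the certificates are installed in the stores named in `Web.config`. It checks that both endpoints were rewritten, that the SAML behavior is no longer inside an XML comment, that each certificate reference resolves to exactly one certificate, that the Token Issuer certificate has its private key (it signs the SAML tokens), that the Core Service certificate is not expired, and that the endpoints' `<dns value>` equals the DNS name .NET reports for that certificate (its subject CN or DNS subject alternative name), which is what WCF compares the identity against.

```powershell
# Added check script, not part of the product documentation. Run it on the
# Content Manager server after editing Web.config and before restarting IIS.
# Assumptions (all taken from the procedure above): Web.config is under
# %TRIDION_HOME%\web, the endpoints are named netSamlTcp_201701 and
# batch_netSamlTcp_201701, and the behavior is named CoreService_SamlBehavior.
param(
    [string]$WebConfig = (Join-Path $env:TRIDION_HOME 'web\Web.config')
)

$ErrorActionPreference = 'Stop'
[xml]$config = Get-Content -LiteralPath $WebConfig -Raw
$problems = New-Object System.Collections.Generic.List[string]

# Resolve a <clientCertificate> or <defaultCertificate> element the way WCF
# does: open Cert:\<storeLocation>\<storeName> and apply x509FindType.
# FindBySubjectName is a case-insensitive substring match in .NET, so it can
# return several certificates; the caller treats anything but one as an error.
function Find-ConfiguredCertificate {
    param([System.Xml.XmlElement]$Element)
    if ($null -eq $Element) { throw 'certificate element missing from CoreService_SamlBehavior' }
    $storePath = 'Cert:\{0}\{1}' -f $Element.GetAttribute('storeLocation'), $Element.GetAttribute('storeName')
    $findValue = $Element.GetAttribute('findValue')
    $certs = Get-ChildItem -Path $storePath
    switch ($Element.GetAttribute('x509FindType')) {
        'FindBySubjectName' { return @($certs | Where-Object { $_.Subject -like "*$findValue*" }) }
        'FindByThumbprint'  { return @($certs | Where-Object { $_.Thumbprint -eq $findValue }) }
        default             { throw "Unsupported x509FindType on <$($Element.Name)>" }
    }
}

# 1. Both SAML endpoints must use the federation binding, the SAML behavior,
#    a netFederationTcp address and an <identity><dns/> element.
$expected = @{
    binding               = 'customBinding'
    bindingConfiguration  = 'CoreService_netFederationTcpBinding'
    behaviorConfiguration = 'CoreService_SamlBehavior'
}
foreach ($name in 'netSamlTcp_201701', 'batch_netSamlTcp_201701') {
    $ep = $config.SelectSingleNode("//endpoint[@name='$name']")
    if ($null -eq $ep) { $problems.Add("endpoint '$name' not found"); continue }
    foreach ($attr in $expected.Keys) {
        if ($ep.GetAttribute($attr) -ne $expected[$attr]) {
            $problems.Add("endpoint '$name': $attr is '$($ep.GetAttribute($attr))', expected '$($expected[$attr])'")
        }
    }
    if ($ep.GetAttribute('address') -notlike '*FederationTcp') {
        $problems.Add("endpoint '$name': address still points at the netTcp path")
    }
    if ($null -eq $ep.SelectSingleNode('identity/dns')) {
        $problems.Add("endpoint '$name': missing <identity><dns value=.../></identity>")
    }
}

# 2. The SAML behavior must be uncommented: while it sits inside <!-- -->
#    it is an XML comment, not an element, and XPath does not find it.
$behavior = $config.SelectSingleNode("//endpointBehaviors/behavior[@name='CoreService_SamlBehavior']")
if ($null -eq $behavior) {
    $problems.Add("behavior 'CoreService_SamlBehavior' not found; is it still commented out?")
} else {
    # 3. Token Issuer certificate: exactly one match, and it must carry the
    #    private key because this certificate signs the SAML tokens.
    $issuer = @(Find-ConfiguredCertificate $behavior.SelectSingleNode('clientCredentials/clientCertificate'))
    if ($issuer.Count -ne 1) {
        $problems.Add("clientCertificate matched $($issuer.Count) certificates, expected exactly one")
    } elseif (-not $issuer[0].HasPrivateKey) {
        $problems.Add("Token Issuer certificate $($issuer[0].Thumbprint) has no private key and cannot sign tokens")
    }

    # 4. Core Service certificate: exactly one match, not expired, and its DNS
    #    name is what the endpoints' <dns value> is compared against.
    $service = @(Find-ConfiguredCertificate $behavior.SelectSingleNode('clientCredentials/serviceCertificate/defaultCertificate'))
    if ($service.Count -ne 1) {
        $problems.Add("defaultCertificate matched $($service.Count) certificates, expected exactly one")
    } else {
        $cert = $service[0]
        if ($cert.NotAfter -lt (Get-Date)) {
            $problems.Add("Core Service certificate $($cert.Thumbprint) expired on $($cert.NotAfter)")
        }
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        foreach ($dns in $config.SelectNodes("//endpoint[@behaviorConfiguration='CoreService_SamlBehavior']/identity/dns")) {
            if ($dns.GetAttribute('value') -ne $dnsName) {
                $problems.Add("identity dns value '$($dns.GetAttribute('value'))' does not match certificate DNS name '$dnsName'")
            }
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'Web.config endpoints, behavior and certificates are consistent; restart IIS.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell prompt (reading `Cert:\LocalMachine` stores and private-key metadata requires administrative rights). A non-zero exit code with one warning per finding makes it usable as a deployment gate; the most common findings in practice are a `FindBySubjectName` value that matches more than one certificate, and a Token Issuer certificate that was imported without its private key.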