Configuring certificates in a user interface

The Content Manager user interfaces, Content Manager Explorer and Experience Manager, connect to the Content Manager through the Core Service. If you are using LDAP, you need to configure certificates in the user interface Web.config file.

About this task

For demonstration purposes, the following certificate thumbprints and subject names are referenced in this section (in IIS, select the certificate, choose View and go to the Details tab to see the certificate fields and values):

Certificate     Thumbprint                                  Subject name
Token Issuer    7b89dcbe0e0abf36bca681d6bbe425ec56255a3e    TokenIssuer
Core Service    4c05947bae2a140614631b24257cdd7abfbd5646    CoreService

Procedure

  1. On the Content Manager server, access the web\ subdirectory of %TRIDION_HOME%.
  2. Open Web.config for editing.
  3. Modify the following endpoints:
    <endpoint name="netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/netTcp" 
    binding="netTcpBinding" bindingConfiguration="CoreService_netTcpBinding" contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService" 
    behaviorConfiguration="Tridion.ContentManager.CoreServiceBehavior" />
    <endpoint name="batch_netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/batch_netTcp" binding="netTcpBinding" 
    bindingConfiguration="CoreService_netTcpBinding" contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch" 
    behaviorConfiguration="Tridion.ContentManager.CoreServiceBehavior" />
    1. Change binding="netTcpBinding" to binding="customBinding".
    2. Change bindingConfiguration="CoreService_netTcpBinding" to bindingConfiguration="CoreService_netFederationTcpBinding".
    3. Change behaviorConfiguration="Tridion.ContentManager.CoreServiceBehavior" to behaviorConfiguration="CoreService_SamlBehavior".
    4. In the first endpoint, change address="net.tcp://localhost:2660/CoreService/201701/netTcp" to address="net.tcp://localhost:2660/CoreService/201701/netFederationTcp".
    5. In the second endpoint, change address="net.tcp://localhost:2660/CoreService/201701/batch_netTcp" to address="net.tcp://localhost:2660/CoreService/201701/batch_netFederationTcp".
    6. Add an <identity> element to each endpoint and set the <dns> value to match the subject name of the certificate the Core Service presents, that is, the Core Service certificate configured in step 6 (CoreService in the demonstration values above; DomainName below is a placeholder). The client checks this value against the certificate it receives, so a mismatch causes the connection to be rejected. For example:
      <identity>
      	<dns value="DomainName"/>
      </identity>
    The two endpoints then look like this:
    <endpoint name="netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/netFederationTcp" 
    	binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" 
    	contract="Tridion.ContentManager.CoreService.Client.ISessionAwareCoreService" behaviorConfiguration="CoreService_SamlBehavior">
    	<identity>
    		<dns value="DomainName"/>
    	</identity>
    </endpoint>
    <endpoint name="batch_netSamlTcp_201701" address="net.tcp://localhost:2660/CoreService/201701/batch_netFederationTcp" 
    	binding="customBinding" bindingConfiguration="CoreService_netFederationTcpBinding" 
    	contract="Tridion.ContentManager.CoreService.Client.ICoreServiceBatch" behaviorConfiguration="CoreService_SamlBehavior">
    	<identity>
    		<dns value="DomainName"/>
    	</identity>
    </endpoint>
  4. Go to the <behaviors> section:
    <behaviors>
      <endpointBehaviors>
        <behavior name="Tridion.ContentManager.CoreServiceBehavior">
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
          <etwTracingBehaviour />
        </behavior>
        <!-- 
          For custom certificates, configure the clientCertificate and serviceCertificate - adjust the store locations, store names and 
          subject names for your certificates. Client certificate is used to issue SAML tokens, and service certificate represents the 
          CoreService host.
          Note: check and update the Version of Tridion.ContentManager.CoreService.Client below.
    
          <behavior name="CoreService_SamlBehavior">
            <clientCredentials type="Tridion.ContentManager.CoreService.Client.Security.ClaimsClientCredentials, Tridion.ContentManager.CoreService.Client, 
              Version=9.0.0.0, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" supportInteractive="false">
              <clientCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindByThumbprint" 
                findValue="abcdef1234567890abcdef1234567890abcdef12" />
              <serviceCertificate>
                <defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindByThumbprint" findValue="abcdef1234567890abcdef1234567890abcdef12" />
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        -->
      </endpointBehaviors>
    </behaviors>
  5. Uncomment the commented-out behavior element, and in the clientCertificate element, set the attribute values to match your Token Issuer certificate:
    <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" findValue="TokenIssuer" />
    The <clientCertificate> element has the following attributes:

    storeName
      It is recommended to use My, unless you are familiar with certificates:
      http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename

    storeLocation
      It is recommended to use LocalMachine, or you can store the certificate specifically for the Windows user running Core Service related processes:
      http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation

    x509FindType
      It is recommended to use FindBySubjectName, although you can use something else such as FindByThumbprint:
      http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509findtype.aspx
      Note that FindBySubjectName matches every certificate whose subject contains the value, and the lookup fails at runtime if more than one certificate in the store matches; FindByThumbprint identifies exactly one certificate.

    findValue
      The unique value of the certificate, identified depending on the x509FindType setting. In IIS, select the certificate and choose View. The Details tab shows the fields and values.

    The Token Issuer certificate is used to sign SAML tokens, so its private key must be present in the store and readable by the identity of the IIS application pool that runs the user interface.
  6. In the <serviceCertificate> section, set the <defaultCertificate> element values to match your Core Service certificate:
    <serviceCertificate>
    	<defaultCertificate storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" findValue="CoreService" />
    </serviceCertificate>
    The <defaultCertificate> element takes the same storeName, storeLocation, x509FindType and findValue attributes as the <clientCertificate> element in step 5, with the same recommendations. The example uses the TrustedPeople store because only the public part of the Core Service certificate is needed on the client side; the corresponding private key stays with the Core Service host.
  7. Save and close Web.config.
  8. Restart IIS.
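
The following PowerShell script is an added example and is not part of this page or of SDL's own tooling. It performs steps 3 to 7 of the procedure above on a Web.config and, before touching the file, checks that the two certificates can be found and that the Token Issuer certificate has a private key. It assumes the demonstration subject names TokenIssuer and CoreService, the store names My and TrustedPeople used in the examples above, and the placeholder DNS identity DomainName; all four are parameters and must be replaced with your own values. It writes the resolved thumbprints into Web.config (FindByThumbprint rather than the recommended FindBySubjectName) so that the lookup can never be ambiguous. Run it in an elevated session on the Content Manager server.

```powershell
# Added example, not SDL's own tooling: resolves the two certificates, checks
# them, and applies the Web.config edits from steps 3 to 7. Run elevated.
# Assumed values (replace for your environment): subject names TokenIssuer and
# CoreService from the demonstration table, stores My and TrustedPeople as in
# the examples, and the placeholder DNS identity "DomainName".
param(
    [string]$WebConfig     = (Join-Path $env:TRIDION_HOME 'web\Web.config'),
    [string]$TokenIssuerCN = 'TokenIssuer',
    [string]$CoreServiceCN = 'CoreService',
    [string]$DnsIdentity   = 'DomainName'
)
$ErrorActionPreference = 'Stop'

# Look a certificate up by subject name and insist on exactly one live match.
# Subject-name matching is a substring match, so "CoreService" also matches
# "CoreServiceOld"; an ambiguous match would otherwise only fail at runtime.
function Resolve-Cert([string]$StorePath, [string]$Cn, [bool]$NeedPrivateKey) {
    $hits = @(Get-ChildItem $StorePath | Where-Object { $_.Subject -like "CN=$Cn*" })
    if ($hits.Count -ne 1) {
        throw "Expected one certificate with CN=$Cn in $StorePath, found $($hits.Count)"
    }
    $cert = $hits[0]
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) ($Cn) has expired" }
    # The token issuer signs SAML tokens, so its private key must be in the
    # store and readable by the IIS application pool identity.
    if ($NeedPrivateKey -and -not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) ($Cn) has no private key; it cannot sign tokens"
    }
    return $cert
}

$issuer  = Resolve-Cert 'Cert:\LocalMachine\My'            $TokenIssuerCN $true
$service = Resolve-Cert 'Cert:\LocalMachine\TrustedPeople' $CoreServiceCN $false
Write-Host "Token issuer : $($issuer.Thumbprint)"
Write-Host "Core Service : $($service.Thumbprint)"

Copy-Item $WebConfig "$WebConfig.bak" -Force
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($WebConfig)

# Step 3: move both SAML endpoints to the federation binding and add <identity>.
foreach ($name in 'netSamlTcp_201701', 'batch_netSamlTcp_201701') {
    $ep = $cfg.SelectSingleNode("//endpoint[@name='$name']")
    if (-not $ep) { throw "Endpoint $name not found in $WebConfig" }
    $ep.SetAttribute('binding', 'customBinding')
    $ep.SetAttribute('bindingConfiguration', 'CoreService_netFederationTcpBinding')
    $ep.SetAttribute('behaviorConfiguration', 'CoreService_SamlBehavior')
    # netTcp -> netFederationTcp and batch_netTcp -> batch_netFederationTcp;
    # an address that was already converted is left alone.
    $ep.SetAttribute('address', ($ep.GetAttribute('address') -replace 'netTcp$', 'netFederationTcp'))
    if (-not $ep.SelectSingleNode('identity')) {
        $identity = $cfg.CreateElement('identity')
        $dns = $cfg.CreateElement('dns')
        $dns.SetAttribute('value', $DnsIdentity)
        [void]$identity.AppendChild($dns)
        [void]$ep.AppendChild($identity)
    }
}

# Steps 4 and 5: lift CoreService_SamlBehavior out of its XML comment.
$behaviors = $cfg.SelectSingleNode('//behaviors/endpointBehaviors')
if (-not $behaviors) { throw "No <behaviors>/<endpointBehaviors> section in $WebConfig" }
if (-not $behaviors.SelectSingleNode("behavior[@name='CoreService_SamlBehavior']")) {
    $comment = $behaviors.SelectNodes('comment()') |
        Where-Object { $_.Value -match 'CoreService_SamlBehavior' } | Select-Object -First 1
    if (-not $comment) { throw 'Commented-out CoreService_SamlBehavior block not found' }
    # Only the <behavior> element is XML; the explanatory prose in the comment is not.
    if ($comment.Value -match '(?s)(<behavior name="CoreService_SamlBehavior">.*</behavior>)') {
        $frag = $cfg.CreateDocumentFragment()
        $frag.InnerXml = $Matches[1]
        [void]$behaviors.InsertAfter($frag, $comment)
    } else { throw 'Could not extract the <behavior> element from the comment' }
}

# Steps 5 and 6: point the behavior at the certificates found above.
$behavior = $behaviors.SelectSingleNode("behavior[@name='CoreService_SamlBehavior']")
$targets = @(
    @{ Node = 'clientCredentials/clientCertificate';                     Store = 'My';            Cert = $issuer  },
    @{ Node = 'clientCredentials/serviceCertificate/defaultCertificate'; Store = 'TrustedPeople'; Cert = $service }
)
foreach ($t in $targets) {
    $el = $behavior.SelectSingleNode($t.Node)
    if (-not $el) { throw "Element $($t.Node) not found in CoreService_SamlBehavior" }
    $el.SetAttribute('storeLocation', 'LocalMachine')
    $el.SetAttribute('storeName', $t.Store)
    $el.SetAttribute('x509FindType', 'FindByThumbprint')
    $el.SetAttribute('findValue', $t.Cert.Thumbprint)
}

$cfg.Save($WebConfig)   # step 7
Write-Host "Updated $WebConfig (backup at $WebConfig.bak); run iisreset to apply (step 8)."
```

The script stops at the first certificate problem rather than writing a Web.config that would only fail when the first user signs in, and it keeps a backup of the original file. The Version attribute on the clientCredentials type is copied out of the comment unchanged, so check it against the installed Tridion.ContentManager.CoreService.Client assembly as the comment in Web.config asks.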