Elster Certificate Setup Microsoft Dynamics 365 for Finance and Operations

Here is a step-by-step instruction with screenshots on how to set up Elster in Dynamics 365 for Finance and Operations (Version 8.0), which requires the certificates to be stored in Key Vault on the Azure Portal.

The steps are with reference to the following articles:

https://support.microsoft.com/en-us/help/4040294/maintaining-azure-key-vault-storage

https://support.microsoft.com/en-us/help/4040305/setting-up-azure-key-vault-client

1. Create a Key Vault storage

- Open the Microsoft Azure portal using the link: https://ms.portal.azure.com/.

- Click the "Create a resource" button on the left panel to create a new resource. Choose the “Security” group and the "Key Vault" resource type.

- The "Create key vault" page is opened. Here, you should define key vault storage parameters and then click the "Create" button:

- Specify "Name" of the key vault. This parameter is referred to in "Setting up Azure Key Vault Client" as <KeyVaultName>.

- Select your subscription.

- Choose a resource group. It’s like an internal directory inside the key vault storage. You may either use an existing resource group or create a new one.

- Select your location.

- Select a pricing tier.

- Click "Create".

- Pin the created Key vault to the Dashboard.

2. Create an entry point for your application

Create an entry point for your application that uses the key vault storage.

- Click on "Azure Active Directory" from the left panel and open the active directory.

- Choose the "App registrations" tab.

- Click the "New application registration" button on the bottom panel to create a new application entry.

- Specify a "Name" of the application and select an appropriate type.

Note: On this page you may also define the "Sign-on URL", that should have a format http://<AppName>, where <AppName> is an application name specified on the previous page. <AppName> must be defined in the access policies for the key vault storage.

- Click the "Create" button.

3. Configure your application

- Open the "App registrations" tab.

- Find an appropriate application. The "Application ID" field has the same value as the <Key Vault Client> parameter.

- Click the "Settings" button and then open the "Keys" tab.

- Generate a key. It’s used for a secured access to the key vault storage from the application.

• Fill in the "Description" field.

• You may create a key with a duration of one or two years. After clicking the "Save" button in the bottom part of the page, the Key Value becomes visible.

Note: The Key Value is a mandatory parameter for integration with the key vault. It should be copied and then specified in the application. It is referred to in "Setting up Azure Key Vault Client" as the <Key Vault secret key> parameter.

- Copy the value of "Application ID" from the configuration. It should be specified in the application, and is referred to in "Setting up Azure Key Vault Client" as the <Key Vault Client> parameter.

4. Add an application to the key vault storage

Add your application to the key vault storage created before.

- Open your key vault storage (e.g. TestElster) and click on the tile "Access policies".

- Click on the "Add new" button and choose the "Select principal" option. Then you should find your application by its name. When the application is found, click the "Select" button.

- Fill the "Configure from template" field and click the Ok button.

Note: On this page, you also may set up the key permissions if necessary.

5. Prepare the certificates to be uploaded to your Key Vault Storage

As the signature key and encryption key are stored in one personal .pfx certificate (which you received from the German Tax Authority), you need to separate them, so that you have them both as two different .pfx files as the result.

Export them separately from the management console:

The result should be two different files:

There is a step-by-step instruction in German, how to export them from the management console (mmc) to files:

https://blogs.msdn.microsoft.com/german_nav_developer/elsterzertifikat/

You need to follow the same procedure for the client-offen.p12 certificate.

Export the “elster-offeneschnittstelle” certificate from the management console (use the same password) to a .pfx file.

6. Upload *.pfx certificates to Secrets in Key Vault Storage

The certificates with extension *.pfx can be uploaded to the Azure Key Vault using a PowerShell script.

• Install the module AzureRM for PowerShell following this instruction: https://docs.microsoft.com/ru-ru/powershell/azure/install-azurerm-ps?view=azurermps-5.4.0

• Run a script in PowerShell like the example below, shown for the “client-offen.p12” certificate:

--------------------------------------------------

# Sign in to Azure (AzureRM module)
Login-AzureRmAccount

# Values to adjust to your environment and certificates
$pfxFilePath = 'C:\Temp\Elster\client-offen\Elster_Authentication_P12.pfx'
$pfxPassword = 'fcacc8c19458068c'   # password chosen when exporting the .pfx
$secretName = 'AuthenticationKey'
$keyVaultName = 'TestElster'

# Load the .pfx, including its private key
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

# Re-export as PKCS#12 and Base64-encode the bytes for storage as a secret
$clearBytes = $collection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force

# Store the secret in the key vault
Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $secret -ContentType 'application/x-pkcs12'

--------------------------------------------------

The lines marked in yellow need to be adjusted to your environment and certificates.

Afterwards, just copy the lines and paste them into your Windows PowerShell (I ran it as Administrator). The result in PowerShell looks like this:

And the result in Key Vault Store on Azure Portal looks like this:

Do the same with your EncryptionKey and SignatureKey.
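
A variant of the upload script above that handles all three .pfx files in one run, prompts for the export password instead of keeping it in the script, and reads each secret back to confirm that the stored certificate matches the local file. This is an added example, not part of the original guide; the EncryptionKey and SignatureKey file paths are hypothetical, and it assumes all three files were exported with the same password.

```powershell
# Added example (not from the original guide). Vault and secret names follow
# the page; the EncryptionKey/SignatureKey paths are hypothetical.
Login-AzureRmAccount

$keyVaultName = 'TestElster'
$pfxFiles = @{   # secret name -> local .pfx file
    AuthenticationKey = 'C:\Temp\Elster\client-offen\Elster_Authentication_P12.pfx'
    EncryptionKey     = 'C:\Temp\Elster\EncryptionKey.pfx'   # hypothetical path
    SignatureKey      = 'C:\Temp\Elster\SignatureKey.pfx'    # hypothetical path
}
$x509   = 'System.Security.Cryptography.X509Certificates'
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$pkcs12 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12

# Prompt once so the password is not stored in the script or command history.
# Assumption: all three files were exported with the same password.
$securePwd = Read-Host -Prompt 'PFX export password' -AsSecureString
$plainPwd  = (New-Object System.Net.NetworkCredential('', $securePwd)).Password

foreach ($secretName in $pfxFiles.Keys) {
    $collection = New-Object -TypeName "$x509.X509Certificate2Collection"
    $collection.Import($pfxFiles[$secretName], $plainPwd, $flags)
    if (-not ($collection | Where-Object { $_.HasPrivateKey })) {
        Write-Warning "${secretName}: file contains no private key"
    }

    # Same encoding as the script above: PKCS#12 bytes, Base64, SecureString.
    $encoded = [System.Convert]::ToBase64String($collection.Export($pkcs12))
    $secret  = ConvertTo-SecureString -String $encoded -AsPlainText -Force
    Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $secretName `
        -SecretValue $secret -ContentType 'application/x-pkcs12' | Out-Null

    # Read the secret back and compare certificate thumbprints with the file.
    $stored = Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $secretName
    $value  = (New-Object System.Net.NetworkCredential('', $stored.SecretValue)).Password
    $check  = New-Object -TypeName "$x509.X509Certificate2Collection"
    $check.Import([System.Convert]::FromBase64String($value), '', $flags)
    $local  = @($collection | ForEach-Object { $_.Thumbprint } | Sort-Object)
    $remote = @($check | ForEach-Object { $_.Thumbprint } | Sort-Object)
    if (Compare-Object $local $remote) {
        throw "${secretName}: certificate in Key Vault differs from the local file"
    }
    Write-Output "${secretName}: uploaded and verified ($($local -join ', '))"
}

# Drop the plaintext copies from the session.
Remove-Variable plainPwd, encoded, value
```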

7. Generate the FrontendKey to Secrets in Key Vault Storage

For the FrontendKey, you need to generate the certificate manually in the Secrets of your Key Vault storage.

Here please do the following steps:

- In your Key Vault Store click on “Generate/Import”

- Generate the certificate, providing:

a. Upload options = Manual

b. Name = FrontendKey

c. Value = {"CertBytes":"…","Password":""}

d. Content type = application/x-x509-ca-cert

- Click Create

- Select the FrontendKey certificate

- On the right side click “Tags”

- Enter Tag Name = “type”, Tag Value = “certificate” (without double quotes and lower case) and press OK

- Then click Save

8. Setting up Azure Key Vault Client on Dynamics 365 for Finance and Operations

First, you have to activate the “Advance Certificate Store” under System administration \ Setup \ System parameters.

Now open the form "Key Vault parameters" in the System administration module (System administration \ Setup \ Key Vault parameters). Create a new instance of Key Vault parameter, define a name and a description for it.

Go to tab "General" and specify the mandatory parameters used for the integration with Azure Key Vault storage:

• Key Vault URL

You can find this value in the Azure Portal: open your Key Vault storage, select Secrets, and then select a secret, e.g. EncryptionKey.

Scroll to the right side and copy the Secret Identifier

• Key Vault client

You can find this value on your Azure Portal \ App registrations \ “Your registered app”

Scroll to the right side and copy the Application ID

• Key Vault secret key

This is the value which you should have copied in step “3. Configure your application”.

If you did not copy it there, then go to Azure Portal \ App registrations \ “Your registered app”

Click on Settings \ Keys and create a new Password

The result should look like this:

Now, you need to reference the certificates on the Secrets tab:

Click on Add and fill in the first line:

Name = EncryptionKey

Description = Personal Certificate

Secret = vault:///EncryptionKey

Secret type = Certificate

Second Line:

Name = SignatureKey

Description = Personal Certificate

Secret = vault:///SignatureKey

Secret type = Certificate

Third Line:

Name = FrontendKey

Description = Public Certificate

Secret = vault:///FrontendKey

Secret type = Certificate

Fourth Line:

Name = AuthenticationKey

Description = Public Certificate

Secret = vault:///AuthenticationKey

Secret type = Certificate

Click “Validate” on each of the four lines to check that the certificates can be fetched.

The validation must be successful in all four lines!

Afterwards go to Tax \ Setup \ Sales Tax \ Electronic tax certificates and reference the certificates to the users:

Signer certificate = SignatureKey

Encrypt certificate = EncryptionKey

Elster certificate = FrontendKey

Auth. certificate = AuthenticationKey

If everything is set up correctly, you should now be able to do the Elster submission successfully.