Skip to main content

Xconnect certificate thumbprint and communication with sitecore and xconnect

Hello People,

One of my blog post i was writing about the issue i had with my xconnect and experience analytics not working

On the same line i had to troubleshoot and check xconnect certificate and thumbprint in config files, So i also discovered in this process that lot of people like me did not have exact idea about how xconnect and sitecore communicates and what is thumbprint and why it is used and where it is configured, So thought to do a quick blog post about it.

Communication between Sitecore and Xconnect
Everyone of us will need to work with xconnect directly or indirectly, so its better to understand how sitecore talks to xconnect.


xconnect (Definition)
xConnect is the service layer that sits in between the xDB and any trusted client, device, or interface that wants to read, write, or search xDB data. Communication must happen over HTTPS and clients must have the appropriate certificate thumbprint

Now my point of interest here is to tell you is how Sitecore and xconnect connects and what is the  thumbprint for it and where it is configured.

So xconnect is the server where client connects, so here in our case sitecore is the client which connect to xconnect for its services like analytics and marketing automation features and services which are abstracted in xconnect.

Why xconnect certificate is used
It provides additional layer of scurity and It is considered secure than traditional user name and password to communicate and it is cryptographically secure way to have a communication between Sitecore & Xconnect.

Now if we observe the xconnect AppSettings.config file of xconnect role



  • AllowInvalidClientCertificates 
         This defines if the Sitecore is allowed to connect even if the certificate is invalid, So this is also   interesting to know that if you still want to connect if you do not have trusted client certificate, you can still use that certificate but you just need to keep the value of AllowInvalidClientCertificates =true. (though not recommended for production)
  • ValidateCertificateThumbprint
         This is thumbprint of the xconnect certificate, and this setting defines that what other roles should have which thumbprint, you can verify this thumbprint with the certificate thumbprint to make sure that which certificate is being used to communicate.



As shown above, i have opened the xconnect certificate and see the thumbprint, so we can make sure that this is the certificate and the thumbprint should be used in all roles (if scaled environment)

  • Thumbprint needed in what roles in scaled environments 
In our case we had CM server and CD server, and on CM server we had different roles installed on same CM server with different IIS instance of those role configured, So go to Connectionstring.config and AppSettings.config of all roles like Processing, Reporting, Xconnect Search, Content Managemnet, Content Delivery and verify the thumbprint with xconnect thumbprint and make sure that those are same as xconnect certificate thumbprint.


So, hope above information helps to understand why xconnect is needed, where to find thumbprint, what if we do not have trusted certificate and what all roles will need the same thumbprint to connect with xconnect.


Labels:

Comments

Post a Comment

Popular posts from this blog

An error occurred while receiving the HTTP response to This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.

You have noticed many times that everything was working fine and suddenly the below error starts coming and you find no way to work it out An error occurred while receiving the HTTP response to This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. The reason for this is the receiving size of WCF service is smaller then the data which is coming from service It was working before because it was small,So you will have to try to increase the receiving setting in your end point,Possible settings can be following maxStringContentLength="2147483647" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" maxArrayLength="2147483647" That would definately help you!!!
1 comment
Read more

Sitecore Serialization - Error connecting to /.well-known/openid-configuration: Bad Gateway

Hi Team, Recently, I faced an issue where for the new project my Sitecore serialization started giving me following error. Error: "Error connecting to https://sc10.dev.local/.well-known/openid-configuration: Bad Gateway" My identity server when browsed above url was also not working and showing following. Well, I tried seeing logs and different things, I also followed what is given on these links.  https://sitecore.stackexchange.com/questions/34744/open-id-configuration-issue-with-sitecore-cli https://tekkishare.azurewebsites.net/pages/sitecore-clilogin-error-badgateway https://www.stockpick.nl/english/sitecore-cli-login-error/ But I was still getting the same error. Solution If you see above screenshot of my identity server, in "Troubleshooting steps" it is mentioned that "Check the system event log for error messages." It triggered me, I opened event log of windows, and I could see following error.  Now, i already update my .net run time version accordin
Post a Comment
Read more

Set up leprechaun code generation with Sitecore XM Cloud Starterkit

Hi Sitecorians, It has been amazing learning year so far and with the change in technology and shift of the focus on frontend frameworks and composable products, it has been market demand to keep learning and exploring new things. Reasons behind this blog Today's topic is something that was in my draft from April-May, and I always thought that there is already a good documentation out there for  Leprechaun  and a blog post is not needed, Until I realized that there was so many of us facing same kind of issues and same kind of problems and spending same amount of time, That is where I thought, if I could write something which can reduce that repetitive troubleshooting time, That would really help the community. 1)  In a project environment, if we get into some configuration issues, we resolve them, we make sure we are not blocked and continue, but if you think same issue, same step and same scenario will come to other people, so if we can draft it online, it will help other people 2
Post a Comment
Read more