Validate certificates on external web service endpoints called from AL HttpClient

Business value

This new feature enhances the security of HTTP calls in your AL applications by validating all server certificates used for outgoing web service calls. With certificate validation enabled by default, you can ensure a higher level of trust and security in your communications. If needed, you have the flexibility to selectively disable certificate validation for specific calls, and a new telemetry event helps you debug any failures. By providing robust security measures and debugging tools, this feature adds value by protecting your business from potential security threats and ensuring smooth, secure operations.

Feature details

To enhance security of HTTP calls from AL, the AL runtime now validates all server certificates used when calling a web service endpoint from the HttpClient datatype. Certificate validation is enabled by default. A server certificate is installed on the endpoint side—it's not the certificate you attach to a request in AL.

If an app or per-tenant extension needs to selectively disable certificate validation, a new property has been added to the HttpClient datatype that allows the AL code to disable server certificate validation for the outgoing web service call.

If the publisher of an app or per-tenant extension needs to debug failing HTTP calls due to server certificates that fail to be validated, a new telemetry event has been added and will be emitted in case of certificate validation failures.

The ability to disable certificate validation is controlled by a feature management key to allow app and per-tenant extension publishers to modify their code. In version 27, certificate validation will be enabled by default without the ability to switch it off.

Tell us what you think

Help us improve Dynamics 365 Business Central by discussing ideas, providing suggestions, and giving feedback. Use the forum at https://aka.ms/bcideas.