Enable remote access from intranet with TLS/SSL certificate (Advanced)

In this tutorial, you will learn how to set up a self-hosted integration runtime with multiple on-premises machines and enable remote access from intranet with TLS/SSL certificate (Advanced) to secure communication between integration runtime nodes.

Prerequisites

  • An introduction to SSL/TLS Strong Encryption.
  • Certificate could be a general TLS certificate for a Web Server. Requirements:
    • The certificate must be a publicly trusted X509 v3 certificate. We recommend that you use certificates that are issued by a public partner certification authority (CA).
    • Each integration runtime node must trust this certificate.
    • We recommend Subject Alternative Name (SAN) certificates because all the fully qualified domain names (FQDN) of integration runtime nodes are required to be secured by this certificate. (WCF TLS/SSL validate only check last DNS Name in SAN was fixed in .NET Framework 4.6.1. Refer to Mitigation: X509CertificateClaimSet.FindClaims Method for more information.)
    • Wildcard certificates (*) are not supported.
    • The certificate must have a private key (like PFX format).
    • The certificate can use any key size supported by Windows Server 2012 R2 for TLS/SSL certificates.
    • We only support CSP (Cryptographic Service Provider) certificate so far. Certificates that use CNG keys (Key Storage Provider) aren't supported.

Steps

  1. Run below PowerShell command on all machines to get their FQDNs:

    [System.Net.Dns]::GetHostByName("localhost").HostName
    

    For example, the FQDNs are node1.domain.contoso.com and node2.domain.contoso.com.

  2. Generate a certificate with the FQDNs of all machines in Subject Alternative Name.

    Screenshot that shows generating certificate in subject alternative name.

  3. Install the certificate on all nodes to Local Machine -> Personal so that it can be selected on the integration runtime configuration manager:

    1. Click on the certificate and install it.

    2. Select Local Machine and enter the password.

      Screenshot that shows selecting local machine.

    3. Select Place all certificates in the following store. Click Browse. Select Personal.

    4. Select Finish to install the certificate.

  4. Enable remote access from intranet:

    1. During the self-hosted integration runtime node registration:

      1. Select Enable remote access from intranet and select Next.

        Screenshot that shows enabling remote access from intranet.

      2. Set the Tcp Port (8060 by default). Make sure the port is open on firewall.

      3. Click Select. In the pop-up window, choose the right certificate and select Finish.

        Screenshot that shows selecting certificate.

    2. After the self-hosted integration runtime node is registered:

      Note

      The self-hosted integration runtime can change the remote access settings only when it has single node, which is by design. Otherwise, the radio button cannot be checked.

      Screenshot that shows enabling with TLS/SSL certificate (Advanced).

      1. Go to self-hosted Integration Runtime Configuration Manager -> Settings -> Remote access from intranet. Click Change.

      2. Choose Enable with TLS/SSL certificate (Advanced).

      3. Click Select. In the pop-up window, choose the right certificate and select OK.

        Screenshot that shows choosing certificate.

    3. Verify the remote access settings in self-hosted Integration Runtime Configuration Manager.

      Screenshot that shows verifying the remote access settings in Self-hosted Integration Runtime Configuration Manager step 1.

      Screenshot that shows verifying the remote access settings in Self-hosted Integration Runtime Configuration Manager step 2.

  5. Using a self-signed certificate if you don’t have the publicly trusted certificate:

    1. Generate and export a self-signed certificate (this step can be skipped if you already have the certificate):

      1. Generate a self-signed certificate via PowerShell (with elevated privileges):

        New-SelfSignedCertificate -DnsName contoso.com, node1.domain.contoso.com, node2.domain.contoso.com -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -CertStoreLocation cert:\LocalMachine\My
        
      2. To export the generated certificate with a private key to a password protected PFX file, you will need its thumbprint. It can be copied from the results of New-SelfSignedCertificate command. For example, it is CEB5B4372AA7BF877E56BCE27542F9F0A1AD197F.

      3. Export the generated certificate with the private key via PowerShell (with elevated privileges):

        $CertPassword = ConvertTo-SecureString -String “Password” -Force -AsPlainText
        Export-PfxCertificate -Cert
        cert:\LocalMachine\My\CEB5B4372AA7BF877E56BCE27542F9F0A1AD197F -FilePath C:\self-signedcertificate.pfx -Password $CertPassword            
        
      4. You have exported the certificate with the private key to C:\self-signedcertificate.pfx.

    2. Install the certificate on all nodes to: Local Machine -> Trusted Root Certification Authorities store:

      1. Click on the certificate and install it.
      2. Select Local Machine and enter the password.
      3. Select Place all certificates in the following store. Click Browse. Select Trusted Root Certification Authorities.
      4. Select Finish to install the certificate.

      Screenshot that shows install the certificate on all nodes.

  6. Troubleshooting

    1. Verify the certificate exists in the target store:

      1. Follow this procedure How to: View certificates with the MMC snap-in - WCF to view Certificates (Local Computer) in the MMC snap-in.

        Screenshot that shows viewing certificates in MMC snap in.

      2. Confirm the certificate is installed in Personal and Trusted Root Certification Authorities store (If it is a self-signed certificate).

        Screenshot that shows the certificate installed in Personal and Trusted Root Certification Authorities store.

    2. Verify the certificate has a private key and isn’t expired.

      Screenshot that shows verifying the certificate has a private key and isn’t expired.

    3. Make sure the service account for the self-hosted integration runtime (default account is NT SERVICE\DIAHostService) has read permission to the private keys of certificate:

      1. Right click on the certificate -> All Tasks -> Manage Private Keys.

      2. If no, grant the permission, Apply and save.

        Screenshot that shows the Service account for the self-hosted integration runtime has read permission to the private keys of certificate.