Upgrade Service Bus to support TLS 1.2
Overview
Assumptions
TLS 1.2 must not be enforced prior to running this upgrade.
This guide goes through the steps to upgrade a typical installation of Workflow Manager (CU2, Refresh) and Service Bus 1.1 to Service Bus 1.1 with TLS 1.2.
Warning
The steps in this guide are for a single-server setup of Service Bus/Workflow Manager. The upgrade scenario for multiple nodes will differ.
Installed Programs
Name | Version |
---|---|
Windows Service Bus 1.1 | 2.0.30904.0 |
Windows Fabric | 1.0.976.0 |
Workflow Manager 1.0 | 2.0.40131.0 |
Workflow Manager Client 1.0 | 2.1.10607.2 |
Installed Updates
Name | Version |
---|---|
Service Bus 1.1 | KB3086798 |
Windows Fabric Patch | 1.0.976.0 |
Requirements
- You must have the CertificateAutoGenerationKey for Service Bus available
- You must have the Credential for ServiceBus RunAs account available
Stop Services
Stop Zervicepoint, Workflow Manager and Service Bus
# PowerShell prompt must be run as an administrator
Stop-Service -Name ProcessSystem,ProvisioningSystem,ProvisioningSystemInventory
# PowerShell prompt must be run as an administrator
Stop-WFHost
# PowerShell prompt must be run as an administrator
Stop-SBFarm
Remove SB Host
Tip
Save the "SBFarmDBConnectionString" from the output of the Remove-SBHost command, as you will need it later.
Remove-SBHost
Uninstall ServiceBus 1.1 and Windows Fabric
Uninstall the following programs from Control Panel > Programs > Programs and Features
Ensure "C:\Program Files\Service Bus" is removed
Restart Computer
Install Service Bus with TLS 1.2
After rebooting the server, you can proceed with installing Service Bus TLS 1.2 using the Web Platform Installer.
Install Windows Azure Pack: Service Bus 1.1 with TLS 1.2 Support
Restart Computer
You must restart the computer after installing Service Bus 1.1 with TLS 1.2 Support. Dependency failures will occur if no restart is completed.
Upgrade Service Bus Farm
After installing ServiceBus 1.2 and restarting the server, run the PowerShell cmdlet Invoke-SBFarmUpgrade. This command needs the following input parameters: SBFarmDBConnectionString and CertificateAutoGenerationKey.
Info
CertificateAutoGenerationKey is the "secret" that was used when installing Service Bus.
# PowerShell prompt must be run as an administrator
$key = ConvertTo-SecureString -String "<MySecret>" -AsPlainText -Force
$SBFarmDBConnectionString = "<the connection string in the output from the Remove-SBhost command>"
Invoke-SBFarmUpgrade -SBFarmDBConnectionString $SBFarmDBConnectionString -CertificateAutoGenerationKey $key -Verbose
Note
If you encounter the error 'Invoke-SBFarmUpgrade : Upgrade encountered an exception in upgrade_GatewayDatabase_2.13.0.0_1.7.81.0: Online index operations can only be performed in Enterprise edition of SQL Server.', a workaround is to edit the upgrade script file C:\Program Files\Service Bus\1.1\CommonGatewayStoreUpgrade.sql, replacing "ONLINE = ON" with "ONLINE = OFF". See: Rebuilding indexes on invokesbfarmupgrade
Add Service Bus node back to farm
# PowerShell prompt must be run as an administrator
$key = ConvertTo-SecureString -String "<MySecret>" -AsPlainText -Force
$RunAsPassword = ConvertTo-SecureString -String "<MySecret>" -AsPlainText -Force # This is the password of the RunAs account for Service Bus
$SBFarmDBConnectionString = "<the connection string in the output from the Remove-SBhost command>"
Add-SBHost -SBFarmDBConnectionString $SBFarmDBConnectionString -RunAsPassword $RunAsPassword -CertificateAutoGenerationKey $key -EnableFirewallRules:$true -Verbose
Upgrade Workflow Manager to CU5
Install Workflow Manager 1.0 Cumulative Update 5 using the Web Platform Installer.
Post-Upgrade steps for Workflow Manager to CU5
After installing CU5 for Workflow Manager, two SQL Scripts must be run.
Run this script on the database WFInstanceManagementDB
C:\Program Files\Workflow Manager\1.0\Workflow\WorkflowServiceInstanceManagementDBUpgradeScript.sql
Run this script on the database WFResourceManagementDB
C:\Program Files\Workflow Manager\1.0\Workflow\WorkflowServiceResourceManagementDBUpgradeScript.sql
How to run script on database
- Start SQL Management Studio and connect to the SQL instance that hosts the Workflow Manager databases.
- Right-click the database and select "New Query".
- Copy and paste the query from the SQL script file.
- Click "Execute" or F5 to run the query.
Ensure ServiceBus and Workflow Manager are running
Verify Service Bus is running
Get-SBFarmStatus
Get-WFFarmStatus
Start-Service -Name ProcessSystem
Post-Configuration
Force .NET to use TLS 1.2
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Restart Computer
Restart-Computer
Zervicepoint, ServiceBus and Workflow Manager should now be able to work with just TLS 1.2.
If you want to test this out, you can configure the Windows Registry to enforce TLS 1.2.
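One way to enforce TLS 1.2 through the registry, as an added example that is not part of the original guide: the script below sets the Schannel protocol keys so that only TLS 1.2 stays enabled, then reads the values back. The list of protocols to disable (SSL 3.0, TLS 1.0, TLS 1.1) is an assumption; adjust it to your own policy.

```powershell
# Added example, not from the original guide.
# PowerShell prompt must be run as an administrator
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Assumption: which protocols to turn off ($false) and which to keep ($true).
$protocols = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

foreach ($name in $protocols.Keys) {
    # Schannel keeps separate settings for outbound (Client) and inbound (Server) connections.
    foreach ($role in 'Client', 'Server') {
        $path = "$base\$name\$role"
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        $enabled = [int]$protocols[$name]   # 1 = enabled, 0 = disabled
        Set-ItemProperty -Path $path -Name 'Enabled' -Value $enabled -Type DWord
        Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value (1 - $enabled) -Type DWord
    }
}

# Read the values back so the result can be reviewed before restarting.
foreach ($name in $protocols.Keys) {
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$base\$name\$role"
        [pscustomobject]@{
            Protocol          = $name
            Role              = $role
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    }
}
```

Schannel reads these values at startup, so restart the computer afterwards and then run Get-SBFarmStatus and Get-WFFarmStatus again to confirm both farms still start with the older protocols disabled.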