[Service Fabric] How to Secure a standalone cluster (On Prem)
This blog post is based on this article – https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-for-windows-server; I ran into issues, so I would like to break it down step by step for easier reference, along with precautions.
Steps 1 and 2 have the same objective. All we need here is to make sure NETWORK SERVICE is added to the certificate's private key and has the permission set.
1) Install the certificate on the server node:- Console Root > Local Computer > Personal > Certificates > install at this level and hit refresh to confirm.
Once the installation is done, right-click the cert > All Tasks > Manage Private Keys > Add NETWORK SERVICE, leave the default permissions as they are and save. We should see "Allow" for Full control and Read permission.
2) Alternatively, you can achieve the same using PowerShell. Open the PowerShell ISE window and run the script below in Admin mode to make this update. This step is optional if you have already performed step #1 manually.
param
(
    [Parameter(Position=1, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$pfxThumbPrint,
    [Parameter(Position=2, Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$serviceAccount
)
# Locate the certificate in the machine store by thumbprint
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object -FilterScript { $PSItem.Thumbprint -eq $pfxThumbPrint }
if (-not $cert) { throw "No certificate with thumbprint $pfxThumbPrint found in Cert:\LocalMachine\My" }
# Specify the user, the permissions and the permission type
$permission = "$($serviceAccount)", "FullControl", "Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
# Location of the machine related keys (legacy CSP keys; CNG keys live under Microsoft\Crypto\Keys instead)
$keyPath = Join-Path -Path $env:ProgramData -ChildPath "Microsoft\Crypto\RSA\MachineKeys"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = Join-Path -Path $keyPath -ChildPath $keyName
# Get the current acl of the private key
$acl = (Get-Item $keyFullPath).GetAccessControl('Access')
# Add the new ace to the acl of the private key
$acl.SetAccessRule($accessRule)
# Write back the new acl
Set-Acl -Path $keyFullPath -AclObject $acl -ErrorAction Stop
# Observe the access rights currently assigned to this certificate.
Get-Acl $keyFullPath | Format-List
———————-
Parameter:-
On execution, enter your cert thumbprint and service account details as below.
pfxThumbPrint: AA4E00A783B246D53A88433xxxx55F493AC6D7
serviceAccount: NETWORK SERVICE
Output:-
Path   : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : Everyone Allow Write, Read, Synchronize
         NT AUTHORITY\NETWORK SERVICE Allow FullControl
         BUILTIN\Administrators Allow FullControl
Audit  :
Sddl   : O:SYG:SYD:PAI(A;;0x12019f;;;WD)(A;;FA;;;NS)(A;;FA;;;BA)
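Before moving on, a check I would run after step 1 or 2 (added example, not part of the original post): confirm that the service account really has read access to the private key file. Unlike the script above it also resolves CNG keys (stored under Microsoft\Crypto\Keys), for which $cert.PrivateKey.CspKeyContainerInfo is empty; Windows PowerShell 5.1 on the server node is assumed.

```powershell
# Added example, not part of the original post: confirm that a service account
# really has read access to a certificate's private key file before creating the
# cluster. Unlike the script above it also resolves CNG keys (Microsoft\Crypto\Keys),
# for which $cert.PrivateKey.CspKeyContainerInfo is empty. Windows PowerShell 5.1 assumed.
function Get-PrivateKeyFilePath {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Strip spaces and hidden characters that MMC copy/paste often adds to thumbprints
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert)               { throw "No certificate $tp in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key (import the PFX, not the .cer)" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key storage provider: key file is named after CngKey.UniqueName
        $base = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
        $name = $rsa.Key.UniqueName
    } else {
        # Legacy CSP key: the location the original script assumes
        $base = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    Join-Path $base $name
}

function Test-PrivateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
    )
    $path   = Get-PrivateKeyFilePath -Thumbprint $Thumbprint
    $needed = [System.Security.AccessControl.FileSystemRights]::Read
    # An Allow ACE for the account that contains every bit of Read (FullControl qualifies too)
    $granted = (Get-Acl -Path $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (($_.FileSystemRights -band $needed) -eq $needed)
    }
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        KeyFile    = $path
        Account    = $Account
        HasRead    = [bool]$granted
    }
}

# Usage (thumbprint is a placeholder): Test-PrivateKeyAccess -Thumbprint '<thumbprint>' | Format-List
```

If HasRead comes back False for NETWORK SERVICE, FabricHostSvc will not be able to use the cluster certificate, so fix the ACL (step 1 or 2) before running CreateServiceFabricCluster.ps1.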
3) Step 1 or step 2 is the only change required on the server side for the certificate.
Now download the package ("Download the Service Fabric standalone package" at https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-for-windows-server) and extract it to, say, C:\WindowsServiceFabricCluster.
4) Take the "ClusterConfig.X509.DevCluster" JSON template file, update it with your thumbprints and save it.
PS:- I have removed the secondary certificate and proxy certificate sections for simplicity.
"security": {
    "metadata": "The Credential type X509 indicates this is cluster is secured using X509 Certificates. The thumbprint format is – d5 ec 42 56 b9 d5 31 24 25 42 64.",
    "ClusterCredentialType": "X509",
    "ServerCredentialType": "X509",
    "CertificateInformation": {
        "ClusterCertificate": {
            "Thumbprint": "AA4E00A783B246D53Axxxxx3203855F493AC6D7",
            "X509StoreName": "My"
        },
        "ServerCertificate": {
            "Thumbprint": "AA4E00A783B246D53A8xxxxxx3855F493AC6D7",
            "X509StoreName": "My"
        },
        "ClientCertificateThumbprints": [
            {
                "CertificateThumbprint": "AA4E00A783B24xxxxx203855F493AC6D7",
                "IsAdmin": false
            },
            {
                "CertificateThumbprint": "AA4E00A783B246D5xxxxxx203855F493AC6D7",
                "IsAdmin": true
            }
        ]
    }
},
5) Now run the PowerShell script from this directory to create the cluster:
PS C:\WindowsServiceFabricCluster> .\CreateServiceFabricCluster.ps1 -ClusterConfigFilePath .\ClusterConfig.X509.DevCluster.json -AcceptEULA
Creating Service Fabric Cluster...
If it's taking too long, please check in Task Manager details and see if Fabric.exe for each node is running. If not, please look at: 1. traces in DeploymentTraces directory and 2. traces in FabricLogRoot configured in ClusterConfig.json.
Trace folder already exists. Traces will be written to existing trace folder: C:\temp\Microsoft.Azure.ServiceFabric.WindowsServer\DeploymentTraces
Running Best Practices Analyzer...
Best Practices Analyzer completed successfully.
Creating Service Fabric Cluster...
Processing and validating cluster config.
Configuring nodes.
Default installation directory chosen based on system drive of machine 'localhost'.
Copying installer to all machines.
Configuring machine 'localhost'.
Machine localhost configured.
Running Fabric service installation.
Successfully started FabricInstallerSvc on machine localhost
Successfully started FabricHostSvc on machine localhost
Your cluster is successfully created! You can connect and manage your cluster using Microsoft Azure Service Fabric Explorer or Powershell. To connect through Powershell, run 'Connect-ServiceFabricCluster [ClusterConnectionEndpoint]'.
6) At this stage we should see the cluster creation success message shown above. We are done with creating the cluster and securing it.
7) Now on the client side (end-user machine), when we try to browse the secured cluster over IE, we should see a dialog prompting for a certificate. That means it is working as expected; so far so good.
8) Now install the client certificate on your client machine. For simplicity's sake, I am using the same machine as client and server. But the certificate has to be installed under Current User when accessing the cluster over IE:
Certmgr > Current User > Personal > Certificates.
9) Now we are ready to access the cluster. Browse the cluster URL, say https://localhost:19080/, and we should see a cert selection dialog displayed.
How to create a self-signed certificate (PFX):- (Optional)
—————————————————————–
1) Open a PowerShell window and run this script as .\CertSetup.ps1 -Install.
The CertSetup.ps1 script is present inside the Service Fabric SDK folder, in the directory C:\Program Files\Microsoft SDKs\Service Fabric\ClusterSetup\Secure. You can edit this file if you do not want certain things in that script.
2) Export the .cer to PFX:
$pswd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Get-ChildItem -Path Cert:\LocalMachine\My\<Thumbprint> | Export-PfxCertificate -FilePath C:\mypfx.pfx -Password $pswd
Precaution:-
- How to: Retrieve the Thumbprint of a Certificate: https://msdn.microsoft.com/en-us/library/ms734695(v=vs.110).aspx. Remove the invisible chars in the thumbprint (use Notepad++ > Encoding > Encode in ANSI to reveal the invisible chars); don't use Notepad. http://stackoverflow.com/questions/11115511/how-to-find-certificate-by-its-thumbprint-in-c-sharp
- A couple of PowerShell scripts will help us remove the cluster or clean up a previous installation: .\RemoveServiceFabricCluster.ps1 and .\CleanFabric.ps1
- Make sure to use the PFX and not the .cer. Just in case you run into some environment problem during the dev stage, it is better to reimage and retry.
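To catch the thumbprint problems from step 4 and the first precaution before CreateServiceFabricCluster.ps1 does, here is a check I added (not part of the original post or the Service Fabric package). It assumes the "security" block sits under "properties", as in the stock ClusterConfig.X509.DevCluster.json, and that the client certs were installed under Current User as in step 8.

```powershell
# Added example, not part of the original post or the Service Fabric package: checks every
# thumbprint in the cluster config for hidden characters (the precaution above), the SHA-1
# length, and whether the cert is present in the store the steps install it to. Assumes the
# "security" block sits under "properties", as in the stock ClusterConfig.X509.DevCluster.json.
function Test-ClusterConfigThumbprints {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $certInfo = (Get-Content -Raw -Path $ConfigPath | ConvertFrom-Json).properties.security.CertificateInformation

    # Server-side certs must have a private key in LocalMachine\My (steps 1-4);
    # client certs were installed under Current User for IE (step 8), so look in both.
    $entries = @(
        [pscustomobject]@{ Role = 'ClusterCertificate'; Thumbprint = $certInfo.ClusterCertificate.Thumbprint; NeedsKey = $true }
        [pscustomobject]@{ Role = 'ServerCertificate';  Thumbprint = $certInfo.ServerCertificate.Thumbprint;  NeedsKey = $true }
    )
    foreach ($c in $certInfo.ClientCertificateThumbprints) {
        $role = if ($c.IsAdmin) { 'ClientCertificate (admin)' } else { 'ClientCertificate (user)' }
        $entries += [pscustomobject]@{ Role = $role; Thumbprint = $c.CertificateThumbprint; NeedsKey = $false }
    }

    foreach ($e in $entries) {
        $raw = [string]$e.Thumbprint
        # Report every non-hex character by code point, e.g. U+200E (left-to-right mark) or U+00A0
        $hidden = [regex]::Matches($raw, '[^0-9A-Fa-f]') | ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value }
        $clean  = ($raw -replace '[^0-9A-Fa-f]', '').ToUpper()

        $stores = if ($e.NeedsKey) { 'Cert:\LocalMachine\My' } else { 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My' }
        $match  = Get-ChildItem -Path $stores | Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
        $hasKey = if ($e.NeedsKey) { [bool]($match -and $match.HasPrivateKey) } else { 'n/a' }

        [pscustomobject]@{
            Role        = $e.Role
            Thumbprint  = $clean
            HiddenChars = ($hidden -join ',')
            LengthOk    = ($clean.Length -eq 40)   # SHA-1 thumbprint = 40 hex digits
            InStore     = [bool]$match
            PrivateKey  = $hasKey
        }
    }
}

# Usage: Test-ClusterConfigThumbprints -ConfigPath .\ClusterConfig.X509.DevCluster.json | Format-Table -AutoSize
```

A non-empty HiddenChars column is the "invisible chars" case from the precaution above; PrivateKey False for the cluster or server certificate means the .cer was imported instead of the PFX.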
Hope this helps. Let me know if you see/need change in this.
Add-AzureAccount issue: Your Azure credentials have not been set up or have expired
For some reason, I started experiencing this issue. I tried clearing the local cache, temp folders, cookies etc., but none of it helped. So I grabbed a Fiddler log to see what was going wrong. I noticed a very old session token (3-4 months old) was being served for some reason, and had no clue where it lay either. I checked a few cmdlets to clear this out within PS and noted that Clear-AzureProfile flushed the older tokens, which resolved this issue.
PS C:\WINDOWS\system32> Add-AzureAccount
Id                 Type Subscriptions       Tenants
--                 ---- -------------       -------
xxxx@microsoft.com User xx-c5bc-xx-a7e0-xx  {xxx-86f1-41af-91ab-xxxx}
PS C:\WINDOWS\system32> Get-AzureRoleSize
Get-AzureRoleSize : Your Azure credentials have not been set up or have expired, please run Add-AzureAccount to set up your Azure credentials.
At line:1 char:1
+ Get-AzureRoleSize
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzureRoleSize], ArgumentException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.HostedServices.AzureRoleSizeCommand
Solution:-
Run the Clear-AzureProfile cmdlet and then try Add-AzureAccount again to get a valid bearer token and continue.
PS C:\WINDOWS\system32> Clear-AzureProfile -Force
Let me know if you see this issue and root cause for this.
Happy scripting…