Inter-node communication

Inter-node security ensures that only the authorized nodes can join a cluster and host applications. The nodes in a cluster running on Windows Server can be secured using either certificate security or Windows security. Let's discuss how we can secure a cluster using certificates so that only authorized nodes can join the cluster and only authorized cluster management commands can execute against the cluster.

While deploying the earlier examples, you may have noticed that we omitted the cluster security settings to simplify development. At this step, however, you can specify the X.509 certificate that Service Fabric should use to secure communication between nodes. You can specify the certificate through whichever medium you use to create your Service Fabric cluster, that is, the Azure Portal, an ARM template, or a standalone JSON template. You can also specify up to two certificates in the configuration: the primary certificate is used to secure the cluster, and the optional secondary certificate can be used for certificate rollovers.

For the walkthrough, we will use a self-signed certificate; however, use of a certificate from a trusted certificate authority (CA) is advised for production workloads:

  1. Create a new self-signed certificate. You can use PowerShell, tools such as OpenSSL, or any other tool that you personally prefer for the purpose. I will use PowerShell to generate a new self-signed certificate and save it on my desktop:

```powershell
# Password that protects the exported .pfx file; the same password is needed in later steps
$certificatePassword = ConvertTo-SecureString -String '[plain text password]' -AsPlainText -Force

# Create the certificate in the current user's personal store, then export it with its private key
New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -DnsName '[your cluster DNS name]' `
    -Provider 'Microsoft Enhanced Cryptographic Provider v1.0' |
    Export-PfxCertificate -FilePath ([Environment]::GetFolderPath('Desktop') + '/ClusterCertificate.pfx') `
        -Password $certificatePassword
```
  2. In the next step, we will sign in to our Azure subscription to perform the remaining operations:

```powershell
Login-AzureRmAccount
Get-AzureRmSubscription
Set-AzureRmContext -SubscriptionId '[azure subscription id]'
```
  3. Now let's create a resource group for our Service Fabric cluster and the other resources that we will use:

```powershell
New-AzureRmResourceGroup -Name '[resource group name]' -Location '[resource group location]'
```
  4. We will use a cloud-based certificate store to hold our certificate and provide it to our Service Fabric cluster. Azure Key Vault is a service that manages keys and passwords in the cloud and helps decouple sensitive information such as passwords and certificates from applications. You may use an existing Key Vault, but ideally it should reside in the same region and resource group as the cluster for easy manageability and performance. The certificate added to the Key Vault will later be installed on all the nodes in the cluster through configuration, as illustrated by the following diagram. This can be accomplished through an ARM template, or with a combination of PowerShell and the Management Portal, as we are doing here:

Figure: Applying security certificate on Service Fabric cluster from Key Vault

The following command will create a new Key Vault instance for you:

```powershell
# -EnabledForDeployment lets Azure compute resources retrieve certificates from this vault
New-AzureRmKeyVault -VaultName '[name of key vault]' `
    -ResourceGroupName '[name of resource group]' `
    -Location '[key vault location]' -EnabledForDeployment
```
  5. The preceding command prints a summary of the Key Vault instance it created. Copy the ResourceId of the instance; you will apply it to the Service Fabric cluster configuration later. It has the following format: /subscriptions/[subscription id]/resourceGroups/[resource group name]/providers/Microsoft.KeyVault/vaults/[key vault name]

Figure: Resource ID of KeyVault instance
  6. We will now upload the certificate that we previously stored on the desktop to our Key Vault instance:

```powershell
$cer = Add-AzureKeyVaultKey -VaultName '[name of key vault]' -Name '[key name]' `
    -KeyFilePath ([Environment]::GetFolderPath('Desktop') + '/ClusterCertificate.pfx') `
    -KeyFilePassword $certificatePassword
```
  7. You will now need to create a secret based on the certificate. For this purpose, we will create a JSON payload using the contents of the .pfx file:

```powershell
# The plain-text password must match the one used to export the .pfx in step 1
$password = '[plain text password]'
$pfxPath = [Environment]::GetFolderPath('Desktop') + '/ClusterCertificate.pfx'
$bytes = [System.IO.File]::ReadAllBytes($pfxPath)
$base64 = [System.Convert]::ToBase64String($bytes)

# Service Fabric expects the secret to be a base64-encoded JSON blob describing the .pfx
$jsonBlob = @{
    data     = $base64
    dataType = 'pfx'
    password = $password
} | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)
$secretValue = ConvertTo-SecureString -String $content -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName '[name of key vault]' -Name '[key name]' -SecretValue $secretValue
```
  8. The Set-AzureKeyVaultSecret command returns a summary of the generated secret. From the summary, copy the Id of the secret:

Figure: Id of Secret in KeyVault
  9. You will also need the thumbprint of the certificate that you used. You can copy it from the certificate properties or use the following PowerShell command for the purpose:

```powershell
# Load the exported .pfx (with its password from step 1) and print the SHA-1 thumbprint
$pfxPath = [Environment]::GetFolderPath('Desktop') + '/ClusterCertificate.pfx'
$clusterCertificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $certificatePassword
$clusterCertificate.Thumbprint
```
  10. Now, let's move to the Management Portal and create a new Service Fabric cluster. Populate the basic configuration options as before until you reach the security configuration step.

In the Security section, set the Security mode to Secure:

Figure: Service Fabric cluster security blade
  11. You will now be asked to provide the certificate details. Let's populate them one by one:
    • In the Primary certificate details section, set the value of Source key vault to the ResourceId that you copied in step 5
    • In the Certificate URL field, set the value to the secret Id that you copied in step 8
    • In the Certificate thumbprint field, set the value to the certificate thumbprint that you generated or copied from the PowerShell command output in step 9
  12. By now, you have successfully applied the security settings on the cluster. Proceed to complete the remaining settings and allow the cluster to provision.

After you have applied a certificate to a Service Fabric cluster, it can only be accessed over HTTPS. You will only be able to navigate to your application on the cluster over HTTPS, which might raise untrusted certificate warnings because we have used a self-signed certificate for this example. You can add the certificate to the Trusted Root Certification Authorities store of the local computer to make the warnings go away.

To connect to your Service Fabric cluster, use the following command, which presents the certificate with your request (the thumbprint shown is the one from this example; substitute the thumbprint you obtained in step 9):

```powershell
Connect-ServiceFabricCluster -ConnectionEndpoint ('[your cluster DNS name]' + ':19000') `
    -X509Credential `
    -ServerCertThumbprint 4b9ae03724412ab0ec4ec9b3bbbcb76e0d5374a9 `
    -FindType FindByThumbprint -FindValue 4b9ae03724412ab0ec4ec9b3bbbcb76e0d5374a9 `
    -StoreLocation CurrentUser -StoreName My
```

This command will present you with a summary of the cluster as follows:

Figure: Summary of Service Fabric cluster
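As an added check that is not part of the book's walkthrough, the following PowerShell function verifies that the certificate the cluster actually presents over HTTPS has the thumbprint you pinned with -ServerCertThumbprint, that the client-side copy which -FindType FindByThumbprint depends on is present in Cert:\CurrentUser\My, and how close the certificate is to expiry (the point at which the secondary rollover certificate from the configuration matters). The function name Test-ClusterCertificate and the default port 19080 for the cluster's HTTPS gateway are assumptions; adjust -Port if your cluster uses a different one.

```powershell
# Added example (not from the book): verify the cluster presents the pinned certificate.
# Assumes the HTTPS gateway listens on 19080; change -Port if your cluster differs.
function Test-ClusterCertificate {
    param(
        [Parameter(Mandatory)] [string] $ClusterDnsName,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [int] $Port = 19080,
        [int] $WarnDaysBeforeExpiry = 30
    )

    # Normalise the thumbprint (strip spaces/colons, upper-case) so copy-pasted values compare cleanly
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # 1. Is the certificate installed where Connect-ServiceFabricCluster -FindByThumbprint will look?
    $local = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $expected }

    # 2. Complete a TLS handshake with the cluster and capture the certificate it presents.
    # The callback accepts any chain because we compare the thumbprint ourselves; a self-signed
    # certificate would otherwise fail chain validation before we could inspect it.
    $tcp = New-Object System.Net.Sockets.TcpClient($ClusterDnsName, $Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ClusterDnsName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    $daysLeft = [int]($remote.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Endpoint            = "${ClusterDnsName}:${Port}"
        PresentedSubject    = $remote.Subject
        PresentedThumbprint = $remote.Thumbprint
        ThumbprintMatches   = ($remote.Thumbprint -eq $expected)    # pinning check
        ClientCopyInstalled = [bool]$local                           # needed for FindByThumbprint
        DaysUntilExpiry     = $daysLeft
        RolloverDue         = ($daysLeft -le $WarnDaysBeforeExpiry)  # time to stage the secondary certificate
    }
}

# Usage (placeholders, to be replaced with your own values):
# Test-ClusterCertificate -ClusterDnsName '[your cluster DNS name]' -ExpectedThumbprint '[certificate thumbprint]'
```

A result with ThumbprintMatches set to false means the endpoint is not serving the certificate you configured (or you are reaching a different host), and Connect-ServiceFabricCluster with -ServerCertThumbprint will refuse it.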

As you can see, now only authenticated clients can connect to your cluster; but additionally, you may want only authorized clients to make structural changes to your cluster, such as stopping nodes.

Let's discuss how we can authorize clients to perform operations on our cluster.

You can secure the inter-node communication channel on a standalone Windows cluster using Windows security. You can read more about it at: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-windows-security.