How to secure Service Fabric cluster with an X.509 certificate

, 6 minutes to read

You prob­a­bly no­ticed that Ser­vice Fab­ric Ex­plorer is publicly ac­ces­si­ble and does not re­quire any user­name or pass­word. Ser­vice Fab­ric Ex­plorer al­lows mon­i­tor­ing and man­age­ment ac­tions like dis­abling nodes or ap­pli­ca­tion dele­tion. The clus­ter and its man­age­ment can be eas­ily se­cured with an X.509 self-signed cer­tifi­cate. Af­ter that the cer­tifi­cate is re­quired prior to ac­cess Ser­vice Fab­ric Ex­plorer or pub­lish­ing ap­pli­ca­tions to the clus­ter.

Step 1: choose a cluster name

We need to know the name of the clus­ter be­fore we can start with cer­tifi­cate gen­er­a­tion. The name must be unique in the Azure re­gion.

In Azure por­tal, click on New Com­pute Ser­vice Fab­ric Clus­ter. Choos­ing the clus­ter name is the first step of the Ser­vice Fab­ric clus­ter cre­ation wizard. In this ar­ti­cle, I will choose a tra­di­tional name con­toso.

Step 2: generate a certificate

The cer­tifi­cate can be gen­er­ated in many ways. This topic far ex­ceeds the in­tent of this ar­ti­cle. You can gen­er­ate the cer­tifi­cate by a pro­cess you trust. The only re­quire­ment is the X.509 stan­dard and the sub­ject name (CN) must be the URL of your clus­ter, e.g. con­toso.wes­teu­rope.clou­dapp.azure.com.

I will use Win­dows Cryp­toAPI, Mi­crosoft .NET Frame­work and Plu­ral­Sight.Crypto NuGet pack­age. Launch Vi­sual Stu­dio and cre­ate a new con­sole app (Start Page Cre­ate a new project… In­stalled Tem­plates Vi­sual C# Win­dows Clas­sic Desk­top Con­sole App (.NET Frame­work) OK). In the So­lu­tion Ex­plorer (View → So­lu­tion Ex­plorer) right click to the Con­soleApp1 and choose Man­age NuGet pack­ages… Choose Browse and search for Plu­ral­Sight.Crypto. In­stall the pack­age. Re­place con­tent of the Pro­gram.cs file with fol­low­ing code and mod­ify sub­ject­Name vari­able.

using Pluralsight.Crypto; using System; using System.IO; using System.Security.Cryptography.X509Certificates; namespace ConsoleApp1 { class Program { static void Main(string[] args) { var subjectName = "contoso.westeurope.cloudapp.azure.com"; using (CryptContext ctx = new CryptContext()) { ctx.Open(); X509Certificate2 cert = ctx.CreateSelfSignedCertificate( new SelfSignedCertProperties { IsPrivateKeyExportable = true, KeyBitLength = 4096, Name = new X500DistinguishedName("cn=" + subjectName), ValidFrom = DateTime.Today.AddDays(-1), ValidTo = DateTime.Today.AddYears(2), }); File.WriteAllBytes("contoso.pfx", cert.Export(X509ContentType.Pfx)); Console.WriteLine(cert.Thumbprint); Console.ReadLine(); }; } } }

Build the project (Ctrl + Shift + B). In So­lu­tion Ex­plorer right click to the Con­soleApp1 project and choose Open Folder in the File Ex­plorer. Nav­i­gate to the bin/De­bug di­rec­tory and keep the win­dow open for later use.

The code above cre­ates the cer­tifi­cate for you (by press­ing F5). It saves the cer­tifi­cate to the file. It also prints the cer­tifi­cate’s thumbprint. Do not close the con­sole win­dow by press­ing En­ter, keep it open, be­cause you will need the thumbprint later.

Step 3: upload the certificate to Key Vault

In Azure por­tal, click on New Se­cu­rity + Iden­tity Key Vault and cre­ate a Key Vault.

In Ad­vanced Ac­cess pol­icy check the En­able ac­cess to Azure Vir­tual Ma­chines for de­ploy­ment.

Nav­i­gate to the Key Vault and choose Se­crets.

Then click to Add.

Upload the cer­tifi­cate from a lo­ca­tion you opened in the pre­vi­ous step. Choose a name of the cer­tifi­cate.

Nav­i­gate to the Prop­er­ties of the Key Vault and keep it opened.

Step 4: configure the cluster security

We can re­turn to the Ser­vice Fab­ric clus­ter cre­ation wizard. In the step 3 we will as­sign the pri­mary cer­tifi­cate.

You may see an un­ex­pected er­ror telling you that cer­tifi­cate thumbprint is in­valid. It may hap­pen when the thumbprint starts with an in­vis­i­ble left-to-right mark char­ac­ter. Nav­i­gate the cur­sor af­ter the first let­ter of the thumbprint, press Backs­pace two times and type the first let­ter again.

Management & application deployment

The cer­tifi­cate is the user­name and pass­word for our clus­ter. It must be in­stalled on the com­puter used to mon­i­tor or de­ploy ap­pli­ca­tions to the clus­ter. Dou­ble click to cer­tifi­cate’s file icon to in­stall it. You can in­stall the cer­tifi­cate to the lo­ca­tion au­to­mat­i­cally de­ter­mined by the Im­port cer­tifi­cate wizard.

Deploying applications

You can cre­ate an empty Ser­vice Fab­ric ap­pli­ca­tion to test the de­ploy­ment. From the Start Page click to Cre­ate a new project… In­stalled Tem­plates Vi­sual C# Cloud Service Fab­ric Application OK State­less Ser­vice OK. In So­lu­tion Ex­plorer, right click to the Ap­pli­ca­tion1 project and choose Pub­lish…

In the Pub­lish Ser­vice Fab­ric Ap­pli­ca­tion di­a­log, set Store­Lo­ca­tion to Cur­ren­tUser and Store­Name to My.

Accessing Service Fabric Explorer

We can nav­i­gate to https://con­toso.wes­teu­rope.clou­dapp.azure.com:19080/Ex­plorer. The browser will alert you that the cer­tifi­cate is in­valid. This is nor­mal, be­cause the cer­tifi­cate is self-signed. Con­tinue and choose the ap­pro­pri­ate cer­tifi­cate. Ser­vice Fab­ric Ex­plorer will show up. The com­puter which is miss­ing the cer­tifi­cate can­not ac­cess clus­ter’s Ser­vice Fab­ric Ex­plorer.

Certificate renewal

You can add a sec­ond cer­tifi­cate and swap the pri­mary with sec­ondary cer­tifi­cate to re­new the cer­tifi­cate. How­ever, this cur­rently can­not be done without Pow­er­Shell.