Merge pull request #101055 from jagilber/sfAppCertAcl

Court72 · web-flow · commit 0bdede4488f1 · 2022-11-16T08:52:55.000-07:00
modify service fabric articles to add example and links for endpointcertificate in Service Fabric applications
diff --git a/articles/service-fabric/service-fabric-application-and-service-manifests.md b/articles/service-fabric/service-fabric-application-and-service-manifests.md
@@ -188,6 +188,7 @@ For more information about other features supported by application manifests, re
 - [Configure security policies for your application](service-fabric-application-runas-security.md).
 - [Setup HTTPS endpoints](service-fabric-service-manifest-resources.md#example-specifying-an-https-endpoint-for-your-service).
 - [Encrypt secrets in the application manifest](service-fabric-application-secret-management.md)
+- [Azure Service Fabric security best practices](service-fabric-best-practices-security.md)
 
 <!--Image references-->
 [appmodel-diagram]: ./media/service-fabric-application-model/application-model.png
diff --git a/articles/service-fabric/service-fabric-application-and-service-security.md b/articles/service-fabric/service-fabric-application-and-service-security.md
@@ -83,6 +83,25 @@ You can establish secure connection between the reverse proxy and services, thus
 
 The Reliable Services application framework provides a few prebuilt communication stacks and tools that you can use to improve security. Learn how to improve security when you're using service remoting (in [C#](service-fabric-reliable-services-secure-communication.md) or [Java](service-fabric-reliable-services-secure-communication-java.md)) or using [WCF](service-fabric-reliable-services-secure-communication-wcf.md).
 
+
+### Include endpoint certificate in Service Fabric applications
+
+To configure your application endpoint certificate, include the certificate by adding a **EndpointCertificate** element along with the **User** element for the principal account to the application manifest. By default the principal account is NetworkService. This will provide management of the application certificate private key ACL for the provided principal.
+
+```xml
+<ApplicationManifest … >
+  ...
+  <Principals>
+    <Users>
+      <User Name="Service1" AccountType="NetworkService" />
+    </Users>
+  </Principals>
+  <Certificates>
+    <EndpointCertificate Name="MyCert" X509FindType="FindByThumbprint" X509FindValue="[YourCertThumbprint]"/>
+  </Certificates>
+</ApplicationManifest>
+```
+
 ## Encrypt application data at rest
 Each [node type](service-fabric-cluster-nodetypes.md) in a Service Fabric cluster running in Azure is backed by a [virtual machine scale set](../virtual-machine-scale-sets/overview.md). Using an Azure Resource Manager template, you can attach data disks to the scale set(s) that make up the Service Fabric cluster.  If your services save data to an attached data disk, you can [encrypt those data disks](../virtual-machine-scale-sets/disk-encryption-powershell.md) to protect your application data.
 
diff --git a/articles/service-fabric/service-fabric-assign-policy-to-endpoint.md b/articles/service-fabric/service-fabric-assign-policy-to-endpoint.md
@@ -42,5 +42,6 @@ For next steps, read the following articles:
 * [Understand the application model](service-fabric-application-model.md)
 * [Specify resources in a service manifest](service-fabric-service-manifest-resources.md)
 * [Deploy an application](service-fabric-deploy-remove-applications.md)
+* [Azure Service Fabric security best practices](service-fabric-best-practices-security.md)
 
 [image1]: ./media/service-fabric-application-runas-security/copy-to-output.png
diff --git a/articles/service-fabric/service-fabric-best-practices-security.md b/articles/service-fabric/service-fabric-best-practices-security.md
@@ -141,15 +141,33 @@ user@linux:$ openssl smime -encrypt -in plaintext_UTF-16.txt -binary -outform de
 
 After encrypting your protected values, [specify encrypted secrets in Service Fabric Application](./service-fabric-application-secret-management.md#specify-encrypted-secrets-in-an-application), and [decrypt encrypted secrets from service code](./service-fabric-application-secret-management.md#decrypt-encrypted-secrets-from-service-code).
 
-## Include certificate in Service Fabric applications
+## Include endpoint certificate in Service Fabric applications
+
+To configure your application endpoint certificate, include the certificate by adding a **EndpointCertificate** element along with the **User** element for the principal account to the application manifest. By default the principal account is NetworkService. This will provide management of the application certificate private key ACL for the provided principal.
+
+```xml
+<ApplicationManifest … >
+  ...
+  <Principals>
+    <Users>
+      <User Name="Service1" AccountType="NetworkService" />
+    </Users>
+  </Principals>
+  <Certificates>
+    <EndpointCertificate Name="MyCert" X509FindType="FindByThumbprint" X509FindValue="[YourCertThumbprint]"/>
+  </Certificates>
+</ApplicationManifest>
+```
+
+## Include secret certificate in Service Fabric applications
 
 To give your application access to secrets, include the certificate by adding a **SecretsCertificate** element to the application manifest.
 
 ```xml
 <ApplicationManifest … >
   ...
   <Certificates>
-    <SecretsCertificate Name="MyCert" X509FindType="FindByThumbprint" X509FindValue="[YourCertThumbrint]"/>
+    <SecretsCertificate Name="MyCert" X509FindType="FindByThumbprint" X509FindValue="[YourCertThumbprint]"/>
   </Certificates>
 </ApplicationManifest>
 ```
