|
1 | 1 | --- |
2 | | -title: Certificate management in a Service Fabric Cluster |
| 2 | +title: Certificate management in a Service Fabric cluster |
3 | 3 | description: Learn about managing certificates in a Service Fabric cluster secured with X.509 certificates. |
4 | 4 | ms.topic: conceptual |
5 | 5 | ms.date: 04/10/2020 |
6 | 6 | ms.custom: sfrev |
7 | 7 | --- |
8 | | -# X.509 Certificate-based authentication in Service Fabric clusters |
| 8 | +# Certificate management in Service Fabric clusters |
9 | 9 |
|
10 | | -This article addresses the management aspects of certificates used to secure communication in Service Fabric clusters, and complements the introduction to [Service Fabric cluster security](service-fabric-cluster-security.md) as well as the explainer on [X.509 certificate-based authentication in Service Fabric](cluster-security-certificates.md). We assume the reader is familiar with fundamental security concepts, and also with the controls that Service Fabric exposes to configure the security of a cluster. |
| 10 | +This article addresses the management aspects of certificates used to secure communication in Azure Service Fabric clusters, and complements the introduction to [Service Fabric cluster security](service-fabric-cluster-security.md) as well as the explainer on [X.509 certificate-based authentication in Service Fabric](cluster-security-certificates.md). We assume the reader is familiar with fundamental security concepts, and also with the controls that Service Fabric exposes to configure the security of a cluster. |
11 | 11 |
|
12 | 12 | Aspects covered under this title: |
13 | 13 |
|
@@ -50,30 +50,28 @@ It follows that the certificate management burden (as active operations) falls s |
50 | 50 | ## The journey of a certificate |
51 | 51 | Let us quickly revisit the progression of a certificate from issuance to consumption in the context of a Service Fabric cluster: |
52 | 52 |
|
53 | | - - a domain owner registers with the RA of a PKI a domain or subject that they'd like to associate with ensuing certificates; the certificates will, in turn, constitute proofs of ownership of said domain or subject |
54 | | - - the domain owner also designates in the RA the identities of authorized requesters - entities that are entitled to request the enrollment of certificates with the specified domain or subject; in Microsoft Azure, the default identity provider is Azure Active Directory, and authorized requesters are designated by their corresponding AAD identity (or via security groups) |
55 | | - - an authorized requester then enrolls into a certificate via a Secret Management Service; in Microsoft Azure, the SMS of choice is Azure Key Vault (AKV), which securely stores and allows the retrieval of secrets/certificates by authorized entities. AKV also renews/re-keys the certificate as configured in the associated certificate policy. (AKV uses AAD as the identity provider.) |
56 | | - - an authorized retriever - which we'll refer to as a 'provisioning agent' - retrieves the certificate, inclusive of its private key, from the vault, and installs it on the machines hosting the cluster |
57 | | - - the Service Fabric service (running elevated on each node) grants access to the certificate to allowed Service Fabric entities; these are designated by local groups, and split between ServiceFabricAdministrators and ServiceFabricAllowedUsers |
58 | | - - the Service Fabric runtime accesses and uses the certificate to establish federation, or to authenticate to inbound requests from authorized clients |
59 | | - - the provisioning agent monitors the vault certificate, and triggers the provisioning flow upon detecting renewal; subsequently, the cluster owner updates the cluster definition, if needed, to indicate the intent to roll over the certificate. |
60 | | - - the provisioning agent or the cluster owner is also responsible for cleaning up/deleting unused certificates |
| 53 | + 1. A domain owner registers with the RA of a PKI a domain or subject that they'd like to associate with ensuing certificates; the certificates will, in turn, constitute proofs of ownership of said domain or subject |
| 54 | + 2. The domain owner also designates in the RA the identities of authorized requesters - entities that are entitled to request the enrollment of certificates with the specified domain or subject; in Microsoft Azure, the default identity provider is Azure Active Directory, and authorized requesters are designated by their corresponding AAD identity (or via security groups) |
| 55 | + 3. An authorized requester then enrolls into a certificate via a Secret Management Service; in Microsoft Azure, the SMS of choice is Azure Key Vault (AKV), which securely stores and allows the retrieval of secrets/certificates by authorized entities. AKV also renews/re-keys the certificate as configured in the associated certificate policy. (AKV uses AAD as the identity provider.) |
| 56 | + 4. An authorized retriever - which we'll refer to as a 'provisioning agent' - retrieves the certificate, inclusive of its private key, from the vault, and installs it on the machines hosting the cluster |
| 57 | + 5. The Service Fabric service (running elevated on each node) grants access to the certificate to allowed Service Fabric entities; these are designated by local groups, and split between ServiceFabricAdministrators and ServiceFabricAllowedUsers |
| 58 | + 6. The Service Fabric runtime accesses and uses the certificate to establish federation, or to authenticate to inbound requests from authorized clients |
| 59 | + 7. The provisioning agent monitors the vault certificate, and triggers the provisioning flow upon detecting renewal; subsequently, the cluster owner updates the cluster definition, if needed, to indicate the intent to roll over the certificate. |
| 60 | + 8. The provisioning agent or the cluster owner is also responsible for cleaning up/deleting unused certificates |
61 | 61 |
|
62 | 62 | For our purposes, the first two steps in the sequence above are largely unrelated; the only connection is that the subject common name of the certificate is the DNS name declared in the cluster definition. |
63 | 63 |
|
64 | 64 | These steps are illustrated below; note the differences in provisioning between certificates declared by thumbprint and common name, respectively. |
65 | 65 |
|
66 | | -Issuance and provisioning flow of certificates declared by thumbprint. |
| 66 | +*Fig. 1.* Issuance and provisioning flow of certificates declared by thumbprint. |
67 | 67 | <center> |
68 | | - |
69 | 68 | ![Provisioning certificates declared by thumbprint][Image1] |
70 | | -<center> |
| 69 | +</center> |
71 | 70 |
|
72 | | -Issuance and provisioning flow of certificates declared by subject common name. |
| 71 | +*Fig. 2.* Issuance and provisioning flow of certificates declared by subject common name. |
73 | 72 | <center> |
74 | | - |
75 | 73 | ![Provisioning certificates declared by subject common name][Image2] |
76 | | -<center> |
| 74 | +</center> |
77 | 75 |
|
78 | 76 | ### Certificate enrollment |
79 | 77 | This topic is covered in detail in the Key Vault [documentation](../key-vault/create-certificate.md); we're including a synopsis here for continuity and easier reference. Continuing with Azure as the context, and using Azure Key Vault as the secret management service, an authorized certificate requester must have at least certificate management permissions on the vault, granted by the vault owner; the requester would then enroll into a certificate as follows: |
|
0 commit comments