Merge pull request #18609 from haraldfianbakken/release-local-disconnectednew

CLI doc improvement

Author: Stacyrch140

azure-local/manage/disconnected-operations-cli.md

@@ -109,7 +109,7 @@ For disconnected operations:
         }
 
         # Run the helper method in PowerShell:
-        UpdatePythonCertStore -ApplianceRootCertPath D:\applianceIngressRoot.cer
+        UpdatePythonCertStore -ApplianceRootCertPath C:\AzureLocalDisconnectedOperations\applianceRoot.cer
     ```
 
 ## Set up Azure CLI for disconnected operations
@@ -123,56 +123,39 @@ To set up Azure CLI for disconnected operations on Azure Local, follow these ste
     ```PowerShell
     function Get-ApplianceAzCliCloudConfig
     {
-    [CmdletBinding()]
-    [OutputType([String])]
-    param (
-    [Parameter(Position = 0, Mandatory = $true)]
-    [string]
-    $ArmEndpoint,
+        [CmdletBinding()]
+        [OutputType([String])]
+        param (
+        [Parameter(Position = 0, Mandatory = $true)]
+        [string]
+        $fqdn,
+        [Parameter(Position = 1, Mandatory = $false)]
+        [string]
+        $exportToFile
+        )
     
-    [Parameter(Position = 1, Mandatory = $false)]
-    [string]
-    $OutputFolder,
-    
-    [Parameter(Position = 2, Mandatory = $false)]
-    [string]
-    $ApiVersion = "2022-09-01" )
-    
-    $armMetadataUrl = "$($ArmEndpoint.TrimEnd('/'))/metadata/endpoints?api-version=${ApiVersion}"
-    try
+    $cloudConfig = @"
     {
-    $response = Invoke-WebRequest $armMetadataUrl `
-    -Method 'GET' `
-    -ContentType "application/json" `
-    -UseBasicParsing
-    }
-    catch
-    {
-    Write-Error "Failed to get ARM metadata endpoints at '$armMetadataUrl'."
-    throw $_
-    }
-    
-    $cloudEndpoints = $response.Content | ConvertFrom-Json
-    $cloudConfig = @{
-    endpoints = @{
-    activeDirectory = "$($cloudEndpoints.authentication.loginEndpoint.TrimEnd('/'))/adfs"
-    activeDirectoryGraphResourceId = $cloudEndpoints.graph
-    activeDirectoryResourceId = $cloudEndpoints.authentication.audiences[0]
-    resourceManager = $cloudEndpoints.resourceManager
-    microsoftGraphResourceId = $cloudEndpoints.graph
-    }
-    suffixes = @{
-    storageEndpoint = $cloudEndpoints.suffixes.storage
-    keyvaultDns = $cloudEndpoints.suffixes.keyvaultDns
-    acrLoginServerEndpoint = $cloudEndpoints.suffixes.acrLoginServer
-    }
+        "suffixes":  {
+                        "keyvaultDns":  ".vault.autonomous.cloud.private",
+                        "storageEndpoint":  "autonomous.cloud.private",
+                        "acrLoginServerEndpoint":  ".edgeacr.autonomous.cloud.private"
+                    },
+        "endpoints":  {
+                        "activeDirectory":  "https://login.autonomous.cloud.private/adfs",
+                        "activeDirectoryGraphResourceId":  "https://graph.autonomous.cloud.private",
+                        "resourceManager":  "https://armmanagement.autonomous.cloud.private",
+                        "microsoftGraphResourceId":  "https://graph.autonomous.cloud.private",
+                        "activeDirectoryResourceId":  "https://armmanagement.autonomous.cloud.private"
+                    }
     }
-    $cloudConfigJson = $cloudConfig | ConvertTo-Json
-    if ($OutputFolder)
+    "@ -replace "autonomous.cloud.private", $fqdn
+
+    if ($exportToFile)
     {
-    $cloudConfigJson | Set-Content -Path "$OutputFolder\cloudconfig.json"
+        $cloudConfig | Set-Content -Path "$exportToFile"
     }
-    return $cloudConfigJson
+    return $cloudConfig
     }
     ```
 
@@ -182,7 +165,7 @@ To set up Azure CLI for disconnected operations on Azure Local, follow these ste
     az config set core.enable_broker_on_windows=false
     az config set core.instance_discovery=false
     $fqdn = "autonomous.cloud.private"
-    $cloudConfigJson = Get-ApplianceAzCliCloudConfig -ArmEndpoint "https://armmanagement.$($fqdn)/"
+    $cloudConfigJson = Get-ApplianceAzCliCloudConfig -fqdn $fqdn
 
     # Write the content to a file cloudConfig.json
     $cloudConfigJson | Out-File -FilePath cloudConfig.json

azure-local/manage/disconnected-operations-deploy.md

@@ -177,7 +177,7 @@ To prepare the first machine for the disconnected operations appliance, follow t
     Here's an example:
     
     ```powershell
-    $applianceConfigBasePath = 'D:\AzureLocalDisconnectedOperations\'
+    $applianceConfigBasePath = 'C:\AzureLocalDisconnectedOperations'
     ```
 
 1. Copy the disconnected operations installation files (appliance and manifest) to the first machine. Save these files into the base folder you created earlier.  
@@ -222,11 +222,11 @@ To prepare the first machine for the disconnected operations appliance, follow t
     Copy-Item \\fileserver\share\azurelocalcerts $certspath -recurse  
     ```
 
-1. Verify the certificates, public key, and management endpoint. You should have two folders: `ManagementEndpointCerts` and `IngressEndpointCerts` and at least 24 certificates.
+1. Verify the certificates, public key, and management endpoint. You should have two folders: `ManagementEndpointCerts` and `IngressEndpointsCerts` and at least 24 certificates.
 
     ```powershell  
     Get-ChildItem $certsPath 
-    Get-Item $certsPath -recurse -filter *.cer  
+    Get-ChildItem $certsPath -recurse -filter *.cer  
     ```  
 
 1. Install the BitLocker feature including the management tool.
@@ -238,9 +238,9 @@ To prepare the first machine for the disconnected operations appliance, follow t
 1. Import the **Operations module**. Run the command as an administrator using PowerShell. Modify the path to match your folder structure.
 
     ```powershell  
-    Import-Module "$applianceConfigBasePath \OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
+    Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
     $mgmntCertFolderPath = "$certspath\ManagementEndpointCerts"  
-    $ingressCertFolderPath = "$certspath\IngressEndpointCerts"  
+    $ingressCertFolderPath = "$certspath\IngressEndpointsCerts"  
     ```
 
 ## Initialize the parameters
@@ -323,138 +323,13 @@ Populate the required parameters based on your deployment planning. Modify the e
 
     For more information, see [PKI for disconnected operations](disconnected-operations-pki.md).
 
-1. Generate the appliance manifest file:
+1. Copy the appliance manifest file (Downloaded from Azure) to your configuration folder:
 
     ```powershell
-    $stampId = (New-Guid).Guid
-    $resourcename = "appliance1"
-    $resourcegroupname= "rg"
-    $subscriptionId= "subscriptionid"
-
-    $applianceManifest = @{  
-        resourceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Edge/azurelocaldisconnected/$resourceName"  
-        resourceName = $resourceName  
-        stampId = $stampId  
-        location = "eastus"  
-        billingModel = "model"  
-        connectionIntent = "Disconnected"  
-    }  
-    $applianceManifestJsonPath = "$applianceConfigBasePath\AzureLocal.DisconnectedOperations.Appliance.manifest.json"  
-    $applianceManifest | ConvertTo-JSON | Out-File $ApplianceManifestJsonPath | Out-Null  
+    # Modify your source path accordingly 
+    copy-item AzureLocal.DisconnectedOperations.Manifest.json $applianceConfigBasePath\AzureLocal.DisconnectedOperations.Appliance.manifest.json
     ```  
 
-## Validate the management endpoint certificates
-
-Before you install the appliance, validate the management endpoint certificates. Ensure that the certificate has a validated certificate chain, isn't expired, has the correct subject, the appropriate enhanced key usage (EKUs), and the supported cryptography.
-
-Run the following script:
-
-```powershell
-function Test-SSLCertificateSAN {
-    [CmdletBinding()]
-    param(
-        [Parameter(Mandatory = $true)]
-        [string]$HostName,
-
-        [Parameter(Mandatory = $true)]
-        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslCertificate
-    )
-
-    $sanExtension = $SslCertificate.Extensions | Where-Object { $_.Oid.FriendlyName -ieq "Subject Alternative Name" }
-
-    if (-not $sanExtension) {
-        throw "Subject Alternative Name is not specified in the certificate. Correct the certifcate and try again."
-    }
-
-    $sanExtensionContent = $sanExtension.Format(0)
-    $sanList = $sanExtensionContent.Split(",") | ForEach-Object { $_.Trim() }
-    
-    if ($sanList -inotcontains "DNS Name=$HostName") {
-        throw "Subject Alternative Name does not contain the hostname $HostName. It only has Subject Alternative Name: $sanExtensionContent. Correct the certificate and try again."
-    }
-}
-
-function Test-SSLCertificateChain {
-    [CmdletBinding()]
-    param(
-        [Parameter(Mandatory = $true)]
-        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslCertificate
-    )
-
-    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
-    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
-    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
-
-    $chain.Build($SslCertificate) | Out-Null
-
-    if ($chain.ChainStatus.Count -ne 0) {
-        throw "Certificate chain validation failed with error message: `r`n$(($chain.ChainStatus).StatusInformation -Join "`r`n"). Correct the certificate chain and try again."
-    }
-}
-
-function Test-SslCertificateEnhancedKeyUsage {
-    [CmdletBinding()]
-    param(
-        [Parameter(Mandatory = $true)]
-        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslCertificate
-    )
-
-    $extensions = $SslCertificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
-    $serverAuthenticationValue = "1.3.6.1.5.5.7.3.1"
-    $serverAuth = $extensions.EnhancedKeyUsages | Where-Object { $_.Value -ieq $serverAuthenticationValue }
-
-    if (-not $serverAuth) {
-        throw "Certificate does not have Server Authentication Enhanced Key Usage. Correct the certificate and try again."
-    }
-}
-
-function Test-SslCertificateCrypto {
-    [CmdletBinding()]
-    param(
-        [Parameter(Mandatory = $true)]
-        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslCertificate
-    )
-
-    if ($SslCertificate.PublicKey.Oid.FriendlyName -eq "RSA") {
-        if ($SslCertificate.PublicKey.Key.KeySize -lt 2048) {
-            throw "Weak RSA Key: Upgrade to at least 2048-bit"
-        } else {
-            Write-Verbose "RSA Key is secure ($($SslCertificate.PublicKey.Key.KeySize) bits)"
-        }
-    }
-
-    if ($SslCertificate.PublicKey.Oid.FriendlyName -match "ECDSA") {
-        $validCurves = @("ECDSA_P256", "ECDSA_P384", "ECDSA_P521")
-        if ($validCurves -contains $SslCertificate.PublicKey.Oid.FriendlyName) {
-            Write-Verbose "ECDSA with $($SslCertificate.PublicKey.Oid.FriendlyName) curve is secure"
-        } else {
-            throw "Weak ECDSA Curve: Use P-256, P-384, or P-521"
-        }
-    }
-
-    if ($SslCertificate.SignatureAlgorithm.FriendlyName -match "sha1") {
-        throw "Weak Signature Algorithm: Upgrade to SHA-256 or higher"
-    }
-}
-
-# Test SSL Certificate for Management cert
-$HostName = $ManagementNetworkConfiguration.ManagementIpAddress
-$SslCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(`
-            $ManagementNetworkConfiguration.TlsCertificatePath,
-            $ManagementNetworkConfiguration.TlsCertificatePassword)
-
-$currentDate = Get-Date
-if ($currentDate -lt $SslCertificate.NotBefore) {
-    throw "Certificate is not yet valid (future start date). Correct the certificate and try again."
-} elseif ($currentDate -gt $SslCertificate.NotAfter) {
-    throw "Certificate has expired. Correct the certificate and try again."
-}
-
-Test-SSLCertificateSAN -HostName $HostName -SslCertificate $SslCertificate | Out-Null
-Test-SSLCertificateChain -SslCertificate $SslCertificate | Out-Null
-Test-SslCertificateEnhancedKeyUsage -SslCertificate $SslCertificate | Out-Null
-Test-SslCertificateCrypto -SslCertificate $SslCertificate | Out-Null
-```
 
 ## Install and configure the appliance  
 

azure-local/manage/disconnected-operations-pki.md

@@ -85,11 +85,11 @@ On the host machine or Active Directory virtual machine (VM), follow the steps i
 You need these certificates to deploy the disconnected operations appliance. You also need the public key for your local infrastructure to provide a secure trust chain.
 
 > [!NOTE]
-> **IngressEndpointCerts** is the folder where you store all 24 certificate files. **IngressEndpointPassword** is a secure string with the certificate password.
+> **IngressEndpointsCerts** is the folder where you store all 24 certificate files. **IngressEndpointPassword** is a secure string with the certificate password.
 
 1. Connect to the CA.
 1. Create a folder named **IngressEndpointsCerts**. Use this folder to store all certificates.
-1. Create the 24 certs in the table above and export them into the IngressEndpointCerts folder. 
+1. Create the 24 certs in the table above and export them into the IngressEndpointsCerts folder. 
 
 Here's an example script you can modify and run. It creates ingress certificates and exports them to the configured folder by creating CSRs and issuing them to your CA.
 
@@ -206,7 +206,7 @@ $AzLCerts = @(
   }
   ``` 
 
-- Copy the original certificates (24 .pfx files / *.pfx) obtained from your CA to the directory structure represented in IngressEndpointCerts.
+- Copy the original certificates (24 .pfx files / *.pfx) obtained from your CA to the directory structure represented in IngressEndpointsCerts.
 
 ### Management endpoint
 
@@ -294,7 +294,7 @@ _continue_ = "DNS=$subject"
 You need the root certificate public key for deployment. The following example shows how to export your root certificate public key:
 
 ```azurecli
-certutil -ca.cert applianceRoot.cer
+certutil -ca.cert C:\AzureLocalDisconnectedOperations\applianceRoot.cer
 ```
 
 For more information, see [Active Directory Certificate Services](/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/export-root-certification-authority-certificate).

azure-local/manage/disconnected-operations-security.md

@@ -98,7 +98,7 @@ To back up Host Guardian Service certificates from your cluster, run these comma
 1. To export the Host Guardian Service certificates to a specific path, run `Export-ApplianceHGSCertificates`.
 
     ```powershell
-    Export-ApplianceHGSCertificates -Path D:\AzureLocal\HGSBackup    
+    Export-ApplianceHGSCertificates -Path C:\AzureLocalDisconnectedOperations\HGSBackup    
     ```
     
 ## Configure syslog forwarding