Install a Secured Windows Service Fabric Cluster by Using Certificates

I. Preparation

1. Infrastructure

Cluster
Cluster

2. Create Certificates

Certs
Certs

3. Install the Certificates on the Servers

# Folder of the .pfx files; every certificate found by this pattern is imported.
$certLocation = ".\*.pfx";
# Password protecting the .pfx files.
# NOTE(review): a plaintext password in the script ends up in source control, transcripts and
# command history. Prefer reading it at run time (e.g. Read-Host -AsSecureString) or from a
# protected secret store, and keep the .pfx files themselves out of the repository.
$certPass = "SF";
# Service account that is granted access to the imported certificates (their private keys).
# It should be NETWORK SERVICE, because Service Fabric uses this account for installation and running.
$serviceAccount= "NETWORK SERVICE";
# Certificate store to import into. Cert:\LocalMachine\My is the default and matches the
# "X509StoreName": "My" entries in the cluster configuration; if you change the store here,
# change the configuration to match.
$CertStoreLocation = "Cert:\LocalMachine\My";
...
Certs Installation
Certs Installation
Certs Installed
Certs Installed

4. Download The Service Fabric installer

SFInstall
SFInstall

II. Installation

1. Configuration

{
...,
"nodes": [{
"nodeName": "ss1",
"iPAddress": "ss1.hbd.net",
"nodeTypeRef": "NodeType0",
"faultDomain": "fd:/dc1/r0",
"upgradeDomain": "UD0"
}, {
"nodeName": "ss2",
"iPAddress": "ss2.hbd.net",
"nodeTypeRef": "NodeType0",
"faultDomain": "fd:/dc1/r1",
"upgradeDomain": "UD1"
}, {
"nodeName": "ss3",
"iPAddress": "ss3.hbd.net",
"nodeTypeRef": "NodeType0",
"faultDomain": "fd:/dc1/r2",
"upgradeDomain": "UD2"
}],
...
}
{
...,
"security": {
"metadata": "The Credential type X509",
"ClusterCredentialType": "X509",
"ServerCredentialType": "X509",
"CertificateInformation": {
"ClusterCertificateCommonNames": {
"CommonNames": [
{
"CertificateCommonName": "sf.hbd.net",
"CertificateIssuerThumbprint": "b72061e57300434989f1365014096f096c482db9"
}
],
"X509StoreName": "My"
},
"ServerCertificateCommonNames": {
"CommonNames": [
{
"CertificateCommonName": "sf.hbd.net",
"CertificateIssuerThumbprint": "b72061e57300434989f1365014096f096c482db9"
}
],
"X509StoreName": "My"
},
"ClientCertificateCommonNames": [
{
"CertificateCommonName": "sfclientadmin.hbd.net",
"CertificateIssuerThumbprint": "b72061e57300434989f1365014096f096c482db9",
"IsAdmin": true
},
{
"CertificateCommonName": "sfclient.hbd.net",
"CertificateIssuerThumbprint": "b72061e57300434989f1365014096f096c482db9",
"IsAdmin": false
}
],
"ReverseProxyCertificateCommonNames": {
"CommonNames": [
{
"CertificateCommonName": "sf.hbd.net"
}
],
"X509StoreName": "My"
}
}
},
...
}
{
...,
"ReverseProxyCertificateCommonNames": {...},
"ClusterCertificateIssuerStores": [{
"IssuerCommonName": "hbd-AD-CA",
"X509StoreNames": "Root"
}],
"ServerCertificateIssuerStores": [{
"IssuerCommonName": "hbd-AD-CA",
"X509StoreNames": "Root"
}],
"ClientCertificateIssuerStores": [{
"IssuerCommonName": "hbd-AD-CA",
"X509StoreNames": "Root"
}],
"ReverseProxyCertificateIssuerStores": [{
"IssuerCommonName": "hbd-AD-CA",
"X509StoreNames": "Root"
}],
...,
}

2. Installation

# Pre-install validation of ClusterConfig.X509.MultiMachine.json and the runtime package;
# resolve every reported failure before running CreateServiceFabricCluster.ps1 with the same arguments.
.\TestConfiguration.ps1 -ClusterConfigFilePath ./ClusterConfig.X509.MultiMachine.json -FabricRuntimePackagePath ./MicrosoftAzureServiceFabric.cab
Test-config
Test-config
# Creates the cluster from the same configuration that TestConfiguration.ps1 validated.
# -AcceptEULA presumably accepts the license terms non-interactively — confirm against the script's help.
# NOTE(review): the configuration identifies cluster, server and client certificates by common name plus
# issuer thumbprint, so any certificate with that common name chaining to the listed issuer (hbd-AD-CA)
# is presumably accepted; keep issuance from that CA tightly controlled and audited.
.\CreateServiceFabricCluster.ps1 -ClusterConfigFilePath ./ClusterConfig.X509.MultiMachine.json -FabricRuntimePackagePath ./MicrosoftAzureServiceFabric.cab -AcceptEULA
Install-Result
Install-Result

III. Testing

User-Certs
User-Certs
Cert-Login
Cert-Login
SF-Explorer
SF-Explorer
Cert-ReverseProxy
Cert-ReverseProxy

IV. Uninstall SF Cluster

# Tears down the cluster. -DeleteLog and -Force are passed (presumably: also delete the log folder and
# skip the confirmation prompt — confirm against the script's help).
# NOTE(review): the config file named here (ClusterConfig.X509.HBD.MultiMachine.json) differs from the one
# the cluster was created with in section II (ClusterConfig.X509.MultiMachine.json); pass the file that was
# used at creation time. The other scripts are invoked with their .ps1 extension; if this command does not
# resolve, use .\RemoveServiceFabricCluster.ps1. Removing the cluster presumably leaves the imported
# certificates in the machine store — remove them separately if they are no longer needed.
.\RemoveServiceFabricCluster -ClusterConfigFilePath ./ClusterConfig.X509.HBD.MultiMachine.json -DeleteLog -Force
SF-Uninstalled
SF-Uninstalled
SF-Folder
SF-Folder

V. Sample Config Files

Learnt what, share that