You probably noticed that Service Fabric Explorer is publicly accessible and does not require any username or password. Service Fabric Explorer allows monitoring and management actions such as disabling nodes or deleting applications. The cluster and its management endpoints can be secured easily with a self-signed X.509 certificate. After that, the certificate is required to access Service Fabric Explorer or to publish applications to the cluster.
Step 1: choose a cluster name
We need to know the name of the cluster before we can start generating the certificate. The name must be unique within the Azure region.
In the Azure portal, click New → Compute → Service Fabric Cluster. Choosing the cluster name is the first step of the Service Fabric cluster creation wizard. In this article I will use the traditional name contoso.
Step 2: generate a certificate
The certificate can be generated in many ways; a full treatment is beyond the scope of this article, so use whichever process you trust. The only requirements are that the certificate is X.509 and that its subject name (CN) is the fully qualified host name of your cluster, e.g. contoso.westeurope.cloudapp.azure.com.
I will use Windows CryptoAPI, the Microsoft .NET Framework and the PluralSight.Crypto NuGet package. Launch Visual Studio and create a new console app (Start Page → Create a new project… → Installed → Templates → Visual C# → Windows Classic Desktop → Console App (.NET Framework) → OK). In Solution Explorer (View → Solution Explorer), right-click ConsoleApp1 and choose Manage NuGet Packages… Choose Browse and search for PluralSight.Crypto. Install the package. Replace the content of Program.cs with the following code and set the subjectName variable to your cluster's host name.
using Pluralsight.Crypto;
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

namespace ConsoleApp1 {
    class Program {
        static void Main(string[] args) {
            // The subject name (CN) must be the cluster's fully qualified host name.
            var subjectName = "contoso.westeurope.cloudapp.azure.com";
            using (CryptContext ctx = new CryptContext()) {
                ctx.Open();
                X509Certificate2 cert = ctx.CreateSelfSignedCertificate(
                    new SelfSignedCertProperties {
                        IsPrivateKeyExportable = true,              // required to write the private key into the PFX
                        KeyBitLength = 4096,
                        Name = new X500DistinguishedName("cn=" + subjectName),
                        ValidFrom = DateTime.Today.AddDays(-1),     // start yesterday to tolerate clock skew
                        ValidTo = DateTime.Today.AddYears(2),
                    });
                // The PFX holds the certificate and its private key; no password is set here.
                File.WriteAllBytes("contoso.pfx", cert.Export(X509ContentType.Pfx));
                // SHA-1 thumbprint, needed later in the cluster creation wizard.
                Console.WriteLine(cert.Thumbprint);
                Console.ReadLine();
            }
        }
    }
}
Build the project (Ctrl + Shift + B). In Solution Explorer, right-click the ConsoleApp1 project and choose Open Folder in File Explorer. Navigate to the bin/Debug directory and keep the window open for later use.
Run the project (F5). The code above creates the certificate, saves it to contoso.pfx in that directory and prints the certificate's thumbprint. Do not close the console window by pressing Enter; keep it open, because you will need the thumbprint later. Note that the PFX file contains the private key and is written without a password, so treat it as a secret.
Step 3: upload the certificate to Key Vault
In the Azure portal, click New → Security + Identity → Key Vault and create a Key Vault.
Under Advanced access policy, check Enable access to Azure Virtual Machines for deployment.
Navigate to the Key Vault and choose Secrets.
Then click Add.
Upload the certificate (contoso.pfx) from the bin/Debug folder you opened in the previous step and choose a name for the certificate.
Navigate to the Properties of the Key Vault and keep that page open.
Step 4: configure the cluster security
We can now return to the Service Fabric cluster creation wizard. In step 3 of the wizard we assign the primary certificate:
- From Key Vault’s properties, copy RESOURCE ID to Source Key Vault.
- From Secret Version’s properties, copy Secret Identifier to Certificate URL.
- From the console window, copy the printed thumbprint to Certificate thumbprint.
You may see an unexpected error telling you that the certificate thumbprint is invalid. This can happen when the pasted thumbprint starts with an invisible left-to-right mark character. Place the cursor after the first character of the thumbprint, press Backspace twice (this deletes the first character and the invisible mark before it), and type the first character again.
Management & application deployment
The certificate takes the place of a username and password for our cluster. It must be installed on every computer used to monitor the cluster or deploy applications to it. Double-click the certificate file (contoso.pfx) to install it. You can accept the store location that the Certificate Import Wizard selects automatically.
Deploying applications
You can create an empty Service Fabric application to test the deployment. From the Start Page click Create a new project… → Installed → Templates → Visual C# → Cloud → Service Fabric Application → OK → Stateless Service → OK. In Solution Explorer, right-click the Application1 project and choose Publish…
In the Publish Service Fabric Application dialog, set StoreLocation to CurrentUser and StoreName to My.
Accessing Service Fabric Explorer
We can now navigate to https://contoso.westeurope.cloudapp.azure.com:19080/Explorer. The browser will warn you that the certificate is invalid. This is expected, because the certificate is self-signed. Continue past the warning and choose the client certificate when the browser prompts for it. Service Fabric Explorer will show up. A computer without the certificate cannot access the cluster's Service Fabric Explorer.
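Two of the steps above are easy to automate and check rather than do by hand: cleaning the thumbprint that step 4 rejects because of an invisible left-to-right mark, and reaching the Explorer endpoint with the client certificate without blindly clicking through the browser's warning. The following Python script is an added example, not code from the original article; it pins the cluster's self-signed certificate to the thumbprint printed by the console app instead of trusting whatever certificate the endpoint presents. It assumes the client certificate and private key are available in PEM form (a PFX can be converted with openssl, e.g. openssl pkcs12 -in contoso.pfx -out contoso.pem -nodes); the host, port 19080 and the /Explorer path come from the article.

```python
import hashlib
import http.client
import re
import ssl

# Characters that sometimes travel along with a thumbprint copied from a
# console or a portal: Unicode bidi marks, zero-width space and a BOM.
_INVISIBLE = "\u200e\u200f\u200b\ufeff"
_SHA1_HEX = re.compile(r"[0-9A-F]{40}")


def normalize_thumbprint(raw: str) -> str:
    """Return a clean, upper-case, 40-hex-digit SHA-1 thumbprint.

    Strips the invisible marks listed above, whitespace and the ':' separators
    some tools insert between byte pairs. Raises ValueError when the result is
    not a SHA-1 thumbprint, which is the condition the portal reports as
    "certificate thumbprint is invalid".
    """
    cleaned = "".join(ch for ch in raw if ch not in _INVISIBLE and not ch.isspace())
    cleaned = cleaned.replace(":", "").upper()
    if not _SHA1_HEX.fullmatch(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleaning: {cleaned!r}")
    return cleaned


def thumbprint_of(der_bytes: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, in the form .NET's Thumbprint prints it."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def fetch_explorer_pinned(host: str, client_pem: str, expected_thumbprint: str,
                          port: int = 19080) -> int:
    """GET /Explorer over TLS with the client certificate, pinning the cluster certificate.

    The cluster certificate is self-signed, so chain validation would fail anyway;
    it is switched off and replaced by a comparison of the peer certificate's
    thumbprint against the one recorded when the certificate was created.
    Returns the HTTP status code. (Hypothetical helper; not part of the article.)
    """
    expected = normalize_thumbprint(expected_thumbprint)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # pinning below does the verification
    ctx.load_cert_chain(certfile=client_pem)  # client certificate + private key (PEM)
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.connect()
    peer_der = conn.sock.getpeercert(binary_form=True)
    actual = thumbprint_of(peer_der)
    if actual != expected:
        conn.close()
        raise ssl.SSLError(f"cluster certificate thumbprint {actual} does not match pinned {expected}")
    conn.request("GET", "/Explorer")
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    # Constructed sample: a thumbprint as it might arrive with a leading left-to-right mark.
    pasted = "\u200e" + "0123456789abcdef0123456789abcdef01234567"
    print(normalize_thumbprint(pasted))
    # Network use (requires the cluster and contoso.pem to exist):
    # print(fetch_explorer_pinned("contoso.westeurope.cloudapp.azure.com", "contoso.pem", pasted))
```

Run normalize_thumbprint on whatever you are about to paste into the wizard; if it raises, the string still carries something other than the 40 hex digits. fetch_explorer_pinned only needs the thumbprint from the console window, so the pinned value is the same one you entered in step 4.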
Certificate renewal
To renew the certificate, you can add a second certificate to the cluster and then swap the primary and secondary certificates. However, this currently cannot be done without PowerShell.