Active Directory: on-prem Service Fabric cluster Kerberos security (gMSA) and server certificates
We have successfully created both unsecured and certificate-based clusters. We are now testing a domain-secured cluster that uses a gMSA for node-to-node communication. The cluster configuration snippet below shows the problematic part:
"security": {
  "ClusterCredentialType": "Windows",
  "ServerCredentialType": "Windows",
  "WindowsIdentities": {
    "ClustergMSAIdentity": "{{ env_domain }}\\{{ cluster_gmsa_identity }}",
    "ClusterSPN": "{{ cluster_gmsa_spn }}",
    "ClientIdentities": [
      {
        "Identity": "{{ env_domain_short }}\\ServiceFabricAdmins",
        "IsAdmin": true
      },
      {
        "Identity": "{{ env_domain_short }}\\ServiceFabricReadOnly",
        "IsAdmin": false
      }
    ]
  },
  "CertificateInformation": {
    "ServerCertificate": {
      "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
      "X509StoreName": "My"
    },
    "ReverseProxyCertificate": {
      "Thumbprint": "{{ primary_server_certificate_thumbprint }}",
      "X509StoreName": "My"
    }
  }
}
If we supply the ServerCertificate property as shown above, cluster creation throws many exceptions (none of which seem to point at a certificate configuration problem); if I remove the ServerCertificate section (but keep the certificate supplied for the reverse proxy), cluster creation succeeds.
I expected the server certificate there to secure the HTTP communication channel of the management endpoint. A few points to consider:
Thanks for your comment @leonid lapshin. The idea of setting ServerCredentialType=X509 does indeed indicate that you will use the supplied ServerCertificate, absolutely correct! However, it also means that client certificates are required for authentication purposes, even if the WindowsIdentities section is populated, which is not the desired result. What we need is AD security for all node-to-node and client-to-node communication while still allowing communication over HTTPS; it seems the two cannot be configured together. No errors appear in the logs, and the management port 19080 is never bound on the server.

Background cluster workers seem to prefer using gMSA, but modern applications (e.g. Traefik) should authenticate using certificates, so you should use certificates.

Hi qmarc, I have exactly the same requirement. I have added a question here. Did you ever find an answer?
{
  "name": "yosfcl",
  "clusterConfigurationVersion": "1.0.1",
  "apiVersion": "10-2017",
  "nodes": [
    {
      "NodeName": "yv1-sf",
      "NodeTypeRef": "NodeType0",
      "IPAddress": "yv1-sf",
      "FaultDomain": "fd:/dc1/r1",
      "UpgradeDomain": "UD1"
    },
    {
      "NodeName": "yv2-sf",
      "NodeTypeRef": "NodeType0",
      "IPAddress": "yv2-sf",
      "FaultDomain": "fd:/dc1/r2",
      "UpgradeDomain": "UD2"
    },
    {
      "NodeName": "yv3-sf",
      "NodeTypeRef": "NodeType0",
      "IPAddress": "yv3-sf",
      "FaultDomain": "fd:/dc1/r3",
      "UpgradeDomain": "UD3"
    }
  ],
  "properties": {
    "diagnosticsStore": {
      "metadata": "Please replace the diagnostics file share with an actual file share accessible from all cluster machines. For example, \\\\machine1\\DiagnosticsStore.",
      "dataDeletionAgeInDays": "21",
      "storeType": "FileShare",
      "connectionstring": "c:\\ProgramData\\SF\\DiagnosticsStore"
    },
    "reverseProxyCertificate": {
      "thumbprint": "[parameters('76************************8A2')]",
      "x509StoreName": "[parameters('My')]"
    },
    "security": {
      "ClusterCredentialType": "Windows",
      "ServerCredentialType": "X509",
      "WindowsIdentities": {
        "ClustergMSAIdentity": "gmsaSF@domain.lan",
        "ClusterSPN": "http/yosfcl.domain.lan",
        "ClientIdentities": [
          {
            "Identity": "domain\\my.name",
            "IsAdmin": true
          }
        ]
      },
      "CertificateInformation": {
        "ServerCertificate": {
          "Thumbprint": "76***********************************8A2",
          "X509StoreName": "My"
        },
        "ReverseProxyCertificate": {
          "Thumbprint": "76*************************************48A2",
          "X509StoreName": "My"
        },
        "ClientCertificateThumbprints": [
          {
            "CertificateThumbprint": "94***********************************2D",
            "IsAdmin": true
          }
        ]
      }
    },
    "nodeTypes": [
      {
        "name": "NodeType0",
        "clientConnectionEndpointPort": "19000",
        "clusterConnectionEndpointPort": "19001",
        "leaseDriverEndpointPort": "19002",
        "serviceConnectionEndpointPort": "19003",
        "httpGatewayEndpointPort": "19080",
        "reverseProxyEndpointPort": "19081",
        "applicationPorts": {
          "startPort": "20001",
          "endPort": "20500"
        },
        "ephemeralPorts": {
          "startPort": "20501",
          "endPort": "20700"
        },
        "isPrimary": true
      }
    ],
    "fabricSettings": [
      {
        "name": "Setup",
        "parameters": [
          {
            "name": "FabricDataRoot",
            "value": "D:\\SF"
          },
          {
            "name": "FabricLogRoot",
            "value": "D:\\SF\\Logs"
          }
        ]
      },
      {
        "name": "ApplicationGateway/Http",
        "parameters": [
          {
            "name": "SecureOnlyMode",
            "value": true
          },
          {
            "name": "ApplicationCertificateValidationPolicy",
            "value": "None"
          }
        ]
      }
    ]
  }
}
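A pre-flight lint for the security block of a standalone ClusterConfig.json, added here as an example (not code from the thread or from Service Fabric). It encodes the two findings reported above: ServerCredentialType=Windows combined with a ServerCertificate, and ServerCredentialType=X509 without any client certificate entries. The sample config, its placeholder thumbprints and the finding codes are constructed for this example.

```python
import copy
import json

# Constructed sample shaped like the first snippet in the thread (placeholder values, not real thumbprints).
SAMPLE_CONFIG = {"properties": {"security": {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "Windows",
    "WindowsIdentities": {"ClustergMSAIdentity": "EXAMPLE\\gmsa-sf$", "ClusterSPN": "http/sf.example"},
    "CertificateInformation": {
        "ServerCertificate": {"Thumbprint": "PLACEHOLDER_THUMBPRINT", "X509StoreName": "My"},
        "ReverseProxyCertificate": {"Thumbprint": "PLACEHOLDER_THUMBPRINT", "X509StoreName": "My"},
    },
}}}


def lint_security(config):
    """Return (code, message) findings for the security block of a standalone ClusterConfig.json."""
    sec = config.get("properties", {}).get("security", {})
    certs = sec.get("CertificateInformation", {})
    server_type = sec.get("ServerCredentialType")
    findings = []
    if server_type == "Windows" and "ServerCertificate" in certs:
        # The thread reports cluster creation fails with Windows server auth plus a ServerCertificate.
        findings.append(("WIN_PLUS_SERVERCERT",
                         "ServerCredentialType=Windows with CertificateInformation.ServerCertificate: "
                         "remove ServerCertificate or switch ServerCredentialType to X509"))
    if server_type == "X509":
        if "ServerCertificate" not in certs and "ServerCertificateCommonNames" not in certs:
            findings.append(("X509_NO_SERVERCERT",
                             "ServerCredentialType=X509 needs ServerCertificate or ServerCertificateCommonNames"))
        if not (certs.get("ClientCertificateThumbprints") or certs.get("ClientCertificateCommonNames")):
            # As the thread reports, X509 server auth means clients authenticate by certificate,
            # so WindowsIdentities.ClientIdentities alone lets nobody connect.
            findings.append(("X509_NO_CLIENTCERTS",
                             "ServerCredentialType=X509 but no ClientCertificateThumbprints/CommonNames"))
    return findings


def lint_file(path):
    """Load a ClusterConfig.json from disk and lint its security block."""
    with open(path, encoding="utf-8") as fh:
        return lint_security(json.load(fh))


def with_x509_server(config):
    """Copy of config with ServerCredentialType switched to X509, as the comment above suggests."""
    out = copy.deepcopy(config)
    out["properties"]["security"]["ServerCredentialType"] = "X509"
    return out


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, with_x509_server(SAMPLE_CONFIG)):
        for code, msg in lint_security(cfg):
            print(f"{code}: {msg}")
```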