Rotate App Service on Azure Stack Hub secrets and certificates

These instructions only apply to Azure App Service on Azure Stack Hub. Rotation of Azure App Service on Azure Stack Hub secrets is not included in the centralized secret rotation procedure for Azure Stack Hub. Operators can monitor the validity of secrets within the system, the date on which they were last updated, and the time remaining until the secrets expire.

Important

Operators won't receive alerts for secret expiration on the Azure Stack Hub dashboard, because Azure App Service on Azure Stack Hub is not integrated with the Azure Stack Hub alerting service. Operators must regularly monitor their secrets using the Azure App Service on Azure Stack Hub administration experience in the Azure Stack Hub administrator portal.

This document contains the procedures for rotating the following secrets:

  • Encryption keys used within Azure App Service on Azure Stack Hub.
  • Database connection credentials used by Azure App Service on Azure Stack Hub to interact with the hosting and metering databases.
  • Certificates used by Azure App Service on Azure Stack Hub to secure endpoints, and rotation of the identity application certificate in Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS).
  • System credentials for Azure App Service on Azure Stack Hub infrastructure roles.

Rotate encryption keys

To rotate the encryption keys used within Azure App Service on Azure Stack Hub, take the following steps:

  1. Go to the App Service administration experience in the Azure Stack Hub administrator portal.

  2. Go to the Secrets menu option.

  3. Select the Rotate button in the Encryption Keys section.

  4. Select OK to start the rotation procedure.

  5. The encryption keys are rotated and all role instances are updated. Operators can check the status of the procedure using the Status button.

Rotate connection strings

To update the credentials in the database connection strings for the App Service hosting and metering databases, take the following steps:

  1. Go to the App Service administration experience in the Azure Stack Hub administrator portal.

  2. Go to the Secrets menu option.

  3. Select the Rotate button in the Connection Strings section.

  4. Provide the SQL SA Username and Password and select OK to start the rotation procedure.

  5. The credentials are rotated throughout the Azure App Service role instances. Operators can check the status of the procedure using the Status button.

Rotate certificates

To rotate the certificates used within Azure App Service on Azure Stack Hub, take the following steps:

  1. Go to the App Service administration experience in the Azure Stack Hub administrator portal.

  2. Go to the Secrets menu option.

  3. Select the Rotate button in the Certificates section.

  4. Provide the certificate file and associated password for the certificates you wish to rotate and select OK.

  5. The certificates are rotated as required throughout the Azure App Service on Azure Stack Hub role instances. Operators can check the status of the procedure using the Status button.

When the identity application certificate is rotated, the corresponding app in Azure AD or AD FS must also be updated with the new certificate.

Important

Failure to update the identity application with the new certificate after rotation will break the user portal experience for Azure Functions, prevent users from being able to use the KUDU developer tools, and prevent admins from managing worker tier scale sets from the App Service administration experience.

Rotate credential for the Azure AD identity application

The identity application is created by the operator before deployment of Azure App Service on Azure Stack Hub. If the application ID is unknown, follow these steps to discover it:

  1. Go to the Azure Stack Hub administrator portal.

  2. Go to Subscriptions and select Default Provider Subscription.

  3. Select Access Control (IAM) and select the App Service application.

  4. Take a note of the APP ID. This value is the application ID of the identity application that must be updated in Azure AD.

To rotate the certificate for the application in Azure AD, follow these steps:

  1. Go to the Azure portal and sign in using the Global Admin account used to deploy Azure Stack Hub.

  2. Go to Azure Active Directory and browse to App Registrations.

  3. Search by Application ID, specifying the identity application ID.

  4. Select the application and then go to Certificates & Secrets.

  5. Select Upload certificate and upload the new certificate for the identity application with one of the following file types: .cer, .pem, .crt.

  6. Confirm the thumbprint matches the one listed in the App Service administration experience in the Azure Stack Hub administrator portal.

  7. Delete the old certificate.
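The two checks an operator has to do by hand around this procedure are confirming that the file about to be uploaded carries the thumbprint shown in the App Service administration experience (step 6) and, because App Service secrets raise no dashboard alerts, keeping an eye on how long the certificate remains valid. The following PowerShell is an added example, not part of this article or of any Microsoft tooling; it relies only on the .NET X509Certificate2 class, and the file path, expected thumbprint and 30-day warning threshold are assumptions you replace with your own values.

```powershell
# Added example (not from the Azure Stack Hub documentation): pre-flight check for an
# identity application certificate before it is uploaded to Azure AD, plus the expiry
# check an operator can run on a schedule. Only the .NET X509Certificate2 class is used.

function Test-IdentityAppCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,   # .cer, .crt, .pem or .pfx file on disk
        [string] $ExpectedThumbprint,            # thumbprint shown in the App Service admin experience
        [securestring] $PfxPassword,             # only needed when $Path is a .pfx
        [int] $WarnWithinDays = 30               # assumed threshold; adjust to your rotation cadence
    )

    # Load the certificate; the two-argument constructor is required for password-protected .pfx files
    if ($PfxPassword) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $PfxPassword)
    } else {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    }

    $now      = Get-Date
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    # Normalize the portal value (people paste it with spaces or colons) before comparing
    $thumbprintMatches = $null
    if ($ExpectedThumbprint) {
        $normalized        = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
        $thumbprintMatches = ($cert.Thumbprint -eq $normalized)
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        NotBefore         = $cert.NotBefore
        NotAfter          = $cert.NotAfter
        DaysUntilExpiry   = $daysLeft
        IsValidNow        = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ExpiresSoon       = ($daysLeft -le $WarnWithinDays)
        HasPrivateKey     = $cert.HasPrivateKey
        ThumbprintMatches = $thumbprintMatches
    }
}

# Usage: both values below are placeholders, not values from this article
$result = Test-IdentityAppCertificate -Path "d:\certs\sso.cer" -ExpectedThumbprint "<ThumbprintFromAdminPortal>"
$result | Format-List

if ($result.ThumbprintMatches -eq $false) {
    Write-Warning "Thumbprint does not match the App Service administration experience; do not upload this file."
}
if (-not $result.IsValidNow) {
    Write-Warning "Certificate is outside its validity period."
}
if ($result.ExpiresSoon) {
    Write-Warning "Certificate expires in $($result.DaysUntilExpiry) days; schedule the rotation now."
}
```

Run it against the file you are about to upload; a ThumbprintMatches of False means the file is not the certificate the App Service roles were just rotated to, which is exactly the mismatch that leaves Functions, KUDU and worker tier management broken after the old certificate is deleted. The same function, pointed at the currently deployed certificate and run on a schedule, gives you the expiry warning the Azure Stack Hub dashboard does not.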

Rotate certificate for AD FS identity application

The identity application is created by the operator before deployment of Azure App Service on Azure Stack Hub. If the application's object ID is unknown, follow these steps to discover it:

  1. Go to the Azure Stack Hub administrator portal.

  2. Go to Subscriptions and select Default Provider Subscription.

  3. Select Access Control (IAM) and select the AzureStack-AppService- application.

  4. Take a note of the Object ID. This value is the ID of the Service Principal that must be updated in AD FS.

To rotate the certificate for the application in AD FS, you need to have access to the privileged endpoint (PEP). Then you update the certificate credential using PowerShell, replacing the following placeholders with your own values:

Placeholder                 Description                                                                Example
<PepVM>                     The name of the privileged endpoint VM on your Azure Stack Hub instance.   "AzS-ERCS01"
<CertificateFileLocation>   The location of your X509 certificate on disk.                             "d:\certs\sso.cer"
<ApplicationObjectId>       The identifier assigned to the identity application.                       "S-1-5-21-401916501-2345862468-1451220656-1451"

  1. Open an elevated Windows PowerShell session and run the following script:

    # Sign in to PowerShell interactively, using credentials that have access to the VM running the Privileged Endpoint
    $Creds = Get-Credential
    
    # Create a new Certificate object from the identity application certificate exported as a .cer file
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<CertificateFileLocation>")
    
    # Create a new PSSession to the PrivilegedEndpoint VM
    $Session = New-PSSession -ComputerName "<PepVM>" -ConfigurationName PrivilegedEndpoint -Credential $Creds
    
    # Use the privileged endpoint to update the certificate used by the service principal associated with the App Service identity application
    $SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier "<ApplicationObjectId>" -ClientCertificates $using:Cert}
    $Session | Remove-PSSession
    
    # Output the updated service principal details
    $SpObject
    

  2. After the script finishes, it displays the updated app registration info, including the thumbprint value for the certificate.

    ApplicationIdentifier : S-1-5-21-401916501-2345862468-1451220656-1451
    ClientId              : 
    Thumbprint            : FDAA679BF9EDDD0CBB581F978457A37BFD73CA3B
    ApplicationName       : Azurestack-AppService-d93601c2-1ec0-4cac-8d1c-8ccde63ef308
    ClientSecret          : 
    PSComputerName        : AzS-ERCS01
    RunspaceId            : cb471c79-a0d3-40ec-90ba-89087d104510
    

Rotate system credentials

To rotate the system credentials used within Azure App Service on Azure Stack Hub, take the following steps:

  1. Go to the App Service administration experience in the Azure Stack Hub administrator portal.

  2. Go to the Secrets menu option.

  3. Select the Rotate button in the System Credentials section.

  4. Select the Scope of the System Credential you're rotating. Operators can choose to rotate the system credentials for all roles or for individual roles.

  5. Specify a new Local Admin User Name and a new Password. Then confirm the Password and select OK.

  6. The credential(s) are rotated as required throughout the corresponding Azure App Service on Azure Stack Hub role instances. Operators can check the status of the procedure using the Status button.