Rotate secrets in Azure Stack Hub

These instructions apply only to Azure Stack Hub integrated systems version 1803 and later. Don't attempt secret rotation on pre-1803 versions.

This article provides guidance and a PowerShell script for secret rotation, to help maintain secure communication with Azure Stack Hub infrastructure resources and services.

Overview

Azure Stack Hub uses secrets to maintain secure communication with infrastructure resources and services. To maintain the integrity of the Azure Stack Hub infrastructure, operators need the ability to rotate secrets at frequencies that are consistent with their organization's security requirements.

Internal vs external secrets

Starting with release 1811, secret rotation is separated for internal and external certificates:

  • Internal secrets: Certificates, passwords, secure strings, and keys used by the Azure Stack Hub infrastructure without intervention of the Azure Stack Hub operator.

  • External secrets: Infrastructure service certificates for external-facing services that are provided by the Azure Stack Hub operator. External secrets include the certificates for the following services:

    • Administrator portal
    • Public portal
    • Administrator Azure Resource Manager
    • Global Azure Resource Manager
    • Administrator Key Vault
    • Key Vault
    • Admin Extension Host
    • ACS (including blob, table, and queue storage)
    • ADFS*
    • Graph*

    * Only applicable if the environment's identity provider is Active Directory Federation Services (AD FS).

Important

All other secure keys and strings are manually updated by the administrator. This includes user and administrator account passwords, network switch passwords and permissions, and baseboard management controller (BMC) credentials, which are covered later in this article.

In addition, this article does not address secret rotation for value-add resource providers. To rotate those secrets, refer to the following articles instead:

Expiration alerts

When secrets are within 30 days of expiration, the following alerts are generated in the administrator portal:

  • Pending service account password expiration
  • Pending internal certificate expiration
  • Pending external certificate expiration

Completing the secret rotation steps in the following sections resolves these alerts.

Note

Azure Stack Hub environments on pre-1811 versions may see alerts for pending internal certificate or secret expirations. These alerts are inaccurate and should be ignored without running internal secret rotation. Inaccurate internal secret expiration alerts are a known issue that's resolved in 1811. Internal secrets won't expire unless the environment has been active for two years.

External certificates from a new Certificate Authority

Azure Stack Hub supports secret rotation with external certificates from a new Certificate Authority (CA) in the following contexts:

| Installed certificate CA | CA to rotate to | Supported | Azure Stack Hub versions supported |
|---|---|---|---|
| Self-signed | Enterprise | Supported | 1903 and later |
| Self-signed | Self-signed | Not supported | |
| Self-signed | Public* | Supported | 1803 and later |
| Enterprise | Enterprise | Supported. From 1803-1903: supported as long as customers use the SAME enterprise CA as used at deployment | 1803 and later |
| Enterprise | Self-signed | Not supported | |
| Enterprise | Public* | Supported | 1803 and later |
| Public* | Enterprise | Supported | 1903 and later |
| Public* | Self-signed | Not supported | |
| Public* | Public* | Supported | 1803 and later |

* Indicates that the public certificate authorities are part of the Windows Trusted Root Program. You can find the full list in the article List of Participants - Microsoft Trusted Root Program.

Prerequisites

For rotation of internal and external secrets:

  1. It's highly recommended that you first update your Azure Stack Hub instance to the latest version.

    Important

    For pre-1811 versions:

    • If secret rotation has already been performed, you must update to version 1811 or later before you perform secret rotation again. Secret rotation must be executed via the privileged endpoint and requires Azure Stack Hub operator credentials. If you don't know whether secret rotation has been run on your environment, update to 1811 before performing secret rotation.
    • You don't need to rotate secrets to add extension host certificates. Follow the instructions in the article Prepare for extension host for Azure Stack Hub to add extension host certificates.
  2. Notify your users of planned maintenance operations. Schedule normal maintenance windows, as much as possible, during non-business hours. Maintenance operations may affect both user workloads and portal operations.

  3. During rotation of secrets, operators may notice alerts open and automatically close. This behavior is expected and the alerts can be ignored. Operators can verify the validity of these alerts using the Test-AzureStack PowerShell cmdlet. For operators using System Center Operations Manager to monitor Azure Stack Hub systems, placing a system in maintenance mode prevents these alerts from reaching their ITSM systems, but alerting continues if the Azure Stack Hub system becomes unreachable.

For rotation of external secrets, complete these additional prerequisites:

  1. Run the Test-AzureStack PowerShell cmdlet with the -group SecretRotationReadiness parameter, to confirm all test outputs are healthy before rotating secrets.

  2. Prepare a new set of replacement external certificates:

  3. Store a backup of the certificates used for rotation in a secure backup location. If your rotation runs and then fails, replace the certificates in the file share with the backup copies before you rerun the rotation. Keep backup copies in the secure backup location.

  4. Create a file share you can access from the ERCS VMs. The file share must be readable and writable for the CloudAdmin identity.

  5. Open a PowerShell ISE console from a computer where you have access to the file share. Navigate to your file share, where you create directories to place your external certificates.

  6. Download CertDirectoryMaker.ps1 to a network file share that can be accessed during rotation, and run the script. The script creates a folder structure that adheres to .\Certificates\AAD or .\Certificates\ADFS, depending on your identity provider. Your folder structure must begin with a \Certificates folder, followed by ONLY an \AAD or \ADFS folder. All additional subdirectories are contained within the preceding structure. For example:

    • File share = \\<IPAddress>\<ShareName>
    • Certificate root folder for Azure AD provider = \Certificates\AAD
    • Full path = \\<IPAddress>\<ShareName>\Certificates\AAD

    Important

    When you run Start-SecretRotation later, it validates the folder structure. A folder structure that is not compliant throws the following error:

    Cannot bind argument to parameter 'Path' because it is null.
    + CategoryInfo          : InvalidData: (:) [Test-Certificate], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Test-Certificate
    + PSComputerName        : xxx.xxx.xxx.xxx
    
  7. Copy the new set of replacement external certificates created in step 2 to the \Certificates\<IdentityProvider> directory created in step 6. Be sure to follow the cert.<regionName>.<externalFQDN> format for <CertName>.

    Here's an example of a folder structure for the Azure AD identity provider:

        <ShareName>
            │
            └───Certificates
                  └───AAD
                      ├───ACSBlob
                      │       <CertName>.pfx
                      │
                      ├───ACSQueue
                      │       <CertName>.pfx
                      │
                      ├───ACSTable
                      │       <CertName>.pfx
                      │
                      ├───Admin Extension Host
                      │       <CertName>.pfx
                      │
                      ├───Admin Portal
                      │       <CertName>.pfx
                      │
                      ├───ARM Admin
                      │       <CertName>.pfx
                      │
                      ├───ARM Public
                      │       <CertName>.pfx
                      │
                      ├───KeyVault
                      │       <CertName>.pfx
                      │
                      ├───KeyVaultInternal
                      │       <CertName>.pfx
                      │
                      ├───Public Extension Host
                      │       <CertName>.pfx
                      │
                      └───Public Portal
                              <CertName>.pfx
    
    
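Because Start-SecretRotation only reports a terse binding error when the share layout is wrong, it helps to check the share before opening a PEP session. The following function is an added example written for this page; it is not part of the Microsoft article, of CertDirectoryMaker.ps1 or of the Azure Stack Hub tooling. It assumes the layout shown above (a \Certificates root, exactly one \AAD or \ADFS folder, one .pfx per service folder), the same password for every .pfx, and a regex for the cert.<regionName>.<externalFQDN>.pfx naming rule; the function name, parameters and the 30-day threshold (taken from the expiration-alert window described earlier) are choices of this example.

```powershell
# Added pre-flight check for the certificate share layout; not part of the Microsoft
# article or of the Azure Stack Hub tooling. The function name, parameters and the
# file-name regex are assumptions of this example.
using namespace System.Security.Cryptography.X509Certificates

function Test-CertShareLayout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SharePath,                     # e.g. \\<IPAddress>\<ShareName>
        [ValidateSet('AAD', 'ADFS')] [string] $IdentityProvider = 'AAD',
        [Parameter(Mandatory)] [securestring] $CertificatePassword,     # one password for every .pfx
        [int] $MinDaysValid = 30                                         # portal alerts start 30 days before expiry
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $certRoot = Join-Path $SharePath 'Certificates'

    # Rule 1: the structure begins with \Certificates, followed by ONLY an \AAD or \ADFS folder.
    if (-not (Test-Path -LiteralPath $certRoot -PathType Container)) {
        $findings.Add("Missing root folder: $certRoot")
        return $findings
    }
    $idpFolders = @(Get-ChildItem -LiteralPath $certRoot -Directory)
    if ($idpFolders.Count -ne 1 -or $idpFolders[0].Name -ne $IdentityProvider) {
        $findings.Add("Expected exactly one '$IdentityProvider' folder under $certRoot, found: '$($idpFolders.Name -join ', ')'")
        return $findings
    }

    # Rule 2: each service folder holds exactly one PFX named cert.<regionName>.<externalFQDN>.pfx
    # that opens with the supplied password, carries a private key and is not inside the alert window.
    $namePattern = '^cert\.[^.\\]+\.[^\\]+\.pfx$'
    # EphemeralKeySet keeps the private key out of the machine key store (.NET Framework 4.7.2+ / .NET Core).
    $flags = [X509KeyStorageFlags]::EphemeralKeySet
    $cutoff = (Get-Date).AddDays($MinDaysValid)

    foreach ($svc in Get-ChildItem -LiteralPath $idpFolders[0].FullName -Directory) {
        $pfx = @(Get-ChildItem -LiteralPath $svc.FullName -File -Filter '*.pfx')
        if ($pfx.Count -ne 1) {
            $findings.Add("$($svc.Name): expected exactly one .pfx, found $($pfx.Count)")
            continue
        }
        if ($pfx[0].Name -notmatch $namePattern) {
            $findings.Add("$($svc.Name): '$($pfx[0].Name)' does not follow cert.<regionName>.<externalFQDN>.pfx")
        }
        try {
            $cert = [X509Certificate2]::new($pfx[0].FullName, $CertificatePassword, $flags)
            if (-not $cert.HasPrivateKey) {
                $findings.Add("$($svc.Name): PFX contains no private key")
            }
            if ($cert.NotAfter -lt $cutoff) {
                $findings.Add("$($svc.Name): certificate expires $($cert.NotAfter.ToString('u')), inside the $MinDaysValid-day alert window")
            }
            $cert.Dispose()
        } catch {
            $findings.Add("$($svc.Name): cannot open '$($pfx[0].Name)' with the supplied password: $($_.Exception.Message)")
        }
    }
    return $findings
}

# Usage: run from the machine that can reach the share, before starting the PEP session.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$issues = Test-CertShareLayout -SharePath '\\<IPAddress>\<ShareName>' -IdentityProvider AAD -CertificatePassword $pfxPassword
if ($issues.Count -eq 0) { 'Certificate share layout OK' } else { $issues }
```

An empty result means every service folder has one correctly named .pfx that opens with the password and stays valid beyond the alert window; each finding names the service folder so it can be fixed before the rotation run.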

Rotate external secrets

Complete the following steps to rotate external secrets:

  1. Use the following PowerShell script to rotate the secrets. The script requires access to a Privileged Endpoint (PEP) session. The PEP is accessed through a remote PowerShell session on the virtual machine (VM) that hosts the PEP. If you're using an integrated system, there are three instances of the PEP, each running inside a VM (Prefix-ERCS01, Prefix-ERCS02, or Prefix-ERCS03) on different hosts. If you're using the ASDK, this VM is named AzS-ERCS01. Update the <placeholder> values before running:

    # Create a PEP Session
    winrm s winrm/config/client '@{TrustedHosts= "<IP_address_of_ERCS>"}'
    $PEPCreds = Get-Credential
    $PEPSession = New-PSSession -ComputerName <IP_address_of_ERCS_Machine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    # Run Secret Rotation
    $CertPassword = ConvertTo-SecureString "<Cert_Password>" -AsPlainText -Force
    $CertShareCreds = Get-Credential
    $CertSharePath = "<Network_Path_Of_CertShare>"
    Invoke-Command -Session $PEPSession -ScriptBlock {
        Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
    }
    Remove-PSSession -Session $PEPSession
    

    The script performs the following steps:

    • Creates a PowerShell session with the privileged endpoint using the CloudAdmin account, and stores the session in a variable. This variable is used as a parameter in the next step.

    • Runs Invoke-Command, passing the PEP session variable as the -Session parameter.

    • Runs Start-SecretRotation in the PEP session, using the following parameters:

      • -PfxFilesPath: The network path to the Certificates directory created earlier.
      • -PathAccessCredential: The PSCredential object for the credentials to the share.
      • -CertificatePassword: A secure string of the password used for all of the .pfx certificate files created.
  2. External secret rotation takes approximately one hour. After successful completion, your console displays ActionPlanInstanceID ... CurrentStatus: Completed, followed by DONE. Remove your certificates from the share created in the prerequisites section and store them in their secure backup location.

    Note

    If secret rotation fails, follow the instructions in the error message and rerun Start-SecretRotation with the -ReRun parameter.

    Start-SecretRotation -ReRun
    

    Contact support if you experience repeated secret rotation failures.
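The console's CurrentStatus: Completed line confirms that the action plan finished, not that each public endpoint is now serving the certificate you supplied. The following script is an added example for this page, not part of the Microsoft article or of Azure Stack Hub; it connects to each external endpoint over TLS, reads the certificate actually presented, and compares its thumbprint with the .pfx you rotated in. It assumes the .pfx files have been moved to the secure backup location with the same Certificates\<IdentityProvider>\<Service> layout as the share, and that the external endpoint host names follow the standard Azure Stack Hub naming (adminportal., portal., adminmanagement. and management.<region>.<externalFQDN>); the function names, parameters and the endpoint map are choices of this example, so adjust the map to your deployment.

```powershell
# Added post-rotation verification; not part of the Microsoft article or of the Azure
# Stack Hub tooling. Function names, parameters and the endpoint map are assumptions
# of this example; <region> and <externalFQDN> are placeholders for your deployment.
using namespace System.Security.Cryptography.X509Certificates

function Get-ServedTlsCertificate {
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # The validation callback always returns $true so that whatever chain the endpoint
        # serves can be observed; the trust decision is made below by thumbprint comparison.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)    # $HostName is also sent as the SNI name
        return [X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

function Compare-RotatedCertificates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertificateBackupPath,        # folder holding Certificates\<IdP>\...
        [ValidateSet('AAD', 'ADFS')] [string] $IdentityProvider = 'AAD',
        [Parameter(Mandatory)] [securestring] $CertificatePassword,
        [Parameter(Mandatory)] [hashtable] $EndpointMap                 # service folder name -> host name
    )
    $flags = [X509KeyStorageFlags]::EphemeralKeySet   # do not persist private keys to the key store
    foreach ($entry in $EndpointMap.GetEnumerator()) {
        $folder = Join-Path $CertificateBackupPath "Certificates\$IdentityProvider\$($entry.Key)"
        $pfx = Get-ChildItem -LiteralPath $folder -File -Filter '*.pfx' | Select-Object -First 1
        $expected = [X509Certificate2]::new($pfx.FullName, $CertificatePassword, $flags)
        try {
            $served = Get-ServedTlsCertificate -HostName $entry.Value
            $servedThumb = $served.Thumbprint
            $servedExpiry = $served.NotAfter
        } catch {
            $servedThumb = "ERROR: $($_.Exception.Message)"
            $servedExpiry = $null
        }
        [pscustomobject]@{
            Service       = $entry.Key
            HostName      = $entry.Value
            ExpectedThumb = $expected.Thumbprint
            ServedThumb   = $servedThumb
            Rotated       = ($expected.Thumbprint -eq $servedThumb)
            ServedExpires = $servedExpiry
        }
        $expected.Dispose()
    }
}

# Usage: the map keys are the service folder names from the share layout in the prerequisites.
$endpoints = @{
    'Admin Portal'  = 'adminportal.<region>.<externalFQDN>'
    'Public Portal' = 'portal.<region>.<externalFQDN>'
    'ARM Admin'     = 'adminmanagement.<region>.<externalFQDN>'
    'ARM Public'    = 'management.<region>.<externalFQDN>'
}
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Compare-RotatedCertificates -CertificateBackupPath '\\<BackupServer>\<BackupShare>' -CertificatePassword $pfxPassword -EndpointMap $endpoints |
    Format-Table Service, HostName, Rotated, ServedExpires, ServedThumb -AutoSize
```

A row with Rotated = False after the run has reported DONE means that endpoint is still presenting the old certificate (or, when ServedThumb starts with ERROR, could not be reached), which is the case to investigate before removing the backup copies or closing the maintenance window.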

Rotate internal secrets

Internal secret rotation is only required if you suspect one has been compromised, or you've received an expiration alert. Pre-1811 versions may see alerts for pending internal certificate or secret expirations. These alerts are inaccurate and should be ignored; they are a known issue resolved in 1811. Internal secrets won't expire unless the environment has been active for two years.

Reference the PowerShell script in step 2 of Rotate external secrets. The script provides an example you can adapt for internal secret rotation by making a few changes to run the following steps:

  1. In the "Run Secret Rotation" section, add the -Internal parameter to the Start-SecretRotation cmdlet, for example:

    # Run Secret Rotation
    ...
    Invoke-Command -Session $PEPSession -ScriptBlock {
        Start-SecretRotation -Internal
    }
    ...
    

    Note

    Pre-1811 versions don't require the -Internal flag.

  2. After successful completion, your console displays ActionPlanInstanceID ... CurrentStatus: Completed, followed by DONE.

    Note

    If secret rotation fails, follow the instructions in the error message and rerun Start-SecretRotation with the -Internal and -ReRun parameters.

    Start-SecretRotation -Internal -ReRun
    

    Contact support if you experience repeated secret rotation failures.

Update the BMC credential

The baseboard management controller monitors the physical state of your servers. Refer to your original equipment manufacturer (OEM) hardware vendor for instructions to update the user account name and password of the BMC.

Note

Your OEM may provide additional management apps. Updating the user name or password for other management apps has no effect on the BMC user name or password.

  1. Update the BMC on the Azure Stack Hub physical servers by following your OEM instructions. The user name and password for each BMC in your environment must be the same. The BMC user names can't exceed 16 characters.

  2. It's no longer required that you first update the BMC credentials on the Azure Stack Hub physical servers by following your OEM instructions. The user name and password for each BMC in your environment must be the same, and can't exceed 16 characters.

  3. Open a privileged endpoint in Azure Stack Hub sessions. For instructions, see Using the privileged endpoint in Azure Stack Hub.

  4. After opening a privileged endpoint session, run one of the PowerShell scripts below, which use Invoke-Command to run Set-BmcCredential. If you use the optional -BypassBMCUpdate parameter with Set-BmcCredential, credentials in the BMC aren't updated; only the Azure Stack Hub internal datastore is updated. Pass your privileged endpoint session variable as a parameter.

    Here's an example PowerShell script that prompts for the user name and password:

    # Interactive Version
    $PEPIp = "<Privileged Endpoint IP or Name>" # You can also use the machine name instead of IP here.
    $PEPCreds = Get-Credential "<Domain>\CloudAdmin" -Message "PEP Credentials"
    $NewBmcPwd = Read-Host -Prompt "Enter New BMC password" -AsSecureString
    $NewBmcUser = Read-Host -Prompt "Enter New BMC user name"
    
    $PEPSession = New-PSSession -ComputerName $PEPIp -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    Invoke-Command -Session $PEPSession -ScriptBlock {
        # Parameter BmcPassword is mandatory, while the BmcUser parameter is optional.
        Set-BmcCredential -BmcPassword $using:NewBmcPwd -BmcUser $using:NewBmcUser
    }
    Remove-PSSession -Session $PEPSession
    

    You can also encode the user name and password in variables, which may be less secure:

    # Static Version
    $PEPIp = "<Privileged Endpoint IP or Name>" # You can also use the machine name instead of IP here.
    $PEPUser = "<Privileged Endpoint user for example Domain\CloudAdmin>"
    $PEPPwd = ConvertTo-SecureString "<Privileged Endpoint Password>" -AsPlainText -Force
    $PEPCreds = New-Object System.Management.Automation.PSCredential ($PEPUser, $PEPPwd)
    $NewBmcPwd = ConvertTo-SecureString "<New BMC Password>" -AsPlainText -Force
    $NewBmcUser = "<New BMC User name>"
    
    $PEPSession = New-PSSession -ComputerName $PEPIp -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    Invoke-Command -Session $PEPSession -ScriptBlock {
        # Parameter BmcPassword is mandatory, while the BmcUser parameter is optional.
        Set-BmcCredential -BmcPassword $using:NewBmcPwd -BmcUser $using:NewBmcUser
    }
    Remove-PSSession -Session $PEPSession
    

Reference: Start-SecretRotation cmdlet

The Start-SecretRotation cmdlet rotates the infrastructure secrets of an Azure Stack Hub system. This cmdlet can only be executed against the Azure Stack Hub privileged endpoint, by using an Invoke-Command script block that passes the PEP session in the -Session parameter. By default, it rotates only the certificates of all external network infrastructure endpoints.

| Parameter | Type | Required | Position | Default | Description |
|---|---|---|---|---|---|
| PfxFilesPath | String | False | Named | None | The file share path to the \Certificates directory containing all external network endpoint certificates. Only required when rotating external secrets. The end directory must be \Certificates. |
| CertificatePassword | SecureString | False | Named | None | The password for all certificates provided in -PfxFilesPath. Required if PfxFilesPath is provided when external secrets are rotated. |
| Internal | String | False | Named | None | The Internal flag must be used any time an Azure Stack Hub operator wishes to rotate internal infrastructure secrets. |
| PathAccessCredential | PSCredential | False | Named | None | The PowerShell credential for the file share of the \Certificates directory containing all external network endpoint certificates. Only required when rotating external secrets. |
| ReRun | SwitchParameter | False | Named | None | Must be used any time secret rotation is reattempted after a failed attempt. |

Syntax

For external secret rotation

Start-SecretRotation [-PfxFilesPath <string>] [-PathAccessCredential <PSCredential>] [-CertificatePassword <SecureString>]

For internal secret rotation

Start-SecretRotation [-Internal]

For external secret rotation rerun

Start-SecretRotation [-ReRun]

For internal secret rotation rerun

Start-SecretRotation [-ReRun] [-Internal]

Examples

Rotate only internal infrastructure secrets

This command must be run via your Azure Stack Hub environment's privileged endpoint.

PS C:\> Start-SecretRotation -Internal

This command rotates all of the infrastructure secrets exposed to the Azure Stack Hub internal network.

Rotate only external infrastructure secrets

# Create a PEP Session
winrm s winrm/config/client '@{TrustedHosts= "<IP_address_of_ERCS>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IP_address_of_ERCS> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Create Credentials for the fileshare
$CertPassword = ConvertTo-SecureString "<CertPasswordHere>" -AsPlainText -Force
$CertShareCreds = Get-Credential
$CertSharePath = "<NetworkPathOfCertShare>"
# Run Secret Rotation
Invoke-Command -Session $PEPSession -ScriptBlock {  
    Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
}
Remove-PSSession -Session $PEPSession

This command rotates the TLS certificates used for Azure Stack Hub's external network infrastructure endpoints.

Rotate internal and external infrastructure secrets (pre-1811 only)

Important

This command only applies to Azure Stack Hub pre-1811, because the rotation has since been split for internal and external certificates.

From 1811 onward, you can't rotate both internal and external certificates in one run.

# Create a PEP Session
winrm s winrm/config/client '@{TrustedHosts= "<IP_address_of_ERCS>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IP_address_of_ERCS> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Create Credentials for the fileshare
$CertPassword = ConvertTo-SecureString "<CertPasswordHere>" -AsPlainText -Force
$CertShareCreds = Get-Credential
$CertSharePath = "<NetworkPathOfCertShare>"
# Run Secret Rotation
Invoke-Command -Session $PEPSession -ScriptBlock {
    Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
}
Remove-PSSession -Session $PEPSession

This command rotates the infrastructure secrets exposed to the Azure Stack Hub internal network, and the TLS certificates used for Azure Stack Hub's external network infrastructure endpoints. Start-SecretRotation rotates all stack-generated secrets, and because certificates are provided, the external endpoint certificates are rotated as well.

Next steps

Learn more about Azure Stack Hub security