Rotate secrets in Azure Stack

These instructions apply only to Azure Stack integrated systems version 1803 and later. Do not attempt secret rotation on Azure Stack versions earlier than 1803.

Azure Stack uses various secrets to maintain secure communication between the Azure Stack infrastructure resources and services.

  • Internal secrets

All the certificates, passwords, secure strings, and keys used by the Azure Stack infrastructure without intervention of the Azure Stack operator.

  • External secrets

Infrastructure service certificates for external-facing services, provided by the Azure Stack operator. External secrets include the certificates for the following services:

  • Administrator portal
  • Public portal
  • Administrator Azure Resource Manager
  • Global Azure Resource Manager
  • Administrator KeyVault
  • KeyVault
  • Admin extension host
  • ACS (including blob, table, and queue storage)
  • AD FS *
  • Graph *

* Only applicable if the environment's identity provider is Active Directory Federation Services (AD FS).

Note

All other secure keys and strings, including BMC and switch passwords and user and administrator account passwords, are still updated manually by the administrator.

Important

Starting with the Azure Stack 1811 release, secret rotation is performed separately for internal and external certificates.

To maintain the integrity of the Azure Stack infrastructure, operators need the ability to periodically rotate their infrastructure's secrets at a frequency consistent with their organization's security requirements.

Rotating secrets with external certificates from a new certificate authority

Azure Stack supports secret rotation with external certificates from a new certificate authority (CA) in the following contexts:

Installed certificate CA   CA to rotate to   Supported       Azure Stack versions supported
Self-signed                Enterprise        Supported       1903 and later
Self-signed                Self-signed       Not supported   -
Self-signed                Public*           Supported       1803 and later
Enterprise                 Enterprise        Supported       1803 and later (from 1803 through 1903, only when the same enterprise CA used at deployment is used again)
Enterprise                 Self-signed       Not supported   -
Enterprise                 Public*           Supported       1803 and later
Public*                    Enterprise        Supported       1903 and later
Public*                    Self-signed       Not supported   -
Public*                    Public*           Supported       1803 and later

* Public certificate authorities are those that are part of the Windows Trusted Root Program. You can find the full list in the article Microsoft Trusted Root Certificate Program: Participants (as of June 27, 2017).

Alert remediation

When secrets are within 30 days of expiration, the following alerts are generated in the administrator portal:

  • Pending service account password expiration
  • Pending internal certificate expiration
  • Pending external certificate expiration

Running secret rotation by using the instructions below remediates these alerts.

Note

Azure Stack environments on versions earlier than 1811 may show alerts for pending internal certificate or secret expiration. These alerts are inaccurate and should be ignored; do not run internal secret rotation in response to them. The inaccurate internal secret expiration alerts are a known issue that is resolved in 1811. Internal secrets do not expire unless the environment has been active for two years.

Pre-steps for secret rotation

Important

If secret rotation has already been performed on your Azure Stack environment, you must update the system to version 1811 or later before you execute secret rotation again. Secret rotation must be executed via the privileged endpoint and requires Azure Stack operator credentials. If your environment's Azure Stack operators do not know whether secret rotation has been run on the environment, update to 1811 before executing secret rotation again.

  1. It is highly recommended that you update your Azure Stack instance to version 1811.

    Note

    For versions earlier than 1811, you do not need to rotate secrets to add extension host certificates. Follow the instructions in the article Prepare for extension host for Azure Stack to add extension host certificates.

  2. Operators may notice alerts open and automatically close during rotation of Azure Stack secrets. This behavior is expected and the alerts can be ignored. Operators can verify the validity of these alerts by running Test-AzureStack. For operators using System Center Operations Manager to monitor Azure Stack systems, placing a system in maintenance mode prevents these alerts from reaching their ITSM systems, but alerting continues if the Azure Stack system becomes unreachable.

  3. Notify your users of any maintenance operations. Schedule normal maintenance windows, as much as possible, during non-business hours. Maintenance operations may affect both user workloads and portal operations.

    Note

    The next steps apply only when rotating Azure Stack external secrets.

  4. Run Test-AzureStack and confirm all test outputs are healthy before rotating secrets.

  5. Prepare a new set of replacement external certificates. The new set must match the certificate specifications outlined in the Azure Stack PKI certificate requirements. You can generate a certificate signing request (CSR) for purchasing or creating new certificates using the steps outlined in Generate PKI certificates, and prepare them for use in your Azure Stack environment using the steps in Prepare Azure Stack PKI certificates. Be sure to validate the certificates you prepare with the steps outlined in Validate PKI certificates.

  6. Store a backup of the certificates used for rotation in a secure backup location. If your rotation runs and then fails, replace the certificates in the file share with the backup copies before you rerun the rotation. Keep the backup copies in the secure backup location.

  7. Create a file share you can access from the ERCS VMs. The file share must be readable and writable by the CloudAdmin identity.

  8. Open a PowerShell ISE console on a computer that has access to the file share. Navigate to the file share.

  9. Run CertDirectoryMaker.ps1 to create the required directories for your external certificates.

Important

The CertDirectoryMaker script creates a folder structure of the form:

.\Certificates\AAD or .\Certificates\ADFS, depending on the identity provider used for Azure Stack

It is essential that your folder structure ends with the AAD or ADFS folder and that all subdirectories are within this structure; otherwise, Start-SecretRotation fails with:

Cannot bind argument to parameter 'Path' because it is null.
+ CategoryInfo          : InvalidData: (:) [Test-Certificate], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Test-Certificate
+ PSComputerName        : xxx.xxx.xxx.xxx

The error message suggests a problem accessing your file share, but in reality it is the folder structure that is being enforced here. More information can be found in the AzureStack Readiness Checker - PublicCertHelper module.

It is also important that your file share folder structure begins with the Certificates folder; otherwise validation fails as well. The file share mount point should look like \\<IPAddress>\<ShareName>\ and should contain the folder Certificates\AAD or Certificates\ADFS.

For example:

  • Fileshare = \\<IPAddress>\<ShareName>\
  • CertFolder = Certificates\AAD
  • FullPath = \\<IPAddress>\<ShareName>\Certificates\AAD
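The layout rule above fails late and with a misleading message, so it is worth checking the share before you touch the privileged endpoint. The following script is an added pre-flight check, not part of the article or of the Azure Stack tooling: it verifies that the share ends in Certificates\AAD or Certificates\ADFS, that every endpoint folder holds exactly one .pfx, that each .pfx opens with the password you will pass as -CertificatePassword and contains a private key, and that no replacement certificate is already inside the 30-day alert window. It assumes the share is reachable from the machine you run it on, and that the endpoint folder names match the tree shown later in this article (the ADFS and Graph folder names for AD FS environments are an assumption).

```powershell
# Pre-flight check for the certificate share before running Start-SecretRotation.
# Added example; not part of the article or of the Azure Stack tooling.
# Assumptions: the share is reachable from this machine, the identity provider folder is
# AAD or ADFS, and the per-endpoint folder names match the tree shown in the article
# (the "ADFS" and "Graph" folder names for AD FS environments are assumed).

$SharePath        = "\\<IPAddress>\<ShareName>"   # placeholder: share root, not the Certificates folder
$IdentityProvider = "AAD"                          # "AAD" or "ADFS"
$PfxPassword      = Read-Host -Prompt "Password used for all .pfx files" -AsSecureString
$MinDaysValid     = 30                             # same window as the portal's expiration alerts

$ExpectedFolders = @(
    "ACSBlob", "ACSQueue", "ACSTable",
    "Admin Extension Host", "Admin Portal",
    "ARM Admin", "ARM Public",
    "KeyVault", "KeyVaultInternal",
    "Public Extension Host", "Public Portal"
)
if ($IdentityProvider -eq "ADFS") { $ExpectedFolders += "ADFS", "Graph" }   # assumed folder names

function Test-CertShareLayout {
    param(
        [string]$Root,
        [string]$Idp,
        [string[]]$Folders,
        [securestring]$Password,
        [int]$MinDays
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Start-SecretRotation insists on <share>\Certificates\<AAD|ADFS>\...; any other layout
    # surfaces as the misleading "Cannot bind argument to parameter 'Path'" error quoted above.
    $idpRoot = Join-Path (Join-Path $Root "Certificates") $Idp
    if (-not (Test-Path -LiteralPath $idpRoot -PathType Container)) {
        $problems.Add("Missing folder: $idpRoot (structure must be Certificates\$Idp)")
        return $problems.ToArray()
    }

    foreach ($folder in $Folders) {
        $dir = Join-Path $idpRoot $folder
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $problems.Add("Missing endpoint folder: $dir")
            continue
        }
        $pfx = @(Get-ChildItem -LiteralPath $dir -Filter *.pfx -File)
        if ($pfx.Count -ne 1) {
            $problems.Add("$folder : expected exactly one .pfx file, found $($pfx.Count)")
            continue
        }
        try {
            # Opening the file with the password proves both that the password is the one
            # you will pass as -CertificatePassword and that the PFX is not corrupt.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $pfx[0].FullName, $Password)
        } catch {
            $problems.Add("$folder : cannot open $($pfx[0].Name): $($_.Exception.Message)")
            continue
        }
        if (-not $cert.HasPrivateKey) {
            $problems.Add("$folder : $($pfx[0].Name) does not contain a private key")
        }
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $MinDays) {
            # A replacement that is itself about to expire would re-trigger the 30-day alert.
            $problems.Add("$folder : $($cert.Subject) expires in $daysLeft days ($($cert.NotAfter))")
        }
    }
    return $problems.ToArray()
}

$issues = @(Test-CertShareLayout -Root $SharePath -Idp $IdentityProvider `
            -Folders $ExpectedFolders -Password $PfxPassword -MinDays $MinDaysValid)
if ($issues.Count -eq 0) {
    "Share layout and .pfx files look correct; safe to run Start-SecretRotation."
} else {
    $issues | ForEach-Object { "PROBLEM: $_" }
}
```

Run it from the same machine and with the same account you will use for -PathAccessCredential, so that a permissions problem on the share also shows up here rather than inside the rotation.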

Rotating external secrets

To rotate external secrets:

  1. Within the \Certificates\<IdentityProvider> directory created in the pre-steps, place the new set of replacement external certificates in the directory structure according to the format outlined in the Mandatory certificates section of the Azure Stack PKI certificate requirements.

    Example of the folder structure for the AAD identity provider:

        <ShareName>
        └───Certificates
            └───AAD
                ├───ACSBlob
                │       <CertName>.pfx
                │
                ├───ACSQueue
                │       <CertName>.pfx
                │
                ├───ACSTable
                │       <CertName>.pfx
                │
                ├───Admin Extension Host
                │       <CertName>.pfx
                │
                ├───Admin Portal
                │       <CertName>.pfx
                │
                ├───ARM Admin
                │       <CertName>.pfx
                │
                ├───ARM Public
                │       <CertName>.pfx
                │
                ├───KeyVault
                │       <CertName>.pfx
                │
                ├───KeyVaultInternal
                │       <CertName>.pfx
                │
                ├───Public Extension Host
                │       <CertName>.pfx
                │
                └───Public Portal
                        <CertName>.pfx
    
    
  2. Create a PowerShell session with the privileged endpoint using the CloudAdmin account and store the session in a variable. You will use this variable as a parameter in the next step.

    Important

    Do not enter the session; store the session in a variable.

  3. Run Invoke-Command. Pass your privileged endpoint PowerShell session variable as the Session parameter.

  4. Run Start-SecretRotation with the following parameters:

    • PfxFilesPath
      Specify the network path to the Certificates directory created earlier.
    • PathAccessCredential
      A PSCredential object for the credentials used to access the share.
    • CertificatePassword
      A secure string containing the password used for all of the .pfx certificate files created.
  5. Wait while your secrets rotate. External secret rotation usually takes approximately one hour.

    When secret rotation completes successfully, your console displays Overall action status: Success.

    Note

    If secret rotation fails, follow the instructions in the error message and rerun Start-SecretRotation with the -ReRun parameter.

    Start-SecretRotation -ReRun
    

    Contact support if you experience repeated secret rotation failures.

  6. After secret rotation completes successfully, remove your certificates from the share created in the pre-steps and store them in their secure backup location.

Walkthrough of secret rotation

The following PowerShell example demonstrates the cmdlets and parameters to run in order to rotate your secrets.

# Create a PEP Session
winrm s winrm/config/client '@{TrustedHosts= "<IpOfERCSMachine>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IpOfERCSMachine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Run Secret Rotation
$CertPassword = ConvertTo-SecureString "<CertPasswordHere>" -AsPlainText -Force
$CertShareCreds = Get-Credential
$CertSharePath = "<NetworkPathOfCertShare>"
Invoke-Command -Session $PEPSession -ScriptBlock {
    Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
}
Remove-PSSession -Session $PEPSession
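Overall action status: Success tells you the rotation job finished; it does not show you what the endpoints are now serving. The script below is an added verification step, not part of the article or of the Azure Stack tooling: it opens a TLS connection to each external endpoint, reads the certificate actually presented, compares its thumbprint with the .pfx you rotated in, and reports how many days remain before it would trigger the 30-day expiration alert described earlier. It assumes the endpoint host names follow the usual Azure Stack pattern <service>.<region>.<fqdn> (fill in $Region and $Fqdn); that the wildcard endpoints (*.vault, *.adminvault, *.hosting, *.adminhosting, *.blob, *.queue, *.table) resolve through wildcard DNS, so an arbitrary leaf name is probed for each; and that $PfxRoot points at the secure backup copy of the .pfx files, because step 6 removes them from the share.

```powershell
# Post-rotation check: confirm each external endpoint now serves the certificate you
# rotated in, and how long that certificate has left.
# Added example; not part of the article or of the Azure Stack tooling.
# Assumptions: host names follow <service>.<region>.<fqdn>; wildcard endpoints resolve
# through wildcard DNS (a "probe" leaf name is used); $PfxRoot is the secure backup copy.

$Region      = "<region>"
$Fqdn        = "<fqdn>"
$PfxRoot     = "<SecureBackupLocation>\Certificates\AAD"
$PfxPassword = Read-Host -Prompt "Password used for all .pfx files" -AsSecureString

# PFX folder name -> host name to probe (assumed naming, see above).
$Endpoints = [ordered]@{
    "Admin Portal"          = "adminportal.$Region.$Fqdn"
    "Public Portal"         = "portal.$Region.$Fqdn"
    "ARM Admin"             = "adminmanagement.$Region.$Fqdn"
    "ARM Public"            = "management.$Region.$Fqdn"
    "KeyVaultInternal"      = "probe.adminvault.$Region.$Fqdn"
    "KeyVault"              = "probe.vault.$Region.$Fqdn"
    "Admin Extension Host"  = "probe.adminhosting.$Region.$Fqdn"
    "Public Extension Host" = "probe.hosting.$Region.$Fqdn"
    "ACSBlob"               = "probe.blob.$Region.$Fqdn"
    "ACSQueue"              = "probe.queue.$Region.$Fqdn"
    "ACSTable"              = "probe.table.$Region.$Fqdn"
}

function Get-ServedCertificate {
    # Open a TLS connection with SNI set to $HostName and return the leaf certificate the
    # endpoint presents. Chain validation is deliberately disabled: we want the served
    # certificate itself, not a trust verdict from this client machine.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-RotatedEndpoints {
    param([System.Collections.IDictionary]$Map, [string]$Root, [securestring]$Password)
    foreach ($folder in $Map.Keys) {
        $hostName = $Map[$folder]
        # The certificate that should now be live is the one rotated in from this folder.
        $pfxFile  = Get-ChildItem -LiteralPath (Join-Path $Root $folder) -Filter *.pfx | Select-Object -First 1
        $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxFile.FullName, $Password)
        try {
            $served = Get-ServedCertificate -HostName $hostName
        } catch {
            [pscustomobject]@{ Endpoint = $folder; Host = $hostName; Status = "UNREACHABLE"; Detail = $_.Exception.Message }
            continue
        }
        if ($served.Thumbprint -eq $expected.Thumbprint) { $status = "ROTATED" }
        else                                              { $status = "OLD CERTIFICATE STILL SERVED" }
        $daysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Endpoint = $folder
            Host     = $hostName
            Status   = $status
            Detail   = "served $($served.Thumbprint), expires in $daysLeft days"
        }
    }
}

Test-RotatedEndpoints -Map $Endpoints -Root $PfxRoot -Password $PfxPassword | Format-Table -AutoSize
```

An OLD CERTIFICATE STILL SERVED row for a single endpoint after a successful run is the case to raise with support; an UNREACHABLE row usually means the probe name does not resolve from where you ran the script, not that rotation failed.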

Rotating only internal secrets

Note

Internal secret rotation should be performed only if you suspect an internal secret has been compromised by a malicious entity, or if you have received an alert (on build 1811 or later) indicating that internal certificates are nearing expiration. Azure Stack environments on versions earlier than 1811 may show alerts for pending internal certificate or secret expiration. These alerts are inaccurate and should be ignored without running internal secret rotation. The inaccurate internal secret expiration alerts are a known issue that is resolved in 1811; internal secrets do not expire unless the environment has been active for two years.

  1. Create a PowerShell session with the privileged endpoint.

  2. In the privileged endpoint session, run Start-SecretRotation -Internal.

    Note

    Azure Stack environments on versions earlier than 1811 do not require the -Internal flag; there, Start-SecretRotation run without the certificate parameters rotates only internal secrets.

  3. Wait while your secrets rotate.

When secret rotation completes successfully, your console displays Overall action status: Success.

Note

If secret rotation fails, follow the instructions in the error message and rerun Start-SecretRotation with the -Internal and -ReRun parameters.

Start-SecretRotation -Internal -ReRun

Contact support if you experience repeated secret rotation failures.

Start-SecretRotation reference

Rotates the secrets of an Azure Stack system. Executed only against the Azure Stack privileged endpoint.

Syntax

For external secret rotation

Start-SecretRotation [-PfxFilesPath <string>] [-PathAccessCredential <PSCredential>] [-CertificatePassword <SecureString>]  

For internal secret rotation

Start-SecretRotation [-Internal]  

For external secret rotation rerun

Start-SecretRotation [-ReRun]

For internal secret rotation rerun

Start-SecretRotation [-ReRun] [-Internal]

Description

The Start-SecretRotation cmdlet rotates the infrastructure secrets of an Azure Stack system. By default it rotates only the certificates of all external network infrastructure endpoints. If used with the -Internal flag, internal infrastructure secrets are rotated. When rotating external network infrastructure endpoints, Start-SecretRotation should be run in an Invoke-Command script block with the Azure Stack environment's privileged endpoint session passed in as the Session parameter.

Parameters

Parameter              Type             Required   Position   Default   Description
PfxFilesPath           String           False      Named      None      The file share path to the \Certificates directory containing all external network endpoint certificates. Required only when rotating external secrets. The end directory must be \Certificates.
CertificatePassword    SecureString     False      Named      None      The password for all certificates provided in -PfxFilesPath. Required if PfxFilesPath is provided when external secrets are rotated.
Internal               SwitchParameter  False      Named      None      Must be used whenever an Azure Stack operator wants to rotate internal infrastructure secrets (a switch, as the syntax above shows; it takes no value).
PathAccessCredential   PSCredential     False      Named      None      The PowerShell credential for the file share of the \Certificates directory containing all external network endpoint certificates. Required only when rotating external secrets.
ReRun                  SwitchParameter  False      Named      None      Must be used whenever secret rotation is reattempted after a failed attempt.

Examples

Rotate only internal infrastructure secrets

This must be run via your Azure Stack environment's privileged endpoint.

PS C:\> Start-SecretRotation -Internal

This command rotates all of the infrastructure secrets exposed to the Azure Stack internal network.

Rotate only external infrastructure secrets

# Create a PEP Session
winrm s winrm/config/client '@{TrustedHosts= "<IpOfERCSMachine>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IpOfERCSMachine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Create Credentials for the fileshare
$CertPassword = ConvertTo-SecureString "<CertPasswordHere>" -AsPlainText -Force
$CertShareCreds = Get-Credential
$CertSharePath = "<NetworkPathOfCertShare>"
# Run Secret Rotation
Invoke-Command -Session $PEPSession -ScriptBlock {  
    Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
}
Remove-PSSession -Session $PEPSession

This command rotates the TLS certificates used for Azure Stack's external network infrastructure endpoints.

Rotate internal and external infrastructure secrets (pre-1811 only)

Important

This command applies only to Azure Stack versions earlier than 1811, because rotation has since been split between internal and external certificates.

Starting with 1811, internal and external certificates can no longer be rotated in a single run.

# Create a PEP Session
winrm s winrm/config/client '@{TrustedHosts= "<IpOfERCSMachine>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IpOfERCSMachine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Create Credentials for the fileshare
$CertPassword = ConvertTo-SecureString "<CertPasswordHere>" -AsPlainText -Force
$CertShareCreds = Get-Credential
$CertSharePath = "<NetworkPathOfCertShare>"
# Run Secret Rotation
Invoke-Command -Session $PEPSession -ScriptBlock {
    Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
}
Remove-PSSession -Session $PEPSession

This command rotates all of the infrastructure secrets exposed to the Azure Stack internal network, as well as the TLS certificates used for Azure Stack's external network infrastructure endpoints. Start-SecretRotation rotates all stack-generated secrets, and because certificates are provided, the external endpoint certificates are rotated as well.

Update the baseboard management controller (BMC) credential

The baseboard management controller (BMC) monitors the physical state of your servers. The specifications and instructions for updating the BMC user account name and password vary by original equipment manufacturer (OEM) hardware vendor. You should update the passwords for Azure Stack components on a regular basis.

  1. Update the BMC on the Azure Stack physical servers by following your OEM instructions. The user name and password must be the same for every BMC in your environment. BMC user names can't exceed 16 characters.

    Note

    Update the BMC credentials on the baseboard management controller of the physical servers first; otherwise the Azure Stack command fails during validation.

  2. Open a privileged endpoint session in Azure Stack. For instructions, see Using the privileged endpoint in Azure Stack.

  3. After your PowerShell prompt has changed to [IP address or ERCS VM name]: PS> or [azs-ercs01]: PS>, depending on the environment, run Set-BmcCredential by running Invoke-Command. Pass your privileged endpoint session variable as a parameter. For example:

    # Interactive Version
    $PEPIp = "<Privileged Endpoint IP or Name>" # You can also use the machine name instead of IP here.
    $PEPCreds = Get-Credential "<Domain>\CloudAdmin" -Message "PEP Credentials"
    $NewBmcPwd = Read-Host -Prompt "Enter New BMC password" -AsSecureString
    $NewBmcUser = Read-Host -Prompt "Enter New BMC user name"
    
    $PEPSession = New-PSSession -ComputerName $PEPIp -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    Invoke-Command -Session $PEPSession -ScriptBlock {
        # Parameter BmcPassword is mandatory, while the BmcUser parameter is optional.
        Set-BmcCredential -BmcPassword $using:NewBmcPwd -BmcUser $using:NewBmcUser
    }
    Remove-PSSession -Session $PEPSession
    

    You can also use the static version, with the passwords embedded in the script. Note that this places the privileged endpoint and BMC passwords in plaintext in the script file and in your PowerShell history; treat that file as a secret and delete it once the credential has been updated.

    # Static Version
    $PEPIp = "<Privileged Endpoint IP or Name>" # You can also use the machine name instead of IP here.
    $PEPUser = "<Privileged Endpoint user for example Domain\CloudAdmin>"
    $PEPPwd = ConvertTo-SecureString "<Privileged Endpoint Password>" -AsPlainText -Force
    $PEPCreds = New-Object System.Management.Automation.PSCredential ($PEPUser, $PEPPwd)
    $NewBmcPwd = ConvertTo-SecureString "<New BMC Password>" -AsPlainText -Force
    $NewBmcUser = "<New BMC User name>"
    
    $PEPSession = New-PSSession -ComputerName $PEPIp -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    Invoke-Command -Session $PEPSession -ScriptBlock {
        # Parameter BmcPassword is mandatory, while the BmcUser parameter is optional.
        Set-BmcCredential -BmcPassword $using:NewBmcPwd -BmcUser $using:NewBmcUser
    }
    Remove-PSSession -Session $PEPSession
    

Next steps

Learn more about Azure Stack security