Certificates and security on Linux clusters

This article describes where Service Fabric expects X.509 certificates on Linux cluster nodes, the file formats it accepts, and how application manifests and configuration packages reference those certificates.

Location and format of X.509 certificates on Linux nodes

Service Fabric generally expects X.509 certificates to be present in the /var/lib/sfcerts directory on Linux cluster nodes. This applies to cluster certificates, client certificates, and so on. In some cases you can specify a location other than /var/lib/sfcerts. For example, for Reliable Services built with the Service Fabric Java SDK, you can specify a different location for some application-specific certificates through the configuration package (Settings.xml). To learn more, see Certificates referenced in the configuration package (Settings.xml).

For Linux clusters, Service Fabric expects a certificate to be present either as a single .pem file that contains both the certificate and its private key, or as a .crt file that contains the certificate together with a .key file that contains the private key. All files must be in PEM format.

If you install your certificate from Azure Key Vault by using either a Resource Manager template or PowerShell commands, the certificate is installed in the correct format in the /var/lib/sfcerts directory on each node. If you install a certificate by another method, you must make sure that it is correctly installed on every cluster node.

Certificates referenced in the application manifest

Certificates specified in the application manifest, for example through the SecretsCertificate or EndpointCertificate elements, must be present in the /var/lib/sfcerts directory. The elements that specify certificates in the application manifest do not take a path attribute, so the certificates must be in the default directory. These elements do take an optional X509StoreName attribute. Its default value is "My", which on Linux nodes maps to the /var/lib/sfcerts directory. Any other value is undefined on a Linux cluster, so we recommend omitting the X509StoreName attribute for apps that run on Linux clusters.

Certificates referenced in the configuration package (Settings.xml)

For some services, you can configure X.509 certificates in the ConfigPackage (by default, Settings.xml). This is the case, for example, when you declare the certificates used to secure RPC channels for Reliable Services built with the Service Fabric .NET Core or Java SDKs. There are two ways to reference a certificate in the configuration package, and support differs between the .NET Core and Java SDKs.

Using the X509 SecurityCredentialsType

With the .NET or Java SDK, you can specify X509 for SecurityCredentialsType. This corresponds to the X509Credentials (.NET/Java) type of SecurityCredentials (.NET/Java).

An X509 reference locates the certificate in a certificate store. The following XML shows the parameters that specify the store:

<Parameter Name="SecurityCredentialsType" Value="X509" />
<Parameter Name="CertificateStoreLocation" Value="LocalMachine" />
<Parameter Name="CertificateStoreName" Value="My" />

For a service running on Linux, LocalMachine/My points to the default certificate location, the /var/lib/sfcerts directory. On Linux, every other combination of CertificateStoreLocation and CertificateStoreName is undefined.

Always specify LocalMachine for the CertificateStoreLocation parameter. You do not need to specify the CertificateStoreName parameter, because it defaults to "My". With an X509 reference, the certificate files must be located in the /var/lib/sfcerts directory on the cluster node.

The following XML shows a TransportSettings section that uses this style:

<Section Name="HelloWorldStatefulTransportSettings">
    <Parameter Name="MaxMessageSize" Value="10000000" />
    <Parameter Name="SecurityCredentialsType" Value="X509" />
    <Parameter Name="CertificateFindType" Value="FindByThumbprint" />
    <Parameter Name="CertificateFindValue" Value="4FEF3950642138446CC364A396E1E881DB76B48C" />
    <Parameter Name="CertificateRemoteThumbprints" Value="9FEF3950642138446CC364A396E1E881DB76B483" />
    <Parameter Name="CertificateStoreLocation" Value="LocalMachine" />
    <Parameter Name="CertificateProtectionLevel" Value="EncryptAndSign" />
    <Parameter Name="CertificateRemoteCommonNames" Value="ServiceFabric-Test-Cert" />
</Section>

Using the X509_2 SecurityCredentialsType

With the Java SDK, you can specify X509_2 for SecurityCredentialsType. This corresponds to the X509Credentials2 (Java) type of SecurityCredentials (Java).

With an X509_2 reference, you specify a CertificatePath parameter, so the certificate can be located in a directory other than /var/lib/sfcerts. The following XML shows the parameters that specify the certificate's location:

<Parameter Name="SecurityCredentialsType" Value="X509_2" />
<Parameter Name="CertificatePath" Value="/path/to/cert/BD1C71E248B8C6834C151174DECDBDC02DE1D954.crt" />

The following XML shows a TransportSettings section that uses this style:

<!--Section name should always end with "TransportSettings".-->
<!--Here we are using a prefix "HelloWorldStateless".-->
<Section Name="HelloWorldStatelessTransportSettings">
    <Parameter Name="MaxMessageSize" Value="10000000" />
    <Parameter Name="SecurityCredentialsType" Value="X509_2" />
    <Parameter Name="CertificatePath" Value="/path/to/cert/BD1C71E248B8C6834C151174DECDBDC02DE1D954.crt" />
    <Parameter Name="CertificateProtectionLevel" Value="EncryptandSign" />
    <Parameter Name="CertificateRemoteThumbprints" Value="BD1C71E248B8C6834C151174DECDBDC02DE1D954" />
</Section>

Note

In the preceding XML, the certificate is specified as a .crt file. This implies that a .key file containing the private key is also present in the same location.

Configure a Reliable Services app to run on Linux clusters

The Service Fabric SDKs let your code communicate with the Service Fabric runtime APIs to use the platform. When you run an application that uses this functionality on a secure Linux cluster, you must configure the application with a certificate it can use to authenticate to the Service Fabric runtime. Applications that contain Reliable Services written with the .NET Core or Java SDKs require this configuration.

To configure the application, add a SecretsCertificate element under the Certificates tag, which sits under the ApplicationManifest tag in the ApplicationManifest.xml file. The following XML shows a certificate referenced by its thumbprint (the value shown is a placeholder, not a real thumbprint):

<Certificates>
   <SecretsCertificate X509FindType="FindByThumbprint" X509FindValue="0A00AA0AAAA0AAA00A000000A0AA00A0AAAA00" />
</Certificates>   

You can reference either the cluster certificate or a certificate that you install on each cluster node. On Linux, the certificate files must be present in the /var/lib/sfcerts directory. To learn more, see Location and format of X.509 certificates on Linux nodes.
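The checks a node operator would run to confirm that the rules in this article hold, written here as an added example; this is not Service Fabric code and not part of the original article. It inventories a directory standing in for /var/lib/sfcerts (the .pem-with-key and .crt-plus-.key layouts from "Location and format of X.509 certificates on Linux nodes"), computes each certificate's thumbprint in the form Service Fabric uses in CertificateFindValue and X509FindValue (SHA-1 over the DER encoding, upper-case hex, no colons), and validates the X509 and X509_2 TransportSettings sections described above against that inventory: X509 must use LocalMachine/My and resolve to a certificate that has a private key, X509_2 must point at an existing file with a .key beside any .crt. The same thumbprint lookup applies to a SecretsCertificate X509FindValue in the application manifest. Assumptions that are mine, not the article's: a .crt's key lives in a sibling file with the same base name and a .key extension (as in the X509_2 example), the section names and the placeholder PEM bodies in demo() are constructed and are not real certificates.

```python
"""Added example, not Service Fabric's own code: verify that the certificate files a Linux node
holds in /var/lib/sfcerts match the X509 / X509_2 references in a Settings.xml."""
import base64
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in a file's text."""
    return [(label, base64.b64decode("".join(body.split()))) for label, body in PEM_BLOCK.findall(text)]


def thumbprint(der):
    """Thumbprint as Service Fabric writes it: SHA-1 over the DER certificate, upper-case hex, no colons."""
    return hashlib.sha1(der).hexdigest().upper()


def inventory(cert_dir):
    """Map thumbprint -> {'cert': path, 'key': path or None}. Accepts the two layouts the article
    allows: a .pem holding certificate and private key, or a .crt with a sibling .key (assumed
    here to share the base name, as in the article's X509_2 example)."""
    found = {}
    for path in sorted(Path(cert_dir).iterdir()):
        if path.suffix not in (".pem", ".crt"):
            continue
        blocks = pem_blocks(path.read_text())
        key = path if any(label.endswith("PRIVATE KEY") for label, _ in blocks) else None
        if key is None and path.suffix == ".crt" and path.with_suffix(".key").is_file():
            key = path.with_suffix(".key")
        for label, der in blocks:
            if label == "CERTIFICATE":
                found[thumbprint(der)] = {"cert": str(path), "key": str(key) if key else None}
    return found


def check_settings(settings_xml, certs, cert_dir):
    """Return a list of problems found in every *TransportSettings section of a Settings.xml string."""
    problems = []
    for section in ET.fromstring(settings_xml).iter():
        name = section.get("Name", "")
        if section.tag.rsplit("}", 1)[-1] != "Section" or not name.endswith("TransportSettings"):
            continue
        p = {e.get("Name"): e.get("Value") for e in section if e.tag.rsplit("}", 1)[-1] == "Parameter"}
        kind = p.get("SecurityCredentialsType")
        if kind == "X509":
            # On Linux only LocalMachine/My is defined, and it means /var/lib/sfcerts.
            if p.get("CertificateStoreLocation") != "LocalMachine":
                problems.append(f"{name}: CertificateStoreLocation must be LocalMachine")
            if p.get("CertificateStoreName", "My") != "My":
                problems.append(f"{name}: CertificateStoreName other than My is undefined on Linux")
            tp = p.get("CertificateFindValue", "").upper()
            if p.get("CertificateFindType") == "FindByThumbprint":
                if tp not in certs:
                    problems.append(f"{name}: thumbprint {tp} not present in {cert_dir}")
                elif certs[tp]["key"] is None:
                    problems.append(f"{name}: no private key found for {tp}")
        elif kind == "X509_2":
            # X509_2 (Java SDK) names the file directly; a .crt implies a .key beside it.
            path = Path(p.get("CertificatePath", ""))
            if not path.is_file():
                problems.append(f"{name}: CertificatePath {path} does not exist")
            elif path.suffix == ".crt" and not path.with_suffix(".key").is_file():
                problems.append(f"{name}: {path} has no sibling .key file")
    return problems


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


def demo():
    """Run the checks against a constructed directory. The PEM bodies are placeholder bytes,
    not real certificates; only file layout and thumbprint handling are exercised."""
    d = Path(tempfile.mkdtemp())
    paired = b"constructed placeholder: certificate that has a private key"
    orphan = b"constructed placeholder: certificate without a private key"
    (d / "cluster.pem").write_text(_pem("CERTIFICATE", paired) + _pem("PRIVATE KEY", b"placeholder key"))
    (d / "orphan.crt").write_text(_pem("CERTIFICATE", orphan))
    settings = f"""<Settings xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Section Name="GoodTransportSettings">
    <Parameter Name="SecurityCredentialsType" Value="X509" />
    <Parameter Name="CertificateFindType" Value="FindByThumbprint" />
    <Parameter Name="CertificateFindValue" Value="{thumbprint(paired)}" />
    <Parameter Name="CertificateStoreLocation" Value="LocalMachine" />
  </Section>
  <Section Name="BadTransportSettings">
    <Parameter Name="SecurityCredentialsType" Value="X509" />
    <Parameter Name="CertificateFindType" Value="FindByThumbprint" />
    <Parameter Name="CertificateFindValue" Value="{thumbprint(orphan).lower()}" />
    <Parameter Name="CertificateStoreLocation" Value="CurrentUser" />
  </Section>
  <Section Name="JavaTransportSettings">
    <Parameter Name="SecurityCredentialsType" Value="X509_2" />
    <Parameter Name="CertificatePath" Value="{d / 'orphan.crt'}" />
  </Section>
</Settings>"""
    certs = inventory(d)
    return certs, check_settings(settings, certs, d)
```

On a real node, pass /var/lib/sfcerts to inventory() and the Settings.xml from the deployed config package to check_settings(). The checks cover presence and pairing only: whether a .key actually belongs to its .crt is a separate check (for example, comparing the public keys that `openssl x509 -pubkey -noout` and `openssl pkey -pubout` print), and the thumbprint of a real certificate is the value `openssl x509 -noout -fingerprint -sha1` prints with the colons removed.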