Connect to a secure cluster

When a client connects to a Service Fabric cluster node, the client can be authenticated and secure communication established using certificate security or Azure Active Directory (AAD). This authentication ensures that only authorized users can access the cluster and deployed applications and perform management tasks. Certificate or AAD security must have been enabled on the cluster when the cluster was created. For more information on cluster security scenarios, see Cluster security. If you are connecting to a cluster secured with certificates, set up the client certificate on the computer that connects to the cluster.

Connect to a secure cluster using Azure Service Fabric CLI (sfctl)

There are a few different ways to connect to a secure cluster using the Service Fabric CLI (sfctl). When using a client certificate for authentication, the certificate details must match a certificate deployed to the cluster nodes. If your certificate was issued by a certificate authority (CA), you also need to specify the trusted CAs.

You can connect to a cluster using the sfctl cluster select command.

Client certificates can be specified in two different ways: as a certificate and key pair, or as a single PEM file that holds both. For password-protected PEM files, you are prompted for the password automatically. If you obtained the client certificate as a PFX file, first convert the PFX file to a PEM file using the following command.

openssl pkcs12 -in your-cert-file.pfx -out your-cert-file.pem -nodes -passin pass:your-pfx-password

If your .pfx file is not password protected, use -passin pass: (with nothing after the colon) as the last parameter. Note that -nodes writes the private key to the PEM file unencrypted, and a password given as -passin pass:... is visible to other users of the machine in the process list. Restrict the output file's permissions (for example with chmod 600) and consider -passin env:VARIABLE or -passin file:PATH instead of putting the password on the command line.

To specify the client certificate as a PEM file, specify the file path in the --pem argument. For example:

sfctl cluster select --endpoint https://testsecurecluster.com:19080 --pem ./client.pem

Password-protected PEM files prompt for the password before any command runs.

To specify a certificate and key pair, use the --cert and --key arguments to give the path to each file:

sfctl cluster select --endpoint https://testsecurecluster.com:19080 --cert ./client.crt --key ./keyfile.key

Sometimes the certificates used to secure test or dev clusters fail certificate validation, for example because the cluster certificate is self-signed. To bypass verification of the cluster's certificate, specify the --no-verify option.

Warning

Do not use the --no-verify option when connecting to production Service Fabric clusters. With verification disabled, sfctl does not authenticate the cluster, so anyone who can intercept the connection can impersonate the cluster and read or alter the management traffic. For a self-signed or privately issued cluster certificate, pass the issuing certificate with --ca instead.

For example:

sfctl cluster select --endpoint https://testsecurecluster.com:19080 --pem ./client.pem --no-verify

In addition, you can specify paths to directories of trusted CA certificates, or to individual certificates, with the --ca argument. sfctl uses them to validate the certificate the cluster presents, which is the right way to connect to a cluster whose certificate was issued by a private CA. For example:

sfctl cluster select --endpoint https://testsecurecluster.com:19080 --pem ./client.pem --ca ./trusted_ca

After you connect, you should be able to run other sfctl commands to interact with the cluster.
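As an added example (not code from the original page or from the Service Fabric project), the following POSIX shell script walks through the sfctl certificate preparation described above: it converts a PFX to the PEM that --pem expects without leaving the password in the process list or the private key world-readable, computes the SHA-1 thumbprint in the form Service Fabric displays it, and checks that the certificate chains to the CA bundle that will be passed to --ca and is not about to expire. It assumes openssl 1.1.1 or later is installed; the file names, the password dev-secret, the throwaway dev CA it generates as constructed sample input, and the optional SF_ENDPOINT variable are all made up for the example.

```shell
#!/bin/sh
# Added example for this page, not code from the original page or from the
# Service Fabric project. Assumes openssl 1.1.1 or later on PATH; every file
# name, the password "dev-secret" and the throwaway CA are made up.
set -eu

# Convert a PFX to the cert+key PEM that sfctl --pem expects, as the page does,
# but (1) hand the PFX password to openssl through the environment instead of
# argv, where other users could read it with ps, and (2) create the output
# owner-only, because -nodes writes the private key in clear text.
pfx_to_pem() {
    ( umask 077 && PFX_PASS="${3-}" openssl pkcs12 -in "$1" -out "$2" -nodes -passin env:PFX_PASS )
}

# SHA-1 thumbprint as Service Fabric, PowerShell and the portal display it:
# uppercase hex, no colons. Works on a .crt or on the combined PEM above
# (the first CERTIFICATE block is used).
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Check that the client certificate chains to the CA bundle that will be given
# to sfctl --ca, and that it is neither expired nor expiring within a day.
check_client_cert() {
    openssl x509 -in "$1" | openssl verify -CAfile "$2" >/dev/null &&
        openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# Thumbprint of the certificate the cluster presents on its HTTP gateway.
# Needs network access, so it only runs below when SF_ENDPOINT (an assumed
# variable) is set. Compare the result with the cluster certificate you
# expect before using it as ServerCertThumbprint or trusting it via --ca.
server_thumbprint() {
    openssl s_client -connect "$1:${2:-19080}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# --- constructed sample input: a throwaway dev CA and one client certificate ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat >"$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -config "$work/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=dev-ca" -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
openssl req -new -config "$work/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=sfctl-client" \
    -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$work/client.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -out "$work/client.crt" 2>/dev/null
openssl pkcs12 -export -in "$work/client.crt" -inkey "$work/client.key" \
    -out "$work/client.pfx" -passout pass:dev-secret

# --- the workflow a client machine goes through before running sfctl ---
pfx_to_pem "$work/client.pfx" "$work/client.pem" dev-secret
expected=$(thumbprint "$work/client.crt")   # the value registered on the cluster
actual=$(thumbprint "$work/client.pem")
[ "$actual" = "$expected" ] || { echo "PEM does not hold the expected client certificate" >&2; exit 1; }
check_client_cert "$work/client.pem" "$work/ca.pem" || { echo "client certificate fails CA/expiry check" >&2; exit 1; }
echo "client thumbprint: $actual"
echo "sfctl cluster select --endpoint https://<cluster>:19080 --pem $work/client.pem --ca $work/ca.pem"
[ -z "${SF_ENDPOINT-}" ] || echo "cluster presents: $(server_thumbprint "$SF_ENDPOINT")"
```

Run it as-is to see the checks pass against the generated dev CA; for a real cluster, point pfx_to_pem at your PFX, thumbprint at the resulting PEM, and check_client_cert at the CA bundle you intend to pass to --ca. The thumbprint it prints is the same value you would paste into -FindValue for the PowerShell and FabricClient examples later on this page.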

Connect to a cluster using PowerShell

Before you perform operations on a cluster through PowerShell, first establish a connection to the cluster. The cluster connection is used for all subsequent commands in the given PowerShell session.

Connect to an unsecure cluster

To connect to an unsecure cluster, provide the cluster endpoint address to the Connect-ServiceFabricCluster command:

Connect-ServiceFabricCluster -ConnectionEndpoint <Cluster FQDN>:19000 

Connect to a secure cluster using Azure Active Directory

To connect to a secure cluster that uses Azure Active Directory to authorize cluster administrator access, provide the cluster certificate thumbprint and use the AzureActiveDirectory flag. The thumbprint is how the client authenticates the cluster; AAD is how the cluster authenticates the client.

Connect-ServiceFabricCluster -ConnectionEndpoint <Cluster FQDN>:19000 `
-ServerCertThumbprint <Server Certificate Thumbprint> `
-AzureActiveDirectory

Connect to a secure cluster using a client certificate

Run the following PowerShell command to connect to a secure cluster that uses client certificates to authorize administrator access.

Connect using certificate common name

Provide the cluster certificate common name and the common name of the client certificate that has been granted permissions for cluster management. The certificate details must match a certificate on the cluster nodes.

Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterName -KeepAliveIntervalInSec 10 `
    -X509Credential `
    -ServerCommonName <certificate common name> `
    -FindType FindBySubjectName `
    -FindValue <certificate common name> `
    -StoreLocation CurrentUser `
    -StoreName My

ServerCommonName is the common name of the server certificate installed on the cluster nodes. FindValue is the common name of the admin client certificate. When the parameters are filled in, the command looks like the following example (here one certificate serves as both cluster and client certificate, so both values are the same common name):

$ClusterName= "sf-commonnametest-scus.chinaeast.cloudapp.chinacloudapi.cn:19000"
$certCN = "sfrpe2eetest.chinaeast.cloudapp.chinacloudapi.cn"

Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterName -KeepAliveIntervalInSec 10 `
    -X509Credential `
    -ServerCommonName $certCN `
    -FindType FindBySubjectName `
    -FindValue $certCN `
    -StoreLocation CurrentUser `
    -StoreName My

Connect using certificate thumbprint

Provide the cluster certificate thumbprint and the thumbprint of the client certificate that has been granted permissions for cluster management. The certificate details must match a certificate on the cluster nodes.

Connect-ServiceFabricCluster -ConnectionEndpoint <Cluster FQDN>:19000 `
          -KeepAliveIntervalInSec 10 `
          -X509Credential -ServerCertThumbprint <Certificate Thumbprint> `
          -FindType FindByThumbprint -FindValue <Certificate Thumbprint> `
          -StoreLocation CurrentUser -StoreName My

ServerCertThumbprint is the thumbprint of the server certificate installed on the cluster nodes. FindValue is the thumbprint of the admin client certificate. When the parameters are filled in, the command looks like the following example:

Connect-ServiceFabricCluster -ConnectionEndpoint clustername.chinanorth.cloudapp.chinacloudapi.cn:19000 `
          -KeepAliveIntervalInSec 10 `
          -X509Credential -ServerCertThumbprint A8136758F4AB8962AF2BF3F27921BE1DF67F4326 `
          -FindType FindByThumbprint -FindValue 71DE04467C9ED0544D021098BCD44C71E183414E `
          -StoreLocation CurrentUser -StoreName My

Connect to a secure cluster using Windows Active Directory

If your standalone cluster is deployed using Windows Active Directory security, connect to the cluster by adding the WindowsCredential switch. The Windows identity of the caller is used to authenticate to the cluster.

Connect-ServiceFabricCluster -ConnectionEndpoint <Cluster FQDN>:19000 `
          -WindowsCredential

Connect to a cluster using the FabricClient APIs

The Service Fabric SDK provides the FabricClient class for cluster management. To use the FabricClient APIs, get the Microsoft.ServiceFabric NuGet package.

Connect to an unsecure cluster

To connect to a remote unsecured cluster, create a FabricClient instance and provide the cluster address:

FabricClient fabricClient = new FabricClient("clustername.chinanorth.cloudapp.chinacloudapi.cn:19000");

For code that runs from within a cluster, for example in a Reliable Service, create a FabricClient without specifying the cluster address. FabricClient then connects to the local management gateway on the node the code is running on, avoiding an extra network hop.

FabricClient fabricClient = new FabricClient();

Connect to a secure cluster using a client certificate

The nodes in the cluster must have valid certificates whose common name, or a DNS name in the subject alternative name (SAN), appears in the RemoteCommonNames property set on the FabricClient; the example below also pins the cluster certificate's thumbprint through RemoteCertThumbprints. Following this process enables mutual authentication between the client and the cluster nodes: the cluster verifies the client certificate and the client verifies the cluster certificate.

using System;
using System.Fabric;
using System.Security.Cryptography.X509Certificates;

// Placeholder values: the thumbprint of your client certificate, the thumbprint
// and common name of the cluster (server) certificate, and the cluster's
// client connection endpoint.
string clientCertThumb = "71DE04467C9ED0544D021098BCD44C71E183414E";
string serverCertThumb = "A8136758F4AB8962AF2BF3F27921BE1DF67F4326";
string commonName = "www.clustername.chinanorth.chinacloudapi.cn";
string connection = "clustername.chinanorth.cloudapp.chinacloudapi.cn:19000";

var xc = GetCredentials(clientCertThumb, serverCertThumb, commonName);
var fc = new FabricClient(xc, connection);

try
{
    // Any call that reaches the cluster exercises the mutually authenticated handshake.
    var ret = fc.ClusterManager.GetClusterManifestAsync().Result;
    Console.WriteLine(ret.ToString());
}
catch (Exception e)
{
    Console.WriteLine("Connect failed: {0}", e.Message);
}

static X509Credentials GetCredentials(string clientCertThumb, string serverCertThumb, string name)
{
    X509Credentials xc = new X509Credentials();
    // Where to find the client certificate (with its private key) that
    // identifies this process to the cluster.
    xc.StoreLocation = StoreLocation.CurrentUser;
    xc.StoreName = "My";
    xc.FindType = X509FindType.FindByThumbprint;
    xc.FindValue = clientCertThumb;
    // What the cluster is expected to present: its certificate is pinned by
    // common name and by thumbprint.
    xc.RemoteCommonNames.Add(name);
    xc.RemoteCertThumbprints.Add(serverCertThumb);
    // Encrypt and sign the channel.
    xc.ProtectionLevel = ProtectionLevel.EncryptAndSign;
    return xc;
}

Connect to a secure cluster interactively using Azure Active Directory

The following example uses Azure Active Directory for client identity and a server certificate for server identity.

A dialog window automatically pops up for interactive sign-in when the client first connects to the cluster.

using System;
using System.Fabric;

string serverCertThumb = "A8136758F4AB8962AF2BF3F27921BE1DF67F4326";
string connection = "clustername.chinanorth.cloudapp.chinacloudapi.cn:19000";

// No LocalClaims are set, so the client acquires the AAD token itself by
// opening an interactive sign-in dialog on the first call.
var claimsCredentials = new ClaimsCredentials();
// Pin the cluster (server) certificate so the client still authenticates the cluster.
claimsCredentials.ServerThumbprints.Add(serverCertThumb);

var fc = new FabricClient(claimsCredentials, connection);

try
{
    var ret = fc.ClusterManager.GetClusterManifestAsync().Result;
    Console.WriteLine(ret.ToString());
}
catch (Exception e)
{
    Console.WriteLine("Connect failed: {0}", e.Message);
}

Connect to a secure cluster non-interactively using Azure Active Directory

The following example relies on Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL), Version: 2.19.208020213. ADAL has since been deprecated in favor of the Microsoft Authentication Library (MSAL); the token, once acquired, is handed to Service Fabric in the same way.

For more information on AAD token acquisition, see Microsoft.IdentityModel.Clients.ActiveDirectory.

using System;
using System.Fabric;
using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Placeholder AAD identifiers: the tenant, the native client application
// registered for cluster clients, and the web application that represents
// the cluster (the audience of the token).
string tenantId = "C15CFCEA-02C1-40DC-8466-FBD0EE0B05D2";
string clientApplicationId = "118473C2-7619-46E3-A8E4-6DA8D5F56E12";
string webApplicationId = "53E6948C-0897-4DA6-B26A-EE2A38A690B4";

string token = GetAccessToken(
    tenantId,
    webApplicationId,
    clientApplicationId,
    "urn:ietf:wg:oauth:2.0:oob");

string serverCertThumb = "A8136758F4AB8962AF2BF3F27921BE1DF67F4326";
string connection = "clustername.chinanorth.cloudapp.chinacloudapi.cn:19000";

var claimsCredentials = new ClaimsCredentials();
// The client still authenticates the cluster by its certificate thumbprint.
claimsCredentials.ServerThumbprints.Add(serverCertThumb);
// Supplying the token up front is what makes the connection non-interactive.
claimsCredentials.LocalClaims = token;

var fc = new FabricClient(claimsCredentials, connection);

try
{
    var ret = fc.ClusterManager.GetClusterManifestAsync().Result;
    Console.WriteLine(ret.ToString());
}
catch (Exception e)
{
    Console.WriteLine("Connect failed: {0}", e.Message);
}

...

static string GetAccessToken(
    string tenantId,
    string resource,
    string clientId,
    string redirectUri)
{
    // Azure China authority; the tenant ID is substituted into the URL.
    string authorityFormat = @"https://login.chinacloudapi.cn/{0}";
    string authority = string.Format(CultureInfo.InvariantCulture, authorityFormat, tenantId);
    var authContext = new AuthenticationContext(authority);

    // Placeholder credentials. Passing a user name and password directly is the
    // resource-owner password flow: it embeds a password in the client and does
    // not work for accounts that require MFA, so keep it to test environments.
    var authResult = authContext.AcquireToken(
        resource,
        clientId,
        new UserCredential("TestAdmin@clustenametenant.partner.onmschina.cn", "TestPassword"));
    return authResult.AccessToken;
}

Connect to a secure cluster without prior metadata knowledge using Azure Active Directory

The following example uses non-interactive token acquisition, but the same approach can be used to build a custom interactive token acquisition experience. The Azure Active Directory metadata needed for token acquisition (authority, cluster application and client application) is read from the cluster configuration, so the client does not have to hard-code it.

using System;
using System.Fabric;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

string serverCertThumb = "A8136758F4AB8962AF2BF3F27921BE1DF67F4326";
string connection = "clustername.chinanorth.cloudapp.chinacloudapi.cn:19000";

var claimsCredentials = new ClaimsCredentials();
claimsCredentials.ServerThumbprints.Add(serverCertThumb);

var fc = new FabricClient(claimsCredentials, connection);

// No token is supplied up front. The client raises this event when it needs
// one and passes along the AAD metadata it obtained from the cluster.
fc.ClaimsRetrieval += (o, e) =>
{
    return GetAccessToken(e.AzureActiveDirectoryMetadata);
};

try
{
    var ret = fc.ClusterManager.GetClusterManifestAsync().Result;
    Console.WriteLine(ret.ToString());
}
catch (Exception e)
{
    Console.WriteLine("Connect failed: {0}", e.Message);
}

...

static string GetAccessToken(AzureActiveDirectoryMetadata aad)
{
    // Authority, cluster (resource) application and client application all
    // come from the cluster rather than from values compiled into the client.
    var authContext = new AuthenticationContext(aad.Authority);

    // Placeholder credentials. The user-name/password (resource-owner password)
    // flow embeds a password in the client and does not work with MFA, so keep
    // it to test environments.
    var authResult = authContext.AcquireToken(
        aad.ClusterApplication,
        aad.ClientApplication,
        new UserCredential("TestAdmin@clustenametenant.partner.onmschina.cn", "TestPassword"));
    return authResult.AccessToken;
}

Connect to a secure cluster using Service Fabric Explorer

To reach Service Fabric Explorer for a given cluster, point your browser to the cluster's HTTP gateway on port 19080 (use https:// when the cluster is secured):

http://<your-cluster-endpoint>:19080/Explorer

The full URL is also available in the cluster essentials pane of the Azure portal.

For connecting to a secure cluster on Windows or OS X using a browser, you can import the client certificate, and the browser will prompt you for the certificate to use for connecting to the cluster. On Linux machines, the certificate has to be imported using advanced browser settings (each browser has a different mechanism) that point to the certificate location on disk. Read Set up a client certificate for more information.

Connect to a secure cluster using Azure Active Directory

To connect to a cluster that is secured with AAD, point your browser to:

https://<your-cluster-endpoint>:19080/Explorer

You are automatically prompted to sign in with AAD.

Connect to a secure cluster using a client certificate

To connect to a cluster that is secured with certificates, point your browser to:

https://<your-cluster-endpoint>:19080/Explorer

You are automatically prompted to select a client certificate.

Set up a client certificate on the remote computer

At least two certificates should be used for securing the cluster: one cluster (server) certificate installed on the nodes, and a separate client certificate for client access. We recommend that you also configure secondary cluster certificates and additional client certificates. To secure the communication between a client and a cluster node using certificate security, you first need to obtain and install the client certificate. The certificate can be installed into the Personal (My) store of the local computer or the current user. You also need the thumbprint of the server certificate so that the client can authenticate the cluster.

  • On Windows: Double-click the PFX file and follow the prompts to install the certificate in your personal store, Certificates - Current User\Personal\Certificates. Alternatively, you can use the PowerShell command below (the path and the password "test" are placeholders). -Exportable allows the private key to be exported from the store again later; it is not needed just to connect, so omit it unless you have to move the key.

    Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\My `
            -FilePath C:\docDemo\certs\DocDemoClusterCert.pfx `
            -Password (ConvertTo-SecureString -String test -AsPlainText -Force)
    

    If it is a self-signed certificate, you need to import it into your machine's "Trusted People" store before you can use this certificate to connect to a secure cluster.

    Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\TrustedPeople `
    -FilePath C:\docDemo\certs\DocDemoClusterCert.pfx `
    -Password (ConvertTo-SecureString -String test -AsPlainText -Force)
    
  • On Mac: Double-click the PFX file and follow the prompts to install the certificate in your Keychain.

Next steps