Problem Connecting to a Secure Azure Service Fabric Cluster

I am trying to connect to a single-node cluster that was created successfully, but at the moment I cannot connect from either the node itself or from a separate client machine.

The setup is a single-node cluster, where the cluster is the same machine as the server/node. I am using self-signed certificates and (in theory) have installed the primary and secondary certificates on the cluster/server, and the admin certificate plus a standard client certificate on the client machine.

If I install an unsecured cluster on the machine, I can successfully navigate to it in a browser, but when I create a secure cluster I cannot connect.

Attempting to connect via PowerShell fails with the error "Failed to authenticate server".

Browsing to the server with Chrome also fails.

The cluster JSON configuration is as follows:

{
  "name": "SomeFancyCluster",
  "clusterConfigurationVersion": "1.0.0",
  "apiVersion": "10-2017",
  "nodes": [
    {
      "nodeName": "vm0",
      "iPAddress": "some.server.name",
      "nodeTypeRef": "NodeType0",
      "faultDomain": "fd:/dc1/r0",
      "upgradeDomain": "UD0"
    }
  ],
  "properties": {
    "diagnosticsStore": {
      "metadata": "Please replace the diagnostics file share with an actual file share accessible from all cluster machines.",
      "dataDeletionAgeInDays": "21",
      "storeType": "FileShare",
      "connectionstring": "c:\\ProgramData\\SF\\DiagnosticsStore"
    },
    "security": {
      "metadata": "The Credential type X509 indicates this is cluster is secured using X509 Certificates. The thumbprint format is - d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
      "ClusterCredentialType": "Windows",
      "ServerCredentialType": "X509",
      "WindowsIdentities": {
        "ClusterIdentity": "some.server"
      },
      "CertificateInformation": {
        "ClusterCertificate": {
          "Thumbprint": "ab123456789123456789123456789123456789cd",
          "ThumbprintSecondary": "ef123456789123456789123456789123456789gh",
          "X509StoreName": "My"
        },
        "ServerCertificate": {
          "Thumbprint": "ab123456789123456789123456789123456789cd",
          "ThumbprintSecondary": "ef123456789123456789123456789123456789gh",
          "X509StoreName": "My"
        },
        "ClientCertificateThumbprints": [{
               "CertificateThumbprint": "ab123456789123456789123456789123456789ef",
               "IsAdmin": false
           }, {
               "CertificateThumbprint": "ab123456789123456789123456789123456789gh",
               "IsAdmin": true
           }]
      }
    },
    "nodeTypes": [
      {
        "name": "NodeType0",
        "clientConnectionEndpointPort": "19000",
        "clusterConnectionEndpointPort": "19001",
        "leaseDriverEndpointPort": "19002",
        "serviceConnectionEndpointPort": "19003",
        "httpGatewayEndpointPort": "19080",
        "reverseProxyEndpointPort": "30000",
        "applicationPorts": {
          "startPort": "20001",
          "endPort": "20031"
        },
        "ephemeralPorts": {
          "startPort": "20032",
          "endPort": "20287"
        },
        "isPrimary": true
      }
    ],
    "fabricSettings": [
      {
        "name": "Setup",
        "parameters": [
          {
            "name": "FabricDataRoot",
            "value": "C:\\ProgramData\\SF"
          },
          {
            "name": "FabricLogRoot",
            "value": "C:\\ProgramData\\SF\\Log"
          }
        ]
      }
    ]
  }
}

I then try to connect, following the documentation, with the following PowerShell command:

Connect-ServiceFabricCluster -ConnectionEndpoint some.server.name:19000 -KeepAliveIntervalInSec 10 -X509Credential -ServerCertThumbprint <Server Thumbprint> -FindType FindByThumbprint -FindValue <Client Thumbprint> -StoreLocation CurrentUser -StoreName My

I installed the client certificates into 'Certificates - Current User/Personal/Certificates'.

On the server, the certificates are all in 'Certificates (Local Computer)/Personal/Certificates'.

The primary server/cluster certificate is also in 'Certificates (Local Computer)/Trusted Root Certification Authorities', with a CN equal to some.server.name.

Any ideas about what is missing/wrong above?

I have a feeling this is related to the ClusterIdentity field in the configuration. Can you tell me why you added it?

You are authenticating with certificates, so if you want to connect to the cluster with a certificate, remove the WindowsIdentities section entirely and change ClusterCredentialType to X509. Update the cluster configuration and you should be able to connect.

Otherwise, supply the -WindowsCredential parameter when connecting instead of a certificate.
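As an added example (not code from the question, the answer, or Service Fabric itself), the following Python script checks the "security" section of a standalone cluster configuration for exactly the inconsistency the answer describes: a Windows ClusterCredentialType combined with an X509 ServerCredentialType, or a leftover WindowsIdentities section after switching to X509. It also validates that every thumbprint is 40 hex digits, since values pasted from the certificate viewer often carry spaces or a hidden non-printing character and then silently fail to match any installed certificate. The sample security block and its thumbprints are constructed for this example and the function names are my own.

```python
import json
import re
from copy import deepcopy

# A thumbprint is the SHA-1 of the certificate: 40 hex digits, no spaces or colons.
THUMBPRINT = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample: a "security" block shaped like the one in the question, with a
# Windows cluster credential next to an X509 server credential. The thumbprints are
# made-up hex values, not real certificates.
MIXED_SECURITY = {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "X509",
    "WindowsIdentities": {"ClusterIdentity": "some.server"},
    "CertificateInformation": {
        "ClusterCertificate": {
            "Thumbprint": "ab123456789123456789123456789123456789cd",
            "ThumbprintSecondary": "ef123456789123456789123456789123456789ab",
            "X509StoreName": "My",
        },
        "ServerCertificate": {
            "Thumbprint": "ab123456789123456789123456789123456789cd",
            "ThumbprintSecondary": "ef123456789123456789123456789123456789ab",
            "X509StoreName": "My",
        },
        "ClientCertificateThumbprints": [
            {"CertificateThumbprint": "ab123456789123456789123456789123456789ef", "IsAdmin": False},
            {"CertificateThumbprint": "ab123456789123456789123456789123456789aa", "IsAdmin": True},
        ],
    },
}


def lint_security(security: dict) -> list:
    """Return a list of findings for a Service Fabric 'security' section.

    An empty list means credential types, identity sections and thumbprints are
    consistent for the chosen authentication mode.
    """
    findings = []
    cluster_type = security.get("ClusterCredentialType")
    server_type = security.get("ServerCredentialType")
    has_windows_ids = "WindowsIdentities" in security
    cert_info = security.get("CertificateInformation", {})

    # The mismatch from the question: node-to-node auth is Windows, while clients
    # are expected to present a certificate.
    if cluster_type == "Windows" and server_type == "X509":
        findings.append("ClusterCredentialType is Windows but ServerCredentialType is X509; "
                        "set ClusterCredentialType to X509 to connect with a client certificate")
    if cluster_type == "X509" and has_windows_ids:
        findings.append("WindowsIdentities is present but ClusterCredentialType is X509; "
                        "remove the WindowsIdentities section")
    if cluster_type == "Windows" and not has_windows_ids:
        findings.append("ClusterCredentialType is Windows but WindowsIdentities is missing")
    if cluster_type == "X509" and "ClusterCertificate" not in cert_info:
        findings.append("ClusterCredentialType is X509 but CertificateInformation.ClusterCertificate is missing")
    if server_type == "X509":
        if "ServerCertificate" not in cert_info:
            findings.append("ServerCredentialType is X509 but CertificateInformation.ServerCertificate is missing")
        if not cert_info.get("ClientCertificateThumbprints"):
            findings.append("ServerCredentialType is X509 but no ClientCertificateThumbprints are listed; "
                            "no client certificate could be accepted")

    # Thumbprint hygiene: anything that is not exactly 40 hex digits will never match
    # a certificate in the store, and the failure surfaces only as an auth error.
    for section in ("ClusterCertificate", "ServerCertificate"):
        for key in ("Thumbprint", "ThumbprintSecondary"):
            value = cert_info.get(section, {}).get(key)
            if value is not None and not THUMBPRINT.match(value):
                findings.append(f"{section}.{key} is not a 40-digit hex thumbprint: {value!r}")
    for i, client in enumerate(cert_info.get("ClientCertificateThumbprints", [])):
        value = client.get("CertificateThumbprint", "")
        if not THUMBPRINT.match(value):
            findings.append(f"ClientCertificateThumbprints[{i}] is not a 40-digit hex thumbprint: {value!r}")
    return findings


def switch_to_x509(security: dict) -> dict:
    """Apply the answer's fix: certificate-only cluster, no WindowsIdentities section."""
    fixed = deepcopy(security)
    fixed["ClusterCredentialType"] = "X509"
    fixed.pop("WindowsIdentities", None)
    return fixed


def lint_config_file(path: str) -> list:
    """Lint the properties.security section of a cluster configuration JSON file on disk."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    return lint_security(config["properties"]["security"])


if __name__ == "__main__":
    for finding in lint_security(MIXED_SECURITY):
        print("before fix:", finding)
    print("after fix:", lint_security(switch_to_x509(MIXED_SECURITY)) or "no findings")
```

Run lint_config_file against the ClusterConfig.json you are about to pass to the standalone cluster setup script; a clean result means the credential types agree with the sections present, and that every thumbprint at least has the right shape before you go hunting for certificate-store or CN issues.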