Secure communication of services within Service Fabric standalone cluster

    Below is the detailed explanation of the type of implementation we are trying to set up. Please assist in providing some reference information or a sample implementation for the following.

    ******************

    Current Scenario:

    ******************

    Secured Service Fabric cluster

    I have already set up a secured Service Fabric cluster using the following reference doc:

    https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security

    1. Client to Node Security:

    1.1   Windows Authentication

    Using the reference doc from (https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-windows-security) I was able to successfully test the Client to Node security

    "security": {
        "ServerCredentialType": "Windows",
        "WindowsIdentities": {
            "ClientIdentities": [{
                "Identity": "[domain\username]",
                "IsAdmin": true
            }]
        }
    }

    The above setup secures access to Service Fabric Explorer and even the PowerShell commands for working with the SF cluster. I could not implement Windows Security using gMSA, as we do not have this set up within RBC.

    1.2   X.509 certificates

    Using the reference doc from (https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-x509-security) I was able to successfully test Client to Node security

    "security": {
        "metadata": "The Credential type X509 indicates this is cluster is secured using X509 Certificates. The thumbprint format is - d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
        "ServerCredentialType": "X509",
        "CertificateInformation": {
            "ServerCertificate": {
                "Thumbprint": "[Thumbprint]",
                "ThumbprintSecondary": "[Thumbprint]",
                "X509StoreName": "My"
            },
            "ClientCertificateThumbprints": [
                {
                    "CertificateThumbprint": "[Thumbprint]",
                    "IsAdmin": false
                },
                {
                    "CertificateThumbprint": "[Thumbprint]",
                    "IsAdmin": true
                }
            ]
        }
    }

    2. Node to Node Security:

    2.1   Windows Authentication

    As there is no gMSA set up with RBC, I was not able to do Node to Node security using Windows Security. I am looking into the option of using Machine Group.

    2.2   X.509 certificates

    I was successfully able to secure Node to Node communication in the cluster using the certificate.

    ******************

    Following are the asks

    ******************

    I need to get some help on setting up Application Level Security in Service Fabric Cluster Standalone (on Premise).

    Following are the three different scenarios under consideration:

    Scenario 1:


    Scenario 2:

    Scenario 3:


    Questions:

    1. What is the best practice to get user authentication in the above scenarios (OAuth 2.0, Windows Auth, etc.)?
    2. Is there support for delegated calls (impersonation), similar to the one in IIS?
    3. How to secure the communication between each microservice inside the SF Cluster Standalone (on premise), for example in the scenarios above:
      1. Calls going from Service A2 to A3, Service A3 to A5, etc.
        We are mainly looking for a Windows Integrated Authentication (Kerberos) option, if any.

    Friday, May 19, 2017 9:44 PM
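One way to sanity-check a standalone ClusterConfig.json security section like the ones above before deploying it, as an added example that is not from the post or from Microsoft's documentation: a small Python validator over the keys shown in the post (ServerCredentialType, CertificateInformation, WindowsIdentities) plus ClusterCredentialType, ClustergMSAIdentity and ClusterIdentity, which are assumed here from the standalone config schema. It catches the placeholder thumbprints, a missing admin client and a node-to-node credential type left unset; the sample configs are constructed.

```python
import re

THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA-1 thumbprint, no spaces

def _check_thumbprint(value, where, findings):
    # A placeholder such as "[Thumbprint]" or a value copied with spaces fails here.
    if not isinstance(value, str) or not THUMBPRINT_RE.match(value):
        findings.append(f"{where}: {value!r} is not a 40-hex-digit thumbprint")

def check_security(security):
    """Return findings for the 'security' section of a standalone ClusterConfig.json."""
    findings = []
    # ClusterCredentialType covers node-to-node, ServerCredentialType client-to-node (assumed schema).
    if security.get("ClusterCredentialType") not in ("Windows", "X509"):
        findings.append("ClusterCredentialType missing or None: node-to-node traffic is unsecured")
    cred = security.get("ServerCredentialType")
    if cred == "X509":
        info = security.get("CertificateInformation", {})
        server = info.get("ServerCertificate", {})
        _check_thumbprint(server.get("Thumbprint"), "ServerCertificate.Thumbprint", findings)
        if "ThumbprintSecondary" in server:
            _check_thumbprint(server["ThumbprintSecondary"], "ThumbprintSecondary", findings)
        clients = info.get("ClientCertificateThumbprints", [])
        for i, c in enumerate(clients):
            _check_thumbprint(c.get("CertificateThumbprint"), f"ClientCertificateThumbprints[{i}]", findings)
    elif cred == "Windows":
        ids = security.get("WindowsIdentities", {})
        clients = ids.get("ClientIdentities", [])
        # Node-to-node Windows security also needs a cluster identity (gMSA or machine group).
        if not (ids.get("ClustergMSAIdentity") or ids.get("ClusterIdentity")):
            findings.append("WindowsIdentities: no ClustergMSAIdentity or ClusterIdentity set")
    else:
        return findings + [f"ServerCredentialType {cred!r}: client-to-node endpoints are unsecured"]
    if not clients:
        findings.append("no client identities or certificates configured")
    elif not any(c.get("IsAdmin") is True for c in clients):
        findings.append("no client with IsAdmin=true: cluster cannot be administered")
    return findings

# Constructed sample: the X509 section as posted, with its placeholders left in place.
AS_POSTED = {"ServerCredentialType": "X509", "CertificateInformation": {
    "ServerCertificate": {"Thumbprint": "[Thumbprint]", "X509StoreName": "My"},
    "ClientCertificateThumbprints": [{"CertificateThumbprint": "[Thumbprint]", "IsAdmin": True}]}}

# Constructed sample with made-up but well-formed thumbprints and both credential types set.
FIXED = {"ClusterCredentialType": "X509", "ServerCredentialType": "X509", "CertificateInformation": {
    "ServerCertificate": {"Thumbprint": "d5ec423b79cbe507fd83593c56b9d53124254264", "X509StoreName": "My"},
    "ClientCertificateThumbprints": [{"CertificateThumbprint": "0123456789abcdef0123456789abcdef01234567", "IsAdmin": True}]}}
```

Run `check_security(json.load(open("ClusterConfig.json"))["security"])` against a real file; an empty list means the section passed these checks.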
