Creating a secure standalone Service Fabric cluster with X.509 certificates

Time: 2018-08-01 07:11:36

Tags: azure-service-fabric

I am trying to create a secure three-node Service Fabric cluster with X.509 certificates using Service Fabric runtime 6.3.162.9494.

The three machines are

  1. Windows Server 2016 Standard version 1607 with GUI (build 14393.447)

  2. Windows 10 Enterprise 2016 LTSB version 1607 (build 14393.447)

  3. Windows 10 Enterprise 2016 LTSB version 1607 (build 14393.447)

I downloaded the Service Fabric package from http://go.microsoft.com/fwlink/?LinkId=730690

I used the ClusterConfig.X509.MultiMachine.json configuration file.

I followed this document (https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-x509-security) to create the cluster.

First, I created a self-signed certificate and installed it on all the machines in

  1. Local Computer - Personal

  2. Local Computer - Trusted Root Certification Authorities

  3. Current User - Personal

The properties I configured in the configuration file are as follows:

{
    "name": "SampleCluster",
    "clusterConfigurationVersion": "1.0.0",
    "apiVersion": "10-2017",
    "nodes": [
        {
            "nodeName": "Server",
            "iPAddress": "10.140.133.171",
            "nodeTypeRef": "NodeType0",
            "faultDomain": "fd:/dc1/r0",
            "upgradeDomain": "UD0"
        },
        {
            "nodeName": "Client1",
            "iPAddress": "10.140.133.199",
            "nodeTypeRef": "NodeType0",
            "faultDomain": "fd:/dc1/r1",
            "upgradeDomain": "UD1"
        },
        {
            "nodeName": "Client2",
            "iPAddress": "10.140.133.177",
            "nodeTypeRef": "NodeType0",
            "faultDomain": "fd:/dc1/r2",
            "upgradeDomain": "UD2"
        }
    ],
    "properties": {
       "diagnosticsStore": 
        {
            "metadata":  "Please replace the diagnostics file share with an actual file share accessible from all cluster machines. For example, \\\\machine1\\DiagnosticsStore.",
            "dataDeletionAgeInDays": "21",
            "storeType": "FileShare",
            "connectionstring": "\\\\10.140.133.171\\DiagnosticsStore"
        },
        "security": {
            "metadata": "The Credential type X509 indicates this is cluster is secured using X509 Certificates. The thumbprint format is - d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
            "ClusterCredentialType": "X509",
            "ServerCredentialType": "X509",
            "CertificateInformation": {
                "ClusterCertificateCommonNames": {
                  "CommonNames": [
                    {
                      "CertificateCommonName": "WindowsCertificate"
                    }
                  ],
                  "X509StoreName": "My"
                },
                "ClusterCertificateIssuerStores": [
                    {
                         "IssuerCommonName": "WindowsCertificate",
                         "X509StoreNames" : "Root"
                    }
                ],
                "ServerCertificateCommonNames": {
                  "CommonNames": [
                    {
                      "CertificateCommonName": "WindowsCertificate"
                    }
                  ],
                  "X509StoreName": "My"
                },
                "ServerCertificateIssuerStores": [
                    {
                        "IssuerCommonName": "WindowsCertificate",
                        "X509StoreNames" : "Root"
                    }
                ],
                "ReverseProxyCertificateCommonNames": {
                  "CommonNames": [
                      {
                        "CertificateCommonName": "WindowsCertificate"
                      }
                    ],
                    "X509StoreName": "My"
                },
                "ClientCertificateThumbprints": [
                    {
                        "CertificateThumbprint": "86 4d 24 ea 57 29 08 a0 4d f4 9c 6d ec f6 04 5f 82 65 01 db",
                        "IsAdmin": false
                    },
                    {
                        "CertificateThumbprint": "86 4d 24 ea 57 29 08 a0 4d f4 9c 6d ec f6 04 5f 82 65 01 db",
                        "IsAdmin": true
                    }
                ],
                "ClientCertificateCommonNames": [
                    {
                        "CertificateCommonName": "WindowsCertificate",
                        "IsAdmin": true
                    }
                ],
                "ClientCertificateIssuerStores": [
                    {
                        "IssuerCommonName": "WindowsCertificate",
                        "X509StoreNames": "Root"
                    }
                ]
            }
        },
        "nodeTypes": [
            {
                "name": "NodeType0",
                "clientConnectionEndpointPort": "19000",
                "clusterConnectionEndpointPort": "19001",
                "leaseDriverEndpointPort": "19002",
                "serviceConnectionEndpointPort": "19003",
                "httpGatewayEndpointPort": "19080",
                "reverseProxyEndpointPort": "19081",
                "applicationPorts": {
                    "startPort": "20001",
                    "endPort": "20031"
                },
                "isPrimary": true
            }
        ],
        "fabricSettings": [
            {
                "name": "Setup",
                "parameters": [
                    {
                        "name": "FabricDataRoot",
                        "value": "C:\\ProgramData\\SF"
                    },
                    {
                        "name": "FabricLogRoot",
                        "value": "C:\\ProgramData\\SF\\Log"
                    }
                ]
            }
        ]
    }
}

When creating the cluster, I get this error (the error I am getting):
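One way to carry out the certificate steps the question describes (create a self-signed certificate, put the private key in Local Computer\Personal and Current User\Personal, and only the public part in Trusted Root), as an added PowerShell example that is not part of the original post and not from the Service Fabric documentation. The common name `WindowsCertificate` is taken from the posted config; the file paths under `C:\Temp` and the password prompt are assumptions. Run it in an elevated session; steps 3 and 4 are repeated on every node after copying the two exported files there.

```powershell
# Added example: create and install a self-signed cluster certificate.
# Assumptions: CN "WindowsCertificate" (from the posted config), export files
# under C:\Temp (constructed paths), a PFX password entered at the prompt.

$commonName  = 'WindowsCertificate'
$pfxPath     = 'C:\Temp\WindowsCertificate.pfx'
$cerPath     = 'C:\Temp\WindowsCertificate.cer'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Create the certificate once, on the machine the deployment is run from.
#    A legacy CSP provider (not CNG) is the safe choice for a Service Fabric cluster
#    certificate; -KeyExportPolicy Exportable allows copying the key to the other nodes.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$commonName" `
    -DnsName $commonName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddYears(1)

# The store holds the thumbprint without spaces; compare it with the config values.
"Cluster certificate thumbprint: $($cert.Thumbprint)"

# 2. Export the private key (PFX) for the other nodes and the public part (CER) for Root.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# 3. On every node: private key into LocalMachine\My and CurrentUser\My,
#    public certificate only into Trusted Root (the private key never belongs there).
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword -Exportable | Out-Null
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $pfxPassword | Out-Null
Import-Certificate    -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Check: the certificate sits in My with a private key, and its copy in Root.
#    Because the certificate is self-signed, its issuer CN equals its subject CN, which is
#    what the config's ClusterCertificateIssuerStores entry with X509StoreNames "Root" requires.
Get-ChildItem 'Cert:\LocalMachine\My'   | Where-Object { $_.Subject -eq "CN=$commonName" } |
    Select-Object Subject, Issuer, Thumbprint, HasPrivateKey
Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -eq "CN=$commonName" } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

The last command should report `HasPrivateKey` as `False` for the Root copy and `True` for the My copy; if the thumbprint printed in step 1 differs from the `CertificateThumbprint` values in the config, the cluster manifest will reference a certificate that the nodes do not have.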

2 Answers:

Answer 0 (score: 0)

There can be many reasons. Even if the PowerShell error says the certificate could not be found, the actual problem may be slightly different. The most common issue is probably that the machine you are creating the cluster from has no connectivity to the node machines. I would start by verifying that.

Also, run the creation script again and check

C:\Users\Administrator\Desktop\Microsoft.Azure.ServiceFabric.WindowsServer.6.3.162.9494\DeploymentTraces

You will find a more accurate description of the error there.

If the error in the trace files is the same, check the access permissions of the server certificate on each node. By default, Service Fabric runs as the NETWORK SERVICE user. You should grant this user access.

Answer 1 (score: 0)

The reason for the failure is quite clear from the error message.

Basically - you have to make sure that all server/cluster certificates:

  1. are installed on each node (before creating the cluster)
  2. are accessible to the "WINDOWS SERVICE" account (if you are using X509) - see MSDOC for how to do this
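Both answers come down to the same check on each node: is the certificate present in the machine store with its private key, and can the account Service Fabric runs as (NETWORK SERVICE) read that key. The following PowerShell script is an added example, not code from either answer or from the Service Fabric documentation. It uses the thumbprint from the posted config (spaces stripped, since the store holds it without them); the key-file locations under `%ProgramData%\Microsoft\Crypto` are the standard Windows locations for CSP and CNG machine keys, and the CNG branch is an assumption about the key type. Run it elevated on every node.

```powershell
# Added example: verify the cluster certificate on this node and make sure
# NETWORK SERVICE can read its private key. Thumbprint from the posted config.

$thumbprint = ('86 4d 24 ea 57 29 08 a0 4d f4 9c 6d ec f6 04 5f 82 65 01 db' -replace ' ', '').ToUpper()
$account    = 'NT AUTHORITY\NETWORK SERVICE'
$cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'

# 1. Certificate present in LocalMachine\My, with a private key?
$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "Certificate $thumbprint is not in LocalMachine\My on $env:COMPUTERNAME"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key on $env:COMPUTERNAME (was the PFX imported?)"
}

# 2. Resolve the private key to its file on disk.
#    CSP keys live under RSA\MachineKeys; CNG keys (assumed branch) under Keys.
$keyFile = $null
try {
    $container = $cert.PrivateKey.CspKeyContainerInfo      # RSACryptoServiceProvider for CSP keys
    if ($container) {
        $keyFile = Join-Path $cryptoRoot ('RSA\MachineKeys\' + $container.UniqueKeyContainerName)
    }
} catch { }
if (-not $keyFile) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyFile = Join-Path $cryptoRoot ('Keys\' + $rsa.Key.UniqueName)
}
if (-not (Test-Path $keyFile)) {
    throw "Private key file not found: $keyFile"
}

# 3. Does NETWORK SERVICE already have an Allow entry that covers Read?
$readRights = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRights) -eq $readRights)
}

if ($hasRead) {
    "$account can already read the private key ($keyFile)"
} else {
    # Grant Read only: the runtime needs to use the key, not overwrite or delete it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $account"
}

# 4. Print the resulting ACL so the state of each node can be compared.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If step 1 throws on a node, the cluster cannot come up there regardless of permissions; if step 3 has to grant access, re-run the cluster creation script afterwards and compare the DeploymentTraces output mentioned in the first answer.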