How to use EndpointCertificate with proper ACL for Network Service in Service Fabric

Presentiments: your Service Fabric cluster must be of version 7.1. Since the automatic rollout was postponed, you would need to temporarily switch to the manual mode, select the latest version, and then switch back once the upgrade is complete. To me it took just a few minutes.

undefinedundefined

Before I had the following configuration for a SSL certificate in my application manifest. The endpoint certificate was configured as regular certificate because Service Fabric was not supporting loading it by SNI, and now it does. I also had manually to ACL it to Network Service.

  <Principals>
    <Users>
      <User Name="NetworkServiceUser" AccountType="NetworkService" />
    </Users>
  </Principals>
  <Policies>
    <SecurityAccessPolicies>
      <SecurityAccessPolicy ResourceRef="SSLCert" PrincipalRef="NetworkServiceUser" GrantRights="Full" ResourceType="Certificate" />
    </SecurityAccessPolicies>
  </Policies>
  <Certificates>
    <SecretsCertificate X509FindType="FindBySubjectName" X509FindValue="[SSL_Certificate_SubjectName]" Name="SSLCert" />
  </Certificates>

Now it looks like this:

<ServiceManifestImport>
  <Policies>
    <EndpointBindingPolicy EndpointRef="ServiceTypeEndpoint_Secure" CertificateRef="SSLCert" />
  </Policies>
</ServiceManifestImport>
<Certificates>
  <EndpointCertificate X509FindType="FindBySubjectName" X509FindValue="[SSL_Certificate_SubjectName]" Name="SSLCert" />
</Certificates>

Once the application is deployed, Service Fabric will start looking for a new certificate by SNI every 1 minutes and ACL it to Network Service (grant it access to the private key) automatically.

This entry was posted in Programming and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.