SecurityCredentials.LoadFrom Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Instantiates a SecurityCredentials object from the service configuration settings file.
public static System.Fabric.SecurityCredentials LoadFrom (System.Fabric.CodePackageActivationContext codePackageActivationContext, string configPackageName, string sectionName);
static member LoadFrom : System.Fabric.CodePackageActivationContext * string * string -> System.Fabric.SecurityCredentials
Public Shared Function LoadFrom (codePackageActivationContext As CodePackageActivationContext, configPackageName As String, sectionName As String) As SecurityCredentials
Parameters
- codePackageActivationContext
- CodePackageActivationContext
The current code package activation context CodePackageActivationContext.
- configPackageName
- String
The current configuration package name.
- sectionName
- String
The section within the configuration file that defines all the security settings.
Returns
The security credentials.
Remarks
The configuration settings file (settings.xml) within the service configuration folder should contain all the security settings that are needed to create a SecurityCredentials object and pass it to the CreateReplicator(IStateProvider, ReplicatorSettings) method. Typically, the onus is on the service author to read the settings.xml file, parse the values and construct the SecurityCredentials object accordingly.
With this helper method, the service author can bypass that process.
The following are the parameter names that should be provided in the service configuration "settings.xml" so that Windows Fabric recognizes them and performs the above parsing automatically:
CredentialType - Type of credentials to use to secure the communication channel: X509 (X509 certificate credentials) or Windows (Windows credentials, requires Active Directory).
CredentialType=X509
- StoreLocation - Store location to find the certificate: CurrentUser or LocalMachine.
- StoreName - Name of the certificate store where the certificate should be searched.
- FindType - Identifies the type of value provided in the FindValue parameter: FindBySubjectName or FindByThumbprint.
- FindValue - Search target for finding the certificate.
- AllowedCommonNames - A comma-separated list of certificate common names/DNS names. This list should include all certificates used by replicators; it is used to validate incoming certificates.
- IssuerThumbprints - A comma-separated list of issuer certificate thumbprints. When specified, the incoming certificate is validated if it is issued by one of the entries in the list, in addition to chain validation.
- ApplicationIssuerStore/[IssuerCommonName] - A comma-separated list of store names where the issuer certificate corresponding to IssuerCommonName can be found. When specified, the incoming certificate is validated if it is issued by one of the entries in the list, in addition to chain validation.
- RemoteCertThumbprints - A comma-separated list of certificate thumbprints. This list should include all certificates used by replicators; it is used to validate incoming certificates.
- ProtectionLevel - Indicates how the data is protected: Sign, EncryptAndSign or None.
CredentialType=Windows
- ServicePrincipalName - Service principal name registered for the service. Can be empty if the service/actor host processes run as a machine account (e.g. NetworkService, LocalSystem, etc.).
- WindowsIdentities - A comma-separated list of Windows identities of all service/actor host processes.
- ProtectionLevel - Indicates how the data is protected: Sign, EncryptAndSign or None.
X509 configuration snippet sample
<Section Name="SecurityConfig">
<Parameter Name="CredentialType" Value="X509" />
<Parameter Name="FindType" Value="FindByThumbprint" />
<Parameter Name="FindValue" Value="FB 9E A6 D4 AD D0 4B 08 BC 29 E1 EE 9C 91 E5 4E 8F 1E 08 96" />
<Parameter Name="StoreLocation" Value="LocalMachine" />
<Parameter Name="StoreName" Value="My" />
<Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
<Parameter Name="AllowedCommonNames" Value="My-Test-SAN1-Alice,My-Test-SAN1-Bob" />
<Parameter Name="ApplicationIssuerStore/WinFabric-Test-TA-CA" Value="Root" />
</Section>
Windows configuration snippet sample 1: all the service/actor host processes run as NetworkService or LocalSystem.
<Section Name="SecurityConfig">
<Parameter Name="CredentialType" Value="Windows" />
<Parameter Name="ServicePrincipalName" Value="" />
<!--This machine group contains all machines in a cluster-->
<Parameter Name="WindowsIdentities" Value="redmond\ClusterMachineGroup" />
<Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
</Section>
Windows configuration snippet sample 2: all service/actor host processes run as a group managed service account.
<Section Name="SecurityConfig">
<Parameter Name="CredentialType" Value="Windows" />
<Parameter Name="ServicePrincipalName" Value="servicefabric/cluster.microsoft.com" />
<!--All actor/service host processes run as redmond\GroupManagedServiceAccount-->
<Parameter Name="WindowsIdentities" Value="redmond\GroupManagedServiceAccount" />
<Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
</Section>
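As an added illustration that is not code from the Service Fabric SDK, the following Python reader parses a settings.xml section the way the Remarks describe LoadFrom doing it and flags settings an operator should catch before deployment. The section values are the sample values from this page; the checks it applies (thumbprint format, ProtectionLevel=None, no AllowedCommonNames/RemoteCertThumbprints) are this example's own assumptions, not rules enforced by LoadFrom.

```python
import xml.etree.ElementTree as ET
# Constructed sample mirroring the X509 snippet above; the thumbprint is the doc's own test value.
SAMPLE_SETTINGS = """<Settings><Section Name="SecurityConfig">
<Parameter Name="CredentialType" Value="X509" />
<Parameter Name="FindType" Value="FindByThumbprint" />
<Parameter Name="FindValue" Value="FB 9E A6 D4 AD D0 4B 08 BC 29 E1 EE 9C 91 E5 4E 8F 1E 08 96" />
<Parameter Name="StoreLocation" Value="LocalMachine" />
<Parameter Name="StoreName" Value="My" />
<Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
<Parameter Name="AllowedCommonNames" Value="My-Test-SAN1-Alice,My-Test-SAN1-Bob" />
<Parameter Name="ApplicationIssuerStore/WinFabric-Test-TA-CA" Value="Root" />
</Section></Settings>"""
# Required keys per CredentialType, taken from the parameter list in the Remarks.
REQUIRED = {"X509": {"StoreLocation", "StoreName", "FindType", "FindValue", "ProtectionLevel"},
            "Windows": {"ServicePrincipalName", "WindowsIdentities", "ProtectionLevel"}}

def load_section(xml_text, section_name="SecurityConfig"):
    """Return {Name: Value} for one <Section>: the raw view LoadFrom starts from."""
    for sec in ET.fromstring(xml_text).iter("Section"):
        if sec.get("Name") == section_name:
            return {p.get("Name"): p.get("Value", "") for p in sec.findall("Parameter")}
    raise KeyError(f"section {section_name!r} not found")

def parse_security_config(params):
    """Build a structured view of the section plus findings (missing or weak settings; example's own checks)."""
    csv = lambda k: [v.strip() for v in params.get(k, "").split(",") if v.strip()]
    hexify = lambda t: t.replace(" ", "").upper()  # settings.xml writes thumbprints as spaced hex
    ctype, findings = params.get("CredentialType"), []
    if ctype not in REQUIRED:
        return {}, [f"unknown CredentialType {ctype!r}"]
    findings += [f"missing {k}" for k in sorted(REQUIRED[ctype] - set(params))]
    if params.get("ProtectionLevel") == "None":
        findings.append("ProtectionLevel=None: replication channel is neither signed nor encrypted")
    cfg = {"CredentialType": ctype, "ProtectionLevel": params.get("ProtectionLevel")}
    if ctype == "X509":
        by_thumbprint = params.get("FindType") == "FindByThumbprint"
        find_value = hexify(params.get("FindValue", "")) if by_thumbprint else params.get("FindValue", "")
        if by_thumbprint and (len(find_value) != 40 or set(find_value) - set("0123456789ABCDEF")):
            findings.append("FindValue is not a 40-hex-digit SHA-1 thumbprint")
        cfg.update(FindType=params.get("FindType"), FindValue=find_value,
                   AllowedCommonNames=csv("AllowedCommonNames"),
                   RemoteCertThumbprints=[hexify(t) for t in csv("RemoteCertThumbprints")],
                   # "ApplicationIssuerStore/<IssuerCommonName>" -> {IssuerCommonName: [store names]}
                   ApplicationIssuerStore={k.split("/", 1)[1]: csv(k) for k in params
                                           if k.startswith("ApplicationIssuerStore/")})
        if not (cfg["AllowedCommonNames"] or cfg["RemoteCertThumbprints"]):
            findings.append("neither AllowedCommonNames nor RemoteCertThumbprints set: peers are not pinned")
    else:
        cfg.update(ServicePrincipalName=params.get("ServicePrincipalName", ""), WindowsIdentities=csv("WindowsIdentities"))
    return cfg, findings
```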
Applies to
Azure SDK for .NET