Jaa


Post-installation best practices

 

Applies To: Windows Azure Pack

After you install the Windows Azure Pack for Windows Server, perform the following best practices.

Replace untrusted self-signed certificates with trusted certificates

Each Windows Azure Pack component is installed on an Internet Information Services (IIS) website that, by default, is configured with a self-signed certificate. Because these self-signed certificates are not issued by any of the trusted root certification authorities that your browser loads on startup, your browser displays a security warning when you attempt to connect to any of the sites. To avoid this experience, we recommend that you replace the self-signed certificates that are used by the MgmtSvc-TenantSite (management portal for tenants) and MgmtSvc-TenantPublicAPI as publicly facing services with certificates that are issued by a trusted root certification authority. The MgmtSvc-AdminSite (management portal for administrators) can also benefit from a replacement of the self-signed certificate.

Note

By default, services that are not accessed by users, such as the APIs and resource providers, ignore certificate validation errors. Services are accessed via the ServicePointManager.ServerCertificateValidationCallback Property. If this action presents a security concern, you can replace the untrusted self-signed certificates with a valid certificate that is issued by a recognized certification authority and turn the validation override off, or set the value to false.

The configuration settings that govern this validation override are in each website’s Web.config file as follows:

  • For the management portal for administrators and for the management portal for tenants, MgmtSvc-AdminSite and MgmtSvc-TenantSite:

    <configuration>

      <appSettings>

        <add key="Microsoft.Azure.Portal.Configuration.AppManagementConfiguration.Rdfe2DisableCertificateValidation" value="false" />

      </appSettings>

    </configuration>

  • For the Service Management API websites, MgmtSvc-AdminAPI, MgmtSvc-TenantAPI, and MgmtSvc-TenantPublicAPI:

    <configuration>

      <appSettings>

        <add key="DisableSslCertValidation" value="false" />

      </appSettings>

    </configuration>

For each of these keys, the default value is true. It grants permission to use untrusted certificates, so when the value is set to false, the use of untrusted certificates is disallowed.

Important

The </appSettings> section of the Web.config files are encrypted by default. To modify the </appSettings> section of the Web.config files, you must decrypt the file, apply changes, and then re-encrypt the files. To decrypt and re-encrypt the Web.config files, run the following Windows PowerShell cmdlets on the computer where the Web.config file is located:

  • To decrypt: Unprotect-MgmtSvcConfiguration –Namespace <namespace>

  • To re-encrypt: Protect-MgmtSvcConfiguration –Namespace <namespace>

Where <namespace> is one of the following:

  • TenantPublicAPI

  • TenantAPI

  • AdminAPI

  • AdminSite

  • TenantSite