SecurityCredentials.LoadFrom Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Instantiate SecurityCredentials object from service configuration settings file
public static System.Fabric.SecurityCredentials LoadFrom (System.Fabric.CodePackageActivationContext codePackageActivationContext, string configPackageName, string sectionName);static member LoadFrom : System.Fabric.CodePackageActivationContext * string * string -> System.Fabric.SecurityCredentialsPublic Shared Function LoadFrom (codePackageActivationContext As CodePackageActivationContext, configPackageName As String, sectionName As String) As SecurityCredentialsParameters
- codePackageActivationContext
- CodePackageActivationContext
The current code package activation context CodePackageActivationContext.
- configPackageName
- String
The current configuration package name.
- sectionName
- String
The section within the configuration file that defines all the security settings.
Returns
The security credentials.
Remarks
The configuration settings file (settings.xml) within the service configuration folder should contain all the security settings that is needed to create SecurityCredentials object and pass to the CreateReplicator(IStateProvider, ReplicatorSettings) method. Typically, the onus is on the service author to read the settings.xml file, parse the values and appropriately construct the SecurityCredentials object.
With the current helper method, the service author can bypass the above process.
The following are the parameter names that should be provided in the service configuration "settings.xml", to be recognizable by windows fabric to perform the above parsing automatically:
CredentialType–type of credentials to use to secure communication channel: X509 (X509 certificate credentials) or Windows (Windows credentials, requires active directory)
CredentialType=X509
StoreLocation-Store location to find the certificate: CurrentUser or LocalMachine
StoreName-name of the certificate store where the certificate should be searched
FindType-Identifies the type of value provided by in the FindValue parameter: FindBySubjectName or FindByThumbPrint
FindValue-Search target for finding the certificate
AllowedCommonNames-A comma separated list of certificate common names/dns names. This list should include all certificates used by replicators, it is used to validate incoming certificate.
IssuerThumbprints-A comma separated list of issuer certificate thumbprints. When specified, the incoming certificate is validated if it is issued by one of the entries in the list, in addition to chain validation.
ApplicationIssuerStore/[IssuerCommonName]-A comma separated list of store names where issuer certificate corresponding to IssuerCommonName can be found. When specified, the incoming certificate is validated if it is issued by one of the entries in the list, in addition to chain validation.
RemoteCertThumbprints-A comma separated list of certificate thumbprints. This list should include all certificates used by replicators, it is used to validate incoming certificate.
ProtectionLevel-Indicates how the data is protected: Sign or EncryptAndSign or None.
CredentialType=Windows
ServicePrincipalName-Service Principal name registered for the service. Can be empty if the service/actor host processes runs as a machine account (e.g: NetworkService, LocalSystem etc.)
WindowsIdentities-A comma separated list of windows identities of all service/actor host processes.
ProtectionLevel-Indicates how the data is protected: Sign or EncryptAndSign or None.
X509 configuration snippet sample
<Section Name="SecurityConfig">
<Parameter Name="CredentialType" Value="X509" />
<Parameter Name="FindType" Value="FindByThumbprint" />
<Parameter Name="FindValue" Value="FB 9E A6 D4 AD D0 4B 08 BC 29 E1 EE 9C 91 E5 4E 8F 1E 08 96" />
<Parameter Name="StoreLocation" Value="LocalMachine" />
<Parameter Name="StoreName" Value="My" />
<Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
<Parameter Name="AllowedCommonNames" Value="My-Test-SAN1-Alice,My-Test-SAN1-Bob" />
<Parameter Name="ApplicationIssuerStore/WinFabric-Test-TA-CA" Value="Root" />
</Section>
Windows configuration snippet sample 1: all the service/actor host processes run as NetworkService or LocalSystem.
<Section Name="SecurityConfig">
<Parameter Name="CredentialType" Value="Windows" />
<Parameter Name="ServicePrincipalName" Value="" />
<!--This machine group contains all machines in a cluster-->
<Parameter Name="WindowsIdentities" Value="redmond\ClusterMachineGroup" />
<Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
</Section>
Windows configuration snippet sample 1: all service/actor host processes run as a group managed service account.
<Section Name="SecurityConfig">
<Parameter Name="CredentialType" Value="Windows" />
<Parameter Name="ServicePrincipalName" Value="servicefabric/cluster.microsoft.com" />
<--All actor/service host processes run as redmond\GroupManagedServiceAccount-->
<Parameter Name="WindowsIdentities" Value="redmond\GroupManagedServiceAccount" />
<Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
</Section>
Applies to
Azure SDK for .NET
Geri Bildirim
Çok yakında: 2024 boyunca, içerik için geri bildirim mekanizması olarak GitHub Sorunları’nı kullanımdan kaldıracak ve yeni bir geri bildirim sistemiyle değiştireceğiz. Daha fazla bilgi için bkz. https://aka.ms/ContentUserFeedback.
Gönderin ve geri bildirimi görüntüleyin