Rotate secrets in Azure Stack Hub

This article provides guidance for performing secret rotation, to help maintain secure communication with Azure Stack Hub infrastructure resources and services.

Overview

Azure Stack Hub uses secrets to maintain secure communication with infrastructure resources and services. To maintain the integrity of the Azure Stack Hub infrastructure, operators need the ability to rotate secrets at frequencies that are consistent with their organization's security requirements.

When secrets are nearing expiration, the following alerts are generated in the administrator portal. Completing secret rotation will resolve these alerts:

  • Pending service account password expiration
  • Pending internal certificate expiration
  • Pending external certificate expiration

Warning

There are 2 phases of alerts triggered in the administrator portal prior to expiration:

  • 90 days before expiration a warning alert is generated.
  • 30 days before expiration a critical alert is generated.

It's critical that you complete secret rotation if you receive these notifications. Failure to do so can cause the loss of workloads and possible Azure Stack Hub redeployment at your own expense!

For more information on alert monitoring and remediation, refer to Monitor health and alerts in Azure Stack Hub.

Note

Azure Stack Hub environments on pre-1811 versions may see alerts for pending internal certificate or secret expirations. These alerts are inaccurate and should be ignored without running internal secret rotation. Inaccurate internal secret expiration alerts are a known issue that's resolved in 1811. Internal secrets won't expire unless the environment has been active for two years.
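The portal raises its warning and critical alerts at the 90-day and 30-day marks described above. The following script is an added example, not code from the original article: run from an operator workstation, it reads the TLS certificate presented by each external endpoint and classifies it with the same thresholds, so the remaining lifetime can be tracked independently of the portal. The endpoint host names are assumed to follow the <service>.<regionName>.<externalFQDN> convention; the list and the placeholder values are assumptions to adjust for your environment.

```powershell
# Added example, not from the original article: report how many days remain on the
# TLS certificate each external Azure Stack Hub endpoint presents, classified with the
# same 90-day (warning) and 30-day (critical) thresholds the administrator portal uses.
# Assumptions: host names follow <service>.<regionName>.<externalFQDN>; replace the
# placeholders for your environment.

$RegionName   = "<regionName>"
$ExternalFqdn = "<externalFQDN>"

# Hypothetical endpoint list; extend it with Key Vault, ACS and extension host names as needed.
$Endpoints = @(
    "adminportal.$RegionName.$ExternalFqdn",      # administrator portal
    "portal.$RegionName.$ExternalFqdn",           # public portal
    "adminmanagement.$RegionName.$ExternalFqdn",  # administrator Azure Resource Manager
    "management.$RegionName.$ExternalFqdn"        # global Azure Resource Manager
)

function Get-EndpointCertificateStatus {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $WarningDays = 90,
        [int] $CriticalDays = 30
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # The callback always returns $true so that an already-expired or untrusted
        # certificate is still reported instead of aborting the handshake; this script
        # only inspects the certificate and never sends application data.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        $severity = if ($daysLeft -lt 0)                 { 'Expired' }
                    elseif ($daysLeft -le $CriticalDays) { 'Critical' }
                    elseif ($daysLeft -le $WarningDays)  { 'Warning' }
                    else                                 { 'OK' }

        [pscustomobject]@{
            HostName   = $HostName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Severity   = $severity
        }
    }
    catch {
        # Unreachable or handshake failure: report it rather than stop the whole run.
        [pscustomobject]@{
            HostName   = $HostName
            Subject    = $null
            Thumbprint = $null
            NotAfter   = $null
            DaysLeft   = $null
            Severity   = "Unreachable: $($_.Exception.Message)"
        }
    }
    finally {
        $client.Close()
    }
}

# Run the check and show the endpoints closest to expiry first.
$Endpoints | ForEach-Object { Get-EndpointCertificateStatus -HostName $_ } |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

Because the validation callback accepts any chain, the output must be read as an inventory of what the endpoints present, not as proof that the chain is trusted; a Warning or Critical row is the cue to start the Preparation steps below while the portal alert is still at the warning stage.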

Prerequisites

  1. It's highly recommended that you first update your Azure Stack Hub instance to the latest version.

    Important

    For pre-1811 versions:

    • If secret rotation has already been performed, you must update to version 1811 or later before you perform secret rotation again. Secret rotation must be executed via the privileged endpoint and requires Azure Stack Hub operator credentials. If you don't know whether secret rotation has been run on your environment, update to 1811 before performing secret rotation.
    • You don't need to rotate secrets to add extension host certificates. You should follow the instructions in the article Prepare for extension host for Azure Stack Hub to add extension host certificates.
  2. Notify your users of planned maintenance operations. Schedule normal maintenance windows, as much as possible, during non-business hours. Maintenance operations may affect both user workloads and portal operations.

  3. During rotation of secrets, operators may notice alerts open and automatically close. This behavior is expected and the alerts can be ignored. Operators can verify the validity of these alerts using the Test-AzureStack PowerShell cmdlet. For operators using System Center Operations Manager to monitor Azure Stack Hub systems, placing a system in maintenance mode will prevent these alerts from reaching their ITSM systems, but will continue to alert if the Azure Stack Hub system becomes unreachable.

Rotate external secrets

Important

External secret rotation for:

This section covers rotation of certificates used to secure external-facing services. These certificates are provided by the Azure Stack Hub operator, for the following services:

  • Administrator portal
  • Public portal
  • Administrator Azure Resource Manager
  • Global Azure Resource Manager
  • Administrator Key Vault
  • Key Vault
  • Admin Extension Host
  • ACS (including blob, table, and queue storage)
  • ADFS*
  • Graph*

*Applicable when using Active Directory Federated Services (AD FS).

Preparation

Prior to rotation of external secrets:

  1. Run the Test-AzureStack PowerShell cmdlet using the -group SecretRotationReadiness parameter, to confirm all test outputs are healthy before rotating secrets.

  2. Prepare a new set of replacement external certificates:

    • The new set must match the certificate specifications outlined in the Azure Stack Hub PKI certificate requirements.

    • Generate a certificate signing request (CSR) to submit to your Certificate Authority (CA). Use the steps outlined in Generate certificate signing requests, and prepare the certificates for use in your Azure Stack Hub environment using the steps in Prepare PKI certificates. Azure Stack Hub supports secret rotation for external certificates from a new Certificate Authority (CA) in the following contexts:

      Rotate from CA   Rotate to CA   Azure Stack Hub version support
      Self-Signed      Enterprise     1903 & later
      Self-Signed      Self-Signed    Not Supported
      Self-Signed      Public*        1803 & later
      Enterprise       Enterprise     1803 & later; 1803-1903 if SAME enterprise CA as used at deployment
      Enterprise       Self-Signed    Not Supported
      Enterprise       Public*        1803 & later
      Public*          Enterprise     1903 & later
      Public*          Self-Signed    Not Supported
      Public*          Public*        1803 & later

      *Part of the Windows Trusted Root Program.

    • Be sure to validate the certificates you prepare with the steps outlined in Validate PKI certificates.

    • Make sure there are no special characters in the password, like * or ).

    • Make sure the PFX encryption is TripleDES-SHA1. If you run into an issue, see Fix common issues with Azure Stack Hub PKI certificates.

  3. Store a backup of the certificates used for rotation in a secure backup location. If your rotation runs and then fails, replace the certificates in the file share with the backup copies before you rerun the rotation. Keep backup copies in the secure backup location.

  4. Create a file share you can access from the ERCS VMs. The file share must be readable and writable for the CloudAdmin identity.

  5. Open a PowerShell ISE console from a computer where you have access to the file share. Navigate to your file share, where you create directories to place your external certificates.

  6. Download CertDirectoryMaker.ps1 to your network file share, and run the script. The script will create a folder structure that adheres to .\Certificates\AAD or .\Certificates\ADFS, depending on your identity provider. Your folder structure must begin with a \Certificates folder, followed by ONLY an \AAD or \ADFS folder. All remaining subdirectories are contained within the preceding structure. For example:

    • File share = \\<IPAddress>\<ShareName>
    • Certificate root folder for Azure AD provider = \Certificates\AAD
    • Full path = \\<IPAddress>\<ShareName>\Certificates\AAD

    Important

    When you run Start-SecretRotation later, it will validate the folder structure. A folder structure that is not compliant will throw the following error:

    Cannot bind argument to parameter 'Path' because it is null.
    + CategoryInfo          : InvalidData: (:) [Test-Certificate], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Test-Certificate
    + PSComputerName        : xxx.xxx.xxx.xxx
    
  7. Copy the new set of replacement external certificates created in step #2 to the \Certificates\<IdentityProvider> directory created in step #6. Be sure to follow the cert.<regionName>.<externalFQDN> format for <CertName>.

    Here's an example of a folder structure for the Azure AD identity provider:

        <ShareName>
            │
            └───Certificates
                  └───AAD
                      ├───ACSBlob
                      │       <CertName>.pfx
                      │
                      ├───ACSQueue
                      │       <CertName>.pfx
                      │
                      ├───ACSTable
                      │       <CertName>.pfx
                      │
                      ├───Admin Extension Host
                      │       <CertName>.pfx
                      │
                      ├───Admin Portal
                      │       <CertName>.pfx
                      │
                      ├───ARM Admin
                      │       <CertName>.pfx
                      │
                      ├───ARM Public
                      │       <CertName>.pfx
                      │
                      ├───KeyVault
                      │       <CertName>.pfx
                      │
                      ├───KeyVaultInternal
                      │       <CertName>.pfx
                      │
                      ├───Public Extension Host
                      │       <CertName>.pfx
                      │
                      └───Public Portal
                              <CertName>.pfx
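Start-SecretRotation validates the share only once it is already running, and the error it returns (the null 'Path' binding shown above) does not say which folder is wrong. The following pre-flight check is an added example, not part of the original article or of CertDirectoryMaker.ps1: it walks the \Certificates\<IdentityProvider> layout shown in the listing, confirms each service folder holds exactly one PFX named cert.<regionName>.<externalFQDN>.pfx, opens every PFX with the shared password to prove the password matches and the file carries an unexpired private key, and flags the * and ) characters the Preparation steps warn against. The service folder names are taken from the Azure AD listing; for AD FS the folder list is an assumption you supply yourself, and PFX encryption (TripleDES-SHA1) is not inspected here.

```powershell
# Added example, not part of the original article: a pre-flight check of the certificate
# share before Start-SecretRotation is run. Folder names default to the Azure AD listing
# above; for AD FS pass your own list with -ServiceFolders (an assumption, not a documented
# layout). PFX encryption (TripleDES-SHA1) is not checked; use Validate PKI certificates.

function Test-CertShareReadiness {
    param(
        [Parameter(Mandatory)] [string]       $SharePath,        # e.g. \\<IPAddress>\<ShareName>
        [Parameter(Mandatory)] [string]       $RegionName,
        [Parameter(Mandatory)] [string]       $ExternalFqdn,
        [Parameter(Mandatory)] [securestring] $CertificatePassword,
        [ValidateSet('AAD', 'ADFS')] [string] $IdentityProvider = 'AAD',
        [string[]] $ServiceFolders = @(
            'ACSBlob', 'ACSQueue', 'ACSTable', 'Admin Extension Host', 'Admin Portal',
            'ARM Admin', 'ARM Public', 'KeyVault', 'KeyVaultInternal',
            'Public Extension Host', 'Public Portal'
        )
    )

    $problems     = New-Object System.Collections.Generic.List[string]
    $expectedName = "cert.$RegionName.$ExternalFqdn.pfx"
    $root         = Join-Path $SharePath "Certificates\$IdentityProvider"

    # Characters the article says to keep out of the password; the check needs the plain text briefly.
    $plain = (New-Object System.Net.NetworkCredential('', $CertificatePassword)).Password
    if ($plain -match '[*)]') {
        $problems.Add('Certificate password contains * or ), which the Preparation steps say to avoid.')
    }

    if (-not (Test-Path -LiteralPath $root -PathType Container)) {
        $problems.Add("Missing root folder: $root (must be \Certificates\$IdentityProvider).")
        return $problems
    }

    # Anything directly under \Certificates other than the provider folder breaks the layout rule.
    $extra = Get-ChildItem -LiteralPath (Split-Path $root -Parent) -Directory |
             Where-Object { $_.Name -ne $IdentityProvider }
    foreach ($dir in $extra) { $problems.Add("Unexpected folder under \Certificates: $($dir.Name)") }

    foreach ($service in $ServiceFolders) {
        $serviceDir = Join-Path $root $service
        if (-not (Test-Path -LiteralPath $serviceDir -PathType Container)) {
            $problems.Add("Missing service folder: $service"); continue
        }
        $pfxFiles = @(Get-ChildItem -LiteralPath $serviceDir -Filter *.pfx -File)
        if ($pfxFiles.Count -ne 1) {
            $problems.Add("$service must contain exactly one .pfx file (found $($pfxFiles.Count))."); continue
        }
        $pfx = $pfxFiles[0]
        if ($pfx.Name -ne $expectedName) {
            $problems.Add("$service\$($pfx.Name) is not named $expectedName.")
        }
        try {
            # Loading with the password proves the PFX and the shared password match.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $pfx.FullName, $CertificatePassword)
            if (-not $cert.HasPrivateKey)      { $problems.Add("$service\$($pfx.Name) has no private key.") }
            if ($cert.NotAfter -le (Get-Date)) { $problems.Add("$service\$($pfx.Name) expired on $($cert.NotAfter).") }
        }
        catch {
            $problems.Add("$service\$($pfx.Name) could not be opened with the supplied password: $($_.Exception.Message)")
        }
    }
    return $problems
}

# Usage: an empty result means the share is ready for Start-SecretRotation.
$certPwd = Read-Host -Prompt 'Certificate password' -AsSecureString
$issues  = @(Test-CertShareReadiness -SharePath '\\<IPAddress>\<ShareName>' -RegionName '<regionName>' `
              -ExternalFqdn '<externalFQDN>' -CertificatePassword $certPwd)
if ($issues.Count -eq 0) { 'Certificate share is ready.' } else { $issues }
```

Run it from the same workstation and with the same share credentials you will later pass as -PathAccessCredential, so that a permissions problem on the share surfaces here rather than inside the PEP session; the password is only ever held in memory as a SecureString except for the brief character check.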
    
    

Rotation

Complete the following steps to rotate external secrets:

  1. Use the following PowerShell script to rotate the secrets. The script requires access to a privileged endpoint (PEP) session. The PEP is accessed through a remote PowerShell session on the virtual machine (VM) that hosts the PEP. If you're using an integrated system, there are three instances of the PEP, each running inside a VM (Prefix-ERCS01, Prefix-ERCS02, or Prefix-ERCS03) on different hosts. If you're using the ASDK, this VM is named AzS-ERCS01. Update the <placeholder> values before running:

    # Create a PEP Session
    winrm s winrm/config/client '@{TrustedHosts= "<IP_address_of_ERCS>"}'
    $PEPCreds = Get-Credential
    $PEPSession = New-PSSession -ComputerName <IP_address_of_ERCS_Machine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    # Run Secret Rotation
    $CertPassword = ConvertTo-SecureString "<Cert_Password>" -AsPlainText -Force
    $CertShareCreds = Get-Credential
    $CertSharePath = "<Network_Path_Of_CertShare>"
    Invoke-Command -Session $PEPSession -ScriptBlock {
        Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
    }
    Remove-PSSession -Session $PEPSession
    

    The script performs the following steps:

    • Creates a PowerShell session with the privileged endpoint using the CloudAdmin account, and stores the session as a variable. This variable is used as a parameter in the next step.

    • Runs Invoke-Command, passing the PEP session variable as the -Session parameter.

    • Runs Start-SecretRotation in the PEP session, using the following parameters:

      • -PfxFilesPath: The network path to your Certificates directory created earlier.
      • -PathAccessCredential: The PSCredential object for credentials to the share.
      • -CertificatePassword: A secure string of the password used for all of the PFX certificate files created.
  2. External secret rotation takes approximately one hour. After successful completion, your console will display an ActionPlanInstanceID ... CurrentStatus: Completed message, followed by DONE. Remove your certificates from the share created in the Preparation section and store them in their secure backup location.

    Note

    If secret rotation fails, follow the instructions in the error message and re-run Start-SecretRotation with the -ReRun parameter.

    Start-SecretRotation -ReRun
    

    Contact support if you experience repeated secret rotation failures.

Rotate internal secrets

Internal secrets include certificates, passwords, secure strings, and keys used by the Azure Stack Hub infrastructure, without intervention of the Azure Stack Hub operator. Internal secret rotation is only required if you suspect one has been compromised, or you've received an expiration alert.

Pre-1811 deployments may see alerts for pending internal certificate or secret expirations. These alerts are inaccurate and should be ignored, and are a known issue resolved in 1811.

Complete the following steps to rotate internal secrets:

  1. Run the following PowerShell script. Notice that for internal secret rotation, the "Run Secret Rotation" section uses only the -Internal parameter of the Start-SecretRotation cmdlet:

    # Create a PEP Session
    winrm s winrm/config/client '@{TrustedHosts= "<IP_address_of_ERCS>"}'
    $PEPCreds = Get-Credential
    $PEPSession = New-PSSession -ComputerName <IP_address_of_ERCS_Machine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    # Run Secret Rotation
    Invoke-Command -Session $PEPSession -ScriptBlock {
        Start-SecretRotation -Internal
    }
    Remove-PSSession -Session $PEPSession
    

    Note

    Pre-1811 versions don't require the -Internal flag.

  2. After successful completion, your console will display an ActionPlanInstanceID ... CurrentStatus: Completed message, followed by DONE.

    Note

    If secret rotation fails, follow the instructions in the error message and rerun Start-SecretRotation with the -Internal and -ReRun parameters.

    Start-SecretRotation -Internal -ReRun
    

    Contact support if you experience repeated secret rotation failures.

Update the BMC credential

The baseboard management controller (BMC) monitors the physical state of your servers. Refer to your original equipment manufacturer (OEM) hardware vendor for instructions to update the user account name and password of the BMC.

Note

Your OEM may provide additional management apps. Updating the user name or password for other management apps has no effect on the BMC user name or password.

  1. Update the BMC on the Azure Stack Hub physical servers by following your OEM instructions. The user name and password for each BMC in your environment must be the same. The BMC user names can't exceed 16 characters.
  2. It's no longer required that you first update the BMC credentials on the Azure Stack Hub physical servers by following your OEM instructions. The user name and password for each BMC in your environment must be the same, and can't exceed 16 characters.
  3. Open a privileged endpoint session in Azure Stack Hub. For instructions, see Using the privileged endpoint in Azure Stack Hub.

  4. After opening a privileged endpoint session, run one of the PowerShell scripts below, which use Invoke-Command to run Set-BmcCredential. If you use the optional -BypassBMCUpdate parameter with Set-BmcCredential, credentials in the BMC aren't updated; only the Azure Stack Hub internal datastore is updated. Pass your privileged endpoint session variable as a parameter.

    Here's an example PowerShell script that will prompt for user name and password:

    # Interactive Version
    $PEPIp = "<Privileged Endpoint IP or Name>" # You can also use the machine name instead of IP here.
    $PEPCreds = Get-Credential "<Domain>\CloudAdmin" -Message "PEP Credentials"
    $NewBmcPwd = Read-Host -Prompt "Enter New BMC password" -AsSecureString
    $NewBmcUser = Read-Host -Prompt "Enter New BMC user name"
    
    $PEPSession = New-PSSession -ComputerName $PEPIp -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    Invoke-Command -Session $PEPSession -ScriptBlock {
        # Parameter BmcPassword is mandatory, while the BmcUser parameter is optional.
        Set-BmcCredential -BmcPassword $using:NewBmcPwd -BmcUser $using:NewBmcUser
    }
    Remove-PSSession -Session $PEPSession
    

    You can also encode the user name and password in variables, which may be less secure:

    # Static Version
    $PEPIp = "<Privileged Endpoint IP or Name>" # You can also use the machine name instead of IP here.
    $PEPUser = "<Privileged Endpoint user for example Domain\CloudAdmin>"
    $PEPPwd = ConvertTo-SecureString "<Privileged Endpoint Password>" -AsPlainText -Force
    $PEPCreds = New-Object System.Management.Automation.PSCredential ($PEPUser, $PEPPwd)
    $NewBmcPwd = ConvertTo-SecureString "<New BMC Password>" -AsPlainText -Force
    $NewBmcUser = "<New BMC User name>"
    
    $PEPSession = New-PSSession -ComputerName $PEPIp -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"
    
    Invoke-Command -Session $PEPSession -ScriptBlock {
        # Parameter BmcPassword is mandatory, while the BmcUser parameter is optional.
        Set-BmcCredential -BmcPassword $using:NewBmcPwd -BmcUser $using:NewBmcUser
    }
    Remove-PSSession -Session $PEPSession
    

Reference: Start-SecretRotation cmdlet

The Start-SecretRotation cmdlet rotates the infrastructure secrets of an Azure Stack Hub system. This cmdlet can only be executed against the Azure Stack Hub privileged endpoint, by using an Invoke-Command script block passing the PEP session in the -Session parameter. By default, it rotates only the certificates of all external network infrastructure endpoints.

Parameter             Type             Required   Position   Default   Description
PfxFilesPath          String           False      Named      None      The file share path to the \Certificates directory containing all external network endpoint certificates. Only required when rotating external secrets. End directory must be \Certificates.
CertificatePassword   SecureString     False      Named      None      The password for all certificates provided in the -PfxFilesPath. Required value if PfxFilesPath is provided when external secrets are rotated.
Internal              String           False      Named      None      Internal flag must be used anytime an Azure Stack Hub operator wishes to rotate internal infrastructure secrets.
PathAccessCredential  PSCredential     False      Named      None      The PowerShell credential for the file share of the \Certificates directory containing all external network endpoint certificates. Only required when rotating external secrets.
ReRun                 SwitchParameter  False      Named      None      Must be used anytime secret rotation is reattempted after a failed attempt.

Syntax

For external secret rotation

Start-SecretRotation [-PfxFilesPath <string>] [-PathAccessCredential <PSCredential>] [-CertificatePassword <SecureString>]

For internal secret rotation

Start-SecretRotation [-Internal]

For external secret rotation rerun

Start-SecretRotation [-ReRun]

For internal secret rotation rerun

Start-SecretRotation [-ReRun] [-Internal]

Examples

Rotate only internal infrastructure secrets

This command must be run via your Azure Stack Hub environment's privileged endpoint.

PS C:\> Start-SecretRotation -Internal

This command rotates all of the infrastructure secrets exposed to the Azure Stack Hub internal network.

Rotate only external infrastructure secrets

# Create a PEP Session
winrm s winrm/config/client '@{TrustedHosts= "<IP_address_of_ERCS>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IP_address_of_ERCS> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Create Credentials for the fileshare
$CertPassword = ConvertTo-SecureString "<CertPasswordHere>" -AsPlainText -Force
$CertShareCreds = Get-Credential
$CertSharePath = "<NetworkPathOfCertShare>"
# Run Secret Rotation
Invoke-Command -Session $PEPSession -ScriptBlock {  
    Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
}
Remove-PSSession -Session $PEPSession

This command rotates the TLS certificates used for Azure Stack Hub's external network infrastructure endpoints.

Rotate internal and external infrastructure secrets (pre-1811 only)

Important

This command only applies to Azure Stack Hub pre-1811, as the rotation has since been split for internal and external certificates.

From 1811+ you can't rotate both internal and external certificates anymore!

# Create a PEP Session
winrm s winrm/config/client '@{TrustedHosts= "<IP_address_of_ERCS>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IP_address_of_ERCS> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Create Credentials for the fileshare
$CertPassword = ConvertTo-SecureString "<CertPasswordHere>" -AsPlainText -Force
$CertShareCreds = Get-Credential
$CertSharePath = "<NetworkPathOfCertShare>"
# Run Secret Rotation
Invoke-Command -Session $PEPSession -ScriptBlock {
    Start-SecretRotation -PfxFilesPath $using:CertSharePath -PathAccessCredential $using:CertShareCreds -CertificatePassword $using:CertPassword
}
Remove-PSSession -Session $PEPSession

This command rotates the infrastructure secrets exposed to the Azure Stack Hub internal network, and the TLS certificates used for Azure Stack Hub's external network infrastructure endpoints. Start-SecretRotation rotates all stack-generated secrets, and because certificates are provided, external endpoint certificates will also be rotated.

Next steps

Learn more about Azure Stack Hub security