Manage Certificates for Software Defined Networking

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to manage certificates for Network Controller Northbound and Southbound communications when you deploy Software Defined Networking (SDN) in Windows Server 2016 Datacenter and you are using System Center Virtual Machine Manager (SCVMM) as your SDN management client.

Note

For overview information about Network Controller, see Network Controller.

If you are not using Kerberos for securing the Network Controller communication, you can use X.509 certificates for authentication, authorization, and encryption.

SDN in Windows Server 2016 Datacenter supports both self-signed and Certification Authority (CA)-signed X.509 certificates. This topic provides step-by-step instructions for creating these certificates and applying them to secure Network Controller Northbound communication channels with management clients and Southbound communications with network devices, such as the Software Load Balancer (SLB). When you are using certificate-based authentication, you must enroll one certificate on the Network Controller nodes that is used in the following ways.

  1. Encrypting Northbound communication with Secure Sockets Layer (SSL) between Network Controller nodes and management clients, such as System Center Virtual Machine Manager.
  2. Authentication between Network Controller nodes and Southbound devices and services, such as Hyper-V hosts and Software Load Balancers (SLBs).

Creating and Enrolling an X.509 Certificate

You can create and enroll either a self-signed certificate or a certificate that is issued by a CA.

Note

When you are using SCVMM to deploy Network Controller, you must specify the X.509 certificate that is used to encrypt Northbound communications during the configuration of the Network Controller Service Template.

The certificate configuration must include the following values.

  • The value for the RestEndPoint text box must be either the Network Controller Fully Qualified Domain Name (FQDN) or IP address.
  • The RestEndPoint value must match the subject name (Common Name, CN) of the X.509 certificate.

Creating a Self-Signed X.509 Certificate

You can create a self-signed X.509 certificate and export it with the private key (protected with a password) by following these steps for single-node and multiple-node deployments of Network Controller.

When you create self-signed certificates, you can use the following guidelines.

  • You can use the IP address of the Network Controller REST Endpoint for the DnsName parameter, but this is not recommended because it requires that the Network Controller nodes are all located within a single management subnet (for example, on a single rack).
  • For multiple-node NC deployments, the DNS name that you specify becomes the FQDN of the Network Controller Cluster (DNS Host A records are created automatically).
  • For single-node Network Controller deployments, the DNS name can be the Network Controller's host name followed by the full domain name.

Multiple node

You can use the New-SelfSignedCertificate Windows PowerShell command to create a self-signed certificate.

Syntax

New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "<YourNCComputerName>" -DnsName @("<NCRESTName>")

Example usage

New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "MultiNodeNC" -DnsName @("NCCluster.Contoso.com")

Single node

You can use the New-SelfSignedCertificate Windows PowerShell command to create a self-signed certificate.

Syntax

New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "<YourNCComputerName>" -DnsName @("<NCFQDN>")

Example usage

New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "SingleNodeNC" -DnsName @("SingleNodeNC.Contoso.com")

Creating a CA-Signed X.509 Certificate

To create a certificate by using a CA, you must have already deployed a Public Key Infrastructure (PKI) with Active Directory Certificate Services (AD CS).

Note

You can use third-party CAs or tools, such as openssl, to create a certificate for use with Network Controller; however, the instructions in this topic are specific to AD CS. To learn how to use a third-party CA or tool, see the documentation for the software you are using.

Creating a certificate with a CA includes the following steps.

  1. You or your organization's Domain or Security Administrator configures the certificate template.
  2. You or your organization's Network Controller Administrator or SCVMM Administrator requests a new certificate from the CA.

Certificate configuration requirements

While you are configuring a certificate template in the next step, ensure that the template you configure includes the following required elements.

  1. The certificate subject name must be the FQDN of the Hyper-V host.
  2. The certificate must be placed in the local machine personal store (My – cert:\localmachine\my).
  3. The certificate must have both Server Authentication (EKU: 1.3.6.1.5.5.7.3.1) and Client Authentication (EKU: 1.3.6.1.5.5.7.3.2) Application policies.

Note

If the Personal (My – cert:\localmachine\my) certificate store on the Hyper-V host has more than one X.509 certificate with the host Fully Qualified Domain Name (FQDN) as the Subject Name (CN), ensure that the certificate that will be used by SDN has an additional custom Enhanced Key Usage property with the OID 1.3.6.1.4.1.311.95.1.1.1. Otherwise, the communication between Network Controller and the host might not work.
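The following added example (not part of the original topic) checks a certificate already in cert:\localmachine\my against the requirements above: the CN must match the RestEndPoint value, both the Server Authentication and Client Authentication EKUs must be present, Key Usage must include Digital Signature and Key Encipherment, the private key must be available, and, when several certificates share the CN, only the one carrying the custom EKU OID 1.3.6.1.4.1.311.95.1.1.1 is reported. The function name, parameter names and the sample endpoint NCCluster.Contoso.com are this example's own choices.

```powershell
# Added example: verify a Network Controller certificate in the local machine
# Personal store against the requirements listed in this topic.
# Test-NcCertificate is a name chosen for this example, not a built-in cmdlet.
function Test-NcCertificate {
    param(
        [Parameter(Mandatory)] [string] $RestEndPoint,          # FQDN or IP entered as RestEndPoint
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $sdnCustomOid  = '1.3.6.1.4.1.311.95.1.1.1'   # tie-breaker when several certs share the CN
    $kuFlags       = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    # The subject CN must equal the RestEndPoint value (extra RDNs after the CN are tolerated).
    $candidates = @(Get-ChildItem -Path $StorePath | Where-Object {
        $_.Subject -eq "CN=$RestEndPoint" -or $_.Subject -like "CN=$RestEndPoint,*"
    })

    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with CN=$RestEndPoint found in $StorePath."
        return
    }

    # More than one certificate with this CN: only the one tagged with the SDN EKU is unambiguous.
    if ($candidates.Count -gt 1) {
        $tagged = @($candidates | Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $sdnCustomOid })
        if ($tagged.Count -ne 1) {
            Write-Warning "Multiple certificates share CN=$RestEndPoint and exactly one must carry EKU $sdnCustomOid."
        }
        $candidates = $tagged
    }

    foreach ($cert in $candidates) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $keyUsage = ($cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }).KeyUsages

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            HasPrivateKey    = $cert.HasPrivateKey
            ServerAuthEku    = ($ekus -contains $serverAuthOid)
            ClientAuthEku    = ($ekus -contains $clientAuthOid)
            DigitalSignature = [bool]($keyUsage -band $kuFlags::DigitalSignature)
            KeyEncipherment  = [bool]($keyUsage -band $kuFlags::KeyEncipherment)
            NotAfter         = $cert.NotAfter
        }
    }
}

# Usage: pass the same value that was typed into the RestEndPoint text box.
Test-NcCertificate -RestEndPoint 'NCCluster.Contoso.com' | Format-List
```

Every property in the output should be True (and NotAfter in the future) before the certificate is exported for the SCVMM library; a False in ClientAuthEku is the usual cause of Southbound authentication failures described later in this topic.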

To configure the certificate template

Note

Before you perform this procedure, you should review the certificate requirements and the available certificate templates in the Certificate Templates console. You can either modify an existing template or create a duplicate of an existing template and then modify your copy of the template. Creating a copy of an existing template is recommended.

  1. On the server where AD CS is installed, in Server Manager, click Tools, and then click Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens.
  2. In the MMC, double-click the CA name, right-click Certificate Templates, and then click Manage.
  3. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.
  4. In the details pane, click the template that you want to duplicate.
  5. Click the Action menu, and then click Duplicate Template. The template Properties dialog box opens.
  6. In the template Properties dialog box, on the Subject Name tab, click Supply in the request. (This setting is required for Network Controller SSL certificates.)
  7. In the template Properties dialog box, on the Request Handling tab, ensure that Allow private key to be exported is selected. Also ensure that the Signature and encryption purpose is selected.
  8. In the template Properties dialog box, on the Extensions tab, select Key Usage, and then click Edit.
  9. In Signature, ensure that Digital Signature is selected.
  10. In the template Properties dialog box, on the Extensions tab, select Application Policies, and then click Edit.
  11. In Application Policies, ensure that Client Authentication and Server Authentication are listed.
  12. Save the copy of the certificate template with a unique name, such as Network Controller template.

To request a certificate from the CA

You can use the Certificates snap-in to request certificates. You can request any type of certificate that has been preconfigured and made available by an administrator of the CA that processes the certificate request.

Users or local Administrators is the minimum group membership required to complete this procedure.

  1. Open the Certificates snap-in for a computer.
  2. In the console tree, click Certificates (Local Computer). Select the Personal certificate store.
  3. On the Action menu, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard. Click Next.
  4. Select the Configured by your administrator Certificate Enrollment Policy and click Next.
  5. Select the Active Directory Enrollment Policy (based on the CA template that you configured in the previous section).
  6. Expand the Details section and configure the following items.
    1. Ensure that Key usage includes both Digital Signature and Key encipherment.
    2. Ensure that Application policies includes both Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
  7. Click Properties.
  8. On the Subject tab, in Subject name, in Type, select Common name. In Value, specify the Network Controller REST Endpoint.
  9. Click Apply, and then click OK.
  10. Click Enroll.

In the Certificates MMC, click the Personal store to view the certificate you have enrolled from the CA.

Exporting and Copying the Certificate to the SCVMM Library

After creating either a self-signed or CA-signed certificate, you must export the certificate with the private key (in .pfx format) and without the private key (in Base-64 .cer format) from the Certificates snap-in.

You must then copy the two exported files to the ServerCertificate.cr and NCCertificate.cr folders that you specified at the time when you imported the NC Service Template.

  1. Open the Certificates snap-in (certlm.msc) and locate the certificate in the Personal certificate store for the local computer.
  2. Right-click the certificate, click All Tasks, and then click Export. The Certificate Export Wizard opens. Click Next.
  3. Select the Yes, export the private key option, and click Next.
  4. Choose Personal Information Exchange - PKCS #12 (.PFX) and accept the default to Include all certificates in the certification path if possible.
  5. Assign the Users/Groups and a password for the certificate you are exporting, and click Next.
  6. On the File to export page, browse to the location where you want to place the exported file, and give it a name.
  7. Similarly, export the certificate in .CER format. Note: To export to .CER format, uncheck the Yes, export the private key option.
  8. Copy the .PFX file to the ServerCertificate.cr folder.
  9. Copy the .CER file to the NCCertificate.cr folder.

When you are done, refresh these folders in the SCVMM Library and ensure that these certificates have been copied. Continue with the Network Controller Service Template Configuration and Deployment.
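The wizard steps above can also be performed from PowerShell. The following added example (not part of the original topic) exports the enrolled certificate as a password-protected .pfx with the private key and chain, writes the public part as a Base-64 .cer, verifies that the .cer is the same certificate, and places both files in the ServerCertificate.cr and NCCertificate.cr library folders. The function name, the library share path and the thumbprint placeholder are this example's own; Export-PfxCertificate is the built-in cmdlet from the PKI module.

```powershell
# Added example: export the Network Controller certificate in both formats this topic
# requires and copy them into the SCVMM library folders.
# Export-NcCertificateToLibrary is a name chosen for this example.
function Export-NcCertificateToLibrary {
    param(
        [Parameter(Mandatory)] [string]       $Thumbprint,     # thumbprint of the cert in Cert:\LocalMachine\My
        [Parameter(Mandatory)] [string]       $LibraryShare,   # SCVMM library share (placeholder path below)
        [Parameter(Mandatory)] [securestring] $PfxPassword,    # protects the private key in the .pfx
        [string] $BaseName = 'NetworkController'
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; the .pfx export is not possible."
    }

    # Folder names are the ones created when the NC Service Template was imported.
    $serverCertDir = Join-Path $LibraryShare 'ServerCertificate.cr'
    $ncCertDir     = Join-Path $LibraryShare 'NCCertificate.cr'
    foreach ($dir in $serverCertDir, $ncCertDir) {
        if (-not (Test-Path -Path $dir)) { throw "Library folder not found: $dir" }
    }

    # 1. PFX with the private key and the full chain (the wizard's default "Include all
    #    certificates in the certification path if possible").
    $pfxPath = Join-Path $serverCertDir "$BaseName.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

    # 2. Base-64 .cer without the private key. Export-Certificate writes DER, so the
    #    Base-64 (PEM) form is built from RawData here.
    $cerPath = Join-Path $ncCertDir "$BaseName.cer"
    $b64 = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
    Set-Content -Path $cerPath -Value $pem -Encoding Ascii

    # Re-read the .cer and confirm it is the same certificate with no private key attached.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    if ($check.Thumbprint -ne $cert.Thumbprint) { throw "Exported .cer does not match the source certificate." }
    if ($check.HasPrivateKey) { throw "Exported .cer unexpectedly carries a private key." }

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Pfx = $pfxPath; Cer = $cerPath }
}

# Usage (placeholders: replace the thumbprint and the library share).
$pfxPwd = Read-Host -AsSecureString -Prompt 'Password for the .pfx export'
Export-NcCertificateToLibrary -Thumbprint '<NC certificate thumbprint>' `
                              -LibraryShare '\\SCVMM01\MSSCVMMLibrary' `
                              -PfxPassword $pfxPwd
```

After the copy, refresh the two library folders in the SCVMM console as the topic describes; the .pfx password is the one you will enter when configuring the Network Controller Service Template.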

Authenticating Southbound devices and services

Network Controller communication with hosts and SLB MUX devices uses certificates for authentication. Communication with the hosts is over the OVSDB protocol, while communication with the SLB MUX devices is over the WCF protocol.

Hyper-V Host Communication with Network Controller

For communication with the Hyper-V hosts over OVSDB, Network Controller needs to present a certificate to the host machines. By default, SCVMM picks up the SSL certificate configured on the Network Controller and uses it for Southbound communication with the hosts.

That is the reason why the SSL certificate must have the Client Authentication EKU configured. This certificate is configured on the "Servers" REST resource (Hyper-V hosts are represented in Network Controller as a Server resource), and can be viewed by running the Windows PowerShell command Get-NetworkControllerServer.

Following is a partial example of the Server REST resource.

  "resourceId": "host31.fabrikam.com",
  "properties": {
    "connections": [
      {
        "managementAddresses": [
           "host31.fabrikam.com"
        ],
        "credential": {
          "resourceRef": "/credentials/a738762f-f727-43b5-9c50-cf82a70221fa"
        },
        "credentialType": "X509Certificate"
      }
    ],

For mutual authentication, the Hyper-V host must also have a certificate to communicate with Network Controller.

You can enroll the certificate from a Certification Authority (CA). If a CA-based certificate is not found on the host machine, SCVMM creates a self-signed certificate and provisions it on the host machine.

The Network Controller and Hyper-V host certificates must be trusted by each other. The Hyper-V host certificate's root certificate must be present in the Network Controller Trusted Root Certification Authorities store for the Local Computer, and vice versa.

When you're using self-signed certificates, SCVMM ensures that the required certificates are present in the Trusted Root Certification Authorities store for the Local Computer.

If you are using CA-based certificates for the Hyper-V hosts, you need to ensure that the CA root certificate is present in the Network Controller's Trusted Root Certification Authorities store for the Local Computer.

Software Load Balancer MUX Communication with Network Controller

The Software Load Balancer Multiplexor (MUX) and Network Controller communicate over the WCF protocol, using certificates for authentication.

By default, SCVMM picks up the SSL certificate configured on the Network Controller and uses it for Southbound communication with the MUX devices. This certificate is configured on the "NetworkControllerLoadBalancerMux" REST resource and can be viewed by executing the PowerShell cmdlet Get-NetworkControllerLoadBalancerMux.

Example of the MUX REST resource (partial):

  "resourceId": "slbmux1.fabrikam.com",
  "properties": {
    "connections": [
      {
        "managementAddresses": [
           "slbmux1.fabrikam.com"
        ],
        "credential": {
          "resourceRef": "/credentials/a738762f-f727-43b5-9c50-cf82a70221fa"
        },
        "credentialType": "X509Certificate"
      }
    ],

For mutual authentication, you must also have a certificate on the SLB MUX devices. This certificate is automatically configured by SCVMM when you deploy the software load balancer using SCVMM.
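The two partial REST resources above show the same credential shape for hosts and MUXes. The following added example (not part of the original topic) uses the Get-NetworkControllerServer and Get-NetworkControllerLoadBalancerMux cmdlets named in this topic to list every Southbound connection with its credential reference and type, so a deployment can be checked for any connection that is not using X509Certificate. The function name and the ConnectionUri value are this example's own; the property names (Properties.Connections, ManagementAddresses, Credential.ResourceRef, CredentialType) follow the JSON shown above as returned by the NetworkController module.

```powershell
# Added example: summarise the credential type of every Southbound connection
# known to Network Controller (Server resources and LoadBalancerMux resources).
# Get-NcSouthboundCredentialSummary is a name chosen for this example; the two
# Get-NetworkController* cmdlets are from the NetworkController module.
function Get-NcSouthboundCredentialSummary {
    param(
        [Parameter(Mandatory)] [string] $ConnectionUri   # Northbound REST URI of the NC (placeholder below)
    )

    $resources = @()
    $resources += Get-NetworkControllerServer -ConnectionUri $ConnectionUri |
        ForEach-Object { [pscustomobject]@{ Kind = 'Server'; Resource = $_ } }
    $resources += Get-NetworkControllerLoadBalancerMux -ConnectionUri $ConnectionUri |
        ForEach-Object { [pscustomobject]@{ Kind = 'LoadBalancerMux'; Resource = $_ } }

    foreach ($entry in $resources) {
        foreach ($conn in $entry.Resource.Properties.Connections) {
            [pscustomobject]@{
                Kind                = $entry.Kind
                ResourceId          = $entry.Resource.ResourceId
                ManagementAddresses = ($conn.ManagementAddresses -join ', ')
                CredentialType      = $conn.CredentialType
                CredentialRef       = $conn.Credential.ResourceRef
                # Anything other than X509Certificate here is worth investigating.
                UsesCertificate     = ($conn.CredentialType -eq 'X509Certificate')
            }
        }
    }
}

# Usage (placeholder URI): list all connections, then show only the non-certificate ones.
$summary = Get-NcSouthboundCredentialSummary -ConnectionUri 'https://NCCluster.Contoso.com'
$summary | Format-Table -AutoSize
$summary | Where-Object { -not $_.UsesCertificate }
```

Run this from a management client that can reach the Northbound endpoint; the credential resource itself (the /credentials/... reference) can be inspected further with Get-NetworkControllerCredential using the same ConnectionUri.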

Important

On the host and SLB nodes, it is critical that the Trusted Root Certification Authorities certificate store does not include any certificate where "Issued to" is not the same as "Issued by". If this occurs, communication between Network Controller and the Southbound device fails.

The Network Controller and SLB MUX certificates must be trusted by each other (the SLB MUX certificate's root certificate must be present in the Network Controller machine's Trusted Root Certification Authorities store, and vice versa). When you're using self-signed certificates, SCVMM ensures that the required certificates are present in the Trusted Root Certification Authorities store for the Local Computer.
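The following added example (not part of the original topic) audits the Local Computer Trusted Root Certification Authorities store on a host or SLB MUX node for the two conditions described above: it reports any entry whose Subject ("Issued to") differs from its Issuer ("Issued by"), and it confirms that the root that must be trusted (the CA root, or the Network Controller's self-signed certificate) is present. The function name and the thumbprint placeholder are this example's own.

```powershell
# Added example: audit Cert:\LocalMachine\Root on a Hyper-V host or SLB MUX node.
# Test-NcTrustedRootStore is a name chosen for this example.
function Test-NcTrustedRootStore {
    param(
        # Thumbprint of the CA root (or of the NC self-signed certificate) that must be present.
        [string] $RequiredRootThumbprint
    )

    $roots = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root')

    # A genuine root is self-issued: Subject and Issuer are identical. Anything else
    # in this store is the condition the Important note above says breaks communication.
    $nonRoot = @($roots | Where-Object { $_.Subject -ne $_.Issuer })
    foreach ($c in $nonRoot) {
        Write-Warning ("Non-root certificate in Trusted Root store: Issued to '{0}', Issued by '{1}' ({2})" -f
            $c.Subject, $c.Issuer, $c.Thumbprint)
    }

    # Mutual trust: the peer's root must be in this store (SCVMM does this for self-signed
    # certificates; for CA-issued certificates it is the administrator's job).
    $requiredPresent = $true
    if ($RequiredRootThumbprint) {
        $requiredPresent = [bool]($roots | Where-Object { $_.Thumbprint -eq $RequiredRootThumbprint })
        if (-not $requiredPresent) {
            Write-Warning "Required root $RequiredRootThumbprint is not in the Trusted Root store."
        }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RootStoreCount      = $roots.Count
        NonRootEntries      = $nonRoot.Count
        NonRootThumbprints  = ($nonRoot | ForEach-Object { $_.Thumbprint }) -join ','
        RequiredRootPresent = $requiredPresent
        Healthy             = ($nonRoot.Count -eq 0) -and $requiredPresent
    }
}

# Usage (placeholder thumbprint): run locally on each host and MUX node, or wrap in
# Invoke-Command to collect the result from every node at once.
Test-NcTrustedRootStore -RequiredRootThumbprint '<thumbprint of the CA root or NC self-signed certificate>'
```

When Healthy is False because of NonRootEntries, move the listed certificates out of the Trusted Root store (an intermediate CA certificate belongs in the Intermediate Certification Authorities store instead) and re-run the check before troubleshooting the Network Controller connection further.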