Post-Deployment Steps for Network Controller

When you install Network Controller, you can choose Kerberos or non-Kerberos deployments.

For non-Kerberos deployments, you must configure certificates.

Configure certificates for non-Kerberos deployments

If the computers or virtual machines (VMs) for Network Controller and the management client are not domain-joined, you must configure certificate-based authentication by completing the following steps.

  • Create a certificate on the Network Controller for Computer authentication. The certificate subject name must be the same as the DNS name of the Network Controller computer or VM.

  • Create a certificate on the management client. This certificate must be trusted by the Network Controller.

  • Enroll a certificate on the Network Controller computer or VM. The certificate must meet the following requirements.

    • Both the Server Authentication purpose and the Client Authentication purpose must be configured in Enhanced Key Usage (EKU) or Application Policies extensions. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.

    • The certificate subject name should resolve to:

      • The IP address of the Network Controller computer or VM, if Network Controller is deployed on a single computer or VM.

      • The REST IP address, if Network Controller is deployed on multiple computers, multiple VMs, or both.

    • This certificate must be trusted by all the REST clients. The certificate must also be trusted by the Software Load Balancing (SLB) Multiplexer (MUX) and the southbound host computers that are managed by Network Controller.

    • The certificate can be enrolled by a Certification Authority (CA) or can be a self-signed certificate. Self-signed certificates are not recommended for production deployments, but are acceptable for test lab environments.

    • The same certificate must be provisioned on all the Network Controller nodes. After creating the certificate on one node, you can export the certificate (with private key) and import it on the other nodes.
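
The following PowerShell is an added example, not part of the original page or of Microsoft's own scripts. It creates a test-lab self-signed certificate, checks it against the requirements listed above, and exports it with its private key for the other nodes. The DNS name, IP address, file path and the Test-NcCertificate helper are assumptions made for illustration.

```powershell
# Added example; names and addresses below are placeholders (assumptions).
$RestName   = 'nc-rest.lab.example'   # hypothetical DNS name of the NC node or REST endpoint
$RestIp     = '192.0.2.10'            # hypothetical IP address that the name must resolve to
$ServerAuth = '1.3.6.1.5.5.7.3.1'     # Server Authentication OID
$ClientAuth = '1.3.6.1.5.5.7.3.2'     # Client Authentication OID

function Test-NcCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory)] [string] $DnsName,
        [Parameter(Mandatory)] [string] $ExpectedIp
    )
    # Read purposes from the EKU extension only; a certificate that carries them
    # solely in Application Policies is reported as missing here.
    $ekuOids = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    try   { $ips = @([System.Net.Dns]::GetHostAddresses($DnsName) | ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }   # the name does not resolve
    [pscustomobject]@{
        Thumbprint       = $Cert.Thumbprint
        SubjectMatches   = ($cn -eq $DnsName)
        ResolvesToIp     = ($ips -contains $ExpectedIp)
        HasServerAuthEku = ($ekuOids -contains $ServerAuth)
        HasClientAuthEku = ($ekuOids -contains $ClientAuth)
        HasPrivateKey    = $Cert.HasPrivateKey
    }
}

# Test lab only: self-signed certificate. The first -DnsName value becomes the subject name.
$cert = New-SelfSignedCertificate -DnsName $RestName `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.37={text}$ServerAuth,$ClientAuth")

Test-NcCertificate -Cert $cert -DnsName $RestName -ExpectedIp $RestIp

# Export with the private key so the same certificate can be provisioned on every node.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$env:TEMP\nc-rest.pfx" -Password $pfxPassword | Out-Null

# On each other Network Controller node, after copying the file over a protected channel:
# Import-PfxCertificate -FilePath .\nc-rest.pfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
```

Every check in the output should report True before the certificate is used. Delete the .pfx file once all nodes have imported it, because it contains the private key.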

For more information, see Network Controller.