Service Fabric: How to Setup a Secure Cluster

This article is talking about how to setup a service fabric secure cluster. It is important to secure your cluster when it’s on production from anonymous whom aim for stealing your credential information or use your cluster illegal ways.

Let’s Start

  1. Open PowerShell ISE as Administrator

  2. Go to Service Fabric SDK path. In my case is

    C:\Program Files\Microsoft SDKs\Service Fabric\ClusterSetup


    The setup file is “DevClusterSetup.ps1”

  3. This is just a script file. If you tap the F5 button to run this script. It will setup an un-secure cluster as it is a default of this script. So if you want to setup a secure cluster you have to insert some parameter. To do that, a command line area at the below of the PowerShell ISE type cd “C:\Program Files\Microsoft SDKs\Service Fabric\ClusterSetup”
  4. For the command is

    .\DevClusterSetup.ps1 -PathToClusterDataRoot “C:\SfDevCluster\Data” -PathToClusterLogRoot “C:\SfDevCluster\Log” -AsSecureCluster


    Command Parameters

    1. -PathToClusterDataRoot is a path for a cluster. Default path is “C:\SfDevCluster\Data”. As a path in this article is a default path so you can skip this parameter or you can change it as well.
    2. -PathToClusterLogRoot is a path for cluster logging. Again “C:\SfDevCluster\Log” is a default path so you’re free to skip this parameter or change it.
    3. -AsSecureCluster is a parameter that tells the script to setup the cluster as a secure cluster.
  5. Now you’re ready to go. Press an enter button and there you go. A secure cluster is set up.
    Furthermore, as you can see in the red rectangle in the image above. Setting up a secure cluster, a script will automatically install a certification (common name is “ServiceFabricDevClusterCert” by default). A certificate setup script is located in the following.

    C:\Program Files\Microsoft SDKs\Service Fabric\ClusterSetup\Secure\CertSetup.ps1

    It is also no password for an installed certificate by default. But, we can modify CertSetup script or we can make in on our own so, I’ll talk about it in the next article.

  6. Open a service fabric explorer which is located in the bottom right icons as shown in a below picture.

    Or you can open a web browser with a URL.

    https://localhost:19080/Explorer/

    This time a web browser will immediately pop up a certificate picking dialog as shown in a below picture.

    As you see, a certificate with the common name “ServiceFabricDevClusterCert” from a previous step appears in the list. This dialog is shown because your cluster now is a secure cluster so, it has to use a certificate to connect to them.

  7. Finally, your cluster is a secure cluster now. If you go to a cluster manifest, you’ll see that every node in your cluster has a certificate to communicate with.

Next Step

This is just a beginning of how to secure your cluster but maybe not enough for a real production. The next articles, I’ll talk about the following.

  • How to connect your client application to a secure cluster with a certificate.
  • Reverse proxy certification
  • Securing your client-service communication with SSL certification.
  • Service Fabric WCF Identity.

Leave a Reply

Your email address will not be published. Required fields are marked *