How-To: Series Deploy Secure ASF with ARM – Step 06 – Adjust the SF Application settings

This is step 6 of 10 in the post series “How-To: Installing a secure Azure Service Fabric Cluster (ASF) with an Azure Resource Management (ARM) Template”.

In this step we prepare the settings of a SF Application in Visual Studio 2017. The application is registered in AAD; this way we can control which application is, or is not, allowed to access another application. To make this possible, the AppId and AppKey of the calling application are needed. With this combination we authenticate to the application we are calling. Besides this information we also need some AAD information, such as the AAD instance, TenantId and AAD URI; these are stored in the Key Vault with the Application Secrets. An example of such an application can be found on my GitHub.

Overview of the steps
01. Create and import the certificates
02. Register SF Application in AAD and create AppKey
03. Generate encrypted AppKey
04. Lookup the service principals
05. Create the Key Vaults with ARM
06. [CURRENT] Adjust the SF Application settings
07. Upload certificates to Key Vault
08. Register the Service Fabric System Applications
09. Install SF Cluster with ARM
10. Coming soon!
Step 06: Add settings to the config of the SF Applications

Add address of the Key Vault with Application Secrets

  • To extract variables from the Key Vault you have to know the address of the Key Vault. The address can be found in the Azure Portal once you have created the Key Vaults. In my case: https://blog-akv-as-kv-d.vault.azure.net/secrets.

Edit Application Manifest

  • Go to the Service Fabric project and open ApplicationManifest.xml
  • Reproduce the settings as shown above
  • Below the node “DefaultServices” add the following (the sfclusteradmin principal runs as NetworkService and is granted access to the data certificate, which the runtime then uses as the SecretsCertificate to decrypt encrypted settings):
<Principals>
  <Users>
    <User Name="sfclusteradmin" AccountType="NetworkService" />
  </Users>
</Principals>
<Policies>
  <SecurityAccessPolicies>
    <SecurityAccessPolicy ResourceRef="[DataCertificateName]" PrincipalRef="sfclusteradmin" ResourceType="Certificate" />
  </SecurityAccessPolicies>
</Policies>
<Certificates>
  <SecretsCertificate X509FindValue="[DataCertificateThumbprint]" Name="[DataCertificateName]" />
</Certificates>

Add Application Parameter file to project

  • Go to the Service Fabric project and open one of the application parameter XML files. I assume you know the meaning of the different ApplicationParameters XML files.
  • Earlier you wrote down the encrypted AppKey. Use that value in the application parameter file. We also need to put the thumbprint of the certificate in this file.
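As an added example (not code from the original post or its GitHub project), this is how the [DataCertificateName] and [DataCertificateThumbprint] references in the manifest above and the encrypted AppKey from the parameter file fit together: the parameter declarations in ApplicationManifest.xml, a ConfigOverride that hands the values to the service's Config package with IsEncrypted="true", and the matching ApplicationParameters/Cloud.xml. The application name fabric:/BlogSfApp, the service manifest name BlogSfServicePkg, the section name AadSettings and the parameter names KeyVaultSecretsUri and AppKeyEncrypted are assumptions; the thumbprint and encrypted AppKey are placeholders.

```xml
<!-- ApplicationManifest.xml (fragment): declare the parameters the manifest refers to.
     Names other than DataCertificateName/DataCertificateThumbprint are assumed. -->
<Parameters>
  <Parameter Name="DataCertificateName" DefaultValue="" />
  <Parameter Name="DataCertificateThumbprint" DefaultValue="" />
  <Parameter Name="KeyVaultSecretsUri" DefaultValue="" />
  <Parameter Name="AppKeyEncrypted" DefaultValue="" />
</Parameters>

<!-- ApplicationManifest.xml (fragment): override the service's Settings.xml.
     The Config package must already declare section AadSettings with both parameters.
     IsEncrypted="true" keeps the value as ciphertext on disk; the runtime decrypts it
     with the SecretsCertificate declared under <Certificates>, so the plain AppKey
     never lands in a parameter file or in source control. -->
<ServiceManifestImport>
  <ServiceManifestRef ServiceManifestName="BlogSfServicePkg" ServiceManifestVersion="1.0.0" />
  <ConfigOverrides>
    <ConfigOverride Name="Config">
      <Settings>
        <Section Name="AadSettings">
          <Parameter Name="KeyVaultSecretsUri" Value="[KeyVaultSecretsUri]" />
          <Parameter Name="AppKey" Value="[AppKeyEncrypted]" IsEncrypted="true" />
        </Section>
      </Settings>
    </ConfigOverride>
  </ConfigOverrides>
</ServiceManifestImport>

<!-- ApplicationParameters/Cloud.xml: per-environment values.
     Thumbprint and encrypted AppKey are placeholders; the real ciphertext is the
     value produced in step 03, the real thumbprint is that of the data certificate. -->
<Application xmlns="http://schemas.microsoft.com/2011/01/fabric" Name="fabric:/BlogSfApp">
  <Parameters>
    <Parameter Name="DataCertificateName" Value="DataCertificate" />
    <Parameter Name="DataCertificateThumbprint" Value="THUMBPRINT-PLACEHOLDER" />
    <Parameter Name="KeyVaultSecretsUri" Value="https://blog-akv-as-kv-d.vault.azure.net/secrets" />
    <Parameter Name="AppKeyEncrypted" Value="ENCRYPTED-APPKEY-PLACEHOLDER" />
  </Parameters>
</Application>
```

In the service, read the value with ConfigurationProperty.DecryptValue(), which needs the private key of the SecretsCertificate; that is why the sfclusteradmin principal above must be granted access to that certificate through the SecurityAccessPolicy.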

Next step: Step 07 – Upload certificates to Key Vault