SSL Certificate Injection in a Service Fabric Application


Here’s a short summary, all the details follow below:


  • Generate a self-signed root certificate and install it in the trusted root certificate store (refer to the SSL Certificate Generation Blog).
  • Generate a server authentication certificate that is derived from the root certificate (refer to the SSL Certificate Generation Blog).
  • Modify your hosts file to match the server certificate's common name.
  • Extend the service manifest with an additional named endpoint.
  • Extend the Service Fabric application manifest file with a service EndpointBindingPolicy and an EndpointCertificate.
  • Modify the generated OwinCommunicationListener to take the https protocol into account.
  • Add an additional named ServiceInstanceListener (besides the one that is listening on http).

Add service endpoint to service manifest

  • We finished all the necessary preparations on our development machine; the next step is the Service Fabric configuration. In the service manifest file of the (API) service we wish to expose over https, we need to add an additional endpoint besides the (http) endpoint that is already there.

Important note:

If you have multiple endpoints, make sure to give each one a unique name. Service Fabric won't complain, but your service will not start.

Extend the Service Fabric Application Manifest


  • The next step is the application manifest file. We need two things here: a reference to the certificate, and a link between our microservice, the certificate and the endpoint.

We added an EndpointBindingPolicy that references the https endpoint and, in CertificateRef, the certificate. This tells Service Fabric that for this specific service it should bind that certificate to the specified endpoint.

The certificate itself has a name and a thumbprint value that is a reference to a value in an environment-specific configuration file.


Modify the generated OwinCommunicationListener


That was all the necessary Service Fabric configuration. What remains are a few code changes.

When you add a new stateless API service to your Service Fabric project in Visual Studio, an OwinCommunicationListener class is added.


This class is responsible for booting a self-hosted Owin web server on the correct port number.


By default, this class assumes you never want to use https. So, what you need to do is replace this line of code (which has a hard-coded http reference):

// Hard-coded http: the scheme ignores the Protocol declared on the manifest endpoint.
listeningAddress = string.Format(
    CultureInfo.InvariantCulture,
    "http://+:{0}/{1}",
    port,
    string.IsNullOrWhiteSpace(_appRoot)
        ? string.Empty
        : _appRoot.TrimEnd('/') + '/');

with this line of code:

in the OpenAsync method. The serviceEndpoint variable should already be declared somewhere in the first few lines of OpenAsync.


Add a ServiceInstanceListener


Last but not least, we must tell our service that it should (also) listen on the https endpoint. This happens in the StatelessService.CreateServiceInstanceListeners method that you override in your service class, which in my case looks like this:

Note that each listener references the name of the endpoint it should listen on.
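The listener change and the two-listener wiring from the sections above, as an added example rather than the post's own code: it assumes the manifest endpoints are named ServiceEndpoint (http) and ServiceEndpointHttps (https) and that an Owin Startup.Configure method exists; the scheme is taken from the endpoint's declared Protocol instead of being hard-coded.

```csharp
using System;
using System.Collections.Generic;
using System.Fabric;
using System.Fabric.Description;
using System.Globalization;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Owin.Hosting;
using Microsoft.ServiceFabric.Services.Communication.Runtime;
using Microsoft.ServiceFabric.Services.Runtime;
using Owin;

// Minimal Owin listener (assumed, not the generated one) that takes the scheme from the endpoint's Protocol.
internal sealed class OwinListener : ICommunicationListener
{
    private readonly ServiceContext context;
    private readonly string endpointName;
    private readonly Action<IAppBuilder> startup;   // Owin pipeline setup, e.g. Startup.Configure (assumed)
    private IDisposable webApp;
    public OwinListener(ServiceContext context, string endpointName, Action<IAppBuilder> startup)
    { this.context = context; this.endpointName = endpointName; this.startup = startup; }

    public static string BuildListeningAddress(EndpointResourceDescription endpoint, string appRoot)
    {
        string scheme = endpoint.Protocol == EndpointProtocol.Https ? "https" : "http";
        string root = string.IsNullOrWhiteSpace(appRoot) ? string.Empty : appRoot.TrimEnd('/') + '/';
        return string.Format(CultureInfo.InvariantCulture, "{0}://+:{1}/{2}", scheme, endpoint.Port, root);
    }
    public Task<string> OpenAsync(CancellationToken cancellationToken)
    {
        // Port and Protocol come from the <Endpoint> declared in ServiceManifest.xml.
        var endpoint = context.CodePackageActivationContext.GetEndpoint(endpointName);
        string listeningAddress = BuildListeningAddress(endpoint, appRoot: string.Empty);
        webApp = WebApp.Start(listeningAddress, startup);
        // "+" is replaced by the node FQDN in the published address; for https it must match the certificate's common name.
        return Task.FromResult(listeningAddress.Replace("+", FabricRuntime.GetNodeContext().IPAddressOrFQDN));
    }
    public Task CloseAsync(CancellationToken cancellationToken) { webApp?.Dispose(); return Task.CompletedTask; }
    public void Abort() { webApp?.Dispose(); }
}

internal sealed class ApiService : StatelessService
{
    public ApiService(StatelessServiceContext context) : base(context) { }
    // One listener per manifest endpoint; endpoint names and listener names must each be unique.
    protected override IEnumerable<ServiceInstanceListener> CreateServiceInstanceListeners() => new[]
    {
        new ServiceInstanceListener(ctx => new OwinListener(ctx, "ServiceEndpoint", Startup.Configure), "http"),
        new ServiceInstanceListener(ctx => new OwinListener(ctx, "ServiceEndpointHttps", Startup.Configure), "https"),
    };
}
```

The https listener only serves TLS once the EndpointBindingPolicy from the application manifest has bound the certificate to that port; without it, WebApp.Start succeeds but clients get connection errors.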