Rotate the SSL Certificates for Your PMC Environment

Prior to your certificates expiring, you need to rotate them. This section details how to achieve this with on-premises deployments.

To rotate your SSL certificate, please first copy it to your deployment machine.

Install the New Certificates on the Nodes

  1. On the deployment machine, run PowerShell.exe with admin privileges.
  2. In PowerShell, navigate to the \Upgrades\SSLCertRotation\OnPrem folder in the deployment kit and run InstallCerts.ps1. You are asked for the following parameters:
    • newSslCertPath: This is the absolute path, on the deployment machine, to the new SSL certificate (the *.pfx file).
    • newSslCertPassword: This is the password of the new SSL certificate.
    • newSslThumbprint: This is the thumbprint of the new SSL certificate.
    • adminUsername: This is the user name required to access each node. It is the same as the username used for deployment. Please include the domain if relevant.
    • adminPassword: This is the password required to access each node using the adminUsername account.
    • domainBasedInstall: Choose Y or N, depending on whether or not your deployment is domain-joined.
    • nodes: You are prompted for each of the nodes where the certificate needs to be installed. If your deployment is domain-joined, provide the computer names; otherwise, provide the IP addresses. If this is a three-node deployment, press Enter to proceed past the remaining node parameters.


The nodes and the deployment machine must either all be domain-joined or all be non-domain-joined. You cannot mix domain-joined and non-domain-joined machines, or the scripts will fail.
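Before running InstallCerts.ps1, it is worth confirming that the values you are about to enter agree with each other. The following pre-flight check is an added example, not a script from the deployment kit: it opens the .pfx with the supplied password, checks that its thumbprint is the one you will enter as newSslThumbprint, and compares its expiry with the certificate of the same subject already installed on each node. The parameter names mirror the script's prompts; $nodes and $cred are assumed to hold the node list and the adminUsername/adminPassword credential.

```powershell
# Added pre-flight check, not part of the PMC deployment kit.
# Run on the deployment machine before InstallCerts.ps1.
param(
    [Parameter(Mandatory)][string]$newSslCertPath,      # absolute path to the new .pfx
    [Parameter(Mandatory)][string]$newSslCertPassword,  # password of the .pfx
    [Parameter(Mandatory)][string]$newSslThumbprint,    # thumbprint you will enter
    [Parameter(Mandatory)][string[]]$nodes,             # computer names or IP addresses
    [Parameter(Mandatory)][pscredential]$cred           # adminUsername / adminPassword
)

# Open the .pfx in memory without importing it; a wrong password throws here,
# before anything on the nodes has been touched.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $newSslCertPath, $newSslCertPassword)

# Compare thumbprints with whitespace removed and in upper case, which is how
# the certificate store reports them.
$expected = ($newSslThumbprint -replace '\s', '').ToUpperInvariant()
if ($newCert.Thumbprint -ne $expected) {
    throw "Thumbprint of $newSslCertPath is $($newCert.Thumbprint), not $expected"
}
if (-not $newCert.HasPrivateKey) {
    throw "$newSslCertPath does not contain the private key; IIS cannot use it"
}
if ($newCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "New certificate expires on $($newCert.NotAfter); you will be rotating again soon"
}

# On each node, list certificates with the same subject so you can see what is
# being replaced. Non-domain nodes reached by IP need WinRM TrustedHosts set up.
foreach ($node in $nodes) {
    $installed = Invoke-Command -ComputerName $node -Credential $cred -ScriptBlock {
        param($subject)
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $subject } |
            Select-Object Thumbprint, NotAfter
    } -ArgumentList $newCert.Subject

    foreach ($c in $installed) {
        if ($c.NotAfter -gt $newCert.NotAfter) {
            Write-Warning "$node already holds $($c.Thumbprint) expiring $($c.NotAfter), later than the new certificate; check you have the right .pfx"
        }
    }
    "$node : installed [$($installed.Thumbprint -join ', ')] -> new $($newCert.Thumbprint) (expires $($newCert.NotAfter))"
}
```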

Configure Internet Information Services (IIS)

  1. Log on to the jump box and remote onto your portal VM, and then navigate to Internet Information Services (IIS).
  2. Locate the PMC portal site, right-click on it, and select Bindings.
  3. Select the single binding for port 9443 and click Edit.
  4. Select the new SSL certificate. You can identify it from the expiration date that is farthest away. Click OK.
  5. Click OK to confirm the new binding.
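Selecting the certificate by expiry date in the IIS dialog is easy to get wrong, so after step 5 it helps to verify the binding by thumbprint. The following check is an added example, not part of the product or its deployment kit. It runs on the portal VM: it reads the https binding for port 9443 through the WebAdministration module and then performs a local TLS handshake, because the IIS configuration and what HTTP.sys actually serves can disagree until the site is restarted. $newSslThumbprint is the thumbprint you installed.

```powershell
# Added post-check for the IIS binding, not part of the PMC deployment kit.
# Run on the portal VM after editing the port 9443 binding.
param([Parameter(Mandatory)][string]$newSslThumbprint)

Import-Module WebAdministration
$expected = ($newSslThumbprint -replace '\s', '').ToUpperInvariant()

# 1. What IIS is configured to use on port 9443.
$bindings = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like '*:9443:*' }
if (-not $bindings) { throw "No https binding on port 9443 was found in IIS" }

foreach ($b in $bindings) {
    $bound = ([string]$b.certificateHash).ToUpperInvariant()
    $site  = $b.ItemXPath -replace ".*@name='([^']+)'.*", '$1'
    $cert  = Get-Item "Cert:\LocalMachine\My\$bound" -ErrorAction SilentlyContinue
    if ($bound -ne $expected) {
        throw "Site '$site' port 9443 is bound to $bound (expires $($cert.NotAfter)); expected $expected"
    }
    "Site '$site' port 9443 is bound to $bound, expires $($cert.NotAfter)"
}

# 2. What is really served: a TLS handshake against the local port. The
# validation callback accepts any chain because we only want to read the
# certificate the server presents, not trust it.
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', 9443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient('localhost')
    $served = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $ssl.RemoteCertificate)).Thumbprint
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
if ($served -ne $expected) {
    throw "HTTP.sys is still serving $served on port 9443; restart the site and compare with 'netsh http show sslcert'"
}
"TLS handshake on port 9443 presented $served, which matches the new certificate"
```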

Upgrade the Service Fabric Cluster

This process takes approximately 20 minutes.

  1. On the deployment machine, run PowerShell.exe with admin privileges.
  2. In PowerShell, navigate to the \Upgrades\SSLCertRotation\OnPrem folder in the deployment kit and run UpdateClusterConfig.ps1. You are asked for the following parameters:
    • newSslThumbprint: This is the thumbprint of the new SSL certificate.
    • clusterConfigPath: This defaults to C:\ProgramData\SF\ClusterConfig.json on node 0 of the Service Fabric cluster. If the clusterConfigPath is the default, this can be left blank.
    • clusterAddress: This is the address of the Service Fabric cluster, for example, $dns$:19000.
    • adminUsername: This is the username required to access each node. It is the same as the username used for deployment. Please include the domain, if relevant.
    • adminPassword: This is the password required to access each node using the adminUsername account.
    • node0ComputerName: This is the name of node 0 for domain-joined deployments, or the IP address of node 0 if your deployment is non-domain-joined.
    • domainJoinedInstall: Choose Y or N, depending on whether or not your deployment is domain-joined.

The CheckClusterUpgradeProgress.ps1 script, with an "X509 thumbprint specified is invalid" error.

  3. The script exits once the upgrade has started. You can check the upgrade progress by running CheckClusterUpgradeProgress.ps1. If this script shows an "X509 thumbprint specified is invalid" warning, as depicted in the screenshot, you can disregard it. This is expected when rotating the SSL certificate.

  4. Once the certificate expiry warnings have cleared from each node, you can see whether the upgrade was successful. The nodes should appear without any warnings once the upgrade has completed.

Make the PMC Application Configuration Changes

  1. On the deployment machine, run PowerShell.exe with admin privileges.
  2. The setting for the SSL thumbprint must be updated using this script first, rather than input as a script parameter. You can also use this method to update multiple configuration settings at once:

     .\UpdateServiceFabricAppSetting.ps1 -UpdateConfigParameters @{"Avecto.IC3.Certificates.SSL.Thumbprint" = "newthumbprint"}

  3. In PowerShell, navigate to the \Upgrades\ folder in the deployment kit and run UpdateServiceFabricAppSetting.ps1. You are asked for the following parameters:
    • clusterAddress: This is the address of the Service Fabric cluster, for example, $dns$:19000.
    • ServerCertThumbprint: This is the thumbprint of the new SSL certificate.
    • ClusterAdminThumbprint: The thumbprint of the Cluster Admin certificate setting.
    • NewValue: The thumbprint of the new SSL certificate.

The Service Fabric Explorer.

This performs a rolling upgrade on the Service Fabric cluster. You can check its status in the Service Fabric Explorer, which shows Upgrades in progress. Click the Upgrades in progress link to view the progress.


For more information on how to use the Service Fabric Explorer, please see View Service Fabric Explorer at View the Health of Your Service Fabric Cluster.