
I have the following scenario:

  1. A stateless service with a self-hosted OWIN WebApi. This provides a RESTful client-facing api.
  2. A stateful service, again with a self-hosted OWIN WebApi.
  3. After locating the correct stateful service partition, the stateless service calls into stateful service to access state. It does so via HTTP/HTTPS into the WebApi.

This configuration works fine running on the local cluster and an Azure cluster over HTTP. I'm running into problems though with HTTPS.

Using a self-signed cert I'm able to use HTTPS between the client and the stateless front-end service. However, I can't seem to get the configuration quite right to allow the stateless service to communicate with the stateful service over HTTPS.

I get an exception when the stateless service makes the request to the stateful service. "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." That has an inner exception of "The remote certificate is invalid according to the validation procedure".

I'm a bit fuzzy on security on service fabric, but have read through several articles, SO posts, blogs, etc. on the subject.

Here are my questions:

  1. At a high level, what is the proper way to secure interservice communication in my scenario?
  2. Is a self-signed cert supported in this scenario?
KatoMan

1 Answer


Are the two services in the same cluster? If so, why not just call the stateful service from the stateless one using ServiceProxy?

You can use a self-signed certificate - the error you're seeing is not specific to Service Fabric. There are several ways to bypass it (although obviously it's not recommended to do that in production). Take a look at this SO question: C# Ignore certificate errors?

charisk
  • The services are in the same cluster, but may not be in the future. Furthermore, I'm using custom serialization which extends beyond the stateful service. I haven't tried a ServiceProxy because everything that I've read says it's limited to DataContractSerialization. – KatoMan May 31 '16 at 23:03
  • I read the SO post linked above. The certificates were installed when the cluster was created. Does that not add the certificates as trusted? (Although I'm only in an experimental/testing phase, I'd rather not add a certificate validation handler unless necessary.) – KatoMan May 31 '16 at 23:05
  • A trusted certificate is one that is signed by a trusted Certificate Authority. In the case of self-signed certs, to establish full trust, the cert can be imported into the Trusted Root Certification Authorities store of the local computer certificate store (Windows only). This is not where the certificates are placed by Service Fabric. – mikanyg Oct 03 '16 at 21:11
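As an added example (not from the question, the answer, or any commenter), here is the middle ground between "ignore certificate errors" and importing the cert into the Trusted Root store: a validation callback that accepts the stateful service's self-signed certificate only when its thumbprint matches a value the stateless service already knows, and still rejects a hostname mismatch or any other certificate. It assumes `HttpClientHandler.ServerCertificateCustomValidationCallback` (.NET Framework 4.7.1+ or .NET Core); the class name and the thumbprint value are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: builds an HttpClient that trusts exactly one
// self-signed certificate (identified by thumbprint) for the stateful
// service, instead of switching validation off for every server.
public static class PinnedHttpClientFactory
{
    public static HttpClient Create(string expectedThumbprint)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) =>
                    IsExpectedCertificate(cert, errors, expectedThumbprint)
        };
        return new HttpClient(handler);
    }

    // Returns true only for (a) a certificate that passes normal chain
    // validation, e.g. after import into Trusted Root, or (b) the one
    // pinned self-signed certificate whose only problem is an untrusted root.
    internal static bool IsExpectedCertificate(
        X509Certificate2 cert, SslPolicyErrors errors, string expectedThumbprint)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Tolerate only the untrusted-chain error. A name mismatch or a
        // missing certificate sets other flags and is rejected here.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
            return false;

        // X509Certificate2.Thumbprint is the SHA-1 hex digest; normalise
        // spacing and case before comparing with the configured value.
        string actual = cert.Thumbprint.Replace(" ", string.Empty);
        string expected = expectedThumbprint.Replace(" ", string.Empty);
        return string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }
}

// Usage in the stateless service (placeholder thumbprint, read from config
// in practice so rotating the stateful service's cert needs no code change):
// var client = PinnedHttpClientFactory.Create("<STATEFUL-SERVICE-CERT-THUMBPRINT>");
// var response = await client.GetAsync("https://<partition-endpoint>/api/state");
```

When the cluster certificate is later replaced by one issued by a CA the callback keeps working, because the `SslPolicyErrors.None` branch accepts it without the pinned thumbprint.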