Updating scripts used by VMM SLB and GW templates

microsoft · Oct 11, 2018 · 4b30d92 · 4b30d92
1 parent 4475ce1
commit 4b30d92
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 41 deletions.
diff --git a/VMM/Templates/NC/EdgeDeployment.cr/ConfigureDns.ps1 b/VMM/Templates/NC/EdgeDeployment.cr/ConfigureDns.ps1
@@ -1,5 +1,6 @@
 # Exit Codes
 $ErrorCode_Success = 0;
+$ErrorCode_Reboot = 1641;
 
 
 #------------------------------------------
@@ -75,6 +76,18 @@ try
 
     Log "Enabling DNS Registration for management of gateway..."
     EnableDnsRegistrationForGatewayMgmtNic;
+
+	Log "Enabling VM Gateway Perf enhancement if available..."
+    $service = Get-Service -Name "GatewayService" -ErrorAction SilentlyContinue;
+    if ($service -ne $null)
+    {
+        Log "Set Gateway Service to Automatic"
+        Set-Service -Name $service.Name -StartupType Automatic -ErrorAction SilentlyContinue;
+
+        Log "The VM will be rebooted due to the exit code returned"
+        Exit $ErrorCode_Reboot;
+
+    }
 
 }
 catch 

diff --git a/VMM/Templates/NC/EdgeDeployment.cr/ProcessCertificate.ps1 b/VMM/Templates/NC/EdgeDeployment.cr/ProcessCertificate.ps1
@@ -48,6 +48,7 @@ function GenerateSelfSignedCertificate([string] $subjectName)
     $cryptographicProviderName = "Microsoft Base Cryptographic Provider v1.0";
     [int] $privateKeyLength = 1024;
     $sslServerOidString = "1.3.6.1.5.5.7.3.1";
+	$SslNetworkControllerOidString = "1.3.6.1.4.1.311.95.1.1.1";
     [int] $validityPeriodInYear = 5;
 
     $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
@@ -68,9 +69,12 @@ function GenerateSelfSignedCertificate([string] $subjectName)
 
     #Configure Eku
     $serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
-    $serverauthoid.InitializeFromValue($sslServerOidString)
+	$serverauthoid.InitializeFromValue($sslServerOidString)
+	$networkcontrollerauthoid = new-object -com "X509Enrollment.CObjectId.1"
+	$networkcontrollerauthoid.InitializeFromValue($SslNetworkControllerOidString)
     $ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
     $ekuoids.add($serverauthoid)
+	$ekuoids.add($networkcontrollerauthoid)
     $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
     $ekuext.InitializeEncode($ekuoids)
 
@@ -110,6 +114,30 @@ function GivePermissionToNetworkService($targetCert)
     Set-Acl $privKeyCertFile.FullName $privKeyAcl
 }
 
+#------------------------------------------
+# Get the Certificate Chain based on below logic
+# Find certificate havinf Network Controller EKU OID 1.3.6.1.4.1.311.95.1.1.1 and fqdn as subject name
+# Prefer certificates that have a longer validity period (the expiration date is later.)
+# If multiple certificates have same expiration date, prefer certificates that were issued more recently.
+# If there is a tie, prefer shorter chains.
+# If certificate with EKU OID not found then go for subject name
+#------------------------------------------
+Function GetCertChain
+{
+$hostFqdn = [System.Net.Dns]::GetHostByName(($env:computerName)).HostName;
+$certSubjectName = "CN="+$hostFqdn;
+try
+{
+	[Reflection.Assembly]::LoadFile("C:\Program Files\Microsoft System Center\Virtual Machine Manager Guest Agent\bin\GuestAgent.Common.dll") | Out-Null
+	[Microsoft.VirtualManager.GuestAgent.Common.CertUtils]::CertificateChain($certSubjectName)
+}
+catch
+{
+	Log "Failed to get cert Chain.  Find certificates on the basis of subject name."
+}
+}
+
+
 #------------------------------------------
 # Adds the certificate at the given path to the local machine into the specified store.
 #------------------------------------------
@@ -181,6 +209,7 @@ $gpUpdateSleepSec = 5 * 60
 
 $certName = GetSubjectName($UseManagementAddress);
 $certName = $certName.ToLower()
+$certSubjectName = "CN="+$certName
 $folderPath = 'C:\Temp\'
 $certPath = $folderPath + $certName + '.cer'
 
@@ -198,28 +227,21 @@ if (!([System.Boolean]::TryParse($selfSignedSetup, [ref] $selfSigned)))
 if ($selfSigned)
 {
     Log "Creating self signed certificate if not exists...";
+
+	# Check if certificate with Oid Exist or not
+	$certThumbprint = GetCertChain
+    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where { $_.Thumbprint -eq $certThumbprint }
 
-    $cert = $null
-    $certServerUsageCount = 0
-    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Subject.ToLower().Contains($certName) -and $_.Issuer.ToLower().Contains($certName)}
-
-    foreach ($c in $certs)
-    {
-        foreach ($usage in $c.EnhancedKeyUsageList)
-        {
-            if ($usage.ObjectId -eq "1.3.6.1.5.5.7.3.1")
-            {
-                $cert = $c
-                $certServerUsageCount ++
-            }
-        }
-    }
+	if ($cert -eq $null)
+	{
+		Log "certificate with NC Oid does not exists... Looking with subject Name";
+		$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Subject.ToLower() -eq $certSubjectName.ToLower() -and $_.Issuer.ToLower().Contains($certName)}
+		if($certs -ne $null)
+		{
+			$cert = $certs[0];
+		}
 
-    if ($certServerUsageCount -gt 1)
-    {
-        Log "More than one certificate with ServerAuthentication usage found."
-        Exit $ErrorCode_Failed;
-    }
+	}
 
     if ($cert -eq $null)
     {
@@ -228,8 +250,30 @@ if ($selfSigned)
         #New-SelfSignedCertificate -DnsName $certName -CertStoreLocation Cert:LocalMachine\My
         GenerateSelfSignedCertificate $certName;
 		Start-Sleep -Seconds 180
-        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Subject.ToLower().Contains($certName) -and $_.Issuer.ToLower().Contains($certName)}
-    }
+		# Add the self signed certifictate to trusted root store
+		$certificates = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Subject.ToLower() -eq $certSubjectName.ToLower() -and $_.Issuer.ToLower().Contains($certName)}
+		foreach ($c in $certificates)
+		{
+			$store = new-object System.Security.Cryptography.X509Certificates.X509Store("ROOT", "LocalMachine")
+			$store.open("MaxAllowed")
+			$store.add($c)
+			$store.close()
+		}    	
+		# Check if certificate with Oid Exist or not
+		$certThumbprint = GetCertChain
+		$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where { $_.Thumbprint -eq $certThumbprint }
+
+	    if ($cert -eq $null)
+		{
+			Log "certificate with NC Oid does not exists... Looking with subject Name";
+			$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Subject.ToLower() -eq $certSubjectName.ToLower() -and $_.Issuer.ToLower().Contains($certName)}
+			if($certs -ne $null)
+			{
+				$cert = $certs[0];
+			}
+		}
+
+	}
 
     if ($cert -eq $null) 
     {
@@ -243,34 +287,31 @@ else
 
     $certName = (Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain
     $certName = $certName.ToLower()
-    $cert = $null
-    $certServerUsageCount = 0
 
     for ($i = 0; $i -lt $gpUpdateCount; $i ++)
     {
-        $certs = Get-ChildItem -Path Cert:\LocalMachine\My
+        $certThumbprint = GetCertChain
+		$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where { $_.Thumbprint -eq $certThumbprint }
 
-        foreach ($c in $certs)
-        {
-            foreach ($usage in $c.EnhancedKeyUsageList)
-            {
-                if ($usage.ObjectId -eq "1.3.6.1.5.5.7.3.1")
-                {
-                    $cert = $c
-                    $certServerUsageCount ++
-                }
-            }
-        }
-        if ($cert -ne $null)
-        {
-            break
-        }
+		 if ($cert -ne $null) 
+		 {
+			break
+		 }
 
         GPUpdate
         Start-Sleep -Seconds $gpUpdateSleepSec
     }
 
     if ($cert -eq $null) 
+    {
+			Log "certificate with NC Oid does not exists... Looking with subject Name";
+			$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Subject.ToLower() -eq $certSubjectName.ToLower()}
+			if($certs -ne $null)
+			{
+				$cert = $certs[0];
+			}
+    }
+	if ($cert -eq $null) 
     {
         Log "CA Certificate cannot be located."
         Exit $ErrorCode_Failed;