Stage AV and OAuth certificates in Skype for Business Server 2015 using -Roll in Set-CsCertificate

Skype for Business Server 2015

Last modified: 2016-04-01

Summary: Stage AV and OAuth certificates for Skype for Business Server 2015.

Audio/Video (A/V) communications is a key component of Skype for Business Server 2015. Features such as application sharing and audio and video conferencing rely on the certificates assigned to the A/V Edge service, specifically the A/V Authentication service.

Important:
  1. This new feature is designed to work for the A/V Edge service certificate and the OAuthTokenIssuer certificate. Other certificate types can be provisioned along with the A/V Edge service and OAuth certificate types, but they will not get the coexistence behavior that the A/V Edge service certificate does.

  2. The Skype for Business Server Management Shell cmdlets used to manage Skype for Business Server 2015 certificates refer to the A/V Edge service certificate as certificate type AudioVideoAuthentication and to the OAuthServer certificate as type OAuthTokenIssuer. For the rest of this topic, and to identify the certificates unambiguously, they are referred to by those type identifiers: AudioVideoAuthentication and OAuthTokenIssuer.

The A/V Authentication service is responsible for issuing the tokens that clients and other A/V consumers use. The tokens are generated from attributes of the certificate, so when the certificate expires every token issued from it becomes invalid: connections are lost and clients must rejoin with a new token generated from the new certificate. A new feature in Skype for Business Server 2015 alleviates this problem by letting you stage a new certificate before the old one expires and keep both certificates working for a period of time. The feature uses updated functionality in the Set-CsCertificate Skype for Business Server Management Shell cmdlet: the new -Roll parameter, together with the existing -EffectiveDate parameter, places the new AudioVideoAuthentication certificate in the certificate store while the older AudioVideoAuthentication certificate remains available so that tokens already issued can still be validated against it. The sequence of events that follows, starting from the moment the new AudioVideoAuthentication certificate is put in place, is described in the timeline later in this topic.

Tip:
Using the Skype for Business Server Management Shell cmdlets for managing certificates, you can request separate, distinct certificates for each purpose on the Edge Server. The Certificate Wizard in the Lync Server Deployment Wizard helps you create certificates, but it typically creates the Default type, which couples all certificate uses for the Edge Server onto a single certificate. If you are going to use the rolling certificate feature, the recommended practice is to decouple the AudioVideoAuthentication certificate from the other certificate purposes. You can provision and stage a certificate of the Default type, but only the AudioVideoAuthentication portion of the combined certificate benefits from the staging. A user involved in (for example) an instant messaging conversation when the certificate expires will need to log out and log back in to use the new certificate associated with the Access Edge service; the same applies to a user in a Web conference using the Web Conferencing Edge service. The OAuthTokenIssuer certificate is a specific type that is shared across all servers: you create and manage it in one place and it is stored in the Central Management Store for all other servers.

Some additional detail is needed to fully understand your options and requirements when you use the Set-CsCertificate cmdlet to stage certificates before the current certificate expires. The -Roll parameter is important but essentially single purpose: specifying it tells Set-CsCertificate that you will also supply which certificate is affected, defined by -Type (for example AudioVideoAuthentication or OAuthTokenIssuer) and -Thumbprint, and when that certificate becomes effective, defined by -EffectiveDate.

-Roll: The -Roll parameter is required for staging and has dependencies that must be supplied along with it. The following parameters are required to fully define which certificates will be affected and how they will be applied:

-EffectiveDate: The -EffectiveDate parameter defines when the new certificate becomes co-active with the current certificate. The -EffectiveDate can be close to the expiry time of the current certificate, or it can allow a longer overlap. The recommended minimum lead time between -EffectiveDate and the expiry of the current AudioVideoAuthentication certificate is 8 hours, which is the default lifetime of the tokens the A/V Edge service issues using the AudioVideoAuthentication certificate; with a shorter overlap, tokens issued from the old certificate can still be in use when that certificate expires.

When staging OAuthTokenIssuer certificates, the lead time requirement is different: the OAuthTokenIssuer certificate should become effective a minimum of 24 hours before the expiration time of the current certificate. The extended coexistence lead time is needed because other server roles that depend on the OAuthTokenIssuer certificate (Exchange Server, for example) retain authentication and encryption key material created from the certificate for longer.

-Thumbprint: The thumbprint is an attribute of the certificate that is unique to that certificate. The -Thumbprint parameter identifies the certificate that the Set-CsCertificate cmdlet will act on.

-Type: The -Type parameter accepts a single certificate usage type or a comma-separated list of certificate usage types. The type tells the cmdlet and the server what the purpose of the certificate is; for example, type AudioVideoAuthentication is used by the A/V Edge service and the A/V Authentication service. If you stage and provision certificates of different types at the same time, you must use the longest of their minimum lead times. For example, if you need to stage certificates of type AudioVideoAuthentication and OAuthTokenIssuer together, your minimum lead time must be the greater of the two, in this case the 24 hours required by the OAuthTokenIssuer certificate. If you do not want to stage the AudioVideoAuthentication certificate with a 24-hour lead time, stage it separately with an -EffectiveDate that better suits your requirements.

To stage an AudioVideoAuthentication certificate on the Edge Server:

  1. Log on to the local computer as a member of the Administrators group.

  2. Request a renewal or a new AudioVideoAuthentication certificate, with an exportable private key, for the existing certificate on the A/V Edge service.

  3. Import the new AudioVideoAuthentication certificate to the Edge Server and to every other Edge Server in your pool (if you have a pool deployed).

  4. Configure the imported certificate with the Set-CsCertificate cmdlet, using the -Roll parameter together with the -EffectiveDate parameter. The effective date should be the current certificate's expiry time (14:00:00, or 2:00:00 PM, in this example) minus the token lifetime (eight hours by default). This gives the time by which the new certificate must be active, which is the -EffectiveDate <string>: "7/22/2015 6:00:00 AM".

    Important:
    For an Edge pool, all AudioVideoAuthentication certificates must be deployed and provisioned by the date and time defined by the -EffectiveDate parameter of the first certificate deployed. Otherwise A/V communications may be disrupted, because the older certificate can expire before all client and consumer tokens have been renewed using the new certificate.

    The Set-CsCertificate command with the -Roll and -EffectiveDate parameters:

    Set-CsCertificate -Type AudioVideoAuthentication -Thumbprint <thumbprint of new certificate> -Roll -EffectiveDate <date and time for certificate to become active>

    An example Set-CsCertificate command:

    Set-CsCertificate -Type AudioVideoAuthentication -Thumbprint "B142918E463981A76503828BB1278391B716280987B" -Roll -EffectiveDate "7/22/2015 6:00:00 AM"

    Important:
    The -EffectiveDate string must be formatted to match your server's region and language settings. The example uses the US English region and language settings.
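The following script is an added example for step 4 above; it is not from the original article and not part of the product. Instead of typing the effective date by hand, it derives -EffectiveDate from the current AudioVideoAuthentication certificate's expiry minus the token lifetime, and it refuses to stage the rollover when the replacement has no private key, does not outlive the current certificate, or is not yet valid at the planned time. The script name, the parameter names and the one-hour provisioning margin are assumptions; it also assumes that Get-CsCertificate output exposes a Thumbprint property and that -EffectiveDate accepts a [datetime] object (the parameter is typed DateTime), which avoids the region and language formatting pitfall of a date string.

```powershell
# Stage-AvCertificate.ps1 (added example, not code from the original article)
# Run in the Skype for Business Server Management Shell on each Edge Server in the pool.
param(
    [Parameter(Mandatory = $true)]
    [string]$NewThumbprint,            # thumbprint of the newly imported certificate
    [int]$TokenLifetimeHours = 8,      # default A/V Edge token lifetime (overlap window)
    [int]$MinProvisioningHours = 1     # assumed margin you need to finish the other pool members
)

$type = 'AudioVideoAuthentication'

# 1. Identify the certificate currently assigned to the A/V Authentication service.
#    Assumption: Get-CsCertificate output has a Thumbprint property.
$assigned = Get-CsCertificate -Type $type | Select-Object -First 1
if (-not $assigned) { throw "No $type certificate is currently assigned on this server." }
$oldCert = Get-Item "Cert:\LocalMachine\My\$($assigned.Thumbprint)" -ErrorAction Stop
$newCert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop

# 2. Preflight checks on the replacement certificate.
if (-not $newCert.HasPrivateKey) {
    throw "Certificate $NewThumbprint has no private key; import it together with its key (PFX)."
}
if ($newCert.NotAfter -le $oldCert.NotAfter) {
    throw "Certificate $NewThumbprint expires ($($newCert.NotAfter)) no later than the current one ($($oldCert.NotAfter))."
}

# 3. Effective time = current expiry minus one token lifetime, so every token issued from the
#    old certificate can still be validated against it until that token ages out.
$effective = $oldCert.NotAfter.AddHours(-$TokenLifetimeHours)
$now = Get-Date
if ($effective -lt $now.AddHours($MinProvisioningHours)) {
    throw "Too late for a clean overlap: the new certificate must be active by $effective but it is already $now."
}
if ($newCert.NotBefore -gt $effective) {
    throw "Certificate $NewThumbprint is not valid before $($newCert.NotBefore), which is after the planned effective time $effective."
}

# 4. Stage the rollover. Passing a [datetime] sidesteps region/language formatting of a date string.
Set-CsCertificate -Type $type -Thumbprint $NewThumbprint -Roll -EffectiveDate $effective

Write-Output ("Staged {0}: current {1} expires {2}; new {3} becomes effective {4}" -f $type, $oldCert.Thumbprint, $oldCert.NotAfter, $NewThumbprint, $effective)
```

Run it as `.\Stage-AvCertificate.ps1 -NewThumbprint '<thumbprint of new certificate>'` on every Edge Server, and finish all of them before the effective time the first run prints; the computed value is the same on each server because it comes from the shared expiry of the current certificate.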

To further understand the process that Set-CsCertificate with -Roll and -EffectiveDate uses to stage a new certificate for issuing new AudioVideoAuthentication tokens, while still using the existing certificate to validate AudioVideoAuthentication tokens that consumers are already using, a visual timeline is an effective way to follow the process.

In the following example, the administrator determines that the A/V Edge service certificate is due to expire at 2:00:00 PM on 07/22/2015. He requests and receives a new certificate and imports it to each Edge Server in his pool. At 2 AM on 07/22/2015, he begins running Set-CsCertificate with -Roll, -Thumbprint equal to the thumbprint string of the new certificate, and -EffectiveDate set to 07/22/2015 6:00:00 AM. He runs this command on each Edge Server.

Figure: Using the Roll and EffectiveDate parameters.

Callout 1. Start: 7/22/2015 12:00:00 AM
The current AudioVideoAuthentication certificate is due to expire at 2:00:00 PM on 7/22/2015, as determined by the expiration time stamp on the certificate. Plan the certificate replacement and rollover to allow an 8 hour overlap (the default token lifetime) before the existing certificate reaches its expiry time. The 2:00:00 AM lead time in this example gives the administrator adequate time to place and provision the new certificates before the 6:00:00 AM effective time.

Callout 2. 7/22/2015 2:00:00 AM - 7/22/2015 5:59:59 AM
Set the certificate on each Edge Server with an effective time of 6:00:00 AM (the 4 hour lead time is for this example, but it can be longer) using Set-CsCertificate -Type <certificate usage type> -Thumbprint <thumbprint of new certificate> -Roll -EffectiveDate <datetime string of the effective time for the new certificate>.

Callout 3. 7/22/2015 6:00 AM - 7/22/2015 2:00 PM
To validate tokens, the new certificate is tried first; if the new certificate fails to validate the token, the old certificate is tried. This applies to all tokens during the 8 hour (default token lifetime) overlap period.

Callout 4. End: 7/22/2015 2:00:01 PM
The old certificate has expired and the new certificate has taken over. The old certificate can be safely removed with Remove-CsCertificate -Type <certificate usage type> -Previous.

When the effective time is reached (7/22/2015 6:00:00 AM), all new tokens are issued by the new certificate. When validating tokens, tokens will first be validated against the new certificate. If the validation fails, the old certificate is tried. The process of trying the new and falling back to the old certificate will continue until the expiry time of the old certificate. Once the old certificate has expired (7/22/2015 2:00:00 PM), tokens will only be validated by the new certificate. The old certificate can be safely removed using the Remove-CsCertificate cmdlet with the –Previous parameter.

Remove-CsCertificate -Type AudioVideoAuthentication -Previous

To stage an OAuthTokenIssuer certificate:

  1. Log on to the local computer as a member of the Administrators group.

  2. Request a renewal or a new OAuthTokenIssuer certificate, with an exportable private key, for the existing certificate on the Front End Server.

  3. Import the new OAuthTokenIssuer certificate to a Front End Server in your pool (if you have a pool deployed). The OAuthTokenIssuer certificate is replicated globally, so it only needs to be updated and renewed on one server in your deployment; the Front End Server is used here as the example.

  4. Configure the imported certificate with the Set-CsCertificate cmdlet, using the -Roll parameter together with the -EffectiveDate parameter. The effective date should be the current certificate's expiry time (14:00:00, or 2:00:00 PM, in this example) minus a minimum of 24 hours.

    The Set-CsCertificate command with the -Roll and -EffectiveDate parameters:

    Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint <thumbprint of new certificate> -Roll -EffectiveDate <date and time for certificate to become active> -Identity Global

    An example Set-CsCertificate command (1:00:00 PM on 7/21/2015 is 25 hours before the 2:00:00 PM expiry on 7/22/2015, which satisfies the 24 hour minimum):

    Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint "B142918E463981A76503828BB1278391B716280987B" -Roll -EffectiveDate "7/21/2015 1:00:00 PM" -Identity Global

    Important:
    The -EffectiveDate string must be formatted to match your server's region and language settings. The example uses the US English region and language settings.

When the effective time is reached (7/21/2015 1:00:00 PM), all new tokens are issued by the new certificate. When validating tokens, tokens will first be validated against the new certificate. If the validation fails, the old certificate is tried. The process of trying the new and falling back to the old certificate will continue until the expiry time of the old certificate. Once the old certificate has expired (7/22/2015 2:00:00 PM), tokens will only be validated by the new certificate. The old certificate can be safely removed using the Remove-CsCertificate cmdlet with the -Previous parameter.

Remove-CsCertificate -Type OAuthTokenIssuer -Previous 
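Both procedures above (AudioVideoAuthentication and OAuthTokenIssuer) end with Remove-CsCertificate -Previous, and both depend on the old certificate having actually passed its expiry and on the new one being the active certificate everywhere. The following script is an added example of that check and is not from the original article: it queries each listed server, reports the state, and only runs the removal when every server passes. The server names are constructed placeholders; it assumes PowerShell remoting is enabled, the SkypeForBusiness module is installed on each target, and Get-CsCertificate output exposes a Thumbprint property. For OAuthTokenIssuer, which is global, pass a single Front End Server.

```powershell
# Confirm-CertificateRollover.ps1 (added example, not code from the original article)
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('AudioVideoAuthentication', 'OAuthTokenIssuer')]
    [string]$Type,
    [Parameter(Mandatory = $true)][string]$NewThumbprint,   # certificate staged with -Roll
    [Parameter(Mandatory = $true)][string]$OldThumbprint,   # certificate due to be removed
    [string[]]$Servers = @('edge01.contoso.com', 'edge02.contoso.com')   # constructed sample pool
)

# Gather the state from every server in one remoting call.
$report = Invoke-Command -ComputerName $Servers -ArgumentList $Type, $NewThumbprint, $OldThumbprint -ScriptBlock {
    param($Type, $NewThumbprint, $OldThumbprint)
    Import-Module SkypeForBusiness -ErrorAction Stop

    # Thumbprints the server currently reports for this certificate type
    # (assumption: Get-CsCertificate output has a Thumbprint property).
    $assigned = Get-CsCertificate -Type $Type | Select-Object -ExpandProperty Thumbprint

    # Expiry of the old certificate, read from the local machine store.
    $old = Get-Item "Cert:\LocalMachine\My\$OldThumbprint" -ErrorAction SilentlyContinue
    $oldNotAfter = if ($old) { $old.NotAfter } else { 'not in store' }

    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        NewIsActive = [bool]($assigned -contains $NewThumbprint)
        OldExpired  = ($null -eq $old) -or ($old.NotAfter -lt (Get-Date))
        OldNotAfter = $oldNotAfter
    }
}

$report | Format-Table Server, NewIsActive, OldExpired, OldNotAfter -AutoSize

# Remove the previous certificate only when every server passes both checks; a server that
# still validates against the old certificate would otherwise start rejecting live tokens.
$failing = $report | Where-Object { -not ($_.NewIsActive -and $_.OldExpired) }
if ($failing) {
    Write-Warning "Not safe to remove the previous $Type certificate yet on: $($failing.Server -join ', ')"
} else {
    Invoke-Command -ComputerName $Servers -ArgumentList $Type -ScriptBlock {
        param($Type)
        Import-Module SkypeForBusiness -ErrorAction Stop
        Remove-CsCertificate -Type $Type -Previous
    }
    Write-Output "Previous $Type certificate removed on: $($Servers -join ', ')"
}
```

Example invocation: `.\Confirm-CertificateRollover.ps1 -Type AudioVideoAuthentication -NewThumbprint '<new thumbprint>' -OldThumbprint '<old thumbprint>'`. The OldExpired check is deliberately based on the certificate's own NotAfter rather than on the clock of the machine running the script, so a server whose store no longer contains the old certificate is treated as already cleaned up.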
 