PowerShell MVP Max Trinidad had posted a blog about setting up and managing Windows Azure SQL Database using SMO. While I was going through his post, there were a couple of things I had to read up on before I understood what I was doing. This post is the essence of all the learning I did while going through his post.
First things first, we need a Windows Azure subscription. Presently, you can register for a free trial at www.windowsazure.com.
Note: If you would like to use the management portal for Windows Azure to create the database, you can use the following tutorial.
We need a few tools and a little bit of setup on the management portal before we can start with the automation part.
- We need to rename our Windows Azure subscription from the default name it has. This makes it easier to manage your subscriptions, if you have multiple services.
- We need to upload a certificate to the Windows Azure subscription.
- Download the latest version of Windows Azure PowerShell, from here. The link points to the standalone installer.
- Download the latest Windows Azure SDK for .NET from here.
1. Renaming the subscription
The Windows Azure services have two kinds of accounts.
- Windows Azure Account, through which resource usage is reported and services are billed. Each account is identified by an email account, and is associated with at least one subscription. The account owner monitors usage and manages billings through the Windows Azure Account Center.
- Subscriptions, which govern access to and use of Windows Azure subscribed services. The subscription holder uses the Management Portal to manage services.
The reason for this kind of setup is that, in a corporate enrollment, an account owner might create multiple subscriptions to give IT folks access to services. Since resource usage within an account is reported for each subscription, an organization can use subscriptions to track expenses for projects, departments, regional offices, and so forth.
This is explained in detail here.
You change your subscription details by using the following steps:
- Sign into the Windows Azure Management Portal.
- Click on ‘Account’ → ‘View my bill’; you may be prompted to log in, as you will be accessing sensitive details.
- Click on ‘Edit Subscription Details’, to change the name of your subscription.
2. Creating and uploading a management certificate
Certificates used in Windows Azure are X.509 v3 certificates. They can be signed by another trusted certificate or they can be self-signed. For the purposes of this blog we will be creating a self-signed certificate using ‘makecert.exe’. Before we go further, let us check how different certificates are used in Windows Azure.
Windows Azure has 3 types of certificates:
- Management certificates – Stored at the subscription level, these certificates are used to enable management of Windows Azure through various tools. These certificates are independent of any hosted service or deployment.
- Service certificates – Stored at the hosted service level, these certificates are used by your deployed services.
- SSH Keys – Stored on the Linux virtual machine, SSH keys are used to authenticate remote connections to the virtual machine.
Windows Azure uses certificates to identify a trust relationship, i.e. the party to be trusted has the private key. Here is how the certificates are used:
- Management certificates (.cer certificate files): the client connecting to the service needs to be trusted and has the private key. These permit clients access to resources in your Windows Azure subscription.
- Service certificates (.pfx certificate files): the service needs to be trusted by the client connecting to the service. For example, in an SSL secured service scenario they provide secure interactions for users of your web application or service.
Enough talk, let us start by creating a self-signed certificate. To create your own self-signed management certificates, open a Visual Studio command prompt as an administrator, and then run the following command:
makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"
If you are like me, you may wonder what the parameters mean, especially ‘pe’ and ‘sky’.
Put simply, -pe marks the generated private key as exportable. Unless we specify the -pe command line option to MakeCert, the private key cannot be exported, so the certificate created can only be used to decrypt data on that machine. This is not an ideal scenario because it would prevent any other machine from being able to decrypt a payload encrypted using the public key.
The option ‘sky’ specifies the type of the subject key. It accepts one of two arguments (signature|exchange). What these arguments mean is:
- ‘signature’: the certificate can only be used to sign a payload.
- ‘exchange’: the certificate can be used to sign AND/OR encrypt a payload.
Now that we have created our certificate, we need to export it in order to be able to upload the file to Azure. We can do this in a few easy steps:
- Start / run / certmgr.msc
- Navigate the tree hierarchy until you find the certificate you just created (usually under Personal→Certificates).
- On the left pane right-click on the certificate and select / all tasks / export.
- Select “No, do not export the private key”
- Click on next until you are asked for the Export path. Enter the desired export path.
- Follow the prompts and finish the export.
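The flags discussed above and the export steps can also be checked and carried out from PowerShell. This is an added example, not part of the original post; the subject name `CN=AzureMgmtDemo` and the output path are hypothetical, and it assumes Windows PowerShell with a key created by makecert (CSP-backed).

```powershell
# Added example: inspect a makecert-created certificate, then export only its public half.
$subject = 'CN=AzureMgmtDemo'                               # hypothetical value given to makecert -n
$outFile = Join-Path $env:TEMP 'AzureMgmtDemo.cer'          # hypothetical export path

# "-ss My" without -sr places the certificate in the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'No private key: this machine could not act as the trusted client.' }

# makecert keys live in a CSP key container, which records the key type and exportability.
$info = $cert.PrivateKey.CspKeyContainerInfo

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    KeySize    = $cert.PublicKey.Key.KeySize                # set by -len
    KeyNumber  = $info.KeyNumber                            # set by -sky (Exchange or Signature)
    Exportable = $info.Exportable                           # set by -pe
    Algorithm  = $cert.SignatureAlgorithm.FriendlyName      # set by -a
    NotAfter   = $cert.NotAfter
} | Format-List

# Same result as choosing "No, do not export the private key" in certmgr.msc:
# X509ContentType.Cert serializes the certificate only, never the key.
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $bytes)

# Re-load the file and confirm it is the same certificate and carries no private key
# before it is uploaded anywhere.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $outFile
if ($check.HasPrivateKey) { throw "$outFile unexpectedly carries a private key" }
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the store certificate' }
"Public certificate written to $outFile"
```

An `Exportable` value of True means anyone who can run code as this user can copy the private key out of the store, so the thumbprint printed here is worth recording to match against what the portal shows after upload.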
Uploading the certificate:
Management and service certificates can be uploaded through the Windows Azure Management Portal.
3. Download latest version of Windows Azure PowerShell, from here. The link points to the standalone installer.
Please download and install from the link given above.
4. Download the latest Windows Azure SDK for .NET from here.
Please download and install from the link given above.
This is it. We are now set up to work with our Azure subscription from within PowerShell.
- SQL Database – Documentation.
- Manage Certificates in Windows Azure.
- Create and upload a certificate for Windows Azure.
- makecert option -pe.
- makecert option -sky.