Azure 带有客户端证书的自托管网关
[英]Azure Self hosted Gateway with client certificates
问题描述
how to protect the APIs on a self hosted gateway from unauthorized use with client certificates?
如何保护自托管网关上的 API 免遭未经授权使用客户端证书?
The documentation on this topic is too unclear for me:关于这个主题的文档对我来说太不清楚了:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#create-custom-ca-for-self-hosted-gateway https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#create-custom-ca-for-self-hosted-gateway
Thanks.谢谢。
1 个解决方案
解决方案1
0 2021-11-02 07:55:21
- You can validate certificates presented by the connecting client and check certificate properties against desired values using policy expressions.您可以验证连接客户端提供的证书,并使用策略表达式根据所需值检查证书属性。
- For information about securing access to the back-end service of an API using client certificates, refer How to secure back-end services using client certificate authentication有关使用客户端证书保护对 API 后端服务的访问的信息,请参阅如何使用客户端证书身份验证保护后端服务
- To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers you must turn on the "Negotiate client certificate" setting on the "Custom domains" blade.要在开发人员、基本、标准或高级层中通过 HTTP/2 接收和验证客户端证书,您必须打开“自定义域”边栏选项卡上的“协商客户端证书”设置。
- To receive and verify client certificates in the Consumption tier you must turn on the "Request client certificate" setting on the "Custom domains" blade.要接收和验证消费层中的客户端证书,您必须打开“自定义域”边栏选项卡上的“请求客户端证书”设置。
- Policy to validate client certificates - Use the validate-client-certificate policy to validate one or more attributes of a client certificate.验证客户端证书的策略- 使用validate-client-certificate策略来验证客户端证书的一个或多个属性。
- Certificate validation with context variables - You can also create policy expressions with the
contextvariable to check client certificates.与上下文变量证书验证-您也可以创建一个策略表达式context变量来检查客户端证书。 - Checking the issuer and subject检查发行人和主题
- Checking the thumbprint检查指纹
- Checking a thumbprint against certificates uploaded to API Management.根据上传到 API 管理的证书检查指纹。 For more detailed information please refer secure APIs using client certificate authentication in API Management有关更多详细信息,请参阅API 管理中使用客户端证书身份验证的安全 API
解决方案2
0 已采纳 2021-11-22 09:33:44
the solution is to give the right common name/dns name during the creation of the certificate.解决方案是在创建证书期间提供正确的通用名称/DNS 名称。 After that a gateway hostname must be created inside the gatewaypanel of the self hosted gateway and the uploaded certificate addded and check the checkbox negotiate clientcertificates.之后,必须在自托管网关的网关面板内创建网关主机名并添加上传的证书,然后选中复选框协商客户端证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.