Roles and operations

The phases of developing an IoT solution can span weeks or months, due to production realities like manufacturing time, shipping, customs processing, etc. In addition, they can span activities across multiple roles, given the various entities involved. This topic takes a deeper look at the various roles and operations related to each phase, then illustrates the flow in a sequence diagram.

Provisioning also places requirements on the device manufacturer, specific to enabling the attestation mechanism. Manufacturing operations can also occur independent of the timing of the auto-provisioning phases, especially in cases where new devices are procured after auto-provisioning has already been established.

A series of Quickstarts is provided in the table of contents to the left, to help explain auto-provisioning through hands-on experience. To simplify the learning process, software is used to simulate a physical device for enrollment and registration. Some Quickstarts require you to fulfill operations for multiple roles, including operations for roles that do not exist in the Quickstart because the device is simulated.

Role: Manufacturer
Operation: Encode identity and registration URL
Description: Based on the attestation mechanism used, the manufacturer is responsible for encoding the device identity info and the Device Provisioning Service registration URL.
Quickstarts: since the device is simulated, there is no Manufacturer role. See the Developer role for details on how you get this information, which is used in coding a sample registration application.

Role: Manufacturer
Operation: Provide device identity
Description: As the originator of the device identity info, the manufacturer is responsible for communicating it to the operator (or a designated agent), or for enrolling it directly in the Device Provisioning Service via APIs.
Quickstarts: since the device is simulated, there is no Manufacturer role. See the Operator role for details on how you get the device identity, which is used to enroll a simulated device in your Device Provisioning Service instance.

Role: Operator
Operation: Configure auto-provisioning
Description: This operation corresponds with the first phase of auto-provisioning.
Quickstarts: You perform the Operator role, configuring the Device Provisioning Service and IoT Hub instances in your Azure subscription.

Role: Operator
Operation: Enroll device identity
Description: This operation corresponds with the second phase of auto-provisioning.
Quickstarts: You perform the Operator role, enrolling your simulated device in your Device Provisioning Service instance. The device identity is determined by the attestation method being simulated in the Quickstart (TPM or X.509). See the Developer role for attestation details.

Role: Device Provisioning Service, IoT Hub
Operation: <all operations>
Description: For both a production implementation with physical devices and Quickstarts with simulated devices, these roles are fulfilled by the IoT services you configure in your Azure subscription. The roles/operations function exactly the same, as the IoT services are indifferent to provisioning physical vs. simulated devices.

Role: Developer
Operation: Build/Deploy registration software
Description: This operation corresponds with the third phase of auto-provisioning. The Developer is responsible for building the registration software and deploying it to the device, using the appropriate SDK.
Quickstarts: The sample registration application you build simulates a real device, for your platform/language of choice, and runs on your workstation (instead of being deployed to a physical device). The registration application performs the same operations as one deployed to a physical device. You specify the attestation method (TPM or X.509 certificate), plus the registration URL and "ID Scope" of your Device Provisioning Service instance. The device identity is determined by the SDK attestation logic at runtime, based on the method you specify:
  • TPM attestation - your development workstation runs a TPM simulator application. Once it is running, a separate application is used to extract the TPM's "Endorsement Key" and "Registration ID" for use in enrolling the device identity. The SDK attestation logic also uses the simulator during registration, to present a signed SAS token for authentication and enrollment verification.
  • X.509 attestation - you use a tool to generate a certificate. Once generated, you create the certificate file required for use in enrollment. The SDK attestation logic also uses the certificate during registration, presenting it for authentication and enrollment verification.

Role: Device
Operation: Boot up and register
Description: This operation corresponds with the third phase of auto-provisioning and is fulfilled by the device registration software built by the Developer. See the Developer role for details. Upon first boot:
  1. The application connects with the Device Provisioning Service instance, per the global URL and service "ID Scope" specified during development.
  2. Once connected, the device is authenticated against the attestation method and identity specified during enrollment.
  3. Once authenticated, the device is registered with the IoT Hub instance specified by the provisioning service instance.
  4. Upon successful registration, a unique device ID and IoT Hub endpoint are returned to the registration application for communicating with IoT Hub.
  5. From there, the device can pull down its initial device twin state for configuration and begin the process of reporting telemetry data.
Quickstarts: since the device is simulated, the registration software runs on your development workstation.
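The first-boot sequence above (connect with the ID Scope, authenticate against the enrolled attestation, get assigned a hub and device ID), as an added toy model written for this page; it is not the Azure SDK or the service's code. It assumes symmetric-key attestation (one of the Quickstart options) with a constructed ID Scope, enrollment-group key and hub name, and follows the documented DPS SAS-token layout and group-key derivation.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder values, not real credentials: the DPS ID Scope, an
# enrollment-group key known to the Operator's enrollment, and the IoT Hub
# that the enrollment assigns devices to.
ID_SCOPE = "0ne00000000"
GROUP_KEY = base64.b64encode(b"constructed-enrollment-group-key").decode()
ASSIGNED_HUB = "example-hub.azure-devices.net"


def _hmac_b64(key_b64: str, data: bytes) -> str:
    key = base64.b64decode(key_b64)
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Per-device key of a symmetric-key enrollment group: HMAC-SHA256 of the
    registration ID under the group key. Only this derived key is placed on
    the device; the group key itself stays with the manufacturer/operator."""
    return _hmac_b64(group_key_b64, registration_id.encode())


def build_sas_token(id_scope: str, registration_id: str, device_key_b64: str, expiry: int) -> str:
    """Device side (step 2): sign '<resource>\n<expiry>' with the device key and
    present the result as the registration SAS token."""
    resource = quote(f"{id_scope}/registrations/{registration_id}", safe="")
    sig = _hmac_b64(device_key_b64, f"{resource}\n{expiry}".encode())
    return f"SharedAccessSignature sr={resource}&sig={quote(sig, safe='')}&se={expiry}&skn=registration"


def dps_register(token: str, registration_id: str, now: int) -> dict:
    """Service side (toy DPS, steps 2-4): reject expired tokens, recompute the
    expected token from the enrollment's key, then assign hub and device ID."""
    fields = dict(part.split("=", 1) for part in token.split(" ", 1)[1].split("&"))
    expiry = int(fields.get("se", "0"))
    if expiry <= now:
        return {"status": "failed", "error": "token expired"}
    expected = build_sas_token(ID_SCOPE, registration_id, derive_device_key(GROUP_KEY, registration_id), expiry)
    if not hmac.compare_digest(token, expected):  # constant-time comparison
        return {"status": "failed", "error": "attestation failed"}
    return {"status": "assigned", "assignedHub": ASSIGNED_HUB, "deviceId": registration_id}


def device_first_boot(registration_id: str, device_key_b64: str, now: int, ttl: int = 3600) -> dict:
    """Step 1 onward from the device's view: build a short-lived token and
    register; on success the returned hub and device ID are what it uses next."""
    token = build_sas_token(ID_SCOPE, registration_id, device_key_b64, now + ttl)
    return dps_register(token, registration_id, now)
```

A device holding a key derived for a different registration ID, or presenting an expired token, is refused before any hub assignment happens, which is the enrollment check the sequence relies on.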

The following diagram summarizes the roles and sequencing of operations during device auto-provisioning:

Auto-provisioning sequence for a device

Note

Optionally, the manufacturer can also perform the "Enroll device identity" operation using Device Provisioning Service APIs (instead of via the Operator).

Roles and Azure accounts

How each role is mapped to an Azure account is scenario-dependent, and quite a few scenarios can be involved. The common patterns below should give a general understanding of how roles are typically mapped to an Azure account.

Chip manufacturer provides security services

In this scenario, the manufacturer manages security for level-one customers. These level-one customers may prefer this scenario because they don't have to manage detailed security themselves.

The manufacturer introduces security into Hardware Security Modules (HSMs). This can include the manufacturer obtaining keys, certificates, etc. from potential customers who already have DPS instances and enrollment groups set up. The manufacturer could also generate this security information for its customers.

In this scenario, there may be two Azure accounts involved:

  • Account #1: Likely shared across the operator and developer roles to some degree. This party may purchase the HSM chips from the manufacturer. These chips are pointed to DPS instances associated with Account #1. With DPS enrollments, this party can lease devices to multiple level-two customers by reconfiguring the device enrollment settings in DPS. This party may also have IoT hubs allocated for end-user backend systems to interface with, in order to access device telemetry etc. In this latter case, a second account may not be needed.

  • Account #2: End users (level-two customers) may have their own IoT hubs. The party associated with Account #1 simply points leased devices to the correct hub in this account. This configuration requires linking DPS and IoT hubs across Azure accounts, which can be done with Azure Resource Manager templates.

All-in-one OEM

The manufacturer could be an "all-in-one OEM", in which case only a single manufacturer account is needed. The manufacturer handles security and provisioning end to end.

The manufacturer may provide a cloud-based application to customers who purchase devices. This application would interface with the IoT Hub allocated by the manufacturer.

Vending machines and automated coffee machines are examples of this scenario.

Next steps

You may find it helpful to bookmark this article as a point of reference as you work your way through the corresponding auto-provisioning Quickstarts.

Begin by completing a "Set up auto-provisioning" Quickstart that best suits your management tool preference, which walks you through the "Service configuration" phase:

Then continue with a "Provision a device" Quickstart that suits your device attestation mechanism and Device Provisioning Service SDK/language preference. In this Quickstart, you walk through the "Device enrollment" and "Device registration and configuration" phases:

Device attestation mechanism, with the Quickstart SDK/languages available for each:
  • Symmetric key: C, Java, Python
  • X.509 certificate: C, Java, C#, Node.js, Python
  • Simulated Trusted Platform Module (TPM): C, Java, C#, Python