IoT Hub Device Provisioning Service (DPS) terminology

IoT Hub Device Provisioning Service is a helper service for IoT Hub that you use to configure zero-touch device provisioning to a specified IoT hub. With the Device Provisioning Service, you can provision millions of devices in a secure and scalable manner.

Device provisioning is a two-part process. The first part is establishing the initial connection between the device and the IoT solution by registering the device. The second part is applying the proper configuration to the device based on the specific requirements of the solution. Once both steps have been completed, the device has been fully provisioned. The Device Provisioning Service automates both steps to provide a seamless provisioning experience for the device.

This article gives an overview of the provisioning concepts most applicable to managing the service. It is most relevant to the personas involved in the cloud setup step of getting a device ready for deployment.

Service operations endpoint

The service operations endpoint is the endpoint for managing the service settings and maintaining the enrollment list. This endpoint is used only by the service administrator; it is not used by devices.

Device provisioning endpoint

The device provisioning endpoint is the single endpoint that all devices use for auto-provisioning. The URL is the same for all provisioning service instances, which eliminates the need to reflash devices with new connection information in supply chain scenarios. The ID scope ensures tenant isolation.

Linked IoT hubs

The Device Provisioning Service can only provision devices to IoT hubs that have been linked to it. Linking an IoT hub to an instance of the Device Provisioning Service gives the service read/write permissions to the IoT hub's device registry; with the link, the Device Provisioning Service can register a device ID and set the initial configuration in the device twin. Linked IoT hubs may be in any Azure region. You may link hubs in other subscriptions to your provisioning service.

Allocation policy

The service-level setting that determines how the Device Provisioning Service assigns devices to an IoT hub. There are three supported allocation policies:

  • Evenly weighted distribution: linked IoT hubs are equally likely to have devices provisioned to them. This is the default setting. If you are provisioning devices to only one IoT hub, you can keep this setting.

  • Lowest latency: devices are provisioned to the IoT hub with the lowest latency to the device. If multiple linked IoT hubs would provide the same lowest latency, the provisioning service hashes devices across those hubs.

  • Static configuration via the enrollment list: the IoT hub specified in the enrollment list takes priority over the service-level allocation policy.

  • Custom (use Azure Function): a custom allocation policy gives you more control over how devices are assigned to an IoT hub. This is accomplished by using custom code in an Azure Function to assign devices to an IoT hub. The Device Provisioning Service calls your Azure Function code, providing it with all relevant information about the device and the enrollment. Your function code is executed and returns the IoT hub information used to provision the device.
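The decision logic of a custom allocation policy, as an added example that is not Microsoft's code or part of this page. It assumes the request body that DPS posts to the function carries `linkedHubs` (the hostnames of the hubs linked to the service) and a `deviceRuntimeContext` with `registrationId` and an optional device-supplied `payload`, and that the response names the target hub in `iotHubHostName` and an optional `initialTwin`; those field names are assumptions to be checked against the current custom allocation tutorial, and the region-to-hub map and sample request are constructed. The Azure Functions HTTP wrapper is left out; `allocate` is what it would call. The point a practitioner should take from it: the device payload is untrusted input, so the function only ever returns a hub from the list DPS itself supplied, and falls back safely when the payload is absent, malformed, or names a hub that is not linked.

```python
import json

# Constructed mapping from a device-reported region to the hub that should serve it.
# The "apac" entry points at a hub that is deliberately NOT linked in the sample
# request, to exercise the fallback path.
REGION_TO_HUB = {
    "eu": "hub-eu.azure-devices.net",
    "us": "hub-us.azure-devices.net",
    "apac": "hub-apac.azure-devices.net",
}

# Constructed sample request body. The field names (linkedHubs, deviceRuntimeContext,
# registrationId, payload, enrollmentGroup) are assumptions about the JSON DPS posts
# to a custom allocation function.
SAMPLE_REQUEST = json.dumps({
    "enrollmentGroup": {"enrollmentGroupId": "constructed-group"},
    "deviceRuntimeContext": {
        "registrationId": "device-0001",
        "payload": {"region": "eu"},
    },
    "linkedHubs": ["hub-eu.azure-devices.net", "hub-us.azure-devices.net"],
})


def choose_hub(linked_hubs, payload):
    """Pick a hub from the linked list based on the device-reported region.

    The payload is untrusted: it may be missing, malformed, or name a region whose
    hub is not linked. Every such case falls back to the first linked hub, and the
    chosen hub is always one that DPS reported as linked.
    """
    if not linked_hubs:
        raise ValueError("no linked IoT hubs in request; nothing to allocate to")
    region = payload.get("region") if isinstance(payload, dict) else None
    candidate = REGION_TO_HUB.get(region) if isinstance(region, str) else None
    if candidate in linked_hubs:
        return candidate, region
    return linked_hubs[0], None


def allocate(request_json):
    """Decision logic for a custom allocation policy.

    Returns the dict a custom allocation function would serialise as its response:
    the target hub plus an initial twin (assumed response shape).
    """
    body = json.loads(request_json)
    ctx = body.get("deviceRuntimeContext") or {}
    registration_id = ctx.get("registrationId")
    if not registration_id:
        raise ValueError("request has no registrationId")
    hub, region = choose_hub(body.get("linkedHubs") or [], ctx.get("payload"))
    return {
        "iotHubHostName": hub,
        "initialTwin": {
            "tags": {"region": region or "unassigned"},
            "properties": {"desired": {"provisionedBy": "custom-allocation"}},
        },
    }


if __name__ == "__main__":
    print(json.dumps(allocate(SAMPLE_REQUEST), indent=2))
```

Tagging the twin with the region actually used (or "unassigned") leaves an audit trail of the allocation decision on the device record itself, which is useful when a device later turns up on an unexpected hub.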

Enrollment

An enrollment is the record of devices or groups of devices that may register through auto-provisioning. The enrollment record contains information about the device or group of devices, including:

  • the attestation mechanism used by the device
  • the optional initial desired configuration
  • the desired IoT hub
  • the desired device ID

There are two types of enrollments supported by the Device Provisioning Service:

Enrollment group

An enrollment group is a group of devices that share a specific attestation mechanism. Enrollment groups support both X.509 and symmetric key attestation. All devices in an X.509 enrollment group present X.509 certificates that have been signed by the same root or intermediate Certificate Authority (CA). Each device in a symmetric key enrollment group presents a SAS token derived from the group symmetric key. The enrollment group name and certificate name must be alphanumeric, lowercase, and may contain hyphens.

Tip

We recommend using an enrollment group for a large number of devices that share a desired initial configuration, or for devices all going to the same tenant.

Individual enrollment

An individual enrollment is an entry for a single device that may register. Individual enrollments may use either X.509 leaf certificates or SAS tokens (from a physical or virtual TPM) as the attestation mechanism. The registration ID in an individual enrollment is alphanumeric, lowercase, and may contain hyphens. Individual enrollments may have the desired IoT hub device ID specified.

Tip

We recommend using individual enrollments for devices that require unique initial configurations, or for devices that can only authenticate using SAS tokens via TPM attestation.

Attestation mechanism

An attestation mechanism is the method used for confirming a device's identity. The attestation mechanism is configured on an enrollment entry and tells the provisioning service which method to use when verifying the identity of a device during registration.

Note

IoT Hub uses "authentication scheme" for a similar concept in that service.

The Device Provisioning Service supports the following forms of attestation:

  • X.509 certificates, based on the standard X.509 certificate authentication flow. For more information, see X.509 attestation.
  • Trusted Platform Module (TPM), based on a nonce challenge, using the TPM standard for keys to present a signed Shared Access Signature (SAS) token. This does not require a physical TPM on the device, but the service expects to attest using the endorsement key per the TPM specification. For more information, see TPM attestation.
  • Symmetric key, based on shared access signature (SAS) security tokens, which include a hashed signature and an embedded expiration. For more information, see Symmetric key attestation.
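The symmetric key path end to end, as an added example that is not Microsoft's code or part of this page: deriving a per-device key from an enrollment group key (the "SAS token derived from the group symmetric key" in the enrollment group section), building the registration SAS token with its hashed signature and embedded expiry, and the check the receiving side performs. The derivation (HMAC-SHA256 of the registration ID under the decoded group key) and the token layout (`sr`, `sig`, `se`, `skn=registration`, with the URL-encoded resource URI and expiry as the signed string) follow the documented symmetric key attestation scheme; the group key, ID scope and registration ID are constructed placeholders, and `verify_sas_token` is a local model of the service-side check, not the service's code.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote_plus, unquote_plus

# Constructed sample values; not real credentials and not a real ID scope.
GROUP_PRIMARY_KEY = base64.b64encode(b"constructed-enrollment-group-primary-key").decode()
ID_SCOPE = "0ne00PLACEHOLDER"
REGISTRATION_ID = "device-0001"


def derive_device_key(group_key_b64, registration_id):
    """Derive the per-device key for a symmetric key enrollment group.

    HMAC-SHA256, keyed with the decoded group key, over the UTF-8 registration ID;
    the result is base64-encoded like the group key itself. Only this derived key
    needs to reach the device; the group key stays off the device entirely.
    """
    key = base64.b64decode(group_key_b64)
    mac = hmac.new(key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_sas_token(id_scope, registration_id, device_key_b64, expiry):
    """Build the registration SAS token: a hashed signature plus an embedded expiry.

    The signed string is the URL-encoded resource URI and the Unix expiry time
    joined by a newline; the policy name "registration" is fixed for DPS.
    """
    resource = quote_plus(f"{id_scope}/registrations/{registration_id}")
    to_sign = f"{resource}\n{expiry}".encode("utf-8")
    sig = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    return (
        f"SharedAccessSignature sr={resource}"
        f"&sig={quote_plus(base64.b64encode(sig).decode())}"
        f"&se={expiry}&skn=registration"
    )


def verify_sas_token(token, id_scope, registration_id, device_key_b64, now):
    """Model of the service-side check: structure, resource, policy, expiry, signature.

    The signature is recomputed over the expected resource and the token's own
    expiry, so editing the embedded expiry invalidates the signature, and the
    comparison is constant-time.
    """
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = dict(part.split("=", 1) for part in token[len(prefix):].split("&"))
        expiry = int(fields["se"])
    except (ValueError, KeyError):
        return False
    resource = quote_plus(f"{id_scope}/registrations/{registration_id}")
    if fields.get("sr") != resource or fields.get("skn") != "registration":
        return False
    if expiry <= now:
        return False
    to_sign = f"{resource}\n{expiry}".encode("utf-8")
    expected = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    presented = unquote_plus(fields.get("sig", ""))
    return hmac.compare_digest(base64.b64encode(expected).decode(), presented)


if __name__ == "__main__":
    device_key = derive_device_key(GROUP_PRIMARY_KEY, REGISTRATION_ID)
    token = build_sas_token(ID_SCOPE, REGISTRATION_ID, device_key, int(time.time()) + 3600)
    print(token)
    print("verifies:", verify_sas_token(token, ID_SCOPE, REGISTRATION_ID, device_key, int(time.time())))
```

Because the derived key is a function of the registration ID, a device that presents a different registration ID than the one its key was derived for fails verification, which is what ties a group-enrolled device to a single identity.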

Hardware security module

The hardware security module, or HSM, is used for secure, hardware-based storage of device secrets, and is the most secure form of secret storage. Both X.509 certificates and SAS tokens can be stored in an HSM. HSMs can be used with the attestation mechanisms the provisioning service supports.

Tip

We strongly recommend using an HSM with devices to securely store secrets on your devices.

Device secrets may also be stored in software (memory), but this is a less secure form of storage than an HSM.

ID scope

The ID scope is assigned to a Device Provisioning Service when it is created by the user, and is used to uniquely identify the specific provisioning service the device will register through. The ID scope is generated by the service and is immutable, which guarantees uniqueness.

Note

Uniqueness is important for long-running deployment operations and for merger and acquisition scenarios.

Registration

A registration is the record of a device successfully registering/provisioning to an IoT hub via the Device Provisioning Service. Registration records are created automatically; they can be deleted, but they cannot be updated.

Registration ID

The registration ID is used to uniquely identify a device registration with the Device Provisioning Service. The device ID must be unique within the provisioning service ID scope. Each device must have a registration ID. The registration ID is alphanumeric, case-insensitive, and may contain special characters including colon, period, underscore, and hyphen.

  • In the case of TPM, the registration ID is provided by the TPM itself.
  • In the case of X.509-based attestation, the registration ID is provided as the subject name of the certificate.

Device ID

The device ID is the ID as it appears in IoT Hub. The desired device ID may be set in the enrollment entry, but it is not required. Setting the desired device ID is only supported in individual enrollments. If no desired device ID is specified in the enrollment list, the registration ID is used as the device ID when registering the device. Learn more about device IDs in IoT Hub.
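The naming rules from the registration ID and enrollment group sections, and the device ID fallback rule above, as an added example that is not Microsoft's code or part of this page. `effective_device_id` resolves which IoT Hub device ID a registration will produce: a desired device ID is honoured only for an individual enrollment, and otherwise the registration ID is used. Treating a desired device ID on an enrollment group as a configuration error (rather than silently ignoring it) is a design choice of this example; the regular expressions encode the character rules as this page states them, using the general registration ID rule rather than the stricter lowercase wording in the individual enrollment section.

```python
import re

# Character rules as stated on this page: registration IDs are alphanumeric,
# case-insensitive, and may contain colon, period, underscore and hyphen;
# enrollment group names are lowercase alphanumeric and may contain hyphens.
REGISTRATION_ID_RE = re.compile(r"[A-Za-z0-9:._-]+")
ENROLLMENT_GROUP_NAME_RE = re.compile(r"[a-z0-9-]+")


def is_valid_registration_id(value):
    """True if the value is a non-empty string made only of permitted characters."""
    return isinstance(value, str) and REGISTRATION_ID_RE.fullmatch(value) is not None


def is_valid_enrollment_group_name(value):
    """True if the value is a non-empty, lowercase, hyphen-or-alphanumeric string."""
    return isinstance(value, str) and ENROLLMENT_GROUP_NAME_RE.fullmatch(value) is not None


def effective_device_id(registration_id, enrollment_type, desired_device_id=None):
    """Resolve the IoT Hub device ID that a registration will produce.

    enrollment_type is "individual" or "group" (labels chosen for this example).
    A desired device ID is honoured only for an individual enrollment; supplying
    one for an enrollment group is rejected here as a configuration error. With
    no desired ID, the registration ID becomes the device ID.
    """
    if not is_valid_registration_id(registration_id):
        raise ValueError(f"invalid registration ID: {registration_id!r}")
    if enrollment_type not in ("individual", "group"):
        raise ValueError(f"unknown enrollment type: {enrollment_type!r}")
    if desired_device_id:
        if enrollment_type != "individual":
            raise ValueError("a desired device ID is only supported in individual enrollments")
        return desired_device_id
    return registration_id


if __name__ == "__main__":
    print(effective_device_id("device-0001", "group"))                   # device-0001
    print(effective_device_id("device-0001", "individual", "sensor-42"))  # sensor-42
    print(is_valid_enrollment_group_name("Fleet-EU"))                     # False (uppercase)
```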

Operations

Operations are the billing unit of the Device Provisioning Service. One operation is the successful completion of one instruction to the service. Operations include device registrations and re-registrations; they also include service-side changes such as adding and updating enrollment list entries.