Tutorial: Provision the device to an IoT hub using the Azure IoT Hub Device Provisioning Service

In the previous tutorial, you learned how to set up a device to connect to your Device Provisioning Service. In this tutorial, you learn how to use this service to provision your device to a single IoT hub, using auto-provisioning and enrollment lists. This tutorial shows you how to:

  • Enroll the device
  • Start the device
  • Verify the device is registered

Prerequisites

Before you proceed, make sure you have configured your device as described in the tutorial Set up a device to provision using Azure IoT Hub Device Provisioning Service.

If you're unfamiliar with the auto-provisioning process, review Auto-provisioning concepts before continuing.

Enroll the device

This step involves adding the device's unique security artifacts to the Device Provisioning Service. Which artifacts are needed depends on the device's attestation mechanism, as follows:

  • For TPM-based devices you need:

    • The Endorsement Key, which is unique to each TPM chip or simulation and is obtained from the TPM chip manufacturer. Read Understand TPM Endorsement Key for more information.

    • The Registration ID, which uniquely identifies a device within the namespace/scope. This ID may or may not be the same as the device ID, and it is mandatory for every device. For TPM-based devices, the registration ID may be derived from the TPM itself, for example as a SHA-256 hash of the TPM Endorsement Key.

      Enrollment information for TPM in the portal

  • For X.509-based devices you need:

    • The certificate issued to the X.509 chip or simulation, as either a .pem or a .cer file. For an individual enrollment, use the per-device signed certificate of your X.509 system; for an enrollment group, use the root certificate.

      Add individual enrollment for X.509 attestation in the portal

There are two ways to enroll a device with the Device Provisioning Service:

  • Enrollment Groups: a group of devices that share a specific attestation mechanism. We recommend an enrollment group for a large number of devices that share a desired initial configuration, or for devices that all go to the same tenant. For more information on identity attestation for enrollment groups, see Security.

    Add group enrollment for X.509 attestation in the portal

  • Individual Enrollments: an entry for a single device that may register with the Device Provisioning Service. Individual enrollments may use either X.509 certificates or SAS tokens (in a real or virtual TPM) as the attestation mechanism. We recommend individual enrollments for devices that require unique initial configurations, and for devices that can only use SAS tokens via a TPM or virtual TPM as the attestation mechanism. An individual enrollment may specify the desired IoT hub device ID.

Now enroll the device with your Device Provisioning Service instance, using the security artifacts required by the device's attestation mechanism:

  1. Sign in to the Azure portal, click the All resources button on the left-hand menu, and open your Device Provisioning Service.

  2. On the Device Provisioning Service summary blade, select Manage enrollments. Select either the Individual Enrollments tab or the Enrollment Groups tab, depending on your device setup. Click the Add button at the top. Select TPM or X.509 as the identity attestation mechanism, and enter the appropriate security artifacts as discussed previously. You may enter a new IoT Hub device ID. Once complete, click the Save button.

  3. When the device is successfully enrolled, you should see it displayed in the portal as follows:

    Successful TPM enrollment in the portal

After enrollment, the provisioning service waits for the device to boot and connect with it at any later point in time. When your device boots for the first time, the client SDK library interacts with your chip to extract the security artifacts from the device and verifies registration with your Device Provisioning Service.

Start the IoT device

Your IoT device can be a real device or a simulated device. Since the IoT device has now been enrolled with a Device Provisioning Service instance, the device can boot up and call the provisioning service to be recognized using its attestation mechanism. Once the provisioning service has recognized the device, the device is assigned to an IoT hub.

Simulated device examples, using both TPM and X.509 attestation, are included for C, Java, C#, Node.js, and Python. For example, a simulated device using TPM and the Azure IoT C SDK would follow the process covered in the Simulate first boot sequence for a device section. The same device using X.509 certificate attestation would refer to this boot sequence section.

Refer to the How-to guide for the MXChip IoT DevKit as an example for a real device.

Start the device to allow your device's client application to begin registration with your Device Provisioning Service.

Verify the device is registered

Once your device boots, the following actions should take place:

  1. The device sends a registration request to your Device Provisioning Service.

  2. For TPM devices, the Device Provisioning Service sends back a registration challenge, to which your device responds.

  3. On successful registration, the Device Provisioning Service sends the IoT hub URI, device ID, and the encrypted key back to the device.

  4. The IoT Hub client application on the device then connects to your hub.

  5. On successful connection to the hub, you should see the device appear in the IoT hub's IoT Devices explorer.

    Successful connection to the hub in the portal
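The registration sequence above, modelled offline as an added example (not code from the Azure docs or the Azure IoT SDK): the registration ID is derived as the SHA-256 hex digest of the endorsement key as the page describes, an unknown registration ID receives no challenge, and the TPM challenge is simplified to an HMAC over a single-use nonce keyed by the endorsement key (an assumed stand-in for real TPM credential activation). The hub name and key bytes are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def registration_id_from_ek(endorsement_key: bytes) -> str:
    """Registration ID derived from the TPM as the page suggests: SHA-256 of the EK, hex."""
    return hashlib.sha256(endorsement_key).hexdigest()


class ProvisioningServiceModel:
    """Offline stand-in for a DPS instance: an enrollment list plus the handshake.
    Assumption: possession of the EK is proven with HMAC-SHA256 over a nonce; a real
    TPM proves it via credential activation, which this model does not implement."""

    def __init__(self, assigned_hub: str):
        self.assigned_hub = assigned_hub
        self.enrollments = {}   # registration_id -> (endorsement_key, device_id)
        self.pending = {}       # registration_id -> outstanding single-use nonce

    def enroll(self, endorsement_key: bytes, device_id: Optional[str] = None) -> str:
        """Portal step: add the EK and (optionally) a desired IoT hub device ID."""
        rid = registration_id_from_ek(endorsement_key)
        self.enrollments[rid] = (endorsement_key, device_id or rid)
        return rid

    def register(self, registration_id: str) -> Optional[bytes]:
        """Steps 1-2: only an enrolled registration ID receives a challenge."""
        if registration_id not in self.enrollments:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[registration_id] = nonce
        return nonce

    def complete(self, registration_id: str, proof: bytes) -> Optional[dict]:
        """Step 3: on a valid, fresh response, hand back the hub URI and device ID."""
        nonce = self.pending.pop(registration_id, None)   # nonce is consumed either way
        if nonce is None:
            return None
        ek, device_id = self.enrollments[registration_id]
        expected = hmac.new(ek, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return {"assignedHub": self.assigned_hub, "deviceId": device_id}


def device_first_boot(dps: ProvisioningServiceModel, endorsement_key: bytes) -> Optional[dict]:
    """Client side: derive the registration ID, request registration, answer the challenge."""
    rid = registration_id_from_ek(endorsement_key)
    nonce = dps.register(rid)
    if nonce is None:
        return None
    proof = hmac.new(endorsement_key, nonce, hashlib.sha256).digest()
    return dps.complete(rid, proof)


SAMPLE_EK = b"constructed-endorsement-key-bytes"   # constructed sample, not a real EK
```

A device whose registration ID is not in the enrollment list never gets past step 1, and a stale or wrong challenge response returns no hub assignment.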

For more information, see the provisioning device client sample, prov_dev_client_sample.c. The sample demonstrates provisioning a simulated device using TPM, X.509 certificates, and symmetric keys. Refer back to the TPM, X.509, and Symmetric key attestation quickstarts for step-by-step instructions on using the sample.

Next steps

In this tutorial, you learned how to:

  • Enroll the device
  • Start the device
  • Verify the device is registered

Advance to the next tutorial to learn how to provision multiple devices across load-balanced hubs.