Authenticate a downstream device to Azure IoT Hub

In a transparent gateway scenario, downstream devices (sometimes called leaf devices or child devices) need identities in IoT Hub like any other device. This article walks through the options for authenticating a downstream device to IoT Hub, and then shows how to declare the gateway connection.

There are three general steps to set up a successful transparent gateway connection. This article covers the second step:

  1. The gateway device needs to be able to securely connect to downstream devices, receive communications from them, and route messages to the proper destination. For more information, see Configure an IoT Edge device to act as a transparent gateway.
  2. The downstream device needs a device identity so that it can authenticate with IoT Hub, and it needs to know to communicate through its gateway device.
  3. The downstream device needs to connect to its gateway device securely. For more information, see Connect a downstream device to an Azure IoT Edge gateway.

Downstream devices can authenticate with IoT Hub using one of three methods: symmetric keys (sometimes referred to as shared access keys), X.509 self-signed certificates, or X.509 certificate authority (CA) signed certificates. The authentication steps are similar to those used to set up any non-IoT-Edge device with IoT Hub, with small differences to declare the gateway relationship.

The steps in this article show manual device provisioning, not automatic provisioning with the Azure IoT Hub Device Provisioning Service (DPS). Provisioning downstream devices with DPS is not supported.

Prerequisites

Complete the steps in Configure an IoT Edge device to act as a transparent gateway. If you're using X.509 authentication for your downstream device, you need to use the same certificate-generating script that you set up in the transparent gateway article.

This article refers to the gateway hostname at several points. The gateway hostname is declared in the hostname parameter of the config.yaml file on the IoT Edge gateway device, and it is referenced in the connection string of the downstream device. The gateway hostname must be resolvable to an IP address, either through DNS or a hosts file entry. It is also the name the downstream device verifies against the gateway's TLS server certificate, so it must match the name that certificate was issued for.

Register device (Symmetric key)

Symmetric key authentication, also called shared access key authentication, is the simplest way to authenticate with IoT Hub. With symmetric key authentication, a base64-encoded key is associated with your IoT device ID in IoT Hub. You include that key in your IoT application so that the device can sign the shared access signature it presents when it connects to IoT Hub; the key itself is never sent over the connection and must be stored and distributed as a secret.

Create the device identity

Add a new IoT device in your IoT hub, using the Azure portal, the Azure CLI, or the IoT extension for Visual Studio Code. Remember that downstream devices need to be registered in IoT Hub as regular IoT devices, not IoT Edge devices.

When you create the new device identity, provide the following information:

  • Create an ID for your device.

  • Select Symmetric key as the authentication type.

  • Optionally, choose Set a parent device and select the IoT Edge gateway device that this downstream device will connect through. This step is optional for symmetric key authentication, but it's recommended because setting a parent device enables offline capabilities for your downstream device. You can always update the device details later to add or change the parent.

    [Screenshot: Create a device ID in the portal using symmetric key authentication]

You can use the IoT extension for the Azure CLI to complete the same operation. The following example creates a new IoT device with symmetric key authentication and assigns a parent device:

az iot hub device-identity create -n {iothub name} -d {new device ID} --pd {existing gateway device ID}

For more information about Azure CLI commands for device creation and parent/child management, see the reference content for the az iot hub device-identity commands.

Next, retrieve and modify the connection string so that your device knows to connect through its gateway.

Register device (X.509 self-signed)

For X.509 self-signed authentication, sometimes referred to as thumbprint authentication, you create new certificates to place on your IoT device. IoT Hub identifies each certificate by its thumbprint (the SHA1 fingerprint of the certificate), which you register with the device identity. The thumbprint is only an identifier: at connection time the device still has to prove possession of the matching private key in the TLS handshake.

If you don't have a certificate authority to create X.509 certificates, you can Create demo certificates to test IoT Edge device features. When generating test certificates for your downstream device, use the same root CA certificate that generated the certificates for your gateway device.

  1. Using your CA certificate, create two device certificates (primary and secondary) for the downstream device.

    The device certificate must have its Subject Name (common name) set to the device ID that you will use when registering the IoT device in Azure IoT Hub. This setting is required for authentication.

  2. Retrieve the SHA1 fingerprint (called a thumbprint in the IoT Hub interface) from each certificate; it is a 40-character hexadecimal string. Use the following openssl command to view the certificate and find the fingerprint:

    openssl x509 -in <primary device certificate>.cert.pem -text -fingerprint | sed 's/[:]//g'
    

    Run this command twice, once for the primary certificate and once for the secondary certificate. You provide the fingerprints of both certificates when you register a new IoT device using self-signed X.509 certificates.

  3. Navigate to your IoT hub in the Azure portal and create a new IoT device identity with the following values:

    • Provide the Device ID that matches the subject name of your device certificates.
    • Select X.509 Self-Signed as the authentication type.
    • Paste the hexadecimal strings that you copied from your device's primary and secondary certificates.
    • Select Set a parent device and choose the IoT Edge gateway device that this downstream device will connect through. A parent device is required for X.509 authentication of a downstream device.

    [Screenshot: Create a device ID in the portal using X.509 self-signed authentication]

  4. Copy the device certificate and keys to any location on the downstream device. Also move a copy of the shared root CA certificate that generated both the gateway device certificate and the downstream device certificates.

    You'll reference these files in the leaf device applications that connect to IoT Hub. You can use a service like Azure Key Vault or a tool like the Secure Copy Protocol (scp) to move the certificate files. The private keys are the device's credential: restrict their file permissions on the device and never transfer them over an unauthenticated channel.

  5. Depending on your preferred language, review samples of how X.509 certificates can be referenced in IoT applications:

You can use the IoT extension for the Azure CLI to complete the same device creation operation. The following example creates a new IoT device with X.509 self-signed authentication and assigns a parent device:

az iot hub device-identity create -n {iothub name} -d {device ID} --pd {gateway device ID} --am x509_thumbprint --ptp {primary thumbprint} --stp {secondary thumbprint}

For more information about Azure CLI commands for device creation, certificate generation, and parent/child management, see the reference content for the az iot hub device-identity commands.
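Step 2 above and the --ptp/--stp flags in the CLI command rely on the same value: the SHA1 fingerprint of the certificate's DER encoding. The following Python is an added example, not code from this page or from Azure tooling. It derives that thumbprint from a PEM file without openssl, normalizes the colon-separated form that openssl prints into the 40-hex form IoT Hub expects, and assembles the CLI command from the computed values. The PEM it ships with is a constructed placeholder wrapping the bytes "abc" rather than a real certificate, so the result can be checked against the well-known SHA1 test vector for "abc".

```python
"""Compute and normalize X.509 thumbprints for self-signed (thumbprint) registration.

Added example, not code from the page or from Azure tooling. It assumes only what
the page states: IoT Hub matches the SHA1 fingerprint of the device certificate,
supplied as 40 hexadecimal characters. SAMPLE_PEM is a constructed placeholder
whose body is the bytes b"abc" (not a real certificate) so the result can be
checked against the well-known SHA1("abc") test vector.
"""
import base64
import hashlib
import re

# Constructed sample: a PEM wrapper around base64("abc"). NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body of the first CERTIFICATE block to its DER bytes.

    The thumbprint is defined over the DER encoding, not the PEM text, so line
    endings or trailing comments in the .pem file do not change it.
    """
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def thumbprint(pem: str) -> str:
    """SHA1 over the DER encoding, uppercase hex, no colons.

    This is the value `openssl x509 -fingerprint` prints once the colons are
    removed, and the form the portal and --ptp/--stp expect.
    """
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize_thumbprint(text: str) -> str:
    """Accept openssl's 'SHA1 Fingerprint=AB:CD:...' line or a bare value.

    Returns the canonical 40-hex-character form; anything else (wrong hash
    length, stray characters) is rejected rather than silently truncated.
    """
    value = text.split("=", 1)[1] if "=" in text else text
    value = value.strip().replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", value):
        raise ValueError(f"not a SHA1 thumbprint: {text!r}")
    return value


def thumbprints_match(a: str, b: str) -> bool:
    """Compare two thumbprints regardless of colons or letter case."""
    return normalize_thumbprint(a) == normalize_thumbprint(b)


def register_command(hub: str, device_id: str, gateway_id: str,
                     primary_pem: str, secondary_pem: str) -> str:
    """Build the `az iot hub device-identity create` call shown on the page, with
    the two thumbprints computed from the PEM files instead of copied by hand."""
    return (
        f"az iot hub device-identity create -n {hub} -d {device_id} "
        f"--pd {gateway_id} --am x509_thumbprint "
        f"--ptp {thumbprint(primary_pem)} --stp {thumbprint(secondary_pem)}"
    )


if __name__ == "__main__":
    print(thumbprint(SAMPLE_PEM))
    print(register_command("myiothub", "myDownstreamDevice", "myGatewayDevice",
                           SAMPLE_PEM, SAMPLE_PEM))
```

Nothing here parses the certificate body, so the subject-name check from step 1 still needs openssl (for example `openssl x509 -noout -subject`) or a proper X.509 library. Note also that a thumbprint only identifies which certificate is registered; the device proves possession of the matching private key during the TLS handshake, so the registration is only as strong as the protection of that key.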

Next, retrieve and modify the connection string so that your device knows to connect through its gateway.

Register device (X.509 CA signed)

For X.509 certificate authority (CA) signed authentication, you need a root CA certificate registered in IoT Hub that you use to sign certificates for your IoT devices. Any device presenting a certificate issued by that root CA, or by any of its intermediate CAs, is permitted to authenticate, provided a device identity whose ID matches the certificate's subject common name has been registered in the hub. Protect the CA's private key accordingly: anyone who can issue from it can mint a valid credential for any registered device ID.

This section is based on the instructions detailed in the IoT Hub article Set up X.509 security in your Azure IoT hub. Follow the steps in this section to know which values to use when setting up a downstream device that connects through a gateway.

If you don't have a certificate authority to create X.509 certificates, you can Create demo certificates to test IoT Edge device features. When generating test certificates for your downstream device, use the same root CA certificate that generated the certificates for your gateway device.

  1. Follow the instructions in the Register X.509 CA certificates to your IoT hub section of Set up X.509 security in your Azure IoT hub. In that section, you perform the following steps:

    1. Upload a root CA certificate. If you're using the demo certificates, the root CA is <path>/certs/azure-iot-test-only.root.ca.cert.pem.

    2. Verify that you own that root CA certificate (proof of possession).

  2. Follow the instructions in the Create an X.509 device for your IoT hub section of Set up X.509 security in your Azure IoT hub. In that section, you perform the following steps:

    1. Add a new device. Provide a lowercase name for the device ID, and choose the authentication type X.509 CA Signed.
    2. Set a parent device. For downstream devices, select Set a parent device and choose the IoT Edge gateway device that will provide the connection to IoT Hub.
  3. Create a certificate chain for your downstream device. Use the same root CA certificate that you uploaded to IoT Hub to make this chain. Use the same lowercase device ID that you gave to your device identity in the portal as the certificate's subject common name.

  4. Copy the device certificate and keys to any location on the downstream device. Also move a copy of the shared root CA certificate that generated both the gateway device certificate and the downstream device certificates.

    You'll reference these files in the leaf device applications that connect to IoT Hub. You can use a service like Azure Key Vault or a tool like the Secure Copy Protocol (scp) to move the certificate files. As with the self-signed case, the private key is the device's credential and must be protected on disk and in transit.

  5. Depending on your preferred language, review samples of how X.509 certificates can be referenced in IoT applications:

You can use the IoT extension for the Azure CLI to complete the same device creation operation. The following example creates a new IoT device with X.509 CA signed authentication and assigns a parent device:

az iot hub device-identity create -n {iothub name} -d {device ID} --pd {gateway device ID} --am x509_ca

For more information, see the Azure CLI reference content for the az iot hub device-identity commands.

Next, retrieve and modify the connection string so that your device knows to connect through its gateway.

Retrieve and modify connection string

After creating an IoT device identity in the portal, you can retrieve its primary or secondary key. One of these keys needs to be included in the connection string that applications use to communicate with IoT Hub. For symmetric key authentication, IoT Hub provides the fully formed connection string in the device details for your convenience. You need to add extra information about the gateway device to that connection string. (For X.509 devices there is no key to retrieve; the device certificate and private key you placed on the device take the place of the SharedAccessKey component.)

Connection strings for downstream devices need the following components:

  • The IoT hub that the device connects to: HostName={iothub name}.azure-devices.net
  • The device ID registered with the hub: DeviceId={device ID}
  • Either the primary or the secondary key: SharedAccessKey={key}
  • The gateway device that the device connects through. Provide the hostname value from the IoT Edge gateway device's config.yaml file: GatewayHostName={gateway hostname}

All together, a complete connection string looks like this:

HostName=myiothub.azure-devices.net;DeviceId=myDownstreamDevice;SharedAccessKey=xxxyyyzzz;GatewayHostName=myGatewayDevice

If you established a parent/child relationship for this downstream device, you can simplify the connection string by using the gateway directly as the connection host. Parent/child relationships are required for X.509 authentication but optional for symmetric key authentication. For example:

HostName=myGatewayDevice;DeviceId=myDownstreamDevice;SharedAccessKey=xxxyyyzzz
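The two forms above differ only in where the gateway appears, but the SharedAccessKey they carry is never itself sent to the gateway or to IoT Hub: the device SDK uses it to sign a short-lived shared access signature. The following Python is an added example, not code from this page or from the Azure IoT SDKs. It builds both connection-string forms from the string IoT Hub shows in the device details, then shows the HMAC-SHA256 token derivation and the matching verification (resource, expiry, constant-time signature compare) that the side holding the device key performs. The hub and device names are the ones used on the page; the key is a constructed placeholder, not a real credential.

```python
"""Downstream-device connection strings and the SAS tokens derived from them.

Added example, not code from the page or from the Azure IoT SDKs. It assumes only
the connection-string fields named on the page and the documented IoT Hub
shared-access-signature format (HMAC-SHA256 over "<url-encoded URI>\\n<expiry>").
SAMPLE_* values are constructed; a real key is random and kept secret.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode

REQUIRED_FIELDS = ("HostName", "DeviceId", "SharedAccessKey")

# Constructed sample values (hub, device and gateway names follow the page).
SAMPLE_HUB = "myiothub.azure-devices.net"
SAMPLE_DEVICE = "myDownstreamDevice"
SAMPLE_GATEWAY = "myGatewayDevice"
SAMPLE_KEY = base64.b64encode(b"0" * 32).decode()  # placeholder, not a real key
HUB_ISSUED_CS = f"HostName={SAMPLE_HUB};DeviceId={SAMPLE_DEVICE};SharedAccessKey={SAMPLE_KEY}"


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict, failing closed on bad input.

    Each part is split on its first '=' only, because a base64 key can end in
    '=' padding. A string missing a required field raises instead of returning
    a partial result that would surface later as a confusing connection error.
    """
    fields = {}
    for part in filter(None, cs.strip().split(";")):
        key, sep, value = part.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed connection string field: {part!r}")
        fields[key] = value
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"connection string is missing {missing}")
    return fields


def downstream_connection_string(hub_cs: str, gateway_hostname: str,
                                 simplified: bool = False) -> str:
    """Turn the string IoT Hub shows for a plain device into the downstream form.

    Full form appends GatewayHostName=<gateway>. The simplified form, valid only
    when a parent device is set in IoT Hub, uses the gateway itself as HostName.
    """
    f = parse_connection_string(hub_cs)
    if simplified:
        return (f"HostName={gateway_hostname};DeviceId={f['DeviceId']};"
                f"SharedAccessKey={f['SharedAccessKey']}")
    return (f"HostName={f['HostName']};DeviceId={f['DeviceId']};"
            f"SharedAccessKey={f['SharedAccessKey']};GatewayHostName={gateway_hostname}")


def _resource_uri(hub_hostname: str, device_id: str) -> str:
    return f"{hub_hostname}/devices/{device_id}"


def generate_sas_token(hub_hostname: str, device_id: str, shared_access_key: str,
                       expiry_epoch: int) -> str:
    """What the SDK does with SharedAccessKey: HMAC-SHA256 over
    '<url-encoded resource URI>\\n<expiry>' keyed by the base64-decoded key.
    Only this short-lived token is presented; the key never leaves the device."""
    uri = _resource_uri(hub_hostname, device_id)
    to_sign = f"{quote_plus(uri)}\n{int(expiry_epoch)}".encode()
    digest = hmac.new(base64.b64decode(shared_access_key), to_sign, hashlib.sha256).digest()
    return "SharedAccessSignature " + urlencode(
        {"sr": uri, "sig": base64.b64encode(digest).decode(), "se": str(int(expiry_epoch))})


def verify_sas_token(token: str, hub_hostname: str, device_id: str,
                     shared_access_key: str, now_epoch: int) -> bool:
    """The check done by whichever side holds the device key: rebuild the
    signature for the claimed resource and expiry, compare in constant time,
    and reject expired tokens or tokens minted for another hub or device."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        params = parse_qs(token[len(prefix):], strict_parsing=True)
        sr, sig, se = params["sr"][0], params["sig"][0], params["se"][0]
    except (ValueError, KeyError):
        return False
    if sr != _resource_uri(hub_hostname, device_id):
        return False
    if not se.isdigit() or int(se) <= now_epoch:
        return False
    expected = generate_sas_token(hub_hostname, device_id, shared_access_key, int(se))
    expected_sig = parse_qs(expected[len(prefix):])["sig"][0]
    return hmac.compare_digest(sig, expected_sig)


if __name__ == "__main__":
    print(downstream_connection_string(HUB_ISSUED_CS, SAMPLE_GATEWAY))
    print(downstream_connection_string(HUB_ISSUED_CS, SAMPLE_GATEWAY, simplified=True))
    print(generate_sas_token(SAMPLE_HUB, SAMPLE_DEVICE, SAMPLE_KEY, 1_700_000_000))
```

In the full form the token's audience (sr) names the IoT hub and the device ID, so a token captured from one device is not valid for another device or another hub, and the expiry bounds the window in which a captured token can be replayed. The key in the connection string has no such bound, so treat the file that holds it as a long-lived secret.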

At this point, you should have an IoT Edge device registered and configured as a gateway. You also have a downstream IoT device registered and pointing to its gateway device. The final step is to place certificates on your downstream device so that it can securely connect to the gateway.

Continue on to the next article in the gateway series, Connect a downstream device to an Azure IoT Edge gateway.

Next steps

By completing this article, you should have an IoT Edge device working as a transparent gateway and a downstream device registered with an IoT hub. Next, you need to configure your downstream devices to trust the gateway device and connect to it securely. For more information, see Connect a downstream device to an Azure IoT Edge gateway.