Authenticate a downstream device to Azure IoT Hub

In a transparent gateway scenario, downstream devices (sometimes called leaf devices or child devices) need identities in IoT Hub like any other device. This article walks through the options for authenticating a downstream device to IoT Hub, and then demonstrates how to declare the gateway connection.

There are three general steps to set up a successful transparent gateway connection. This article covers the second step:

  1. Configure the gateway device as a server so that downstream devices can connect to it securely. Set up the gateway to receive messages from downstream devices and route them to the proper destination. For more information, see Configure an IoT Edge device to act as a transparent gateway.
  2. Create a device identity for the downstream device so that it can authenticate with IoT Hub. Configure the downstream device to send messages through the gateway device.
  3. Connect the downstream device to the gateway device and start sending messages. For more information, see Connect a downstream device to an Azure IoT Edge gateway.

Downstream devices can authenticate with IoT Hub using one of three methods: symmetric keys (sometimes referred to as shared access keys), X.509 self-signed certificates, or X.509 certificate authority (CA) signed certificates. The authentication steps are similar to the steps used to set up any non-IoT-Edge device with IoT Hub, with small differences to declare the gateway relationship.

The steps in this article show manual device provisioning. Automatic provisioning of downstream devices with the Azure IoT Hub Device Provisioning Service (DPS) is not supported.

Prerequisites

Complete the steps in Configure an IoT Edge device to act as a transparent gateway.

If you're using X.509 authentication, you will generate certificates for your downstream device. Have the same root CA certificate and the certificate-generating script that you used for the transparent gateway article available to use again.

This article refers to the gateway hostname at several points. The gateway hostname is declared in the hostname parameter of the config.yaml file on the IoT Edge gateway device. It's referenced in the connection string of the downstream device. The gateway hostname needs to be resolvable to an IP address, either using DNS or a hosts file entry on the downstream device.

Register device with IoT Hub

Choose how you want your downstream device to authenticate with IoT Hub:

  • Symmetric key authentication: IoT Hub creates a key that you put on the downstream device. When the device authenticates, IoT Hub checks that the two keys match. You don't need to create additional certificates to use symmetric key authentication.
  • X.509 self-signed authentication: Sometimes called thumbprint authentication, because you share the thumbprint from the device's X.509 certificate with IoT Hub.
  • X.509 CA-signed authentication: Upload the root CA certificate to IoT Hub. When devices present their X.509 certificate for authentication, IoT Hub checks that it belongs to a chain of trust signed by the same root CA certificate.

After you register your device with one of these three methods, continue to the next section to Retrieve and modify the connection string for your downstream device.

Symmetric key authentication

Symmetric key authentication, or shared access key authentication, is the simplest way to authenticate with IoT Hub. With symmetric key authentication, a base64 key is associated with your IoT device ID in IoT Hub. You include that key in your IoT applications so that your device can present it when it connects to IoT Hub.

Add a new IoT device in your IoT hub, using either the Azure portal, Azure CLI, or the IoT extension for Visual Studio Code. Remember that downstream devices need to be identified in IoT Hub as regular IoT devices, not IoT Edge devices.

When you create the new device identity, provide the following information:

  • Create an ID for your device.

  • Select Symmetric key as the authentication type.

  • Optionally, choose Set a parent device and select the IoT Edge gateway device that this downstream device will connect through. This step is optional for symmetric key authentication, but it's recommended because setting a parent device enables offline capabilities for your downstream device. You can always update the device details to add or change the parent later.

    [Screenshot: Create device ID with symmetric key authentication in the portal]

You can also use the IoT extension for Azure CLI to complete the same operation. The following example creates a new IoT device with symmetric key authentication and assigns a parent device:

az iot hub device-identity create -n {iothub name} -d {new device ID} --pd {existing gateway device ID}

For more information about Azure CLI commands for device creation and parent/child management, see the reference content for az iot hub device-identity commands.

Next, Retrieve and modify the connection string so that your device knows to connect via its gateway.

X.509 self-signed authentication

For X.509 self-signed authentication, sometimes referred to as thumbprint authentication, you need to create certificates to place on your downstream device. These certificates have a thumbprint in them that you share with IoT Hub for authentication.

  1. Using your CA certificate, create two device certificates (primary and secondary) for the downstream device.

    If you don't have a certificate authority to create X.509 certificates, you can use the IoT Edge demo certificate scripts to Create downstream device certificates. Follow the steps for creating self-signed certificates. Use the same root CA certificate that generated the certificates for your gateway device.

    If you create your own certificates, make sure that the device certificate's subject name is set to the device ID that you use when registering the IoT device in Azure IoT Hub. This setting is required for authentication.

  2. Retrieve the SHA1 fingerprint (called a thumbprint in the IoT Hub interface) from each certificate, which is a 40 hexadecimal character string. Use the following openssl command to view the certificate and find the fingerprint:

    • Windows:

      openssl x509 -in <path to primary device certificate>.cert.pem -text -fingerprint
      
    • Linux:

      openssl x509 -in <path to primary device certificate>.cert.pem -text -fingerprint | sed 's/[:]//g'
      

    Run this command twice, once for the primary certificate and once for the secondary certificate. You provide fingerprints for both certificates when you register a new IoT device using self-signed X.509 certificates.

  3. Navigate to your IoT hub in the Azure portal and create a new IoT device identity with the following values:

    • Provide the Device ID that matches the subject name of your device certificates.
    • Select X.509 Self-Signed as the authentication type.
    • Paste the hexadecimal strings that you copied from your device's primary and secondary certificates.
    • Select Set a parent device and choose the IoT Edge gateway device that this downstream device will connect through. A parent device is required for X.509 authentication of a downstream device.

    [Screenshot: Create device ID with X.509 self-signed authentication in the portal]

  4. Copy both the primary and secondary device certificates and their keys to any location on the downstream device. Also move a copy of the shared root CA certificate that generated both the gateway device certificate and the downstream device certificates.

    You'll reference these certificate files in any applications on the downstream device that connect to IoT Hub. You can use a service like Azure Key Vault or a function like Secure Copy Protocol to move the certificate files.

  5. Depending on your preferred language, review samples of how X.509 certificates can be referenced in IoT applications:

You can also use the IoT extension for Azure CLI to complete the same device creation operation. The following example creates a new IoT device with X.509 self-signed authentication and assigns a parent device:

az iot hub device-identity create -n {iothub name} -d {device ID} --pd {gateway device ID} --am x509_thumbprint --ptp {primary thumbprint} --stp {secondary thumbprint}

For more information about Azure CLI commands for device creation, certificate generation, and parent and child management, see the reference content for az iot hub device-identity commands.

Next, Retrieve and modify the connection string so that your device knows to connect via its gateway.
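The thumbprint values passed to --ptp and --stp above are SHA1 fingerprints of the DER-encoded certificates with the colons removed. As an added example (not code from the original article or from the IoT Edge project), the following Python derives that value directly from a PEM file and also normalizes the colon-separated line that the Windows openssl command prints, so both platforms yield the same 40-character string; the PEM and openssl output embedded at the top are constructed stand-ins, not real certificates.

```python
"""Derive the X.509 thumbprint that IoT Hub expects for a self-signed device.

IoT Hub's "thumbprint" is the SHA1 fingerprint of the DER-encoded certificate,
written as 40 hex characters with no colons. This computes it straight from a
PEM file and also normalizes the colon-separated value that `openssl x509
-fingerprint` prints, so Windows (no sed) and Linux give the same result.
"""
import base64
import hashlib
import re

THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed stand-in: the body is base64 of b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Constructed stand-in for the Windows openssl output (colons still present).
SAMPLE_OPENSSL_OUTPUT = (
    "SHA1 Fingerprint=A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and base64-decode the body to DER bytes."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def thumbprint_from_pem(pem: str) -> str:
    """SHA1 over the DER encoding, uppercase hex, no separators."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def thumbprint_from_openssl_output(text: str) -> str:
    """Pull the SHA1 Fingerprint= line out of `openssl x509 -fingerprint`
    output and drop the colons (the step the Linux sed command performs)."""
    match = re.search(r"SHA1 Fingerprint=([0-9A-Fa-f:]+)", text)
    if not match:
        raise ValueError("no SHA1 Fingerprint line in openssl output")
    return match.group(1).replace(":", "").upper()


def validate_thumbprint_pair(primary: str, secondary: str) -> bool:
    """Both --ptp and --stp values must be 40 hex characters; two distinct
    certificates are expected, so identical values are rejected as a slip."""
    for tp in (primary, secondary):
        if not THUMBPRINT_RE.match(tp):
            raise ValueError(f"not a 40-character hex thumbprint: {tp!r}")
    if primary == secondary:
        raise ValueError("primary and secondary thumbprints are identical")
    return True
```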

X.509 CA-signed authentication

For X.509 certificate authority (CA) signed authentication, you need a root CA certificate registered in IoT Hub that you use to sign certificates for your downstream device. Any device using a certificate that was issued by the root CA certificate or any of its intermediate certificates will be permitted to authenticate.

This section is based on the instructions detailed in the IoT Hub article Set up X.509 security in your Azure IoT hub.

  1. Using your CA certificate, create two device certificates (primary and secondary) for the downstream device.

    If you don't have a certificate authority to create X.509 certificates, you can use the IoT Edge demo certificate scripts to Create downstream device certificates. Follow the steps for creating CA-signed certificates. Use the same root CA certificate that generated the certificates for your gateway device.

  2. Follow the instructions in the Register X.509 CA certificates to your IoT hub section of Set up X.509 security in your Azure IoT hub. In that section, you perform the following steps:

    1. Upload a root CA certificate. If you're using the demo certificates, the root CA is <path>/certs/azure-iot-test-only.root.ca.cert.pem.

    2. Verify that you own that root CA certificate.

  3. Follow the instructions in the Create an X.509 device for your IoT hub section of Set up X.509 security in your Azure IoT hub. In that section, you perform the following steps:

    1. Add a new device. Provide a lowercase name for the device ID, and choose the authentication type X.509 CA Signed.

    2. Set a parent device. For downstream devices, select Set a parent device and choose the IoT Edge gateway device that will provide the connection to IoT Hub.

  4. Create a certificate chain for your downstream device. Use the same root CA certificate that you uploaded to IoT Hub to make this chain. Use the same lowercase device ID that you gave to your device identity in the portal.

  5. Copy the device certificate and keys to any location on the downstream device. Also move a copy of the shared root CA certificate that generated both the gateway device certificate and the downstream device certificates.

    You'll reference these files in any applications on the downstream device that connect to IoT Hub. You can use a service like Azure Key Vault or a function like Secure Copy Protocol to move the certificate files.

  6. Depending on your preferred language, review samples of how X.509 certificates can be referenced in IoT applications:

You can also use the IoT extension for Azure CLI to complete the same device creation operation. The following example creates a new IoT device with X.509 CA-signed authentication and assigns a parent device:

az iot hub device-identity create -n {iothub name} -d {device ID} --pd {gateway device ID} --am x509_ca

For more information, see the Azure CLI reference content for az iot hub device-identity commands.

Next, Retrieve and modify the connection string so that your device knows to connect via its gateway.

Retrieve and modify the connection string

After creating an IoT device identity in the portal, you can retrieve its primary or secondary keys. One of these keys needs to be included in the connection string that applications use to communicate with IoT Hub. For symmetric key authentication, IoT Hub provides the fully formed connection string in the device details for your convenience. You need to add extra information about the gateway device to the connection string.

Connection strings for downstream devices need the following components:

  • The IoT hub that the device connects to: HostName={iothub name}.azure-devices.cn
  • The device ID registered with the hub: DeviceId={device ID}
  • Either the primary or secondary key: SharedAccessKey={key}
  • The gateway device that the device connects through. Provide the hostname value from the IoT Edge gateway device's config.yaml file: GatewayHostName={gateway hostname}

All together, a complete connection string looks like:

HostName=myiothub.azure-devices.cn;DeviceId=myDownstreamDevice;SharedAccessKey=xxxyyyzzz;GatewayHostName=myGatewayDevice

If you established a parent/child relationship for this downstream device, then you can simplify the connection string by naming the gateway directly as the connection host. Parent/child relationships are required for X.509 authentication but optional for symmetric key authentication. For example:

HostName=myGatewayDevice;DeviceId=myDownstreamDevice;SharedAccessKey=xxxyyyzzz

You'll use this modified connection string in the next article of the transparent gateway series.

Next steps

At this point, you have an IoT Edge device registered with your IoT hub and configured as a transparent gateway. You also have a downstream device registered with your IoT hub and pointing to its gateway device.

The steps in this article set up your downstream device to authenticate to IoT Hub. Next, you need to configure your downstream device to trust the gateway device and connect to it securely. Continue on to the next article in the transparent gateway series, Connect a downstream device to an Azure IoT Edge gateway.
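Both connection string forms above can be produced mechanically from the string IoT Hub hands out for a symmetric-key device. As an added example (not code from the original article or from the Azure SDKs), this Python parses that string, checks that HostName, DeviceId and SharedAccessKey are all present, appends GatewayHostName for the full form, and rewrites HostName to the gateway for the shortened form that is only valid once a parent has been set; the sample values are the constructed ones used in the article.

```python
"""Build the two downstream-device connection string forms described above.

The full form keeps IoT Hub as HostName and adds GatewayHostName (the hostname
value from the gateway's config.yaml, which must resolve via DNS or a hosts
entry). The short form names the gateway as HostName instead and is valid
only when a parent/child relationship exists in IoT Hub.
"""
REQUIRED = ("HostName", "DeviceId", "SharedAccessKey")

# Constructed sample, the string IoT Hub would show for a symmetric-key device.
SAMPLE_HUB_CONN = ("HostName=myiothub.azure-devices.cn;"
                   "DeviceId=myDownstreamDevice;SharedAccessKey=xxxyyyzzz")


def parse_connection_string(conn: str) -> dict:
    """Split `Key=Value;Key=Value` into a dict. partition() on the first '='
    keeps the '=' padding that base64 SharedAccessKey values often end with."""
    parts = {}
    for segment in filter(None, conn.strip().split(";")):
        key, sep, value = segment.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key] = value
    missing = [k for k in REQUIRED if k not in parts]
    if missing:
        raise ValueError(f"connection string lacks {missing}")
    return parts


def format_connection_string(parts: dict) -> str:
    return ";".join(f"{k}={v}" for k, v in parts.items())


def with_gateway(conn: str, gateway_hostname: str) -> str:
    """Full form: IoT Hub stays HostName, GatewayHostName names the gateway."""
    if not gateway_hostname or any(c in gateway_hostname for c in ";="):
        raise ValueError("gateway hostname must be a plain resolvable name")
    parts = parse_connection_string(conn)
    parts["GatewayHostName"] = gateway_hostname
    return format_connection_string(parts)


def simplified_for_parent(conn: str, gateway_hostname: str) -> str:
    """Short form for a device whose parent is set in IoT Hub: the gateway
    becomes HostName and any GatewayHostName component is dropped."""
    if not gateway_hostname or any(c in gateway_hostname for c in ";="):
        raise ValueError("gateway hostname must be a plain resolvable name")
    parts = parse_connection_string(conn)
    parts.pop("GatewayHostName", None)
    parts["HostName"] = gateway_hostname
    return format_connection_string(parts)
```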