Improve security for B2B messages by using certificates

When you need to keep B2B communication confidential, you can increase security for B2B communication in your enterprise integration apps, specifically logic apps, by adding certificates to your integration account. Certificates are digital documents that verify the identities of the participants in electronic communications and help you secure communication in these ways:

  • Encrypt message content.
  • Digitally sign messages.

You can use these certificates in your enterprise integration apps:

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Upload a public certificate

To use a public certificate in logic apps that have B2B capabilities, you must first upload the certificate to your integration account. After you define the properties in the agreements that you create, the certificate is available to help you secure your B2B messages.

  1. Sign in to the Azure portal. On the main Azure menu, select All resources. In the search box, enter your integration account name, and then select the integration account you want.

    (Screenshot: Find and select your integration account)

  2. Under Components, choose the Certificates tile.

    (Screenshot: Choose Certificates)

  3. Under Certificates, choose Add. Under Add Certificate, provide these details for your certificate. When you're done, choose OK.

    | Property | Value | Description |
    |---|---|---|
    | Name | <certificate-name> | Your certificate's name, which is "publicCert" in this example |
    | Certificate Type | Public | Your certificate's type |
    | Certificate | <certificate-file-name> | To find and select the certificate file you want to upload, choose the folder icon next to the Certificate box. |

    (Screenshot: Choose Add and provide certificate details)

    After Azure validates your selection, Azure uploads your certificate.

    (Screenshot: Azure shows the new certificate)

Upload a private certificate

To use a private certificate in logic apps that have B2B capabilities, you must first upload the certificate to your integration account. You also need to have a private key, which you first add to Azure Key Vault.

After you define the properties in the agreements that you create, the certificate is available to help you secure your B2B messages.

Note

For private certificates, make sure that you also add the corresponding public certificate, which appears in the AS2 agreement's Send and Receive settings for signing and encrypting messages.

  1. Add your private key to Azure Key Vault and provide a Key Name.

  2. Authorize Azure Logic Apps to perform operations on Azure Key Vault. To grant access to the Logic Apps service principal, use the PowerShell command Set-AzKeyVaultAccessPolicy, for example:

    # Grant the Logic Apps service principal only the key operations it needs for signing and decryption
    Set-AzKeyVaultAccessPolicy -VaultName 'TestcertKeyVault' -ServicePrincipalName '7cd684f4-8a78-49b0-91ec-6a35d38739ba' -PermissionsToKeys decrypt, sign, get, list

  3. Sign in to the Azure portal. On the main Azure menu, select All resources. In the search box, enter your integration account name, and then select the integration account you want.

    (Screenshot: Find your integration account)

  4. Under Components, choose the Certificates tile.

    (Screenshot: Choose the Certificates tile)

  5. Under Certificates, choose Add. Under Add Certificate, provide these details for your certificate. When you're done, choose OK.

    | Property | Value | Description |
    |---|---|---|
    | Name | <certificate-name> | Your certificate's name, which is "privateCert" in this example |
    | Certificate Type | Private | Your certificate's type |
    | Certificate | <certificate-file-name> | To find and select the certificate file you want to upload, choose the folder icon next to the Certificate box. When the private key is held in a key vault, the file you upload here is the public certificate. |
    | Resource Group | <integration-account-resource-group> | Your integration account's resource group, which is "MyResourceGroup" in this example |
    | Key Vault | <key-vault-name> | Your Azure key vault's name |
    | Key name | <key-name> | Your key's name |

    (Screenshot: Choose Add and provide certificate details)

    After Azure validates your selection, Azure uploads your certificate.

    (Screenshot: Azure shows the new certificate)
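The following PowerShell script is an added example, not part of the original article: it performs steps 1 and 2 above from the command line (importing the private key into Key Vault and granting the Logic Apps service principal a least-privilege access policy) and then reads the policy back to confirm that no key permissions beyond the four the article lists were granted. The vault name and the Logic Apps application ID come from the article; the key name and PFX path are assumed placeholders.

```powershell
# Added example: scripted version of steps 1 and 2. Requires the Az.KeyVault and Az.Resources modules.
$VaultName      = 'TestcertKeyVault'                      # vault name from the article's example
$KeyName        = 'privateCertKey'                        # assumed key name; reuse it in the Key name field of step 5
$PfxPath        = 'C:\certs\privateCert.pfx'              # assumed path to the PFX that holds the private key
$LogicAppsAppId = '7cd684f4-8a78-49b0-91ec-6a35d38739ba'  # Logic Apps service principal, as used in the article

# Step 1: import the private key from the PFX into Key Vault as a software-protected key.
# The PFX password is prompted for so it never sits in the script or shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
           -KeyFilePath $PfxPath -KeyFilePassword $PfxPassword -Destination 'Software'
Write-Host "Imported key '$($key.Name)' (version $($key.Version)) into $VaultName"

# Step 2: grant the Logic Apps service principal only what AS2 processing needs:
# decrypt incoming payloads, sign outgoing ones, and read key metadata. No create, import, or delete.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $LogicAppsAppId `
    -PermissionsToKeys decrypt, sign, get, list

# Check: read the vault's access policies back and make sure the Logic Apps entry
# is limited to those four key operations and has no secret or certificate permissions.
$sp       = Get-AzADServicePrincipal -ApplicationId $LogicAppsAppId
$policy   = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
            Where-Object { $_.ObjectId -eq $sp.Id }
$expected = @('decrypt', 'sign', 'get', 'list')
$extraKeyOps = $policy.PermissionsToKeys | Where-Object { $_ -notin $expected }

if (-not $policy) {
    Write-Warning 'No access policy found for the Logic Apps service principal'
} elseif ($extraKeyOps -or $policy.PermissionsToSecrets -or $policy.PermissionsToCertificates) {
    Write-Warning "Policy grants more than needed. Extra key ops: $($extraKeyOps -join ', ')"
} else {
    Write-Host 'Logic Apps access is limited to decrypt, sign, get, list on keys'
}
```

Uploading the public certificate to the integration account (steps 3 to 5) is still done in the portal as described above.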

Next steps