Split-merge security configuration

To use the Split/Merge service, you must correctly configure security. The service is part of the Elastic Scale feature of Azure SQL Database. For more information, see the Elastic Scale Split and Merge Service Tutorial.

Configuring certificates

Certificates are configured in two ways.

  1. To configure the SSL certificate
  2. To configure client certificates

To obtain certificates

Certificates can be obtained from public Certificate Authorities (CAs) or from the Windows Certificate Service. These are the preferred methods to obtain certificates.

If those options are not available, you can generate self-signed certificates.

Tools to generate certificates

To run the tools

To configure the SSL certificate

An SSL certificate is required to encrypt the communication and authenticate the server. Choose the most applicable of the three scenarios below, and execute all its steps:

Create a new self-signed certificate

  1. Create a Self-Signed Certificate
  2. Create PFX file for Self-Signed SSL Certificate
  3. Upload SSL Certificate to Cloud Service
  4. Update SSL Certificate in Service Configuration File
  5. Import SSL Certification Authority

To use an existing certificate from the certificate store

  1. Export SSL Certificate From Certificate Store
  2. Upload SSL Certificate to Cloud Service
  3. Update SSL Certificate in Service Configuration File

To use an existing certificate in a PFX file

  1. Upload SSL Certificate to Cloud Service
  2. Update SSL Certificate in Service Configuration File

To configure client certificates

Client certificates are required in order to authenticate requests to the service. Choose the most applicable of the three scenarios below, and execute all its steps:

Turn off client certificates

  1. Turn Off Client Certificate-Based Authentication

Issue new self-signed client certificates

  1. Create a Self-Signed Certification Authority
  2. Upload CA Certificate to Cloud Service
  3. Update CA Certificate in Service Configuration File
  4. Issue Client Certificates
  5. Create PFX files for Client Certificates
  6. Import Client Certificate
  7. Copy Client Certificate Thumbprints
  8. Configure Allowed Clients in the Service Configuration File

Use existing client certificates

  1. Find CA Public Key
  2. Upload CA Certificate to Cloud Service
  3. Update CA Certificate in Service Configuration File
  4. Copy Client Certificate Thumbprints
  5. Configure Allowed Clients in the Service Configuration File
  6. Configure Client Certificate Revocation Check

Allowed IP addresses

Access to the service endpoints can be restricted to specific ranges of IP addresses.

To configure encryption for the store

A certificate is required to encrypt the credentials that are stored in the metadata store. Choose the most applicable of the three scenarios below, and execute all its steps:

Use a new self-signed certificate

  1. Create a Self-Signed Certificate
  2. Create PFX file for Self-Signed Encryption Certificate
  3. Upload Encryption Certificate to Cloud Service
  4. Update Encryption Certificate in Service Configuration File

Use an existing certificate from the certificate store

  1. Export Encryption Certificate From Certificate Store
  2. Upload Encryption Certificate to Cloud Service
  3. Update Encryption Certificate in Service Configuration File

Use an existing certificate in a PFX file

  1. Upload Encryption Certificate to Cloud Service
  2. Update Encryption Certificate in Service Configuration File

The default configuration

The default configuration denies all access to the HTTP endpoint. This is the recommended setting, since requests to these endpoints may carry sensitive information such as database credentials. The default configuration allows all access to the HTTPS endpoint. This setting may be restricted further.

Changing the configuration

The group of access control rules that applies to an endpoint is configured in the <EndpointAcls> section of the service configuration file.

<EndpointAcls>
    <EndpointAcl role="SplitMergeWeb" endPoint="HttpIn" accessControl="DenyAll" />
    <EndpointAcl role="SplitMergeWeb" endPoint="HttpsIn" accessControl="AllowAll" />
</EndpointAcls>

The rules in an access control group are configured in an <AccessControl name=""> section of the service configuration file.

The format is explained in the Network Access Control Lists documentation. For example, to allow only IPs in the range 100.100.0.0 to 100.100.255.255 to access the HTTPS endpoint, the rules would look like this:

<AccessControl name="Restricted">
    <Rule action="permit" description="Some" order="1" remoteSubnet="100.100.0.0/16"/>
    <Rule action="deny" description="None" order="2" remoteSubnet="0.0.0.0/0" />
</AccessControl>
<EndpointAcls>
    <EndpointAcl role="SplitMergeWeb" endPoint="HttpsIn" accessControl="Restricted" />
</EndpointAcls>
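The ordered, first-match evaluation that the rules above rely on, as an added Python example (not code from the page or from the Split/Merge service): it parses the AccessControl and EndpointAcls fragments, evaluates a remote address against the rules in order, and treats DenyAll and AllowAll as built-in groups. The wrapping NetworkConfiguration element and the behaviour when no rule matches are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the page's <AccessControl> and <EndpointAcls> fragments wrapped in a
# root element so they parse as one document (the wrapper is an assumption, not the real .cscfg).
SERVICE_CONFIG = """
<NetworkConfiguration>
  <AccessControls>
    <AccessControl name="Restricted">
      <Rule action="permit" description="Some" order="1" remoteSubnet="100.100.0.0/16"/>
      <Rule action="deny" description="None" order="2" remoteSubnet="0.0.0.0/0" />
    </AccessControl>
  </AccessControls>
  <EndpointAcls>
    <EndpointAcl role="SplitMergeWeb" endPoint="HttpIn" accessControl="DenyAll" />
    <EndpointAcl role="SplitMergeWeb" endPoint="HttpsIn" accessControl="Restricted" />
  </EndpointAcls>
</NetworkConfiguration>
"""


def load_network_config(xml_text):
    """Return ({group name: [(order, action, network)]}, {(role, endpoint): group name})."""
    root = ET.fromstring(xml_text.strip())
    groups = {}
    for ac in root.iter("AccessControl"):
        rules = []
        for rule in ac.iter("Rule"):
            rules.append((int(rule.get("order")),
                          rule.get("action").lower(),
                          ipaddress.ip_network(rule.get("remoteSubnet"), strict=False)))
        rules.sort(key=lambda r: r[0])  # the lowest order is evaluated first
        groups[ac.get("name")] = rules
    endpoints = {(e.get("role"), e.get("endPoint")): e.get("accessControl")
                 for e in root.iter("EndpointAcl")}
    return groups, endpoints


GROUPS, ENDPOINTS = load_network_config(SERVICE_CONFIG)


def evaluate_access(role, endpoint, remote_ip, groups=GROUPS, endpoints=ENDPOINTS):
    """Return (allowed, reason) for a request from remote_ip to the role's endpoint."""
    group = endpoints.get((role, endpoint))
    if group is None:
        return True, "no EndpointAcl configured"   # endpoint without an ACL is left open
    if group == "DenyAll":
        return False, "DenyAll"
    if group == "AllowAll":
        return True, "AllowAll"
    addr = ipaddress.ip_address(remote_ip)
    for order, action, network in groups[group]:
        if addr in network:                        # the first matching rule wins
            return action == "permit", f"rule {order} {action} {network}"
    # Assumption: only an explicit deny blocks traffic, which is why the page's
    # example ends with a catch-all deny rule for 0.0.0.0/0.
    return True, "no rule matched"


def is_allowed(role, endpoint, remote_ip):
    return evaluate_access(role, endpoint, remote_ip)[0]
```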

Denial of service prevention

There are two different mechanisms supported to detect and prevent Denial of Service attacks:

  • Restrict the number of concurrent requests per remote host (off by default)
  • Restrict the rate of access per remote host (on by default)

These are based on the features further documented in Dynamic IP Security in IIS. When changing this configuration, beware of the following factors:

  • Proxies and Network Address Translation devices change the remote host information these limits are keyed on, so many clients can appear as one host
  • Each request to any resource in the web role is counted (for example, loading scripts, images, etc.)

Restricting the number of concurrent accesses

The settings that configure this behavior are:

<Setting name="DynamicIpRestrictionDenyByConcurrentRequests" value="false" />
<Setting name="DynamicIpRestrictionMaxConcurrentRequests" value="20" />

Change DynamicIpRestrictionDenyByConcurrentRequests to true to enable this protection.

Restricting the rate of access

The settings that configure this behavior are:

<Setting name="DynamicIpRestrictionDenyByRequestRate" value="true" />
<Setting name="DynamicIpRestrictionMaxRequests" value="100" />
<Setting name="DynamicIpRestrictionRequestIntervalInMilliseconds" value="2000" />
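A simplified model of the two per-host limits above (concurrent requests and request rate), written as an added Python example that is not IIS's or the service's code: it uses the page's default values so a practitioner can see how counting every resource request, and aggregating clients behind one NAT address, changes how quickly a host is denied. The NAT address and the exact sliding-window algorithm are assumptions.

```python
from collections import defaultdict, deque

# Page defaults: rate limit on (100 requests per 2000 ms), concurrency limit off (20 when on).
DEFAULTS = dict(deny_by_concurrent=False, max_concurrent=20,
                deny_by_rate=True, max_requests=100, interval_ms=2000)


class DynamicIpRestriction:
    """Simplified model (an assumption, not IIS's implementation) of the two per-host checks:
    an in-flight request count and a sliding-window request count."""

    def __init__(self, **settings):
        self.cfg = {**DEFAULTS, **settings}
        self.in_flight = defaultdict(int)   # remote host -> requests currently being served
        self.recent = defaultdict(deque)    # remote host -> timestamps (ms) inside the window

    def begin_request(self, host, now_ms):
        """Return True if the request is admitted, False if it would be denied."""
        cfg = self.cfg
        if cfg["deny_by_concurrent"] and self.in_flight[host] >= cfg["max_concurrent"]:
            return False
        if cfg["deny_by_rate"]:
            window = self.recent[host]
            while window and now_ms - window[0] >= cfg["interval_ms"]:
                window.popleft()            # forget requests older than the interval
            if len(window) >= cfg["max_requests"]:
                return False
            window.append(now_ms)
        self.in_flight[host] += 1
        return True

    def end_request(self, host):
        self.in_flight[host] -= 1


def admitted_in_burst(limiter, host, count, start_ms=0):
    """Send `count` sequential requests 1 ms apart; return how many are admitted."""
    admitted = 0
    for i in range(count):
        if limiter.begin_request(host, start_ms + i):
            admitted += 1
            limiter.end_request(host)
    return admitted


def page_loads_admitted(resources_per_page, clients_behind_nat, nat_ip="203.0.113.7"):
    """Clients sharing one NAT address take turns loading a page (HTML plus assets, each a
    counted request) within one interval; return how many complete page loads succeed
    before the rate limit trips. nat_ip is a constructed documentation address."""
    limiter = DynamicIpRestriction()
    loads, t = 0, 0
    while t < limiter.cfg["interval_ms"]:   # stay inside a single window
        for _ in range(clients_behind_nat):
            for _ in range(resources_per_page):
                if not limiter.begin_request(nat_ip, t):
                    return loads
                limiter.end_request(nat_ip)
                t += 1
            loads += 1
    return loads
```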

Configuring the response to a denied request

The following setting configures the response to a denied request:

<Setting name="DynamicIpRestrictionDenyAction" value="AbortRequest" />

Refer to the documentation for Dynamic IP Security in IIS for other supported values.

Operations for configuring service certificates

This topic is for reference only. Follow the configuration steps outlined in:

  • Configure the SSL certificate
  • Configure client certificates

Create a self-signed certificate

Execute:

makecert ^
  -n "CN=myservice.chinacloudapp.cn" ^
  -e MM/DD/YYYY ^
  -r -cy end -sky exchange -eku "1.3.6.1.5.5.7.3.1" ^
  -a sha256 -len 2048 ^
  -sv MySSL.pvk MySSL.cer

To customize:

  • -n with the service URL. Wildcards ("CN=*.chinacloudapp.cn") and alternative names ("CN=myservice1.chinacloudapp.cn, CN=myservice2.chinacloudapp.cn") are supported.
  • -e with the certificate expiration date

Create a strong password and specify it when prompted.

Create PFX file for self-signed SSL certificate

Execute:

    pvk2pfx -pvk MySSL.pvk -spc MySSL.cer

Enter the password and then export the certificate with these options:

  • Yes, export the private key
  • Export all extended properties

Export SSL certificate from certificate store

  • Find certificate
  • Click Actions -> All Tasks -> Export…
  • Export the certificate into a .PFX file with these options:
    • Yes, export the private key
    • Include all certificates in the certification path if possible
    • Export all extended properties

Upload SSL certificate to cloud service

Upload the certificate with the existing or generated .PFX file containing the SSL key pair:

  • Enter the password protecting the private key information

Update SSL certificate in service configuration file

Update the thumbprint value of the following setting in the service configuration file with the thumbprint of the certificate uploaded to the cloud service:

<Certificate name="SSL" thumbprint="" thumbprintAlgorithm="sha1" />

Import SSL certification authority

Follow these steps on every account/machine that will communicate with the service:

  • Double-click the .CER file in Windows Explorer
  • In the Certificate dialog, click Install Certificate…
  • Import the certificate into the Trusted Root Certification Authorities store

Turn off client certificate-based authentication

Only client certificate-based authentication is supported, and disabling it allows public access to the service endpoints unless other mechanisms are in place (for example, Azure Virtual Network).

Change these settings to false in the service configuration file to turn off the feature:

<Setting name="SetupWebAppForClientCertificates" value="false" />
<Setting name="SetupWebserverForClientCertificates" value="false" />

Then, copy the same thumbprint as the SSL certificate into the CA certificate setting:

<Certificate name="CA" thumbprint="" thumbprintAlgorithm="sha1" />

Create a self-signed certification authority

Execute the following to create a self-signed certificate that acts as a Certification Authority:

makecert ^
  -n "CN=MyCA" ^
  -e MM/DD/YYYY ^
  -r -cy authority -h 1 ^
  -a sha256 -len 2048 ^
  -sr localmachine -ss my ^
  MyCA.cer

To customize it:

  • -e with the certificate expiration date

Find CA public key

All client certificates must have been issued by a Certification Authority trusted by the service. Find the public key of the Certification Authority that issued the client certificates that are going to be used for authentication, so that it can be uploaded to the cloud service.

If the file with the public key is not available, export it from the certificate store:

  • Find certificate
    • Search for a client certificate issued by the same Certification Authority
  • Double-click the certificate.
  • Select the Certification Path tab in the Certificate dialog.
  • Double-click the CA entry in the path.
  • Take note of the certificate properties.
  • Close the Certificate dialog.
  • Find certificate
    • Search for the CA noted above.
  • Click Actions -> All Tasks -> Export…
  • Export the certificate into a .CER file with these options:
    • No, do not export the private key
    • Include all certificates in the certification path if possible.
    • Export all extended properties.

Upload CA certificate to cloud service

Upload the certificate with the existing or generated .CER file containing the CA public key.

Update CA certificate in service configuration file

Update the thumbprint value of the following setting in the service configuration file with the thumbprint of the certificate uploaded to the cloud service:

<Certificate name="CA" thumbprint="" thumbprintAlgorithm="sha1" />

Update the value of the following setting with the same thumbprint:

<Setting name="AdditionalTrustedRootCertificationAuthorities" value="" />

Issue client certificates

Each individual authorized to access the service should have a client certificate issued for their exclusive use, and should choose their own strong password to protect its private key.

The following steps must be executed on the same machine where the self-signed CA certificate was generated and stored:

makecert ^
  -n "CN=My ID" ^
  -e MM/DD/YYYY ^
  -cy end -sky exchange -eku "1.3.6.1.5.5.7.3.2" ^
  -a sha256 -len 2048 ^
  -in "MyCA" -ir localmachine -is my ^
  -sv MyID.pvk MyID.cer

Customizing:

  • -n with an ID for the client that will be authenticated with this certificate
  • -e with the certificate expiration date
  • MyID.pvk and MyID.cer with unique filenames for this client certificate

This command prompts for a password to be created and then used once. Use a strong password.

Create PFX files for client certificates

For each generated client certificate, execute:

pvk2pfx -pvk MyID.pvk -spc MyID.cer

Customizing:

  • MyID.pvk and MyID.cer with the filenames for the client certificate

Enter the password and then export the certificate with these options:

  • Yes, export the private key
  • Export all extended properties
  • The individual to whom this certificate is being issued should choose the export password

Import client certificate

Each individual for whom a client certificate has been issued should import the key pair on the machines they will use to communicate with the service:

  • Double-click the .PFX file in Windows Explorer
  • Import the certificate into the Personal store with at least this option:
    • Include all extended properties checked

Copy client certificate thumbprints

Each individual for whom a client certificate has been issued must follow these steps to obtain the thumbprint of their certificate, which will be added to the service configuration file:

  • Run certmgr.exe
  • Select the Personal tab
  • Double-click the client certificate to be used for authentication
  • In the Certificate dialog that opens, select the Details tab
  • Make sure Show is displaying All
  • Select the field named Thumbprint in the list
  • Copy the value of the thumbprint
    • Delete the non-visible Unicode character in front of the first digit
    • Delete all spaces

Configure allowed clients in the service configuration file

Update the value of the following setting in the service configuration file with a comma-separated list of the thumbprints of the client certificates allowed to access the service:

<Setting name="AllowedClientCertificateThumbprints" value="" />
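An added Python example (not code from the page or the service) for the thumbprint cleanup and allowed-client list above: it strips the invisible character and spaces that a paste from certmgr carries, validates the 40-hex-digit SHA-1 thumbprint, builds the AllowedClientCertificateThumbprints value, and checks a presented certificate against it. The pasted string and the DER bytes are constructed samples.

```python
import hashlib
import re
import unicodedata

# Constructed sample of what a paste from certmgr's Thumbprint field can look like: a hidden
# left-to-right mark (U+200E) before the first digit and a space between every byte.
PASTED_THUMBPRINT = "\u200eab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01"

# Constructed bytes standing in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def normalize_thumbprint(raw):
    """Remove invisible format/control characters and whitespace, upper-case the hex digits,
    and reject anything that is not a 40-digit SHA-1 thumbprint (thumbprintAlgorithm="sha1")."""
    cleaned = "".join(ch for ch in raw
                      if not ch.isspace() and unicodedata.category(ch) not in ("Cf", "Cc"))
    cleaned = cleaned.upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {raw!r}")
    return cleaned


def thumbprint_of_der(der_bytes):
    """The thumbprint Windows displays is the SHA-1 hash of the certificate's DER encoding."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def allowed_clients_setting(raw_thumbprints):
    """Build the AllowedClientCertificateThumbprints value: normalized, de-duplicated, comma-separated."""
    seen = []
    for raw in raw_thumbprints:
        tp = normalize_thumbprint(raw)
        if tp not in seen:
            seen.append(tp)
    return ",".join(seen)


def setting_element(raw_thumbprints):
    """Render the <Setting> line for the service configuration file."""
    value = allowed_clients_setting(raw_thumbprints)
    return f'<Setting name="AllowedClientCertificateThumbprints" value="{value}" />'


def is_client_allowed(der_bytes, setting_value):
    """Check a presented certificate against the configured list, normalizing each entry so a
    stray space or hidden character in the .cscfg does not silently lock the client out."""
    allowed = {normalize_thumbprint(v) for v in setting_value.split(",") if v.strip()}
    return thumbprint_of_der(der_bytes) in allowed
```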

Configure client certificate revocation check

The default setting does not check with the Certification Authority for the client certificate revocation status. To turn on the checks, if the Certification Authority that issued the client certificates supports them, change the following setting to one of the values defined in the X509RevocationMode Enumeration:

<Setting name="ClientCertificateRevocationCheck" value="NoCheck" />

Create PFX file for self-signed encryption certificate

For an encryption certificate, execute:

pvk2pfx -pvk MyID.pvk -spc MyID.cer

Customizing:

  • MyID.pvk and MyID.cer with the filenames for the encryption certificate

Enter the password and then export the certificate with these options:

  • Yes, export the private key
  • Export all extended properties
  • You will need the password when uploading the certificate to the cloud service.

Export encryption certificate from certificate store

  • Find certificate
  • Click Actions -> All Tasks -> Export…
  • Export the certificate into a .PFX file with these options:
    • Yes, export the private key
    • Include all certificates in the certification path if possible
    • Export all extended properties

Upload encryption certificate to cloud service

Upload the certificate with the existing or generated .PFX file containing the encryption key pair:

  • Enter the password protecting the private key information

Update encryption certificate in service configuration file

Update the thumbprint value of the following setting in the service configuration file with the thumbprint of the certificate uploaded to the cloud service:

<Certificate name="DataEncryptionPrimary" thumbprint="" thumbprintAlgorithm="sha1" />

Common certificate operations

  • Configure the SSL certificate
  • Configure client certificates

Find certificate

Follow these steps:

  1. Run mmc.exe.
  2. File -> Add/Remove Snap-in…
  3. Select Certificates.
  4. Click Add.
  5. Choose the certificate store location.
  6. Click Finish.
  7. Click OK.
  8. Expand Certificates.
  9. Expand the certificate store node.
  10. Expand the Certificates child node.
  11. Select a certificate in the list.

Export certificate

In the Certificate Export Wizard:

  1. Click Next.
  2. Select Yes, export the private key.
  3. Click Next.
  4. Select the desired output file format.
  5. Check the desired options.
  6. Check Password.
  7. Enter a strong password and confirm it.
  8. Click Next.
  9. Type or browse to a filename where the certificate will be stored (use a .PFX extension).
  10. Click Next.
  11. Click Finish.
  12. Click OK.

Import certificate

In the Certificate Import Wizard:

  1. Select the store location.
    • Select Current User if only processes running under the current user will access the service
    • Select Local Machine if other processes on this computer will access the service
  2. Click Next.
  3. If importing from a file, confirm the file path.
  4. If importing a .PFX file:
    1. Enter the password protecting the private key
    2. Select the import options
  5. Select "Place all certificates in the following store".
  6. Click Browse.
  7. Select the desired store.
  8. Click Finish.
    • If the Trusted Root Certification Authorities store was chosen, click Yes.
  9. Click OK on all dialog windows.

Upload certificate

In the Azure portal:

  1. Select Cloud Services.
  2. Select the cloud service.
  3. On the top menu, click Certificates.
  4. On the bottom bar, click Upload.
  5. Select the certificate file.
  6. If it is a .PFX file, enter the password for the private key.
  7. Once completed, copy the certificate thumbprint from the new entry in the list.

Other security considerations

The SSL settings described in this document encrypt communication between the service and its clients when the HTTPS endpoint is used. This is important, since credentials for database access and potentially other sensitive information are contained in that communication. Note, however, that the service persists internal state, including credentials, in its internal tables in the Azure SQL database that you have provided for metadata storage in your Azure subscription. That database was defined as part of the following setting in your service configuration file (.CSCFG file):

<Setting name="ElasticScaleMetadata" value="Server=…" />

Credentials stored in this database are encrypted. However, as a best practice, ensure that both the web and worker roles of your service deployments are kept up to date and secure, since both have access to the metadata database and to the certificate used for encryption and decryption of the stored credentials.

Additional resources

Not using elastic database tools yet? Check out our Getting Started Guide.