如何解决Azure API 管理未获得多 TLS 的客户端证书
我正在尝试在 Azure API 管理中验证客户端证书。我创建了一个新实例,并使用默认的 Echo API。 我遵循了这个文档 https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients 和这个用于测试 Postman https://medium.com/@jkewley/testing-client-certificate-authentication-to-azure-api-management-with-postman-e1cfae52fc35
我在 Echo API 中使用以下策略所有入站操作仅检查是否存在任何证书:
<policies>
<inbound>
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="Missing client certificate" />
</return-response>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
在自定义域选项卡中,我的端点网关启用了协商客户端证书和默认 SSL 绑定。
在没有政策的情况下进行测试时,它工作正常。根据政策,我收到“403 - 缺少客户端证书”。
我的 PostMan 日志显示正在发送我的本地 pfx 文件。我在尝试复制的 Apigee 设置中成功使用了相同的 CA 证书。
APIM 跟踪没有显示该证书的迹象
{
"traceId": "1e2950a4-7ae9-4489-9175-dd6b7a8e6872","traceEntries": {
"inbound": [
{
"source": "api-inspector","timestamp": "2021-03-08T16:45:36.1300291Z","elapsed": "00:00:00.0002376","data": {
"request": {
"method": "POST","url": "https://xxxxxx-poc-apim.azure-api.net/echo/resource","headers": [
{
"name": "Ocp-Apim-Subscription-Key","value": "20c7x7x22xa5xdxc8a1x857bb651000a"
},{
"name": "X-Forwarded-For","value": "76.98.XX.XXX"
},{
"name": "Connection","value": "keep-alive"
},{
"name": "Content-Length","value": "102"
},{
"name": "Content-Type","value": "text/plain"
},{
"name": "Accept","value": "*/*"
},{
"name": "Accept-Encoding","value": "gzip,deflate,br"
},{
"name": "Host","value": "xxxxxxx-poc-apim.azure-api.net"
},{
"name": "User-Agent","value": "PostmanRuntime/7.26.10"
}
]
}
}
},{
"source": "api-inspector","elapsed": "00:00:00.0002401","data": {
"configuration": {
"api": {
"from": "/echo","to": {
"scheme": "http","host": "echoapi.cloudapp.net","port": 80,"path": "/api","queryString": "","query": {
},"isDefaultPort": true
},"version": null,"revision": "1"
},"operation": {
"method": "POST","uriTemplate": "/resource"
},"user": "-","product": "-"
}
}
},{
"source": "cors","elapsed": "00:00:00.0002602","data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
},{
"source": "choose","elapsed": "00:00:00.0002753","data": {
"message": "Expression was successfully evaluated.","expression": "context.Request.Certificate == null","value": true
}
},{
"source": "set-status","elapsed": "00:00:00.0002817","data": {
"message": [
"Response status code was set to 403","Response status reason was set to 'Missing client certificate'"
]
}
},{
"source": "return-response","elapsed": "00:00:00.0002863","data": {
"message": "Return response was applied","response": {
"status": {
"code": "Forbidden","reason": "Missing client certificate"
},"headers": [
]
}
}
}
],"outbound": [
{
"source": "transfer-response","elapsed": "00:00:00.0003120","data": {
"message": "Response headers have been sent to the caller."
}
}
]
}
}
我尝试了很多东西。我尝试使用 SoapUI 而不是 Postman 我尝试使用另一个 CA 证书。 我尝试了另一个具有 CA 证书但位于应用程序网关后面的 APIM。总是相同的结果。 我没有想法了。
解决方法
我发现了这个问题。我的公司正在使用 Netskope 进行网络流量控制,但它弄乱了证书。 我是通过在我的家用电脑上测试它发现的,它工作正常。 从我的工作笔记本电脑连接到 APIM URL 时,我的 Web 浏览器没有显示默认的 .azure-api.net 证书,而是一个证书 .goskope.com。 我们添加了 *.azure-api.net 域以绕过 Netskope 检查并解决了问题。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。