
Azure API Management not getting client certificate for mutual TLS

Stack Overflow user
Asked on 2021-03-08 17:29:11
1 answer, 913 views, 0 followers, 0 votes

I am trying to validate a client certificate in Azure API Management. I created a new instance and am using the default Echo API. I followed this documentation https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients and this article for testing with Postman https://medium.com/@jkewley/testing-client-certificate-authentication-to-azure-api-management-with-postman-e1cfae52fc35

I am using the following policy in the Echo API, inbound for all operations, which simply checks whether any certificate is present:

Code language: xml
<policies>
    <inbound>
        <choose>
            <when condition="@(context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" reason="Missing client certificate" />
                </return-response>
            </when>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

In the "Custom domains" tab, my Gateway endpoint has "Negotiate client certificate" and "Default SSL binding" enabled.

When testing without the policy, it works fine. With the policy, I get "403 - Missing client certificate".

My Postman log shows the local pfx file being sent. I have used the same CA certificate successfully before and tried to replicate the Apigee setup.

[Screenshot: Postman console]

The APIM trace shows no sign of the certificate:

Code language: json
{
  "traceId": "1e2950a4-7ae9-4489-9175-dd6b7a8e6872",
  "traceEntries": {
    "inbound": [
      {
        "source": "api-inspector",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002376",
        "data": {
          "request": {
            "method": "POST",
            "url": "https://xxxxxx-poc-apim.azure-api.net/echo/resource",
            "headers": [
              {
                "name": "Ocp-Apim-Subscription-Key",
                "value": "20c7x7x22xa5xdxc8a1x857bb651000a"
              },
              {
                "name": "X-Forwarded-For",
                "value": "76.98.XX.XXX"
              },
              {
                "name": "Connection",
                "value": "keep-alive"
              },
              {
                "name": "Content-Length",
                "value": "102"
              },
              {
                "name": "Content-Type",
                "value": "text/plain"
              },
              {
                "name": "Accept",
                "value": "*/*"
              },
              {
                "name": "Accept-Encoding",
                "value": "gzip,deflate,br"
              },
              {
                "name": "Host",
                "value": "xxxxxxx-poc-apim.azure-api.net"
              },
              {
                "name": "User-Agent",
                "value": "PostmanRuntime/7.26.10"
              }
            ]
          }
        }
      },
      {
        "source": "api-inspector",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002401",
        "data": {
          "configuration": {
            "api": {
              "from": "/echo",
              "to": {
                "scheme": "http",
                "host": "echoapi.cloudapp.net",
                "port": 80,
                "path": "/api",
                "queryString": "",
                "query": {
                  
                },
                "isDefaultPort": true
              },
              "version": null,
              "revision": "1"
            },
            "operation": {
              "method": "POST",
              "uriTemplate": "/resource"
            },
            "user": "-",
            "product": "-"
          }
        }
      },
      {
        "source": "cors",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002602",
        "data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
      },
      {
        "source": "choose",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002753",
        "data": {
          "message": "Expression was successfully evaluated.",
          "expression": "context.Request.Certificate == null",
          "value": true
        }
      },
      {
        "source": "set-status",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002817",
        "data": {
          "message": [
            "Response status code was set to 403",
            "Response status reason was set to 'Missing client certificate'"
          ]
        }
      },
      {
        "source": "return-response",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002863",
        "data": {
          "message": "Return response was applied",
          "response": {
            "status": {
              "code": "Forbidden",
              "reason": "Missing client certificate"
            },
            "headers": [
              
            ]
          }
        }
      }
    ],
    "outbound": [
      {
        "source": "transfer-response",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0003120",
        "data": {
          "message": "Response headers have been sent to the caller."
        }
      }
    ]
  }
}

I have tried many things. I tried using SoapUI instead of Postman, and I tried using another CA certificate. I tried another APIM that has a CA certificate but sits behind an App. The result is always the same. I am out of ideas.

1 answer

Stack Overflow user

Accepted answer

Posted on 2021-03-17 15:56:01

I found the problem. My company is using Netskope for network traffic control, and it was breaking the certificate. I discovered this by testing on my home computer, where it worked fine. When connecting to APIM from my work laptop, my web browser did not show the default *.azure-api.net certificate but instead a *.goskope.com certificate. We added the *.azure-api.net domain to bypass the Netskope inspection, and that solved the problem.

Votes: 0
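As an added diagnostic (not code from the original post, Azure, or Netskope), the following Python reproduces the check the answer describes: look at the leaf certificate a gateway host presents and flag the case where it satisfies the client for that host but is not the expected *.azure-api.net certificate, which is the signature of a TLS-inspecting proxy terminating the session and consuming the client certificate before it reaches APIM. fetch_peer_cert does the live lookup; the two certificate dicts are constructed samples in the layout ssl.getpeercert() returns, and the hostname and issuer names in them are assumptions.

```python
import socket
import ssl

EXPECTED_SAN = "*.azure-api.net"  # SAN on a default APIM gateway host (from the question)

def fetch_peer_cert(host, port=443):
    """Live (network) lookup: the leaf certificate as an ssl.getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_names(cert):
    """Lower-cased DNS entries of subjectAltName."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def issuer_cn(cert):
    """Issuer commonName, or '' if absent."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), "")

def matches(pattern, host):
    """RFC 6125-style match: a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) == pattern.count(".") + 1 and labels[1:] == pattern.split(".")[1:]
    return pattern == host

def diagnose_interception(cert, host, expected_san=EXPECTED_SAN):
    """Return (intercepted, reason). A cert that satisfies the client for `host` but lacks
    the expected SAN was minted between client and APIM; the TLS session ends there."""
    names = dns_names(cert)
    if expected_san.lower() in names:
        return False, f"leaf certificate carries {expected_san}; no interception seen"
    if not any(matches(n, host) for n in names):
        return True, f"certificate does not match {host} at all; SANs={names}"
    return True, (f"{host} is covered by {names} but {expected_san} is absent; "
                  f"issuer '{issuer_cn(cert)}' indicates a TLS-inspecting proxy")

# Constructed samples (not real certificates), in ssl.getpeercert() layout.
GENUINE_CERT = {
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "*.azure-api.net"),),
}
INTERCEPTED_CERT = {
    "issuer": ((("commonName", "Example Corp Inspection CA"),),),
    "subjectAltName": (("DNS", "example-poc-apim.azure-api.net"), ("DNS", "*.goskope.com")),
}
```

Run diagnose_interception(fetch_peer_cert(host), host) from the affected laptop and from an unfiltered network; a differing verdict confirms the path, not APIM, is the problem.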
Original content provided by Stack Overflow.
Original link:

https://stackoverflow.com/questions/66534409
