我正在尝试验证Azure API管理中的客户端证书。我创建了一个新实例,并使用默认的Echo API。我遵循这个文档https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients和这个测试邮差https://medium.com/@jkewley/testing-client-certificate-authentication-to-azure-api-management-with-postman-e1cfae52fc35
我在Echo API所有入站操作中使用以下策略,仅检查是否存在任何证书:
<policies>
<inbound>
<choose>
<when condition="@(context.Request.Certificate == null)">
<return-response>
<set-status code="403" reason="Missing client certificate" />
</return-response>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
在自定义域选项卡中,我的端点网关启用了协商客户端证书和默认SSL绑定。
在没有策略的情况下进行测试时,它工作得很好。有了这个策略,我得到了"403 -丢失的客户端证书"。
我的PostMan日志显示我的本地pfx文件正在发送。我已经成功地在Apigee设置中使用了相同的CA证书,我正在尝试复制。
邮差控制台
APIM Trace没有显示该证书的迹象
{
"traceId": "1e2950a4-7ae9-4489-9175-dd6b7a8e6872",
"traceEntries": {
"inbound": [
{
"source": "api-inspector",
"timestamp": "2021-03-08T16:45:36.1300291Z",
"elapsed": "00:00:00.0002376",
"data": {
"request": {
"method": "POST",
"url": "https://xxxxxx-poc-apim.azure-api.net/echo/resource",
"headers": [
{
"name": "Ocp-Apim-Subscription-Key",
"value": "20c7x7x22xa5xdxc8a1x857bb651000a"
},
{
"name": "X-Forwarded-For",
"value": "76.98.XX.XXX"
},
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "Content-Length",
"value": "102"
},
{
"name": "Content-Type",
"value": "text/plain"
},
{
"name": "Accept",
"value": "*/*"
},
{
"name": "Accept-Encoding",
"value": "gzip,deflate,br"
},
{
"name": "Host",
"value": "xxxxxxx-poc-apim.azure-api.net"
},
{
"name": "User-Agent",
"value": "PostmanRuntime/7.26.10"
}
]
}
}
},
{
"source": "api-inspector",
"timestamp": "2021-03-08T16:45:36.1300291Z",
"elapsed": "00:00:00.0002401",
"data": {
"configuration": {
"api": {
"from": "/echo",
"to": {
"scheme": "http",
"host": "echoapi.cloudapp.net",
"port": 80,
"path": "/api",
"queryString": "",
"query": {
},
"isDefaultPort": true
},
"version": null,
"revision": "1"
},
"operation": {
"method": "POST",
"uriTemplate": "/resource"
},
"user": "-",
"product": "-"
}
}
},
{
"source": "cors",
"timestamp": "2021-03-08T16:45:36.1300291Z",
"elapsed": "00:00:00.0002602",
"data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
},
{
"source": "choose",
"timestamp": "2021-03-08T16:45:36.1300291Z",
"elapsed": "00:00:00.0002753",
"data": {
"message": "Expression was successfully evaluated.",
"expression": "context.Request.Certificate == null",
"value": true
}
},
{
"source": "set-status",
"timestamp": "2021-03-08T16:45:36.1300291Z",
"elapsed": "00:00:00.0002817",
"data": {
"message": [
"Response status code was set to 403",
"Response status reason was set to 'Missing client certificate'"
]
}
},
{
"source": "return-response",
"timestamp": "2021-03-08T16:45:36.1300291Z",
"elapsed": "00:00:00.0002863",
"data": {
"message": "Return response was applied",
"response": {
"status": {
"code": "Forbidden",
"reason": "Missing client certificate"
},
"headers": [
]
}
}
}
],
"outbound": [
{
"source": "transfer-response",
"timestamp": "2021-03-08T16:45:36.1300291Z",
"elapsed": "00:00:00.0003120",
"data": {
"message": "Response headers have been sent to the caller."
}
}
]
}
}
我已经尝试了很多事情。我尝试使用SoapUI而不是Postman,我尝试使用另一个CA证书。我尝试了另一个具有CA证书但位于应用程序网关后面的APIM。结果总是一样的。我没主意了。
我发现了这个问题。我的公司正在使用Netskope进行网络流量控制,它把证书弄乱了。我在家用电脑上进行测试时发现了这个问题。当从我的工作笔记本电脑连接到APIM URL时,我的Web浏览器没有显示默认的。azureapi.net证书,而是显示证书。goskope.com。我们添加了*.azure-api.net域名来绕过Netskope检查,这就解决了问题。