API Management (APIM) is a way to put a consistent, modern API gateway in front of existing back-end services.
Problem description
After configuring a client certificate in APIM, the user protects the back-end API so that requests are authenticated. Recently, however, every API that relies on the client certificate started failing: the gateway reported that no client certificate was received, and inspecting the certificate in the browser showed it as invalid.
In the trace of the API request, the error messages are:
[
  {
    "source": "client-certificate-handler",
    "timestamp": "2021-07-13T12:23:51.8172847Z",
    "elapsed": "00:00:00.00053",
    "data": "Requesting client certificate because next handler requires access to it."
  },
  {
    "source": "client-certificate-handler",
    "timestamp": "2021-07-13T12:23:51.8172847Z",
    "elapsed": "00:00:00.00048",
    "data": "No client certificate received."
  }
]
Inspecting the certificate in the browser shows it as invalid:
Problem verification
Step 1: Following the error message, the first reaction is to check whether the APIM client certificate is valid and whether it has expired.
Step 2: When the certificate shows nothing abnormal (it has not expired), investigate whether APIM itself has changed. Cloning the latest files from the configured Git repository (the APIM Repository) shows that the service version changed between the earlier and the current export.
Step 3: Starting from the certificate settings in APIM, there is a new feature, "Negotiate client certificate". After enabling it, the APIM "No client certificate received" problem disappears.
Root cause
When APIM was set up, a hint in the portal read: "To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers, you must enable the 'Negotiate client certificate' setting on the 'Custom domains' blade." In other words, if HTTP/2 is not used, the "Negotiate client certificate" setting does not need to be enabled. That is why the feature was not enabled during the initial setup.
What the investigation now confirms is that after the APIM upgrade, "Negotiate client certificate" must be enabled. The Release Notification published for the APIM version change (quoted under the reference documents below, in its "Changed" section) gives the reason:
Appendix 1: Use the APIM Repository to fetch all files currently in APIM, including the configuration.json file in the root directory
Step 1: Enable the Repository in APIM
Step 2: Run git clone https://username:password@{name}.scm.azure-api.cn/ to download all APIM files to a local directory
Step 3: Check the IntegrationModuleBitsVersion value in configuration.json
{
  "settings": {
    "RegistrationEnabled": "True",
    "UserRegistrationTerms": null,
    "UserRegistrationTermsEnabled": "False",
    "UserRegistrationTermsConsentRequired": "False",
    "DelegationEnabled": "False",
    "DelegationUrl": "",
    "DelegatedSubscriptionEnabled": "False"
  },
  "$ref-policy": "api-management/policies/global.xml",
  "IntegrationModuleVersion": "17",
  "IntegrationModuleBitsVersion": "0.20.1220.0",
  "ExportDate": "2021-06-09T22:08:15.530921Z"
}
Reference documents
How to secure APIs using client certificate authentication in API Management: https://docs.azure.cn/zh-cn/api-management/api-management-howto-mutual-certificates-for-clients
APIM Release: https://github.com/Azure/API-Management/releases/tag/release-service-2021-05
A regular Azure API Management service update was started on May 5, 2021, and included the following new features, bug fixes, and other improvements. It may take several weeks for your API Management service to receive the update.
Featured
- Open-source API Portal is now generally available.
- Azure API Management's support for Availability Zones is now generally available.
- Request and response validation policies are now generally available.
New
- You can now validate the client certificate with the new <validate-client-certificate> policy. Documentation and support in the Azure portal are coming soon.
- The Visual Studio Code extension now supports policy debugging for self-hosted gateways running locally.
- The Visual Studio Code extension now supports Dapr and validation policies.
- The developer portal now supports resource owner password grant flow.
- The new Ciphers + Protocols page in the Azure portal lets you manage API gateways' cipher and protocol configuration and displays a warning if a weak cipher or protocol is enabled.
- The Locations page in the Azure portal lets you now configure Availability Zones.
- You can now apply validation policies with the visual policy editors in the Azure portal, without writing any policy code.
- The timeout attribute of the send-request policy now supports policy expressions.
Fixed
- Caching issues, which might have resulted in a broken developer portal's administrative interface, are now resolved.
Changed
- The client certificate renegotiation feature is now disabled for all new and existing API Management services, except for the services that relied on it in the last 30 days (services with at least one API call that resulted in a client certificate request from a policy, not as part of an initial TLS handshake). The API gateway will request a client certificate only if HostnameConfiguration's property negotiateClientCertificate is set to true. If the property is set to false, the client certificate won't be available in the context.Request.Certificate property.
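The "next handler" that the trace above says "requires access to" the certificate is an inbound policy that reads context.Request.Certificate. The following policy is an added example written for this post (it is not the original author's policy, nor a snippet copied from the Azure release note), following the documented pattern of checking the certificate in a <choose> block; the thumbprint is a placeholder. It shows the failure mode described in the "Changed" entry: when the hostname configuration has negotiateClientCertificate set to false, the gateway never requests a certificate on the connection, context.Request.Certificate is null, and the first branch rejects the call with 403 instead of forwarding it to the back end.

```xml
<!-- Added example policy for an API in API Management; not taken from the original post.
     Reads context.Request.Certificate, which is the step that makes the gateway request a
     client certificate (the "client-certificate-handler" entries in the trace).
     With negotiateClientCertificate = false on the custom hostname, the property is null
     and every call fails in the first <when> branch with "No client certificate received". -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- No certificate presented (or never negotiated): reject before reaching the back end -->
            <when condition="@(context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" reason="Client certificate required" />
                    <set-body>No client certificate received</set-body>
                </return-response>
            </when>
            <!-- Certificate presented but its chain, validity period or revocation check failed -->
            <when condition="@(!context.Request.Certificate.Verify())">
                <return-response>
                    <set-status code="403" reason="Client certificate failed validation" />
                </return-response>
            </when>
            <!-- Certificate is valid but not the one expected by this API.
                 PLACEHOLDER-THUMBPRINT is an assumed value; replace it with the real thumbprint,
                 written in upper-case hexadecimal without separators. -->
            <when condition="@(context.Request.Certificate.Thumbprint != &quot;PLACEHOLDER-THUMBPRINT&quot;)">
                <return-response>
                    <set-status code="403" reason="Unexpected client certificate" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The order of the branches matters: the null check must come first, because calling Verify() or Thumbprint on a null certificate throws a policy expression error rather than producing a clean 403. After the May 2021 service update this policy only works if "Negotiate client certificate" is enabled on the custom domain, which is exactly the setting the troubleshooting steps above had to turn on.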