Azure API Management not getting Client Certificate for Mutual TLS

I am trying to validate client certificates in Azure API Management. I created a new instance and used the default Echo API. I followed this document https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients and this one for testing with Postman https://medium.com/@jkewley/testing-client-certificate-authentication-to-azure-api-management-with-postman-e1cfae52fc35

I am using the following policy on all inbound operations of the Echo API; it only checks whether any certificate is present:

<policies>
    <inbound>
        <choose>
            <when condition="@(context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" reason="Missing client certificate" />
                </return-response>
            </when>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

In the "Custom domains" tab, my Gateway endpoint has "Negotiate client certificate" and "Default SSL binding" enabled.

Testing without the policy works fine. With the policy, I get "403 - Missing client certificate".

My Postman log shows that my local pfx file is being sent. I have used the same CA certificate successfully on the Apigee setup I am trying to replicate.

[Postman Console screenshot]

The APIM trace shows no sign of the certificate:

{
  "traceId": "1e2950a4-7ae9-4489-9175-dd6b7a8e6872",
  "traceEntries": {
    "inbound": [
      {
        "source": "api-inspector",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002376",
        "data": {
          "request": {
            "method": "POST",
            "url": "https://xxxxxx-poc-apim.azure-api.net/echo/resource",
            "headers": [
              {
                "name": "Ocp-Apim-Subscription-Key",
                "value": "20c7x7x22xa5xdxc8a1x857bb651000a"
              },
              {
                "name": "X-Forwarded-For",
                "value": "76.98.XX.XXX"
              },
              {
                "name": "Connection",
                "value": "keep-alive"
              },
              {
                "name": "Content-Length",
                "value": "102"
              },
              {
                "name": "Content-Type",
                "value": "text/plain"
              },
              {
                "name": "Accept",
                "value": "*/*"
              },
              {
                "name": "Accept-Encoding",
                "value": "gzip,deflate,br"
              },
              {
                "name": "Host",
                "value": "xxxxxxx-poc-apim.azure-api.net"
              },
              {
                "name": "User-Agent",
                "value": "PostmanRuntime/7.26.10"
              }
            ]
          }
        }
      },
      {
        "source": "api-inspector",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002401",
        "data": {
          "configuration": {
            "api": {
              "from": "/echo",
              "to": {
                "scheme": "http",
                "host": "echoapi.cloudapp.net",
                "port": 80,
                "path": "/api",
                "queryString": "",
                "query": {
                  
                },
                "isDefaultPort": true
              },
              "version": null,
              "revision": "1"
            },
            "operation": {
              "method": "POST",
              "uriTemplate": "/resource"
            },
            "user": "-",
            "product": "-"
          }
        }
      },
      {
        "source": "cors",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002602",
        "data": "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
      },
      {
        "source": "choose",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002753",
        "data": {
          "message": "Expression was successfully evaluated.",
          "expression": "context.Request.Certificate == null",
          "value": true
        }
      },
      {
        "source": "set-status",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002817",
        "data": {
          "message": [
            "Response status code was set to 403",
            "Response status reason was set to 'Missing client certificate'"
          ]
        }
      },
      {
        "source": "return-response",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0002863",
        "data": {
          "message": "Return response was applied",
          "response": {
            "status": {
              "code": "Forbidden",
              "reason": "Missing client certificate"
            },
            "headers": [
              
            ]
          }
        }
      }
    ],
    "outbound": [
      {
        "source": "transfer-response",
        "timestamp": "2021-03-08T16:45:36.1300291Z",
        "elapsed": "00:00:00.0003120",
        "data": {
          "message": "Response headers have been sent to the caller."
        }
      }
    ]
  }
}

I have tried many things. I tried SoapUI instead of Postman. I tried another CA certificate. I tried another APIM that has the CA certificate but sits behind an App Gateway. Always the same result. I am out of ideas.

I found the problem. My company uses Netskope for network traffic control, and it messes with the certificates. I discovered this by testing on my home computer, where it worked fine. When connecting to the APIM URL from my work laptop, my web browser did not show the default .azure-api.net certificate but a .goskope.com certificate instead. We added the *.azure-api.net domain to bypass Netskope inspection and that solved the problem.
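The diagnosis in the answer above (a TLS-inspecting proxy terminating the connection and presenting its own certificate for the gateway host, so the client certificate never reaches APIM) can be confirmed from the client side by looking at which leaf certificate is actually presented for the APIM hostname. The following Python is an added example, not code from the question, the answer, or Microsoft; it assumes the `xxxxxx-poc-apim.azure-api.net` host from the trace and uses constructed sample certificates in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

# Constructed samples (not captured data): the gateway host from the question and
# two leaf certificates in the shape ssl.SSLSocket.getpeercert() returns.
APIM_HOST = "xxxxxx-poc-apim.azure-api.net"
DIRECT_CERT = {"subjectAltName": (("DNS", "*.azure-api.net"),)}
INTERCEPTED_CERT = {"subjectAltName": (("DNS", "*.goskope.com"), ("DNS", "goskope.com"))}


def san_covers_host(san_names, hostname):
    """True if a dNSName SAN covers hostname; a leading '*' matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def classify_server_cert(cert, hostname):
    """'direct' if the presented leaf names the APIM host, else 'intercepted'.

    A leaf for some other domain means a middlebox terminated TLS. The client
    certificate handshake ends at that middlebox, so APIM never receives it and
    context.Request.Certificate is null even though Postman sent the pfx.
    """
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return "direct" if san_covers_host(sans, hostname) else "intercepted"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Leaf certificate actually presented for hostname on this network path.

    Hostname matching is disabled on purpose: the chain is still verified against
    the local trust store (which on a managed laptop includes the inspection CA),
    so a mismatch is reported by classify_server_cert instead of aborting.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run `classify_server_cert(fetch_peer_cert(host), host)` from both the work laptop and an uninspected network: "intercepted" on one and "direct" on the other points at the proxy rather than at the APIM policy.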