1

在 Windows Azure 管理门户的“操作日志”中,我看到了操作“AddCertificates”。详细来说,我可以看到 base64 格式的 pfx 证书和纯文本密码。

我认为在日志中存储证书和密码是不对的。

如何禁用此功能?

UPD:来自操作日志的日志条目

<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <OperationId>7b52fbab-3cfe-40b4-9910-02d26d575503</OperationId>
    <OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
    <OperationName>AddCertificates</OperationName>
    <OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
        <OperationParameter>
            <d2p1:Name>subscriptionID</d2p1:Name>
            <d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>serviceName</d2p1:Name>
            <d2p1:Value>MyServiceName</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>input</d2p1:Name>
            <d2p1:Value><?xml version="1.0" encoding="utf-16"?><CertificateFile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
                <Data>**BASE64CertificateData**</Data>
                <CertificateFormat>pfx</CertificateFormat>
                <Password>**PLAIN_PASSWORD**</Password></CertificateFile></d2p1:Value>
        </OperationParameter>
    </OperationParameters>
    <OperationCaller>
        <UsedServiceManagementApi>true</UsedServiceManagementApi>
        <SubscriptionCertificateThumbprint>THUMBPRINT</SubscriptionCertificateThumbprint>
        <ClientIP>95.221.82.19</ClientIP>
    </OperationCaller>
    <OperationStatus>
        <ID>7b52fbab-3cfe-40b4-9910-02d26d575503</ID>
        <Status>Succeeded</Status>
        <HttpStatusCode>200</HttpStatusCode>
    </OperationStatus>
    <OperationStartedTime>2013-03-16T04:45:41Z</OperationStartedTime>
    <OperationCompletedTime>2013-03-16T04:45:44Z</OperationCompletedTime>
</SubscriptionOperation>
4

2 回答 2

1

Alexey,您写道,操作日志确实以明文形式显示 PFX 密码,即使在通过 PS 部署证书时,密码也是明文形式,即使通信通道通过 SSL 加密,如下所示:

HTTP Method:
POST

Absolute Uri:
https://management.core.windows.net/*****/services/hostedservices/avkashnewpass/certificates

Headers:
x-ms-version                  : 2012-12-01
x-ms-client-id                : ***********
User-Agent                    : Windows Azure Powershell/v.0.6.11

Body:
 <?xml version="1.0" encoding="utf-16"?>
 <CertificateFile xmlns="http://schemas.microsoft.com/windowsazure"
    xmlns:i="http://www.w3.org/2001/XMLSchema-instance">

   <Data>*************************************</Data>
   <CertificateFormat>pfx</CertificateFormat>
   <Password>clear_text_password</Password>
 </CertificateFile>

我已经接受了您的反馈,并将其提供给能够正确解决问题的适当人员。

于 2013-03-15T21:39:24.270 回答
0

在新版本的管理门户中,Azure 团队已经修复了这个错误。

现在日志条目看起来像

<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <OperationId>7e28942a-457b-4362-8fb5-f671e415cb4f</OperationId>
    <OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
    <OperationName>AddCertificates</OperationName>
    <OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
        <OperationParameter>
            <d2p1:Name>subscriptionID</d2p1:Name>
            <d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>serviceName</d2p1:Name>
            <d2p1:Value>MyServiceName</d2p1:Value>
        </OperationParameter>
        <OperationParameter>
            <d2p1:Name>input</d2p1:Name>
            <d2p1:Value i:nil="true" />
        </OperationParameter>
    </OperationParameters>
    <OperationCaller>
        <UsedServiceManagementApi>true</UsedServiceManagementApi>
        <SubscriptionCertificateThumbprint>1B1745A3F688994E4310025E6AC8502319142D0E</SubscriptionCertificateThumbprint>
        <ClientIP>91.103.66.206</ClientIP>
    </OperationCaller>
    <OperationStatus>
        <ID>7e28942a-457b-4362-8fb5-f671e415cb4f</ID>
        <Status>Succeeded</Status>
        <HttpStatusCode>200</HttpStatusCode>
    </OperationStatus>
    <OperationStartedTime>2013-03-18T02:24:50Z</OperationStartedTime>
    <OperationCompletedTime>2013-03-18T02:24:53Z</OperationCompletedTime>
</SubscriptionOperation>

谢谢!

于 2013-03-18T19:03:11.860 回答