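In the "Operation Logs" on the Windows Azure management portal, I saw the operation "AddCertificates". In the details, I can see the pfx certificate in base64 format and the password in plain text.
I think storing the certificate and password in the logs is wrong.
How can I disable this feature?
UPD: the log entry from the operation logs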
<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<OperationId>7b52fbab-3cfe-40b4-9910-02d26d575503</OperationId>
<OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
<OperationName>AddCertificates</OperationName>
<OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
<OperationParameter>
<d2p1:Name>subscriptionID</d2p1:Name>
<d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
</OperationParameter>
<OperationParameter>
<d2p1:Name>serviceName</d2p1:Name>
<d2p1:Value>MyServiceName</d2p1:Value>
</OperationParameter>
<OperationParameter>
<d2p1:Name>input</d2p1:Name>
<d2p1:Value><?xml version="1.0" encoding="utf-16"?><CertificateFile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
<Data>**BASE64CertificateData**</Data>
<CertificateFormat>pfx</CertificateFormat>
<Password>**PLAIN_PASSWORD**</Password></CertificateFile></d2p1:Value>
</OperationParameter>
</OperationParameters>
<OperationCaller>
<UsedServiceManagementApi>true</UsedServiceManagementApi>
<SubscriptionCertificateThumbprint>THUMBPRINT</SubscriptionCertificateThumbprint>
<ClientIP>95.221.82.19</ClientIP>
</OperationCaller>
<OperationStatus>
<ID>7b52fbab-3cfe-40b4-9910-02d26d575503</ID>
<Status>Succeeded</Status>
<HttpStatusCode>200</HttpStatusCode>
</OperationStatus>
<OperationStartedTime>2013-03-16T04:45:41Z</OperationStartedTime>
<OperationCompletedTime>2013-03-16T04:45:44Z</OperationCompletedTime>
</SubscriptionOperation>
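Answer 0 (score: 1)
Alexey, as you wrote, the operation log does show the PFX password in clear text. When the certificate is deployed through PS, the password is in plain text even over the SSL-encrypted communication channel, as shown below: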
HTTP Method:
POST
Absolute Uri:
https://management.core.windows.net/*****/services/hostedservices/avkashnewpass/certificates
Headers:
x-ms-version : 2012-12-01
x-ms-client-id : ***********
User-Agent : Windows Azure Powershell/v.0.6.11
Body:
<?xml version="1.0" encoding="utf-16"?>
<CertificateFile xmlns="http://schemas.microsoft.com/windowsazure"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Data>*************************************</Data>
<CertificateFormat>pfx</CertificateFormat>
<Password>clear_text_password</Password>
</CertificateFile>
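I have taken your feedback and passed it on to the right people, who can address the problem properly.
Answer 1 (score: 0)
In the new version of the management portal, the Azure team has fixed this bug.
Now the log entry looks like this: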
<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<OperationId>7e28942a-457b-4362-8fb5-f671e415cb4f</OperationId>
<OperationObjectId>/094cc12d-f8f7-4f5f-804a-57b16bc87f1b/services/hostedservices/MyServiceName</OperationObjectId>
<OperationName>AddCertificates</OperationName>
<OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
<OperationParameter>
<d2p1:Name>subscriptionID</d2p1:Name>
<d2p1:Value>094cc12d-f8f7-4f5f-804a-57b16bc87f1b</d2p1:Value>
</OperationParameter>
<OperationParameter>
<d2p1:Name>serviceName</d2p1:Name>
<d2p1:Value>MyServiceName</d2p1:Value>
</OperationParameter>
<OperationParameter>
<d2p1:Name>input</d2p1:Name>
<d2p1:Value i:nil="true" />
</OperationParameter>
</OperationParameters>
<OperationCaller>
<UsedServiceManagementApi>true</UsedServiceManagementApi>
<SubscriptionCertificateThumbprint>1B1745A3F688994E4310025E6AC8502319142D0E</SubscriptionCertificateThumbprint>
<ClientIP>91.103.66.206</ClientIP>
</OperationCaller>
<OperationStatus>
<ID>7e28942a-457b-4362-8fb5-f671e415cb4f</ID>
<Status>Succeeded</Status>
<HttpStatusCode>200</HttpStatusCode>
</OperationStatus>
<OperationStartedTime>2013-03-18T02:24:50Z</OperationStartedTime>
<OperationCompletedTime>2013-03-18T02:24:53Z</OperationCompletedTime>
</SubscriptionOperation>
Thanks!
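For operation-log entries that were exported or archived before the fix, the following added example (not part of the question or either answer) scans a SubscriptionOperation entry for a logged CertificateFile payload and redacts its Password and Data values. The function name `scrub_operation` is hypothetical, the sample entries are constructed, and the code assumes the embedded CertificateFile document is entity-escaped inside `d2p1:Value` so that the entry is well-formed XML.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

AZ = "{http://schemas.microsoft.com/windowsazure}"
SM = "{http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement}"
SENSITIVE = ("Password", "Data")  # CertificateFile children seen in the leaked entry

def scrub_operation(entry_xml):
    """Return (redacted_xml, findings) for one SubscriptionOperation entry."""
    root = ET.fromstring(entry_xml)
    op = root.findtext(AZ + "OperationName")
    findings = []
    for param in root.iter(AZ + "OperationParameter"):
        value = param.find(SM + "Value")
        if value is None or not value.text:  # i:nil="true": nothing was logged
            continue
        name = param.findtext(SM + "Name")
        for tag in SENSITIVE:
            pattern = re.compile(r"(<%s>)(.*?)(</%s>)" % (tag, tag), re.S)
            if pattern.search(value.text):
                findings.append((op, name, tag))
                value.text = pattern.sub(r"\g<1>[REDACTED]\g<3>", value.text)
    return ET.tostring(root, encoding="unicode"), findings

# Constructed sample entries modelled on the old and new log formats above.
TEMPLATE = """<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<OperationName>AddCertificates</OperationName>
<OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
<OperationParameter><d2p1:Name>serviceName</d2p1:Name><d2p1:Value>MyServiceName</d2p1:Value></OperationParameter>
<OperationParameter><d2p1:Name>input</d2p1:Name>%s</OperationParameter>
</OperationParameters></SubscriptionOperation>"""
INNER = ('<CertificateFile xmlns="http://schemas.microsoft.com/windowsazure">'
         "<Data>Q09OU1RSVUNURUQ=</Data><CertificateFormat>pfx</CertificateFormat>"
         "<Password>constructed-password</Password></CertificateFile>")
LEAKY = TEMPLATE % ("<d2p1:Value>" + escape(INNER) + "</d2p1:Value>")
FIXED = TEMPLATE % '<d2p1:Value i:nil="true" />'

if __name__ == "__main__":
    for label, entry in (("old format", LEAKY), ("new format", FIXED)):
        redacted, findings = scrub_operation(entry)
        print(label, findings)
```

Any PFX password that appears in a finding should be treated as exposed: reissue the certificate with a new password rather than relying on redaction alone.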