How-to: enable your service application to work with cloud based RMS

Important

Versions of the Microsoft Rights Management Service SDK released prior to March 2020 are deprecated; applications using earlier versions must be updated to use the March 2020 release. For full details, see the deprecation notice.

No further enhancements are planned for the Microsoft Rights Management Service SDK. We strongly recommend adoption of the Microsoft Information Protection SDK for classification, labeling, and protection services.

This topic outlines the steps for setting up your service application to use Azure Rights Management. For more information, see Getting started with Azure Rights Management.

Important
In order to use your Rights Management Services SDK 2.1 service application with Azure RMS, you'll need to create your own tenant. For more information, see Azure RMS requirements: Cloud subscriptions that support Azure RMS.

Prerequisites

Connecting to the Azure Rights Management Service

Note - Due to an existing condition with our discovery service, symmetric key credentials are not accepted from regions outside North America; if you are not in North America, you must therefore specify your tenant URLs directly. This is done through the pConnectionInfo parameter, of type IPC_CONNECTION_INFO, on the IpcGetTemplateList and IpcGetTemplateIssuerList functions.

Generate a symmetric key and collect the needed information

Instructions to generate a symmetric key

Note - You must be a tenant administrator to use the PowerShell cmdlets.

  • Start PowerShell and run the following commands to generate a key

    Import-Module MSOnline

    Connect-MsolService (type in your admin credentials)

    New-MsolServicePrincipal (type in a display name)

  • After it generates a symmetric key, it outputs information about the key, including the key itself and an AppPrincipalId.

    The following symmetric key was created as one was not supplied
    ZYbF/lTtwE28qplQofCpi2syWd11D83+A3DRlb2Jnv8=
    
    DisplayName : RMSTestApp
    ServicePrincipalNames : {7d9c1f38-600c-4b4d-8249-22427f016963}
    ObjectId : 0ee53770-ec86-409e-8939-6d8239880518
    AppPrincipalId : 7d9c1f38-600c-4b4d-8249-22427f016963
    

Instructions to find out TenantBposId and Urls

  • Install the Azure RMS PowerShell module.

  • Start PowerShell and run the following commands to get the RMS configuration of the tenant.

    Import-Module AIPService

    Connect-AipService (type in your admin credentials)

    Get-AipServiceConfiguration

  • Create an instance of IPC_CREDENTIAL_SYMMETRIC_KEY and set a few members.

    // Create a key structure.
    IPC_CREDENTIAL_SYMMETRIC_KEY symKey = {0};

    // Set each member with information from service creation. The members are
    // LPCWSTR, so the values must be wide strings. The key is a secret: load it
    // from a protected store at run time rather than compiling it in.
    symKey.wszBase64Key = L"your service principal key";         // key printed by New-MsolServicePrincipal
    symKey.wszAppPrincipalId = L"your app principal identifier"; // AppPrincipalId from New-MsolServicePrincipal
    symKey.wszBposTenantId = L"your tenant identifier";          // tenant (Bpos) id from Get-AipServiceConfiguration
    

For more information, see IPC_CREDENTIAL_SYMMETRIC_KEY.

  • Create an instance of an IPC_CREDENTIAL structure containing your IPC_CREDENTIAL_SYMMETRIC_KEY instance.

    Note - The connectionInfo members are set with URLs from the previous call to Get-AipServiceConfiguration and are noted here with those field names.

    // Create a credential structure.
    IPC_CREDENTIAL cred = {0};

    // Connection info: the licensing URLs returned by Get-AipServiceConfiguration,
    // supplied as wide strings. Passing them directly avoids the discovery service.
    IPC_CONNECTION_INFO connectionInfo = {0};
    connectionInfo.wszIntranetUrl = LicensingIntranetDistributionPointUrl;
    connectionInfo.wszExtranetUrl = LicensingExtranetDistributionPointUrl;

    // Set each member. The union member must match dwType: a symmetric key goes in
    // pcSymmetricKey; pcCertContext is only for certificate credentials.
    cred.dwType = IPC_CREDENTIAL_TYPE_SYMMETRIC_KEY;
    cred.pcSymmetricKey = &symKey;

    // Create your prompt control.
    IPC_PROMPT_CTX promptCtx = {0};

    // Set each member. A service has no UI, so run silently and supply the
    // credential up front instead of letting the SDK prompt.
    promptCtx.cbSize = sizeof(IPC_PROMPT_CTX);
    promptCtx.hwndParent = NULL;
    promptCtx.dwflags = IPC_PROMPT_FLAG_SILENT;
    promptCtx.hCancelEvent = NULL;
    promptCtx.pcCredential = &cred;
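The two PowerShell procedures above (create the service principal, read the tenant configuration) combined into one script that emits exactly the values the IPC_CREDENTIAL_SYMMETRIC_KEY and IPC_CONNECTION_INFO members consume. This is an added example, not code from the original article or from the SDK's own samples. It differs from the step-by-step commands in two ways a service owner usually wants: the 256-bit key is generated locally and registered with -Type Symmetric -Value, so it is never printed to the console, and the credential is given a bounded lifetime with -StartDate/-EndDate. It assumes the MSOnline and AIPService modules, that Get-AipServiceConfiguration exposes the tenant id as the BPOSId property alongside the Licensing*DistributionPointUrl properties named in the note above, and a tenant administrator account; the script name and the $ValidityDays default are illustrative.

```powershell
# New-RmsServicePrincipal.ps1 (illustrative name; added example, not from the article)
# Usage: .\New-RmsServicePrincipal.ps1 -DisplayName "RMSTestApp"
param(
    [Parameter(Mandatory)] [string] $DisplayName,
    # Bound the credential lifetime so a leaked key ages out; 365 days is an assumed default.
    [int] $ValidityDays = 365
)

Import-Module MSOnline
Import-Module AIPService

# Generate the symmetric key here (32 random bytes = 256 bits, base64-encoded) instead of
# letting New-MsolServicePrincipal auto-generate one and echo it to the console.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$base64Key = [Convert]::ToBase64String($keyBytes)

# Register the service principal with our key and an explicit validity window.
Connect-MsolService                      # prompts for tenant administrator credentials
$start = Get-Date
$end   = $start.AddDays($ValidityDays)
$sp = New-MsolServicePrincipal -DisplayName $DisplayName -Type Symmetric -Value $base64Key `
          -StartDate $start -EndDate $end

# Read the tenant's RMS configuration (tenant id and licensing URLs).
Connect-AipService                       # prompts for tenant administrator credentials
$cfg = Get-AipServiceConfiguration       # assumed properties: BPOSId, Licensing*DistributionPointUrl

# Preflight checks before any of this is handed to the SDK.
if ([Convert]::FromBase64String($base64Key).Length -ne 32) { throw 'Key is not 256 bits.' }
if (-not $sp.AppPrincipalId)  { throw 'Service principal was not created.' }
if (-not $cfg.BPOSId)         { throw 'Tenant id (BPOSId) not returned; is Azure RMS activated?' }
if (-not $cfg.LicensingIntranetDistributionPointUrl) { throw 'Tenant has no licensing URL.' }

# Values for the C structures in this article, keyed by member name. Only wszBase64Key is a
# secret: hand it to a secret store (Windows Credential Manager, Azure Key Vault, ...) rather
# than source control. The ids and URLs are configuration, not secrets.
[pscustomobject]@{
    wszBase64Key      = $base64Key                                  # IPC_CREDENTIAL_SYMMETRIC_KEY
    wszAppPrincipalId = $sp.AppPrincipalId.ToString()               # IPC_CREDENTIAL_SYMMETRIC_KEY
    wszBposTenantId   = $cfg.BPOSId.ToString()                      # IPC_CREDENTIAL_SYMMETRIC_KEY
    wszIntranetUrl    = $cfg.LicensingIntranetDistributionPointUrl  # IPC_CONNECTION_INFO
    wszExtranetUrl    = $cfg.LicensingExtranetDistributionPointUrl  # IPC_CONNECTION_INFO
    KeyExpires        = $end
}
```

When the key reaches KeyExpires, create a new credential for the same service principal and roll the service over to it; the AppPrincipalId and tenant id stay the same, so only wszBase64Key changes in the application's configuration.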
    

Identify a template and then encrypt

  • Select a template to use for your encryption. Call IpcGetTemplateList, passing in the same instance of IPC_PROMPT_CTX.

    HRESULT hr = S_OK;
    PCIPC_TIL pTemplates = NULL;

    // Pass the connection info built above so the tenant's licensing URLs are
    // used directly (see the note on the discovery service). Force a download so
    // the list reflects the tenant's current templates rather than a local cache.
    hr = IpcGetTemplateList(&connectionInfo,
           IPC_GTL_FLAG_FORCE_DOWNLOAD,
           0,               // LCID 0: default language
           &promptCtx,
           NULL,
           &pTemplates);
    // On success, pTemplates is SDK-allocated; release it with IpcFreeMemory when done.
    
  • With the template from earlier in this topic, call IpcfEncryptFile, passing in the same instance of IPC_PROMPT_CTX.

    Example use of IpcfEncryptFile:

    // Use the first template in the list; a real service selects the template
    // whose ID or name matches the protection it wants to apply.
    LPCWSTR wszContentTemplateId = pTemplates->aTi[0].wszID;
    LPCWSTR wszInputFilePath = L"C:\\path\\to\\input.docx";  // placeholder: file to protect
    LPCWSTR wszOutputFilePath = NULL;                          // allocated by the SDK

    hr = IpcfEncryptFile(wszInputFilePath,
           wszContentTemplateId,
           IPCF_EF_TEMPLATE_ID,
           IPCF_EF_FLAG_KEY_NO_PERSIST,   // do not cache the content key on this machine
           &promptCtx,
           NULL,
           &wszOutputFilePath);
    // wszOutputFilePath must be released with IpcFreeMemory when no longer needed.

    Example use of IpcfDecryptFile:

    // Here wszInputFilePath is the path of a protected file; the decrypted copy
    // is written by the SDK and its path returned in wszOutputFilePath.
    hr = IpcfDecryptFile(wszInputFilePath,
           IPCF_DF_FLAG_DEFAULT,
           &promptCtx,
           NULL,
           &wszOutputFilePath);
    // Release wszOutputFilePath with IpcFreeMemory when done.
    

You have now completed the steps needed to enable your application to use Azure Rights Management.