Tutorial: Provision the device to an IoT hub using the Azure IoT Hub Device Provisioning Service

In the previous tutorial, you learned how to set up a device to connect to your Device Provisioning service. In this tutorial, you learn how to use this service to provision your device to a single IoT hub, using auto-provisioning and enrollment lists. This tutorial shows you how to:

  • Enroll the device
  • Start the device
  • Verify the device is registered

Prerequisites

Before you proceed, make sure to configure your device as discussed in the tutorial Set up a device to provision using Azure IoT Hub Device Provisioning Service.

If you're unfamiliar with the process of auto-provisioning, review the provisioning overview before continuing.

Enroll the device

This step involves adding the device's unique security artifacts to the Device Provisioning Service. These security artifacts are based on the device's attestation mechanism, as follows:

  • For TPM-based devices you need:

    • The Endorsement Key, which is unique to each TPM chip or simulation and is obtained from the TPM chip manufacturer. Read Understand TPM Endorsement Key for more information.

    • The Registration ID, which uniquely identifies a device in the namespace/scope. This ID may or may not be the same as the device ID, and it is mandatory for every device. For TPM-based devices, the registration ID may be derived from the TPM itself, for example a SHA-256 hash of the TPM Endorsement Key.

      Enrollment information for TPM in the portal

  • For X.509-based devices you need:

    • The certificate issued to the X.509 chip or simulation, as either a .pem or a .cer file. For individual enrollment, you use the per-device signed certificate for your X.509 system; for enrollment groups, you use the root certificate.

      Add individual enrollment for X.509 attestation in the portal

There are two ways to enroll the device to the Device Provisioning Service:

  • Enrollment Groups: a group of devices that share a specific attestation mechanism. We recommend using an enrollment group for a large number of devices that share a desired initial configuration, or for devices that all go to the same tenant. For more information on identity attestation for enrollment groups, see Security.

    Add group enrollment for X.509 attestation in the portal

  • Individual Enrollments: an entry for a single device that may register with the Device Provisioning Service. Individual enrollments may use either X.509 certificates or SAS tokens (in a real or virtual TPM) as the attestation mechanism. We recommend using individual enrollments for devices that require unique initial configurations, and for devices that can only use SAS tokens via a TPM or virtual TPM as the attestation mechanism. An individual enrollment may specify the desired IoT hub device ID.

Now you enroll the device with your Device Provisioning Service instance, using the required security artifacts based on the device's attestation mechanism:

  1. Sign in to the Azure portal, click on the All resources button on the left-hand menu and open your Device Provisioning service.

  2. On the Device Provisioning Service summary blade, select Manage enrollments. Select either the Individual Enrollments tab or the Enrollment Groups tab, as per your device setup. Click the Add button at the top. Select TPM or X.509 as the identity attestation Mechanism, and enter the appropriate security artifacts as discussed previously. You may enter a new IoT Hub device ID. Once complete, click the Save button.

  3. When the device is successfully enrolled, you should see it displayed in the portal as follows:

    Successful TPM enrollment in the portal

After enrollment, the provisioning service waits for the device to boot and connect with it at any later point in time. When your device boots for the first time, the client SDK library interacts with your chip to extract the security artifacts from the device, and verifies registration with your Device Provisioning service.

Start the IoT device

Your IoT device can be a real device, or a simulated device. Since the IoT device has now been enrolled with a Device Provisioning Service instance, the device can boot up and call the provisioning service to be recognized using the attestation mechanism. Once the provisioning service has recognized the device, it will be assigned to an IoT hub.

Simulated device examples, using both TPM and X.509 attestation, are included for C, Java, C#, Node.js, and Python. For example, a simulated device using TPM and the Azure IoT C SDK follows the process covered in the Simulate first boot sequence for a device section. The same device using X.509 certificate attestation refers to this boot sequence section.

Refer to the How-to guide for the MXChip IoT DevKit as an example of a real device.

Start the device to allow your device's client application to start the registration with your Device Provisioning service.

Verify the device is registered

Once your device boots, the following actions should take place:

  1. The device sends a registration request to your Device Provisioning service.

  2. For TPM devices, the Device Provisioning Service sends back a registration challenge to which your device responds.

  3. On successful registration, the Device Provisioning Service sends the IoT hub URI, device ID, and the encrypted key back to the device.

  4. The IoT Hub client application on the device then connects to your hub.

  5. On successful connection to the hub, you should see the device appear in the IoT hub's IoT Devices explorer.

    Successful connection to the hub in the portal

For more information, see the provisioning device client sample, prov_dev_client_sample.c. The sample demonstrates provisioning a simulated device using TPM, X.509 certificates and symmetric keys. Refer back to the TPM, X.509, and Symmetric key attestation quickstarts for step-by-step instructions on using the sample.
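The registration request in step 1 has to prove the device holds its enrolled credential. For the symmetric key attestation path referred to above, that proof is a SAS token over the DPS resource URI `{idScope}/registrations/{registrationId}`, signed with HMAC-SHA256 and limited by an expiry. The added example below (written for this page, not code from the SDKs or from prov_dev_client_sample.c) builds such a token as the device does, derives a per-device key from an enrollment group's key as the documented group-enrollment scheme does, and shows the checks a verifier performs on receipt: expiry, the fixed `skn=registration` key name, and a constant-time signature comparison. The ID scope `0ne00000000` and the 32-byte key are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders; a real ID scope comes from your DPS instance and a real
# key from the enrollment (individual key or group key) in the portal.
SAMPLE_ID_SCOPE = "0ne00000000"
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Derive a per-device key from an enrollment group key.

    DPS group enrollments use HMAC-SHA256(group key, registration ID), base64 encoded,
    so each device holds only its own derived key, never the group key.
    """
    key = base64.b64decode(group_key_b64)
    mac = hmac.new(key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_dps_registration_sas(id_scope: str, registration_id: str,
                               key_b64: str, expiry_epoch: int) -> str:
    """Build the SAS token a device presents to DPS when registering with a symmetric key."""
    resource_uri = quote(f"{id_scope}/registrations/{registration_id}", safe="")
    to_sign = f"{resource_uri}\n{expiry_epoch}".encode("utf-8")
    key = base64.b64decode(key_b64)
    signature = base64.b64encode(hmac.new(key, to_sign, hashlib.sha256).digest()).decode("ascii")
    return (f"SharedAccessSignature sr={resource_uri}&sig={quote(signature, safe='')}"
            f"&se={expiry_epoch}&skn=registration")


def verify_dps_registration_sas(token: str, id_scope: str, registration_id: str,
                                key_b64: str, now_epoch: int) -> bool:
    """Check a registration SAS token the way a service would: shape, expiry, then signature.

    The token is recomputed from the expected scope/ID/key and the presented expiry and
    compared in constant time, so a token for another registration ID or an expired one
    is rejected without leaking which field was wrong.
    """
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = {}
    for part in token[len(prefix):].split("&"):
        if "=" not in part:
            return False
        name, value = part.split("=", 1)
        fields[name] = value
    if fields.get("skn") != "registration":
        return False
    try:
        expiry = int(fields["se"])
    except (KeyError, ValueError):
        return False
    if expiry <= now_epoch:
        return False
    expected = build_dps_registration_sas(id_scope, registration_id, key_b64, expiry)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    device_key = derive_device_key(SAMPLE_KEY_B64, "my-device-01")
    token = build_dps_registration_sas(SAMPLE_ID_SCOPE, "my-device-01", device_key, 2000000000)
    print(token)
    print("valid:", verify_dps_registration_sas(token, SAMPLE_ID_SCOPE, "my-device-01",
                                               device_key, 1999999999))
```

Keeping the expiry short (the SDKs default to an hour) limits how long a captured token is useful, and deriving per-device keys from a group key means a compromised device exposes only its own key; both are visible in the functions above rather than hidden in SDK internals.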

Next steps

In this tutorial, you learned how to:

  • Enroll the device
  • Start the device
  • Verify the device is registered

Advance to the next tutorial to learn how to provision multiple devices across load-balanced hubs