Commit 8cc4580

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into public-ip-graphic
2 parents 6ad7cee + 032014a commit 8cc4580

2 files changed

+42
-19
lines changed

articles/api-management/validate-jwt-policy.md

Lines changed: 11 additions & 10 deletions
@@ -6,7 +6,7 @@ author: dlepow
66

77
ms.service: api-management
88
ms.topic: article
9-
ms.date: 01/08/2024
9+
ms.date: 03/05/2024
1010
ms.author: danlep
1111
---
1212

@@ -83,8 +83,8 @@ The `validate-jwt` policy enforces existence and validity of a supported JSON we
8383
| Element | Description | Required |
8484
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
8585
| openid-config |Add one or more of these elements to specify a compliant OpenID configuration endpoint URL from which signing keys and issuer can be obtained.<br/><br/>Configuration including the JSON Web Key Set (JWKS) is pulled from the endpoint every 1 hour and cached. If the token being validated references a validation key (using `kid` claim) that is missing in cached configuration, or if retrieval fails, API Management pulls from the endpoint at most once per 5 min. These intervals are subject to change without notice. <br/><br/>The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. <br/><br/>For Microsoft Entra ID use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- v2 `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/>- v2 Multi-Tenant ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- v1 `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/>- Customer tenant (preview) `https://{tenant-name}.ciamlogin.com/{tenant-id}/v2.0/.well-known/openid-configuration` <br/><br/> Substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`. | No |
86-
| issuer-signing-keys | A list of Base64-encoded security keys, in [`key`](#key-attributes) subelements, used to validate signed tokens. If multiple security keys are present, then each key is tried until either all are exhausted (in which case validation fails) or one succeeds (useful for token rollover). <br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To validate an RS256 signed token, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management, or the RSA modulus `n` and exponent `e` pair of the RS256 signing key-in Base64url-encoded format. | No |
87-
| decryption-keys | A list of Base64-encoded keys, in [`key`](#key-attributes) subelements, used to decrypt the tokens. If multiple security keys are present, then each key is tried until either all keys are exhausted (in which case validation fails) or a key succeeds.<br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To decrypt an RS256 signed token, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management. | No |
86+
| issuer-signing-keys | A list of Base64-encoded security keys, in [`key`](#key-attributes) subelements, used to validate signed tokens. If multiple security keys are present, then each key is tried until either all are exhausted (in which case validation fails) or one succeeds (useful for token rollover). <br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To validate an token signed with an asymmetric key, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management, or the RSA modulus `n` and exponent `e` pair of the signing key in Base64url-encoded format. | No |
87+
| decryption-keys | A list of Base64-encoded keys, in [`key`](#key-attributes) subelements, used to decrypt the tokens. If multiple security keys are present, then each key is tried until either all keys are exhausted (in which case validation fails) or a key succeeds.<br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To decrypt a token encrypted with an asymmetric key, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management, or the RSA modulus `n` and exponent `e` pair of the key in Base64url-encoded format. | No |
8888
| audiences | A list of acceptable audience claims, in `audience` subelements, that can be present on the token. If multiple audience values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one audience must be specified. | No |
8989
| issuers | A list of acceptable principals, in `issuer` subelements, that issued the token. If multiple issuer values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. | No |
9090
| required-claims | A list of claims, in [`claim`](#claim-attributes) subelements, expected to be present on the token for it to be considered valid. When multiple claims are present, the token must match claim values according to the value of the `match` attribute. | No |
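Review bot: the new issuer-signing-keys row (line 86) reads "To validate an token signed with an asymmetric key"; change "an token" to "a token". In the new decryption-keys row (line 87), "optionally specify the public key using a `certificate-id` attribute ... or the RSA modulus `n` and exponent `e` pair" describes public-key material only, and a public key cannot decrypt a token encrypted to an RSA recipient; confirm whether the uploaded certificate is expected to carry the private key and whether the `n`/`e` option is actually valid for decryption, and reword the row to match.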
@@ -93,9 +93,9 @@ The `validate-jwt` policy enforces existence and validity of a supported JSON we
9393
| Attribute | Description | Required | Default |
9494
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
9595
| id | String. Identifier used to match `kid` claim presented in JWT. | No | N/A |
96-
| certificate-id | Identifier of a certificate entity [uploaded](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-certificate-entity#Add) to API Management, used to specify the public key to verify an RS256 signed token. | No | N/A |
97-
| n | Modulus of the public key used to verify the issuer of an RS256 signed token. Must be specified with the value of the exponent `e`. Policy expressions aren't allowed. | No | N/A|
98-
| e | Exponent of the public key used to verify the issuer an RS256 signed token. Must be specified with the value of the modulus `n`. Policy expressions aren't allowed. | No | N/A|
96+
| certificate-id | Identifier of a certificate entity [uploaded](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-certificate-entity#Add) to API Management, used to specify the public key to verify a token signed with an asymmetric key. | No | N/A |
97+
| n | Modulus of the public key used to verify the issuer of a token signed with an asymmetric key. Must be specified with the value of the exponent `e`. Policy expressions aren't allowed. | No | N/A|
98+
| e | Exponent of the public key used to verify the issuer of a token signed with an asymmetric key. Must be specified with the value of the modulus `n`. Policy expressions aren't allowed. | No | N/A|
9999

100100

101101

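Review bot: the new `certificate-id`, `n` and `e` descriptions (lines 96-98) generalise to "a token signed with an asymmetric key", but `n` and `e` are RSA public-key parameters and only apply to the RSA-based algorithms (the RS256/RS512/PS256 family named in the usage notes), not to every asymmetric key; say "RSA" here, for example "Modulus of the RSA public key used to verify the signature of a token signed with RS256, RS512, or PS256". Also, "used to verify the issuer of a token" (lines 97-98) is inaccurate: the key verifies the token's signature, while the issuer is checked against the `issuers` element.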
@@ -114,10 +114,11 @@ The `validate-jwt` policy enforces existence and validity of a supported JSON we
114114
### Usage notes
115115

116116
* The `validate-jwt` policy requires that the `exp` registered claim is included in the JWT token, unless `require-expiration-time` attribute is specified and set to `false`.
117-
* The policy supports HS256 and RS256 signing algorithms:
118-
* **HS256** - the key must be provided inline within the policy in the Base64-encoded form.
119-
* **RS256** - the key may be provided either via an OpenID configuration endpoint, or by providing the ID of an uploaded certificate (in PFX format) that contains the public key, or the modulus-exponent pair of the public key.
120-
* The policy supports tokens encrypted with symmetric keys using the following encryption algorithms: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512.
117+
* The policy supports both symmetric and asymmetric signing algorithms:
118+
* **Symmetric** - The following encryption algorithms are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512.
119+
* If used in the policy, the key must be provided inline within the policy in the Base64-encoded form.
120+
* **Asymmetric** - The following encryption algortithms are supported: PS256, RS256, RS512.
121+
* If used in the policy, the key may be provided either via an OpenID configuration endpoint, or by providing the ID of an uploaded certificate (in PFX format) that contains the public key, or the modulus-exponent pair of the public key.
121122
* To configure the policy with one or more OpenID configuration endpoints for use with a self-hosted gateway, the OpenID configuration endpoints URLs must also be reachable by the cloud gateway.
122123
* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Microsoft Entra authentication by applying the `validate-jwt` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control.
123124
* When using a custom header (`header-name`), the configured required scheme (`require-scheme`) will be ignored. To use a required scheme, JWT tokens must be provided in the `Authorization` header.
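Review bot: the new usage notes (lines 117-120) mix signing and encryption algorithms. The parent bullet says "signing algorithms", yet the **Symmetric** sub-bullet lists A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512, which are JWE content-encryption algorithms (the removed line 120 described them correctly), and HS256, the symmetric signing algorithm the old line 118 documented, has disappeared. The **Asymmetric** sub-bullet calls PS256, RS256 and RS512 "encryption algortithms" (also a typo for "algorithms") although they are signature algorithms. Suggest separate bullets for signing (HS256; RS256, RS512, PS256) and for encryption (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512), each with its key-provision rule, so readers can tell which key material a given token needs.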

articles/iot-operations/manage-devices-assets/howto-autodetect-opcua-assets-using-akri.md

Lines changed: 31 additions & 9 deletions
@@ -17,7 +17,7 @@ ms.date: 11/14/2023
1717

1818
In this article, you learn how to discover OPC UA data sources. After you deploy Azure IoT Operations, you configure Azure IoT Akri to discover OPC UA data sources at the edge. Azure IoT Akri creates custom resources into the Azure IoT Operations namespace on your cluster to represent the discovered devices. The capability to discover OPC UA data sources simplifies the process of manually configuring them from the cloud and onboarding them to your cluster. Currently, Azure IoT Akri can't detect and create assets that can be ingested into the Azure Device Registry. For more information on supported features, see [Azure IoT Akri overview](overview-akri.md#features).
1919

20-
Azure IoT Akri enables you to detect and create `Assets` in the address space of an OPC UA Server. The OPC UA asset detection generates `AssetType` and `Asset` Kubernetes custom resources (CRs) for [OPC UA Device Integration (DI) specification](https://reference.opcfoundation.org/DI/v104/docs/) compliant `Assets`.
20+
Azure IoT Akri enables you to detect and create `Assets` in the address space of an OPC UA server. The OPC UA asset detection generates `AssetType` and `Asset` Kubernetes custom resources (CRs) for [OPC UA Device Integration (DI) specification](https://reference.opcfoundation.org/DI/v104/docs/) compliant `Assets`.
2121

2222
## Prerequisites
2323

@@ -28,7 +28,7 @@ Azure IoT Akri enables you to detect and create `Assets` in the address space of
2828
kubectl get pods -n azure-iot-operations
2929
```
3030

31-
You should see the agent and discovery handler pod running:
31+
You should see the agent and discovery handler pod running.
3232

3333
```output
3434
NAME READY STATUS RESTARTS AGE
@@ -40,10 +40,10 @@ Azure IoT Akri enables you to detect and create `Assets` in the address space of
4040

4141
To configure the custom OPC UA discovery handler with asset detection, first you create a YAML configuration file using the values described in this section. Before you create the file, note the following configuration details:
4242

43-
- The specified server contains a sample address model that uses the Robotics companion specification, which is based on the DI specification. A model that uses these specifications is required for asset detection. The Robot contains five assets with observable variables and a `DeviceHealth` node that is automatically detected for monitoring.
43+
- The specified server contains a sample address model that uses the Robotics companion specification, which is based on the DI specification. A model that uses these specifications is required for asset detection. The Robot contains five assets with observable variables and a `DeviceHealth` node that is automatically detected for monitoring.
4444
- You can specify other servers by providing the `endpointUrl` and ensuring that a security `None` profile is enabled.
4545
- To enable Azure IoT Akri to discover the servers, confirm that you specified the correct discovery endpoint URL during installation.
46-
- Discovery URLs appear as `opc.tcp://<FQDN>:50000/`. To find the FQDNs of your OPC PLC servers, navigate to your deployments in the Azure portal. For each server, copy and paste the **FQDN** value into your discovery URLs. The following example demonstrates discovery of two OPC PLC servers. You can add the asset parameters for each OPC PLC server. If you only have one OPC PLC server, delete one of the assets.
46+
- Discovery URLs appear as `opc.tcp://<FQDN>:50000/`. To find the FQDNs of your OPC PLC servers, navigate to your deployments in the Azure portal. For each server, copy and paste the **FQDN** value into your discovery URLs. The following example demonstrates discovery of two OPC PLC servers. You can add the asset parameters for each OPC PLC server. If you only have one OPC PLC server, delete one of the assets.
4747

4848

4949
> [!div class="mx-tdBreakAll"]
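Review bot: lines 43 and 46 show no visible change, so this looks like a whitespace-only edit; if so it is fine, but check that it did not alter the list indentation. Separately, since line 44 tells readers to ensure "a security `None` profile is enabled" on other servers, it would help to state that the `None` profile disables OPC UA message signing and encryption, so it should be limited to the simulated PLC servers used in this walkthrough rather than production OPC UA servers.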
@@ -59,7 +59,7 @@ To configure the custom OPC UA discovery handler with asset detection, first you
5959
² Temporary implementation until Azure IoT Akri can pass K8S secrets.
6060

6161

62-
1. To create the YAML configuration file, copy and paste the following content into a new file, and save it as `opcua-configuration.yaml`.
62+
1. To create the YAML configuration file, copy and paste the following content into a new file, and save it as `opcua-configuration.yaml`:
6363

6464
If you're using the simulated PLC server that was deployed with the Azure IoT Operations Quickstart, you don't need to change the `endpointUrl`. If you have your own OPC UA servers running or are using the simulated PLC servers deployed on Azure, add in your endpoint URL accordingly.
6565

@@ -77,13 +77,13 @@ To configure the custom OPC UA discovery handler with asset detection, first you
7777
```
7878

7979

80-
2. Apply the YAML to configure Azure Iot Akri to discover the assets:
80+
1. Apply the YAML to configure Azure Iot Akri to discover the assets:
8181

8282
```bash
8383
kubectl apply -f opcua-configuration.yaml -n azure-iot-operations
8484
```
8585

86-
3. To confirm that the asset discovery container is configured and started, check the pod logs with the following command:
86+
1. To confirm that the asset discovery container is configured and started, check the pod logs with the following command:
8787

8888
```bash
8989
kubectl logs <insert aio-akri-opcua-asset-discovery pod name> -n azure-iot-operations
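Review bot: line 80 still reads "Azure Iot Akri"; it should be "Azure IoT Akri" as elsewhere in the article. Renumbering steps 2 and 3 to "1." relies on Markdown auto-numbering, which only works if the fenced code blocks between the items stay indented under their list item; otherwise each "1." starts a new list.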
@@ -143,13 +143,20 @@ To configure the custom OPC UA discovery handler with asset detection, first you
143143
144144
After the discovery is completed, the result is sent back to Azure IoT Akri to create an Akri instance custom resource with asset information and observable variables. The discovery handler repeats the discovery every 10 minutes to detect changes on the server.
145145
146-
4. To view the discovered Azure IoT Akri instances, run the following command:
146+
1. To view the discovered Azure IoT Akri instances, run the following command:
147147
148148
```bash
149149
kubectl get akrii -n azure-iot-operations
150150
```
151151
152-
Note that it may take a few minutes for the instance to show up.
152+
It might take a few minutes for the instance to show up.
153+
154+
The output from the previous command looks like the following example. You might need to wait for a few seconds for the Akri instance to be created:
155+
156+
```console
157+
NAMESPACE NAME CONFIG SHARED NODES AGE
158+
azure-iot-operations akri-opcua-asset-dbdef0 akri-opcua-asset true ["my-aio-vm"] 35m
159+
```
153160
154161
You can inspect the instance custom resource by using an editor such as OpenLens, under `CustomResources/akri.sh/Instance`.
155162
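Review bot: the new line 152 says the instance may take "a few minutes" to show up and the new line 154 says "a few seconds"; pick one. The added output block uses a ```console fence while the earlier pod listing in this article (line 33) uses ```output; use the same fence for both.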
@@ -161,7 +168,22 @@ To configure the custom OPC UA discovery handler with asset detection, first you
161168
162169
The OPC UA Connector supervisor watches for new Azure IoT Akri instance custom resources of type `opc-ua-asset`, and generates the initial asset types and asset custom resources for them. You can modify asset custom resources to add settings such as extending publishing for more data points, or to add OPC UA Broker observability settings.
163170
171+
1. To confirm that the Akri instance properly connected to the OPC UA Broker, copy and paste the name of the Akri instance that was the output of the previous step, into the following command:
164172
173+
```bash
174+
kubectl get akrii <AKRI_INSTANCE_NAME> -n azure-iot-operations -o json
175+
```
176+
177+
The command output looks like the following example. This example output shows the Akri instance `brokerProperties` values and confirms that the OPC UA Broker is connected.
178+
179+
```json
180+
"spec": {
181+
182+
"brokerProperties": {
183+
"ApplicationUri": "Boiler #2",
184+
"AssetEndpointProfile": "{\"spec\":{\"uuid\":\"opc-ua-broker-opcplc-000000-azure-iot-operation\"……
185+
```
186+
165187
## Related content
166188
167189
- [Azure IoT Akri overview](overview-akri.md)
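Review bot: the new JSON block (lines 179-185) is not valid JSON: it starts at `"spec": {` without the enclosing object, contains an empty line inside the object, and ends with `……`; mark it as an excerpt, or close the braces after a trimmed `AssetEndpointProfile` value, so readers do not try to parse it. `kubectl get akrii <AKRI_INSTANCE_NAME> -n azure-iot-operations -o json` returns the whole resource; `-o jsonpath='{.spec.brokerProperties}'` would show only the fragment the text discusses. Also, "confirms that the OPC UA Broker is connected" (line 177) overstates what the output shows: `brokerProperties` are the instance's configured values, not a live connection status; consider saying the instance carries the broker properties needed for the connection.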
