Merge pull request #291704 from gsteve88/add-entra-upload-files

Updated how to upload file to add cert auth include file

Author: JamesJBarnett

articles/iot-hub/how-to-file-upload.md

@@ -7,7 +7,7 @@ ms.author: kgremban
 manager: lizross
 ms.service: azure-iot-hub
 ms.topic: how-to
-ms.date: 07/01/2024
+ms.date: 12/12/2024
 zone_pivot_groups: iot-hub-howto-c2d-1
 ms.custom: [amqp, mqtt, "Role: Cloud Development", "Role: IoT Device"]
 ---

includes/iot-hub-howto-auth-device-cert-dotnet.md

@@ -0,0 +1,58 @@
+---
+title: How to connect a device to IoT Hub using a certificate (.NET)
+titleSuffix: Azure IoT Hub
+description: Learn how to connect a device to IoT Hub using a certificate and the Azure IoT Hub SDK for .NET.
+author: kgremban
+ms.author: kgremban
+ms.service: iot-hub
+ms.devlang: csharp
+ms.topic: include
+ms.manager: lizross
+ms.date: 12/12/2024
+ms.custom: mqtt, devx-track-csharp, devx-track-dotnet
+---
+
+To connect a device to IoT Hub using an X.509 certificate:
+
+1. Use [DeviceAuthenticationWithX509Certificate](/dotnet/api/microsoft.azure.devices.client.deviceauthenticationwithx509certificate) to create an object that contains device and certificate information. `DeviceAuthenticationWithX509Certificate` is passed as the second parameter to `DeviceClient.Create` (step 2).
+
+1. Use [DeviceClient.Create](/dotnet/api/microsoft.azure.devices.client.deviceclient.create?&#microsoft-azure-devices-client-deviceclient-create(system-string-microsoft-azure-devices-client-iauthenticationmethod-microsoft-azure-devices-client-transporttype)) to connect the device to IoT Hub using an X.509 certificate.
+
+In this example, device and certificate information is populated in the `auth` `DeviceAuthenticationWithX509Certificate` object that is passed to `DeviceClient.Create`.
+
+This example shows certificate input parameter values as local variables for clarity. In a production system, store sensitive input parameters in environment variables or another more secure storage location. For example, use `Environment.GetEnvironmentVariable("HOSTNAME")` to read the host name environment variable.
+
+```csharp
+RootCertPath = "~/certificates/certs/sensor-thl-001-device.cert.pem";
+Intermediate1CertPath = "~/certificates/certs/sensor-thl-001-device.intermediate1.cert.pem";
+Intermediate2CertPath = "~/certificates/certs/sensor-thl-001-device.intermediate2.cert.pem";
+DevicePfxPath = "~/certificates/certs/sensor-thl-001-device.cert.pfx";
+DevicePfxPassword = "1234";
+DeviceName = "MyDevice";
+HostName = "xxxxx.azure-devices.net";
+
+var chainCerts = new X509Certificate2Collection();
+chainCerts.Add(new X509Certificate2(RootCertPath));
+chainCerts.Add(new X509Certificate2(Intermediate1CertPath));
+chainCerts.Add(new X509Certificate2(Intermediate2CertPath));
+using var deviceCert = new X509Certificate2(DevicePfxPath, DevicePfxPassword);
+using var auth = new DeviceAuthenticationWithX509Certificate(DeviceName, deviceCert, chainCerts);
+
+using var deviceClient = DeviceClient.Create(
+    HostName,
+    auth,
+    TransportType.Amqp);
+```
+
+For more information about certificate authentication, see:
+
+* [Authenticate identities with X.509 certificates](/azure/iot-hub/authenticate-authorize-x509)
+* [Tutorial: Create and upload certificates for testing](/azure/iot-hub/tutorial-x509-test-certs)
+
+##### Code samples
+
+For working samples of device X.509 certificate authentication, see:
+
+* [Connect with X.509 certificate](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples/how%20to%20guides/X509DeviceCertWithChainSample)
+* [DeviceClientX509AuthenticationE2ETests](https://github.com/Azure/azure-iot-sdk-csharp/blob/main/e2e/test/iothub/DeviceClientX509AuthenticationE2ETests.cs)
+* [Guided project - Provision IoT devices securely and at scale with IoT Hub Device Provisioning Service](/training/modules/provision-iot-devices-secure-scale-with-iot-hub-dps/)

includes/iot-hub-howto-auth-device-cert-java.md

@@ -0,0 +1,51 @@
+---
+title: How to connect a device to IoT Hub using a certificate (Java)
+titleSuffix: Azure IoT Hub
+description: Learn how to connect a device to IoT Hub using a certificate and the Azure IoT Hub SDK for Java.
+author: kgremban
+ms.author: kgremban
+ms.service: iot-hub
+ms.devlang: java
+ms.topic: include
+ms.manager: lizross
+ms.date: 12/12/2024
+---
+
+To connect a device to IoT Hub using an X.509 certificate:
+
+1. Build the [SSLContext](https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html) object using [buildSSLContext](https://hc.apache.org/httpcomponents-core-4.4.x/current/httpcore/apidocs/org/apache/http/ssl/SSLContextBuilder.html).
+1. Add the `SSLContext` information to a [ClientOptions](/java/api/com.microsoft.azure.sdk.iot.device.clientoptions) object.
+1. Call [DeviceClient](/java/api/com.microsoft.azure.sdk.iot.device.deviceclient?#com-microsoft-azure-sdk-iot-device-deviceclient-deviceclient(java-lang-string-com-microsoft-azure-sdk-iot-device-iothubclientprotocol-com-microsoft-azure-sdk-iot-device-clientoptions)) using the `ClientOptions` information to create the device-to-IoT Hub connection.
+
+This example shows certificate input parameter values as local variables for clarity. In a production system, store sensitive input parameters in environment variables or another more secure storage location. For example, use `Environment.GetEnvironmentVariable("PUBLICKEY")` to read a public key certificate string environment variable.
+
+```java
+private static final String publicKeyCertificateString =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" +
+        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" +
+        "-----END CERTIFICATE-----\n";
+
+//PEM encoded representation of the private key
+private static final String privateKeyString =
+        "-----BEGIN EC PRIVATE KEY-----\n" +
+        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" +
+        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" +
+        "-----END EC PRIVATE KEY-----\n";
+
+SSLContext sslContext = SSLContextBuilder.buildSSLContext(publicKeyCertificateString, privateKeyString);
+ClientOptions clientOptions = ClientOptions.builder().sslContext(sslContext).build();
+DeviceClient client = new DeviceClient(connString, protocol, clientOptions);
+```
+
+For more information about certificate authentication, see:
+
+* [Authenticate identities with X.509 certificates](/azure/iot-hub/authenticate-authorize-x509)
+* [Tutorial: Create and upload certificates for testing](/azure/iot-hub/tutorial-x509-test-certs)
+
+##### Code samples
+
+For working samples of device X.509 certificate authentication, see:
+
+* [Send-receive x509 sample](https://github.com/Azure/azure-iot-sdk-java/tree/main/iothub/device/iot-device-samples/send-receive-x509-sample)
+* [Send event x509](https://github.com/Azure/azure-iot-sdk-java/blob/main/iothub/device/iot-device-samples/send-event-x509/src/main/java/samples/com/microsoft/azure/sdk/iot/SendEventX509.java)

includes/iot-hub-howto-auth-device-cert-node.md

@@ -0,0 +1,47 @@
+---
+title: How to connect a device to IoT Hub using a certificate (Node.js)
+titleSuffix: Azure IoT Hub
+description: Learn how to connect a device to IoT Hub using a certificate and the Azure IoT Hub SDK for Node.js.
+author: kgremban
+ms.author: kgremban
+ms.service: iot-hub
+ms.devlang: node
+ms.topic: include
+ms.manager: lizross
+ms.date: 12/12/2024
+---
+
+The X.509 certificate is attached to the device-to-IoT Hub connection transport.
+
+To configure a device-to-IoT Hub connection using an X.509 certificate:
+
+1. Call [fromConnectionString](/javascript/api/azure-iothub/client?#azure-iothub-client-fromconnectionstring) to add the device connection string and transport type. Add `x509=true` to the device connection string to indicate that a certificate is added to `DeviceClientOptions`. For example: `HostName=xxxxx.azure-devices.net;DeviceId=Device-1;SharedAccessKey=xxxxxxxxxxxxx;x509=true`.
+1. Configure a JSON variable with certificate details and pass it to [DeviceClientOptions](/javascript/api/azure-iot-device/deviceclientoptions).
+1. Call [setOptions](/javascript/api/azure-iot-device/client?#azure-iot-device-client-setoptions-1) to add an X.509 certificate and key (and optionally, passphrase) to the client transport.
+1. Call [open](/javascript/api/azure-iothub/client?#azure-iothub-client-open) to open the connection from the device to IoT Hub.
+
+This example shows certificate configuration information within a JSON variable. The certification configuration `options` are passed to `setOptions` and the connection is opened using `open`.
+
+```javascript
+var options = {
+   cert: myX509Certificate,
+   key: myX509Key,
+   passphrase: passphrase,
+   http: {
+     receivePolicy: {
+       interval: 10
+     }
+   }
+ }
+ client.setOptions(options, callback);
+ client.open(connectCallback);
+```
+
+For more information about certificate authentication, see:
+
+* [Authenticate identities with X.509 certificates](/azure/iot-hub/authenticate-authorize-x509)
+* [Create and upload certificates for testing](/azure/iot-hub/tutorial-x509-test-certs)
+
+##### Code sample
+
+For a working sample of device X.509 certificate authentication, see [Simple sample device X.509](https://github.com/Azure/azure-iot-sdk-node/blob/main/device/samples/javascript/simple_sample_device_x509.js).

includes/iot-hub-howto-auth-device-cert-python.md

@@ -0,0 +1,56 @@
+---
+title: How to connect a device to IoT Hub using a certificate (Python)
+titleSuffix: Azure IoT Hub
+description: Learn how to connect a device to IoT Hub using a certificate and the Azure IoT Hub SDK for Python.
+author: kgremban
+ms.author: kgremban
+ms.service: iot-hub
+ms.devlang: python
+ms.topic: include
+ms.manager: lizross
+ms.date: 12/06/2024
+---
+
+To connect a device to IoT Hub using an X.509 certificate:
+
+1. Use [create_from_x509_certificate](/python/api/azure-iot-device/azure.iot.device.iothubdeviceclient?#azure-iot-device-iothubdeviceclient-create-from-x509-certificate) to add the X.509 certificate parameters
+1. Call [connect](/python/api/azure-iot-device/azure.iot.device.iothubdeviceclient?#azure-iot-device-iothubdeviceclient-connect) to connect the device client
+
+This example shows certificate input parameter values as local variables for clarity. In a production system, store sensitive input parameters in environment variables or another more secure storage location. For example, use `os.getenv("HOSTNAME")` to read the host name environment variable.
+
+```python
+# The Azure IoT hub name
+hostname = "xxxxx.azure-devices.net"
+
+# The device that has been created on the portal using X509 CA signing or self-signing capabilities
+device_id = "MyDevice"
+
+# The X.509 certificate file name
+cert_file = "~/certificates/certs/sensor-thl-001-device.cert.pfx"
+key_file = "~/certificates/certs/sensor-thl-001-device.cert.key"
+# The optional certificate pass phrase
+pass_phrase = "1234"
+
+x509 = X509(
+    cert_file,
+    key_file,
+    pass_phrase,
+)
+
+# The client object is used to interact with your Azure IoT hub.
+device_client = IoTHubDeviceClient.create_from_x509_certificate(
+    hostname=hostname, device_id=device_id, x509=x509
+)
+
+# Connect to IoT Hub
+await device_client.connect()
+```
+
+For more information about certificate authentication, see:
+
+* [Authenticate identities with X.509 certificates](/azure/iot-hub/authenticate-authorize-x509)
+* [Tutorial: Create and upload certificates for testing](/azure/iot-hub/tutorial-x509-test-certs)
+
+##### Code samples
+
+For working samples of device X.509 certificate authentication, see the examples whose file names end in x509 at [Async hub scenarios](https://github.com/Azure/azure-iot-sdk-python/tree/main/samples/async-hub-scenarios).

includes/iot-hub-howto-file-upload-dotnet.md

@@ -7,7 +7,7 @@ ms.author: kgremban
 ms.service: azure-iot-hub
 ms.devlang: csharp
 ms.topic: include
-ms.date: 07/01/2024
+ms.date: 12/12/2024
 ms.custom: mqtt, devx-track-csharp, devx-track-dotnet
 ---
 
@@ -29,7 +29,18 @@ Follow this procedure to upload a file from a device to IoT hub:
 1. Upload the file to Azure storage
 1. Notify IoT hub of the file upload status
 
-### Connect to the device
+### Connect a device to IoT Hub
+
+A device app can authenticate with IoT Hub using the following methods:
+
+* X.509 certificate
+* Shared access key
+
+#### Authenticate using an X.509 certificate
+
+[!INCLUDE [iot-hub-howto-auth-device-cert-dotnet](iot-hub-howto-auth-device-cert-dotnet.md)]
+
+#### Authenticate using a shared access key
 
 Call [CreateFromConnectionString](/dotnet/api/microsoft.azure.devices.client.deviceclient.createfromconnectionstring?#microsoft-azure-devices-client-deviceclient-createfromconnectionstring(system-string)) to connect to the device. Pass the device primary connection string.
 
@@ -109,21 +120,47 @@ You can create a backend service to receive file upload notification messages fr
 
 The [ServiceClient](/dotnet/api/microsoft.azure.devices.serviceclient) class contains methods that services can use to receive file upload notifications.
 
-To receive file upload notification:
+### Add service NuGet Package
 
-1. Call [CreateFromConnectionString](/dotnet/api/microsoft.azure.devices.serviceclient.createfromconnectionstring) to connect to IoT hub. Pass the IoT hub primary connection string.
-1. Create a [CancellationToken](/dotnet/api/azure.core.httpmessage.cancellationtoken?#azure-core-httpmessage-cancellationtoken).
-1. Call [GetFileNotificationReceiver](/dotnet/api/microsoft.azure.devices.serviceclient.getfilenotificationreceiver?#microsoft-azure-devices-serviceclient-getfilenotificationreceiver) to create a notification receiver.
-1. Use a loop with [ReceiveAsync](/dotnet/api/microsoft.azure.devices.receiver-1.receiveasync?#microsoft-azure-devices-receiver-1-receiveasync(system-threading-cancellationtoken)) to wait for the file upload notification.
+Backend service applications require the **Microsoft.Azure.Devices** NuGet package.
+
+### Connect to IoT hub
+
+You can connect a backend service to IoT Hub using the following methods:
+
+* Shared access policy
+* Microsoft Entra
+
+[!INCLUDE [iot-authentication-service-connection-string.md](iot-authentication-service-connection-string.md)]
+
+#### Connect using a shared access policy
+
+Connect a backend application to a device using [CreateFromConnectionString](/dotnet/api/microsoft.azure.devices.registrymanager.createfromconnectionstring). Your application needs **service connect** permission. Supply this shared access policy connection string as a parameter to `fromConnectionString`. For more information about shared access policies, see [Control access to IoT Hub with shared access signatures](/azure/iot-hub/authenticate-authorize-sas).
 
 For example:
 
 ```csharp
 using Microsoft.Azure.Devices;
 static ServiceClient serviceClient;
-static string connectionString = "{IoT hub connection string}";
+static string connectionString = "{Shared access policy connection string}";
 serviceClient = ServiceClient.CreateFromConnectionString(connectionString);
+```
+
+#### Connect using Microsoft Entra
+
+[!INCLUDE [iot-hub-howto-connect-service-iothub-entra-dotnet](iot-hub-howto-connect-service-iothub-entra-dotnet.md)]
+
+### Receive file upload notification
 
+To receive file upload notification:
+
+1. Create a [CancellationToken](/dotnet/api/azure.core.httpmessage.cancellationtoken?#azure-core-httpmessage-cancellationtoken).
+1. Call [GetFileNotificationReceiver](/dotnet/api/microsoft.azure.devices.serviceclient.getfilenotificationreceiver?#microsoft-azure-devices-serviceclient-getfilenotificationreceiver) to create a notification receiver.
+1. Use a loop with [ReceiveAsync](/dotnet/api/microsoft.azure.devices.receiver-1.receiveasync?#microsoft-azure-devices-receiver-1-receiveasync(system-threading-cancellationtoken)) to wait for the file upload notification.
+
+For example:
+
+```csharp
 // Define the cancellation token
 CancellationTokenSource source = new CancellationTokenSource();
 CancellationToken token = source.Token;
@@ -144,3 +181,7 @@ while (true)
     await notificationReceiver.CompleteAsync(fileUploadNotification);
 }
 ```
+
+### SDK file upload receiver sample
+
+The SDK includes this [file upload receiver sample](https://github.com/Azure/azure-iot-sdk-csharp/blob/86065001a92fedb42877722c6a57ae37e45eed30/iothub/service/samples/getting%20started/FileUploadNotificationReceiverSample/FileUploadNotificationReceiverSample.cs).