Authenticating Windows Azure SQL Database Management API Requests
The SQL Database Management API requires mutual authentication of certificates. This means that in order to authenticate with the SQL Database Management Service, you must first associate a public key certificate (.cer) file with the subscription by uploading it to the subscription’s certificate store in Windows Azure using the Windows Azure Platform Management Portal. Then, you attach the matching private key certificate (.pfx) file with the SQL Database Management API request. The private key is not sent with the request. It is only used for authenticating the request. All Database Management API requests must be encrypted over the Secure Sockets Layer (SSL) to ensure the security of the request made to the SQL Database Management Service. Requests that have a private key certificate authenticated with a public key certificate in the subscription’s certificate store will be authorized to manage SQL Database servers and firewall rules for that subscription only.
| Warning |
|---|
| The private key associated with a certificate should always be maintained in a secure location. Once the public key (.cer) file is uploaded to the subscription’s certificate store, anyone who gains access to the private key (.pfx) file can authenticate and use the Database Management API to modify SQL Database servers and firewall rules for that particular subscription. Applications containing the certificate should also not be distributed to users who you do not want to grant service management permissions. |
The certificate uploaded to the subscription’s certificate store can be used for authentication with the Windows Azure Service Management REST API and the SQL Database Management REST API.
For instructions on how to add a certificate to a subscription’s certificate store using the Windows Azure Platform Management Portal, see How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform documentation.
Certificate Requirements
Any valid X.509 v3 certificate can be used for authentication against the SQL Database Management API. You can use a self-signed certificate or one signed by a certificate authority.
The length of the certificate’s key must be at least 2048 bits. Windows Azure will reject any certificate that does not meet this requirement or that is invalid.
| Note |
|---|
| The Service Management API does not verify that a certificate is still valid. Authentication will succeed against an expired certificate. |
For more information about certificates in general, see Certificates.
For more information on creating a certificate, see How to Create a Certificate for a Role.
Attaching a Certificate to a SQL Database Management Request
Once you have added your public key certificate to the certificate store for the subscription that will be managed using the Database Management API, the private key (.pfx) file can be attached to a secure request using the System.Net.HttpWebRequest and System.Security.Cryptography.X509Certificates.X509Certificate2 .NET classes. The following code snippet demonstrates this using the URL for the Get Servers operation, which returns all SQL Database servers associated with a subscription.
```csharp
using System.Net;
using System.Security.Cryptography.X509Certificates;
// The subscription ID and .pfx password are placeholders; supply your own values.
string subscriptionId = "<subscription-id>";
string certPassword = "<pfx-password>";
string certFilename = "C:\\SecuredDirectory\\MyCertificate.pfx";
string url = string.Format("https://management.database.windows.net:8443/{0}/servers", subscriptionId);
HttpWebRequest webRequest = HttpWebRequest.Create(url) as HttpWebRequest;
// Attach the private key certificate; the key is used for authentication and never sent.
webRequest.ClientCertificates.Add(new X509Certificate2(certFilename, certPassword));
webRequest.Headers["x-ms-version"] = "1.0";
webRequest.Method = "GET";
```
More complete code examples are given with the technical reference for each of the operations.
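The following is an added example, not code from the original page or the Windows Azure SDK. It checks the loaded .pfx against the certificate requirements described above (private key present, X.509 v3, key length of at least 2048 bits, and, because the service itself does not check it, the validity period) before issuing the Get Servers request; subscriptionId, certPath and certPassword are placeholders you must supply.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
// Added example, not from the original page: validate the .pfx locally, then call Get Servers.
// subscriptionId, certPath and certPassword are placeholders you must supply.
class ManagementCertificateCheck
{
    // Returns null when the certificate is usable, otherwise the reason it is not.
    static string Validate(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return "No private key in the .pfx; the .cer alone cannot authenticate.";
        if (cert.Version < 3) return "Certificate is not X.509 v3.";
        if (cert.PublicKey.Key.KeySize < 2048) return "Key is shorter than 2048 bits; Windows Azure rejects it.";
        // The service does not check expiry, so enforce the validity period on the client.
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return "Certificate is outside its validity period.";
        return null;
    }

    static void Main()
    {
        string subscriptionId = "<subscription-id>";
        string certPath = @"C:\SecuredDirectory\MyCertificate.pfx";
        string certPassword = "<pfx-password>";
        X509Certificate2 cert = new X509Certificate2(certPath, certPassword);
        string problem = Validate(cert);
        if (problem != null) { Console.Error.WriteLine(problem); return; }

        string url = string.Format(
            "https://management.database.windows.net:8443/{0}/servers", subscriptionId);
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(cert);   // the private key never leaves the client
        request.Headers["x-ms-version"] = "1.0";
        request.Method = "GET";
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                Console.WriteLine(reader.ReadToEnd());
        }
        catch (WebException ex)
        {
            // Report the HTTP status the management service returned, if any.
            HttpWebResponse error = ex.Response as HttpWebResponse;
            Console.Error.WriteLine(error != null ? error.StatusCode.ToString() : ex.Message);
        }
    }
}
```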