Using TLS
Scene Description
Users can enable TLS communication through simple configuration to ensure data transmission security.
External Service Communication Configuration
The configuration related to external service communication is written in the microservice.yaml file.
- Service Center, Configuration Center TLS communication configuration The connection between the microservices and the service center and the configuration center can be enabled by changing http to https. The configuration example is as follows:
yaml
servicecomb:
service:
registry:
address: https://127.0.0.1:30100
config:
client:
serverUri: https://127.0.0.1:30103
- Service provider enables TLS communication
When the service provider configures the service listening address, it can open TLS communication by appending
?sslEnabled=trueto the address. The example is as follows:
yaml
servicecomb:
rest:
address: 0.0.0.0:8080?sslEnabled=true
highway:
address: 0.0.0.0:7070?sslEnabled=true
Certificate Configuration
The certificate configuration item is written in the microservice.yaml file. It supports the unified development of certificates. It can also add tags for finer-grained configuration. The tag configuration overrides the global configuration. The configuration format is as follows:
ssl.[tag].[property]
The common tags are as follows:
| Project | tag |
|---|---|
| Service Center | sc.consumer |
| Configuration Center | cc.consumer |
| Kanban Center | mc.consumer |
| Rest server | rest.provider |
| Highway Server | highway.provider |
| Rest client | rest.consumer |
| Highway Client | highway.consumer |
| auth client | apiserver.consumer |
| Generally, there is no need to configure tags. The normal situation is divided into three categories: 1. Connecting internal services 2. As a server 3. As a client, if the certificates required by these three types are inconsistent, then you need to use tags to distinguish |
The certificate configuration items are shown in Table 1. Certificate Configuration Item Description Table. Table 1 Certificate Configuration Item Description Table
| Configuration Item | Default Value | Range of Value | Required | Meaning | Caution |
|---|---|---|---|---|---|
| Ssl.engine | jdk | - | No | ssl protocol, provide jdk/openssl options | default jdk |
| ssl.protocols | TLSv1.2 | - | No | Protocol List | separated by comma |
| ssl.ciphers | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH _AES_128_GCM_SHA256 |
- | No | List of laws | separated by comma |
| ssl.authPeer | false | - | No | Whether to authenticate the peer | - |
| ssl.checkCN.host | false | - | No | Check whether the CN of the certificate is checked. | This configuration item is valid only on the Consumer side and is valid using the http protocol. That is, the Consusser side uses the rest channel. Invalid for Provider, highway, etc. The purpose of checking CN is to prevent the server from being phishing, refer to Standard definition: https://tools.ietf.org/html/rfc2818. |
| ssl.trustStore | trust.jks | - | No | Trust certificate file | - |
| ssl.trustStoreType | JKS | - | No | Trust Certificate Type | - |
| ssl.trustStoreValue | - | - | No | Trust Certificate Password | - |
| ssl.keyStore | server.p12 | - | No | Identity Certificate File | - |
| ssl.keyStoreType | PKCS12 | - | No | Identity Certificate Type | - |
| ssl.keyStoreValue | - | - | No | Identity Certificate Password | - |
| ssl.crl | revoke.crl | - | No | Revoked Certificate File | - |
| ssl.sslCustomClass | - | org.apache.servicecomb.foundation.ssl.SSLCustom implementation class | No | SSLCustom class implementation for developers to convert passwords, file paths, etc. | - |
Description:
- The default protocol algorithm is a high-intensity encryption algorithm. The JDK needs to install the corresponding policy file. Reference: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. You can use a non-high-intensity algorithm in your profile configuration.
- Microservice consumers, can specify certificates for different providers (current certificates are issued according to HOST, different providers use a certificate storage medium, this medium is also used by the microservice access service center and configuration center ).
Sample Code
An example of a configuration for enabling TLS communication in the microservice.yaml file is as follows:
servicecomb:
service:
registry:
address: https://127.0.0.1:30100
config:
client:
serverUri: https://127.0.0.1:30103
rest:
address: 0.0.0.0:8080?sslEnabled=true
highway:
address: 0.0.0.0:7070?sslEnabled=true
#########SSL options
ssl.protocols: TLSv1.2
ssl.authPeer: true
ssl.checkCN.host: true
#########certificates config
ssl.trustStore: trust.jks
ssl.trustStoreType: JKS
ssl.trustStoreValue: Changeme_123
ssl.keyStore: server.p12
ssl.keyStoreType: PKCS12
ssl.keyStoreValue: Changeme_123
ssl.crl: revoke.crl
ssl.sslCustomClass: org.apache.servicecomb.demo.DemoSSLCustom