TLS 对 omega-alpha 开启TLS通信

Saga 现在支持在omega和alpha服务之间采用 TLS 通信.同样客户端方面的认证(双向认证)。

准备证书 (Certificates)

你可以用下面的命令去生成一个用于测试的自签名的证书。如果你想采用双向认证的方式,只需要客户端证书。

  1. # Changes these CN's to match your hosts in your environment if needed.
  2. SERVER_CN=localhost
  3. CLIENT_CN=localhost # Used when doing mutual TLS
  5. echo Generate CA key:
  6. openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
  7. echo Generate CA certificate:
  8. # Generates ca.crt which is the trustCertCollectionFile
  9. openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=${SERVER_CN}"
  10. echo Generate server key:
  11. openssl genrsa -passout pass:1111 -des3 -out server.key 4096
  12. echo Generate server signing request:
  13. openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}"
  14. echo Self-signed server certificate:
  15. # Generates server.crt which is the certChainFile for the server
  16. openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt 
  17. echo Remove passphrase from server key:
  18. openssl rsa -passin pass:1111 -in server.key -out server.key
  19. echo Generate client key
  20. openssl genrsa -passout pass:1111 -des3 -out client.key 4096
  21. echo Generate client signing request:
  22. openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/CN=${CLIENT_CN}"
  23. echo Self-signed client certificate:
  24. # Generates client.crt which is the clientCertChainFile for the client (need for mutual TLS only)
  25. openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
  26. echo Remove passphrase from client key:
  27. openssl rsa -passin pass:1111 -in client.key -out client.key
  28. echo Converting the private keys to X.509:
  29. # Generates client.pem which is the clientPrivateKeyFile for the Client (needed for mutual TLS only)
  30. openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pem
  31. # Generates server.pem which is the privateKeyFile for the Server
  32. openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem

TLS为Alpha服务开启TLS

1.为alpha-server修改application.yaml文件,在alpha.server部门增加ssl配置。

  1. alpha:
  2.   server:
  3.     ssl:
  4.       enable: true
  5.       cert: server.crt
  6.       key: server.pem
  7.       mutualAuth: true
  8.       clientCert: client.crt

  • 将server.crt 和 server.pem 文件放到alpha-server的root 目录。如果你想双向认证,合并所有client证书到一个client.crt文件,并把client.crt文件放到root目录.

  • 重新启动alpha服务器.

为Omega启用TLS

  • 获取CA证书串(chain), 如果你是将alpha服务运行在集群中,你可能需要去合并多个CA证书到一个文件中.

  • 为客户端应用修改application.yaml文件, 在alpha.cluster 部分增加ssl配置.

  1. alpha:
  2.   cluster:
  3.     address: alpha-server.servicecomb.io:8080
  4.     ssl:
  5.       enable: false
  6.       certChain: ca.crt
  7.       mutualAuth: false
  8.       cert: client.crt
  9.       key: client.pem

  • 把ca.crt文件放到客户端应用程序的root目录 file under the client application root directory.如果你想用双向认证,仍需要把client.crt和client.pem放到root目录下.

  • 重新启动客户端应用程序.