TLS Support

Understand how TLS ensures transmission security in Dubbo

Feature Description

The built-in Dubbo Netty Server and the newly introduced gRPC protocol provide TLS-based secure link transmission mechanisms.

TLS configuration has a unified entry point.

Use Cases

Users with encryption requirements for end-to-end links can use TLS.

Reference Use Case https://github.com/apache/dubbo-samples/tree/master/dubbo-samples-ssl

Usage

Provider Side

  SslConfig sslConfig = new SslConfig();
  // Server certificate chain and its private key, both PEM files
  sslConfig.setServerKeyCertChainPath("path to cert");
  sslConfig.setServerPrivateKeyPath(args[1]);
  // If mutual cert authentication is enabled, the server also needs the CA bundle
  // it uses to verify client certificates
  if (mutualTls) {
      sslConfig.setServerTrustCertCollectionPath(args[2]);
  }
  // "dubbo" or "grpc": both protocols share the same TLS switch
  ProtocolConfig protocolConfig = new ProtocolConfig("dubbo/grpc");
  protocolConfig.setSslEnabled(true);

If the gRPC protocol is used, enabling TLS also enables protocol negotiation, so the SSL provider must support the ALPN mechanism; netty-tcnative is recommended. See the gRPC Java community's summary of supported providers.

Consumer Side

  SslConfig sslConfig = new SslConfig();
  if (!mutualTls) {
      // One-way TLS: the consumer only needs the CA bundle to verify the server
      sslConfig.setClientTrustCertCollectionPath(args[0]);
  } else {
      // Mutual TLS: the consumer also presents its own certificate chain and key
      sslConfig.setClientTrustCertCollectionPath(args[0]);
      sslConfig.setClientKeyCertChainPath(args[1]);
      sslConfig.setClientPrivateKeyPath(args[2]);
  }
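The provider- and consumer-side fragments above, wired together into one runnable class. This is an added example, not code from the Dubbo documentation or from dubbo-samples: the certificate paths under /etc/dubbo-tls/ are placeholders, the application name and port are made up, and registering the configuration through DubboBootstrap.ssl(SslConfig) is assumed to be the bootstrap entry point; the service or reference registration that a real application adds is omitted.

```java
import org.apache.dubbo.config.ApplicationConfig;
import org.apache.dubbo.config.ProtocolConfig;
import org.apache.dubbo.config.RegistryConfig;
import org.apache.dubbo.config.SslConfig;
import org.apache.dubbo.config.bootstrap.DubboBootstrap;

/**
 * Added example (not from the Dubbo docs or dubbo-samples).
 * Assumptions: the PEM files under CERT_DIR are placeholders, and
 * DubboBootstrap#ssl(SslConfig) is the way the SslConfig is registered.
 */
public final class TlsConfigExample {

    /** Placeholder certificate directory; replace with real PEM files. */
    static final String CERT_DIR = "/etc/dubbo-tls/";

    /** Provider side: server cert chain + private key; CA bundle only for mTLS. */
    static SslConfig providerSsl(boolean mutualTls) {
        SslConfig ssl = new SslConfig();
        ssl.setServerKeyCertChainPath(CERT_DIR + "server.pem");
        ssl.setServerPrivateKeyPath(CERT_DIR + "server.key");
        if (mutualTls) {
            // With mutual TLS the server verifies client certificates against this CA bundle
            ssl.setServerTrustCertCollectionPath(CERT_DIR + "ca.pem");
        }
        return ssl;
    }

    /** Consumer side: always trust the CA; present a client cert only for mTLS. */
    static SslConfig consumerSsl(boolean mutualTls) {
        SslConfig ssl = new SslConfig();
        ssl.setClientTrustCertCollectionPath(CERT_DIR + "ca.pem");
        if (mutualTls) {
            ssl.setClientKeyCertChainPath(CERT_DIR + "client.pem");
            ssl.setClientPrivateKeyPath(CERT_DIR + "client.key");
        }
        return ssl;
    }

    /** Protocol with TLS switched on; name is "dubbo" or "grpc" as on the page. */
    static ProtocolConfig tlsProtocol(String name, int port) {
        ProtocolConfig protocol = new ProtocolConfig(name, port);
        protocol.setSslEnabled(true);
        return protocol;
    }

    public static void main(String[] args) {
        // Usage: java TlsConfigExample [mtls] [provider]
        boolean mutualTls = args.length > 0 && "mtls".equals(args[0]);
        boolean provider = args.length > 1 && "provider".equals(args[1]);
        SslConfig ssl = provider ? providerSsl(mutualTls) : consumerSsl(mutualTls);

        // "N/A" registry: direct connection, as in the TLS sample; add a
        // ServiceConfig (provider) or ReferenceConfig (consumer) before start()
        DubboBootstrap.getInstance()
                .application(new ApplicationConfig("tls-demo"))
                .registry(new RegistryConfig("N/A"))
                .protocol(tlsProtocol("dubbo", 20880))
                .ssl(ssl)
                .start();
    }
}
```

The two factory methods mirror the branches on the page: the consumer always sets the trust collection, while the client key material and the server-side trust collection appear only when mutual authentication is wanted. Keeping the paths in one place makes it easy to swap them for values read from -D parameters or environment variables at startup.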

To ensure flexibility in application startup, the TLS Cert specification can also be dynamically set during startup based on the deployment environment using -D parameters or environment variables. Refer to Dubbo’s configuration reading rules.

Regarding the security of service calls, Dubbo will continue to invest in this area in future versions, with authentication mechanisms for service discovery/calls expected to be available in upcoming releases.


Last modified September 30, 2024: Update & Translate Overview Docs (#3040) (d37ebceaea7)