This is an automated email from the ASF dual-hosted git repository.

ningjiang pushed a commit to branch master
in repository

commit 20382b88ef782a7d8f2db52c1e5531824da3556c
Author: Yang Bo <>
AuthorDate: Wed May 9 15:45:20 2018 +0800

    SCB-569 Add document for enabling SSL
 docs/ | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)

diff --git a/docs/ b/docs/
new file mode 100644
index 0000000..759ccb0
--- /dev/null
+++ b/docs/
@@ -0,0 +1,87 @@
+# Enable TLS for omega-alpha communication
+Saga now supports TLS for communication between omega and alpha server. Client 
side authentication(Mutual authentication) is also supported.
+## Prepare Certificates
+You can use the following commands to generate self-signed certificates for 
+The client certificates is only needed if you want to use mutual 
+# Changes these CN's to match your hosts in your environment if needed.
+CLIENT_CN=localhost # Used when doing mutual TLS
+echo Generate CA key:
+openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
+echo Generate CA certificate:
+# Generates ca.crt which is the trustCertCollectionFile
+openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt 
-subj "/CN=${SERVER_CN}"
+echo Generate server key:
+openssl genrsa -passout pass:1111 -des3 -out server.key 4096
+echo Generate server signing request:
+openssl req -passin pass:1111 -new -key server.key -out server.csr -subj 
+echo Self-signed server certificate:
+# Generates server.crt which is the certChainFile for the server
+openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey 
ca.key -set_serial 01 -out server.crt 
+echo Remove passphrase from server key:
+openssl rsa -passin pass:1111 -in server.key -out server.key
+echo Generate client key
+openssl genrsa -passout pass:1111 -des3 -out client.key 4096
+echo Generate client signing request:
+openssl req -passin pass:1111 -new -key client.key -out client.csr -subj 
+echo Self-signed client certificate:
+# Generates client.crt which is the clientCertChainFile for the client (need 
for mutual TLS only)
+openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey 
ca.key -set_serial 01 -out client.crt
+echo Remove passphrase from client key:
+openssl rsa -passin pass:1111 -in client.key -out client.key
+echo Converting the private keys to X.509:
+# Generates client.pem which is the clientPrivateKeyFile for the Client 
(needed for mutual TLS only)
+openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pem
+# Generates server.pem which is the privateKeyFile for the Server
+openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem
+## Enable TLS for Alpha Server
+1. Edit the application.yaml file for alpha-server, add the ssl configuration 
under the `alpha.server` section.
+  server:
+    ssl:
+      enable: true
+      cert: server.crt
+      key: server.pem
+      mutualAuth: true
+      clientCert: client.crt
+2. Put the server.crt and server.pem files under the root directory of the 
alpha-server. If you want to use mutual authentication, Merge all the client 
certificates into one file client.crt, then put the client.crt under the root 
+3. Restart alpha-server.
+## Enable TLS for Omega
+1. Get the CA certificate chain, you may need to merge multiple CA 
certificates into one file if you are running alpha server in cluster.
+2. Edit the application.yaml file for the client application, add the ssl 
configuration under the `alpha.cluster` section.
+  cluster:
+    address:
+    ssl:
+      enable: false
+      certChain: ca.crt
+      mutualAuth: false
+      cert: client.crt
+      key: client.pem
+3. Put the ca.crt file under the client application root directory. If you 
want to use mutual authentication, also put the client.crt and client.pem under 
the root directory.
+4. Restart the client application.

To stop receiving notification emails like this one, please contact

Reply via email to