This is an automated email from the ASF dual-hosted git repository. ningjiang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-servicecomb-saga.git
commit 20382b88ef782a7d8f2db52c1e5531824da3556c Author: Yang Bo <yangb...@huawei.com> AuthorDate: Wed May 9 15:45:20 2018 +0800 SCB-569 Add document for enabling SSL --- docs/enable_ssl.md | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/docs/enable_ssl.md b/docs/enable_ssl.md new file mode 100644 index 0000000..759ccb0 --- /dev/null +++ b/docs/enable_ssl.md 
@@ -0,0 +1,87 @@ +# Enable TLS for omega-alpha communication + +Saga now supports TLS for communication between omega and alpha server. Client side authentication(Mutual authentication) is also supported. + +## Prepare Certificates + +You can use the following commands to generate self-signed certificates for testing. + +The client certificates is only needed if you want to use mutual authentication. + + +``` +# Changes these CN's to match your hosts in your environment if needed. +SERVER_CN=localhost +CLIENT_CN=localhost # Used when doing mutual TLS + +echo Generate CA key: +openssl genrsa -passout pass:1111 -des3 -out ca.key 4096 +echo Generate CA certificate: +# Generates ca.crt which is the trustCertCollectionFile +openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=${SERVER_CN}" +echo Generate server key: +openssl genrsa -passout pass:1111 -des3 -out server.key 4096 +echo Generate server signing request: +openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}" +echo Self-signed server certificate: +# Generates server.crt which is the certChainFile for the server +openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt +echo Remove passphrase from server key: +openssl rsa -passin pass:1111 -in server.key -out server.key +echo Generate client key +openssl genrsa -passout pass:1111 -des3 -out client.key 4096 +echo Generate client signing request: +openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/CN=${CLIENT_CN}" +echo Self-signed client certificate: +# Generates client.crt which is the clientCertChainFile for the client (need for mutual TLS only) +openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt +echo Remove passphrase from client key: +openssl rsa -passin pass:1111 -in client.key -out client.key +echo Converting the private keys to X.509: +# 
Generates client.pem which is the clientPrivateKeyFile for the Client (needed for mutual TLS only) +openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pem +# Generates server.pem which is the privateKeyFile for the Server +openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem +``` + +## Enable TLS for Alpha Server + +1. Edit the application.yaml file for alpha-server, add the ssl configuration under the `alpha.server` section. + +``` +alpha: + server: + ssl: + enable: true + cert: server.crt + key: server.pem + mutualAuth: true + clientCert: client.crt +``` + +2. Put the server.crt and server.pem files under the root directory of the alpha-server. If you want to use mutual authentication, Merge all the client certificates into one file client.crt, then put the client.crt under the root directory. + +3. Restart alpha-server. + + +## Enable TLS for Omega + +1. Get the CA certificate chain, you may need to merge multiple CA certificates into one file if you are running alpha server in cluster. + +2. Edit the application.yaml file for the client application, add the ssl configuration under the `alpha.cluster` section. + +``` +alpha: + cluster: + address: alpha-server.servicecomb.io:8080 + ssl: + enable: false + certChain: ca.crt + mutualAuth: false + cert: client.crt + key: client.pem +``` +3. Put the ca.crt file under the client application root directory. If you want to use mutual authentication, also put the client.crt and client.pem under the root directory. + +4. Restart the client application. + -- To stop receiving notification emails like this one, please contact ningji...@apache.org.
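Review bot: the omega example under "Enable TLS for Omega" sets `enable: false` and `mutualAuth: false`, so a reader who copies it verbatim ends up with TLS switched off despite the section title; set `enable: true` (and `mutualAuth: true` when the alpha config has it) so the two samples agree, or say explicitly that the `false` values are placeholders to flip. Two smaller points in the certificate script: both `openssl x509 -req ... -set_serial 01` lines issue the server and client certificates with the same serial from the same CA, which violates serial uniqueness per issuer and can confuse some trust-store tooling, so use distinct serials (e.g. `-set_serial 02` for the client); and the `echo Self-signed server certificate:` / `echo Self-signed client certificate:` labels are misleading, since those certificates are signed by `ca.key`, only `ca.crt` is self-signed. It would also help to state that `SERVER_CN` must match the host in `alpha.cluster.address` (the default `localhost` will not verify against `alpha-server.servicecomb.io`), which the script comment only hints at.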