Users can enable TLS communication through simple configuration to ensure data transmission security.
External Service Communication Configuration
The configuration related to external service communication is written in the microservice.yaml file.
Service Center and Configuration Center TLS communication configuration
TLS for the connections from the microservice to the service center and to the configuration center is enabled by changing http to https in their addresses. The configuration example is as follows:
```yaml
servicecomb:
  service:
    registry:
      address: https://127.0.0.1:30100
  config:
    client:
      serverUri: https://127.0.0.1:30103
```
Service provider enables TLS communication
When the service provider configures its listening addresses, TLS is enabled by appending ?sslEnabled=true to each address; the suffix is what turns TLS on for that listener, so a listener without it keeps accepting plaintext even if certificates are configured. The example is as follows:
```yaml
servicecomb:
  rest:
    address: 0.0.0.0:8080?sslEnabled=true
  highway:
    address: 0.0.0.0:7070?sslEnabled=true
```
The certificate configuration items are also written in the microservice.yaml file. Certificates can be configured once for the whole microservice, and tags can be added for finer-grained configuration; a tagged setting overrides the global one. The configuration format is as follows:
The common tags are as follows:
Generally there is no need to configure tags. Connections fall into three categories: 1. connecting to internal services (service center, configuration center); 2. acting as a server; 3. acting as a client. Only when these three need different certificates do you use tags to tell them apart.
The certificate configuration items are shown in Table 1.
Table 1 Certificate Configuration Item Description Table

| Configuration Item | Default Value | Range of Value | Required | Meaning | Remark |
|---|---|---|---|---|---|
| ssl.engine | jdk | - | No | SSL engine; jdk or openssl | Default jdk |
| ssl.protocols | TLSv1.2 | - | No | Protocol list | Comma-separated |
| ssl.ciphers | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 | - | No | Cipher suite list | Comma-separated |
| ssl.authPeer | true | - | No | Whether to authenticate the peer | - |
| ssl.checkCN.host | true | - | No | Whether to check the certificate CN against the host. Valid only on the Consumer side and only for the http protocol, that is, when the Consumer uses the rest channel; it has no effect for the Provider, highway, etc. The CN check prevents the server from being spoofed (phishing); see the standard definition in https://tools.ietf.org/html/rfc2818. | - |
| ssl.trustStore | trust.jks | - | No | Trust certificate file | - |
| ssl.trustStoreType | JKS | - | No | Trust store type | - |
| ssl.trustStoreValue | - | - | No | Trust store password | - |
| ssl.keyStore | server.p12 | - | No | Identity certificate file | - |
| ssl.keyStoreType | PKCS12 | - | No | Identity key store type | - |
| ssl.keyStoreValue | - | - | No | Identity key store password | - |
| ssl.crl | revoke.crl | - | No | Certificate revocation list file | - |
| ssl.sslCustomClass | - | Implementation class of org.apache.servicecomb.foundation.ssl.SSLCustom | No | SSLCustom implementation that lets developers convert passwords, file paths, etc. | - |
- The default cipher suites use high-strength algorithms (AES-256). Older JDKs need the unlimited-strength JCE policy files installed for these suites to work, see http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html; JDK 8u161 and later enable unlimited strength by default. Alternatively, configure non-high-strength suites in ssl.ciphers.
- Microservice consumers can specify certificates for different providers. Currently certificates are issued per HOST; different providers share one certificate store, and that same store is also used for the microservice's access to the service center and the configuration center.
An example of a configuration for enabling TLS communication in the microservice.yaml file is as follows:
```yaml
servicecomb:
  service:
    registry:
      address: https://127.0.0.1:30100
  config:
    client:
      serverUri: https://127.0.0.1:30103
  rest:
    address: 0.0.0.0:8080?sslEnabled=true
  highway:
    address: 0.0.0.0:7070?sslEnabled=true
#########SSL options
ssl.protocols: TLSv1.2
ssl.authPeer: true
ssl.checkCN.host: true
#########certificates config
ssl.trustStore: trust.jks
ssl.trustStoreType: JKS
ssl.trustStoreValue: Changeme_123
ssl.keyStore: server.p12
ssl.keyStoreType: PKCS12
ssl.keyStoreValue: Changeme_123
ssl.crl: revoke.crl
ssl.sslCustomClass: org.apache.servicecomb.demo.DemoSSLCustom
```
The store passwords in this example are plaintext placeholders; in a real deployment keep ssl.authPeer set to true and use ssl.sslCustomClass to decode the passwords from a protected form rather than storing them in the clear.
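The settings above, as an added example that is not part of the ServiceComb documentation or code base: a Python script that reads a microservice.yaml, resolves tagged overrides the way the text describes (ssl.<tag>.<prop> wins over ssl.<prop>) and reports a weak configuration beside a hardened one, covering the http/https and ?sslEnabled=true switches, obsolete protocols, TLS_RSA suites without forward secrecy, ssl.authPeer, ssl.checkCN.host and placeholder store passwords. The YAML parser handles only the mapping-only subset seen on this page, both sample configurations are constructed, the tag name "server" is assumed for illustration (the page does not list tag names), and the placeholder password list is the example's own.

```python
"""Audit the TLS settings in a ServiceComb microservice.yaml (added example, not project code)."""
from urllib.parse import parse_qs, urlsplit

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# The page's default cipher list; TLS_RSA_* suites use static-RSA key exchange (no forward secrecy).
DEFAULT_CIPHERS = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
PLACEHOLDER_PASSWORDS = {"Changeme_123", "changeit", "password"}  # example's own list


def parse_config(text):
    """Parse the mapping-only YAML subset of microservice.yaml into {"a.b.c": "value"} (constructed)."""
    cfg, stack = {}, [(-1, "")]  # open blocks as (indent, dotted prefix)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # close blocks nested deeper than this line
            stack.pop()
        path = f"{stack[-1][1]}.{key.strip()}" if stack[-1][1] else key.strip()
        if value.strip():
            cfg[path] = value.strip()  # literal dotted keys such as ssl.protocols stay as written
        else:
            stack.append((indent, path))
    return cfg


def ssl_option(cfg, prop, tag=None, default=None):
    """Resolve an ssl.* item: a tagged ssl.<tag>.<prop> overrides the global ssl.<prop>."""
    if tag and f"ssl.{tag}.{prop}" in cfg:
        return cfg[f"ssl.{tag}.{prop}"]
    return cfg.get(f"ssl.{prop}", default)


def audit(cfg, tag=None):
    """Return findings (empty list = nothing weak) for the settings effective under `tag`."""
    findings = []
    for key in ("servicecomb.service.registry.address", "servicecomb.config.client.serverUri"):
        url = cfg.get(key)  # only an https scheme turns TLS on for these internal clients
        if url and urlsplit(url).scheme != "https":
            findings.append(f"{key}: {url} is not https, traffic to the service/config center is cleartext")
    for key in ("servicecomb.rest.address", "servicecomb.highway.address"):
        addr = cfg.get(key)  # provider listeners stay plaintext unless ?sslEnabled=true is appended
        if addr:
            enabled = parse_qs(urlsplit("//" + addr).query).get("sslEnabled", ["false"])[0]
            if enabled.lower() != "true":
                findings.append(f"{key}: listener {addr} lacks ?sslEnabled=true")
    for proto in ssl_option(cfg, "protocols", tag, "TLSv1.2").split(","):
        if proto.strip() in WEAK_PROTOCOLS:
            findings.append(f"ssl.protocols: {proto.strip()} is obsolete")
    for suite in ssl_option(cfg, "ciphers", tag, DEFAULT_CIPHERS).split(","):
        if suite.strip().startswith("TLS_RSA_"):
            findings.append(f"ssl.ciphers: {suite.strip()} has no forward secrecy")
    if ssl_option(cfg, "authPeer", tag, "true").lower() != "true":
        findings.append("ssl.authPeer: false, any peer certificate is accepted")
    if ssl_option(cfg, "checkCN.host", tag, "true").lower() != "true":
        findings.append("ssl.checkCN.host: false, consumer rest channel skips the RFC 2818 host check")
    for prop in ("trustStoreValue", "keyStoreValue"):
        if ssl_option(cfg, prop, tag) in PLACEHOLDER_PASSWORDS:
            findings.append(f"ssl.{prop}: placeholder password stored in cleartext")
    return findings


# Constructed sample: cleartext internal clients, a plaintext rest listener, TLSv1 re-enabled
# under the assumed "server" tag, peer authentication off and placeholder passwords.
WEAK_CONFIG = """\
servicecomb:
  service:
    registry:
      address: http://127.0.0.1:30100
  config:
    client:
      serverUri: http://127.0.0.1:30103
  rest:
    address: 0.0.0.0:8080
  highway:
    address: 0.0.0.0:7070?sslEnabled=true
ssl.protocols: TLSv1.2
ssl.server.protocols: TLSv1,TLSv1.2
ssl.authPeer: false
ssl.trustStoreValue: Changeme_123
ssl.keyStoreValue: Changeme_123
"""

# Constructed sample: the page's example with ECDHE-only suites and no cleartext passwords.
HARDENED_CONFIG = """\
servicecomb:
  service:
    registry:
      address: https://127.0.0.1:30100
  config:
    client:
      serverUri: https://127.0.0.1:30103
  rest:
    address: 0.0.0.0:8080?sslEnabled=true
ssl.protocols: TLSv1.2
ssl.ciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl.authPeer: true
ssl.checkCN.host: true
# store passwords omitted: supply them in a form that ssl.sslCustomClass decodes
ssl.sslCustomClass: org.apache.servicecomb.demo.DemoSSLCustom
"""
```

Calling `audit(parse_config(WEAK_CONFIG))` reports seven findings; passing `tag="server"` adds an eighth for the TLSv1 entry that the tagged override re-enables, which the global ssl.protocols line alone would hide. The hardened configuration yields no findings. Point `parse_config` at the contents of a real microservice.yaml to run the same checks on a deployment.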