<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="../../img/favicon.ico" />
<title>Using TLS - ServiceComb Java Chassis Developers Guide</title>
<link rel="stylesheet" href="../../css/theme.css" />
<link rel="stylesheet" href="../../css/theme_extra.css" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/styles/github.min.css" />
<script>
// Current page data
var mkdocs_page_name = "Using TLS";
var mkdocs_page_input_path = "security/tls.md";
var mkdocs_page_url = null;
</script>
<script src="../../js/jquery-3.6.0.min.js" defer></script>
<!--[if lt IE 9]>
<script src="../../js/html5shiv.min.js"></script>
<![endif]-->
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
</head>
<body class="wy-body-for-nav" role="document">
<div class="wy-grid-for-nav">
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<div class="wy-nav-content">
<div class="rst-content">
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div class="section" itemprop="articleBody">
<h2 id="scene-description">Scenario</h2>
<p>Users can enable TLS for service communication through a few configuration items, protecting data in transit between microservices and the platform services they depend on.</p>
<h2 id="external-service-communication-configuration">External Service Communication Configuration</h2>
<p>The configuration related to external service communication is written in the microservice.yaml file.</p>
<ul>
<li>TLS for the Service Center and Configuration Center connections:
TLS between the microservice and the service center or configuration center is enabled by changing the address scheme from http to https. Example:</li>
</ul>
<pre><code class="language-yaml">servicecomb:
  service:
    registry:
      address: https://127.0.0.1:30100
  config:
    client:
      serverUri: https://127.0.0.1:30103
</code></pre>
<ul>
<li>Service provider enables TLS:
When configuring its listening address, a service provider enables TLS by appending <code>?sslEnabled=true</code> to the address. Example:</li>
</ul>
<pre><code class="language-yaml">servicecomb:
  rest:
    address: 0.0.0.0:8080?sslEnabled=true
  highway:
    address: 0.0.0.0:7070?sslEnabled=true
</code></pre>
<h2 id="certificate-configuration">Certificate Configuration</h2>
<p>Certificate settings are written in the microservice.yaml file. A single global configuration can serve every connection, and a tag can be inserted into the key for finer-grained, per-connection configuration; a tagged setting overrides the global one. The key format is:</p>
<pre><code>ssl.[tag].[property]
</code></pre>
<p>The common tags are as follows:</p>
<table>
<thead>
<tr>
<th align="left">Project</th>
<th align="left">tag</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">Service Center</td>
<td align="left">sc.consumer</td>
</tr>
<tr>
<td align="left">Configuration Center</td>
<td align="left">cc.consumer</td>
</tr>
<tr>
<td align="left">Kanban Center</td>
<td align="left">mc.consumer</td>
</tr>
<tr>
<td align="left">Rest server</td>
<td align="left">rest.provider</td>
</tr>
<tr>
<td align="left">Highway Server</td>
<td align="left">highway.provider</td>
</tr>
<tr>
<td align="left">Rest client</td>
<td align="left">rest.consumer</td>
</tr>
<tr>
<td align="left">Highway Client</td>
<td align="left">highway.consumer</td>
</tr>
<tr>
<td align="left">auth client</td>
<td align="left">apiserver.consumer</td>
</tr>
</tbody>
</table>
<p>Usually no tag is needed. A deployment normally has three kinds of connection: 1. to the internal platform services (service center, configuration center); 2. as a server; 3. as a client. Tags are only required when these three need different certificates.</p>
<p>The certificate configuration items are shown in Table 1. Certificate Configuration Item Description Table.
<strong>Table 1 Certificate Configuration Item Description Table</strong></p>
<table>
<thead>
<tr>
<th align="left">Configuration Item</th>
<th align="left">Default Value</th>
<th align="left">Range of Value</th>
<th align="left">Required</th>
<th align="left">Meaning</th>
<th align="left">Caution</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">ssl.engine</td>
<td align="left">jdk</td>
<td align="left">jdk, openssl</td>
<td align="left">No</td>
<td align="left">SSL engine that provides the TLS implementation</td>
<td align="left">Defaults to jdk</td>
</tr>
<tr>
<td align="left">ssl.protocols</td>
<td align="left">TLSv1.2</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Protocol List</td>
<td align="left">separated by comma</td>
</tr>
<tr>
<td align="left">ssl.ciphers</td>
<td align="left">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,<br/>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Cipher suite list</td>
<td align="left">separated by comma</td>
</tr>
<tr>
<td align="left">ssl.authPeer</td>
<td align="left">false</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Whether to authenticate the peer's certificate</td>
<td align="left">Defaults to false, in which case the peer's certificate is not authenticated and the channel is only encrypted; set it to true in production.</td>
</tr>
<tr>
<td align="left">ssl.checkCN.host</td>
<td align="left">false</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Whether to check that the certificate's CN matches the host being connected to.</td>
<td align="left">Takes effect only on the consumer side and only for HTTP, that is, when the consumer uses the REST channel; it has no effect on providers or on the highway channel. Checking the CN binds the certificate to the host, so a certificate issued for some other host cannot be used to impersonate the server. See RFC 2818: <a href="https://tools.ietf.org/html/rfc2818">https://tools.ietf.org/html/rfc2818</a></td>
</tr>
<tr>
<td align="left">ssl.trustStore</td>
<td align="left">trust.jks</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Trust certificate file</td>
<td align="left">-</td>
</tr>
<tr>
<td align="left">ssl.trustStoreType</td>
<td align="left">JKS</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Trust Certificate Type</td>
<td align="left">-</td>
</tr>
<tr>
<td align="left">ssl.trustStoreValue</td>
<td align="left">-</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Trust Certificate Password</td>
<td align="left">-</td>
</tr>
<tr>
<td align="left">ssl.keyStore</td>
<td align="left">server.p12</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Identity Certificate File</td>
<td align="left">-</td>
</tr>
<tr>
<td align="left">ssl.keyStoreType</td>
<td align="left">PKCS12</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Identity Certificate Type</td>
<td align="left">-</td>
</tr>
<tr>
<td align="left">ssl.keyStoreValue</td>
<td align="left">-</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Identity Certificate Password</td>
<td align="left">-</td>
</tr>
<tr>
<td align="left">ssl.crl</td>
<td align="left">revoke.crl</td>
<td align="left">-</td>
<td align="left">No</td>
<td align="left">Certificate revocation list (CRL) file</td>
<td align="left">-</td>
</tr>
<tr>
<td align="left">ssl.sslCustomClass</td>
<td align="left">-</td>
<td align="left">org.apache.servicecomb.foundation.ssl.SSLCustom implementation class</td>
<td align="left">No</td>
<td align="left">An implementation of SSLCustom that lets the developer transform configured values, for example decode a stored password or resolve a certificate file path</td>
<td align="left">-</td>
</tr>
</tbody>
</table>
<blockquote>
<p><strong>Description</strong>:</p>
<ul>
<li>The default cipher suites use 256-bit AES, which older JDK 8 releases treat as unlimited-strength cryptography and only allow once the JCE Unlimited Strength policy files are installed. Reference: <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html">http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html</a> (JDK 8u161 and later ship with the unlimited policy enabled). If the policy files cannot be installed, configure suites that do not require them in <code>ssl.ciphers</code>.</li>
<li>A microservice consumer can specify a different certificate for different providers. Currently certificates are issued per host, and all providers share one certificate store, which is also the store the microservice uses to reach the service center and configuration center.</li>
</ul>
</blockquote>
<h2 id="sample-code">Sample Code</h2>
<p>An example of a configuration for enabling TLS communication in the microservice.yaml file is as follows:</p>
<pre><code class="language-yaml">servicecomb:
  service:
    registry:
      address: https://127.0.0.1:30100
  config:
    client:
      serverUri: https://127.0.0.1:30103
  rest:
    address: 0.0.0.0:8080?sslEnabled=true
  highway:
    address: 0.0.0.0:7070?sslEnabled=true
#########SSL options
ssl.protocols: TLSv1.2
ssl.authPeer: true
ssl.checkCN.host: true
#########certificates config
ssl.trustStore: trust.jks
ssl.trustStoreType: JKS
ssl.trustStoreValue: Changeme_123
ssl.keyStore: server.p12
ssl.keyStoreType: PKCS12
ssl.keyStoreValue: Changeme_123
ssl.crl: revoke.crl
ssl.sslCustomClass: org.apache.servicecomb.demo.DemoSSLCustom
</code></pre>
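<p>An added example, not part of the ServiceComb documentation or code base, that ties together the address settings in the external communication section and the <code>ssl.*</code> items in Table 1: a small Python lint that flattens a microservice.yaml fragment and reports the settings that leave a channel in plaintext or unauthenticated, shown against a weak and a hardened configuration. Both embedded configurations are constructed for the example, and <code>com.example.VaultSSLCustom</code> is a hypothetical <code>ssl.sslCustomClass</code> name. The checks go slightly beyond the page by also rejecting SSLv3, TLSv1.0 and TLSv1.1 and any cipher suite without ECDHE key exchange or an AEAD bulk cipher.</p>

```python
"""Lint the TLS settings of a ServiceComb microservice.yaml fragment.
Added example, not ServiceComb code; both sample configs are constructed."""

# Constructed weak config: plaintext registry link and listener, a deprecated
# protocol, a non-AEAD suite, the page's defaults for ssl.authPeer and
# ssl.checkCN.host (both false), and a plaintext keystore password.
WEAK_CONFIG = """\
servicecomb:
  service:
    registry:
      address: http://127.0.0.1:30100
  rest:
    address: 0.0.0.0:8080
ssl.protocols: TLSv1,TLSv1.2
ssl.ciphers: TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl.authPeer: false
ssl.checkCN.host: false
ssl.keyStoreValue: Changeme_123
"""

# Constructed hardened config; com.example.VaultSSLCustom is a hypothetical
# ssl.sslCustomClass that decodes the stored (non-plaintext) password.
HARDENED_CONFIG = """\
servicecomb:
  service:
    registry:
      address: https://127.0.0.1:30100
  config:
    client:
      serverUri: https://127.0.0.1:30103
  rest:
    address: 0.0.0.0:8080?sslEnabled=true
ssl.protocols: TLSv1.2
ssl.ciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl.authPeer: true
ssl.checkCN.host: true
ssl.keyStoreValue: ciphertext-decoded-by-VaultSSLCustom
ssl.sslCustomClass: com.example.VaultSSLCustom
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REMOTE_KEYS = ("servicecomb.service.registry.address",
               "servicecomb.config.client.serverUri")
LISTEN_KEYS = ("servicecomb.rest.address", "servicecomb.highway.address")
PASSWORD_KEYS = ("ssl.keyStoreValue", "ssl.trustStoreValue")


def parse_flat(text):
    """Flatten indentation-nested 'key: value' mappings into dotted keys (no lists, no quotes)."""
    flat = {}
    stack = []  # (indent, key) for each currently open mapping level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # split on the first colon only
        while stack and stack[-1][0] >= indent:  # close deeper and sibling levels
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat


def is_strong_cipher(name):
    """Require an ephemeral ECDHE key exchange and an AEAD bulk cipher."""
    return "ECDHE" in name and ("GCM" in name or "CHACHA20" in name)


def lint(flat):
    """Return the list of findings; an empty list means nothing was flagged."""
    findings = []
    for key in REMOTE_KEYS:  # service center / config center links must be https
        value = flat.get(key)
        if value and not value.lower().startswith("https://"):
            findings.append(f"{key}: {value} is plaintext, use https://")
    for key in LISTEN_KEYS:  # provider listeners must carry ?sslEnabled=true
        value = flat.get(key)
        if value and "sslEnabled=true" not in value:
            findings.append(f"{key}: listener is plaintext, append ?sslEnabled=true")
    for proto in flat.get("ssl.protocols", "TLSv1.2").split(","):
        if proto.strip() in WEAK_PROTOCOLS:
            findings.append(f"ssl.protocols: remove deprecated {proto.strip()}")
    for cipher in flat.get("ssl.ciphers", "").split(","):
        if cipher.strip() and not is_strong_cipher(cipher.strip()):
            findings.append(f"ssl.ciphers: {cipher.strip()} lacks ECDHE or AEAD")
    if flat.get("ssl.authPeer", "false").lower() != "true":
        findings.append("ssl.authPeer: false, the peer certificate is not authenticated")
    if flat.get("ssl.checkCN.host", "false").lower() != "true":
        findings.append("ssl.checkCN.host: false, REST consumers do not check the server hostname")
    if "ssl.sslCustomClass" not in flat:  # nothing is decoding the stored passwords
        for key in PASSWORD_KEYS:
            if key in flat:
                findings.append(f"{key}: plaintext password and no ssl.sslCustomClass to decode it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(parse_flat(cfg)))
```

<p>Run it against a real file with <code>lint(parse_flat(open(path).read()))</code>. The parser understands only the indentation-nested mappings shown on this page, so lists and quoted scalars are out of scope. The last check is the reason to implement <code>ssl.sslCustomClass</code> rather than leave the keystore and truststore passwords in the file as the sample above does.</p>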
</div>
</div><footer>
<hr/>
<div role="contentinfo">
<!-- Copyright etc -->
</div>
Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>var base_url = '../..';</script>
<script src="../../js/theme_extra.js" defer></script>
<script src="../../js/theme.js" defer></script>
<script src="../../search/main.js" defer></script>
<script defer>
window.onload = function () {
SphinxRtdTheme.Navigation.enable(true);
};
</script>
</body>
</html>