Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2018/08/28 10:32:46 UTC

[GitHub] WillemJiang closed pull request #57: Security dir translation

WillemJiang closed pull request #57: Security dir translation
URL: https://github.com/apache/incubator-servicecomb-docs/pull/57

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/java-chassis-reference/en_US/security/rsa.md b/java-chassis-reference/en_US/security/rsa.md
new file mode 100755
index 0000000..9e9fb68
--- /dev/null
+++ b/java-chassis-reference/en_US/security/rsa.md
@@ -0,0 +1,54 @@
+## Scene Description
+
+Users can enable RSA authentication between services through simple configuration to ensure the security of the service interface.
+
+Detailed introduction [public key authentication] (../references-handlers/publickey.md)
+
+## Consumer Configuration
+
+* Add dependencies in pom.xml:
+
+  ```
+   <dependency>
+      <groupId>org.apache.servicecomb</groupId>
+      <artifactId>handler-publickey-auth</artifactId>
+    </dependency>
+  ```
+
+* Added to the processing chain in microservice.yaml
+
+  ```
+  servicecomb:
+   ......
+   handler:
+    chain:
+     Consumer:
+      default: auth-consumer
+   ......
+  ```
+
+## Provider Configuration
+
+* Add dependencies in pom.xml:
+
+  ```
+   <dependency>
+      <groupId>org.apache.servicecomb</groupId>
+      <artifactId>handler-publickey-auth</artifactId>
+    </dependency>
+  ```
+
+* Added to the processing chain in microservice.yaml
+
+  ```
+  servicecomb:
+   ......
+   handler:
+    chain:
+     Provider:
+      default: auth-provider
+   ......
+  ```
+
+
+
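Review bot: The link on the "Detailed introduction" line will not render, because there is a space between `]` and `(` in `[public key authentication] (../references-handlers/publickey.md)`; remove the space so Markdown treats it as a link. The file is also created with mode 100755, while the file it replaces was 100644; a Markdown page does not need the executable bit. Smaller wording points: "Scene Description" reads better as "Scenario", and "Added to the processing chain in microservice.yaml" should be imperative ("Add the handler to the processing chain") to match "Add dependencies in pom.xml".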
diff --git a/java-chassis-reference/en_US/security/shi-yong-rsa-ren-zheng.md b/java-chassis-reference/en_US/security/shi-yong-rsa-ren-zheng.md
deleted file mode 100644
index e66d2a2..0000000
--- a/java-chassis-reference/en_US/security/shi-yong-rsa-ren-zheng.md
+++ /dev/null
@@ -1,54 +0,0 @@
-## 场景描述
-
-用户通过简单的配置即可启用服务间RSA认证,以保障服务接口的安全性。
-
-详细介绍参考[公钥认证](../references-handlers/publickey.md)
-
-## Consumer配置
-
-* 在pom.xml中增加依赖:
-
-  ```
-   <dependency> 
-      <groupId>org.apache.servicecomb</groupId> 
-      <artifactId>handler-publickey-auth</artifactId> 
-    </dependency>
-  ```
-
-* 在microservice.yaml中添加进处理链
-
-  ```
-  servicecomb:
-   ......
-   handler:
-    chain:
-     Consumer:
-      default: auth-consumer
-   ......
-  ```
-
-## Provider配置
-
-* 在pom.xml中增加依赖:
-
-  ```
-   <dependency> 
-      <groupId>org.apache.servicecomb</groupId> 
-      <artifactId>handler-publickey-auth</artifactId> 
-    </dependency>
-  ```
-
-* 在microservice.yaml中添加进处理链
-
-  ```
-  servicecomb:
-   ......
-   handler:
-    chain:
-     Provider:
-      default: auth-provider
-   ......
-  ```
-
-
-
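Review bot: Removing `shi-yong-rsa-ren-zheng.md` in favour of `rsa.md` changes the page's path, and nothing in this diff updates anything that points at the old file name. Before merging, check the documentation index and any cross-references for `shi-yong-rsa-ren-zheng.md` so the RSA authentication page does not end up unlinked.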
diff --git a/java-chassis-reference/en_US/security/tls.md b/java-chassis-reference/en_US/security/tls.md
old mode 100644
new mode 100755
index 0c4fa6d..22bfae6
--- a/java-chassis-reference/en_US/security/tls.md
+++ b/java-chassis-reference/en_US/security/tls.md
@@ -1,13 +1,13 @@
-## 场景描述
+## Scene Description
 
-用户通过简单的配置即可启用TLS通信,以保障数据的传输安全。
+Users can enable TLS communication through simple configuration to ensure data transmission security.
 
-## 外部服务通信配置
+## External Service Communication Configuration
 
-与外部服务通信相关的配置写在microservice.yaml文件中。
+The configuration related to external service communication is written in the microservice.yaml file.
 
-* 服务中心、配置中心TLS通信配置  
-  微服务与服务中心、配置中心的连接可以通过将http改为https启用TLS通信,配置示例如下:
+* Service Center, Configuration Center TLS communication configuration
+   The connection between the microservices and the service center and the configuration center can be enabled by changing http to https. The configuration example is as follows:
 
   ```yaml
   servicecomb:
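Review bot: In the added description under the first bullet, "The connection ... can be enabled by changing http to https" has lost its object; the removed line says that TLS communication is what gets enabled on that connection. Suggested wording: "TLS can be enabled on the connections from the microservice to the service center and the configuration center by changing http to https in their addresses." The mode change from 100644 to 100755 on this file also looks unintended.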
@@ -19,8 +19,8 @@
         serverUri: https://127.0.0.1:30103
   ```
 
-* 服务提供者启用TLS通信  
-  服务提供者在配置服务监听地址时,可以通过在地址后面追加`?sslEnabled=true`开启TLS通信,示例如下:
+* Service provider enables TLS communication
+   When the service provider configures the service listening address, it can open TLS communication by appending `?sslEnabled=true` to the address. The example is as follows:
 
   ```yaml
   servicecomb:
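Review bot: The added bullet title line no longer ends with the two trailing spaces the removed line had, and the continuation is now indented by three spaces instead of two, so the title and its description will render as one run-on paragraph; restore the hard line break and the original indent. In the description, "it can open TLS communication" should read "it can enable TLS communication".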
@@ -30,54 +30,56 @@
       address: 0.0.0.0:7070?sslEnabled=true
   ```
 
-## 证书配置
+## Certificate Configuration
 
-证书配置项写在microservice.yaml文件中,支持统一制定证书,也可以添加tag进行更细粒度的配置,有tag的配置会覆盖全局配置,配置格式如下:
+The certificate configuration item is written in the microservice.yaml file. It supports the unified development of certificates. It can also add tags for finer-grained configuration. The tag configuration overrides the global configuration. The configuration format is as follows:
 
 ```
 ssl.[tag].[property]
 ```
-常见的tag如下表:   
+The common tags are as follows:
 
-| 项目 | tag |
+| Project | tag |
 | :--- | :--- |
-| 服务中心 | sc.consumer |
-| 配置中心 | cc.consumer |
-| 看板中心 | mc.consumer |
-| Rest服务端 | rest.provider |
-| Highway服务端 | highway.provider |
-| Rest客户端 | rest.consumer|
-| Highway客户端 | highway.consumer|
-| auth客户端 | apiserver.consumer|
-一般不需要配置tag,正常情况分为三类:1、连接内部服务 2、作为服务端 3、作为客户端 所以如果这三类要求的证书不一致,那么需要使用tag来区分
-
-证书配置项见表1 证书配置项说明表。  
-**表1 证书配置项说明表**
-
-| 配置项 | 默认值 | 取值范围 | 是否必选 | 含义 | 注意 |
+| Service Center | sc.consumer |
+| Configuration Center | cc.consumer |
+| Kanban Center | mc.consumer |
+| Rest server | rest.provider |
+| Highway Server | highway.provider |
+| Rest client | rest.consumer|
+| Highway Client | highway.consumer|
+| auth client | apiserver.consumer|
+Generally, there is no need to configure tags. The normal situation is divided into three categories: 1. Connecting internal services 2. As a server 3. As a client, if the certificates required by these three types are inconsistent, then you need to use tags to distinguish
+
+The certificate configuration items are shown in Table 1. Certificate Configuration Item Description Table.
+**Table 1 Certificate Configuration Item Description Table**
+
+| Configuration Item | Default Value | Range of Value | Required | Meaning |
 | :--- | :--- | :--- | :--- | :--- | :--- |
-| ssl.engine| jdk | - | 否 | ssl协议,提供jdk/openssl选择 | 默认为jdk |
-| ssl.protocols | TLSv1.2 | - | 否 | 协议列表 | 使用逗号分隔 |
-| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | 否 | 算法列表 | 使用逗号分隔 |
-| ssl.authPeer | true | - | 否 | 是否认证对端 | - |
-| ssl.checkCN.host | true | - | 否 | 是否对证书的CN进行检查 | 该配置项只对Consumer端,并且使用http协议有效,即Consumser端使用rest通道有效。对于Provider端、highway通道等无效。检查CN的目的是防止服务器被钓鱼,参考标准定义:[https://tools.ietf.org/html/rfc2818。](https://tools.ietf.org/html/rfc2818。) |
-| ssl.trustStore | trust.jks | - | 否 | 信任证书文件 | - |
-| ssl.trustStoreType | JKS | - | 否 | 信任证书类型 | - |
-| ssl.trustStoreValue | - | - | 否 | 信任证书密码 | - |
-| ssl.keyStore | server.p12 | - | 否 | 身份证书文件 | - |
-| ssl.keyStoreType | PKCS12 | - | 否 | 身份证书类型 | - |
-| ssl.keyStoreValue | - | - | 否 | 身份证书密码 | - |
-| ssl.crl | revoke.crl | - | 否 | 吊销证书文件 | - |
-| ssl.sslCustomClass | - | org.apache.servicecomb.foundation.ssl.SSLCustom的实现类 | 否 | SSLCustom类的实现,用于开发者转换密码、文件路径等。 | - |
-
-> **说明**:
+Ssl.engine| jdk | - | No | ssl protocol, provide jdk/openssl options | default jdk |
+| ssl.protocols | TLSv1.2 | - | No | Protocol List | Separated by Comma |
+| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH \_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | No|
+List of laws | separated by commas |
+| ssl.authPeer | true | - | No | Whether to authenticate the peer | - |
+ssl.checkCN.host | true | - | No | Check whether the CN of the certificate is checked. This configuration item is valid only on the Consumer side and is valid using the http protocol. That is, the Consusser side uses the rest channel. Invalid for Provider, highway, etc. The purpose of checking CN is to prevent the server from being phishing, refer to >
+Standard definition: [https://tools.ietf.org/html/rfc2818. ](https://tools.ietf.org/html/rfc2818.) |
+| ssl.trustStore | trust.jks | - | No | Trust certificate file | - |
+| ssl.trustStoreType | JKS | - | No | Trust Certificate Type | - |
+| ssl.trustStoreValue | - | - | No | Trust Certificate Password | - |
+| ssl.keyStore | server.p12 | - | No | Identity Certificate File | - |
+| ssl.keyStoreType | PKCS12 | - | No | Identity Certificate Type | - |
+| ssl.keyStoreValue | - | - | No | Identity Certificate Password | - |
+| ssl.crl | revoke.crl | - | No | Revoked Certificate File | - |
+| ssl.sslCustomClass | - | org.apache.servicecomb.foundation.ssl.SSLCustom implementation class | No | SSLCustom class implementation for developers to convert passwords, file paths, etc. | - |
+
+> **Description**:
 >
-> * 默认的协议算法是高强度加密算法,JDK需要安装对应的策略文件,参考:[http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)。 您可以在配置文件配置使用非高强度算法。
-> * 微服务消费者,可以针对不同的提供者指定证书(当前证书是按照HOST签发的,不同的提供者都使用一份证书存储介质,这份介质同时给微服务访问服务中心和配置中心使用)。
+> * The default protocol algorithm is a high-intensity encryption algorithm. The JDK needs to install the corresponding policy file. Reference: [http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html]( Http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html). You can use a non-high-intensity algorithm in your profile configuration.
+> * Microservice consumers, can specify certificates for different providers (current certificates are issued according to HOST, different providers use a certificate storage medium, this medium is also used by the microservice access service center and configuration center ).
 
-## 示例代码
+## Sample Code
 
-microservice.yaml文件中启用TLS通信的配置示例如下:
+An example of a configuration for enabling TLS communication in the microservice.yaml file is as follows:
 ```yaml
 servicecomb:
   service:
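Review bot: The translated certificate table will not render, and it now misstates a cipher suite name. The header row has five cells ("Configuration Item" through "Meaning") while the separator and the data rows have six, so the "Note" column header needs to be restored. The `Ssl.engine|` and `ssl.checkCN.host` rows have lost their leading `|`, and the `ssl.ciphers` and `ssl.checkCN.host` rows are each split across two lines, with a stray `>` at the end of the first `ssl.checkCN.host` line; each row must stay on one line. Property keys must not be altered by translation: `Ssl.engine` should stay `ssl.engine`, and `TLS\_ECDHE\_RSA\_WITH \_AES\_128\_GCM\_SHA256` has gained a space that makes the suite name wrong for anyone who copies it. "List of laws" should be "Cipher suite list", "Consusser" should be "Consumer", and the `ssl.checkCN.host` text has merged the "Meaning" and "Note" cells into one. In the note below the table, the JCE link target `( Http://www.oracle.com/...)` has a leading space and a capital "H" and will not resolve. Also add a blank line between the last tag-table row (`apiserver.consumer`) and the "Generally, there is no need to configure tags" paragraph so that paragraph is not absorbed into the table.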
@@ -106,6 +108,3 @@ ssl.keyStoreValue: Changeme_123
 ssl.crl: revoke.crl
 ssl.sslCustomClass: org.apache.servicecomb.demo.DemoSSLCustom
 ```
-
-
-


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services