Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/05/27 12:29:35 UTC

[GitHub] [rocketmq] chris-joys opened a new pull request, #4387: [ISSUE #4067] fix: Add TLS configuration documents.

chris-joys opened a new pull request, #4387:
URL: https://github.com/apache/rocketmq/pull/4387

   **Make sure to set the target branch to `develop`**
   
   ## What is the purpose of the change
   
   Add TLS configuration documents.
   
   ## Brief changelog
   
   Add TLS configuration documents, including generating certification files and configuration on the RocketMQ server.
   
   ## Verifying this change
   
   By following the documents, users should be able to do TLS configuration on the rocket server and client.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@rocketmq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [rocketmq] duhenglucky merged pull request #4387: [ISSUE #4067] fix: Add TLS configuration documents.

Posted by GitBox <gi...@apache.org>.
duhenglucky merged PR #4387:
URL: https://github.com/apache/rocketmq/pull/4387




[GitHub] [rocketmq] codecov-commenter commented on pull request #4387: [ISSUE #4067] fix: Add TLS configuration documents.

Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #4387:
URL: https://github.com/apache/rocketmq/pull/4387#issuecomment-1139614491

   # [Codecov](https://codecov.io/gh/apache/rocketmq/pull/4387?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#4387](https://codecov.io/gh/apache/rocketmq/pull/4387?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (db6bb55) into [develop](https://codecov.io/gh/apache/rocketmq/commit/af011b1e2d4395a5619ba9ffd27769d4d5ecdd19?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (af011b1) will **decrease** coverage by `0.11%`.
   > The diff coverage is `n/a`.
   
   ```diff
   @@              Coverage Diff              @@
   ##             develop    #4387      +/-   ##
   =============================================
   - Coverage      48.20%   48.09%   -0.12%     
   + Complexity      5089     5073      -16     
   =============================================
     Files            642      642              
     Lines          42780    42780              
     Branches        5597     5597              
   =============================================
   - Hits           20622    20573      -49     
   - Misses         19652    19691      +39     
   - Partials        2506     2516      +10     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/rocketmq/pull/4387?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...org/apache/rocketmq/common/stats/StatsItemSet.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y29tbW9uL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jb21tb24vc3RhdHMvU3RhdHNJdGVtU2V0LmphdmE=) | `41.79% <0.00%> (-8.96%)` | :arrow_down: |
   | [...org/apache/rocketmq/store/ha/WaitNotifyObject.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3RvcmUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3N0b3JlL2hhL1dhaXROb3RpZnlPYmplY3QuamF2YQ==) | `66.07% <0.00%> (-7.15%)` | :arrow_down: |
   | [...apache/rocketmq/remoting/netty/ResponseFuture.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL25ldHR5L1Jlc3BvbnNlRnV0dXJlLmphdmE=) | `85.00% <0.00%> (-5.00%)` | :arrow_down: |
   | [...ketmq/common/protocol/body/ConsumerConnection.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y29tbW9uL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jb21tb24vcHJvdG9jb2wvYm9keS9Db25zdW1lckNvbm5lY3Rpb24uamF2YQ==) | `95.83% <0.00%> (-4.17%)` | :arrow_down: |
   | [...rocketmq/remoting/netty/NettyRemotingAbstract.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL25ldHR5L05ldHR5UmVtb3RpbmdBYnN0cmFjdC5qYXZh) | `47.08% <0.00%> (-4.02%)` | :arrow_down: |
   | [...ava/org/apache/rocketmq/filter/util/BitsArray.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZmlsdGVyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9maWx0ZXIvdXRpbC9CaXRzQXJyYXkuamF2YQ==) | `59.82% <0.00%> (-2.57%)` | :arrow_down: |
   | [...va/org/apache/rocketmq/logging/inner/Appender.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bG9nZ2luZy9zcmMvbWFpbi9qYXZhL29yZy9hcGFjaGUvcm9ja2V0bXEvbG9nZ2luZy9pbm5lci9BcHBlbmRlci5qYXZh) | `34.83% <0.00%> (-2.25%)` | :arrow_down: |
   | [...a/org/apache/rocketmq/store/StoreStatsService.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3RvcmUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3N0b3JlL1N0b3JlU3RhdHNTZXJ2aWNlLmphdmE=) | `35.85% <0.00%> (-1.13%)` | :arrow_down: |
   | [...che/rocketmq/namesrv/kvconfig/KVConfigManager.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bmFtZXNydi9zcmMvbWFpbi9qYXZhL29yZy9hcGFjaGUvcm9ja2V0bXEvbmFtZXNydi9rdmNvbmZpZy9LVkNvbmZpZ01hbmFnZXIuamF2YQ==) | `59.18% <0.00%> (-1.03%)` | :arrow_down: |
   | [...n/java/org/apache/rocketmq/store/ha/HAService.java](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3RvcmUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3N0b3JlL2hhL0hBU2VydmljZS5qYXZh) | `70.76% <0.00%> (-1.00%)` | :arrow_down: |
   | ... and [2 more](https://codecov.io/gh/apache/rocketmq/pull/4387/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
   
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   




[GitHub] [rocketmq] tsunghanjacktsai commented on a diff in pull request #4387: [ISSUE #4067] fix: Add TLS configuration documents.

Posted by GitBox <gi...@apache.org>.
tsunghanjacktsai commented on code in PR #4387:
URL: https://github.com/apache/rocketmq/pull/4387#discussion_r883715423


##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.
+
+## 1 Generate Certification Files
+User can generate certification files using OpenSSL. Suggested to gengerate files in Linux.
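
Review bot: The section 1 heading and its first sentence say "Certification Files" / "certification files", but what the OpenSSL steps produce are certificates and private keys, so "certificate files" is the accurate term. In the line above the heading, "This section introduce" should be "This section introduces".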

Review Comment:
   > Suggested to gengerate files in Linux.
   
   Correct the spelling mistakes in "gengerate".



##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.
+
+## 1 Generate Certification Files
+User can generate certification files using OpenSSL. Suggested to gengerate files in Linux.
+
+### 1.1 Generate ca.pem
+```shell
+openssl req -newkey rsa:2048 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.pem
+```
+### 1.2 Generate server.csr
+```shell
+openssl req -newkey rsa:2048 -keyout server_rsa.key  -out server.csr
+```
+### 1.3 Generate server.pem
+```shell
+openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out server.pem
+```
+### 1.4 Generate client.csr
+```shell
+openssl req -newkey rsa:2048 -keyout client_rsa.key -out client.csr
+```
+### 1.5 Generate client.pem
+```shell
+openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out client.pem
+```
+### 1.6 Generate server.key
+```shell
+openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in  server_rsa.key -out server.key
+```
+### 1.7 Generateclient.key
+```shell
+openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in client_rsa.key -out client.key
+```
+
+## 2 Create tls.properties
+Create tls.properties,correctly configure the path and password of the generated certificates.
+
+```properties
+# The flag to determine whether use test mode when initialize TLS context. default is true
+tls.test.mode.enable=false                     
+# Indicates how SSL engine respect to client authentication, default is none
+tls.server.need.client.auth=require   
+# The store path of server-side private key
+tls.server.keyPath=/opt/certFiles/server.key
+# The password of the server-side private key
+tls.server.keyPassword=123456
+# The store path of server-side X.509 certificate chain in PEM format
+tls.server.certPath=/opt/certFiles/server.pem
+# To determine whether verify the client endpoint's certificate strictly. default is false
+tls.server.authClient=false
+# The store path of trusted certificates for verifying the client endpoint's certificate
+tls.server.trustCertPath=/opt/certFiles/ca.pem
+```
+
+If you need to authenticate the client connection, you also need to add the following content to the file.
+
+```properties
+# The store path of client-side private key 
+tls.client.keyPath=/opt/certFiles/client.key
+# The password of the client-side private key
+tls.client.keyPassword=123456
+# The store path of client-side X.509 certificate chain in PEM format
+tls.client.certPath=/opt/certFiles/client.pem
+# To determine whether verify the server endpoint's certificate strictly
+tls.client.authServer=false                    
+# The store path of trusted certificates for verifying the server endpoint's certificate
+tls.client.trustCertPath=/opt/certFiles/ca.pem
+```
+
+
+## 3 Update Rocketmq JVM parameters
+
+Edit the configuration file under the rocketmq/bin path to make tls.properties configurations takes effect.
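
Review bot: The section 2 examples set `tls.server.authClient=false` and `tls.client.authServer=false`, which, going by the comments on those keys, leaves strict verification of the peer certificate off on both sides, even though `tls.server.need.client.auth=require` asks for a client certificate and `ca.pem` is configured as the trust path. Since the example also sets `tls.test.mode.enable=false` and is meant for real deployments, suggest using `true` for both keys, or stating explicitly that `false` gives an encrypted channel without authenticating the peer. The sentence introducing the second properties block ("If you need to authenticate the client connection") also reads as a server-side step, while every key that follows is `tls.client.*`; say that these are the settings the client side needs.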

Review Comment:
   > make tls.properties configurations takes effect.
   
   "takes" should be "take".



##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.

Review Comment:
   Please remove the blank space between "Rocket MQ".





[GitHub] [rocketmq] coveralls commented on pull request #4387: [ISSUE #4067] fix: Add TLS configuration documents.

Posted by GitBox <gi...@apache.org>.
coveralls commented on PR #4387:
URL: https://github.com/apache/rocketmq/pull/4387#issuecomment-1139628347

   
   [![Coverage Status](https://coveralls.io/builds/49516070/badge)](https://coveralls.io/builds/49516070)
   
   Coverage increased (+0.007%) to 52.251% when pulling **db6bb558bbc2cd51896b2b63300869a44d2c429d on chris-joys:dev-docs-tls0.1** into **af011b1e2d4395a5619ba9ffd27769d4d5ecdd19 on apache:develop**.
   




[GitHub] [rocketmq] chris-joys commented on a diff in pull request #4387: [ISSUE #4067] fix: Add TLS configuration documents.

Posted by GitBox <gi...@apache.org>.
chris-joys commented on code in PR #4387:
URL: https://github.com/apache/rocketmq/pull/4387#discussion_r884068362


##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.
+
+## 1 Generate Certification Files
+User can generate certification files using OpenSSL. Suggested to gengerate files in Linux.

Review Comment:
   Updated.
   Thanks.



##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.
+
+## 1 Generate Certification Files
+User can generate certification files using OpenSSL. Suggested to gengerate files in Linux.
+
+### 1.1 Generate ca.pem
+```shell
+openssl req -newkey rsa:2048 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.pem
+```
+### 1.2 Generate server.csr
+```shell
+openssl req -newkey rsa:2048 -keyout server_rsa.key  -out server.csr
+```
+### 1.3 Generate server.pem
+```shell
+openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out server.pem
+```
+### 1.4 Generate client.csr
+```shell
+openssl req -newkey rsa:2048 -keyout client_rsa.key -out client.csr
+```
+### 1.5 Generate client.pem
+```shell
+openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out client.pem
+```
+### 1.6 Generate server.key
+```shell
+openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in  server_rsa.key -out server.key
+```
+### 1.7 Generateclient.key
+```shell
+openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in client_rsa.key -out client.key
+```
+
+## 2 Create tls.properties
+Create tls.properties,correctly configure the path and password of the generated certificates.
+
+```properties
+# The flag to determine whether use test mode when initialize TLS context. default is true
+tls.test.mode.enable=false                     
+# Indicates how SSL engine respect to client authentication, default is none
+tls.server.need.client.auth=require   
+# The store path of server-side private key
+tls.server.keyPath=/opt/certFiles/server.key
+# The password of the server-side private key
+tls.server.keyPassword=123456
+# The store path of server-side X.509 certificate chain in PEM format
+tls.server.certPath=/opt/certFiles/server.pem
+# To determine whether verify the client endpoint's certificate strictly. default is false
+tls.server.authClient=false
+# The store path of trusted certificates for verifying the client endpoint's certificate
+tls.server.trustCertPath=/opt/certFiles/ca.pem
+```
+
+If you need to authenticate the client connection, you also need to add the following content to the file.
+
+```properties
+# The store path of client-side private key 
+tls.client.keyPath=/opt/certFiles/client.key
+# The password of the client-side private key
+tls.client.keyPassword=123456
+# The store path of client-side X.509 certificate chain in PEM format
+tls.client.certPath=/opt/certFiles/client.pem
+# To determine whether verify the server endpoint's certificate strictly
+tls.client.authServer=false                    
+# The store path of trusted certificates for verifying the server endpoint's certificate
+tls.client.trustCertPath=/opt/certFiles/ca.pem
+```
+
+
+## 3 Update Rocketmq JVM parameters
+
+Edit the configuration file under the rocketmq/bin path to make tls.properties configurations takes effect.
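
Review bot: Steps 1.6 and 1.7 encrypt the private keys with `-v1 PBE-SHA1-RC4-128`, a legacy password-based encryption scheme built on SHA-1 and RC4; the document should either explain why this scheme is required (for example, a limitation of the key loader) or use a stronger scheme if the server accepts it. In section 2, `tls.server.keyPassword=123456` and `tls.client.keyPassword=123456` are likely to be copied verbatim, so a placeholder value and a sentence on restricting read access to tls.properties, which holds the key password in clear text, would be safer. The heading `### 1.7 Generateclient.key` is also missing a space.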

Review Comment:
   Updated.
   Thanks.





[GitHub] [rocketmq] chris-joys commented on a diff in pull request #4387: [ISSUE #4067] fix: Add TLS configuration documents.

Posted by GitBox <gi...@apache.org>.
chris-joys commented on code in PR #4387:
URL: https://github.com/apache/rocketmq/pull/4387#discussion_r884068336


##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.

Review Comment:
   Updated.
   Thanks.


