Posted to notifications@skywalking.apache.org by GitBox <gi...@apache.org> on 2020/03/09 15:42:44 UTC

[GitHub] [skywalking] wu-sheng commented on a change in pull request #4470: Enable OAP gRPC SSL transportation

wu-sheng commented on a change in pull request #4470: Enable OAP gRPC SSL transportation
URL: https://github.com/apache/skywalking/pull/4470#discussion_r389776661
 
 

 ##########
 File path: docs/en/setup/backend/grpc-ssl.md
 ##########
 @@ -0,0 +1,32 @@
+# Support gRPC SSL transportation for OAP server
+
+For OAP communication we are currently using gRPC, a multi-platform RPC framework that uses protocol buffers for
+message serialization. The nice part about gRPC is that it promotes the use of SSL/TLS to authenticate and encrypt
+exchanges. Now OAP supports to enable SSL transportation for gRPC receivers.
+
+You can follow below steps to enable this feature
+
+## Creating SSL/TLS Certificates
+
+It seems like step one is to generate certificates and key files for encrypting communication. I thought this would be
+fairly straightforward using `openssl` from the command line, However, it may be simpler to use
+[certstrap](https://github.com/square/certstrap), a simple certificate manager written in Go by the folks at Square.
+The app avoids dealing with `openssl`, but has a very simple workflow: create a certificate authority, sign certificates
+with it.
+
+After signing the certificates of OAP server, we should convert private key to a PKCS8 format before placing it into the host.
+
+```
+$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in server.key -out server-key.pem
+```
+
+## Config OAP server 
+
+You can enable gRPC SSL by add following lines to `application.yml/core/default`.
+```json
+gRPCSslEnabled: true
+gRPCSslKeyPath: /path/to/server-key.pem
+gRPCSslCertChainPath: /path/to/server.crt
+```
+
+If you port to java agent, refer to [TLS.md](../service-agent/java-agent/TLS.md) to config java agent to enable TLS.
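
Review bot: The configuration block under "Config OAP server" is fenced as `json`, but its three `gRPCSsl*` lines are YAML for `application.yml`, so the fence should be tagged `yaml`. In the certificate section, the `openssl pkcs8` command uses `-nocrypt`, which writes `server-key.pem` without a passphrase; the doc should say that this file must be readable only by the account running the OAP server. The same section reads as personal notes ("It seems like step one", "I thought this would be") and would be clearer reworded as direct instructions, with the certstrap steps spelled out instead of only named.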
 
 Review comment:
   This linked file should be updated too, to keep it consistent.
