Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/05/27 15:26:24 UTC

[GitHub] [rocketmq] tsunghanjacktsai commented on a diff in pull request #4387: [ISSUE #4067] fix: Add TLS configuration documents.

tsunghanjacktsai commented on code in PR #4387:
URL: https://github.com/apache/rocketmq/pull/4387#discussion_r883715423


##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.
+
+## 1 Generate Certification Files
+User can generate certification files using OpenSSL. Suggested to gengerate files in Linux.
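Review bot: Grammar and terminology in the opening lines: "This section introduce" should read "This section introduces", "User can generate" should be "Users can generate", and the heading "Generate Certification Files" should be "Generate Certificate Files", since section 1 produces certificates and keys, not certifications.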

Review Comment:
   > Suggested to gengerate files in Linux.
   
   Correct the spelling mistake in "gengerate".



##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.
+
+## 1 Generate Certification Files
+User can generate certification files using OpenSSL. Suggested to gengerate files in Linux.
+
+### 1.1 Generate ca.pem
+```shell
+openssl req -newkey rsa:2048 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.pem
+```
+### 1.2 Generate server.csr
+```shell
+openssl req -newkey rsa:2048 -keyout server_rsa.key  -out server.csr
+```
+### 1.3 Generate server.pem
+```shell
+openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out server.pem
+```
+### 1.4 Generate client.csr
+```shell
+openssl req -newkey rsa:2048 -keyout client_rsa.key -out client.csr
+```
+### 1.5 Generate client.pem
+```shell
+openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out client.pem
+```
+### 1.6 Generate server.key
+```shell
+openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in  server_rsa.key -out server.key
+```
+### 1.7 Generateclient.key
+```shell
+openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in client_rsa.key -out client.key
+```
+
+## 2 Create tls.properties
+Create tls.properties,correctly configure the path and password of the generated certificates.
+
+```properties
+# The flag to determine whether use test mode when initialize TLS context. default is true
+tls.test.mode.enable=false                     
+# Indicates how SSL engine respect to client authentication, default is none
+tls.server.need.client.auth=require   
+# The store path of server-side private key
+tls.server.keyPath=/opt/certFiles/server.key
+# The password of the server-side private key
+tls.server.keyPassword=123456
+# The store path of server-side X.509 certificate chain in PEM format
+tls.server.certPath=/opt/certFiles/server.pem
+# To determine whether verify the client endpoint's certificate strictly. default is false
+tls.server.authClient=false
+# The store path of trusted certificates for verifying the client endpoint's certificate
+tls.server.trustCertPath=/opt/certFiles/ca.pem
+```
+
+If you need to authenticate the client connection, you also need to add the following content to the file.
+
+```properties
+# The store path of client-side private key 
+tls.client.keyPath=/opt/certFiles/client.key
+# The password of the client-side private key
+tls.client.keyPassword=123456
+# The store path of client-side X.509 certificate chain in PEM format
+tls.client.certPath=/opt/certFiles/client.pem
+# To determine whether verify the server endpoint's certificate strictly
+tls.client.authServer=false                    
+# The store path of trusted certificates for verifying the server endpoint's certificate
+tls.client.trustCertPath=/opt/certFiles/ca.pem
+```
+
+
+## 3 Update Rocketmq JVM parameters
+
+Edit the configuration file under the rocketmq/bin path to make tls.properties configurations takes effect.
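Review bot: Steps 1.6 and 1.7 encrypt the private keys with `-v1 PBE-SHA1-RC4-128`, a legacy RC4-based password-based encryption scheme; since readers will copy these commands verbatim, prefer a PKCS#5 v2 scheme such as `openssl pkcs8 -topk8 -v2 aes-256-cbc -in server_rsa.key -out server.key` (and the same for client_rsa.key). The sample `tls.properties` also needs a caveat: `tls.server.need.client.auth=require` combined with `tls.server.authClient=false` asks every client for a certificate but, per the comment on that key, does not verify it strictly, and `tls.client.authServer=false` leaves the client without strict verification of the broker's certificate, so the text should say that both flags belong at `true` outside of testing and that `123456` is a placeholder password to be replaced. Minor: "Generateclient.key" in 1.7 is missing a space, and "Create tls.properties,correctly configure" needs a space after the comma.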

Review Comment:
   > make tls.properties configurations takes effect.
   
   "takes" should be "take".



##########
docs/en/Configuration_TLS.md:
##########
@@ -0,0 +1,123 @@
+# TLS Configuration
+This section introduce TLS configuration in Rocket MQ.

Review Comment:
   Please remove the blank space between "Rocket MQ".


