Posted to commits@servicecomb.apache.org by ni...@apache.org on 2017/12/25 01:09:12 UTC

[incubator-servicecomb-website] branch master updated: SCB-115 document translation for website (#8)

This is an automated email from the ASF dual-hosted git repository.

ningjiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-servicecomb-website.git


The following commit(s) were added to refs/heads/master by this push:
     new ba75cef  SCB-115 document translation for website (#8)
ba75cef is described below

commit ba75cefb63a0b234c3b834f2619e52ba3b0818e0
Author: sunius <su...@hotmail.com>
AuthorDate: Mon Dec 25 09:09:10 2017 +0800

    SCB-115 document translation for website (#8)
---
 _users/use-tls.md | 136 +++++++++++++++++++++++++++---------------------------
 1 file changed, 68 insertions(+), 68 deletions(-)

diff --git a/_users/use-tls.md b/_users/use-tls.md
index 5d5857b..a64612e 100644
--- a/_users/use-tls.md
+++ b/_users/use-tls.md
@@ -1,24 +1,24 @@
 ---
-title: "使用TLS通信"
+title: "Using TLS for Communication"
 lang: en
 ref: use-tls
 permalink: /users/use-tls/
-excerpt: "使用TLS通信"
+excerpt: "Using TLS for Communication"
 last_modified_at: 2017-08-15T15:01:43-04:00
 redirect_from:
   - /theme-setup/
 ---
 
-## 场景描述
+## Scenario
 
-用户通过简单的配置即可启用TLS通信,以保障数据的传输安全。
+Users can use simple configurations to enable TLS communication to ensure data transmission security.
 
-## 外部服务通信配置
+## External Service Communication Configuration
 
-与外部服务通信相关的配置写在microservice.yaml文件中。
+The configuration related to external service  communication is set in the microservice.yaml file.
 
-* 服务中心TLS通信配置
-   微服务与服务中心的连接可以通过将http改为https启用TLS通信,配置示例如下:
+* TLS communication configuration of the service center and configuration center
+   The connection between the microservice and the service and configuration centers can be changed from HTTP to HTTPS, enabling TLS communication. The configuration example is as below:
 
    ```yaml
    cse:
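Review bot: the `+` heading `* TLS communication configuration of the service center and configuration center` and the sentence under it broaden the Chinese source, which mentions only the service center (`服务中心TLS通信配置` / `微服务与服务中心的连接`); as translated, the text now claims the configuration-center connection is switched to HTTPS the same way, which neither the source nor the YAML example (a single `address: https://127.0.0.1:30100`) shows. Either keep the heading and sentence to the service center, or extend the example with the configuration-center address. Minor: double space in `external service  communication` on the `+` line above it.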
@@ -27,8 +27,8 @@ redirect_from:
          address: https://127.0.0.1:30100
    ```
 
-* 服务提供者启用TLS通信
-   服务提供者在配置服务监听地址时,可以通过在地址后面追加`?sslEnabled=true`开启TLS通信,示例如下:
+* TLS communication enabled by the service provider
+   When configuring the service listening address, the service provider can add`?sslEnabled=true` to the end of the address to enable TLS communication. For example:
 
    ```yaml
    cse:
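Review bot: missing space before the inline code on the `+` line `the service provider can add`?sslEnabled=true` to the end of the address`; suggest `the service provider can append `?sslEnabled=true` to the listening address`. It would also help readers to state here that `sslEnabled=true` only turns on TLS for that listener and the certificate, key store and trust store still come from the `ssl.*` items documented in the next section, so the query parameter is not sufficient on its own.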
@@ -38,83 +38,83 @@ redirect_from:
        address: 0.0.0.0:7070?sslEnabled=true
    ```
 
-## 证书配置
+## Configure a Certificate
 
-证书配置项写在microservice.yaml文件中,支持统一制定证书,也可以添加tag进行更细粒度的配置,有tag的配置会覆盖全局配置,配置格式如下:
+The certificate configuration items are set in the microservice.yaml file. You can customize certificates in a unified manner or add tags for configuration in a small granularity. The tag configuration overwrites the global configuration, and the configuration format is as follows:
 
 ```yaml
 ssl.[tag].[property]
 ```
 
-证书配置项见下表证书配置项说明表。
-
-**表1 证书配置项说明表**
-
-| 配置项 | 默认值 | 取值范围 | 是否必选 | 含义 | 注意 |
-| :--- | :--- | :--- | :--- | :--- | :--- |
-| ssl.protocols | TLSv1.2 | - | 否 | 协议列表 | 使用逗号分隔 |
-| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | 否 | 算法列表 | 使用逗号分隔 |
-| ssl.authPeer | true | - | 否 | 是否认证对端 | - |
-| ssl.checkCN.host | true | - | 否 | 是否对证书的CN进行检查 | 该配置项只对Consumer端,并且使用http协议有效,即Consumer端使用rest通道有效。对于Provider端、highway通道等无效。检查CN的目的是防止服务器被钓鱼,参考标准定义:[https://tools.ietf.org/html/rfc2818。](https://tools.ietf.org/html/rfc2818。) |
-| ssl.trustStore | trust.jks | - | 否 | 信任证书文件 | - |
-| ssl.trustStoreType | JKS | - | 否 | 信任证书类型 | - |
-| ssl.trustStoreValue | - | - | 否 | 信任证书密码 | - |
-| ssl.keyStore | server.p12 | - | 否 | 身份证书文件 | - |
-| ssl.keyStoreType | PKCS12 | - | 否 | 身份证书类型 | - |
-| ssl.keyStoreValue | - | - | 否 | 身份证书密码 | - |
-| ssl.crl | revoke.crl | - | 否 | 吊销证书文件 | - |
-| ssl.sslCustomClass | - | io.servicecomb.foundation.ssl.SSLCustom的实现类 | 否 | SSLCustom类的实现,用于开发者转换密码、文件路径等。 | - |
-
-> **说明**:
+For details about the certificate configuration items, see Table 1.
+
+**Table 1 Certificate configuration items**
+
+| Configuration Item  | Default Value                            | Value Range                              | Mandatory | Description                              | Remarks                                  |
+| :------------------ | :--------------------------------------- | :--------------------------------------- | :-------- | :--------------------------------------- | :--------------------------------------- |
+| ssl.protocols       | TLSv1.2                                  | -                                        | No        | Specifies the protocol list.             | Use commas (,) to separate protocols.    |
+| ssl.ciphers         | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | -                                        | No        | Specifies the algorithm list             | Use commas (,) to separate protocols.    |
+| ssl.authPeer        | true                                     | -                                        | No        | Specifies whether auhentication is required for the peer end. | -                                        |
+| ssl.checkCN.host    | true                                     | -                                        | No        | Whether the CN of the certificate is checked | This configuration item is available and valid only for consumers using the HTTP protocol (the rest channel). This parameter is invalid for providers and highway channels. The purpose of checking CN is to protect the server from phishing attacks. For details, see the following standard:[https://tools.ietf.org/html/rfc2818 [...]
+| ssl.trustStore      | trust.jks                                | -                                        | No        | Specifies the trust certificate file.    | -                                        |
+| ssl.trustStoreType  | JKS                                      | -                                        | No        | Specifies the type of trust certificate  | -                                        |
+| ssl.trustStoreValue | -                                        | -                                        | No        | Specifies the password of the  trust certificate file. | -                                        |
+| ssl.keyStore        | server.p12                               | -                                        | No        | Specifies the identity certificate file. | -                                        |
+| ssl.keyStoreType    | PKCS12                                   | -                                        | No        | Specifies the type of identity certificate. | -                                        |
+| ssl.keyStoreValue   | -                                        | -                                        | No        | Specifies the password of identity certificate. | -                                        |
+| ssl.crl             | revoke.crl                               | -                                        | No        | Specifies the certificate revocation list(CRL) file. | -                                        |
+| ssl.sslCustomClass  | -                                        | io.servicecomb.foundation.ssl.SSLCustom implementation | No        | Specifies implementation of the SSLCustom class, which is used by developers to convert passwords and file paths. | -                                        |
+
+> **NOTE:**
 >
-> * 默认的协议算法是高强度加密算法,JDK需要安装对应的策略文件,参考:[http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)。 您可以在配置文件配置使用非高强度算法。
-> * 微服务消费者,可以针对不同的提供者指定证书(当前证书是按照HOST签发的,不同的提供者都使用一份证书存储介质,这份介质同时给微服务访问服务中心和配置中心使用)。
+> * The default protocol algorithm is high-strength algorithm. The JDK needs to be installed together withe the corresponding policy file. For details, visit [http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html). You can configure a non-high-strength algorithm in the configuration file.
+> * The microservice consumers can specify certificates for different providers. (The current certificate is issued by HOST. Different providers use a certificate storage medium, which is used by the service center and configuration center).
 
-## 服务中心的证书配置
+## Certificate Configuration in the Service Center
 
-目前支持使用环境变量来配置服务中心的TLS认证方式,默认开启TLS通信,双向认证模式,认证对端时同时校验对端是否匹配证书(CommonName)字段。服务管理中心的证书配置项说明见下表服务中心TLS证书配置项说明。
+Currently, the TLS authentication mode of the service center can be configured using environment variables. By default, TLS communication and bidirectional authentication are enables. During peer end authentication, whether the peer end matches the CommonName field of the certificate is checked. For details about the certificate configuration items in the service center, see table 2.
 
-**表2 服务中心TLS证书配置项说明**
+**Table 2 Configuration file of the service center**
 
-| 配置项 | 默认值 | 取值范围 | 是否必选 | 含义 | 注意 |
-| :--- | :--- | :--- | :--- | :--- | :--- |
-| CSE\_SSL\_MODE | 1 | 1/0<br/>0:HTTPS<br/>1:HTTP | 否 | 设置协议模式 | - |
-| CSE\_SSL\_VERIFY\_CLIENT | 1 | 1/0<br/>0:HTTPS<br/>1:HTTP | 否 | 设置HTTPS模式下是否认证对端 | - |
-| CSE\_SSL\_PASSPHASE | - | - | 否 | 设置HTTPS模式下的证书密钥访问密码 | - |
+| Configuration Item       | Default Value | Value Range                | Mandatory | Description                              | Remarks |
+| :----------------------- | :------------ | :------------------------- | :-------- | :--------------------------------------- | :------ |
+| CSE\_SSL\_MODE           | 1             | 1/0<br/>0:HTTPS<br/>1:HTTP | No        | Set the protocol mode.                   | -       |
+| CSE\_SSL\_VERIFY\_CLIENT | 1             | 1/0<br/>0:HTTPS<br/>1:HTTP | No        | Set whether the peer end is authenticated in HTTPS mode | -       |
+| CSE\_SSL\_PASSPHASE      | -             | -                          | No        | Set the password for the certificate key in HTTPS mode | -       |
 
-服务管理中心配置文件为$APP\_ROOT/conf/app.conf,配置项见,该配置暂不支持环境变量方式设置。
+The configuration file of the service center is$APP\_ROOT/conf/app.conf. For details about the configuration item, see table 3. This configuration does not support the settings of environment variables.
 
-表3 服务中心配置文件
+Table 3 Configuration file of the service center
 
-| 配置项 | 默认值 | 取值范围 | 是否必选 | 含义 | 注意 |
-| :--- | :--- | :--- | :--- | :--- | :--- |
-| ssl\_protocols | TLSv1.2 | - | 否 | 通信使用的SSL版本 | - |
-| ssl\_ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA | - | 否 | 配置使用算法列表 | 由于服务中心支持HTTP/2协议,所以ssl\_ciphers必须配置有TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256算法。TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256、TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA被列为HTTP/2协议的不安全算法黑名单,但为了客户端算法兼容性,存在时必须配置到最后一位。 |
+| Configuration Items | Default Value                            | Value Range | Mandatory | Description                              | Remarks                                  |
+| :------------------ | :--------------------------------------- | :---------- | :-------- | :--------------------------------------- | :--------------------------------------- |
+| ssl\_protocols      | TLSv1.2                                  | -           | No        | Specifies the SSL version used for communication. | -                                        |
+| ssl\_ciphers        | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA | -           | No        | Specifies the algorithms list used to configuration | ssl_cipher must be configured with the TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 algorithm, because th eservice center supports the HTTP/2 protocal. TLS\_RSA\_WIT [...]
 
-## 密钥物料及证书存放路径
+## Path for Storing Key Materials and Certificates
 
-**表4 密钥物料及证书存放路径**
+**Table 4 Path for storing key materials and certificate**
 
-| 配置项 | 含义 | 对应环境变量 | 注意 |
-| :--- | :--- | :--- | :--- |
-| / | - | - | - |
-| /opt | - | - | - |
-| /opt/CSE | - | INSTALL\_ROOT | - |
-| /opt/CSE/etc | - | - | - |
-| /opt/CSE/etc/cipher | 密钥物料存放目录 | CIPHER\_ROOT | - |
-| /opt/CSE/etc/ssl | 证书存放目录 | SSL\_ROOT | - |
-| /opt/CSE/etc/ssl/trust.cer | 授信CA | - | - |
-| /opt/CSE/etc/ssl/server\_key.pem | 已加密服务端私钥文件 | - | - |
-| /opt/CSE/etc/ssl/server.cer | 服务器证书 | - | - |
-| /opt/CSE/etc/ssl/cert\_pwd | 用于存放解密私钥的对称加密密文文件 | - | - |
-| /opt/CSE/apps | - | - | - |
-| /opt/CSE/apps/ServiceCenter | - | APP\_ROOT | - |
-| /opt/CSE/apps/ServiceCenter/conf | 服务管理中心配置文件目录 | - | - |
-| /opt/CSE/apps/ServiceCenter/conf/app.conf | 应用配置文件 | - | - |
+| Configuration Items                      | Description                              | Environment Variable | Remarks |
+| :--------------------------------------- | :--------------------------------------- | :------------------- | :------ |
+| /                                        | -                                        | -                    | -       |
+| /opt                                     | -                                        | -                    | -       |
+| /opt/CSE                                 | -                                        | INSTALL\_ROOT        | -       |
+| /opt/CSE/etc                             | -                                        | -                    | -       |
+| /opt/CSE/etc/cipher                      | Specifies the directory for storing key materials | CIPHER\_ROOT         | -       |
+| /opt/CSE/etc/ssl                         | Specifies the directory for storing certificates. | SSL\_ROOT            | -       |
+| /opt/CSE/etc/ssl/trust.cer               | Specifies the trusted CA.                | -                    | -       |
+| /opt/CSE/etc/ssl/server\_key.pem         | Specifies the private key file on the encrypted server. | -                    | -       |
+| /opt/CSE/etc/ssl/server.cer              | Specifies the server certificate.        | -                    | -       |
+| /opt/CSE/etc/ssl/cert\_pwd               | Specifies the symmetric ciphertext file used  to store the decrypted private key. | -                    | -       |
+| /opt/CSE/apps                            | -                                        | -                    | -       |
+| /opt/CSE/apps/ServiceCenter              | -                                        | APP\_ROOT            | -       |
+| /opt/CSE/apps/ServiceCenter/conf         | Specifies the configuration file directory of the service center. | -                    | -       |
+| /opt/CSE/apps/ServiceCenter/conf/app.conf | Specifies the application configuration file. | -                    | -       |
 
-## 示例代码
+## Sample Code
 
-microservice.yaml文件中启用TLS通信的配置示例如下:
+The configuration example of enabling the TLS communication in the microservicce.yaml file is as follows:
 ```yaml
 cse:
   service:
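Review bot: two descriptions in the translated Table 4 invert the security meaning of the source and should be fixed before merge. `/opt/CSE/etc/ssl/server\_key.pem` is rendered as `Specifies the private key file on the encrypted server.`, but `已加密服务端私钥文件` means the encrypted server private key file; and `/opt/CSE/etc/ssl/cert\_pwd` is rendered as `the symmetric ciphertext file used  to store the decrypted private key`, while `用于存放解密私钥的对称加密密文文件` means the symmetrically encrypted ciphertext file that stores the password used to decrypt that private key (the file holds a protected passphrase, not a plaintext key). The NOTE bullet `The current certificate is issued by HOST. Different providers use a certificate storage medium, which is used by the service center and configuration center` likewise drifts from `当前证书是按照HOST签发的 ... 这份介质同时给微服务访问服务中心和配置中心使用`: certificates are issued per host, and the single key store is also what the microservice uses when it accesses the service center and configuration center. In Table 2 the Value Range `1/0<br/>0:HTTPS<br/>1:HTTP` is given for both `CSE\_SSL\_MODE` and `CSE\_SSL\_VERIFY\_CLIENT` while the paragraph above says TLS and bidirectional authentication are enabled by default with both defaults at `1`; the inconsistency is carried over from the source table, so it needs a follow-up with the service-center maintainers rather than a translation change. Smaller items: the `ssl.ciphers` remark says `to separate protocols` (should be ciphers); typos `auhentication`, `withe`, `are enables`, `th eservice`, `protocal`, `microservicce.yaml`, and `ssl_cipher` (the item is `ssl\_ciphers`); `is$APP\_ROOT/conf/app.conf` needs a space; `configuration in a small granularity` reads better as `finer-grained configuration`; `Table 2 Configuration file of the service center` duplicates the Table 3 caption and should follow `表2 服务中心TLS证书配置项说明`, e.g. `Table 2 TLS certificate configuration items of the service center`; and the `Table 3` caption lost the bold used by the other table captions.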
