Posted to commits@servicecomb.apache.org by ni...@apache.org on 2018/08/28 10:32:46 UTC

[incubator-servicecomb-docs] branch master updated (1ed6c8b -> ef2340c)

This is an automated email from the ASF dual-hosted git repository.

ningjiang pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-servicecomb-docs.git.


    from 1ed6c8b  update java-chassis-reference/en_US/SUMMARY.md
     new bd87f24  update java-chassis-reference/en_US/security/rsa.md
     new ef2340c  update java-chassis-reference/en_US/security/tls.md

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java-chassis-reference/en_US/security/rsa.md       | 54 ++++++++++++
 .../en_US/security/shi-yong-rsa-ren-zheng.md       | 54 ------------
 java-chassis-reference/en_US/security/tls.md       | 95 +++++++++++-----------
 3 files changed, 101 insertions(+), 102 deletions(-)
 create mode 100755 java-chassis-reference/en_US/security/rsa.md
 delete mode 100644 java-chassis-reference/en_US/security/shi-yong-rsa-ren-zheng.md
 mode change 100644 => 100755 java-chassis-reference/en_US/security/tls.md


[incubator-servicecomb-docs] 02/02: update java-chassis-reference/en_US/security/tls.md

Posted by ni...@apache.org.

ningjiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-servicecomb-docs.git

commit ef2340c8a465b99f46910f6789c199af322c0bea
Author: DeanLee <li...@huawei.com>
AuthorDate: Tue Aug 28 11:38:58 2018 +0800

    update java-chassis-reference/en_US/security/tls.md
---
 java-chassis-reference/en_US/security/tls.md | 95 ++++++++++++++--------------
 1 file changed, 47 insertions(+), 48 deletions(-)

diff --git a/java-chassis-reference/en_US/security/tls.md b/java-chassis-reference/en_US/security/tls.md
old mode 100644
new mode 100755
index 0c4fa6d..22bfae6
--- a/java-chassis-reference/en_US/security/tls.md
+++ b/java-chassis-reference/en_US/security/tls.md
@@ -1,13 +1,13 @@
-## 场景描述
+## Scene Description
 
-用户通过简单的配置即可启用TLS通信,以保障数据的传输安全。
+Users can enable TLS communication through simple configuration to ensure data transmission security.
 
-## 外部服务通信配置
+## External Service Communication Configuration
 
-与外部服务通信相关的配置写在microservice.yaml文件中。
+The configuration related to external service communication is written in the microservice.yaml file.
 
-* 服务中心、配置中心TLS通信配置  
-  微服务与服务中心、配置中心的连接可以通过将http改为https启用TLS通信,配置示例如下:
+* Service Center, Configuration Center TLS communication configuration
+   The connection between the microservices and the service center and the configuration center can be enabled by changing http to https. The configuration example is as follows:
 
   ```yaml
   servicecomb:
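Review bot: The added bullet `+* Service Center, Configuration Center TLS communication configuration` drops the two trailing spaces that the removed line ended with, so the Markdown hard break is gone and the bullet title runs into its description as one paragraph; restore the trailing spaces or move the description into its own indented paragraph. The description also lost its object: "The connection ... can be enabled by changing http to https" should say that TLS communication is enabled for the connection, as the removed text (启用TLS通信) did. "Scene Description" would read better as "Scenario".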
@@ -19,8 +19,8 @@
         serverUri: https://127.0.0.1:30103
   ```
 
-* 服务提供者启用TLS通信  
-  服务提供者在配置服务监听地址时,可以通过在地址后面追加`?sslEnabled=true`开启TLS通信,示例如下:
+* Service provider enables TLS communication
+   When the service provider configures the service listening address, it can open TLS communication by appending `?sslEnabled=true` to the address. The example is as follows:
 
   ```yaml
   servicecomb:
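Review bot: The same hard break is dropped on `+* Service provider enables TLS communication`: the removed line ended in two spaces and the added one does not, so the title and body merge when rendered. In the body, "it can open TLS communication" should be "it can enable TLS communication", matching the `sslEnabled` flag it describes.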
@@ -30,54 +30,56 @@
       address: 0.0.0.0:7070?sslEnabled=true
   ```
 
-## 证书配置
+## Certificate Configuration
 
-证书配置项写在microservice.yaml文件中,支持统一制定证书,也可以添加tag进行更细粒度的配置,有tag的配置会覆盖全局配置,配置格式如下:
+The certificate configuration item is written in the microservice.yaml file. It supports the unified development of certificates. It can also add tags for finer-grained configuration. The tag configuration overrides the global configuration. The configuration format is as follows:
 
 ```
 ssl.[tag].[property]
 ```
-常见的tag如下表:   
+The common tags are as follows:
 
-| 项目 | tag |
+| Project | tag |
 | :--- | :--- |
-| 服务中心 | sc.consumer |
-| 配置中心 | cc.consumer |
-| 看板中心 | mc.consumer |
-| Rest服务端 | rest.provider |
-| Highway服务端 | highway.provider |
-| Rest客户端 | rest.consumer|
-| Highway客户端 | highway.consumer|
-| auth客户端 | apiserver.consumer|
-一般不需要配置tag,正常情况分为三类:1、连接内部服务 2、作为服务端 3、作为客户端 所以如果这三类要求的证书不一致,那么需要使用tag来区分
-
-证书配置项见表1 证书配置项说明表。  
-**表1 证书配置项说明表**
-
-| 配置项 | 默认值 | 取值范围 | 是否必选 | 含义 | 注意 |
+| Service Center | sc.consumer |
+| Configuration Center | cc.consumer |
+| Kanban Center | mc.consumer |
+| Rest server | rest.provider |
+| Highway Server | highway.provider |
+| Rest client | rest.consumer|
+| Highway Client | highway.consumer|
+| auth client | apiserver.consumer|
+Generally, there is no need to configure tags. The normal situation is divided into three categories: 1. Connecting internal services 2. As a server 3. As a client, if the certificates required by these three types are inconsistent, then you need to use tags to distinguish
+
+The certificate configuration items are shown in Table 1. Certificate Configuration Item Description Table.
+**Table 1 Certificate Configuration Item Description Table**
+
+| Configuration Item | Default Value | Range of Value | Required | Meaning |
 | :--- | :--- | :--- | :--- | :--- | :--- |
-| ssl.engine| jdk | - | 否 | ssl协议,提供jdk/openssl选择 | 默认为jdk |
-| ssl.protocols | TLSv1.2 | - | 否 | 协议列表 | 使用逗号分隔 |
-| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | 否 | 算法列表 | 使用逗号分隔 |
-| ssl.authPeer | true | - | 否 | 是否认证对端 | - |
-| ssl.checkCN.host | true | - | 否 | 是否对证书的CN进行检查 | 该配置项只对Consumer端,并且使用http协议有效,即Consumser端使用rest通道有效。对于Provider端、highway通道等无效。检查CN的目的是防止服务器被钓鱼,参考标准定义:[https://tools.ietf.org/html/rfc2818。](https://tools.ietf.org/html/rfc2818。) |
-| ssl.trustStore | trust.jks | - | 否 | 信任证书文件 | - |
-| ssl.trustStoreType | JKS | - | 否 | 信任证书类型 | - |
-| ssl.trustStoreValue | - | - | 否 | 信任证书密码 | - |
-| ssl.keyStore | server.p12 | - | 否 | 身份证书文件 | - |
-| ssl.keyStoreType | PKCS12 | - | 否 | 身份证书类型 | - |
-| ssl.keyStoreValue | - | - | 否 | 身份证书密码 | - |
-| ssl.crl | revoke.crl | - | 否 | 吊销证书文件 | - |
-| ssl.sslCustomClass | - | org.apache.servicecomb.foundation.ssl.SSLCustom的实现类 | 否 | SSLCustom类的实现,用于开发者转换密码、文件路径等。 | - |
-
-> **说明**:
+Ssl.engine| jdk | - | No | ssl protocol, provide jdk/openssl options | default jdk |
+| ssl.protocols | TLSv1.2 | - | No | Protocol List | Separated by Comma |
+| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH \_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | No|
+List of laws | separated by commas |
+| ssl.authPeer | true | - | No | Whether to authenticate the peer | - |
+ssl.checkCN.host | true | - | No | Check whether the CN of the certificate is checked. This configuration item is valid only on the Consumer side and is valid using the http protocol. That is, the Consusser side uses the rest channel. Invalid for Provider, highway, etc. The purpose of checking CN is to prevent the server from being phishing, refer to >
+Standard definition: [https://tools.ietf.org/html/rfc2818. ](https://tools.ietf.org/html/rfc2818.) |
+| ssl.trustStore | trust.jks | - | No | Trust certificate file | - |
+| ssl.trustStoreType | JKS | - | No | Trust Certificate Type | - |
+| ssl.trustStoreValue | - | - | No | Trust Certificate Password | - |
+| ssl.keyStore | server.p12 | - | No | Identity Certificate File | - |
+| ssl.keyStoreType | PKCS12 | - | No | Identity Certificate Type | - |
+| ssl.keyStoreValue | - | - | No | Identity Certificate Password | - |
+| ssl.crl | revoke.crl | - | No | Revoked Certificate File | - |
+| ssl.sslCustomClass | - | org.apache.servicecomb.foundation.ssl.SSLCustom implementation class | No | SSLCustom class implementation for developers to convert passwords, file paths, etc. | - |
+
+> **Description**:
 >
-> * 默认的协议算法是高强度加密算法,JDK需要安装对应的策略文件,参考:[http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)。 您可以在配置文件配置使用非高强度算法。
-> * 微服务消费者,可以针对不同的提供者指定证书(当前证书是按照HOST签发的,不同的提供者都使用一份证书存储介质,这份介质同时给微服务访问服务中心和配置中心使用)。
+> * The default protocol algorithm is a high-intensity encryption algorithm. The JDK needs to install the corresponding policy file. Reference: [http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html]( Http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html). You can use a non-high-intensity algorithm in your profile configuration.
+> * Microservice consumers, can specify certificates for different providers (current certificates are issued according to HOST, different providers use a certificate storage medium, this medium is also used by the microservice access service center and configuration center ).
 
-## 示例代码
+## Sample Code
 
-microservice.yaml文件中启用TLS通信的配置示例如下:
+An example of a configuration for enabling TLS communication in the microservice.yaml file is as follows:
 ```yaml
 servicecomb:
   service:
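Review bot: The Table 1 rewrite no longer renders as a table. The added header `| Configuration Item | Default Value | Range of Value | Required | Meaning |` has five columns while the unchanged separator and every row have six, so the header for the notes column (注意) was dropped; the `ssl.engine` and `ssl.checkCN.host` rows lost their leading `|`, and the `ssl.ciphers` and `ssl.checkCN.host` rows are each split across two lines, the latter with a stray `>`. The translation also altered literals that readers will copy into configuration: the key became `Ssl.engine`, a space was inserted in `TLS\_ECDHE\_RSA\_WITH \_AES\_128\_GCM\_SHA256`, and the JCE link target gained a leading space and a capitalised `Http://`. Please restore those verbatim from the removed lines. On wording, "List of laws" should be the cipher suite (algorithm) list, "Consusser" is Consumer, "unified development of certificates" should describe one global certificate setting, and the sentence starting "Generally, there is no need to configure tags" needs a blank line before it so that it is not read as part of the tag table.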
@@ -106,6 +108,3 @@ ssl.keyStoreValue: Changeme_123
 ssl.crl: revoke.crl
 ssl.sslCustomClass: org.apache.servicecomb.demo.DemoSSLCustom
 ```
-
-
-


[incubator-servicecomb-docs] 01/02: update java-chassis-reference/en_US/security/rsa.md

Posted by ni...@apache.org.

ningjiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-servicecomb-docs.git

commit bd87f24daf23e17c1391209e40ecbcecbf0e51c0
Author: DeanLee <li...@huawei.com>
AuthorDate: Tue Aug 28 11:38:47 2018 +0800

    update java-chassis-reference/en_US/security/rsa.md
---
 java-chassis-reference/en_US/security/rsa.md       | 54 ++++++++++++++++++++++
 .../en_US/security/shi-yong-rsa-ren-zheng.md       | 54 ----------------------
 2 files changed, 54 insertions(+), 54 deletions(-)

diff --git a/java-chassis-reference/en_US/security/rsa.md b/java-chassis-reference/en_US/security/rsa.md
new file mode 100755
index 0000000..9e9fb68
--- /dev/null
+++ b/java-chassis-reference/en_US/security/rsa.md
@@ -0,0 +1,54 @@
+## Scene Description
+
+Users can enable RSA authentication between services through simple configuration to ensure the security of the service interface.
+
+Detailed introduction [public key authentication] (../references-handlers/publickey.md)
+
+## Consumer Configuration
+
+* Add dependencies in pom.xml:
+
+  ```
+   <dependency>
+      <groupId>org.apache.servicecomb</groupId>
+      <artifactId>handler-publickey-auth</artifactId>
+    </dependency>
+  ```
+
+* Added to the processing chain in microservice.yaml
+
+  ```
+  servicecomb:
+   ......
+   handler:
+    chain:
+     Consumer:
+      default: auth-consumer
+   ......
+  ```
+
+## Provider Configuration
+
+* Add dependencies in pom.xml:
+
+  ```
+   <dependency>
+      <groupId>org.apache.servicecomb</groupId>
+      <artifactId>handler-publickey-auth</artifactId>
+    </dependency>
+  ```
+
+* Added to the processing chain in microservice.yaml
+
+  ```
+  servicecomb:
+   ......
+   handler:
+    chain:
+     Provider:
+      default: auth-provider
+   ......
+  ```
+
+
+
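Review bot: In `+Detailed introduction [public key authentication] (../references-handlers/publickey.md)` the space between `]` and `(` stops Markdown from treating this as a link; remove it so the reference to the handler documentation resolves. The file is also created with `new file mode 100755`; a Markdown document does not need the executable bit, so 100644 would be the expected mode. The pom.xml and microservice.yaml fences could carry `xml` and `yaml` tags, as tls.md does for its YAML blocks.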
diff --git a/java-chassis-reference/en_US/security/shi-yong-rsa-ren-zheng.md b/java-chassis-reference/en_US/security/shi-yong-rsa-ren-zheng.md
deleted file mode 100644
index e66d2a2..0000000
--- a/java-chassis-reference/en_US/security/shi-yong-rsa-ren-zheng.md
+++ /dev/null
@@ -1,54 +0,0 @@
-## 场景描述
-
-用户通过简单的配置即可启用服务间RSA认证,以保障服务接口的安全性。
-
-详细介绍参考[公钥认证](../references-handlers/publickey.md)
-
-## Consumer配置
-
-* 在pom.xml中增加依赖:
-
-  ```
-   <dependency> 
-      <groupId>org.apache.servicecomb</groupId> 
-      <artifactId>handler-publickey-auth</artifactId> 
-    </dependency>
-  ```
-
-* 在microservice.yaml中添加进处理链
-
-  ```
-  servicecomb:
-   ......
-   handler:
-    chain:
-     Consumer:
-      default: auth-consumer
-   ......
-  ```
-
-## Provider配置
-
-* 在pom.xml中增加依赖:
-
-  ```
-   <dependency> 
-      <groupId>org.apache.servicecomb</groupId> 
-      <artifactId>handler-publickey-auth</artifactId> 
-    </dependency>
-  ```
-
-* 在microservice.yaml中添加进处理链
-
-  ```
-  servicecomb:
-   ......
-   handler:
-    chain:
-     Provider:
-      default: auth-provider
-   ......
-  ```
-
-
-