
feature: support ssl communication for raft nodes

Open Muluo-cyan opened this issue 4 months ago • 0 comments

  • [ ] I have registered the PR changes.

Ⅰ. Describe what this PR did

The communication between nodes in the Raft cluster now supports SSL.

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

Add the following configuration to the application.yml file on the server to enable SSL support:

```yaml
server:
  raft:
    ssl:
      enabled: true                # whether to enable SSL support
      keystore.type: pkcs12        # keystore type
      kmf.algorithm: SunX509       # KMF (KeyManagerFactory) algorithm
      server:
        keystore: bolt.pfx         # keystore file path for the Raft node RPC server
        keystore.password: sfbolt  # keystore password
      client:
        keystore: cbolt.pfx        # keystore file path for the Raft node RPC client
        keystore.password: sfbolt  # keystore password
```

The server-side SSL keystore file bolt.pfx and the client-side SSL keystore file cbolt.pfx are generated with the following steps:

1. First, generate the server keystore and export its certificate.

```shell
keytool -genkey -alias securebolt -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore bolt.pfx -deststoretype pkcs12
keytool -export -alias securebolt -keystore bolt.pfx -storepass sfbolt -file bolt.cer
```

2. Next, generate the client keystore and export its certificate.

```shell
keytool -genkey -alias smcc -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore cbolt.pfx -deststoretype pkcs12
keytool -export -alias smcc -keystore cbolt.pfx -storepass sfbolt -file cbolt.cer
```

3. Finally, import the server certificate into the client keystore and the client certificate into the server keystore.

```shell
keytool -import -trustcacerts -alias securebolt -file bolt.cer -storepass sfbolt -keystore cbolt.pfx
keytool -import -trustcacerts -alias smcc -file cbolt.cer -storepass sfbolt -keystore bolt.pfx
```

Copy the generated certificates to each node, then start the Seata cluster. You should see that the Raft cluster has SSL support enabled, and any node without the certificate will have its communication with the other nodes rejected.
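As an added illustration (not Seata's own code and not part of this PR), the following shows what the server.raft.ssl.* keys above map onto in JSSE and why step 3 is required: the same PKCS12 file supplies both the node's identity and its trust anchors, so a peer whose certificate was never imported fails the handshake. It assumes bolt.pfx and cbolt.pfx from the steps above are in the working directory; the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;

// Illustration only, not Seata's implementation: how the server.raft.ssl.* keys above
// map onto JSSE, and why step 3 (cross-importing the .cer files) is required.
public final class RaftSslContextExample {
    // keystoreType <- keystore.type, kmfAlgorithm <- kmf.algorithm, keystorePath <- server/client keystore
    static SSLContext build(String keystoreType, String kmfAlgorithm,
                            String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(keystoreType);
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        // Own identity: the PrivateKeyEntry created by keytool -genkey (securebolt / smcc).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm);
        kmf.init(ks, password);
        // Trust anchors are read from the SAME file, so each side must already hold the
        // peer's certificate imported in step 3, otherwise the handshake fails.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Loopback mutual-TLS handshake between the two keystores generated above.
    public static void main(String[] args) throws Exception {
        char[] pw = "sfbolt".toCharArray();
        SSLContext serverCtx = build("pkcs12", "SunX509", "bolt.pfx", pw);
        SSLContext clientCtx = build("pkcs12", "SunX509", "cbolt.pfx", pw);
        SSLServerSocket listener =
            (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        listener.setNeedClientAuth(true); // a peer that presents no trusted certificate is rejected
        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                s.startHandshake();
                System.out.println("server accepted " + s.getSession().getPeerPrincipal());
            } catch (Exception e) { System.out.println("server rejected peer: " + e.getMessage()); }
        });
        server.start();
        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory()
                .createSocket("localhost", listener.getLocalPort())) {
            c.startHandshake();
            System.out.println("client verified " + c.getSession().getPeerPrincipal());
        }
        server.join();
        listener.close();
    }
}
```

Running it against a keystore that skipped step 3 reproduces the rejection described above, since neither side can build a certification path to the other.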

Ⅴ. Special notes for reviews

Muluo-cyan, Oct 15 '24 09:10