How to add SSL protocol support to zkServer

Posted on 2022-11-16 09:53:14


ZooKeeper's default network communication is not encrypted; the open-source community added Netty in ZOOKEEPER-2125 to support SSL.

It is worth noting that, like some other open-source components, ZooKeeper's SASL authentication and SSL settings can both be configured through JVM variables. This makes configuration convenient, but it also brings some problems: for example, when several ZooKeeper instances are started in one JVM, their configurations conflict.

Client configuration
  • JVM variable approach

Enable Netty by setting the following JVM variable:

zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"

Enable secure communication by setting the following JVM variable:

zookeeper.client.secure=true

A client with "secure" set can only connect to the server's "secureClientPort".

Set the keystore and truststore JVM variables:

zookeeper.ssl.keyStore.location="/path/to/your/keystore"
zookeeper.ssl.keyStore.password="keystore_password"
zookeeper.ssl.trustStore.location="/path/to/your/truststore"
zookeeper.ssl.trustStore.password="truststore_password"

  • ZKClientConfig approach

ZKClientConfig conf = new ZKClientConfig();
// use the Netty socket and connect to the secure (TLS) client port
conf.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
conf.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
// key store and trust store used for the TLS handshake
conf.setProperty(ZKClientConfig.SSL_KEYSTORE_LOCATION, "KeyStorePath");
conf.setProperty(ZKClientConfig.SSL_KEYSTORE_PASSWD, "KeyStorePasswd");
conf.setProperty(ZKClientConfig.SSL_TRUSTSTORE_LOCATION, "TrustStorePath");
conf.setProperty(ZKClientConfig.SSL_TRUSTSTORE_PASSWD, "TrustStorePasswd");

With ZKClientConfig the community also made it possible to start several clients in the same JVM that connect to different Kerberos-authenticated ZooKeeper clusters, or to connect separately to authenticated and unauthenticated ZooKeeper clusters; I may cover that in a separate article if I get the chance.

Server side
  • JVM variable approach

On the server, the configuration can be added directly in zkServer.sh:

export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=testKeyStore.jks
-Dzookeeper.ssl.keyStore.password=testpass
-Dzookeeper.ssl.trustStore.location=testTrustStore.jks
-Dzookeeper.ssl.trustStore.password=testpass"

export CLIENT_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=testKeyStore.jks
-Dzookeeper.ssl.keyStore.password=testpass
-Dzookeeper.ssl.trustStore.location=testTrustStore.jks
-Dzookeeper.ssl.trustStore.password=testpass"

Add the port in zoo.cfg:

secureClientPort=2281

All SSL-mode clients should connect to this port.

  • zoo.cfg approach

Add the following in zoo.cfg:

secureClientPort=3183
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=testKeyStore.jks
ssl.keyStore.password=testpass
ssl.trustStore.location=testTrustStore.jks
ssl.trustStore.password=testpass

Original poster | Posted on 2022-11-16 09:54:14
Configuring SSL/TLS for ZooKeeper
When using a ThingWorx HA cluster, you can configure SSL or TLS for ZooKeeper:
Configuring ZooKeeper
1. Make sure the ZooKeeper version you are running supports SSL or TLS.
2. Obtain your SSL certificate and trust store.
The only acceptable file extensions for the certificate are JKS, PEM and PKCS12 (p12).
3. Go to apache-zookeeper-[version]-bin/conf and update or create zoo.cfg.
4. Add the following entries:
dataDir=/<path-to-zookeeper-data>/data
dataLogDir=/<path-to-zookeeper-datalog>/datalog
secureClientPort=2281
tickTime=2000
initLimit=5
syncLimit=2
autopurge.snapRetainCount=3
autopurge.purgeInterval=0
maxClientCnxns=60
admin.enableServer=true
standaloneEnabled=false
quorumListenOnAllIPs=true
sslQuorum=true
To secure the quorum between ZooKeeper nodes, set the variable sslQuorum=true in the zoo.cfg file. The nodes will use the automatically generated SSL to protect the quorum.
5. Modify <path to zookeeper>/bin/zkServer.sh
export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12
-Dzookeeper.ssl.keyStore.password=<certificate-password>
-Dzookeeper.ssl.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12
-Dzookeeper.ssl.trustStore.password=<truststore-password>
-Dzookeeper.ssl.quorum.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12
-Dzookeeper.ssl.quorum.keyStore.password=<certificate-password>
-Dzookeeper.ssl.quorum.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12
-Dzookeeper.ssl.quorum.trustStore.password=<truststore-password>
-Dzookeeper.ssl.quorum.hostnameVerification=false"
6. Start ZooKeeper:
./zkServer.sh start
7. In the log, verify that the configuration is correct:
tail -f apache-zookeeper-3.5.6-bin/logs/<zookeeper-log-file>
Configuring ThingWorx
1. Copy the ZooKeeper certificates to your instance, or make sure they are available on the machine running ThingWorx.
2. Modify platform-settings.json so that the end of the file contains the following as a root element, at the same level as PlatformSettingsConfig.
"ZookeeperSettings": {
    "SSLEnabled": "true",
    # If SSL is enabled, you must include the following; trust store is optional:
    "KeyStorePath": "<path-to-zookeeper-certificates>/zookeeper.p12",
    "KeyStorePass": "<certificate-password>",
    "TrustStorePath": "<path-to-zookeeper-certificates>/truststore.p12",
    "TrustStorePass": "<truststore-password>",
    "SASLEnabled": "false",
    # If SASL is enabled, you must include the following:
    "JaasConfPath": "/tmp1/jaas.conf",
    "Krb5ConfPath": "/tmp1/krb5.conf"
    }
3. Search for the default ZooKeeper port 2181 and replace it with the secure port 2281.
4. Make sure that all CoordinatorHosts entries and the address-resolver > connection ports have been updated to match the secureClientPort value in zoo.cfg.
Configuring Ignite
1. Copy the Ignite certificates to your ThingWorx instance, or make sure they are available on the machine running the Ignite server.
2. Set the ZOOKEEPER_CONNECTION environment variable, find the JVM_XOPTS environment variable used to start Ignite, and update it as follows:
# zookeeper1 represents the host name where zookeeper is available and 2281 the secure port from zoo.cfg
export ZOOKEEPER_CONNECTION=zookeeper1:2281,zookeeper2:2281,zookeeper3:2281
# update the JVM_XOPTS (the value contains spaces, so it must be quoted)
JVM_XOPTS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12 -Dzookeeper.ssl.keyStore.password=<keystore-password> -Dzookeeper.ssl.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12 -Dzookeeper.ssl.trustStore.password=<truststore-password>"
Configuring Connection Server
1. Copy the ZooKeeper certificates to your instance, or make sure they are available on the machine running the Connection Server.
2. In the Connection Server configuration file, update the port in cx-server.discovery.connectionString to use the secure port.
For example, cx-server.discovery.connectionString = "{zookeeper-host}:2281".
3. Add the following system properties to the CONNECTION_SERVER_OPTS environment variable.
For example:
export CONNECTION_SERVER_OPTS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12
-Dzookeeper.ssl.keyStore.password=<keystore-password>
-Dzookeeper.ssl.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12
-Dzookeeper.ssl.trustStore.password=<truststore-password>"
Encrypting passwords with the ThingWorx security management tool
If you want to avoid putting plain passwords into the platform-settings.json file, you can use the security tool to encrypt the passwords inside twx-keystore. You must encrypt the passwords using encrypt.zk.keystore.password and encrypt.zk.truststore.password for the key store and trust store passwords, respectively.
./security-common-cli keystore.conf set encrypt.zk.keystore.password "ptcptc"
Then change the platform-settings.json file so that ThingWorx picks the passwords up from the key store:
"KeyStorePass": "encrypt.zk.keystore.password",
"TrustStorePass": "encrypt.zk.truststore.password"
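As an added check that belongs to neither post above nor to ZooKeeper itself: this script audits a zoo.cfg written in the zoo.cfg style of the first post (and of step 4 in the second post) for the settings the secure port needs, and warns about a leftover plain clientPort, a missing sslQuorum, and disabled quorum hostname verification (the second post sets that to false through JVM flags, where the same keys carry a zookeeper. prefix). The function names and the two sample config files are constructed here.

```shell
#!/bin/sh
# Added audit script, not part of the forum post or of ZooKeeper: checks a zoo.cfg
# for the SSL settings described above and flags combinations that leave a gap.
# zk_cfg_get FILE KEY: print the last value assigned to KEY in FILE (empty if absent).
zk_cfg_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for the regex
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# zk_ssl_audit FILE: returns 0 when every setting secureClientPort needs is present
# and the Netty factory is selected; WARN lines are printed but do not fail the check.
zk_ssl_audit() {
    cfg=$1; rc=0
    for key in secureClientPort serverCnxnFactory ssl.keyStore.location \
               ssl.keyStore.password ssl.trustStore.location ssl.trustStore.password; do
        [ -n "$(zk_cfg_get "$cfg" "$key")" ] || { echo "MISSING $key"; rc=1; }
    done
    case "$(zk_cfg_get "$cfg" serverCnxnFactory)" in
        *NettyServerCnxnFactory) ;;           # only the Netty factory can terminate TLS
        *) echo "WRONG   serverCnxnFactory must be the NettyServerCnxnFactory"; rc=1 ;;
    esac
    # a plain clientPort left next to secureClientPort keeps an unencrypted path open
    [ -z "$(zk_cfg_get "$cfg" clientPort)" ] || echo "WARN    clientPort still set; plaintext clients can connect"
    [ "$(zk_cfg_get "$cfg" sslQuorum)" = true ] || echo "WARN    sslQuorum is not true; quorum traffic stays in plaintext"
    [ "$(zk_cfg_get "$cfg" ssl.quorum.hostnameVerification)" != false ] || echo "WARN    quorum hostname verification is disabled"
    return $rc
}

tmp=$(mktemp -d)
# constructed sample: the post's zoo.cfg-style settings plus sslQuorum, no plain port
cat > "$tmp/secure.cfg" <<'EOF'
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=testKeyStore.jks
ssl.keyStore.password=testpass
ssl.trustStore.location=testTrustStore.jks
ssl.trustStore.password=testpass
sslQuorum=true
EOF
# constructed sample: a half-migrated config that still listens on 2181 in plaintext
cat > "$tmp/partial.cfg" <<'EOF'
clientPort=2181
secureClientPort=2281
ssl.keyStore.location=testKeyStore.jks
ssl.keyStore.password=testpass
EOF
zk_ssl_audit "$tmp/secure.cfg"  && echo "secure.cfg: OK"
zk_ssl_audit "$tmp/partial.cfg" || echo "partial.cfg: NOT READY"
```

Once the audit passes on the real file, `openssl s_client -connect <zk-host>:2281 </dev/null` should complete a TLS handshake and print the server certificate, while the same probe against the old 2181 port should not.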