This is a series of articles for those of you who haven’t read the previous episodes:
- Spring Cloud Series Config Center (1)
- Spring Cloud Series Config Center (2)
This article explains how Config implements encryption and decryption in the configuration center and configures user security authentication in the configuration center.
Configure central encryption and decryption
Consider this: all configuration files are stored in a Git remote repository, and some of the information in the configuration files is sensitive. Therefore, we need to encrypt these sensitive information. There are two encryption methods: one is shared key encryption (symmetric key encryption) and the other is public key encryption (asymmetric key encryption).
Symmetric Encryption
Symmetric encryption is the fastest and easiest form of encryption. Encryption uses the same secret key as decryption.
Checking the Encryption Environment
Click the link to watch: Check the encryption environment video (for more please follow the public account “Mr. Hello Ward”)
Version of the problem
To access the Config Server: http://localhost:8888/encrypt/status
If the results are: {“description”:”No key was installed for encryption service”,”status”:”NO_KEY”} indicates that No key is installed for encryption service and that you are using a lower JDK version.
An easy fix: Switch to a higher JDK, such as the latest LTS version JDK-11.0.6.
Complex solution: from Oracle corresponding JCE website to download, download link: https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
The red box below is enough to explain why: JDK 9 and later ships with policy files and are enabled by default.
If your current environment must use a lower version of the JDK, download the corresponding JCE zip, Jar and us_export_policy. jar files to the security directory of the JDK or JRE installed on the JCE machine.
Configuration problem
If The result is {“description”:”The encryption algorithm is not strong enough”,”status”:”INVALID”}, no encryption is configured on The server.
Config Server Create the configuration file. Note that the name must be bootstrap.yml, and configure the key information.
# key
encrypt:
key: example
Copy the codeRestart the Config Server access: http://localhost:8888/encrypt/status results are as follows:
Encryption and decryption demonstration
Click the link to watch: symmetric encryption and decryption video (for more please pay attention to the public number “Mr. Hello Ward”)
Configure the central server
Run the curl command to access the /encrypt endpoint to encrypt the root attribute. Reverse operation /decrypt decrypts.
curl http://localhost:8888/encrypt -d root
Copy the codeEncryption results: bfb5cf8d7cab63e4b770b76d4e96c3a57d40f7c9df13612cb3134e2f7ed26123
decryption
Git repository
Update the encrypted data to a configuration file in a Git remote repository. It is important to note that the {cipher} string is appended to the encrypted result, and if the remote property source contains the encrypted content (the leading value {cipher}), it is decrypted and then sent to the client via HTTP.
Configure the central client
Config Client control layer adds code to get configuration information.
package com.example.controller;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController; @RefreshScope @RestController public class ConfigController { @Value("${name}") private String name; @Value("${password}") private String password; @GetMapping("/name") public String getName(a) { return name; } @GetMapping("/password") public String getPassword(a) { return password; } } Copy the codeModify the Config Client configuration file and restart the test.
spring:
cloud:
config:
name: order-service Git repository configuration file name, corresponding to the first half of the configuration file
label: master # git branch
profile: prod # specify environment discovery: enabled: true # open service-id: config-server # specify the service id of the configuration center server Metrics monitoring and health check management: endpoints: web: base-path: /actuator # access the root path of the endpoints. The default is /actuator exposure: include: The '*' Refresh is the endpoint that needs to be enabled #exclude: # endpoints that do not need to be opened Copy the codeVisit: http://localhost:9091/password returns decrypted result.
Asymmetric encryption and encryption
The difference between symmetric and asymmetric encryption
Symmetric encryption algorithms use the same key for encryption and decryption. As long as you get the key, anyone can break jie.
Asymmetric encryption algorithms require two keys for encryption and decryption: a public key and a private key. During transmission, even if an attacker intercepts the transmitted ciphertext and obtains the public key, the JIE ciphertext cannot be broken, because the jie ciphertext can be broken only by using the private key.
The image is taken from illustrated HTTP.
Java-keytool usage description
Keytool is used to manage a private keystore (keystore) and its associated x.509 certificate chain (which validates the public key corresponding to the private key), as well as to manage other trusted entities.
Everyone has Java environment variables configured by default. Open a CMD window and run the following command.
#Generate a keystore file named config.keystore. The alias is config, the encryption algorithm type is RSA, and the keystore password and key password are config
keytool -genkeypair -keystore config.keystore -alias config -keyalg RSA -keypass config -storepass config
Copy the code
A config.keystore file will be generated in my drive D.
Encryption and decryption demonstration
Click the link to watch: asymmetric encryption and decryption video (for more please follow the public account “Mr. Hello Ward”)
Configure the central server
Add the config.keystore file to the Config Server project resources directory.
Create bootstrap.yml to add asymmetric encryption and decryption configuration. Note: the value must correspond to the value entered in CMD otherwise an error will occur.
Asymmetric encryption and decryption
encrypt:
key-store:
location: classpath:config.keystore # keystore file storage path
alias: config # Key pair alias
password: config # storePass key store secret: config Keypass is used to protect the private key in the generated key pair Copy the codePom.xml adds a configuration to avoid filtering files for Maven.
<! The build tag is often used to add plug-ins and build configurations.
<build>
<! -- Read config file -->
<resources>
<resource>
<directory>src/main/resources</directory> </resource> <resource> <directory>src/main/java</directory> <includes> <include>**/*.xml</include> <include>**/*.properties</include> <include>**/*.tld</include> <include>**/*.keystore</include> </includes> <filtering>false</filtering> </resource> </resources> </build> Copy the codeCheck the encrypted environment, visit: http://localhost:8889/encrypt/status the results are as follows:
Run the curl command to access the /encrypt endpoint to encrypt the root attribute. Reverse operation /decrypt decrypts.
curl http://localhost:8889/encrypt -d root
Copy the codeEncryption result:
decryption
Git repository
Update the encrypted data to a configuration file in a Git remote repository. It is important to note that the {cipher} string is appended to the encrypted result, and if the remote property source contains the encrypted content (the leading value {cipher}), it is decrypted and then sent to the client via HTTP.
Configure the central client
The Config Client configuration file is as follows:
spring:
cloud:
config:
name: order-service Git repository configuration file name, corresponding to the first half of the configuration file
label: master # git branch
profile: prod # specify environment discovery: enabled: true # open service-id: config-server # specify the service id of the configuration center server Metrics monitoring and health check management: endpoints: web: base-path: /actuator # access the root path of the endpoints. The default is /actuator exposure: include: The '*' Refresh is the endpoint that needs to be enabled #exclude: # endpoints that do not need to be opened Copy the codeVisit: http://localhost:9091/password returns decrypted result.
Configure security authentication for central users
If you are careful enough, you will find that the Config Server can be accessed by anyone. If you access the configuration file directly from the Config Server, the encrypted content will be decrypted and displayed in the browser. Of course not, we just need to add user security authentication.
Add the dependent
Config Server Adds the security dependency.
<! Spring Boot Security dependencies -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Copy the codeThe configuration file
Config Server application.yml adds the security authentication configuration.
spring:
# Safety Certification
security:
user:
name: user
password: 123456 Copy the codeConfig Bootstrap. yml of the Client adds the security authentication configuration.
spring:
cloud:
config:
# Safety Certification
username: user
password: 123456 Copy the codetest
The service side
Config Server access: http://localhost:8889/order-service-prod.yml is redirected to the login page.
After entering the user name and password, the following information is displayed:
The client
The Config Client visit: http://localhost:9091/password the results are as follows:
This concludes all the knowledge of the Config configuration center.
This article is licensed under a Creative Commons attribution – Noncommercial – No Deductive 4.0 International license.
You can see more articles about Spring Cloud in the category.
🤗 your likes and retweets are the biggest support for me.
📢 Scan code pay attention to Mr. Hallward “document + video” each article is equipped with a special video explanation, learning more easily oh ~
