This article is part of a series; if you have not read the previous episodes:

  • Spring Cloud Series Config Center (1)
  • Spring Cloud Series Config Center (2)

This article explains how Spring Cloud Config encrypts and decrypts sensitive values in the configuration center, and how to put user authentication in front of the Config Server.

Config Server encryption and decryption

Consider this: all configuration files live in a remote Git repository, and some of the values in them (database passwords, API keys) are sensitive, so they must not be committed in plaintext. Spring Cloud Config supports two ways of encrypting them: a shared key (symmetric encryption) and a key pair (asymmetric encryption).

Symmetric Encryption

Symmetric encryption is the fastest and simplest form: the same secret key is used for encryption and decryption, so whoever holds the key can decrypt every value.

Checking the Encryption Environment


JDK version problem

Open the status endpoint of the Config Server: http://localhost:8888/encrypt/status

If the result is {"description":"No key was installed for encryption service","status":"NO_KEY"}, the server could not set up an encryptor. The author hit this on an older JDK: on JDK 8 and earlier the JVM also needs the unlimited-strength JCE policy files before a 256-bit AES key can be used.

Easy fix: switch to a newer JDK, for example the JDK 11 LTS release (JDK 11.0.6 at the time of writing).

More involved fix: download the JCE Unlimited Strength policy files for your JDK from Oracle: https://www.oracle.com/java/technologies/javase-jce-all-downloads.html

Why the newer JDK fixes it: JDK 9 and later ship the unlimited-strength policy files and enable them by default (the same default applies from JDK 8u161 on), so nothing has to be installed by hand.

If your environment must stay on an older JDK, download the JCE zip for that version and copy the local_policy.jar and US_export_policy.jar it contains into the jre/lib/security directory of the JDK or JRE on the machine running the Config Server, replacing the limited versions that are there.


Configuration problem

If the result is {"description":"The encryption algorithm is not strong enough","status":"INVALID"}, check the key configuration on the server: in the author's setup no encrypt.key had been configured yet. The same status is reported when the JVM's JCE policy restricts AES key sizes, so if the key is configured and the error persists, revisit the JDK step above.


Create the Config Server configuration file. Note that it must be named bootstrap.yml (encrypt.* settings placed in application.yml are read too late), and configure the key. Outside a local demo, do not commit the key: the ENCRYPT_KEY environment variable maps to the same property and keeps it out of the repository.

# Symmetric key used by /encrypt and /decrypt ("example" is a demo value only)
encrypt:
  key: example

Restart the Config Server and open http://localhost:8888/encrypt/status again; it now reports {"status":"OK"}:


Encryption and decryption demonstration


Config Server

Use curl to POST the plaintext to the /encrypt endpoint; here the value root is encrypted. The /decrypt endpoint performs the reverse operation.

curl http://localhost:8888/encrypt -d root

Encryption result (64 hex characters: a random 16-byte IV followed by one AES block, so the same input produces a different value on every call): bfb5cf8d7cab63e4b770b76d4e96c3a57d40f7c9df13612cb3134e2f7ed26123


Decryption: POST the ciphertext to /decrypt in the same way; the response is the plaintext root.


Git repository

Put the encrypted value into the configuration file in the remote Git repository with the {cipher} prefix in front of it, for example password: '{cipher}bfb5cf8d7cab63e4b770b76d4e96c3a57d40f7c9df13612cb3134e2f7ed26123'. In a YAML file the value must be quoted, because an unquoted { starts a YAML mapping. When the Config Server loads a remote property source and finds a value beginning with {cipher}, it decrypts it and sends the plaintext to the client over HTTP; a forgotten prefix means the value is served exactly as committed, and because the client receives plaintext the connection between client and server should be TLS.
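As an added example, not code from the article or from Spring Cloud Config, the following Go program reproduces the value format above so you can see what the {cipher} string contains and what the server does with it. It assumes the symmetric encryptor that Spring Cloud Config builds from encrypt.key, which is Spring Security's Encryptors.text: PBKDF2WithHmacSHA1 with 1024 rounds derives a 256-bit AES key from the key and encrypt.salt (default deadbeef), the text is encrypted with AES/CBC/PKCS5Padding under a random 16-byte IV, and the result is hex(IV || ciphertext). The key example and the plaintext root are the article's; the function names, the DefaultSalt constant and the {cipher}-aware DecryptProperty helper are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Parameters of Spring Security's Encryptors.text, which backs a symmetric encrypt.key.
// DefaultSalt is Spring Cloud Config's default encrypt.salt (assumed unchanged on the server).
const (
	pbkdf2Iterations = 1024
	aesKeyLen        = 32
	DefaultSalt      = "deadbeef"
)

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 8018 section 5.2), written out so that
// the example needs only the standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newBlock(password, saltHex string) (cipher.Block, error) {
	salt, err := hex.DecodeString(saltHex) // Spring hex-decodes the salt string
	if err != nil {
		return nil, err
	}
	return aes.NewCipher(pbkdf2SHA1([]byte(password), salt, pbkdf2Iterations, aesKeyLen))
}

// Encrypt mirrors POST /encrypt. The IV is random, so two calls never give the same value.
func Encrypt(password, saltHex, plaintext string) (string, error) {
	block, err := newBlock(password, saltHex)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return hex.EncodeToString(append(iv, out...)), nil
}

// Decrypt mirrors POST /decrypt and what the server does to each {cipher} value before
// serving it. CBC carries no integrity check: a wrong key or a tampered value shows up
// only as bad padding, and roughly 1 in 256 garbage blocks happens to pad correctly.
func Decrypt(password, saltHex, cipherHex string) (string, error) {
	block, err := newBlock(password, saltHex)
	if err != nil {
		return "", err
	}
	data, err := hex.DecodeString(cipherHex)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return "", fmt.Errorf("value must be hex: a 16-byte IV followed by whole AES blocks")
	}
	plain := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(plain, data[aes.BlockSize:])
	padLen := int(plain[len(plain)-1])
	if padLen == 0 || padLen > aes.BlockSize || !bytes.Equal(plain[len(plain)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return "", fmt.Errorf("invalid padding: wrong key or salt, or corrupted value")
	}
	return string(plain[:len(plain)-padLen]), nil
}

// DecryptProperty treats a value the way the server treats a property from Git:
// only values with the {cipher} prefix are decrypted, anything else is served as-is.
func DecryptProperty(password, saltHex, value string) (string, bool, error) {
	if !strings.HasPrefix(value, "{cipher}") {
		return value, false, nil // a forgotten prefix leaves the secret in plaintext
	}
	plain, err := Decrypt(password, saltHex, strings.TrimPrefix(value, "{cipher}"))
	return plain, true, err
}

func main() {
	fmt.Println(Encrypt("example", DefaultSalt, "root")) // encrypt.key and plaintext from the article
}
```

Two things the block makes visible. First, the 64-character value is a fresh IV plus a single AES block, so encrypting root twice never yields the same string and a differing value is not a sign of a wrong key. Second, the whole scheme reduces to possession of encrypt.key: anyone holding the server's bootstrap.yml together with a clone of the Git repository can run Decrypt over every value, which is why the key belongs in an environment variable and the server behind authentication. Because CBC has no MAC, a tampered repository value is only caught by a padding failure, so restricted write access to the repository is part of the design, not an afterthought.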


Config Client

Add a controller to the Config Client that reads the configuration values.

package com.example.controller;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Exposes two properties fetched from the Config Server; @RefreshScope lets
// POST /actuator/refresh reload them without a restart
@RefreshScope
@RestController
public class ConfigController {

    @Value("${name}")
    private String name;

    // Arrives already decrypted: the Config Server decrypts {cipher} values before serving them
    @Value("${password}")
    private String password;

    @GetMapping("/name")
    public String getName() {
        return name;
    }

    // Demo only: an endpoint that returns a secret is exactly what production code must not have
    @GetMapping("/password")
    public String getPassword() {
        return password;
    }
}

Modify the Config Client configuration file and restart to test.

spring:
  cloud:
    config:
      name: order-service # Git repository configuration file name, the first half of order-service-prod.yml
      label: master # git branch
      profile: prod # environment, the second half of the file name
      discovery:
        enabled: true # look the Config Server up through service discovery
        service-id: config-server # service id of the Config Server
# Metrics monitoring and health check
management:
  endpoints:
    web:
      base-path: /actuator # root path of the endpoints, default is /actuator
      exposure:
        include: '*' # refresh is the endpoint we need; '*' also exposes env, heapdump and the rest, so prefer include: refresh outside a demo
        #exclude: # endpoints that must not be exposed

Open http://localhost:9091/password: the decrypted value root is returned.


Asymmetric encryption and decryption

The difference between symmetric and asymmetric encryption

Symmetric encryption algorithms use the same key for encryption and decryption: anyone who obtains the key can decrypt everything.


Asymmetric encryption algorithms use two keys, a public key and a private key. Even if an attacker intercepts the transmitted ciphertext and also obtains the public key, the ciphertext cannot be recovered, because only the private key can decrypt it.


The image is taken from Illustrated HTTP.

Java keytool usage

keytool manages a keystore of private keys together with the X.509 certificate chain associated with each of them (the chain vouches for the public key that matches the private key), as well as other trusted certificates.

With the Java environment variables configured, open a CMD window and run the following command.

# Generate a keystore file config.keystore holding an RSA key pair under the alias "config";
# the keystore password (-storepass) and the key password (-keypass) are both "config" here, demo values only.
# keytool defaults to 2048-bit RSA on current JDKs.
keytool -genkeypair -keystore config.keystore -alias config -keyalg RSA -keypass config -storepass config

A config.keystore file is generated in the current directory (drive D in the author's case).

Encryption and decryption demonstration


Config Server

Add the config.keystore file to the Config Server project resources directory.


Create bootstrap.yml and add the asymmetric configuration. Note: alias, password and secret must match the values passed to keytool, otherwise the server fails to open the keystore at startup. Like the symmetric key, these passwords are secrets; outside a demo supply them through environment variables (ENCRYPT_KEY_STORE_PASSWORD and ENCRYPT_KEY_STORE_SECRET map to the same properties) instead of committing them next to the keystore, and keep the keystore itself out of the Git repository that holds the configuration.

# Asymmetric encryption and decryption
encrypt:
  key-store:
    location: classpath:config.keystore # keystore file path
    alias: config # key pair alias
    password: config # storepass, protects the keystore
    secret: config # keypass, protects the private key of the key pair

Add a build configuration to pom.xml so that Maven does not filter the keystore: resource filtering rewrites placeholders in text files and would corrupt a binary keystore.

<!-- The build tag is used to add plugins and build configuration -->
<build>
    <!-- Read config files -->
    <resources>
        <resource>
            <directory>src/main/resources</directory>
        </resource>
        <resource>
            <directory>src/main/java</directory>
            <includes>
                <include>**/*.xml</include>
                <include>**/*.properties</include>
                <include>**/*.tld</include>
                <include>**/*.keystore</include>
            </includes>
            <filtering>false</filtering>
        </resource>
    </resources>
</build>

Check the encryption environment again at http://localhost:8889/encrypt/status; the result is as follows:


Use curl to POST the plaintext to the /encrypt endpoint; again the value root is encrypted. The /decrypt endpoint performs the reverse operation.

curl http://localhost:8889/encrypt -d root

Encryption result:


Decryption: POST the ciphertext to /decrypt in the same way; the response is the plaintext root.


Git repository

As in the symmetric case, put the encrypted value into the configuration file in the remote Git repository with the {cipher} prefix in front of it (quoted in YAML). When the Config Server loads the remote property source and finds a value beginning with {cipher}, it decrypts it with the private key from the keystore and sends the plaintext to the client over HTTP. The asymmetric setup changes what the server needs in order to decrypt, not what the client receives, so the client-server channel should still be TLS.


Config Client

The Config Client configuration file is the same as in the symmetric case; the client does not know or care which encryptor the server uses:

spring:
  cloud:
    config:
      name: order-service # Git repository configuration file name, the first half of order-service-prod.yml
      label: master # git branch
      profile: prod # environment, the second half of the file name
      discovery:
        enabled: true # look the Config Server up through service discovery
        service-id: config-server # service id of the Config Server
# Metrics monitoring and health check
management:
  endpoints:
    web:
      base-path: /actuator # root path of the endpoints, default is /actuator
      exposure:
        include: '*' # refresh is the endpoint we need; '*' exposes all endpoints
        #exclude: # endpoints that must not be exposed

Open http://localhost:9091/password: the decrypted value root is returned.


Configure user authentication for the Config Server

If you look carefully you will notice that so far anyone can reach the Config Server: requesting a configuration file from it directly returns the decrypted values in the browser, and the /encrypt and /decrypt endpoints are open as well, so the encryption protects the repository but not the server. That cannot stay that way; we add user authentication.


Add the dependency

The Config Server adds the security dependency.

<!-- Spring Boot Security dependency -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

The configuration file

The Config Server's application.yml adds the authentication configuration. With spring-boot-starter-security on the classpath and a user defined here, every endpoint requires HTTP Basic (or form) login by default.

spring:
  # Basic authentication user (demo values; in practice use a strong password supplied
  # from outside the repository, e.g. the SPRING_SECURITY_USER_PASSWORD environment variable)
  security:
    user:
      name: user
      password: 123456

The Config Client's bootstrap.yml adds the same credentials. They travel as an HTTP Basic header, which is only base64-encoded, so the Config Server URL should be https:// on any network you do not fully trust.

spring:
  cloud:
    config:
      # Credentials sent as HTTP Basic to the Config Server
      username: user
      password: 123456

Test

Server side

Requesting http://localhost:8889/order-service-prod.yml from the Config Server now redirects to the login page:


After entering the user name and password, the configuration is displayed:


Client side

The Config Client at http://localhost:9091/password still returns the decrypted value, because it now authenticates to the Config Server:
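As an added check (example code, not the article's or Spring's), the following Go program sends requests to the paths this article exercised and reports which of them hand over content: anonymously, and then with the same Basic header that spring.cloud.config.username/password produces. It runs offline against a constructed stand-in for the Config Server; point Probe at http://localhost:8889 to check a real one. /actuator/env is an assumed extra path that matters only if actuator is on the server, the sample YAML body is constructed, and a 302 redirect to the login page counts as a denial, which is what the browser test above showed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Paths from the article that must not answer anonymously once the security
// starter is in place (/actuator/env is an assumption: probe it only if the
// server has actuator). /decrypt is a POST endpoint, so it gets a body.
var SensitivePaths = []string{
	"/order-service-prod.yml",
	"/order-service/prod",
	"/encrypt/status",
	"/decrypt",
	"/actuator/env",
}

// Finding records how one path answered.
type Finding struct {
	Path   string
	Status int
	Served bool // 2xx: the server handed over content
}

// Probe requests each path, anonymously when user is empty, otherwise with the
// same Basic header spring.cloud.config.username/password would send. Redirects
// are not followed so Spring Security's 302-to-login stays visible as a denial.
func Probe(baseURL string, paths []string, user, pass string) ([]Finding, error) {
	client := &http.Client{
		Timeout:       5 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	var findings []Finding
	for _, p := range paths {
		method, body := http.MethodGet, io.Reader(nil)
		if p == "/decrypt" {
			method, body = http.MethodPost, strings.NewReader("00")
		}
		req, err := http.NewRequest(method, baseURL+p, body)
		if err != nil {
			return nil, err
		}
		if user != "" {
			req.SetBasicAuth(user, pass)
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		findings = append(findings, Finding{Path: p, Status: resp.StatusCode, Served: resp.StatusCode/100 == 2})
	}
	return findings, nil
}

// ServedPaths lists the paths whose content was handed over.
func ServedPaths(findings []Finding) []string {
	var served []string
	for _, f := range findings {
		if f.Served {
			served = append(served, f.Path)
		}
	}
	return served
}

// NewMockConfigServer stands in for the Config Server so the probe runs offline.
// With requireAuth=false it behaves like the server before the security starter
// was added and hands the decrypted configuration to anyone who asks.
func NewMockConfigServer(requireAuth bool, user, pass string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); requireAuth && (!ok || u != user || p != pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="Realm"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		// Constructed sample of order-service-prod.yml as served after decryption.
		fmt.Fprint(w, "name: order-service\npassword: root\n")
	}))
}

func main() {
	for _, secured := range []bool{false, true} {
		srv := NewMockConfigServer(secured, "user", "123456")
		anon, _ := Probe(srv.URL, SensitivePaths, "", "")
		auth, _ := Probe(srv.URL, SensitivePaths, "user", "123456")
		fmt.Printf("secured=%v anonymous got: %v; with credentials got: %v\n", secured, ServedPaths(anon), ServedPaths(auth))
		srv.Close()
	}
}
```

Run the probe again after every change to the server's security configuration: a custom WebSecurityConfigurerAdapter that permits /actuator/** or /encrypt/** "for convenience" is the usual way the decrypted configuration ends up anonymous again.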


This concludes the Config configuration center series.


This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license.

You can find more Spring Cloud articles in the category.
