
How to build a micro-service architecture for Spring Cloud

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article describes how Spring Cloud Config protects sensitive values in the configuration of a Spring Cloud microservice architecture. It covers the topic in detail and should be a useful reference; interested readers are encouraged to read it through.

In a microservice architecture, teams are usually organized along DevOps lines to cut the heavy cost of communication between separate development and operations teams and to speed up delivery of the services. As a result, production configuration that was once controlled by the operations team is now maintained by the members of the team that owns each microservice, and that configuration contains a great deal of sensitive information, such as database accounts and passwords. Storing such information in clear text in a microservice's configuration files is obviously dangerous: anyone with read access to the configuration repository holds the production credentials. To address this, Spring Cloud Config provides encryption and decryption of configuration properties so that the information in the configuration files is protected.

For example:

spring.datasource.username=didi
spring.datasource.password={cipher}dba6505baa81d78bd08799d8d4429de499bd4c2053c05f029e7cfbf143695f5b

In Spring Cloud Config, a value is marked as encrypted by placing the {cipher} prefix in front of it. When a microservice client requests its configuration, the configuration center decrypts every value that carries the {cipher} prefix before returning it (this is the default; the server-side behaviour is controlled by spring.cloud.config.server.encrypt.enabled). With this mechanism the operations team can hand the encrypted form of production settings to the microservice team without exposing the underlying secrets. Two practical points: in YAML files the value must be quoted ('{cipher}...'), because an unquoted { starts a YAML flow mapping; and since decryption happens on the server, clients receive the plaintext over the network, so the configuration center must be reached over TLS and protected by authentication (alternatively, set spring.cloud.config.server.encrypt.enabled=false and give the clients the key so that they decrypt locally). The rest of this article describes how to use this feature in the configuration center.
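The check most teams want once {cipher} is in use is one that refuses a commit containing a credential in clear text. The script below is an added example, not code from the article or from Spring Cloud Config itself: it parses a .properties file, flags sensitive-looking keys whose value lacks the {cipher} prefix, and, for the symmetric mode, verifies that each {cipher} value is hex and the size of a 16-byte IV plus whole AES blocks (values produced with an RSA key store are Base64 and are skipped with symmetric=False). The list of sensitive key fragments and the sample file are constructed assumptions; extend the list for your own repository.

```python
"""Pre-commit check for a Spring Cloud Config repository (added example, not
code from the article or from Spring Cloud Config itself).

Flags sensitive-looking keys stored in clear text and sanity-checks {cipher}
values against the symmetric encryptor's output format (hex-encoded 16-byte
IV followed by whole AES-CBC blocks).
"""
import re
import sys

CIPHER_PREFIX = "{cipher}"
# Assumed key fragments that usually carry credentials; extend for your repo.
SENSITIVE_FRAGMENTS = ("password", "passwd", "secret", "token", "apikey",
                       "api-key", "credential", "private-key")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: one encrypted value (the article's ciphertext), one
# credential in clear text, and one malformed {cipher} value.
SAMPLE = """\
# constructed sample properties file
spring.datasource.username=didi
spring.datasource.password={cipher}dba6505baa81d78bd08799d8d4429de499bd4c2053c05f029e7cfbf143695f5b
my.api.token=plain-text-token
broken.secret={cipher}not-hex!!
"""


def parse_properties(text):
    """Minimal .properties parser: 'key=value' or 'key: value', '#'/'!'
    comment lines and backslash line continuations.  Returns an ordered dict."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]        # value continues on the next line
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def is_sensitive(key):
    lowered = key.lower()
    return any(fragment in lowered for fragment in SENSITIVE_FRAGMENTS)


def check_properties(text, symmetric=True):
    """Return a list of (key, problem) pairs; an empty list means the file passed.

    With symmetric=True the {cipher} body must be hex and at least 64 hex chars
    (IV + one block), in multiples of 32; with an RSA key store pass False,
    since that mode emits Base64."""
    findings = []
    for key, value in parse_properties(text).items():
        if value.startswith(CIPHER_PREFIX):
            body = value[len(CIPHER_PREFIX):].strip()
            if not body:
                findings.append((key, "empty {cipher} value"))
            elif symmetric and not HEX_RE.match(body):
                findings.append((key, "{cipher} value is not hex; the server cannot decrypt it"))
            elif symmetric and (len(body) < 64 or len(body) % 32):
                findings.append((key, "{cipher} value has an unexpected length for the symmetric format"))
        elif value and is_sensitive(key):
            findings.append((key, "sensitive key stored in clear text"))
    return findings


if __name__ == "__main__":
    # Pass a properties file path; without one the constructed sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    problems = check_properties(text)
    for key, problem in problems:
        print(f"{key}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it as a pre-commit hook on every properties file in the configuration repository; a non-zero exit blocks the commit. The length check is deliberately loose (it only rules out truncated or hand-edited values), so a value that passes is still only as trustworthy as the key that produced it.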

Prerequisite

One prerequisite applies when using the encryption and decryption feature of Spring Cloud Config: the JVM that runs the configuration center must permit unlimited-strength cryptography, because the symmetric mode uses AES-256. On Java 8 releases before 8u161 the JRE ships with a limited policy by default, so the Unlimited Strength Java Cryptography Extension (JCE) policy files have to be installed. They can be downloaded from Oracle's website as an archive that unpacks into three files:

README.txt
local_policy.jar
US_export_policy.jar

Copy local_policy.jar and US_export_policy.jar into $JAVA_HOME/jre/lib/security, overwriting the default files. From Java 8u161 onward, and on Java 9 and later, the unlimited policy is enabled by default and this step is unnecessary. At this point the preparation for encryption and decryption is complete.

Related endpoints

After the JCE step, start the configuration center. Among the endpoints it logs at startup are several specific to the encryption feature:

/encrypt/status: reports whether the encryption feature is usable
/key: returns the public key (only meaningful when an asymmetric key pair is configured)
/encrypt: encrypts the request body and returns the ciphertext
/decrypt: decrypts the request body and returns the plaintext

These endpoints must not be reachable by anyone who is not trusted with the plaintext: whoever can POST a {cipher} value taken from the configuration repository to /decrypt recovers the secret. Put Spring Security in front of the configuration center (adding spring-boot-starter-security gives HTTP Basic authentication) and restrict network access to it.

Issue a GET request to the /encrypt/status endpoint and you will get:

{"description": "No key was installed for encryption service", "status": "NO_KEY"}

This response means that the encryption feature of the configuration center cannot be used yet, because no key has been configured for the encryption service.

Configure a key

The simplest option is a symmetric key, specified directly in the configuration file with the encrypt.key property:

encrypt.key=didispace

Depending on the Spring Cloud release, this property has to be placed in bootstrap.properties rather than application.properties, because the text encryptor is created in the bootstrap context; check the documentation of the version you run. The value is a passphrase from which the AES key is derived, not a raw key, so use a long random string in production: the short dictionary word here is only for demonstration, and the key must never be committed next to the configuration it protects.

After adding this configuration, restart the configuration center and visit the /encrypt/status endpoint again; you will now get:

{"status": "OK"}

The encryption and decryption feature of the configuration center is now ready, so we can try the /encrypt and /decrypt endpoints. Both accept POST requests, with the text to encrypt or decrypt sent in the request body. With curl:

$ curl localhost:7001/encrypt -d didispace
3c70a809bfa24ab88bcb5e1df51cb9e4dd4b8fec88301eb7a18177f1769c849ae9c9f29400c920480be2c99406ae28c7
$ curl localhost:7001/decrypt -d 3c70a809bfa24ab88bcb5e1df51cb9e4dd4b8fec88301eb7a18177f1769c849ae9c9f29400c920480be2c99406ae28c7
didispace

Note that curl -d sends the body as application/x-www-form-urlencoded, so a plaintext containing + or = would be altered on the way; for such values use --data-urlencode instead of -d, or send an explicit -H 'Content-Type: text/plain'. The ciphertext is hex-encoded and starts with a random IV, so encrypting the same plaintext twice gives different output; that is expected.

Configuring encrypt.key selects symmetric encryption. It is the simplest approach, since only one parameter is required. The key can also be supplied through the environment variable ENCRYPT_KEY, which keeps it out of the configuration file and lets the key be externalized.
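As an added example (not the article's code nor Spring Cloud Config's own), the following Python reproduces the symmetric scheme the configuration center applies when encrypt.key is set, so that a {cipher} value can be produced, checked or recovered offline, for instance in CI or during an incident, without calling the /encrypt and /decrypt endpoints. It follows Spring Security's Encryptors.text(key, salt), which the server uses in this mode: PBKDF2-HMAC-SHA1 with 1024 iterations derives a 256-bit AES key from the passphrase and the hex-decoded salt (the server's encrypt.salt property, default deadbeef), the value is encrypted with AES-256-CBC and PKCS#7 padding under a random 16-byte IV, and the IV followed by the ciphertext is hex-encoded. The key didispace is the article's value; the third-party cryptography package is assumed to be installed. Values produced with a key store (asymmetric mode) use a different, Base64-encoded format and are not handled here.

```python
"""Offline encrypt/decrypt for Spring Cloud Config's symmetric {cipher} values.

Added example, not Spring Cloud Config's own code.  Mirrors Spring Security's
Encryptors.text(password, salt), which the configuration center uses when
encrypt.key is set.  Assumes the third-party `cryptography` package.
"""
import hashlib
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

CIPHER_PREFIX = "{cipher}"
DEFAULT_SALT = "deadbeef"   # server's encrypt.salt default; must be hex
PBKDF2_ITERATIONS = 1024
KEY_BYTES = 32              # AES-256
IV_BYTES = 16


def derive_key(password, salt_hex=DEFAULT_SALT):
    """PBKDF2-HMAC-SHA1, 1024 rounds, hex-decoded salt, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), PBKDF2_ITERATIONS,
                               dklen=KEY_BYTES)


def encrypt(plaintext, password, salt_hex=DEFAULT_SALT, iv=None):
    """Return the hex string the /encrypt endpoint would return.

    A random IV is used unless one is supplied (only useful for tests), so
    the same plaintext encrypts differently on every call."""
    key = derive_key(password, salt_hex)
    iv = os.urandom(IV_BYTES) if iv is None else iv
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext.encode("utf-8")) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return (iv + enc.update(padded) + enc.finalize()).hex()


def decrypt(value, password, salt_hex=DEFAULT_SALT):
    """Decrypt a hex ciphertext, with or without the {cipher} prefix."""
    if value.startswith(CIPHER_PREFIX):
        value = value[len(CIPHER_PREFIX):]
    data = bytes.fromhex(value.strip())
    if len(data) < 2 * IV_BYTES or len(data) % 16:
        raise ValueError("expected a 16-byte IV followed by whole AES blocks")
    key = derive_key(password, salt_hex)
    dec = Cipher(algorithms.AES(key), modes.CBC(data[:IV_BYTES])).decryptor()
    padded = dec.update(data[IV_BYTES:]) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    # A wrong key or salt normally surfaces here as a padding error.
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


if __name__ == "__main__":
    # Produce a property line the configuration center would accept,
    # then prove it round-trips under the same key.
    token = encrypt("didispace", "didispace")
    print("spring.datasource.password=" + CIPHER_PREFIX + token)
    print("decrypts to:", decrypt(CIPHER_PREFIX + token, "didispace"))
```

A value produced here decrypts on a configuration center configured with the same encrypt.key and encrypt.salt, and the reverse holds, which makes the script a convenient way to audit a repository's {cipher} values from a machine that holds the key but has no route to the server. Keep in mind that the scheme has no authentication tag: a tampered ciphertext is detected only if the padding happens to break, so the configuration repository still needs access control and signed commits.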

Asymmetric encryption

The configuration center of Spring Cloud Config supports not only symmetric encryption but also asymmetric encryption with an RSA key pair. Generating and configuring the key pair takes more work, but it offers better security: the public key can be handed to the teams that need to encrypt values, while the private key never leaves the configuration center. The following describes how to use asymmetric encryption.

First, generate the key pair with the keytool utility. keytool is the key and certificate management tool of the JDK: it lets users manage their own public/private key pairs and the associated certificates, which are used for self-authentication (a user proving its identity to other users or services through a digital signature) and for data integrity and authentication services. It has shipped with every JDK since 1.4 and lives at $JAVA_HOME/bin/keytool (keytool.exe under %JAVA_HOME%\bin on Windows).

The command to generate the key pair, with the interactive prompts it produces, is:

keytool -genkeypair -alias config-server -keyalg RSA -keystore config-server.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  zhaiyongchao
What is the name of your organizational unit?
  [Unknown]:  company
What is the name of your organization?
  [Unknown]:  organization
What is the name of your City or Locality?
  [Unknown]:  city
What is the name of your State or Province?
  [Unknown]:  province
What is the two-letter country code for this unit?
  [Unknown]:  china
Is CN=zhaiyongchao, OU=company, O=organization, L=city, ST=province, C=china correct?
  [no]:  y
Enter key password for <config-server>
	(RETURN if same as keystore password):
Re-enter new password:

If we would rather not answer the prompts one by one, the distinguished name can be given directly with -dname, and the keystore and key passwords with -storepass and -keypass. The following command creates the same keystore as the interactive session above:

keytool -genkeypair -alias config-server -keyalg RSA \
  -dname "CN=zhaiyongchao, OU=company, O=organization, L=city, ST=province, C=china" \
  -keypass 222222 \
  -keystore config-server.keystore \
  -storepass 111111

By default, a key pair created with this command is valid for only 90 days. The validity period is adjusted with the -validity parameter, given in days; for example, the following command extends it to one year:

$ keytool -genkeypair -alias config-server -keyalg RSA \
  -dname "CN=zhaiyongchao, OU=company, O=organization, L=city, ST=province, C=china" \
  -keypass 222222 \
  -keystore config-server.keystore \
  -storepass 111111 \
  -validity 365

Two caveats apply on current JDKs. Passwords given on the command line with -storepass and -keypass end up in the shell history, so prefer the interactive prompts on shared machines. And since Java 9 keytool creates PKCS12 keystores by default, for which it does not support a key password different from the store password and ignores -keypass with a warning; in that case set encrypt.key-store.secret below to the store password, or pass -storetype JKS explicitly to keep two separate passwords.

Each of the three commands produces a config-server.keystore file in the directory the command was run from. Copy it to the file system of the configuration center, for example the home directory of the user the service runs as, and add the following to the configuration center:

encrypt.key-store.location=file://${user.home}/config-server.keystore
encrypt.key-store.alias=config-server
encrypt.key-store.password=111111
encrypt.key-store.secret=222222

If config-server.keystore is placed under src/main/resources of the configuration center, the location can be given as encrypt.key-store.location=config-server.keystore (or, explicitly, classpath:config-server.keystore). Bear in mind, though, that a key store packaged into the application artifact travels with every copy of that artifact, so keeping it outside the jar, readable only by the service account, is the safer choice. The asymmetric settings can also be supplied through environment variables, with these names:

ENCRYPT_KEY_STORE_LOCATION
ENCRYPT_KEY_STORE_ALIAS
ENCRYPT_KEY_STORE_PASSWORD
ENCRYPT_KEY_STORE_SECRET

Passing the key store passwords through environment variables keeps them out of files that end up in version control, which is a sensible default for the configuration center. They remain readable to anyone who can inspect the process environment on that host, so restrict access to the host accordingly, or have the platform's secret store inject them at start-up.

This concludes the article "How to build a micro-service architecture for Spring Cloud". Thank you for reading! We hope the content is useful; for more related material, follow the industry information channel.
