Example Analysis of Ceph OpenSSL

2025-01-18 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article presents the "Example Analysis of Ceph OpenSSL": how to serve a Ceph RGW over HTTPS with a certificate generated by OpenSSL. It is meant to be easy to follow and well organized, and I hope it resolves your doubts. Let the editor lead you through the article.

Ceph OpenSSL

1. SSL introduction

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communications; they sit between the application and the transport layer and encrypt the connection. SSL was developed by Netscape to protect data transmitted over the Internet: encryption ensures that data cannot be read if it is intercepted or eavesdropped on in transit. Historically, export rules limited the generally available version to 40-bit keys, while a 128-bit version was available only inside the United States, and SSL support required at least version 3.0 of Internet Explorer or Netscape. Those limits are long gone: every SSL version and TLS 1.0/1.1 are deprecated, and a current deployment should negotiate TLS 1.2 or 1.3.

The secure channel provided by the SSL protocol has the following three features:

Confidentiality: the SSL protocol uses keys to encrypt communication data.

Authentication: the server is authenticated to the client by its certificate; authenticating the client (with a client certificate) is optional.

Integrity: the SSL protocol checks the integrity of the transmitted data.

1.1 SSL certificate classification

SSL certificates vary by function and brand, but because a certificate is an international product, what matters most is compatibility, that is, whether the issuer's root certificate is embedded in the trust stores of browsers and operating systems. That is what solves the trust problem for users visiting a website: through the certificate, a user can verify the real identity of the site. SSL certificates are classified into the following categories:

Extended Validation (EV) SSL certificate

Organization Validation (OV) SSL certificate

Domain Validation (DV) SSL certificate

The three types differ as follows, briefly:

The biggest difference between DV and OV certificates is that a DV certificate does not contain the organization's name, while an OV certificate does.

Both OV and EV certificates contain the organization's name, but because EV certificates are issued under stricter validation standards, browsers historically gave them a more visible mark of trust: the company name was shown in the address bar and the bar turned green. Note that mainstream browsers have since removed this EV indicator (Safari in 2018, Chrome and Firefox in 2019), so today an EV certificate looks the same as an OV or DV certificate in the address bar.

Prices generally decrease in the order EV, OV, DV.

2. HTTPS introduction

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It was introduced by Netscape and built into its browser. HTTPS runs ordinary HTTP as a sublayer on top of Netscape's Secure Sockets Layer (SSL), so requests and responses are encrypted before they are handed to TCP/IP. HTTPS uses port 443 instead of HTTP's port 80. Early SSL deployments used the RC4 stream cipher, in export versions with only 40-bit keys; RC4 is now prohibited in TLS (RFC 7465), and modern HTTPS uses AEAD cipher suites such as AES-GCM or ChaCha20-Poly1305 negotiated by TLS 1.2/1.3. In short, HTTPS is HTTP with an SSL/TLS layer added underneath it, and that layer is the security foundation of HTTPS.

3. Civetweb configuration SSL

3.1 Prerequisites

Before starting, create a bucket named bucket1 and set its permission to public access. To make the result easy to check, upload several objects, for example obj1, obj2, ..., and set their permissions to public access as well, so that they can be listed and fetched from a browser later.

3.2 Create a self-signed certificate

First use openssl to generate a certificate. The commands below produce a single self-signed server certificate, that is, the certificate is signed with its own private key. If you instead want a private root CA, generate a separate CA key and certificate and use it to sign the server-side or client-side CSRs; several such roots can coexist, just like different companies.

    # Generate the private key. The -des3 option encrypts the key file with a
    # passphrase. The original article used 1024 bits; modern browsers and
    # OpenSSL builds reject RSA keys shorter than 2048 bits, so use 2048.
    openssl genrsa -des3 -out server.key 2048

    # Generate the certificate signing request (CSR) from the private key.
    # The CSR is the usual format for a certificate application; keep the
    # passphrase-protected key and the CSR together.
    openssl req -new -key server.key -out server.csr

    # Make an unencrypted copy of the key so the server can read it at start-up
    # without a passphrase (protect the file with permissions instead).
    cp server.key server.key.orig
    openssl rsa -in server.key.orig -out server.key

    # Self-sign the CSR, valid for 10 years.
    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

    # Civetweb expects the certificate and the key in one PEM file.
    cp server.crt server.pem
    cat server.key >> server.pem

Note: in the second step, openssl req prompts for the Common Name (CN). Set it to *.exampletest.com so that it matches the bucket.domain virtual-host naming that AWS S3 uses (bucket1.exampletest.com). The other fields are optional. Be aware that current browsers ignore the CN and match the host name only against the subjectAltName (SAN) extension, so a certificate that carries only a CN is still reported as invalid by Chrome and Firefox even after it has been imported; add a SAN with DNS:*.exampletest.com (and DNS:exampletest.com) when generating the certificate.
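The whole section 3.2 procedure, as an added example that is not part of the original article or of Ceph: a POSIX shell script that generates the server.pem bundle with a 2048-bit key and a SAN covering *.exampletest.com and exampletest.com, and then runs the checks a practitioner does before pointing rgw_frontends at the file (SAN present, private key matches the certificate, bundle complete and readable only by its owner). The domain comes from the article; the output directory, the 2048-bit key size, the function names and the checks are choices made here. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original article or from Ceph): build the
# server.pem bundle civetweb needs, following the section 3.2 steps but with a
# 2048-bit key and a subjectAltName, then verify the result.
# Assumptions: domain exampletest.com (from the article), output directory
# chosen here, openssl CLI available.
set -eu

DOMAIN="${DOMAIN:-exampletest.com}"
OUTDIR="${OUTDIR:-${TMPDIR:-/tmp}/rgw-ssl}"

# make_self_signed: unencrypted key (civetweb reads it without a passphrase at
# start-up), CSR, 10-year self-signed cert with wildcard + bare-domain SAN, and
# the cert+key bundle. The subshell's umask keeps key material owner-only.
make_self_signed() (
    umask 077
    mkdir -p "$OUTDIR"
    openssl genrsa -out "$OUTDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$OUTDIR/server.key" -out "$OUTDIR/server.csr" \
        -subj "/CN=*.${DOMAIN}"
    # x509 -req does not carry extensions over from the CSR, so supply the SAN
    # through -extfile; this works on OpenSSL 1.0.x as well as 3.x.
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$DOMAIN" "$DOMAIN" > "$OUTDIR/san.ext"
    openssl x509 -req -days 3650 -in "$OUTDIR/server.csr" \
        -signkey "$OUTDIR/server.key" -out "$OUTDIR/server.crt" \
        -extfile "$OUTDIR/san.ext" 2>/dev/null
    cat "$OUTDIR/server.crt" "$OUTDIR/server.key" > "$OUTDIR/server.pem"
)

# cert_has_san: the name used in the bucket URL must appear in the SAN, or
# browsers reject the certificate even after it has been imported.
cert_has_san() {
    openssl x509 -in "$OUTDIR/server.crt" -noout -text |
        grep -q "DNS:\*\.${DOMAIN}, DNS:${DOMAIN}"
}

# key_matches_cert: the public key in the certificate and the private key must
# belong together (same RSA modulus), or civetweb fails to load the bundle.
key_matches_cert() {
    c=$(openssl x509 -in "$OUTDIR/server.crt" -noout -modulus)
    k=$(openssl rsa -in "$OUTDIR/server.key" -noout -modulus)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# bundle_is_complete: server.pem must hold the certificate and the key, and
# because the key is unencrypted the file must be mode 600.
bundle_is_complete() {
    grep -q 'BEGIN CERTIFICATE' "$OUTDIR/server.pem" &&
    grep -q 'PRIVATE KEY' "$OUTDIR/server.pem" &&
    mode=$(stat -c %a "$OUTDIR/server.pem" 2>/dev/null || stat -f %Lp "$OUTDIR/server.pem") &&
    [ "$mode" = "600" ]
}

make_self_signed
cert_has_san && key_matches_cert && bundle_is_complete &&
    echo "server.pem ready in $OUTDIR (copy it to /etc/ceph/private/ on the RGW host)"
```

Copy the resulting server.pem to the path named in rgw_frontends and keep it owned by the user radosgw runs as; the three check functions are the minimum to run again after any regeneration of the certificate.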

3.3 Create the following symbolic links

Civetweb loads libssl.so and libcrypto.so by name at run time, so without these symbolic links the SSL frontend fails to start; the error message is visible in the RGW log file. The version suffix 1.0.1e is the one installed on the author's system; use whatever version ls /lib64/libssl.so.* shows on yours.

    ln -s /lib64/libssl.so.1.0.1e /usr/lib64/libssl.so
    ln -s /lib64/libcrypto.so.1.0.1e /usr/lib64/libcrypto.so

3.4 Configure the port information

Here you need to configure the rgw_dns_name and rgw_frontends parameter information in the ceph.conf file.

    [client.rgw.rgw1]
    host = ceph2
    rgw_dns_name = exampletest.com
    rgw_frontends = "civetweb port=443s ssl_certificate=/etc/ceph/private/server.pem"

Note: the path of the server.pem bundle generated in section 3.2 must be given in the ssl_certificate option of rgw_frontends, and the s suffix on the port number tells civetweb to serve TLS on that port. Because server.pem contains the unencrypted private key, restrict it to the user that runs radosgw (for example chmod 600 and chown ceph:ceph).

3.5 Add a domain name

Add the following domain name mapping to /etc/hosts on the host where the rgw instance runs:

    192.168.141.142 bucket1.exampletest.com

4. Access verification

4.1 Web page access to the domain name through https

Add the following to the hosts file of the machine the browser runs on:

    192.168.141.142 bucket1.exampletest.com

The following visit to the site uses the IE browser as an example.

Access without importing the certificate

Enter https://bucket1.exampletest.com directly in the browser. The page loads and lists the contents of bucket1, but the address bar shows a certificate warning, because the browser does not trust the self-signed certificate (it has not been imported into the trust store).

Access with the certificate imported

First import server.crt into the browser's (or the operating system's) trusted root certificate store.

Then, when you enter https://bucket1.exampletest.com in the address bar, a lock icon appears, indicating a trusted connection, and the contents of bucket1 are listed correctly.

4.2 Access through the SDK

For testing purposes the certificate here is self-signed rather than issued by a CA, so the SDK has to be told how to handle it. The quickest approach is to disable certificate verification, but that also removes the protection against man-in-the-middle attacks, so it belongs in a test environment only; the better option is to point the SDK at the self-signed certificate file so that verification still runs. Taking Python and boto3 as an example, the two places that differ from plain http access are:

    import boto3

    # 1. https endpoint instead of http
    url = 'https://192.168.141.142'

    s3 = boto3.client(
        's3',
        # 2. verify=False disables certificate checking (test environments only).
        verify=False,
        # Preferred: keep verification and trust the self-signed certificate;
        # this requires an endpoint host name covered by the certificate, e.g.
        # url = 'https://bucket1.exampletest.com'
        # verify='/etc/ceph/private/server.crt',
        endpoint_url=url,
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
    )

After these two changes the client operates normally over https.

That is all the content of "Example Analysis of Ceph OpenSSL". Thank you for reading! I hope the content shared here has helped you; if you want to learn more, follow the industry information channel.
