本节介绍TLS相关配置
开发、测试的证书可以自行安装OpenSSL进行生成.建议在Linux环境下安装Open SSL并进行证书生成。
openssl req -newkey rsa:2048 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.pem
openssl req -newkey rsa:2048 -keyout server_rsa.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out server.pem
openssl req -newkey rsa:2048 -keyout client_rsa.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out client.pem
openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in server_rsa.key -out server.key
openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in client_rsa.key -out client.key
创建tls.properties文件,并将生成证书的路径和密码进行正确的配置.
# The flag to determine whether use test mode when initialize TLS context. default is true tls.test.mode.enable=false # Indicates how SSL engine respect to client authentication, default is none tls.server.need.client.auth=require # The store path of server-side private key tls.server.keyPath=/opt/certFiles/server.key # The password of the server-side private key tls.server.keyPassword=123456 # The store path of server-side X.509 certificate chain in PEM format tls.server.certPath=/opt/certFiles/server.pem # To determine whether verify the client endpoint's certificate strictly. default is false tls.server.authClient=false # The store path of trusted certificates for verifying the client endpoint's certificate tls.server.trustCertPath=/opt/certFiles/ca.pem # The ciphers in TLS # tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 # The protocols in TLS # tls.protocols=TLSv1.2,TLSv1.3
如果需要客户端连接时也进行认证,则还需要在该文件中增加以下内容
# The store path of client-side private key tls.client.keyPath=/opt/certFiles/client.key # The password of the client-side private key tls.client.keyPassword=123456 # The store path of client-side X.509 certificate chain in PEM format tls.client.certPath=/opt/certFiles/client.pem # To determine whether verify the server endpoint's certificate strictly tls.client.authServer=false # The store path of trusted certificates for verifying the server endpoint's certificate tls.client.trustCertPath=/opt/certFiles/ca.pem # The ciphers in TLS # tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 # The protocols in TLS # tls.protocols=TLSv1.2,TLSv1.3
编辑rocketmq/bin路径下的配置文件,使tls.properties配置生效.-Dtls.config.file的值需要替换为步骤2中创建的tls.peoperties文件的路径
JAVA_OPT="${JAVA_OPT} -Dtls.server.mode=enforcing -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties"
JAVA_OPT="${JAVA_OPT} -Dorg.apache.rocketmq.remoting.ssl.mode=enforcing -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties -Dtls.enable=true"
创建客户端使用的tlsclient.properties,并加入以下内容:
# The store path of client-side private key tls.client.keyPath=/opt/certFiles/client.key # The password of the client-side private key tls.client.keyPassword=123456 # The store path of client-side X.509 certificate chain in PEM format tls.client.certPath=/opt/certFiles/client.pem # The store path of trusted certificates for verifying the server endpoint's certificate tls.client.trustCertPath=/opt/certFiles/ca.pem # The ciphers in TLS # tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 # The protocols in TLS # tls.protocols=TLSv1.2,TLSv1.3
JVM中需要加以下参数.tls.config.file的值需要使用之前创建的文件:
-Dtls.client.authServer=true -Dtls.enable=true -Dtls.test.mode.enable=false -Dtls.config.file=/opt/certs/tlsclient.properties
在客户端连接的代码中,需要将setUseTLS设置为true:
public class ExampleProducer { public static void main(String[] args) throws Exception { DefaultMQProducer producer = new DefaultMQProducer("please_rename_unique_group_name"); //setUseTLS should be true producer.setUseTLS(true); producer.start(); // Send messages as usual. producer.shutdown(); } }