Transport Layer Security (TLS) is a very common way to secure data transported across the Internet. In some use cases, end users report the following background:
Target (under monitoring) applications are in a region, also named a VPC; at the same time, the SkyWalking backend is in another region (VPC).
Because of that, the security requirement is very obvious.
The first step is to generate certificates and key files for encrypting communication. This is fairly straightforward: use openssl from the command line.
Use this script if you are not familiar with how to generate key files.
We need the following files:
- client.pem: A private RSA key to sign and authenticate the public key. It's either PKCS#8 (PEM) or PKCS#1 (DER).
- client.crt: Self-signed X.509 public keys for distribution.
- ca.crt: A certificate authority public key for a client to validate the server's certificate.

Authentication modes:
- Server-side authentication: only ca.crt is needed; use it at the client side.
- Mutual authentication (mTLS): client.crt and client.pem are also required at the client side.

Server side: server.crt, server.pem and ca.crt. Use them at the server side. Please refer to gRPC Security of the OAP server doc for more details.

Agent config:
- The agent enables TLS automatically once the ca.crt file (by default in the /ca folder of the agent package) is detected.
- TLS can also be forced on with this setting:
agent.force_tls=${SW_AGENT_FORCE_TLS:true}
- The OAP side is configured in the receiver-sharing-server section in application.yaml. Please refer to gRPC Security and gRPC/HTTP server for receiver.
- Place the certificate files in agent/ca.
- Configure the agent in agent.conf, with SW_AGENT_COLLECTOR_BACKEND_SERVICES targeting the host and port of receiver-sharing-server. For example:
agent.force_tls=${SW_AGENT_FORCE_TLS:true}
agent.ssl_trusted_ca_path=${SW_AGENT_SSL_TRUSTED_CA_PATH:/ca/ca.crt}
agent.ssl_key_path=${SW_AGENT_SSL_KEY_PATH:/ca/client.pem}
agent.ssl_cert_chain_path=${SW_AGENT_SSL_CERT_CHAIN_PATH:/ca/client.crt}
collector.backend_service=${SW_AGENT_COLLECTOR_BACKEND_SERVICES:skywalking-oap:11801}
Note that the client-side certificate and private key are issued by the same CA certificate as the server side's.
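The following script is an added example, not SkyWalking's own tls_key_generate.sh. It covers both the certificate-generation step above and the final note: it builds one private CA, issues a server certificate and a client certificate from that same CA, writes them under the file names the agent and OAP expect (ca.crt, server.crt/server.pem, client.crt/client.pem, with the .pem files in PKCS#8 PEM form), and then checks that each certificate chains to ca.crt, that each .pem key belongs to its certificate, and that both leaf certificates share the same issuer. The subjects (example-ca, skywalking-oap, skywalking-agent) and the output directory are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not SkyWalking's tls_key_generate.sh. Builds a private CA and a
# server and client certificate signed by it, producing the file names the agent
# and OAP expect, then checks the result. Subjects and the output directory are
# assumptions chosen for illustration.

# gen_tls_files OUTDIR [SERVER_HOST] [CLIENT_NAME]
gen_tls_files() {
  out=${1:-./tls-out}
  server_cn=${2:-skywalking-oap}    # assumed OAP hostname; keep it equal to collector.backend_service
  client_cn=${3:-skywalking-agent}  # assumed agent identity for mTLS
  mkdir -p "$out"

  # 1. Private CA: key plus self-signed CA certificate (ca.crt).
  openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
  openssl req -new -key "$out/ca.key" -subj "/CN=example-ca" -out "$out/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$out/ca.ext"
  openssl x509 -req -in "$out/ca.csr" -signkey "$out/ca.key" -days 365 -sha256 \
    -extfile "$out/ca.ext" -out "$out/ca.crt" 2>/dev/null

  # 2. Server certificate (server.crt) signed by the CA, with a SAN so the
  #    client's hostname check passes; server.pem is the key in PKCS#8 PEM form.
  server_ext=$(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth' "$server_cn")
  issue_cert "$out" server "$server_cn" "$server_ext"

  # 3. Client certificate (client.crt/client.pem) for mTLS, signed by the same CA.
  issue_cert "$out" client "$client_cn" "extendedKeyUsage=clientAuth"
}

# issue_cert OUTDIR NAME CN EXTENSIONS: key, CSR, CA-signed NAME.crt, PKCS#8 NAME.pem
issue_cert() {
  out=$1; name=$2; cn=$3; ext=$4
  openssl genrsa -out "$out/$name.key" 2048 2>/dev/null
  openssl req -new -key "$out/$name.key" -subj "/CN=$cn" -out "$out/$name.csr"
  printf '%s\n' "$ext" > "$out/$name.ext"
  openssl x509 -req -in "$out/$name.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$out/$name.ext" -out "$out/$name.crt" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in "$out/$name.key" -out "$out/$name.pem"
}

# verify_pair DIR NAME: NAME.crt must chain to ca.crt and NAME.pem must be its key.
verify_pair() {
  dir=$1; name=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$name.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# same_issuer DIR: client.crt and server.crt were issued by the same CA subject.
same_issuer() {
  dir=$1
  [ "$(openssl x509 -in "$dir/client.crt" -noout -issuer)" = \
    "$(openssl x509 -in "$dir/server.crt" -noout -issuer)" ]
}

# When run directly with --run: generate into ./tls-out and report the checks.
if [ "${1:-}" = "--run" ]; then
  gen_tls_files ./tls-out
  verify_pair ./tls-out server && verify_pair ./tls-out client && same_issuer ./tls-out \
    && echo "ok: copy client.crt, client.pem, ca.crt to the agent's /ca; server.crt, server.pem, ca.crt to OAP"
fi
```

After `sh gen.sh --run`, copy client.crt, client.pem and ca.crt into the agent's /ca folder (matching the agent.ssl_* paths in the example above) and server.crt, server.pem and ca.crt to the OAP side. The verify_pair check is the one worth repeating whenever files are rotated: a certificate that does not chain to the deployed ca.crt, or a .pem that belongs to a different key pair, fails the handshake with errors that are much less obvious than this check's exit status.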