Building a Spring Cloud microservice architecture: the distributed configuration center (encryption and decryption)

Preface

To use something, you must first understand it. Rather than draw my own diagram, I borrow one from an expert on the Internet. The structure of Spring Cloud is shown in the figure below:

Application scenarios of a microservice architecture:

1. The system is split into multiple subsystems.

2. Each subsystem can be deployed as multiple application instances, with load balancing between them.

3. A service registry is required. All services register with the registry, and load balancing is achieved by applying certain policies to the services registered there.

4. All clients reach the backend services through the same gateway address. The gateway uses its routing configuration to decide which service handles a given URL request, and load balancing is also applied when forwarding requests to services.

5. Services sometimes need to call each other. For example, when other services process their business logic, they may need to obtain user data from the user service.

6. A circuit breaker is needed to handle timeouts and errors during service invocation promptly, so that a problem in one service does not paralyze the whole system.

7. A monitoring function is also needed, for example to measure the time spent on each service call.

Introduction

In a microservice architecture we usually adopt the DevOps organizational model to cut the heavy cost of cross-team communication and speed up the delivery of microservice applications. As a result, production information that was originally controlled by the operations team is now maintained by the members of the team that owns the microservice, and it includes a great deal of sensitive information, such as database accounts and passwords. Obviously, storing such sensitive information in clear text directly in the microservice's configuration file is very dangerous. To solve this problem, Spring Cloud Config provides property encryption and decryption to protect the information in the configuration file. Consider the following example:

In Spring Cloud Config, a property value is marked as encrypted by prefixing it with {cipher}. When a microservice client loads its configuration, the configuration center automatically decrypts the values carrying the {cipher} prefix. With this mechanism, the operations team can safely hand the encrypted production resources to the microservice team without worrying that the sensitive information will be disclosed. The following sections describe how to use this function in the configuration center.
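As an added example (not code from the original article), the following POSIX shell check scans a constructed sample configuration file and reports secret-looking properties whose values lack the {cipher} prefix, i.e. sensitive values that would reach the configuration repository in clear text; the key-name patterns and the sample file are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): report secret-looking keys whose
# values are stored in clear text instead of carrying Spring Cloud Config's
# {cipher} prefix. Suitable as a pre-commit or CI gate on config repositories.

# Constructed sample file: a mix of encrypted and clear-text values (the hex blobs
# are placeholders, not real ciphertext).
cat > sample-config.properties <<'EOF'
# constructed sample configuration
spring.datasource.url=jdbc:mysql://localhost:3306/app
spring.datasource.username=app_user
spring.datasource.password={cipher}0a1b2c3d4e5f60718293a4b5c6d7e8f9
api.token=plain-token-in-clear-text
mail.smtp.password = {cipher}ffeeddccbbaa99887766554433221100
oauth.client-secret: '{cipher}00112233445566778899aabbccddeeff'
jwt.signing-secret: change-me
EOF

# Prints "line:key" for every sensitive key without a {cipher} value and returns 1
# if any was found. Handles key=value (.properties) and one-level key: value
# (YAML) lines; YAML values must be quoted ('{cipher}...'), so quotes are stripped.
find_cleartext_secrets() {
    hits=$(awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments and blanks
        {
            sep = index($0, "=")
            if (sep == 0) sep = index($0, ":")               # YAML-style separator
            if (sep == 0) next
            key = substr($0, 1, sep - 1); val = substr($0, sep + 1)
            gsub(/[[:space:]]/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/^[\047"]|[\047"]$/, "", val)               # strip YAML quotes
            if (tolower(key) ~ /(password|passwd|secret|token|credential|api[-_]?key)/ &&
                val !~ /^[{]cipher[}]/)
                print NR ":" key
        }' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

if find_cleartext_secrets sample-config.properties; then
    echo "OK: every sensitive value in sample-config.properties is {cipher}-protected"
else
    echo "FAIL: the keys above must be encrypted via /encrypt and wrapped with {cipher}" >&2
fi
```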

Prerequisites

When using the encryption and decryption function of Spring Cloud Config, there is one necessary prerequisite: the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be installed in the runtime environment of the configuration center. Although JCE itself ships with the JRE, the length-limited version is used by default. The unlimited policy files can be downloaded from Oracle's official website as a compressed package; after decompressing it you can see the following three files:

We need to copy the two files local_policy.jar and US_export_policy.jar into the $JAVA_HOME/jre/lib/security directory, overwriting the original default contents. With this, the preparation for encryption and decryption is complete.

Related endpoints

After completing the JCE installation, you can try to start the configuration center. The console will output some endpoints specific to the configuration center, mainly including:

You can try accessing the /encrypt/status endpoint with a GET request, and you will get the following:

This response indicates that the encryption function of the current configuration center cannot be used because no key has been configured for the encryption service.

Configuring the key

We can use the encrypt.key property to specify the key (a symmetric key) directly in the configuration file, for example:

After adding the above configuration, restart the configuration center and access the /encrypt/status endpoint again. This time we get the following:

At this point the encryption and decryption function of the configuration center is ready to use. You can try the /encrypt and /decrypt endpoints to encrypt and decrypt data. Note that both endpoints take POST requests, and the data to encrypt or decrypt is sent in the request body. Taking the curl command as an example, we can call the encryption and decryption endpoints as follows:

Here we configured the encrypt.key parameter to specify the key, which selects symmetric encryption. This approach is simple to implement: only one parameter needs to be configured. Alternatively, the environment variable ENCRYPT_KEY can be used so that the key is stored outside the configuration file.

Asymmetric encryption

The Spring Cloud Config configuration center supports not only symmetric encryption but also asymmetric encryption (such as an RSA key pair). Although generating and configuring keys for asymmetric encryption is more complex, it offers higher security. The following describes in detail how to use asymmetric encryption.

First we need to generate a key pair with the keytool tool. keytool is the key and certificate management tool in the JDK. It lets users manage their own public/private key pairs and the associated certificates, for authenticating themselves to other users or services through digital signatures, or for data integrity and authentication services. The tool has been included in the JDK since version 1.4 and is located at %JAVA_HOME%\bin\keytool.exe.

The specific command for generating the key pair is as follows:

In addition, if we don't want to answer the prompts step by step, we can use -dname to specify the distinguished name directly, and -storepass and -keypass to specify the keystore password and key password directly. So we can create the same keystore as the command above with the following single command:

By default, the key created by the above command is valid for only 90 days. To adjust its validity period, add the -validity parameter. For example, the following command extends the validity of the key to one year:

All three of the command variants above generate a config-server.keystore file in the directory where the command is executed. Next we need to save it in the file system of the configuration center, for example in the current user's home directory, and then add the relevant configuration to the configuration center:

If config-server.keystore is placed in the src/main/resources directory of the configuration center, it can also be configured as encrypt.key-store.location=config-server.keystore. In addition, the asymmetric encryption settings can also be supplied through environment variables, whose names are as follows:

Configuring the keystore information through environment variables gives better security, so storing the sensitive password information in the environment variables of the configuration center is a good choice.
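As an added example covering both the keytool procedure above and the environment-variable configuration (this is not the article's own command listing), the following POSIX shell script generates the key pair non-interactively and emits the ENCRYPT_KEY_STORE_* variables that Spring Cloud Config reads in place of the encrypt.key-store.* properties; the alias, distinguished name and passwords are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not the article's own commands): create the RSA key pair for the
# Spring Cloud Config server with keytool in one non-interactive step, then hand
# the keystore details to the server through environment variables instead of
# writing the passwords into its configuration file.
# Assumed placeholder values: alias, -dname and both passwords are illustrative.

KEYSTORE_FILE=config-server.keystore
KEY_ALIAS=config-server
STORE_PASS='change-this-keystore-password'   # placeholder, not a real secret
KEY_PASS='change-this-key-password'          # placeholder, not a real secret

# -dname, -storepass and -keypass replace the interactive prompts; -validity 365
# extends the default 90-day lifetime to one year. JKS is named explicitly because
# PKCS12 keystores ignore a -keypass that differs from -storepass.
generate_keystore() {
    keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
        -storetype JKS -keystore "$KEYSTORE_FILE" -storepass "$STORE_PASS" \
        -keypass "$KEY_PASS" -validity 365 \
        -dname "CN=Config Server, OU=Platform, O=Example, L=City, ST=State, C=CN"
}

# Confirm the alias exists without printing any private key material.
verify_keystore() {
    keytool -list -keystore "$KEYSTORE_FILE" -storepass "$STORE_PASS" \
        -alias "$KEY_ALIAS" >/dev/null
}

# Environment variables Spring Cloud Config reads in place of the
# encrypt.key-store.{location,password,alias,secret} properties, so the passwords
# never enter the application.yml that is committed to version control.
config_server_env() {
    printf 'export ENCRYPT_KEY_STORE_LOCATION=file://%s/%s\n' "$(pwd)" "$KEYSTORE_FILE"
    printf 'export ENCRYPT_KEY_STORE_PASSWORD=%s\n' "$STORE_PASS"
    printf 'export ENCRYPT_KEY_STORE_ALIAS=%s\n' "$KEY_ALIAS"
    printf 'export ENCRYPT_KEY_STORE_SECRET=%s\n' "$KEY_PASS"
}

if command -v keytool >/dev/null 2>&1; then
    [ -f "$KEYSTORE_FILE" ] || generate_keystore
    verify_keystore && echo "key pair '$KEY_ALIAS' is ready in $KEYSTORE_FILE"
else
    echo "keytool not found; install a JDK to generate the keystore" >&2
fi
config_server_env > config-server.env   # load with '. ./config-server.env' before starting the server
```

The generated config-server.env should itself be kept out of version control and readable only by the account that runs the configuration center.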

Summary

The above is the whole content of this article. I hope it has some reference value for your study or work. If you have any questions, you can leave a message. Thank you for your support of Programming Tips.

The content of this article was collected from the Internet and is provided as a learning reference. The copyright belongs to the original author.