Encrypting Connections

The TigerGraph platform supports secure data-in-flight communication via the SSL/TLS encryption protocol. This secure channel applies to all external communication paths, including the GSQL client, the RESTPP endpoints, and the GraphStudio web client.

Prerequisites

You should have a basic understanding of SSL, including:

  1. The roles of SSL certificates and private keys

  2. How SSL certificates are bound to a domain

  3. How SSL certificate chains work

For an introduction to SSL, see: https://httpd.apache.org/docs/2.4/ssl/ssl_intro.html

Based on Nginx

Because TigerGraph uses the Nginx web server, its SSL configuration relies on some of Nginx's built-in features:

http://nginx.org/en/docs/http/configuring_https_servers.html

Step 1: Obtain an SSL certificate

There are two ways to obtain an SSL certificate: generate a self-signed certificate, or purchase one from a trusted certificate authority (CA). Whichever you choose, the certificate must chain up to a root certificate that browsers trust. This document does not go into the details of producing a trusted SSL certificate; it focuses on how to enable SSL on the TigerGraph platform and use a certificate with it.

Option 1: Use a certificate obtained from a trusted certificate authority

First, obtain an SSL certificate from the trusted certificate authority of your choice; the CA usually provides detailed instructions for obtaining and installing it.

Then configure the certificate with the command gadmin --configure ssl.

Option 2: Create a self-signed certificate

There are several ways to create a self-signed certificate; the following is one example.

For simplicity, this example uses the root certificate directly as the HTTPS server certificate. That is fine for a demonstration, but it is not recommended in production.

In the example below, the Common Name value should be your server's host name, because an HTTPS certificate is bound to a domain name.

Generate a self-signed certificate with openssl:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/nginx-selfsigned.key -out ~/nginx-selfsigned.crt

Generating a 2048 bit RSA private key
.................................................................................................................................+++
........+++
writing new private key to '/home/tigergraph/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Redwood City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TigerGraph Inc.
Organizational Unit Name (eg, section) []:GLE   
Common Name (e.g. server FQDN or YOUR name) []: my.ip.addr.num
Email Address []:engineer@tigergraph.com

Change the certificate permissions

For security reasons, the certificate and key files must have permissions of 600 or more restrictive.

$ chmod 600 ~/nginx-selfsigned.*
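Before handing the files to gadmin --configure ssl, it is worth checking that they are consistent: private permissions, a key that actually belongs to the certificate, a Common Name equal to the server host name, and an unexpired certificate. The script below is an added example, not part of the TigerGraph documentation or the gadmin tool; it assumes the openssl command line tool and either GNU or BSD stat are available.

```shell
#!/bin/sh
# Pre-flight checks for a certificate/key pair before "gadmin --configure ssl".
# Added example, not TigerGraph code. Assumes the openssl CLI and GNU or BSD stat.

# Octal permission bits of a file, e.g. 600 (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only if group and other have no permissions at all (600, 400, 700 ...).
mode_is_private() {
  m=$(file_mode "$1") || return 1
  case "$m" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Succeeds only if the private key's public half equals the certificate's.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the certificate's Common Name equals the expected host name.
cert_cn_is() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname 2>/dev/null \
       | sed -n 's/^ *commonName *= *//p')
  [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Runs all checks on CERT KEY HOST; prints each failure, returns non-zero if any failed.
ssl_preflight() {
  crt=$1; key=$2; host=$3; rc=0
  mode_is_private "$crt" || { echo "cert readable by group/other: $crt"; rc=1; }
  mode_is_private "$key" || { echo "key readable by group/other: $key"; rc=1; }
  key_matches_cert "$crt" "$key" || { echo "key does not match cert"; rc=1; }
  cert_cn_is "$crt" "$host" || { echo "cert CN is not $host"; rc=1; }
  # -checkend 0 fails if the certificate has already expired
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "cert is expired"; rc=1; }
  return $rc
}

# Usage with the paths used in this document:
# ssl_preflight ~/nginx-selfsigned.crt ~/nginx-selfsigned.key "$(hostname -f)"
```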

Step 2: Configure SSL with the gadmin tool

Once the self-signed certificate has been generated, configure it with the gadmin tool so that SSL covers all HTTP traffic.

$ gadmin --configure ssl

Enter new values or accept defaults in brackets with Enter.

Enable SSL with all HTTP responses (SSL Cert required): default False
Nginx.SSL.Enable [False]: True 
True 

Path to SSL cert bundle (domain cert, intermediate cert and root cert)
Nginx.SSL.Cert []: /home/tigergraph/nginx-selfsigned.crt
/home/tigergraph/nginx-selfsigned.crt

Path to SSL key 
Nginx.SSL.Key []: /home/tigergraph/nginx-selfsigned.key
/home/tigergraph/nginx-selfsigned.key
...
Test servers with supplied settings? [Y/n] Y
...
Success. All settings are valid
Save settings? [y/N] y

After saving the settings, apply the configuration.

$ gadmin config-apply

[FAB ][2017-12-12 18:48:16] check_config
[FAB ][2017-12-12 18:48:16] update_config_all
Local config modification Found, will restart dict server and update configures.
[FAB ][2017-12-12 18:48:21] launch_zookeepers
[FAB ][2017-12-12 18:48:31] gsql_mon_alert_on
[FAB ][2017-12-12 18:48:31] launch_zookeepers
[FAB ][2017-12-12 18:48:42] launch_gsql_subsystems:DICT
[FAB ][2017-12-12 18:48:42] gsql_mon_alert_on
Local config modification sync to dictionary successfully!

Then restart all external-facing services: gsql, nginx, vis.

$ gadmin restart gsql nginx vis -y

Testing the SSL connection

You can now test the connection.

A curl request sent to the server without specifying a certificate fails because certificate verification fails:

$ curl https://localhost:14240

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

In version 1.2, the default Nginx TCP/IP port was changed from 44240 to 14240 to avoid conflicting with the port used by Zookeeper.

The -k option forces curl to skip certificate verification, but this is risky and we do not recommend it.

For the curl request to succeed, specify the certificate with the --cacert option:

$ curl --cacert /home/tigergraph/nginx-selfsigned.crt https://localhost:14240

<!doctype html><html lang="en"><head><meta charset="utf-8"><title>GraphStudio</title><base href="/"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" type="image/x-icon" href="favicon.ico"><link href="styles.d67299ba9f5d73aecbe2.bundle.css" rel="stylesheet"/></head><body class="mat-typography"><app-root></app-root><script type="text/javascript" src="inline.4aae6a8088c30a61d5b0.bundle.js"></script><script type="text/javascript" src="polyfills.c9b879328f3396b2bbe8.bundle.js"></script><script type="text/javascript" src="vendor.5392e4ea4f904cd1658c.bundle.js"></script><script type="text/javascript" src="main.a39087227fcdf478cd2a.bundle.js"></script></body></html>
