
Using https only with spring cloud microservice instances

In order to use https between all spring cloud microservice instances we can generate a java keystore and configure each instance with it like this:

server.ssl.key-store=server.jks
server.ssl.key-store-password=<pw>
server.ssl.keyStoreType=jks
server.ssl.keyAlias=tomcat
server.ssl.key-password=<pw>

IIUC, as far as setting up the SSL transport layer, that's all we need to do? Is it OK / secure to use the same keystore in all instances of the same microservice type? For example the edge server could be using Ribbon to load balance between microserviceA - instance1, microserviceA - instance2, and microserviceA - instance3, and these would all have the same keystore baked in.

If we also have a microserviceB, could it also use the same keystore without compromising security?

From a management / devOps point of view is this the simplest way to go?

SSL certs should be the same for each running instance of the same microservice and unique for each microservice (your microserviceA vs. microserviceB). If you ever move your services behind a hardware load balancer then it'll become obvious why.

When/if you come to do X.509 client certificate authentication for service-service calls you will need to authenticate and authorize services based on the certificate they present. If they're all presenting the same certificate then you cannot do that.

From a devOps point of view you can save yourself a headache later on by storing the certs centrally - we use the Spring Cloud Config Server with a website backend - and set up a job to check the expiry dates of the certs daily so you don't get an unpleasant surprise a year or so after you deploy.

We use separate keystore/truststore per service because that fits our deployment model but you might be able to use a single keystore with multiple service aliases because the private keys inside can have unique passwords. Beware though, not all java http frameworks are capable of selecting keys by alias or supporting different keystore/key passwords...
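The answer recommends a daily job that checks certificate expiry and notes that a single keystore may hold several service aliases. The following is an added example of such a check (it is not the answerer's own tooling); it walks every alias in a JKS keystore, so it works for both the one-keystore-per-service and the multi-alias layouts. The keystore path, store password and warning threshold in days are assumed to arrive as command-line arguments; only the store password is needed, since reading the public certificates does not require the per-key passwords.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Keystore expiry check (added example, not code from the original post).
 * Assumed usage: java KeystoreExpiryCheck server.jks <storepass> [warnDays]
 * Exits non-zero when any certificate is within warnDays of expiry, so a
 * cron or CI job fails loudly instead of silently passing.
 */
public class KeystoreExpiryCheck {

    /** One report line per certificate entry found in the keystore. */
    public static final class Finding {
        public final String alias;
        public final String subject;
        public final long daysLeft;
        public final boolean warn;

        Finding(String alias, String subject, long daysLeft, boolean warn) {
            this.alias = alias;
            this.subject = subject;
            this.daysLeft = daysLeft;
            this.warn = warn;
        }

        @Override
        public String toString() {
            return (warn ? "WARN " : "ok   ") + alias + " (" + subject + ") expires in " + daysLeft + " days";
        }
    }

    /**
     * Inspect every alias. Both private-key entries (the service identity) and
     * trusted-certificate entries (a truststore) carry an X.509 certificate
     * with a notAfter date, so both are reported.
     */
    public static List<Finding> check(KeyStore ks, Instant now, long warnDays) throws Exception {
        List<Finding> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // For a key entry this returns the leaf certificate of the chain;
            // for a trusted-cert entry it returns the certificate itself.
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            long daysLeft = Duration.between(now, x509.getNotAfter().toInstant()).toDays();
            String subject = x509.getSubjectX500Principal().getName();
            findings.add(new Finding(alias, subject, daysLeft, daysLeft <= warnDays));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] storePassword = args[1].toCharArray();
        long warnDays = args.length > 2 ? Long.parseLong(args[2]) : 30;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            // Only the store password is required to read certificates;
            // per-key passwords are needed only to extract private keys.
            ks.load(in, storePassword);
        }

        boolean anyWarn = false;
        for (Finding f : check(ks, Instant.now(), warnDays)) {
            System.out.println(f);
            anyWarn |= f.warn;
        }
        System.exit(anyWarn ? 1 : 0);
    }
}
```

Run it once per service keystore (or once against the shared multi-alias keystore) from a scheduled job; because an already-expired certificate yields a negative day count, it is flagged as well. If the keystores are served by the Spring Cloud Config Server as the answer describes, the job can fetch them from there rather than from each instance.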
