SpringCloud Series 10: SpringCloudConfig Advanced Configuration (Key Encryption Processing (JCE), KeyStore Encryption Processing, SpringCloudConfig High-Availability Mechanism)

Source: Internet
Author: User
Tags decrypt

1. Concept: Springcloudconfig Advanced Configuration

2. Specific content

In SpringCloudConfig, all configuration files are exposed in the remote repository, which is a security concern. To address it, there is a secure-access mechanism that encrypts selected data and decrypts it when it is read.

2.1. Key encryption processing

Key processing means setting a shared access password (the key) and then calling the service with the curl command to encrypt the data.

1. "microcloud-config-7101": modify the application.yml configuration file and set the key:

    encrypt:
      key: studyjava.cn    # Set the encryption access key

Then start the "microcloud-config-7101" microservice.

2. Replace the JCE files to be used (download: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)

· Unzip the downloaded file and save its contents to the security directory of the JDK you are using: "D:\Java\jdk1.8.0_144\jre\lib\security";

3. "Local system": use the curl command to call the microservice and encrypt the specified data:

· Note: make sure that the JDK running your microservice is the one that has been updated with JCE.

curl -X POST http://studyava:[email protected]:7101/encrypt -d mysqladmin

The password after encryption: A2722E75244753F656AA9776E5AF8A4E94452046FE68087B798A1500FEE9BDCA

Note that the encrypted content is relatively long. To decrypt it, you can use:

curl -X POST http://studyava:[email protected]:7101/decrypt -d A2722E75244753F656AA9776E5AF8A4E94452046FE68087B798A1500FEE9BDCA

4. "GitHub": modify the "D:\springcloudconfig\microconfig\microcloud-config-dept-client\microcloud-config-dept-client.yml" file and save the encrypted content there. For the value to be decrypted correctly, it must keep the following format (quoted, with the {cipher} prefix directly in front of the ciphertext):

    spring:
      profiles: dev
      datasource:
        type: com.alibaba.druid.pool.DruidDataSource    # Type of data source currently in use
        driver-class-name: org.gjt.mm.mysql.Driver      # MySQL driver class
        url: jdbc:mysql://localhost:3306/study8001      # Database connection address
        username: root                                  # Database user name
        password: '{cipher}A2722E75244753F656AA9776E5AF8A4E94452046FE68087B798A1500FEE9BDCA'

5. "GitHub": commit the modified microcloud-config-dept-client.yml to GitHub.

Now only encrypted content is saved on GitHub, but because the SpringCloudConfig configuration center has the key configured, users still access the configuration in the usual way.

Access path: http://studyava:[email protected]:7101/microcloud-config-dept-client-dev.yml;

The point to notice is that the returned data has been decrypted; data that was not encrypted is not decrypted.

2.2. KeyStore encryption processing

There is also a more convenient way to encrypt: using a JKS file directly. This kind of encryption is more secure, because a single JKS file is all that is needed for encryption and decryption.

1. "Local system": generate the key information for encryption (the main goal is to obtain the "*.jks" file):

    keytool -genkeypair -alias mytestkey -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass changeit -keystore server.jks -storepass studyjava

2. "microcloud-config-7101": a "server.jks" file has now been generated; copy it to the "src/main/resources" directory of the project.

3. "microcloud-config-7101": modify the application.yml configuration file and append the KeyStore-related configuration items:

    encrypt:
      keyStore:
        location: classpath:/server.jks   # server.jks file path
        password: studyjava               # Store password
        alias: mytestkey
        secret: changeit                  # keypass password

4. "microcloud-config-7101": the configuration above sets the path of server.jks, but Maven may not find the file at this path, so modify the project's pom.xml file and append the resource output configuration:

    <build>
        <finalName>microcloud-config</finalName>
        <resources>
            <resource>     <!-- prevent the JKS file from being lost by Maven -->
                <directory>src/main/resources</directory>
                <filtering>false</filtering>
            </resource>
        </resources>
    </build>

5. "Browser testing": encrypt and decrypt data:

Data encryption: curl -X POST http://studyjava:[email protected]:7101/encrypt -d mysqladmin

Encryption result: aqabpn8zrzbbynx2cvboy2qcqli/mgcetja5l ... Thousands of characters omitted here

Data decryption: curl -X POST http://studyjava:[email protected]:7101/decrypt -d aqabpn8zrzbby ... Thousands of characters omitted here

6. "GitHub": modify the microcloud-config-dept-client.yml configuration file to hold the encrypted content:

    spring:
      profiles: dev
      datasource:
        type: com.alibaba.druid.pool.DruidDataSource    # Type of data source currently in use
        driver-class-name: org.gjt.mm.mysql.Driver      # MySQL driver class
        url: jdbc:mysql://localhost:3306/study8001      # Database connection address
        username: root                                  # Database user name
        password: '{cipher}aqabpn8zrzbbynx2cvboy2qcqli/Mgcetja5l6cksgdctglboaybsvmvlanshwukev985cmtmetdlqpvikz7yxeo3pgiw9slgqxf2mb2yefztkouzqk1epubnylndw8jrkei41yiwzq6pj28yjfe4lwv8mcirb7xhdwr4xywy/bwgana8c+4gho9plhtdu4mvu0ccr3eqpv6hc9sk8elr7saq48hgjoszjzt0v4g1hwrwmf58xshgod1qbl2ixshkcbgjupzbtcqbkdeavamhxia3sllqtcx7cufov1ene09W1l0vdj3whjcmnygr1pmmnpugrl3vbmdksysu5kd3kkn/ncwval+jwt01j/fdhp7q6jpi2o5pwmccyv+mplcnp8='

The configuration file is then committed to GitHub, and the original data is available when it is accessed through SpringCloudConfig.
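Step 4 of section 2.1 and step 6 of section 2.2 both depend on the value being stored in exactly the quoted '{cipher}...' form. The following check is an added example, not part of the original article: a line-based scan (not a full YAML parser) to run over the configuration files before committing them. The function name check_config, the list of secret-like property names and the sample ciphertexts are assumptions made for illustration.

```python
import re

# Assumption for this example: property names ending in these words hold secrets.
SECRET_NAME = re.compile(r"(password|secret|token)$", re.IGNORECASE)
# Text after {cipher}: hex (encrypt.key) or Base64 (keystore), no whitespace.
CIPHER_BODY = re.compile(r"[0-9A-Fa-f]+|[A-Za-z0-9+/]+={0,2}")
# "name: value": a quoted string or the first unquoted token; "# comment" ignored.
PROPERTY = re.compile(r"""^\s*([\w.-]+)\s*:\s+('[^']*'|"[^"]*"|[^\s#'"]\S*)""")
PREFIX = "{cipher}"


def check_config(text):
    """Return (line, property, problem) for each secret that would be committed
    in plaintext or in a form the config server cannot decrypt."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PROPERTY.match(raw)
        if not m:
            continue  # mapping key, comment, document separator, blank line
        name, value = m.groups()
        quoted = value[0] in "'\""
        inner = value[1:-1] if quoted else value
        if PREFIX in inner:
            if not quoted:
                findings.append((lineno, name, "unquoted {cipher} value"))
            elif not inner.startswith(PREFIX):
                findings.append((lineno, name, "value does not start with {cipher}"))
            elif not CIPHER_BODY.fullmatch(inner[len(PREFIX):]):
                findings.append((lineno, name, "malformed ciphertext"))
        elif inner and SECRET_NAME.search(name):
            findings.append((lineno, name, "plaintext secret"))
    return findings


# Constructed sample (not the article's file); the ciphertexts are made-up hex.
SAMPLE = """\
spring:
  datasource:
    username: root                         # not a secret name
    password: '{cipher}A1B2C3D4E5F60718'   # accepted
    backup-password: ' {cipher} A1B2C3D4E5F60718 '
    api-token: {cipher}A1B2C3D4E5F60718
    client-secret: '{cipher}A1B2 C3D4'
    admin-password: mysqladmin             # plaintext
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE):
        print(finding)
```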

2.3. SpringCloudConfig high-availability mechanism

The SpringCloudConfig configuration is now fully implemented, but one small problem remains: all services now load their configuration files through SpringCloudConfig, so if SpringCloudConfig fails, all the services go down with it.

1. "microcloud-config-eureka-7301": create a new module by copying the existing Eureka service configuration module. For simplicity, this Eureka is designed with only one node. For easier access later, modify the hosts configuration file and append the new host name:

127.0.0.1 eureka-config.com

2. "microcloud-config-eureka-7301": modify the application.yml configuration file in the project:

    spring:
      profiles:
        active:
        - dev-7301
    ---
    spring:
      profiles: dev-7301
      application:
        name: microcloud-eureka-7301
    server:
      port: 7301
    security:
      basic:
        enabled: true   # Enable secure authentication processing
      user:
        name: edmin     # User name
        password: studyjava  # Password
    eureka:
      client: # Configuration for Eureka registration
        service-url:
          defaultZone: http://edmin:[email protected]:7002/eureka
        register-with-eureka: false    # The current microservice is not registered with Eureka
        fetch-registry: false     # Do not fetch registration information from Eureka
      instance: # Eureka instance definition
        hostname: eureka-7301.com # Host name where the Eureka instance resides

Start the service after the configuration is complete. Access address: http://edmin:[email protected]:7301

3. "microcloud-config-*": modify the pom.xml configuration file and append the Eureka client dependency:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-eureka</artifactId>
    </dependency>

4. "microcloud-config-*": modify the application.yml configuration file, mainly to configure the Eureka client:

    eureka:
      client:
        service-url:
          defaultZone: http://edmin:[email protected]:7301/eureka
      instance:
        prefer-ip-address: true     # Display the IP address in the address bar
        instance-id: config-7101.com

In the other configuration files, only the "instance-id" needs to differ.

5. "microcloud-config-*": modify the program startup class and append the Eureka client annotation:

    package cn.study.microcloud;

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.cloud.config.server.EnableConfigServer;
    import org.springframework.cloud.netflix.eureka.EnableEurekaClient;

    @SpringBootApplication
    @EnableConfigServer
    @EnableEurekaClient
    public class Config_7101_StartSpringCloudApplication {
        public static void main(String[] args) {
            SpringApplication.run(Config_7101_StartSpringCloudApplication.class, args);
        }
    }

6. "localhost": modify the hosts configuration file and append the configuration host names:

    127.0.0.1 config-7101.com
    127.0.0.1 config-7102.com
    127.0.0.1 config-7103.com

7. "Local test": start all the SpringCloudConfig microservice processes, then run an access test.

8. "GitHub": modify the microcloud-config-client.yml configuration file; this configuration file now needs to take Eureka into account:

    spring:
      profiles:
        active:
        - dev
    ---
    server:
      port: 8201
    spring:
      profiles: dev
      application:
        name: microcloud-config-client
    eureka:
      client:
        service-url:
          defaultZone: http://edmin:[email protected]:7301/eureka
    ---
    server:
      port: 8102
    spring:
      profiles: beta
      application:
        name: microcloud-config-client
    eureka:
      client:
        service-url:
          defaultZone: http://edmin:[email protected]:7301/eureka

9. "microcloud-config-client-8201": modify the bootstrap.yml configuration file; the client now needs to obtain the Config service information through Eureka:

    spring:
      cloud:
        config:
          name: microcloud-config-client # Name of the resource file to read
          profile: beta # Name of the profile
          label: master # Branch where the configuration file is located
          # uri: http://config-7101.com:7101 # SpringCloudConfig service address
          username: studyjava # User name for the connection
          password: hello # Password for the connection
          discovery:
            enabled: true   # Load the configuration through the configuration center
            service-id: microcloud-config # Name of the service registered in Eureka
    eureka: # Be sure to write a Eureka address
      client: # The purpose is to let clients find the SpringCloudConfig microservice through Eureka
        service-url:
          defaultZone: http://edmin:[email protected]:7301/eureka

10. "microcloud-config-client-8201": append the Eureka client annotation to the startup class:

    package cn.study.microcloud;

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.cloud.netflix.eureka.EnableEurekaClient;

    @SpringBootApplication
    @EnableEurekaClient
    public class Client_8201_StartSpringCloudApplication {
        public static void main(String[] args) {
            SpringApplication.run(Client_8201_StartSpringCloudApplication.class, args);
        }
    }

SpringCloudConfig now has a high-availability mechanism based on Eureka.
