conf-server is a common project for a centralized configuration server based on Spring Cloud Config Server.
It is configured to use SSL and HTTP/2, with the management port set to the same port 8443
and the management context path set to /admin; see application.properties
for details.
You can use either a remote Git repository or a local Git repository as the Git backend;
see application.yml
for details, and refer to [spring-cloud-config](https://cloud.spring.io/spring-cloud-config/reference/html/#_git_backend).
```bash
#!/usr/bin/env bash
# Generate a JKS keystore
# Use RSA; valid for 1 year, alias cnfsrv, key password keypassAsin, store password srv666, written to server.jks.
keytool -validity 365 -genkey -v -alias cnfsrv -keyalg RSA -keystore server.jks -keypass keypassAsin -storepass srv666 -dname "CN=Web Server,OU=China,O=confserver.bittx.net,L=Beijing,S=Beijing,C=China"
# Generate a PKCS12 keystore
keytool -genkeypair -alias cnfsrv -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore cnfsrv.p12 -validity 3650 -keypass srv666 -storepass srv666 -dname "CN=confserver.bittx.net,OU=China,O=confserver.bittx.net,L=Beijing,S=Beijing,C=China"
# Export the certificate for later use (optional)
keytool -export -v -alias cnfsrv -keystore cnfsrv.p12 -storepass srv666 -rfc -file cnfsrv.cer
```
Note:
When generating a client certificate, keytool has no mandatory requirements for the parameter O=client.bittx.net.

```bash
keytool -validity 365 -genkeypair -v -alias cnfcli -keyalg RSA -storetype PKCS12 -keystore client.p12 -keypass cli666 -storepass cli666 -dname "CN=client,OU=China,O=client.bittx.net,L=Beijing,S=Beijing,C=China"
```
This part of the security configuration can be placed in the application.properties file or configured separately.
To show that the config server can also have its own bootstrap.yml configuration file,
the encryption settings are configured in that file, and the configured key store path is classpath*:encrypt.jks;
see bootstrap.yml
for details.
```yaml
encrypt:
  fail-on-error: false
  key-store:
    alias: asin
    location: classpath*:encrypt.jks
    # Required: the -storepass given to keytool
    password: ${KEYSTORE_PASSWORD:spAsinRay666}
    # Optional: the -keypass given to keytool; this parameter is ignored when generating the jks
    secret: kpAsinRay666
```
As you can see, an encrypt.jks keystore is used
to store the encryption key material.
```bash
#!/usr/bin/env bash
ju
```
Attention: if you use a jks file generated by the JDK 11 keytool, the following warning is produced:

```text
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
```

In that case set -keypass and -storepass to the same value, and configure the same value in bootstrap.yml.
If you want different -keypass and -storepass values, generate the jks with the JDK 8 version of keytool and then use it in the JDK 11 environment; the .p12 format can also be used.
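As an added example, not part of the conf-server project, the script below creates the encrypt.jks that bootstrap.yml points at (alias asin, store password from KEYSTORE_PASSWORD, key password kpAsinRay666) and refuses password pairs that keytool would silently override, which is the cause of the warning above. The store type, the KEY_PASSWORD variable, the CN and the validity are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the conf-server project: create the encrypt.jks
# referenced by bootstrap.yml and check the store/key password pair first.
set -eu

# PKCS12 stores (the default store type of JDK 9+ keytool, even when the file
# is named *.jks) ignore a -keypass that differs from -storepass, so only equal
# passwords are accepted there; a real JKS store may use two passwords.
# Returns 0 when the pair is usable, 1 when it is not, 2 for an unknown type.
check_key_passwords() {
  local storetype="$1" storepass="$2" keypass="$3"
  case "$storetype" in
    PKCS12|pkcs12) [ "$storepass" = "$keypass" ] ;;
    JKS|jks)       [ -n "$storepass" ] && [ -n "$keypass" ] ;;
    *)             return 2 ;;
  esac
}

# Generate the key pair used by the encrypt.key-store section of bootstrap.yml.
# Arguments: store type (default JKS) and output file (default encrypt.jks).
# KEY_PASSWORD is an assumed variable for this example; bootstrap.yml hard-codes
# the secret, so keep the two in sync.
generate_encrypt_store() {
  local storetype="${1:-JKS}" keystore="${2:-encrypt.jks}"
  local storepass="${KEYSTORE_PASSWORD:-spAsinRay666}"
  local keypass="${KEY_PASSWORD:-kpAsinRay666}"
  if ! check_key_passwords "$storetype" "$storepass" "$keypass"; then
    echo "refusing: a $storetype keystore cannot use a -keypass different from -storepass" >&2
    return 1
  fi
  command -v keytool >/dev/null || { echo "keytool not found" >&2; return 127; }
  keytool -genkeypair -v -alias asin -keyalg RSA -keysize 2048 -validity 365 \
    -storetype "$storetype" -keystore "$keystore" \
    -storepass "$storepass" -keypass "$keypass" \
    -dname "CN=Config Server,OU=China,O=confserver.bittx.net,L=Beijing,S=Beijing,C=China"
  # Confirm the alias the config server looks up at startup really exists.
  keytool -list -alias asin -keystore "$keystore" -storepass "$storepass" >/dev/null
}

# Usage: ./gen-encrypt-store.sh JKS encrypt.jks   (or: PKCS12 encrypt.p12 with equal passwords)
if [ "$#" -gt 0 ]; then
  generate_encrypt_store "$@"
fi
```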