From 8fee77b95ae8308edc3678676f296b41aef36d2a Mon Sep 17 00:00:00 2001 
From: Andrey Aksenov <38073144+andreyaksenov@users.noreply.github.com> Date: Wed, 10 Jan 2024 14:43:30 +0300 Subject: [PATCH] 3.0 iproto uri params (#3973) --- .../instances.enabled/ssl/README.md | 11 ++ .../instances.enabled/ssl/certs/generate.sh | 29 ++++ .../ssl/certs/instance001/server001.crt | 21 +++ .../ssl/certs/instance001/server001.key | 30 ++++ .../ssl/certs/instance002/server002.crt | 21 +++ .../ssl/certs/instance002/server002.key | 30 ++++ .../ssl/certs/instance003/server003.crt | 21 +++ .../ssl/certs/instance003/server003.key | 30 ++++ .../instances.enabled/ssl/certs/root_ca.crt | 20 +++ .../ssl/certs/ssl_passwords.txt | 3 + .../instances.enabled/ssl/config.yaml | 59 +++++++ .../instances.enabled/ssl/instances.yml | 3 + .../instances.enabled/ssl/myapp.lua | 10 ++ doc/enterprise/security.rst | 11 +- .../configuration/configuration_reference.rst | 164 ++++++++++++++++-- 15 files changed, 442 insertions(+), 21 deletions(-) create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/README.md create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/generate.sh create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.crt create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.key create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.crt create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.key create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.crt create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.key create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/root_ca.crt create mode 100644 
doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/ssl_passwords.txt
create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/config.yaml
create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/instances.yml
create mode 100644 doc/code_snippets/snippets/replication/instances.enabled/ssl/myapp.lua
diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/README.md b/doc/code_snippets/snippets/replication/instances.enabled/ssl/README.md
new file mode 100644
index 0000000000..cc747d8516
--- /dev/null
+++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/README.md
@@ -0,0 +1,11 @@
+# TLS traffic encryption
+
+A sample application demonstrating how to enable TLS traffic encryption for connections between replica set peers.
+
+## Running
+
+To start all instances, execute the following command in the [replication](../../../replication) directory:
+
+```console
+$ tt start ssl
+```
diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/generate.sh b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/generate.sh
new file mode 100644
index 0000000000..4ceb4cc970
--- /dev/null
+++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/generate.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+# 1. Generate a root CA key.
+openssl genrsa -out root_ca.key 2048
+
+# 2. Generate a root CA certificate.
+openssl req -x509 -new -key root_ca.key -days 365 -out root_ca.crt -subj "/C=US/CN=Example-Root-CA"
+
+# 3. Generate server keys encrypted using different passphrases.
+openssl genrsa -aes256 -passout pass:'qwerty' -out server001.key 2048
+openssl genrsa -aes256 -passout pass:'123456' -out server002.key 2048
+openssl genrsa -aes256 -passout pass:'topsecret' -out server003.key 2048
+
+# 4. Create certificate signing requests based on server keys.
+openssl req -new -key server001.key -passin pass:'qwerty' -subj "/C=US/ST=State/L=City/O=Example-Certificates/CN=server001/" -out server001.csr
+openssl req -new -key server002.key -passin pass:'123456' -subj "/C=US/ST=State/L=City/O=Example-Certificates/CN=server002/" -out server002.csr
+openssl req -new -key server003.key -passin pass:'topsecret' -subj "/C=US/ST=State/L=City/O=Example-Certificates/CN=server003/" -out server003.csr
+
+# 5. Generate server certificates.
+openssl x509 -req -in server001.csr -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -days 365 -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out server001.crt
+openssl x509 -req -in server002.csr -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -days 365 -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out server002.crt
+openssl x509 -req -in server003.csr -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -days 365 -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out server003.crt
+
+cp server001.crt server001.key instance001
+cp server002.crt server002.key instance002
+cp server003.crt server003.key instance003
+
+rm -rf root_ca.key server*
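Review bot: The `-days 365` in steps 2 and 5 does not match the certificates committed next to this script: the validity fields of the committed root_ca.crt and server00N.crt appear to decode to a notBefore of 2024-01-09 and a notAfter of 2100-01-01, so this script cannot have produced them as written, and anyone re-running it gets certificates that expire after a year and a sample that stops working without an obvious cause. Either regenerate the committed certificates with the script or pull the lifetime into one place, e.g. `days=365` near the top and `-days "$days"` in the four openssl calls, set to whatever value the committed files were actually made with. Separately, `set -xeuo pipefail` traces every command to stderr, which prints the `-passout pass:'...'` and `-passin pass:'...'` values into any terminal or CI log; the passphrases are public sample values here, but a script that is meant to be copied should use `set -euo pipefail`. The final `rm -rf root_ca.key server*` also leaves behind the `root_ca.srl` file that `-CAcreateserial` writes.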
diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.crt b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.crt new file mode 100644 index 0000000000..b8b3176231 --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdDCCAlygAwIBAgIUZ3UUfbU+PVMvCBz6V60Cdhhlmi8wDQYJKoZIhvcNAQEL +BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAgFw0y +NDAxMDkxMDIwMjlaGA8yMTAwMDEwMTEwMjAyOVowXzELMAkGA1UEBhMCVVMxDjAM +BgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MR0wGwYDVQQKDBRFeGFtcGxlLUNl +cnRpZmljYXRlczESMBAGA1UEAwwJc2VydmVyMDAxMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAjV8WYiwj6pKhdvhd5JHKiRWsPH8DldGkuC22WYYqW4pG +4jwIgbHK4XDw7dtIKiTp5j1hxswPYfelwT4PswvvUt2ZTuWrC2wxH7gUeX3WOoRV +GuQWvz5jwyZecGKa0D9a/0e/MedcqyNY8e15qUfFZXOg74hCp1VtXGJLtJ3ttL2Z +JXCXK+tLKbn5hK5XnyksHbd0yhHbfv3WgbyIJHkPf9Ld1McmvlJOsP/pYM31L3Pv +KS/NYtjC7ZrxGNYwmry+9ECfsqvdrR3WOSPc7x6XDluqQhsBpR5L5yMBD7/Pmdmh +85QO89FpuE2fZbzbBgOAIv74m1+9vVo0bl9GQ5ItdQIDAQABo14wXDAaBgNVHREE +EzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFLRPcYdn/ZzyvTICSE4eHkpq +Yo2uMB8GA1UdIwQYMBaAFMcoPooETZGmQ44FaE298f3LsrBDMA0GCSqGSIb3DQEB +CwUAA4IBAQCu2eVNEPiCgH2oEpieb5O3+H13RGt7K0OG8xIdrScLm8g7UP964uqS +V8svDodF++o/zBtL2ebbeTL7+cqW8Oz3NZrBiUmRdXUrGncpT26wNut8pppV9C8c +O533Mu0yPLXguoykE67BMiZ0aXafvCxEWj0d5Ml1BlIucaZ7HJY+C4JMeX/T27OQ +u4jrvNLykyfWu7aIquhKcxuzdMo7rFRGOR01738M0/Sp4a952of1lFuv/macgttQ +6M5oWW/XgNwbbcTnN7oCv4aTK7QOoi3NZfAD723hq9AQLTZD/Nl+xkMBDMNiDc3R +9r39ptN92K3YkAHaULLyk+c14Wox4f7N +-----END CERTIFICATE----- diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.key b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.key new file mode 100644 index 0000000000..09585dc45a --- /dev/null 
+++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance001/server001.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIoIzCBu75OnUCAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAGERLT6LYhWrk4nTQ2rAfEBIIE +0Awkcsj9RAgl07YEFq0YrhjBmLw4xg++qKFBm5TKwwBBpzNLkefqzOoY9wRAQZF6 +vhgGg87rEUwWaKhyhVI2yq0osKtIz4wrC+VWdB5G4eMVRYes8f1DSXHBRksTs314 +QTF1TY+0mecGmEBQ0iOvE5Z4EcxZMUeZimMEb4nXnGVdkz+tskcru5Br9a7iArC0 +hp7ibf71J4KnQAS/rBiUBVBpDaE5tdNo0mU8Icy11vg/YkykTwZ5qeO3VLsHho5/ +nOsv7CB6UbGnVJCsQckFViJTDJvyyrmJ6urfqvPMLG5u/0sIWTDfYnPrTQOibt+N +XcvqrgZ09xLzLrgrqZ8E8nHX1xQ1w3m4TWKnXlM0enpzKp+BTMRTdly3V45asvpa +cUlbZjX+ktW0c/bsq91DU79uy5MZuOiX3BpPFeMgreES2YIjOYo1pYloHeAw3tGG +rfXYVuPo9IfrdkXmfq9LpqPcB5zsqkAAomPpLLfb2B/gisUZZ//Y+BAEaGOlwWoa +81JrM363jt8U11up+6ahShwSjHol9QhqC1yEPgBVnpNbCj4ypzJxq9upnNjowvuL +D4MhVdVf58ILkiybASTvW2IeilQf9N3scwQwiRq1duLqkrjDKD1AqxsJQobPVuV3 +YxYZ7JwwvWD86eMsvtnevT1mG9NFRfmxPD4xesvtv7OdYxQqrrkGYhOz9f3YQJiu +EJBjq3HFnMmh9FFZ0W1I8OjnLKoN2z4XMo29HtPUX1sJpWM4wWAf+ZxABnO2kJyp +xV6XvuhZU4V/seL+DGL6cT1b4Zg0gcc//RnlkeX3l9cE0Sqi3FKv4aKBG4/g41vR +fNee0eB1O71rzwaNh4KYBgInNy70XjNnARxSC/KOd/el77Xv7hPKL9Wxah+B11Uc +Csw6Ynj+Ea+HrifVBWeo7z5cqQ1ZXQD6DKWfdvujYNxwSLMpBpk5d9rX1gUvQHOU +GmJjKp80Wrr3eA9tuBBiMkp0ljBjbagDr8PGjRwO9LslzGAUdzDuqsqLVJz8vv2t +uDxjYARmtQHCeG8VowpP3QmrbmNM2m7s4M5+G8ZhzAZCHvPXyEEItGMP9qcjNUk2 +Sqpkz3ZYPAtDFp+cx6raggULd1AWv2xJU0kvJULE8tyWev7AyZKz/buiG2Fib5WX +oJAQwAymkP13eGvIXaWUybsO98TgtlcaNlNkvTdmAwZyuZlYYvH9yiV2vi4ldqdl +irAVTWqiqDo9TiGRBR0QxuJPJciuJG5D+pOdIw6tU4XHq1RiikCYE9RMqiBddqlr +5WB4j/ls0Mpqk6fvUkttEW6vovO1AQw80Ut5hifDu5hLM3CzqysTf0bbEgS7DcWg +hpQghcIWFJuNIrR4o7zN9hHHyKg6oZKF35edDoEmEr8COd12vIzLezanNkTwKB1A +7FKSpT1A/u3W0D2oPHrkd2mGEjYO8RDhScMsPQjTnHObzSQvX8wGIQDIE4rLD8me +9nxcodr+gNO/rdvEnQ1JWD52jW+S4mkJM4EswIO56sGy60sq4YoEzyWCexGxoWwF +lOrrX4vn2H6N++TPNBeWdnrT2L5BEKlbh0SHn74CPXXBNp6JqmdRUvTfHuC1C0jK +7KQPwMleAeh969wMyGqZO+DGULNC0D+Apck9ZQ3Hb28E +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.crt b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.crt new file mode 100644 index 0000000000..c29206916a --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdDCCAlygAwIBAgIUYnbNUm7f3GQuqcJUmOcYMY7vu2QwDQYJKoZIhvcNAQEL +BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAgFw0y +NDAxMDkxMDIwMjlaGA8yMTAwMDEwMTEwMjAyOVowXzELMAkGA1UEBhMCVVMxDjAM +BgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MR0wGwYDVQQKDBRFeGFtcGxlLUNl +cnRpZmljYXRlczESMBAGA1UEAwwJc2VydmVyMDAyMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAqjNtMpDuy9XXI6Ve7wFlHFvA0PZIIooobHqSNt7A4fPQ +NgOvjSXi04o2dOCQ3Tz0ku5AMkx14ZLv13NMJNPWIO+jbuqIY0sTA7qxj7T2ykEW +Dga9lWKTe4fFXNOITClImF2OKYlriCYXQ+UrUSRSYfaapc2byo94qQG6GqNC4RI9 +AsKSVlEXbOtwglTjA2gItBZ0URyCntddXek4JaUfdfDjY4RT1prNUniIaAT/8Xz5 +HPJR1jSJ8093mDdIBjDCwv7tY8N9dVtUOdV9k0q0JMgwaKv9rj93J1Esnew8uDiL +UhEojYkRCZQ267csSnXghtl2ZVulcttJLhyeqQ7PUwIDAQABo14wXDAaBgNVHREE +EzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFE+RD/crlhgQjup7dCT53kMG +cfYDMB8GA1UdIwQYMBaAFMcoPooETZGmQ44FaE298f3LsrBDMA0GCSqGSIb3DQEB +CwUAA4IBAQBXLD8RlbclU/w/ynL7Clr1EZRVaXtcvBNhzZMPG+N+cl9/OAbCc+K1 +zBqU9MC3+ftjCo0b1Gn+WelB0rBR43JMDbP/Lkwcn7GqJXk/KApG54ygSDxTasMj +rmMuw8eES/7ndo+X/u/Jy71CFEJZbW15GKzv55fYE1LIOILLEepn3ikOn/1jujCZ +3oSikIlcIVkQSXOoglT1VBsWlNjA5AynofCjyW8VKVTZGCBvoBx7kVPUg4yzK2dx +gaIFosrqhV1v9ENfu+exErHDFyctsKsH34Tjjrkm+3hdseMjivBT8sOzWmTMNryk +3QquTfdJbOMFw873ynIEj/Q9vHFT76Ae +-----END CERTIFICATE----- diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.key b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.key new file mode 100644 index 0000000000..280627b6e7 --- /dev/null 
+++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance002/server002.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIg0PYOtHuXYsCAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCSkBdX9Acur/mj1FWWXiiyBIIE +0H4nMqNCCkvVkbBKBy+5khhbCxN0kLgseHIPP3oAo6phLrhAAkv0xKr3wv/mR6Zp +3jQ2JHbOfGrduFckdCBU8tST621p6wdRLwm9MbeWNjjsuSCKH45y5w2jU3aXiLpz +4AsbweoO9a260nR4Aq5DG1t8VrJpofCfmye9FjacNGbCAa6HINigGrlp25USoead +sqqKf8Jl/g1729yzIB6WkTA9hXBxwz25BtgwSd+tUlvl6dYocKXCM6ljn/q25SgW +ozNBfOkzX3S8g6ZXjx0SkMdbUjuTrgjl7mn5cVYdjx6VM9fJjalca0h4Gr0kdHFM +z50D40Ha2O3HQ36ImKjlyzbZOjkIMpqOa6o7kH7jLlJLjYJo2+LocIr8/REw4Lgl +DeahUAl6Iya4K67sJG61FGKhzuOuxWW/Ymsa1v2Yq80PsZS1IyAD7jmH7zrT8mNq +0T82z/hQfY+vOo+1+VMmZd1azm5UHap/bsJ32e8GXszdjH2P6dMkymAykYQVtt4/ +W6+Q53tCNfmfbdzFNszzvRP5VjcDvUGtiD9gSLsqsFCh7GJlD8vXcrrOn61l3OLC +0CR3X9VBqerMiUFmsT1g7HsSHTD1h0OX2DTkhAfM0P4QXemGGke9/LBRsYaN07XD +akhs4jd++3hdMSWPSrm7JNx2BC2L+u4SyRdHnu7DtQ9DVPubwT63dhxMGkGzXOGK +3x3payRlp96ckms27tiWnsiPfVe/CECS6YXK0PLONenbvVDQO31iWDcV2AgOd0nv +OKUuC/oN37kY4P6J8MGao3zsmcfWxQSWjnImdnLsqtD6QxqyNH18Id2GOcwrkuoG +3Jyi43rR5c6r6O0ldvCB+iFHizzIBWA6GpDmzRYRd7lJlkQJ0ihCozWOsPC1lKZu +E3DiRwaTbGcOTOTJDHG6B3RE9YgZjZPkVVRYsPUp2e/flLr+2QZo3XyAFd9TJDOZ +GlCGnjmKVT83gRmgTd5mMfI2lm6vJwWC1jAIYNVuAQNWf+ZKsPfhm6mr6n6Najxr +lVPZOg+7loKxJLfcXIP3sItLCHT4Jc/rmn6/HwnFqrdFQDkIk/dPVYnIPZlCG24Z +to8pmjFyK5qX15rjZKAacYpSIoYHo26wFnFGSGtikUZXFm5aTGCxKnf+gBQ1Zrtw ++d9hKnmef0zlozU2b8byPRFNqV0cBaXxccXc5WFWJY60PZ6wbEs8wkBUmOh06pcR +IO4qX4RX1QRfSSldXNZ+3CFbUXT8u999DCCV/onw2NlbdqKiHQMoLhQQAWGReG1e +xpXXU8lRBMpW3PGHsWsGlzNTb4DkasKfL3LPxDc8DzDGrlkudYxARI23lHhKAZEv +WVqp00HiFA2n1HSqrdUjoBsnX5KzU5By4KgdS4pp8Le0vFStlq47257P3PUWEFnB +BFTmdbd44kOZK4mDgpyH3hQMJesdYMr8wWxhAUPx6SLK9OvVKRiLjjC1AHJQI6lS +umT8min1q88Pw9PfmL6speXYkPXD3PLms//bnqTI44rcptlWwmaZydW51cPc5CNA +CMVAoUHgwpJe+t+JH2B/ShmIG+Vh4aCEer70ZG38g8lLTG/wQNs0Cmfv01R2B53K +4bJY7jCy8YUnB+pEVohyWltI3rNkA27brnISIBVllPKn +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.crt b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.crt new file mode 100644 index 0000000000..76a85e35bf --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdDCCAlygAwIBAgIUC2vN8EGo9naK0NawqRXTBdiR1BYwDQYJKoZIhvcNAQEL +BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAgFw0y +NDAxMDkxMDIwMjlaGA8yMTAwMDEwMTEwMjAyOVowXzELMAkGA1UEBhMCVVMxDjAM +BgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MR0wGwYDVQQKDBRFeGFtcGxlLUNl +cnRpZmljYXRlczESMBAGA1UEAwwJc2VydmVyMDAzMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAn51RtVj89wuf8lVjCiQ0UeIvkPO87YIO8O5b0G35IKuQ +rRcanLifN8skooDs+oINzHpgp7tENy+uPynOuw02TJx+Li4JXX1XAX5v2WGWET2Y +/VykmTzCFDovzAR+aVyarDONxRDvV1v86Hfee34mBxkWF8gz5cyTOZjtQMWKmaxZ +jGSazuNcqet9XJYsUqRdCnxG+VRJTfGG7lnQ/+7sRE0BVqOaU+xOdRZCuHEUp99d +NponYJUJa6UwL06abvS6OO0Ab81mBTnaev7hAjsfpY+SYItUfcRlc57yBESGGB0r +ymQKy70KmK2vMUPGoS6YKE3sBXBJJdl/DOAe2v53FQIDAQABo14wXDAaBgNVHREE +EzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFLal5fgbXAZz+Zg11+GEVbjT +ed0oMB8GA1UdIwQYMBaAFMcoPooETZGmQ44FaE298f3LsrBDMA0GCSqGSIb3DQEB +CwUAA4IBAQC2qhOwJ3ZtZ5wyvI7qKzQ0IHy3D01tjN80YnUXm1MLkc3Jt8N/6apT +SvtS7o/IAmjlctoR2Xg4XTp0zgECgIWAQ07G9rGF5+i3au9ydTkFY3mjBEFCaa/6 +oet/MYSfx5JBfQoz4GkQk7qBesz1HTP19w10HFYH5HoLGkWkd3SITYnAn0aSzMvi +ymstSd1O9/rFefIrPuSRuKAxsSdIH/L6q5LAmq/k4BM1WeV7zpjxcNc7+SdiiW22 +ZoXcPLYcKh9UsbYon//1lipvR+x/zB4t5YyaevbpaY4MRTASVHM7rF/szTQE5+VZ +a9vz/3X+K9QrpCGqOyMzU8A6zcNeV3Kc +-----END CERTIFICATE----- diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.key b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.key new file mode 100644 index 0000000000..880140dea7 --- /dev/null 
+++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/instance003/server003.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI4hq3UcvHxeMCAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBANIql3sdt63kUD9IS1h8uQBIIE +0AyuJU6umXXNb8aO5UwcfJoeiVT6P0xr8guiPXNHx/hZpEE21RoHEUlqRgStLFqH +AaeWOaPBNehqpcFnU34llM+XZMt7diL9nVkZFa5cePGuR6Od4ZE5S0xDmzyOpAbq +Hvn3FhZtDih9nyZHZUFO7WFZFxQLLE6YU9GOW8UsHEBt8Z2zbn4eBaVUw81Elpv6 +uhpx0H+apmj+TcXehv7FvWxn64nOQSDICuK6Zwva3DC4Bc0OpRAhWKR81w0hdufK +ej1mcANgGu/zTp3JJ9eGf1DX1TIB8nM7SXPVz+mDELZPu6U9kMBRoiQ8B24UEoRY +4VHODLDOoL7X+vbAk4oJVRqPnR/FvaAmzSTu4quOjRKE2fhBYD4oe4UTdp+5GxPK +4qcxS9eqe1/Jl4mPYCsM9oXdrRNVvk3lKPG63TVqEr6vrCfV+sogFYY/qY1sL81H +vkHF5QjqLTdWiSI82HiqoczQKfvZXdqZWB32YPiiZhv9LyyuTdHzvijFNRW6X6xf +Eng66BJ+S8TYr7ib+cUUy1OLyh5a6WAs/qsy2Fi02KOHN8BNfznwAqmJ14IbQrRQ +JjYaHhTHm+FZFpU+if32mSPr/CjmGuzhGNlh+Pm+5udDOvVcqAE9ifAZ9G9f9jgd +1vuTNOkWSwLcY2hs3vRN9VrDxbQ9PivB8Asr08F84KceJEaReN2CCiyCR++q95oH +2imrrQLH5EXM6Xc2k5OnltrWSLzvA58bJ+KcHj+MvRMx7kTjDcTrOHL0/xbqeXzU +TDaft8gGtudlFqy3/4kuV5Zp3E0Bgn/1WjUe8/VUJuYCX2ffhQVAc+Yum3o80Mu3 +RH7kEaZQeqnxC8qwiu6aOsqg3C74Hc+rguWeXnUV5Ysb3rcq1O50PGWEsey/+nxn +7I8hgZFvJrlYs05jQu93/Hzps5jVuxluRzFHuZcEM1v/12jNnY/C7yQSWctZFdD4 +h7DnzGjPgD/CRd0V63ScciRDfofQtFcshMEJjtCiP2tzmCMB4S7VB1186JdTLWys +u5OmQ76F2CcmBybksrx7dZyVB/z3gNB3/DObBVvVxn8z/WMqsoKjjXbJvHUBeo2W +KnZY7VHMjhsRGTLcxfL8jeS2clkEl4qOO0d47HIFy90BmLLpWosC+ZX5AMsrX2x7 +xV6yfXBGU5JHXRrofvC3AH33GlHkQ1r6r5SDqLDQrAAMm0eqlOjmiNM151M1uORw +m4r1csflKlIkWLwFVH1BIMmB8eGefyfS/4lXhx+UvvZKgFkJDJ3IJ0oHdj2zHiln +sp2WIm/nh9wqDh7fvGP+b1skVFlrChuTtjNHa4Ye2QagWRgZfAZAh89HuMfclC5x +0w971lLbnoC3iB7tjY8+J9Ye6Mzim6oZofROdBDxbDXraaYjcq/EezfFDPTUSpGx +JtX2Cr4nq596TucXXwKjHBHnjfhUPdeLRWBRSidkyogjrW68tVUCUZ7a0/3a2wz1 +6hRLvKzxnMGXfr1cggtX8PapgIXNOLxkjmLPmoEEQLNqOSXzx7y+iLGPzYcj2Fe+ +gV93fIq1IbwEChOFTHa/WtoN+idhESqvPvH2PKnWmAB5ioLYDCIQ6BnKWdPflrYh +mGfTg3YhOuwFmTkZPnvKux+yOLTDZfzeaMmBpdeQuHl3 +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/root_ca.crt b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/root_ca.crt new file mode 100644 index 0000000000..a01999b815 --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/root_ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIUTbG8/x5SNhhMkhq1/spUkvTNGtUwDQYJKoZIhvcNAQEL +BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAgFw0y +NDAxMDkxMDIwMjRaGA8yMTAwMDEwMTEwMjAyNFowJzELMAkGA1UEBhMCVVMxGDAW +BgNVBAMMD0V4YW1wbGUtUm9vdC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAL7K7lF5lXLunkNNI1ieuOgWyASA4fLNGxoGmZznwHCS3qVO2OmULy1Z +tKYCDZdQLRfc1GRR+PepbU5XVZUSm0k3VRVgT6FXrml6WVIISfjti18tZeybQzpt +c1HnnZk4prsq+pbckiCzFisg1xpG3CxyJUzrq010rKt1LGAeP32L0rI0yBBe08U6 +fSbX3kyGTl6bf3OIhpMVmg9VNB2LZm+FgEUG4OUpRT0yMk7Al+IxFt/R2TndfIhd +ZHu4t/lJLqHzfFyvM6XVEThP8y5eJ9dF0Oz6jUcNC45Tw6t9ubOGnwBriWkgLtw9 +4VK0XwK4tRvVQgptd2xro/sHFW14Sa0CAwEAAaNTMFEwHQYDVR0OBBYEFMcoPooE +TZGmQ44FaE298f3LsrBDMB8GA1UdIwQYMBaAFMcoPooETZGmQ44FaE298f3LsrBD +MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGBnpnV8NoGoz8sF +IjEFwF76rfYT/NhYEE5SV9zOGE5kgbFh1N1+lAlcFpULsxXm+6ULnMZbrKGTDCKS +tD7XhPqTP5DHjxyXvD4VTZVgQ8NAUtttM+w8vdjIIHGHoQkdCo5QpGxqGZhlRCnM +HFQwmeXFKalln4qfgpkBA92K8H2eK/7ZhnnAGh/bclgOV7KOknV/hs7cBuwYIHVP +c7UCSyUMSkhujCysjRw5zjLiSM6bO8XFrVt0hOxZhV91mHXsIFZ2MopVIO4vPBHJ +q1z2XTu49XOrY4+N+7Sk37wImjfE5BD+U3GTw2QfoFO4EHd2JvvfoqS6Q5BtQ1lp +6OZswbA= +-----END CERTIFICATE----- diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/ssl_passwords.txt b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/ssl_passwords.txt new file mode 100644 index 0000000000..bca0b5d502 --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/ssl_passwords.txt @@ -0,0 +1,3 @@ +qwerty +123456 +topsecret 
diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/config.yaml b/doc/code_snippets/snippets/replication/instances.enabled/ssl/config.yaml new file mode 100644 index 0000000000..84afc46ee7 --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/config.yaml @@ -0,0 +1,59 @@ +credentials: + users: + admin: + password: 'topsecret' + roles: [ super ] + replicator: + password: 'topsecret' + roles: [replication] + +iproto: + advertise: + peer: + login: replicator + +replication: + failover: manual + +groups: + group001: + replicasets: + replicaset001: + leader: instance001 + instances: + instance001: + iproto: + listen: + - uri: '127.0.0.1:3301' + params: + transport: 'ssl' + ssl_ca_file: 'certs/root_ca.crt' + ssl_cert_file: 'certs/instance001/server001.crt' + ssl_key_file: 'certs/instance001/server001.key' + ssl_password: 'qwerty' + ssl_ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' + instance002: + iproto: + listen: + - uri: '127.0.0.1:3302' + params: + transport: 'ssl' + ssl_ca_file: 'certs/root_ca.crt' + ssl_cert_file: 'certs/instance002/server002.crt' + ssl_key_file: 'certs/instance002/server002.key' + ssl_password_file: 'certs/ssl_passwords.txt' + ssl_ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' + instance003: + iproto: + listen: + - uri: '127.0.0.1:3303' + params: + transport: 'ssl' + ssl_ca_file: 'certs/root_ca.crt' + ssl_cert_file: 'certs/instance003/server003.crt' + ssl_key_file: 'certs/instance003/server003.key' + ssl_password_file: 'certs/ssl_passwords.txt' + ssl_ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' + +app: + file: 'myapp.lua' diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/instances.yml b/doc/code_snippets/snippets/replication/instances.enabled/ssl/instances.yml new file mode 100644 index 0000000000..9a634da7a0 --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/instances.yml 
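Review bot: Each `iproto.listen` URI sets `ssl_ca_file`, which by the `ssl_cert_file` wording added to configuration_reference.rst in this same patch makes a client certificate mandatory for anything connecting to these instances, yet `iproto.advertise.peer` carries only `login: replicator` and no `params`. Whether the replication client side then presents `server00N.crt` and verifies its peers against `certs/root_ca.crt` depends on the advertised peer URI inheriting the listen URI's params; the new `iproto_advertise.<peer>.uri` text says the listen URI is used by default but is silent about its params. If inheritance is how this sample works, the reference should say so explicitly; if it is not, the instances would connect to each other without a certificate and be rejected, and the sample needs an explicit `params` block on the advertise side. A one-line comment above `advertise:` such as `# params (transport, certificates, CA) are inherited from iproto.listen` would make the intent visible to readers copying this file.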
@@ -0,0 +1,3 @@ +instance001: +instance002: +instance003: diff --git a/doc/code_snippets/snippets/replication/instances.enabled/ssl/myapp.lua b/doc/code_snippets/snippets/replication/instances.enabled/ssl/myapp.lua new file mode 100644 index 0000000000..53182dbae3 --- /dev/null +++ b/doc/code_snippets/snippets/replication/instances.enabled/ssl/myapp.lua @@ -0,0 +1,10 @@ +function connect() + local connection = require('net.box').connect({ + uri = 'admin:topsecret@127.0.0.1:3301', + params = { transport = 'ssl', + ssl_cert_file = 'certs/instance001/server001.crt', + ssl_key_file = 'certs/instance001/server001.key', + ssl_password = 'qwerty' } + }) + return connection +end diff --git a/doc/enterprise/security.rst b/doc/enterprise/security.rst index c86f85daf1..ee22781975 100644 --- a/doc/enterprise/security.rst +++ b/doc/enterprise/security.rst @@ -440,12 +440,11 @@ In the :ref:`next section `, you can fin Example: - .. code-block:: lua - - c = require('net.box').connect({ - uri = 'localhost:3301', - params = {transport = 'ssl'} - }) + .. literalinclude:: /code_snippets/snippets/replication/instances.enabled/ssl/myapp.lua + :language: lua + :start-at: net.box + :end-before: return connection + :dedent: * ``ssl_key_file`` -- a path to a private SSL key file. Mandatory for a server. diff --git a/doc/reference/configuration/configuration_reference.rst b/doc/reference/configuration/configuration_reference.rst index 43f02458b4..c676c5fca1 100644 --- a/doc/reference/configuration/configuration_reference.rst +++ b/doc/reference/configuration/configuration_reference.rst @@ -536,9 +536,9 @@ iproto.advertise.* .. confval:: iproto.advertise.client - An URI used to advertise the current instance to clients. + A URI used to advertise the current instance to clients. - The ``iproto.advertise.client`` option accepts an URI in the following formats: + The ``iproto.advertise.client`` option accepts a URI in the following formats: - An address: ``host:port``. 
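Review bot: The net.box client in `connect()` passes `transport`, `ssl_cert_file`, `ssl_key_file` and `ssl_password` but no `ssl_ca_file`, so by the `ssl_ca_file` text added in configuration_reference.rst ("If not set, the peer won't be checked for authenticity") it presents its own certificate while accepting whatever certificate 127.0.0.1:3301 offers. Since this snippet is now literalincluded into doc/enterprise/security.rst as the canonical client example, it teaches one-way verification by omission; adding `ssl_ca_file = 'certs/root_ca.crt',` to the `params` table makes the client verify the server against the same root CA the servers use. Minor: `function connect()` defines a global; unless that is intended so the function can be called from a console session, `local function connect()` keeps the application namespace clean.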
@@ -564,9 +564,9 @@ iproto.advertise.* .. confval:: iproto.advertise.peer - An URI used to advertise the current instance to other cluster members. + A URI used to advertise the current instance to other cluster members. - The ``iproto.advertise.peer`` option accepts an URI in the format described in :ref:`iproto_advertise.\.* `. + The ``iproto.advertise.peer`` option accepts a URI in the format described in :ref:`iproto_advertise.\.* `. **Example** @@ -590,7 +590,7 @@ iproto.advertise.* An advertise URI used by a router and rebalancer. - The ``iproto.advertise.sharding`` option accepts an URI in the format described in :ref:`iproto_advertise.\.* `. + The ``iproto.advertise.sharding`` option accepts a URI in the format described in :ref:`iproto_advertise.\.* `. **Example** @@ -619,7 +619,8 @@ iproto.advertise..* .. confval:: iproto_advertise..uri - An URI used to advertise the current instance. + (Optional) A URI used to advertise the current instance. + By default, the URI defined in :ref:`iproto.listen ` is used to advertise the current instance. .. include:: /reference/configuration/configuration_reference.rst :start-after: host_port_limitations_start @@ -634,7 +635,8 @@ iproto.advertise..* .. confval:: iproto_advertise..login - A username that should be used to connect to the current instance. + (Optional) A username used to connect to the current instance. + If a username is not set, the ``guest`` user is used. | | Type: string @@ -645,8 +647,8 @@ iproto.advertise..* .. confval:: iproto_advertise..password - A password for the specified user. - If a password is missing, it is taken from :ref:`credentials ` for the specified username. + (Optional) A password for the specified user. + If a ``login`` is specified but a password is missing, it is taken from the user's :ref:`credentials `. | | Type: string 
@@ -657,9 +659,7 @@ iproto.advertise..* .. confval:: iproto_advertise..params - Additional parameters required for connecting to the current instance. - These parameters are described in :ref:`.params.* `. - + (Optional) URI parameters (:ref:`.params.* `) required for connecting to the current instance. .. _configuration_reference_iproto_misc: @@ -676,8 +676,9 @@ iproto.* These URIs are used for different purposes, for example: - - Communicating between replica set peers or cluster members. + - Communicating between replica set peers or cluster members. See also: :ref:`iproto.advertise.* `. - Remote administration using :ref:`tt connect `. + - Connecting to an instance using the :ref:`net.box ` module. - Connecting to an instance using :ref:`connectors ` for different languages. To grant the specified privileges for connecting to an instance, use the :ref:`credentials ` configuration section. 
@@ -775,24 +776,84 @@ iproto.* | Environment variable: TT_IPROTO_THREADS -.. _`configuration_reference_iproto_uri_params`: +.. _configuration_reference_iproto_uri_params: .params.* ~~~~~~~~~~~~~~ +.. admonition:: Enterprise Edition + :class: fact + + TLS traffic encryption is supported by the `Enterprise Edition `_ only. + +URI parameters that can be used in the following options: + +- :ref:`iproto_advertise.\.params ` +- :ref:`iproto.listen ` + +.. NOTE:: + + Note that ``.params.*`` options don't have corresponding :ref:`environment variables ` for URIs specified in ``iproto.listen``. + .. _configuration_reference_iproto_uri_params_transport: .. confval:: .params.transport + Allows you to enable traffic encryption for client-server communications over :ref:`binary connections `: + + - A server is a Tarantool instance. + - A client might be one of the following: + + - Another Tarantool instance from this cluster. This means that one instance might act as the server that accepts connections from other instances and the client that connects to other instances. + - A remote administrative console (:ref:`tt connect `). + - A :ref:`net.box ` connector. + - :ref:`Connectors ` provided for different languages. + + ``.params.transport`` accepts one of the following values: + + - ``plain`` (default): turn off traffic encryption. + - ``ssl``: encrypt traffic by using the TLS 1.2 protocol (`Enterprise Edition `_ only). + + **Example** + + The example below demonstrates how to enable traffic encryption for connections between replica set peers. + The following parameters are specified for each instance: + + - ``ssl_ca_file``: a path to a trusted certificate authorities (CA) file. + - ``ssl_cert_file``: a path to an SSL certificate file. + - ``ssl_key_file``: a path to a private SSL key file. + - ``ssl_password`` (``instance001``): a password for an encrypted private SSL key. 
+ - ``ssl_password_file`` (``instance002`` and ``instance003``): a text file containing passwords for encrypted SSL keys. + - ``ssl_ciphers``: a colon-separated list of SSL cipher suites the connection can use. + + .. literalinclude:: /code_snippets/snippets/replication/instances.enabled/ssl/config.yaml + :language: yaml + :start-at: groups: + :end-before: app: + :dedent: + + You can find the full example here: `ssl `_. + | | Type: string - | Default: nil + | Default: 'plain' | Environment variable: TT_IPROTO_ADVERTISE_PEER_PARAMS_TRANSPORT, TT_IPROTO_ADVERTISE_SHARDING_PARAMS_TRANSPORT .. _configuration_reference_iproto_uri_params_ssl_ca_file: .. confval:: .params.ssl_ca_file + (Optional) A path to a trusted certificate authorities (CA) file. + If not set, the peer won't be checked for authenticity. + + Both a server and a client can use the ``ssl_ca_file`` parameter: + + - If it's on the server side, the server verifies the client. + - If it's on the client side, the client verifies the server. + - If both sides have the CA files, the server and the client verify each other. + + **See also:** :ref:`.params.transport `. + | | Type: string | Default: nil @@ -802,6 +863,13 @@ iproto.* .. confval:: .params.ssl_cert_file + A path to an SSL certificate file: + + - For a server, it's mandatory. + - For a client, it's mandatory if the :ref:`ssl_ca_file ` parameter is set for a server; otherwise, optional. + + **See also:** :ref:`.params.transport `. + | | Type: string | Default: nil 
@@ -811,6 +879,45 @@ iproto.* .. confval:: .params.ssl_ciphers + (Optional) A colon-separated (``:``) list of SSL cipher suites the connection can use. + Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found. + + The supported cipher suites are: + + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + * DHE-RSA-AES256-GCM-SHA384 + * ECDHE-ECDSA-CHACHA20-POLY1305 + * ECDHE-RSA-CHACHA20-POLY1305 + * DHE-RSA-CHACHA20-POLY1305 + * ECDHE-ECDSA-AES128-GCM-SHA256 + * ECDHE-RSA-AES128-GCM-SHA256 + * DHE-RSA-AES128-GCM-SHA256 + * ECDHE-ECDSA-AES256-SHA384 + * ECDHE-RSA-AES256-SHA384 + * DHE-RSA-AES256-SHA256 + * ECDHE-ECDSA-AES128-SHA256 + * ECDHE-RSA-AES128-SHA256 + * DHE-RSA-AES128-SHA256 + * ECDHE-ECDSA-AES256-SHA + * ECDHE-RSA-AES256-SHA + * DHE-RSA-AES256-SHA + * ECDHE-ECDSA-AES128-SHA + * ECDHE-RSA-AES128-SHA + * DHE-RSA-AES128-SHA + * AES256-GCM-SHA384 + * AES128-GCM-SHA256 + * AES256-SHA256 + * AES128-SHA256 + * AES256-SHA + * AES128-SHA + * GOST2012-GOST8912-GOST8912 + * GOST2001-GOST89-GOST89 + + For detailed information on SSL ciphers and their syntax, refer to `OpenSSL documentation `__. + + **See also:** :ref:`.params.transport `. + | | Type: string | Default: nil @@ -820,6 +927,15 @@ iproto.* .. confval:: .params.ssl_key_file + A path to a private SSL key file: + + - For a server, it's mandatory. + - For a client, it's mandatory if the :ref:`ssl_ca_file ` parameter is set for a server; otherwise, optional. + + If the private key is encrypted, provide a password for it in the ``ssl_password`` or ``ssl_password_file`` parameter. + + **See also:** :ref:`.params.transport `. + | | Type: string | Default: nil 
@@ -829,6 +945,19 @@ iproto.* .. confval:: .params.ssl_password + (Optional) A password for an encrypted private SSL key provided using ``ssl_key_file``. + Alternatively, the password can be provided in ``ssl_password_file``. + + Tarantool applies the ``ssl_password`` and ``ssl_password_file`` parameters in the following order: + + 1. If ``ssl_password`` is provided, Tarantool tries to decrypt the private key with it. + 2. If ``ssl_password`` is incorrect or isn't provided, Tarantool tries all passwords from ``ssl_password_file`` + one by one in the order they are written. + 3. If ``ssl_password`` and all passwords from ``ssl_password_file`` are incorrect, + or none of them is provided, Tarantool treats the private key as unencrypted. + + **See also:** :ref:`.params.transport `. + | | Type: string | Default: nil @@ -838,6 +967,11 @@ iproto.* .. confval:: .params.ssl_password_file + (Optional) A text file with one or more passwords for encrypted private SSL keys provided using ``ssl_key_file`` (each on a separate line). + Alternatively, the password can be provided in ``ssl_password``. + + **See also:** :ref:`.params.transport `. + | | Type: string | Default: nil