Configuring SSL/TLS for ZooKeeper
When you use a ThingWorx HA cluster, you can configure SSL or TLS for ZooKeeper.
Configure ZooKeeper
1. Ensure that the ZooKeeper version you are running supports SSL or TLS.
2. Obtain your SSL certificate and trust store.
The only accepted certificate formats are JKS, PEM and PKCS12 (p12).
3. Go to apache-zookeeper-[version]-bin/conf and update or create zoo.cfg.
4. Add the following entries:
dataDir=/<path-to-zookeeper-data>/data
dataLogDir=/<path-to-zookeeper-datalog>/datalog
secureClientPort=2281
tickTime=2000
initLimit=5
syncLimit=2
autopurge.snapRetainCount=3
autopurge.purgeInterval=0
maxClientCnxns=60
admin.enableServer=true
standaloneEnabled=false
quorumListenOnAllIPs=true
sslQuorum=true
To enable a secure quorum between the ZooKeeper nodes, set sslQuorum=true in the zoo.cfg file. The nodes will use the automatically generated SSL to protect the quorum.
5. Modify <path-to-zookeeper>/bin/zkServer.sh:
export SERVER_JVMFLAGS="
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12
-Dzookeeper.ssl.keyStore.password=<certificate-password>
-Dzookeeper.ssl.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12
-Dzookeeper.ssl.trustStore.password=<truststore-password>
-Dzookeeper.ssl.quorum.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12
-Dzookeeper.ssl.quorum.keyStore.password=<certificate-password>
-Dzookeeper.ssl.quorum.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12
-Dzookeeper.ssl.quorum.trustStore.password=<truststore-password>
-Dzookeeper.ssl.quorum.hostnameVerification=false"
6. Start ZooKeeper:
./zkServer.sh start
7. Check in the log file that the configuration is correct:
tail -f apache-zookeeper-3.5.6-bin/logs/<zookeeper-log-file>
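As an added check (example code written for this page, not PTC's or ZooKeeper's own), the following Python script parses a zoo.cfg and a SERVER_JVMFLAGS value like the ones in steps 4 and 5 and reports what is missing for TLS: the secure client port, sslQuorum, the Netty connection factory, and the key store and trust store locations for both client and quorum traffic. It also warns when a plaintext clientPort is still configured next to the TLS listener, and when quorum hostnameVerification is false as in the flags above, because a peer is then accepted on the strength of the trust store alone. The sample file contents, paths and passwords are constructed, and the function names are this example's own.

```python
"""Audit a zoo.cfg and a SERVER_JVMFLAGS string for the TLS settings used on this page.

Added example, not part of the PTC page or of ZooKeeper. Sample contents,
paths and passwords are constructed; helper names are this example's own.
"""
import shlex

# Constructed sample zoo.cfg, mirroring step 4 (paths are made up).
SAMPLE_ZOO_CFG = """\
dataDir=/var/lib/zookeeper/data
dataLogDir=/var/lib/zookeeper/datalog
secureClientPort=2281
tickTime=2000
initLimit=5
syncLimit=2
autopurge.snapRetainCount=3
autopurge.purgeInterval=0
maxClientCnxns=60
admin.enableServer=true
standaloneEnabled=false
quorumListenOnAllIPs=true
sslQuorum=true
"""

# Constructed SERVER_JVMFLAGS value, mirroring step 5 (paths/passwords made up).
SAMPLE_JVMFLAGS = """\
-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/etc/zookeeper/certs/zookeeper.p12
-Dzookeeper.ssl.keyStore.password=changeit
-Dzookeeper.ssl.trustStore.location=/etc/zookeeper/certs/truststore.p12
-Dzookeeper.ssl.trustStore.password=changeit
-Dzookeeper.ssl.quorum.keyStore.location=/etc/zookeeper/certs/zookeeper.p12
-Dzookeeper.ssl.quorum.keyStore.password=changeit
-Dzookeeper.ssl.quorum.trustStore.location=/etc/zookeeper/certs/truststore.p12
-Dzookeeper.ssl.quorum.trustStore.password=changeit
-Dzookeeper.ssl.quorum.hostnameVerification=false
"""

# Store formats the page accepts: JKS, PEM and PKCS12 (p12).
ALLOWED_STORE_EXTS = (".jks", ".pem", ".p12")


def parse_zoo_cfg(text):
    """Parse key=value lines of zoo.cfg; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def parse_jvm_flags(text):
    """Turn '-Dname=value' tokens (space or newline separated) into a dict."""
    props = {}
    for token in shlex.split(text):
        if token.startswith("-D") and "=" in token:
            name, value = token[2:].split("=", 1)
            props[name] = value
    return props


def audit_zookeeper_tls(zoo_cfg_text, jvmflags_text):
    """Return (errors, warnings): errors block TLS, warnings weaken it."""
    cfg = parse_zoo_cfg(zoo_cfg_text)
    props = parse_jvm_flags(jvmflags_text)
    errors, warnings = [], []

    if "secureClientPort" not in cfg:
        errors.append("secureClientPort is not set; clients cannot connect over TLS")
    if "clientPort" in cfg:
        warnings.append("clientPort=%s keeps a plaintext listener open next to TLS" % cfg["clientPort"])
    if cfg.get("sslQuorum", "false").lower() != "true":
        errors.append("sslQuorum is not true; leader/follower traffic is unencrypted")

    if props.get("zookeeper.serverCnxnFactory") != "org.apache.zookeeper.server.NettyServerCnxnFactory":
        errors.append("zookeeper.serverCnxnFactory must be NettyServerCnxnFactory for TLS")

    # Client-facing and quorum stores are configured separately; check both.
    for prefix in ("zookeeper.ssl", "zookeeper.ssl.quorum"):
        for store in ("keyStore", "trustStore"):
            location = props.get("%s.%s.location" % (prefix, store))
            if not location:
                errors.append("%s.%s.location is missing" % (prefix, store))
            elif not location.lower().endswith(ALLOWED_STORE_EXTS):
                errors.append("%s is not a JKS, PEM or PKCS12 file" % location)
            if not props.get("%s.%s.password" % (prefix, store)):
                warnings.append("%s.%s.password is empty" % (prefix, store))

    if props.get("zookeeper.ssl.quorum.hostnameVerification", "true").lower() == "false":
        warnings.append("quorum hostnameVerification is disabled; peers are checked against the trust store only")

    return errors, warnings


if __name__ == "__main__":
    for label, items in zip(("ERROR", "WARN"), audit_zookeeper_tls(SAMPLE_ZOO_CFG, SAMPLE_JVMFLAGS)):
        for item in items:
            print(label, item)
```

Run it against the real zoo.cfg and the flags you put in zkServer.sh by reading both files into the two arguments; an empty error list and only the hostnameVerification warning is the expected result for the configuration shown on this page.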
Configure ThingWorx
1. Copy the ZooKeeper certificates to your instance, or ensure they are available on the machine where ThingWorx runs.
2. Modify your platform-settings.json to include the following as a root element at the end of the file, at the same level as PlatformSettingsConfig.
"ZookeeperSettings": {
    "SSLEnabled": "true",
    "KeyStorePath": "<path-to-zookeeper-certificates>/zookeeper.p12",
    "KeyStorePass": "<certificate-password>",
    "TrustStorePath": "<path-to-zookeeper-certificates>/truststore.p12",
    "TrustStorePass": "<truststore-password>",
    "SASLEnabled": "false",
    "JaasConfPath": "/tmp1/jaas.conf",
    "Krb5ConfPath": "/tmp1/krb5.conf"
}
If SSL is enabled, KeyStorePath and KeyStorePass are required; the trust store entries are optional. If SASL is enabled, JaasConfPath and Krb5ConfPath are required.
3. Search for the default ZooKeeper port 2181 and replace it with the secure port 2281.
4. Ensure that all CoordinatorHosts entries and the address-resolver > connection ports are updated to match the secureClientPort value in zoo.cfg.
Configure Ignite
1. Copy the Ignite certificates to your ThingWorx instance, or ensure they are available on the machine where the Ignite server runs.
2. Set the ZOOKEEPER_CONNECTION environment variable, locate the JVM_XOPTS environment variable used to start Ignite, and update it as follows:
# zookeeper1 represents the host name where zookeeper is available and 2281 the secure port from zoo.cfg
export ZOOKEEPER_CONNECTION=zookeeper1:2281,zookeeper2:2281,zookeeper3:2281
# update the JVM_XOPTS
JVM_XOPTS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12
-Dzookeeper.ssl.keyStore.password=<keystore-password>
-Dzookeeper.ssl.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12
-Dzookeeper.ssl.trustStore.password=<truststore-password>"
Configure Connection Server
1. Copy the ZooKeeper certificates to your instance, or ensure they are available on the machine where the Connection Server runs.
2. Update the port in cx-server.discovery.connectionString in the Connection Server configuration file to use the secure port.
For example: cx-server.discovery.connectionString = "{zookeeper-host}:2281"
3. Add the following system properties to the CONNECTION_SERVER_OPTS environment variable.
For example:
export CONNECTION_SERVER_OPTS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=<path-to-zookeeper-certificates>/zookeeper.p12
-Dzookeeper.ssl.keyStore.password=<keystore-password>
-Dzookeeper.ssl.trustStore.location=<path-to-zookeeper-certificates>/truststore.p12
-Dzookeeper.ssl.trustStore.password=<truststore-password>"
Encrypting passwords with the ThingWorx Security Management Tool
If you want to avoid placing plaintext passwords in the platform-settings.json file, you can use the security tool to encrypt the passwords in the twx-keystore. You must encrypt the key store password and the trust store password separately, using encrypt.zk.keystore.password and encrypt.zk.truststore.password respectively.
./security-common-cli keystore.conf set encrypt.zk.keystore.password "ptcptc"
Then change the platform-settings.json file so that ThingWorx picks up the passwords from the key store:
"KeyStorePass": "encrypt.zk.keystore.password",
"TrustStorePass": "encrypt.zk.truststore.password"
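As an added consistency check for the client side (example code written for this page, not PTC's, Ignite's or ZooKeeper's own), the following Python script verifies that the ThingWorx, Ignite and Connection Server settings from the three sections above all point at the secure port with TLS enabled: that ZookeeperSettings has SSLEnabled with the required key store entries, that every CoordinatorHosts and ZOOKEEPER_CONNECTION entry uses the secureClientPort rather than the old 2181, that the client JVM flags select the Netty socket with zookeeper.client.secure=true, and, following the encryption section, that KeyStorePass and TrustStorePass are key store aliases rather than plaintext. The platform-settings.json skeleton, host names and paths are constructed; the location of CoordinatorHosts inside the file is an assumption, so the script searches for the key anywhere in the document; the function names are this example's own.

```python
"""Check that all ZooKeeper clients (ThingWorx, Ignite, Connection Server) use the secure port and TLS.

Added example, not part of the PTC page or of ThingWorx. The JSON skeleton,
host names and paths are constructed; CoordinatorHosts is located by a
recursive search because its exact nesting is assumed, not taken from the page.
"""
import json
import shlex

# Constructed platform-settings.json: only the keys this check reads.
SAMPLE_PLATFORM_SETTINGS = json.dumps({
    "PlatformSettingsConfig": {
        "ClusteredModeSettings": {  # assumed location of CoordinatorHosts
            "CoordinatorHosts": "zookeeper1:2281,zookeeper2:2281,zookeeper3:2281"
        }
    },
    "ZookeeperSettings": {
        "SSLEnabled": "true",
        "KeyStorePath": "/opt/thingworx/certs/zookeeper.p12",
        "KeyStorePass": "encrypt.zk.keystore.password",
        "TrustStorePath": "/opt/thingworx/certs/truststore.p12",
        "TrustStorePass": "encrypt.zk.truststore.password",
        "SASLEnabled": "false",
    },
})

# Constructed ZOOKEEPER_CONNECTION and client JVM flags (Ignite JVM_XOPTS and
# CONNECTION_SERVER_OPTS carry the same properties, so one check serves both).
SAMPLE_ZOOKEEPER_CONNECTION = "zookeeper1:2281,zookeeper2:2281,zookeeper3:2281"
SAMPLE_CLIENT_OPTS = (
    "-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty "
    "-Dzookeeper.client.secure=true "
    "-Dzookeeper.ssl.keyStore.location=/opt/thingworx/certs/zookeeper.p12 "
    "-Dzookeeper.ssl.keyStore.password=changeit "
    "-Dzookeeper.ssl.trustStore.location=/opt/thingworx/certs/truststore.p12 "
    "-Dzookeeper.ssl.trustStore.password=changeit"
)


def parse_jvm_flags(text):
    """Turn '-Dname=value' tokens into a dict."""
    props = {}
    for token in shlex.split(text):
        if token.startswith("-D") and "=" in token:
            name, value = token[2:].split("=", 1)
            props[name] = value
    return props


def find_key(obj, key):
    """Depth-first search for `key` in nested dicts/lists; returns its value or None."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for child in obj:
            found = find_key(child, key)
            if found is not None:
                return found
    return None


def hosts_not_on_secure_port(conn_string, secure_port):
    """Return the host:port entries whose port differs from secure_port."""
    bad = []
    for entry in conn_string.split(","):
        entry = entry.strip()
        if entry.rpartition(":")[2] != str(secure_port):
            bad.append(entry)
    return bad


def audit_client_jvm_flags(opts):
    """Errors for JVM_XOPTS / CONNECTION_SERVER_OPTS that would not negotiate TLS."""
    props = parse_jvm_flags(opts)
    errors = []
    if props.get("zookeeper.clientCnxnSocket") != "org.apache.zookeeper.ClientCnxnSocketNetty":
        errors.append("zookeeper.clientCnxnSocket must be ClientCnxnSocketNetty")
    if props.get("zookeeper.client.secure", "false").lower() != "true":
        errors.append("zookeeper.client.secure is not true")
    for store in ("keyStore", "trustStore"):
        if not props.get("zookeeper.ssl.%s.location" % store):
            errors.append("zookeeper.ssl.%s.location is missing" % store)
    return errors


def audit_platform_settings(settings_json, secure_port):
    """Return (errors, warnings) for the ZookeeperSettings block and CoordinatorHosts."""
    settings = json.loads(settings_json)
    zk = settings.get("ZookeeperSettings", {})
    errors, warnings = [], []
    if str(zk.get("SSLEnabled", "false")).lower() != "true":
        errors.append("ZookeeperSettings.SSLEnabled is not true")
    else:
        for key in ("KeyStorePath", "KeyStorePass"):  # trust store entries are optional
            if not zk.get(key):
                errors.append("ZookeeperSettings.%s is required when SSLEnabled is true" % key)
        for key in ("KeyStorePass", "TrustStorePass"):
            value = zk.get(key)
            if value and not value.startswith("encrypt.zk."):
                warnings.append("%s is plaintext; use the encrypt.zk.* key store alias" % key)
    hosts = find_key(settings, "CoordinatorHosts")
    if hosts is None:
        errors.append("CoordinatorHosts not found in platform-settings.json")
    else:
        for bad in hosts_not_on_secure_port(hosts, secure_port):
            errors.append("CoordinatorHosts entry %s is not on secure port %s" % (bad, secure_port))
    return errors, warnings
```

Feed it the real platform-settings.json text, the value of ZOOKEEPER_CONNECTION and the flag strings from the Ignite and Connection Server start scripts, with the secure port taken from secureClientPort in zoo.cfg; any entry still on 2181 shows up as an error, and a plaintext KeyStorePass or TrustStorePass as a warning.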