For OAP communication we are currently using gRPC, a multi-platform RPC framework that uses protocol buffers for message serialization. The nice part about gRPC is that it promotes the use of SSL/TLS to authenticate and encrypt exchanges. Now OAP supports to enable SSL transportation for gRPC receivers.
You can follow below steps to enable this feature
It seems like step one is to generate certificates and key files for encrypting communication. I thought this would be
fairly straightforward using openssl from the command line.
Use this script if you are not familiar with how to generate key files.
We need below files:
server.pema private RSA key to sign and authenticate the public key. It's either a PKCS#8(PEM) or PKCS#1(DER).server.crtself-signed X.509 public keys for distribution.ca.crta certificate authority public key for a client to validate the server's certificate.
You can enable gRPC SSL by add following lines to application.yml/core/default.
gRPCSslEnabled: true
gRPCSslKeyPath: /path/to/server.pem
gRPCSslCertChainPath: /path/to/server.crt
gRPCSslTrustedCAPath: /path/to/ca.crtgRPCSslKeyPath and gRPCSslCertChainPath are loaded by OAP server to encrypt the communication. gRPCSslTrustedCAPath
helps gRPC client to verify server certificates in cluster mode.
When new files are in place, they can be load dynamically instead of restarting OAP instance.
If you enable sharding-server to ingest data from external, add following lines to application.yml/receiver-sharing-server/default:
gRPCSslEnabled: true
gRPCSslKeyPath: /path/to/server.pem
gRPCSslCertChainPath: /path/to/server.crtBecause sharding-server only receives data from external, so it doesn't need CA at all.
If you port to java agent, refer to TLS.md to config java agent to enable TLS.