Set up an encryption certificate and encrypt secrets on Linux clusters

This article shows how to set up an encryption certificate and use it to encrypt secrets on Linux clusters. For Windows clusters, see Set up an encryption certificate and encrypt secrets on Windows clusters.

Obtain a data encipherment certificate

A data encipherment certificate is used strictly to encrypt and decrypt parameters in a service's Settings.xml and environment variables in a service's ServiceManifest.xml. It is not used for authentication, and it does not sign the ciphertext. The certificate must meet the following requirements:

  • The certificate must contain a private key.

  • The certificate's key usage must include Data Encipherment (10) and should not include Server Authentication or Client Authentication.

    For example, the following OpenSSL commands generate a self-signed certificate and append its private key to the PEM file. Note that a bare openssl req -x509 call adds no keyUsage extension unless your OpenSSL configuration supplies one, so inspect the extensions of the resulting certificate before installing it:

    user@linux:~$ openssl req -newkey rsa:2048 -nodes -keyout TestCert.prv -x509 -days 365 -out TestCert.pem
    user@linux:~$ cat TestCert.prv >> TestCert.pem
    

Install the certificate in your cluster

The certificate must be installed on each node in the cluster under /var/lib/sfcerts. The user account the service runs as (sfuser by default) must have read access to the installed certificate (/var/lib/sfcerts/TestCert.pem in this example). Because that PEM file also carries the private key, grant read access to that account only: any other user who can read the file can decrypt every secret protected by it.

Encrypt secrets

The following snippet can be used to encrypt a secret. It only encrypts the value; it does not sign the ciphertext. You must use the same encipherment certificate that is installed in your cluster to produce ciphertext for secret values. The plaintext is converted to UTF-16LE before encryption, and no trailing newline may be included in the bytes that get encrypted.

user@linux:$ printf '%s' "Hello World!" > plaintext.txt
# printf '%s' writes no trailing newline, so nothing has to be stripped afterwards;
# `echo ... | tr -d '\n'` would remove only the 0x0A byte of the UTF-16LE newline and leave a stray 0x00 behind
user@linux:$ iconv -f ASCII -t UTF-16LE plaintext.txt > plaintext_UTF-16.txt
user@linux:$ openssl smime -encrypt -in plaintext_UTF-16.txt -binary -outform der TestCert.pem | base64 > encrypted.txt

The resulting base-64 encoded string written to encrypted.txt contains both the secret ciphertext and information about the certificate that was used to encrypt it (the recipient identifier of the CMS/PKCS#7 EnvelopedData). You can verify its validity by decrypting it with OpenSSL and the certificate's private key:

user@linux:$ cat encrypted.txt | base64 -d | openssl smime -decrypt -inform der -inkey TestCert.prv
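The whole procedure on this page as one round trip, added here as an example; it is not Service Fabric's own tooling and not code from the original page. It assumes OpenSSL 1.1.1 or newer (for req -addext), iconv and base64 on PATH, and uses a temporary work directory, the file names TestCert.prv/TestCert.pem and the value Hello World! purely for illustration. Beyond the commands above, it pins keyUsage to dataEncipherment at generation time, checks the resulting certificate for the required key usage and for the absence of server/client authentication EKUs, and shows in byte counts why stripping the newline with tr after the UTF-16LE conversion leaves a stray 0x00 behind.

```shell
#!/bin/sh
# Added example (not Service Fabric's own tooling): the page's procedure as one
# round trip. Assumes OpenSSL 1.1.1+ (for `req -addext`), iconv and base64 in
# PATH; the work directory, file names and the "Hello World!" value are
# assumptions for illustration, not real cluster paths.
set -eu

WORK=${WORK:-$(mktemp -d)}
KEY="$WORK/TestCert.prv"
CERT="$WORK/TestCert.pem"

# 1. Generate the data-encipherment certificate. -addext pins keyUsage so the
#    cert cannot double as a server/client auth cert; a bare `req -x509` with
#    the stock config emits no keyUsage extension at all.
make_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$KEY" -x509 -days 365 \
    -subj "/CN=TestCert" -addext "keyUsage = critical, dataEncipherment" \
    -out "$CERT" 2>/dev/null
  cat "$KEY" >> "$CERT"      # same combined PEM the page installs under /var/lib/sfcerts
  chmod 600 "$KEY" "$CERT"   # on a node: readable by sfuser only
}

# 2. Checks to run before copying the PEM to the nodes.
cert_has_data_encipherment() {
  case "$(openssl x509 -in "$CERT" -noout -text)" in
    *"Data Encipherment"*) return 0 ;;
    *) return 1 ;;
  esac
}
cert_has_auth_eku() {
  case "$(openssl x509 -in "$CERT" -noout -text)" in
    *"TLS Web Server Authentication"*|*"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# 3. Encrypt: UTF-16LE plaintext with no trailing newline, CMS EnvelopedData as
#    DER, then base64 on a single line (the form pasted into Settings.xml).
#    printf '%s' adds no newline, so nothing has to be stripped afterwards.
encrypt_secret() {
  printf '%s' "$1" | iconv -f ASCII -t UTF-16LE \
    | openssl smime -encrypt -binary -outform der "$CERT" \
    | base64 | tr -d '\n'
}

# 4. Decrypt with the private key and convert back to UTF-8 for inspection.
decrypt_secret() {
  printf '%s' "$1" | base64 -d \
    | openssl smime -decrypt -inform der -inkey "$KEY" \
    | iconv -f UTF-16LE -t UTF-8
}

# Byte counts that expose the `echo ... | tr -d '\n'` pitfall: tr strips the
# 0x0A byte of a UTF-16LE newline but leaves its 0x00 half behind.
utf16_len() {
  printf '%s' "$1" | iconv -f ASCII -t UTF-16LE | wc -c | tr -d ' '
}
utf16_len_with_tr_pitfall() {
  printf '%s\n' "$1" | iconv -f ASCII -t UTF-16LE | tr -d '\n' | wc -c | tr -d ' '
}

make_cert
CT=$(encrypt_secret "Hello World!")
printf 'ciphertext: %s\n' "$CT"
printf 'decrypted : %s\n' "$(decrypt_secret "$CT")"
```

The decrypted output is bit-for-bit the UTF-16LE plaintext, so the absence of a trailing 0x00 or 0x0A in it is the check that the value will round-trip cleanly through Settings.xml; on a real node the combined PEM goes under /var/lib/sfcerts with ownership that lets sfuser, and only sfuser, read it.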

Next steps

Learn how to Specify encrypted secrets in an application.