Skip to content

安全证书配置

FATE-Serving 2.0.4 版本开始支持TLS双向认证,数据使用方和数据提供方分别作为客户端和服务端,启用TLS认证后双方交互时会进行安全性认证,配置所需文件由服务端生成提供给客户端。要使用TLS,需要以PEM格式指定证书链和私钥。
开启TLS认证需要在serving-proxy组件中配置,配置如下:

服务端配置

• application.properties配置

# only support PLAINTEXT, TLS(we use Mutual TLS here), if use TSL authentication
proxy.grpc.inter.negotiationType=TLS
# only needs to be set when negotiationType is TLS
proxy.grpc.inter.CA.file=/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt
# negotiated server side certificates
proxy.grpc.inter.server.certChain.file=/data/projects/fate-serving/serving-proxy/conf/ssl/server.crt
proxy.grpc.inter.server.privateKey.file=/data/projects/fate-serving/serving-proxy/conf/ssl/server.pem

客户端配置

2.1.0之前:

• application.properties配置

# only support PLAINTEXT, TLS(we use Mutual TLS here), if use TSL authentication
proxy.grpc.inter.negotiationType=TLS
# only needs to be set when negotiationType is TLS
proxy.grpc.inter.CA.file=/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt
# negotiated client side certificates
proxy.grpc.inter.client.certChain.file=/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt
proxy.grpc.inter.client.privateKey.file=/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem

• route_table.json配置

{
  "route_table": {
    "default": {
      "default": [
        {
          "ip": "127.0.0.1",
          "port": 9999,
          "useSSL": true        # 配置对外节点时,需要将useSSL配置成true,client端请求时将携带证书
        }
      ]
    },
      ......
  }
}

2.1.0之后:

由于FATE-Serving要支持多host预测,所以客户端guest方需要在route_table内配置安全证书。

• route_table.json配置如下:

{
  "route_table": {
    "default": {
      "default": [
        {
          "ip": "127.0.0.1",
          "port": 9999,
          "useSSL": true        # 配置对外节点时,需要将useSSL配置成true,client端请求时将携带证书
          "negotiationType": "TLS",
          "certChainFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt ",
          "privateKeyFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem",
          "caFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt"
        }
      ]
    },
    ......
  }
}