Security certificate configuration
Starting with FATE-Serving 2.0.4, TLS mutual authentication is supported. The data user and the data provider act as the client and the server respectively; once TLS is enabled, both sides authenticate each other on every exchange. The files needed for the configuration are generated by the server side and handed to the client. To use TLS, the certificate chain and the private key must be supplied in PEM format.
TLS authentication is enabled in the serving-proxy component with the following configuration:
Server-side configuration
• application.properties configuration
# only PLAINTEXT and TLS are supported (mutual TLS is used here); set TLS to enable TLS authentication
proxy.grpc.inter.negotiationType=TLS
# only needs to be set when negotiationType is TLS
proxy.grpc.inter.CA.file=/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt
# server-side certificate chain and private key (PEM)
proxy.grpc.inter.server.certChain.file=/data/projects/fate-serving/serving-proxy/conf/ssl/server.crt
proxy.grpc.inter.server.privateKey.file=/data/projects/fate-serving/serving-proxy/conf/ssl/server.pem
Client-side configuration
Before 2.1.0:
• application.properties configuration
# only PLAINTEXT and TLS are supported (mutual TLS is used here); set TLS to enable TLS authentication
proxy.grpc.inter.negotiationType=TLS
# only needs to be set when negotiationType is TLS
proxy.grpc.inter.CA.file=/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt
# client-side certificate chain and private key (PEM)
proxy.grpc.inter.client.certChain.file=/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt
proxy.grpc.inter.client.privateKey.file=/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem
• route_table.json configuration
{
  "route_table": {
    "default": {
      "default": [
        {
          "ip": "127.0.0.1",
          "port": 9999,
          "useSSL": true
        }
      ]
    },
    ......
  }
}
When configuring an external node, set useSSL to true so that the client presents its certificate on requests. Note that route_table.json is plain JSON: it does not accept comments, so keep remarks like this one out of the file.
2.1.0 and later:
Because FATE-Serving supports prediction against multiple hosts, the guest (client) side now configures its security certificates per host inside route_table, rather than in application.properties.
• route_table.json configuration:
{
  "route_table": {
    "default": {
      "default": [
        {
          "ip": "127.0.0.1",
          "port": 9999,
          "useSSL": true,
          "negotiationType": "TLS",
          "certChainFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt",
          "privateKeyFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem",
          "caFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt"
        }
      ]
    },
    ......
  }
}
As before, useSSL must be true for an external node so that the client presents its certificate; with it, negotiationType must be "TLS" and all three PEM paths (certChainFile, privateKeyFile, caFile) must be set. Make sure the paths contain no stray whitespace: a trailing space inside the quotes turns into a file-not-found at startup.
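Hand-edited route tables fail in predictable ways: a forgotten comma or a `#` remark makes the file invalid JSON, `useSSL` is switched on without the TLS fields, or a path carries a trailing space. The following validator, written for this page as an added example and not part of FATE-Serving itself, checks a 2.1.0+ route_table.json for exactly those problems. The sample tables embedded in it are constructed for the example; the party id `10000`, the service name `serving`, and the host `10.0.0.5:8879` are placeholders, not values from the documentation.

```python
"""Validator for the TLS fields of a FATE-Serving 2.1.0+ route_table.json.

Added example, not FATE-Serving project code. For every host entry with
"useSSL": true it requires "negotiationType": "TLS" and the three PEM paths
(certChainFile, privateKeyFile, caFile), and rejects paths with stray
whitespace. Sample tables below are constructed for this example.
"""
import json

TLS_FILE_KEYS = ("certChainFile", "privateKeyFile", "caFile")


def check_host(where: str, host: dict) -> list:
    """Return problems found in one host entry; `where` labels the entry."""
    problems = []
    for key in ("ip", "port"):
        if key not in host:
            problems.append(f"{where}: missing '{key}'")
    if not host.get("useSSL"):
        # Plaintext route: TLS files are ignored, and their presence usually
        # means someone forgot to flip useSSL to true.
        if any(k in host for k in TLS_FILE_KEYS):
            problems.append(f"{where}: TLS files set but 'useSSL' is not true")
        return problems
    if host.get("negotiationType") != "TLS":
        problems.append(f"{where}: 'useSSL' is true but 'negotiationType' is not 'TLS'")
    for key in TLS_FILE_KEYS:
        value = host.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{where}: missing '{key}'")
        elif value != value.strip():
            # A trailing space inside the quotes is a silent file-not-found.
            problems.append(f"{where}: '{key}' has leading/trailing whitespace")
    return problems


def validate_route_table(text: str) -> list:
    """Return a list of problem strings for the route table JSON in `text`.

    An empty list means every SSL-enabled host carries a complete TLS block.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # '#' comments and missing commas are the usual causes.
        return [f"invalid JSON: {exc}"]
    table = doc.get("route_table") if isinstance(doc, dict) else None
    if not isinstance(table, dict):
        return ["missing top-level 'route_table' object"]
    problems = []
    for party_id, services in table.items():
        if not isinstance(services, dict):
            problems.append(f"{party_id}: expected an object of services")
            continue
        for service, hosts in services.items():
            where = f"{party_id}/{service}"
            if not isinstance(hosts, list):
                problems.append(f"{where}: expected a list of hosts")
                continue
            for idx, host in enumerate(hosts):
                problems.extend(check_host(f"{where}[{idx}]", host))
    return problems


# Constructed: a correct 2.1.0+ entry, matching the documented layout.
GOOD_ROUTE_TABLE = """{
  "route_table": {"default": {"default": [{
    "ip": "127.0.0.1", "port": 9999, "useSSL": true,
    "negotiationType": "TLS",
    "certChainFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt",
    "privateKeyFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem",
    "caFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt"
  }]}}
}"""

# Constructed: an SSL route missing negotiationType and carrying a trailing
# space in certChainFile (placeholder party id, service name and address).
BAD_ROUTE_TABLE = """{
  "route_table": {"10000": {"serving": [{
    "ip": "10.0.0.5", "port": 8879, "useSSL": true,
    "certChainFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt ",
    "privateKeyFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem",
    "caFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt"
  }]}}
}"""

# Constructed: a '#' remark inside the file, which JSON does not allow.
COMMENTED_ROUTE_TABLE = (
    '{"route_table": {"default": {"default": [{"ip": "127.0.0.1", '
    '"port": 9999, "useSSL": true # client sends its certificate\n}]}}}'
)

if __name__ == "__main__":
    for name, table in (("good", GOOD_ROUTE_TABLE), ("bad", BAD_ROUTE_TABLE),
                        ("commented", COMMENTED_ROUTE_TABLE)):
        print(name, validate_route_table(table) or "ok")
```

Run it against the real file with `validate_route_table(open("route_table.json").read())` before restarting serving-proxy; the checks are purely structural, so existence and readability of the PEM files themselves are still verified by the proxy at startup.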