FATE-Serving 2.0.4 版本开始支持TLS双向认证,数据使用方和数据提供方分别作为客户端和服务端,启用TLS认证后双方交互时会进行安全性认证,配置所需文件由服务端生成提供给客户端。要使用TLS,需要以PEM格式指定证书链和私钥。
开启TLS认证需要在serving-proxy组件中配置,配置如下:
服务端配置¶
• application.properties配置
```yaml
only support PLAINTEXT, TLS(we use Mutual TLS here), if use TSL authentication¶
proxy.grpc.inter.negotiationType=TLS
only needs to be set when negotiationType is TLS¶
proxy.grpc.inter.CA.file=/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt
negotiated server side certificates¶
proxy.grpc.inter.server.certChain.file=/data/projects/fate-serving/serving-proxy/conf/ssl/server.crt proxy.grpc.inter.server.privateKey.file=/data/projects/fate-serving/serving-proxy/conf/ssl/server.pem ```
客户端配置¶
2.1.0之前:¶
• application.properties配置
```yaml
only support PLAINTEXT, TLS(we use Mutual TLS here), if use TSL authentication¶
proxy.grpc.inter.negotiationType=TLS
only needs to be set when negotiationType is TLS¶
proxy.grpc.inter.CA.file=/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt
negotiated client side certificates¶
proxy.grpc.inter.client.certChain.file=/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt proxy.grpc.inter.client.privateKey.file=/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem ```
• route_table.json配置
json
{
"route_table": {
"default": {
"default": [
{
"ip": "127.0.0.1",
"port": 9999,
"useSSL": true # 配置对外节点时,需要将useSSL配置成true,client端请求时将携带证书
}
]
},
......
}
}
2.1.0之后:¶
由于FATE-Serving要支持多host预测,所以客户端guest方需要在route_table内配置安全证书。
• route_table.json配置如下: ```json { "route_table": { "default": { "default": [ { "ip": "127.0.0.1", "port": 9999, "useSSL": true # 配置对外节点时,需要将useSSL配置成true,client端请求时将携带证书 "negotiationType": "TLS", "certChainFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.crt ", "privateKeyFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/client.pem", "caFile": "/data/projects/fate-serving/serving-proxy/conf/ssl/ca.crt" } ] }, ...... } }
```