Simple encryption with Akka SSL

There are several Stack Overflow questions about Akka, SSL, and certificate management for providing secure (encrypted) peer-to-peer communication between Akka actors.

Akka's remoting documentation ( http://doc.akka.io/docs/akka/current/scala/remoting.html ) cites this resource as an example of how to create X.509 certificates.

http://typesafehub.imtqy.com/ssl-config/CertificateGeneration.html#generating-a-server-ca

Because the peers run on internal servers, the CA and server generation for example.com (or indeed any DNS name) seems irrelevant. Most servers (for example, EC2 instances on Amazon Web Services) will run in a VPC, and the Akka remote addresses will be private IP addresses, such as

    remote = "akka.tcp://sampleActorSystem@172.16.0.10:2553"

My understanding is that it should be possible to create a self-signed certificate and a trust store that is shared by all peers.

As Akka nodes are brought online, they should (I suppose) be able to use the same signed certificate and the same trust store as all other peers. I also assume there is no need to trust every peer server via an ever-growing list of certificates, even without a certificate authority, as the trust store verifies this one certificate and prevents man-in-the-middle attacks.

The ideal solution, and my hope, is to be able to create a single self-signed certificate without CA steps and a single trust store file, and share them between any combination of Akka remotes / clients (a client calling a remote, and remote to remote, that is, all peers).

There should be a simple process for creating certificates for simple internal encryption and client authentication (simply trusting all peer servers in the same way).

Question: can these be the same file on each peer, ensuring that they talk only to trusted clients and enabling encryption?

    key-store = "/example/path/to/mykeystore.jks"
    trust-store = "/example/path/to/mytruststore.jks"

Question: Are the X.509 instructions above overkill here? Is there a simpler self-signed certificate / truststore approach without CA steps? In particular for internal IP addresses (without DNS), and without a constantly growing list of IP addresses in the certificate, since servers can automatically scale up and down.

1 answer

Firstly, I must admit that I do not know Akka, but I can give you recommendations on identification with X.509 certificates in SSL.

Akka server configuration requires an SSL certificate bound to the host name

You will need a server with a DNS host name to verify the host name. In this example, we assume the host name is example.com.

An SSL certificate can be tied to a DNS name or to an IP address (less common). For client verification to succeed, it must match the server's IP / host name.

Akka requires a certificate for each server, issued by a common CA:

    CA
      - server1: server1.yourdomain.com (or IP1)
      - server2: server2.yourdomain.com (or IP2)

To simplify server deployment, you can use a wildcard certificate for *.yourdomain.com:

    CA
      - server1: *.yourdomain.com
      - server2: *.yourdomain.com

On the client side, you need to configure a trust store containing the CA certificate (its public key) in JKS format. The client will then trust any certificate issued by this CA.

In the described scheme, I think that you do not need a keystore. It is necessary only when you also want to identify the client with a certificate. An encrypted SSL channel will be established in either case.

If you do not have a domain name such as yourdomain.com and you want to use internal IP addresses, I suggest issuing a certificate for each server and binding it to that server's IP address.

Depending on how Akka verifies the server certificate, a single self-signed certificate could be used for all servers. Akka probably relies on the JVM's default trust configuration. If you include a self-signed certificate in the trust store (rather than a CA), then the SSL socket factory will trust connections presenting this certificate even if it has expired, or if the server host name and the certificate do not match. I do not recommend it.

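As an added example (not part of the question or the answer above, and not Akka project code), the following POSIX shell script carries the answer's recommendation through with the JDK's keytool: one internal CA, one keystore per node whose certificate is bound to the node's private IP via an IP subject alternative name, and a single shared truststore that contains only the CA certificate. That last point addresses the question's scaling concern: a node added later gets a certificate signed by the same CA, and no peer's truststore changes. The node names, IP addresses, password and output directory are constructed values for this example; the script needs a JDK (keytool) on PATH and prints a message instead of failing when none is present.

```shell
#!/bin/sh
# Internal CA + per-node IP-bound certificates + shared CA-only truststore, via keytool.
# All names, IPs and the password below are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # where the .jks files are written
PASS="example-store-password"        # constructed; never reuse this in production

# Create the internal CA: a self-signed key pair marked as a CA (basic constraints)
# with key usage restricted to signing certificates and CRLs.
make_ca() {
  keytool -genkeypair -storetype JKS -keystore "$WORKDIR/ca.jks" \
    -storepass "$PASS" -keypass "$PASS" -alias internal-ca \
    -keyalg RSA -keysize 2048 -validity 3650 -dname "CN=Internal Akka CA" \
    -ext "bc:c=ca:true,pathlen:0" -ext "ku:c=keyCertSign,cRLSign"
  # Export only the CA certificate (public part) for distribution to peers.
  keytool -exportcert -storetype JKS -keystore "$WORKDIR/ca.jks" \
    -storepass "$PASS" -alias internal-ca -rfc -file "$WORKDIR/ca.pem"
}

# Create one node's keystore: its own key pair plus a CA-signed certificate whose
# subject alternative name is the node's IP address (no DNS name required).
make_node_keystore() {
  node="$1"; ip="$2"; ks="$WORKDIR/$node-keystore.jks"
  keytool -genkeypair -storetype JKS -keystore "$ks" -storepass "$PASS" -keypass "$PASS" \
    -alias "$node" -keyalg RSA -keysize 2048 -validity 825 -dname "CN=$node" \
    -ext "san=ip:$ip"
  keytool -certreq -storetype JKS -keystore "$ks" -storepass "$PASS" \
    -alias "$node" -file "$WORKDIR/$node.csr"
  # The CA signs the request; the SAN is restated here because the CA, not the
  # requester, decides what ends up in the issued certificate.
  keytool -gencert -storetype JKS -keystore "$WORKDIR/ca.jks" -storepass "$PASS" \
    -alias internal-ca -infile "$WORKDIR/$node.csr" -outfile "$WORKDIR/$node.pem" \
    -rfc -validity 825 -ext "san=ip:$ip" \
    -ext "ku:c=digitalSignature,keyEncipherment" -ext "eku=serverAuth,clientAuth"
  # Import the CA first so keytool can chain the signed reply to it.
  keytool -importcert -noprompt -storetype JKS -keystore "$ks" -storepass "$PASS" \
    -alias internal-ca -file "$WORKDIR/ca.pem"
  keytool -importcert -noprompt -storetype JKS -keystore "$ks" -storepass "$PASS" \
    -alias "$node" -file "$WORKDIR/$node.pem"
}

# The shared truststore holds only the CA certificate. Adding a node later does
# not touch this file, so it can be baked into every image once.
make_truststore() {
  keytool -importcert -noprompt -storetype JKS -keystore "$WORKDIR/truststore.jks" \
    -storepass "$PASS" -alias internal-ca -file "$WORKDIR/ca.pem"
}

# Check: does node $1's certificate carry an IP SAN for $2? (exit 0 = yes)
node_cert_has_ip() {
  keytool -list -v -storetype JKS -keystore "$WORKDIR/$1-keystore.jks" \
    -storepass "$PASS" -alias "$1" | grep -q "IPAddress: $2"
}

# Check: number of trusted certificate entries in the shared truststore (expect 1).
truststore_entry_count() {
  keytool -list -storetype JKS -keystore "$WORKDIR/truststore.jks" \
    -storepass "$PASS" | grep -c 'trustedCertEntry'
}

if command -v keytool >/dev/null 2>&1; then
  make_ca
  make_node_keystore node1 172.16.0.10
  make_node_keystore node2 172.16.0.11
  make_truststore
  echo "keystores and truststore written to $WORKDIR"
  # Each node then points Akka classic remoting at its own keystore and the shared
  # truststore, e.g. under akka.remote.netty.ssl.security:
  #   key-store   = "<WORKDIR>/node1-keystore.jks"
  #   trust-store = "<WORKDIR>/truststore.jks"
else
  echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

Two practical notes. Because the truststore contains only the CA, a peer is accepted only if its certificate chains to that CA and its IP SAN matches the address being dialled, which is exactly the hostname-mismatch and expiry checking that the answer warns is lost when a bare self-signed leaf certificate is placed in the truststore. And passing -storepass on the command line exposes the password in process listings; outside a demonstration, keytool's -storepass:env or -storepass:file forms keep it out of the argument list.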

Source: https://habr.com/ru/post/1260796/
