mirror of
https://github.com/taosdata/TDengine
synced 2026-05-24 10:09:01 +00:00
* feat(docs): security demos and connector docs update
  - add JDBC security demo implementations and rotation helpers (SecurityPoolDemo, SecurityTmqDemo, NacosSecurityDemo, SecurityUtils, TmqRotationManager)
  - add validation artifacts (NacosSecurityDemoTest and TEST-VALIDATION.md)
  - add new zh/en security guides: connector-security-best-practices and ssl-configuration-guide
  - sync zh/en TMQ and Java connector reference docs for token/SSL guidance
  - add demo env/cert support files and related project config updates
* fix(security): align rotation logic and update connector security docs
  - fix NacosSecurityDemo TMQ rotation call to pass currentToken for duplicate-token guard
  - tighten step1 token validation and remove shaded StringUtil dependency
  - align SecurityUtils masking/auth detection with tests and rename test class accordingly
  - sync zh/en connector-security-best-practices Node.js token and REST API examples
  - refine demo env and pool/rotation guard checks
* docs(jdbc): harden security rotation demos and cleanup nacos client
  - unify security connection error handling for token/TLS failures
  - fetch TMQ token from Nacos and close ConfigService on shutdown
  - encode bearer token in JDBC URL and add regression tests
  - align dependency versions and localhost defaults in examples
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update docs/zh/07-develop/connector-security-best-practices.md
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update docs/zh/07-develop/connector-security-best-practices.md
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* docs(jdbc): clarify cert generation working directory
  Agent-Logs-Url: https://github.com/taosdata/TDengine/sessions/60de2a08-9962-4bda-8e35-b75687ab4856
  Co-authored-by: sheyanjie-qq <57549981+sheyanjie-qq@users.noreply.github.com>
* docs: fix token parsing snippet and SAN guidance
  Update zh/en connector security docs to use robust multi-line token parsing examples with explicit missing-token handling. Update zh/en SSL guide to document SAN requirements and provide an openssl SAN generation example, plus typo correction (Widgets).
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: update JDBC cert README
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(jdbc-security): align TMQ rotation behavior and docs
  - add auth-failure recovery rotation path for TMQ consumer
  - tighten auth/TLS error matching and short-token masking
  - align zh/en TMQ state diagram and trigger wording with runtime behavior
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(jdbc-security): fail fast for blank bearer token URLs
  Agent-Logs-Url: https://github.com/taosdata/TDengine/sessions/290f50cd-c3a5-4672-932a-a2eecb2ff441
  Co-authored-by: sheyanjie-qq <57549981+sheyanjie-qq@users.noreply.github.com>
* refactor(jdbc-security): scope URL encoding helper to token usage
  Agent-Logs-Url: https://github.com/taosdata/TDengine/sessions/290f50cd-c3a5-4672-932a-a2eecb2ff441
  Co-authored-by: sheyanjie-qq <57549981+sheyanjie-qq@users.noreply.github.com>
* chore: revert unintended springboot wrapper file changes
  Agent-Logs-Url: https://github.com/taosdata/TDengine/sessions/290f50cd-c3a5-4672-932a-a2eecb2ff441
  Co-authored-by: sheyanjie-qq <57549981+sheyanjie-qq@users.noreply.github.com>
* Update docs/examples/JDBC/JDBCDemo/src/main/java/com/taos/example/security/SecurityTmqDemo.java
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update docs/examples/JDBC/JDBCDemo/.env.example
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* chore: update docs/examples/JDBC/JDBCDemo gitignore file
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: sheyanjie <yjshe@taosdata.com>
3.9 KiB
| title | sidebar_label |
|---|---|
| TDengine SSL Configuration Guide | SSL Configuration Guide |

# TDengine SSL Configuration Guide

This guide covers the SSL/TLS infrastructure on the TDengine server side: generating certificates and configuring the taosAdapter service.

:::note Application-layer security
For client-side SSL/TLS (TrustStore, wss/useSSL, REST HTTPS), token authentication, dynamic rotation, connection pool management and other application-layer security practices, see Connector Security Best Practices.
:::
## 1. Generate a self-signed certificate

### 1.1 Generate the private key

```bash
# Generate a 2048-bit RSA private key
openssl genrsa -out server.key 2048
```
### 1.2 Generate the certificate signing request (CSR)

```bash
# Generate the CSR interactively
openssl req -new -key server.key -out server.csr
# Fill in the prompts (important: Common Name must be the IP address or domain name of your server)
# The values below are examples; adjust them to your environment:
#
# Country Name (2 letter code) [AU]: <YOUR_COUNTRY_CODE>   # example: CN
# State or Province Name (full name) [Some-State]: <YOUR_STATE>   # example: Beijing
# Locality Name (eg, city) []: <YOUR_CITY>   # example: Beijing
# Organization Name (eg, company) [Internet Widgets Pty Ltd]: <YOUR_ORG>   # example: YourCompany
# Organizational Unit Name (eg, section) []: <YOUR_UNIT>   # example: IT Department
# Common Name (e.g. server FQDN or YOUR name) []: <YOUR_SERVER_IP_OR_DOMAIN>   # important! example: 192.168.1.100 or tdserver.example.com
# Email Address []: <YOUR_EMAIL>   # example: admin@example.com
```
:::tip Key settings
- Common Name (CN): must be the server IP address or domain name that clients use to connect
- Subject Alternative Name (SAN): must include the domain name/IP that clients actually connect with (modern TLS clients usually verify the SAN first)
- If clients connect using `192.168.1.100`, the CN should be `192.168.1.100`
- If clients connect using `tdserver.example.com`, the CN should be `tdserver.example.com`
:::
### 1.3 Generate the self-signed certificate (valid for 365 days)

```bash
# Recommended: add the SAN explicitly (replace the example domain/IP with the address clients actually connect to)
cat > san.ext <<'EOF'
subjectAltName=DNS:tdserver.example.com,IP:192.168.1.100
EOF
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile san.ext
```
### 1.4 Copy the certificate and key to the TDengine configuration directory

```bash
# Assuming the TDengine configuration directory is /etc/taos
sudo cp server.crt /etc/taos/
sudo cp server.key /etc/taos/
sudo chown taos:taos /etc/taos/server.crt /etc/taos/server.key
sudo chmod 600 /etc/taos/server.key
```
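Steps 1.1 to 1.4 as one non-interactive script, with the checks a practitioner would run before handing the files to taosAdapter: the SAN really contains the connection address, the certificate belongs to the private key, and the key is owner-readable only. This is an added example, not part of the TDengine documentation or the project's code. It assumes `openssl` is installed; `SERVER_NAME`, `SERVER_IP`, `OUT_DIR` and `INSTALL_DIR` are placeholder values to replace with your own.

```bash
#!/bin/sh
# Added example (not from the TDengine docs): non-interactive version of steps
# 1.1-1.4 that puts the client-facing address in both CN and SAN, installs the
# files with the documented permissions, and verifies the result.
# Assumed placeholders: SERVER_NAME, SERVER_IP, OUT_DIR, INSTALL_DIR.

SERVER_NAME="${SERVER_NAME:-tdserver.example.com}"   # placeholder domain
SERVER_IP="${SERVER_IP:-192.168.1.100}"               # placeholder IP
OUT_DIR="${OUT_DIR:-./tls-out}"                       # working directory
INSTALL_DIR="${INSTALL_DIR:-/etc/taos}"               # TDengine config directory

# Steps 1.1-1.3: private key, CSR and self-signed certificate; the SAN lists
# both the DNS name and the IP so either form of connection address verifies.
gen_server_cert() {
  mkdir -p "$OUT_DIR" || return 1
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$SERVER_NAME" "$SERVER_IP" > "$OUT_DIR/san.ext"
  openssl genrsa -out "$OUT_DIR/server.key" 2048 2>/dev/null || return 1
  # -subj replaces the interactive prompts; CN is the name clients connect to
  openssl req -new -key "$OUT_DIR/server.key" -subj "/CN=$SERVER_NAME" \
    -out "$OUT_DIR/server.csr" || return 1
  openssl x509 -req -days 365 -in "$OUT_DIR/server.csr" -signkey "$OUT_DIR/server.key" \
    -out "$OUT_DIR/server.crt" -extfile "$OUT_DIR/san.ext" 2>/dev/null || return 1
  chmod 600 "$OUT_DIR/server.key"
}

# True when the certificate's SAN contains the given entry, e.g. "DNS:host"
# or "IP Address:1.2.3.4" (the spelling used in `openssl x509 -text` output).
cert_has_san() {
  openssl x509 -in "$OUT_DIR/server.crt" -noout -text | grep -F -q -- "$1"
}

# True when the public key in the certificate belongs to the private key
# (catches a stale server.crt copied next to a freshly generated server.key).
cert_matches_key() {
  c=$(openssl x509 -in "$OUT_DIR/server.crt" -noout -modulus)
  k=$(openssl rsa -in "$OUT_DIR/server.key" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the file is mode 600 (owner read/write only); portable across GNU and BSD ls.
key_is_owner_only() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Step 1.4: copy into the config directory and lock down the private key
# (run as root; ownership taos:taos as in the guide).
install_server_cert() {
  cp "$OUT_DIR/server.crt" "$OUT_DIR/server.key" "$INSTALL_DIR/" || return 1
  chown taos:taos "$INSTALL_DIR/server.crt" "$INSTALL_DIR/server.key" || return 1
  chmod 600 "$INSTALL_DIR/server.key"
}

# Everything the guide's tip asks for, checked before taosAdapter is touched.
verify_server_cert() {
  cert_has_san "DNS:$SERVER_NAME" || { echo "SAN lacks DNS:$SERVER_NAME"; return 1; }
  cert_has_san "IP Address:$SERVER_IP" || { echo "SAN lacks IP:$SERVER_IP"; return 1; }
  cert_matches_key || { echo "server.crt does not match server.key"; return 1; }
  key_is_owner_only "$OUT_DIR/server.key" || { echo "server.key is not mode 600"; return 1; }
  echo "certificate OK for $SERVER_NAME / $SERVER_IP"
}

case "${1:-}" in
  generate) gen_server_cert && verify_server_cert ;;
  install)  install_server_cert ;;
esac
```

Run `sh make-cert.sh generate` (any file name works) to produce and verify the files under `OUT_DIR`, then `sudo sh make-cert.sh install` to place them in the configuration directory. The modulus comparison is the quickest way to confirm that the `server.crt` and `server.key` taosAdapter will load are a matching pair.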
## 2. Configure the TDengine server manually

:::info WebSocket SSL configuration
This document applies to WebSocket connections; SSL is configured on the taosAdapter service.
:::

### 2.1 Edit taosadapter.toml

```bash
sudo vi /etc/taos/taosadapter.toml
```
### 2.2 Enable SSL in the configuration file

```toml
[ssl]
# Enable SSL. Applicable for the Enterprise Edition.
enable = true
# Paths to the certificate and key files (adjust to their actual location)
certFile = "/path/to/your/server.crt"  # example: /etc/taos/server.crt
keyFile = "/path/to/your/server.key"   # example: /etc/taos/server.key
```
:::tip About the paths
- If you copied the certificate to `/etc/taos/` in step 1.4, use the example paths shown above
- If you used a different location, adjust the values of `certFile` and `keyFile` accordingly
- Make sure the certificate and private key files have the correct permissions (the private key file should be mode 600)
:::
### 2.3 Restart the taosAdapter service

```bash
sudo systemctl restart taosadapter
# Verify that the service started normally
sudo systemctl status taosadapter
```
### 2.4 Check the log to confirm SSL is enabled

```bash
journalctl -u taosadapter -n 50
# You should see a log line similar to:
# SSL is enabled
```
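A preflight check for steps 2.2 to 2.4, added here as an example (it is not part of the TDengine documentation or of taosAdapter): it reads the `[ssl]` table of `taosadapter.toml`, confirms `enable = true`, that `certFile` and `keyFile` point at existing files, and that the private key is mode 600, so that a typo in a path or a forgotten `chmod` is caught before `systemctl restart taosadapter` rather than found in the log afterwards. The key names are the ones shown above; the awk parser is an assumption that is sufficient for this file, not a full TOML implementation, and the log check expects the `SSL is enabled` line the guide mentions.

```bash
#!/bin/sh
# Added example, not part of the TDengine docs or taosAdapter: preflight for the
# [ssl] table of taosadapter.toml. Assumptions: keys enable/certFile/keyFile as
# shown in the guide; a minimal awk TOML reader (no multi-line values, a '#' in
# a path is treated as a comment).

# Print the value of one key inside the [ssl] table. Keys of the same name in
# other tables are ignored; surrounding quotes and trailing comments are stripped.
ssl_value() {
  awk -v key="$1" '
    /^[[:space:]]*\[/ { in_ssl = ($0 ~ /^[[:space:]]*\[ssl\]/); next }
    in_ssl {
      line = $0
      sub(/#.*/, "", line)
      n = index(line, "=")
      if (n == 0) next
      k = substr(line, 1, n - 1); gsub(/[[:space:]]/, "", k)
      if (k != key) next
      v = substr(line, n + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      gsub(/^"|"$/, "", v)
      print v; exit
    }' "$2"
}

# Return 0 when the [ssl] table is usable; print every problem found, not just the first.
check_adapter_ssl() {
  toml="$1"; rc=0
  enable=$(ssl_value enable "$toml")
  cert=$(ssl_value certFile "$toml")
  key=$(ssl_value keyFile "$toml")
  [ "$enable" = "true" ] || { echo "ssl.enable is '${enable:-unset}', expected true"; rc=1; }
  [ -n "$cert" ] && [ -f "$cert" ] || { echo "certFile '${cert:-unset}' not found"; rc=1; }
  [ -n "$key" ] && [ -f "$key" ] || { echo "keyFile '${key:-unset}' not found"; rc=1; }
  if [ -f "$key" ]; then
    # mode string only (cut -c1-10 drops the ACL/SELinux marker some systems append)
    mode=$(ls -l "$key" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "keyFile mode is '$mode', expected -rw------- (600)"; rc=1; }
  fi
  return $rc
}

# Step 2.4: read recent adapter log lines from stdin, succeed if SSL came up.
log_shows_ssl_enabled() {
  grep -q "SSL is enabled"
}

# Usage: sh preflight.sh /etc/taos/taosadapter.toml
if [ -n "${1:-}" ]; then
  check_adapter_ssl "$1"
fi
```

After the restart, `journalctl -u taosadapter -n 50 | log_shows_ssl_enabled` (with the script sourced) gives a yes/no answer suitable for an automation step; the preflight itself needs read access to the private key, so run it as root or as the `taos` user.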
## 3. Configure the client

Client-side SSL/TLS (TrustStore, wss/useSSL, REST HTTPS) is now documented in one place, the Connector Security Best Practices guide.
For token authentication, dynamic rotation and connection pool security practices, see that document as well.