The Nacos engine supports Transport Layer Security (TLS) to protect data in transit. TLS is the standard cryptographic protocol for securing network communications. After the TLS feature is enabled, data exchanged between Nacos clients and servers is encrypted, which prevents configuration and service registration data from being read or tampered with on the network path. Note that encryption alone does not authenticate the server: whether the client verifies the server certificate depends on the trustAll and trustCollectionChainPath parameters described below.
Prerequisites
Microservices Engine (MSE) is activated. For more information, see Activate MSE.
A Nacos engine of version 2.1.2.1 or later is created. For more information, see Create a Nacos engine. If the engine version is earlier than 2.1.2.1, upgrade the engine to 2.1.2.1 or later. For more information about how to upgrade an engine version, see Update a Nacos version.
The Java Development Kit (JDK) version is 8u252 or later.
Note: JDKs of versions earlier than 8u252 are incompatible with this TLS feature, because the Nacos gRPC channel negotiates HTTP/2 over TLS through ALPN, which the JDK SSL provider supports only from 8u252 onward. Upgrade such JDKs to 8u252 or later. If the JDK cannot be upgraded, use a Nacos client that is not bundled with JDKs and let OpenSSL act as the SSL provider. For more information, see How do I use Nacos clients unbundled with JDKs? in this topic.
If you use a Nacos client that is not bundled with JDKs and want OpenSSL as the SSL provider, you must remove the nacos.remote.client.rpc.tls.provider parameter (that is, do not set it to JDK). Because the dependencies of such clients (for example gRPC and Netty) are not shaded, you may also need to resolve dependency conflicts with your application.
Step 1: Modify Nacos parameters
Log on to the MSE console, and select a region in the top navigation bar.
In the left-side navigation pane, choose Microservices Registry > Instances. Click the name of the instance.
In the left-side navigation pane, click Parameter Settings. On the page that appears, click Edit, set the TLSEnabled parameter to Yes, and then click Save and Restart Instance.
After the Nacos instance restarts, the server accepts TLS connections from TLS-enabled Nacos clients.
Step 2: Upgrade the Nacos client
Nacos clients of version 2.2.3 or later support TLS.
Upgrade the Nacos client to 2.2.3 or later. Sample Maven dependency:
<dependency>
    <groupId>com.alibaba.nacos</groupId>
    <artifactId>nacos-client</artifactId>
    <version>2.2.3</version>
</dependency>
Configure TLS-related parameters to enable TLS.
You can configure TLS-related parameters by using the following methods, listed in order of precedence: .properties files > JVM parameters > environment variables. Select a method based on your business requirements.
Use .properties files. When you create a NacosConfigService or NacosNamingService, specify the TLS-related parameters in the Properties object that you pass in:
properties.put("nacos.remote.client.rpc.tls.enable", "true");
properties.put("nacos.remote.client.rpc.tls.trustAll", "true");
properties.put("nacos.remote.client.rpc.tls.provider", "JDK");
This method takes precedence over JVM parameters and environment variables, and it is scoped to the instance: you can configure TLS-related parameters separately for each NacosConfigService and NacosNamingService.
Note that trustAll=true makes the client accept any certificate the server presents. Traffic is encrypted, but the server is not authenticated, so this setting does not protect against an attacker who can intercept the connection and present a certificate of their own. Use it to validate the setup, and replace it with a trusted CA file (the nacos.remote.client.rpc.tls.trustCollectionChainPath parameter; see Why do clients use the trust-all mode? in this topic) before relying on TLS in production.
Configure JVM parameters.
-Dnacos.remote.client.rpc.tls.enable=true
-Dnacos.remote.client.rpc.tls.trustAll=true
-Dnacos.remote.client.rpc.tls.provider=JDK
This method works at the Java virtual machine (JVM) process level. Within a JVM process, TLS-related JVM parameters take effect for every NacosConfigService and NacosNamingService for which the same parameter is not specified in the .properties file.
Configure environment variables.
nacos_remote_client_rpc_tls_enable=true
nacos_remote_client_rpc_tls_trustAll=true
nacos_remote_client_rpc_tls_provider=JDK
This method works at the environment level of the host or container: the variables apply to every JVM process started in that environment. A TLS-related environment variable takes effect only when the same parameter is not specified as a JVM parameter or in the .properties file.
Confirm that TLS is enabled.
View the startup logs of the Nacos client.
When the Nacos client starts, it writes its connection parameters to the remote.log file in the {user.home}/logs/nacos/ directory. Sample line:
2023-04-06 09:56:56.539 INFO [com.alibaba.nacos.client.Worker:c.a.n.c.r.c.g.GrpcClient] grpc client connection server:mse-xxx.nacos-ans.mse.aliyuncs.com ip,serverPort:9848,grpcTslConfig:{"sslProvider":"","enableTls":true,"mutualAuthEnable":false,"trustAll":true}
"enableTls":true indicates that TLS is enabled on the client. If the client starts successfully and NacosConfigService reads and writes data as expected, data is exchanged over TLS. Also check the trustAll field in the same line: "trustAll":true means the client is not verifying the server certificate.
Run the tcpdump command to capture packets.
Run tcpdump on the client host and capture the gRPC port (9848) to a file. In the following command, the capture is written to the tcptrace.cap file in the /tmp/ directory; you can choose another file name and directory. The port is given as a capture filter expression:
sudo tcpdump -i any -w /tmp/tcptrace.cap tcp port 9848
Open the file in a packet analysis tool such as Wireshark. If the stream on port 9848 decodes as TLS records (display filter: tls), beginning with a Client Hello after the TCP handshake, TLS is enabled. If the payload is readable plaintext, the client is not using TLS.
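The complete client-side procedure in Java, as an added example that is not code from this page or from the Nacos project: it builds the Properties for the trust-all setting shown above next to a hardened variant that pins the MSE CA through nacos.remote.client.rpc.tls.trustCollectionChainPath (the parameter described under Why do clients use the trust-all mode? in the FAQ), then creates a NacosConfigService and reads one configuration item. The server address, namespace, credentials, dataId, group and CA file path are placeholders (assumptions) that you must replace with your own values.

```java
import java.util.Properties;

import com.alibaba.nacos.api.NacosFactory;
import com.alibaba.nacos.api.PropertyKeyConst;
import com.alibaba.nacos.api.config.ConfigService;
import com.alibaba.nacos.api.exception.NacosException;

/**
 * Added example: creates a TLS-enabled NacosConfigService in two ways
 * (trust-all versus pinned CA) and reads one configuration item.
 * Every endpoint, namespace, credential and dataId value below is a
 * placeholder (assumption), not a value taken from the documentation.
 */
public class NacosTlsClientExample {

    // Placeholders: replace with your MSE Nacos endpoint and identifiers.
    private static final String SERVER_ADDR = "mse-xxx.nacos-ans.mse.aliyuncs.com:8848";
    private static final String NAMESPACE = "public";            // namespace ID
    private static final String DATA_ID = "example.properties";
    private static final String GROUP = "DEFAULT_GROUP";

    /** Connection settings shared by both variants. */
    private static Properties baseProperties() {
        Properties p = new Properties();
        p.put(PropertyKeyConst.SERVER_ADDR, SERVER_ADDR);
        p.put(PropertyKeyConst.NAMESPACE, NAMESPACE);
        // Nacos authentication credentials, if the engine requires them (placeholders).
        p.put(PropertyKeyConst.USERNAME, "nacos");
        p.put(PropertyKeyConst.PASSWORD, "change-me");
        return p;
    }

    /**
     * Quick but weak: encrypts the gRPC channel but accepts ANY server
     * certificate, so the server is not authenticated. Suitable only for a
     * first connectivity check, not for production.
     */
    static Properties trustAllProperties() {
        Properties p = baseProperties();
        // Values must be String; a Boolean value is not read by the client.
        p.put("nacos.remote.client.rpc.tls.enable", "true");
        p.put("nacos.remote.client.rpc.tls.trustAll", "true");
        p.put("nacos.remote.client.rpc.tls.provider", "JDK");
        return p;
    }

    /**
     * Hardened: the client verifies the server certificate chain against a
     * pinned CA file (PEM). trustAll must be false for the CA file to be used,
     * and the path carries the "file:" prefix used by Nacos.
     */
    static Properties pinnedCaProperties(String caPemPath) {
        Properties p = baseProperties();
        p.put("nacos.remote.client.rpc.tls.enable", "true");
        p.put("nacos.remote.client.rpc.tls.trustAll", "false");
        p.put("nacos.remote.client.rpc.tls.provider", "JDK");
        p.put("nacos.remote.client.rpc.tls.trustCollectionChainPath", "file:" + caPemPath);
        return p;
    }

    public static void main(String[] args) throws NacosException {
        // Pass the CA file path as the first argument to use the pinned-CA variant.
        Properties props = args.length > 0 ? pinnedCaProperties(args[0]) : trustAllProperties();

        ConfigService configService = NacosFactory.createConfigService(props);
        try {
            // With tls.enable=true, a successful read means the gRPC channel came
            // up over TLS; the grpcTslConfig line in {user.home}/logs/nacos/remote.log
            // shows which trust settings were actually applied.
            String content = configService.getConfig(DATA_ID, GROUP, 5000L);
            System.out.println("server status: " + configService.getServerStatus());
            System.out.println("config content: " + content);
        } finally {
            configService.shutDown();
        }
    }
}
```

Run it without arguments to reproduce the trust-all setup from Step 2, and with the path of the MSE CA certificate as the only argument to switch to server authentication. If the engine does not have TLS enabled, both variants fail with the NotSslRecordException described in the FAQ.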
FAQ
How do I use Nacos clients unbundled with JDKs?
Add the related dependencies. Sample dependencies:
<dependency>
<groupId>com.alibaba.nacos</groupId>
<artifactId>nacos-client</artifactId>
<version>2.2.3</version>
<classifier>pure</classifier>
</dependency>
<dependency>
<groupId>com.alibaba.nacos</groupId>
<artifactId>nacos-common</artifactId>
<version>2.2.3</version>
</dependency>
<dependency>
<groupId>com.alibaba.nacos</groupId>
<artifactId>nacos-api</artifactId>
<version>2.2.3</version>
</dependency>
Do Nacos clients of versions earlier than 2.2.3 support TLS after TLS is enabled for the Nacos engine?
Nacos clients of versions earlier than 2.2.3 do not support TLS in this case. You must upgrade the versions of the Nacos clients to 2.2.3 or later.
Is the TLS-enabled Nacos engine compatible with Nacos clients of versions earlier than 2.2.3?
Yes. By default, a TLS-enabled Nacos engine still accepts connections from Nacos clients of versions earlier than 2.2.3, which do not support TLS and therefore connect without it. Enabling TLS on the engine does not by itself force encryption; each client must be upgraded and configured as described in Step 2: Upgrade the Nacos client.
Do MSE Nacos instances support one-way TLS or mTLS?
MSE Nacos instances support one-way TLS. The client authenticates the server, but the server does not authenticate the client.
Why do clients use the trust-all mode?
The trust-all mode provides a simple way for clients to enable TLS: the client encrypts the connection but accepts whatever certificate the server presents, so it does not verify that it is talking to the genuine MSE server. If you have higher security requirements, join the DingTalk group (ID: 43525005207) to contact MSE technical support engineers, obtain the MSE official CA certificate, and configure it as the trusted CA file with the trustAll parameter set to false. Formats of the TLS-related parameter:
.properties files:
nacos.remote.client.rpc.tls.trustCollectionChainPath=file:{filePath}
JVM parameters:
-Dnacos.remote.client.rpc.tls.trustCollectionChainPath=file:{filePath}
Environment variables:
nacos_remote_client_rpc_tls_trustCollectionChainPath=file:{filePath}
Parameter priorities: .properties files > JVM parameters > environment variables.
Why do TLS-related parameters specified in the .properties file not take effect?
If you specify TLS-related parameters in the .properties file (the Properties object passed to the client), the values must be of the String type. Boolean values are not read, because Properties.getProperty returns null for any value that is not a String, so the parameter behaves as if it were not set.
Correct example:
properties.put("nacos.remote.client.rpc.tls.enable", "true");
Incorrect example:
properties.put("nacos.remote.client.rpc.tls.enable", true);
What do I do if NotSslRecordException: not an SSL/TLS record is logged on my Nacos client?
The message means that the client expected a TLS record but the server answered in plaintext, which happens when TLS is enabled on the client but not on the server. To address this issue, enable TLS for the server. For more information, see Step 1: Modify Nacos parameters in this topic.