标准配置文件
# Vault server configuration: web UI, advertised addresses, raft storage,
# a TLS listener and (optional) telemetry.
ui = true
# Addresses advertised to clients and to other raft members.
api_addr = "https://10.10.100.95:8200"
cluster_addr = "https://10.10.100.95:8201"
# Integrated (raft) storage, single node identified by node_id.
storage "raft" {
path = "/app/vault/data"
node_id = "hadoop-drill-nn-1"
}
# TLS listener. The certificate path is the same fullchain.pem the notes
# generate below, i.e. presumably the self-signed one; clients then have to
# trust it explicitly (VAULT_CACERT / -ca-cert) rather than skip verification.
listener "tcp" {
address = "10.10.100.95:8200"
tls_cert_file = "/app/vault/cert/fullchain.pem"
tls_key_file = "/app/vault/cert/privkey.pem"
}
# Optional: metrics export to a statsite endpoint.
telemetry {
statsite_address = "10.10.100.95:8125"
disable_hostname = true
}
生成密钥
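# Generate the listener's RSA private key. The key file must not be readable
# by other users, so create it under a restrictive umask; the subshell keeps
# the umask change from affecting the rest of the session.
(umask 077 && openssl genpkey -algorithm RSA -out privkey.pem)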
创建一个配置文件 (openssl.cnf):
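[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = 10.10.100.95

[v3_req]
# digitalSignature is needed for ECDHE key exchange, which is what a current
# TLS stack negotiates; without it, clients that check key usage (Java's trust
# manager does) reject the certificate even when it is otherwise trusted.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
# The IP SAN is what clients match against; the CN alone is not enough.
subjectAltName = @alt_names

[alt_names]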
IP.1 = 10.10.100.95
生成证书签名请求 (CSR):
# Build the CSR from the private key and the request config (CN + SAN).
openssl req -new -config openssl.cnf -key privkey.pem -out cert.csr
生成自签名证书:
# Self-sign the CSR for one year, copying the v3_req extensions (SAN, key
# usage) from openssl.cnf into the issued certificate.
openssl x509 -req \
  -in cert.csr -signkey privkey.pem \
  -extfile openssl.cnf -extensions v3_req \
  -days 365 -out fullchain.pem
启动vault
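export DBUS_SESSION_BUS_ADDRESS="$XDG_RUNTIME_DIR/bus"
# Start the server in the background. Redirect stderr into the log as well,
# otherwise startup and TLS errors are lost once the terminal is gone.
nohup ./vault server -config=/app/vault/conf/vault.conf > logs/vault.log 2>&1 &
# Initialise once the listener is up. The listener presents a self-signed
# certificate: pin it with -ca-cert instead of -tls-skip-verify, which would
# also accept any other certificate presented on that address.
./vault operator init -address=https://10.10.100.95:8200 \
  -ca-cert=/app/vault/cert/fullchain.pem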
保存解封密钥和根令牌
Unseal Key 1: msMc9w9n7Ary3pkBGG8y4MlyHqBUcI8TliPyb/Y44UV8
Unseal Key 2: IeIBdK3+faArEM3NG7zM+esd0rFjseraw7M3VV25GEcd
Unseal Key 3: qBlgV6f5cv98J8RNyMNhGF69RnwZWAqEhoJgIkoKPCSZ
Unseal Key 4: wKR0jmC+XCzW8bdCTsuouyJL458MXQe15TgmAqu3I20w
Unseal Key 5: yrUsrBsMNyor0smRds3lTEQTEex6Qb/gEYKIv9t5UleR
Initial Root Token: hvs.PD11jxgLQDSHiNzpaSLYtvq4
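export VAULT_ADDR='https://10.10.100.95:8200'
# Pin the self-signed server certificate rather than VAULT_SKIP_VERIFY=1,
# which turns off TLS verification for every vault command in this shell.
export VAULT_CACERT='/app/vault/cert/fullchain.pem'
# Prompt for the token without echo instead of keeping it in this file and in
# the shell history; a token that was ever pasted here should be treated as
# exposed and revoked.
read -rs -p 'VAULT_TOKEN: ' VAULT_TOKEN
printf '\n'
export VAULT_TOKEN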
解封服务器
解封服务器必须使用三个解封密钥（Unseal Key），所以以下指令需要执行三次，每次输入上面的一个 Unseal Key
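# Run once per key share until the threshold (3 of the 5 shares above) is
# reached; each run prompts for one Unseal Key. Pin the self-signed cert with
# -ca-cert instead of disabling verification.
./vault operator unseal -ca-cert=/app/vault/cert/fullchain.pem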
验证登录
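# Interactive token login; prompts for the token. -ca-cert pins the
# self-signed certificate rather than skipping verification.
./vault login -ca-cert=/app/vault/cert/fullchain.pem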
解决JAVA端无法调用接口问题
导出crt文件
# Export the self-signed certificate as DER and register it in the JDK trust
# store so the Java client can verify the Vault listener; then confirm the
# entry exists.
# NOTE(review): this modifies the JDK-wide cacerts (default password, replaced
# on JDK upgrade); a dedicated application truststore would be narrower.
cert_file='D:/MyWorkSpace/iptvcrm/crmsecurity/src/main/resources/fullchain.crt'
jdk_cacerts='C:/jdk-21.0.2/lib/security/cacerts'
openssl x509 -in fullchain.pem -outform der -out fullchain.crt
keytool -importcert -keystore "$jdk_cacerts" -storepass changeit \
  -alias vault-cert -file "$cert_file"
keytool -list -keystore "$jdk_cacerts" -storepass changeit -alias vault-cert
编写测试令牌权限
如果没有适当的策略,首先创建一个策略文件,例如 test.hcl,内容如下:
# Test policy: full access to everything under the "secret" mount.
# The mount is enabled below with "vault secrets enable -path=secret kv",
# which is KV version 1 unless a version is given, so data lives directly at
# secret/<name> and this path matches it.
path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
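# Enable a KV engine at secret/ (KV v1 unless a version is given) and a
# transit engine at transit/.
vault secrets enable -path=secret kv
vault secrets enable transit
# A second transit mount at transit/encrypt/ would be nested under the
# transit/ mount just enabled, which Vault rejects ("path is already in
# use"); transit/encrypt/<key> is already the encrypt endpoint of that mount.
# vault secrets enable -path=transit/encrypt/ transit
# Round-trip a value through the "testvalue" key. printf avoids the trailing
# newline a here-string would add to the plaintext; the substitution is quoted.
vault write transit/encrypt/testvalue plaintext="$(printf '%s' '你好' | base64)"
vault write transit/decrypt/testvalue ciphertext="vault:v1:6qwHKS45qLeFvnpGpwh7daC/Q9nViNfV6MMhLeY12hQPP5A="
# Register the test policy and mint a token restricted to it.
vault policy write test test.hcl
vault token create -policy="test"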
启用AppRole
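./vault auth enable approle
# secret_id_num_uses defaults to 0 (a SecretID can be redeemed any number of
# times within its TTL); bound it so a leaked SecretID is usable at most once.
# NOTE(review): token_policies names "my-policy", which is not written
# anywhere in these notes (the policies written are test and iptvcrm).
./vault write auth/approle/role/my-role \
token_policies="my-policy" \
secret_id_ttl=60m \
secret_id_num_uses=1 \
token_ttl=20m \
token_max_ttl=60m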
编写iptvcrm.hcl
# Application policy for iptvcrm.
# NOTE(review): "secret/data/*" is the KV v2 data path. The secret mount is
# enabled above with "vault secrets enable -path=secret kv", which is KV v1
# unless a version is given (paths "secret/*", as in test.hcl) — confirm the
# mount version matches the client, otherwise this rule grants nothing usable.
path "secret/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Encrypt and decrypt are write (POST) endpoints that only need "update";
# the remaining capabilities are broader than the application requires.
path "transit/encrypt/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "transit/decrypt/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Load the application policy, feeding the file on stdin ("-").
vault policy write iptvcrm - <iptvcrm.hcl
编写角色
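# Role for the application. secret_id_num_uses defaults to 0 (unlimited
# redemptions of one SecretID within its TTL); bound it to a single use.
# NOTE(review): token_policies names "aaa", which is not among the policies
# written in these notes (test, iptvcrm) — confirm the intended policy.
vault write auth/approle/role/aaa-role \
token_policies="aaa" \
secret_id_ttl=60m \
secret_id_num_uses=1 \
token_ttl=20m \
token_max_ttl=60m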
获取 Role ID 和 Secret ID
# Fetch the RoleID: the "username" half of the AppRole credential. The
# SecretID minted below is the secret half and should be handled as such.
vault read auth/approle/role/aaa-role/role-id
Key Value
--- -----
role_id f80459fc-16db-55b5-d50c-7582e197653e
# Mint a SecretID for the role (-force sends the write with no payload).
vault write -force auth/approle/role/aaa-role/secret-id
Key Value
--- -----
secret_id eff18d3c-5909-9d04-7acc-450344082925
secret_id_accessor c6a52203-7dd3-05bd-b9b6-b118b2895706
secret_id_num_uses 0
secret_id_ttl 1h
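# Log in with the role's credentials. The RoleID is the non-secret half; the
# SecretID is read from the terminal without echo instead of being pasted
# into this file and the shell history. A SecretID that has been written down
# should be considered spent and a fresh one minted.
read -rs -p 'secret_id: ' secret_id
printf '\n'
vault write auth/approle/login role_id="f80459fc-16db-55b5-d50c-7582e197653e" secret_id="$secret_id"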