The first step is generating security.toml file via weed scaffold -config=security:

  1. $ weed scaffold -config=security
  3. # Put this file to one of the location, with descending priority
  4. #    ./security.toml
  5. #    $HOME/.seaweedfs/security.toml
  6. #    /etc/seaweedfs/security.toml
  7. # this file is read by master, volume server, and filer
  9. # the jwt signing key is read by master and volume server.
  10. # a jwt defaults to expire after 10 seconds.
  11. [jwt.signing]
  12. key = ""
  13. expires_after_seconds = 10           # seconds
  15. # jwt for read is only supported with master+volume setup. Filer does not support this mode.
  16. [jwt.signing.read]
  17. key = ""
  18. expires_after_seconds = 10           # seconds
  20. # volume server also uses grpc that should be secured.
  22. # all grpc tls authentications are mutual
  23. # the values for the following ca, cert, and key are paths to the PERM files.
  24. # the host name is not checked, so the PERM files can be shared.
  25. [grpc]
  26. ca = ""
  28. [grpc.volume]
  29. cert = ""
  30. key = ""
  32. [grpc.master]
  33. cert = ""
  34. key = ""
  36. [grpc.filer]
  37. cert = ""
  38. key = ""
  40. # use this for any place needs a grpc client
  41. # i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
  42. [grpc.client]
  43. cert = ""
  44. key = ""

The following command is what I used to generate the private key and certificate files, using https://github.com/square/certstrap , or just go get github.com/square/certstrap

  1. certstrap init --common-name "SeaweedFS CA"
  2. certstrap request-cert --common-name volume01
  3. certstrap request-cert --common-name master01
  4. certstrap request-cert --common-name filer01
  5. certstrap request-cert --common-name client01
  6. certstrap sign --CA "SeaweedFS CA" volume01
  7. certstrap sign --CA "SeaweedFS CA" master01
  8. certstrap sign --CA "SeaweedFS CA" filer01
  9. certstrap sign --CA "SeaweedFS CA" client01

Here is my security.toml file content:

  2. # Put this file to one of the location, with descending priority
  3. #    ./security.toml
  4. #    $HOME/.seaweedfs/security.toml
  5. #    /etc/seaweedfs/security.toml
  7. [jwt.signing]
  8. key = "blahblahblahblah"
  10. # all grpc tls authentications are mutual 
  11. [grpc]
  12. ca = "/Users/chris/.seaweedfs/out/SeaweedFS_CA.crt"
  14. [grpc.volume]
  15. cert = "/Users/chris/.seaweedfs/out/volume01.crt"
  16. key  = "/Users/chris/.seaweedfs/out/volume01.key"
  18. [grpc.master]
  19. cert = "/Users/chris/.seaweedfs/out/master01.crt"
  20. key  = "/Users/chris/.seaweedfs/out/master01.key"
  22. [grpc.filer]
  23. cert = "/Users/chris/.seaweedfs/out/filer01.crt"
  24. key  = "/Users/chris/.seaweedfs/out/filer01.key"
  26. [grpc.client]
  27. cert = "/Users/chris/.seaweedfs/out/client01.crt"
  28. key  = "/Users/chris/.seaweedfs/out/client01.key"

For Java gRPC

Java gRPC uses Netty's SslContext. From https://netty.io/wiki/sslcontextbuilder-and-private-key.html

The SslContextBuilder and so Netty's SslContext implementations only support PKCS8 keys.

If you have a key with another format you need to convert it to PKCS8 first to be able to use it. This can be done easily by using openssl.

For example to convert a non-encrypted PKCS1 key to PKCS8 you would use:

openssl pkcs8 -topk8 -nocrypt -in pkcs1_key_file -out pkcs8_key.pem