From 7004dc290d72c80617baa68f8555966b48cab8c2 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Tue, 19 Feb 2019 21:01:53 -0800
Subject: [PATCH] Created Security Configuration (markdown)
---
Security-Configuration.md | 91 +++++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100644 Security-Configuration.md
diff --git a/Security-Configuration.md b/Security-Configuration.md
new file mode 100644
index 0000000..4fafe51
--- /dev/null
+++ b/Security-Configuration.md
@@ -0,0 +1,91 @@
+
+
+The first step is generating `security.toml` file via `weed scaffold -config=security`:
+
+```
+$ weed scaffold -config=security
+
+# Put this file to one of the location, with descending priority
+# ./security.toml
+# $HOME/.seaweedfs/security.toml
+# /etc/seaweedfs/security.toml
+# this file is read by master, volume server, and filer
+
+# the jwt signing key is read by master and volume server
+# a jwt expires in 10 seconds
+[jwt.signing]
+key = ""
+
+# volume server also uses grpc that should be secured.
+
+# all grpc tls authentications are mutual
+[grpc]
+ca = ""
+
+[grpc.volume]
+cert = ""
+key = ""
+
+[grpc.master]
+cert = ""
+key = ""
+
+[grpc.filer]
+cert = ""
+key = ""
+
+# use this for any place needs a grpc client
+# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
+[grpc.client]
+cert = ""
+key = ""
+
+```
+
+The following command is what I used to generate the private key and certificate files, using https://github.com/square/certstrap , or just `go get github.com/square/certstrap`
+
+```
+certstrap init --common-name "SeaweedFS CA"
+certstrap request-cert --common-name volume01
+certstrap request-cert --common-name master01
+certstrap request-cert --common-name filer01
+certstrap request-cert --common-name client01
+certstrap sign --CA "SeaweedFS CA" volume01
+certstrap sign --CA "SeaweedFS CA" master01
+certstrap sign --CA "SeaweedFS CA" filer01
+certstrap sign --CA "SeaweedFS CA" client01
+```
+
+Here is my `security.toml` file content:
+```
+
+# Put this file to one of the location, with descending priority
+# ./security.toml
+# $HOME/.seaweedfs/security.toml
+# /etc/seaweedfs/security.toml
+
+[jwt.signing]
+key = "blahblahblahblah"
+
+# all grpc tls authentications are mutual
+[grpc]
+ca = "/Users/chris/.seaweedfs/out/SeaweedFS_CA.crt"
+
+[grpc.volume]
+cert = "/Users/chris/.seaweedfs/out/volume01.crt"
+key = "/Users/chris/.seaweedfs/out/volume01.key"
+
+[grpc.master]
+cert = "/Users/chris/.seaweedfs/out/master01.crt"
+key = "/Users/chris/.seaweedfs/out/master01.key"
+
+[grpc.filer]
+cert = "/Users/chris/.seaweedfs/out/filer01.crt"
+key = "/Users/chris/.seaweedfs/out/filer01.key"
+
+[grpc.client]
+cert = "/Users/chris/.seaweedfs/out/client01.crt"
+key = "/Users/chris/.seaweedfs/out/client01.key"
+
+
+```