• Configuring HTTPS in Tomcat


    Introduction:

    SSL/TLS provides three properties:

    Confidentiality: data carried over the SSL connection is encrypted.

    Authentication: each party can verify the other's identity. This is usually optional, but at least one side (normally the server) must be authenticated.

    Integrity: the transmitted data is checked for tampering.

    Encryption is computationally expensive, so this article's advice is not to put the whole site behind SSL but to use it only for pages that carry sensitive data (logins, personal information and the like). Bear in mind that on current hardware the TLS overhead is small and the usual recommendation today is to serve everything over HTTPS: a site that mixes HTTP and HTTPS leaks session cookies over the plaintext pages and invites downgrade attacks.

    The rest of this article walks through adding SSL support to Tomcat.

    Note:

    Configuring SSL in Tomcat is normally only necessary when Tomcat is the standalone web server. When Tomcat runs as a servlet container behind a web server (Apache httpd, nginx and so on), only the front-end web server needs SSL: it does all SSL processing, Tomcat receives already-decrypted requests, and the responses it returns are plaintext that the web server encrypts.

    Tomcat implements SSL in two ways:

    JSSE (the Java implementation) and APR (which uses the OpenSSL engine).

    JSSE is used by the BIO, NIO and NIO2 connectors (the BIO connector was removed in 8.5; from 8.5 on, the NIO and NIO2 connectors can also use OpenSSL, which is what HTTP/2 support relies on), while the APR connector uses OpenSSL. Because the JSSE and APR configurations differ noticeably, it is best to give the connector implementation class explicitly in the Connector's protocol attribute rather than the protocol name (HTTP/1.1). Otherwise Tomcat picks the connector from the local environment (APR if the native library is installed, NIO otherwise), and the SSL settings may not match the connector chosen, leaving SSL unusable.

    Method 1 (quick and dirty)

    Before adding the SSL configuration we need a keystore. Tomcat supports JKS, PKCS11 and PKCS12 keystores. JKS is Java's own keystore format and is created with the keytool command-line tool found in $JAVA_HOME/bin/. (Recent JDKs recommend PKCS12, which Tomcat accepts just as well; the keytool warning shown later in this article says the same.)

    1. Create the keystore

    Run:

    Windows (files go under C:\cert; choose any directory you like):

    keytool -genkey -alias tomcat -keyalg RSA -keystore C:\cert\mykey.keystore

    Linux (files go under /home/liuge/cert; choose any directory you like):

    keytool -genkey -alias tomcat -keyalg RSA -keystore /home/liuge/cert/mykey.keystore
    Enter keystore password:                            keystore password
    Re-enter new password:                              repeat the password
    What is your first and last name?                   becomes the certificate's CN; use the server's hostname, not a product name
    [Unknown]: Tomcat
    What is the name of your organizational unit?       organizational unit
    [Unknown]: Apache
    What is the name of your organization?              organization
    [Unknown]: Apache
    What is the name of your City or Locality?          city
    [Unknown]: Beijing
    What is the name of your State or Province?         state or province
    [Unknown]: Beijing
    What is the two-letter country code for this unit?  country code
    [Unknown]: CN
    Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct?  confirm
    [no]: y

    Enter key password for <tomcat>                     key password for the tomcat entry
        (RETURN if same as keystore password):          press Enter to reuse the keystore password
    Re-enter new password:

    Two things the prompts do not tell you: without -validity the certificate expires after 90 days (the keytool listing later in this article shows exactly that), and current browsers ignore the CN and require a subjectAltName. Add -validity 365 -ext SAN=dns:your.hostname to the command to get a certificate browsers will accept once its issuer is trusted. Newer keytool versions call this command -genkeypair; -genkey still works as an alias.

    2. Configure server.xml

    The keystore password is needed in the server.xml configuration; the other fields are informational and can be viewed by clients in the browser's certificate viewer. Once the command succeeds, copy the generated mykey.keystore into Tomcat's conf directory and uncomment the SSL connector, which is commented out by default.

    For 8.5 the configuration looks like this (around line 88 of server.xml):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                  maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
        <SSLHostConfig>
          <Certificate certificateKeystoreFile="conf/mykey.keystore"
                  certificateKeystorePassword="123456"
                  type="RSA" />
        </SSLHostConfig>
    </Connector>

    The connector's protocol is set to org.apache.coyote.http11.Http11NioProtocol so that Tomcat does not auto-select the HTTP connector implementation (the NIO2 implementation works just as well; APR cannot be used with a keystore).

    certificateKeystorePassword is the keystore password entered when the keystore was created (123456 in the example above), and port is the SSL connector's port. If you change the port, make sure it matches the redirectPort attribute of the plain HTTP connector, otherwise requests that must be upgraded to HTTPS are redirected to a port nothing listens on. Two further attributes are worth setting: certificateKeyAlias="tomcat" on the Certificate element (otherwise Tomcat uses the first key it reads, which matters as soon as the keystore holds more than one entry), and protocols="TLSv1.2,TLSv1.3" on SSLHostConfig (TLSv1.3 on Java 11 or later), since the default "all" also offers the legacy TLS 1.0 and 1.1. The password is now in server.xml, so that file must be readable only by the account Tomcat runs as.

    Start Tomcat and open https://ip:8443 in a browser. Because the certificate is self-signed, the browser shows a certificate warning that has to be accepted before the page loads; the browser's certificate viewer shows the details entered above.

    Method 2 (the long-winded way)

    Alternatively, we can create the certificate with OpenSSL and import it into a keystore.

    Note: almost every Linux distribution ships OpenSSL; on Windows, if you have Apache httpd installed you will find openssl.exe in its bin folder.

    OpenSSL commands all take the form "openssl command options".

    1. Run the following command to generate the root key:

    [root@ ~]# openssl genrsa -out rootkey.pem 2048

    Output:

    Generating RSA private key, 2048 bit long modulus
    ..................+++
    .....+++
    e is 65537 (0x10001)

    2. Create the root certificate (it will be used to sign the server's request file):

    [root@ ~]# openssl req -x509 -new -key rootkey.pem -out root.crt

    Output:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:Apache
    Organizational Unit Name (eg, section) []:Tomcat
    Common Name (eg, your name or your server's hostname) []:Tomcat
    Email Address []:tomcat@apache.com

    Enter the country, province, city and organization details as prompted. Note that openssl req -x509 issues a certificate valid for just 30 days unless -days is given; add -days 3650 for a root you intend to keep using. rootkey.pem is the trust anchor's private key: it is only needed to sign requests, so keep it off the web server and readable by root alone (chmod 600).

    3. Create the server key:

    [root@ ~]# openssl genrsa -out serverkey.pem 2048

    Output:

    Generating RSA private key, 2048 bit long modulus
    ............................................................+++
    ................................+++
    e is 65537 (0x10001)

    4. Generate the server's certificate signing request:

    [root@ ~]# openssl req -new -key serverkey.pem -out server.csr

    Output:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:Apache
    Organizational Unit Name (eg, section) []:Tomcat
    Common Name (eg, your name or your server's hostname) []:Tomcat
    Email Address []:tomcat@apache.com
     
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:Tomcat

    Again, enter the country, province, city and the rest as prompted. The Common Name must be the hostname clients will connect to. The 'extra' attributes (challenge password, optional company name) are not used anywhere in this procedure and can be left blank.

    5. Sign the server's request with the root certificate to produce the server certificate:

    [root@ ~]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out server.crt

    Output:

    Signature ok
    subject=/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=Tomcat/emailAddress=tomcat@apache.com
    Getting CA Private Key

    What we have built is a private CA: the server certificate is signed by our own root, which no browser trusts, so this setup is for development and test environments. In production you submit the request file (server.csr) to a public certificate authority (CA), which returns the signed certificate, usually for a fee. Two properties of the command above matter for anything beyond a quick test: openssl x509 -req does not copy the CSR's extensions, so without -extfile the result is an X.509 v1 certificate with no subjectAltName (the keytool listing later shows "Version: 1"), and older OpenSSL releases sign with SHA-1 by default (the listing shows SHA1withRSA). Add -sha256 and an -extfile containing subjectAltName=DNS:<hostname> to get a certificate that current browsers accept.

    6. Export the certificate in PKCS12 format:

    [root@ ~]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12

    Output:

    Enter Export Password:

    Verifying - Enter Export Password:

    Enter an export password at the prompts. Without -name the entry is stored under the friendly name "1", which is the alias Tomcat will later see; add -name tomcat to give it a meaningful alias, and -certfile root.crt to include the issuing root so that clients receive the full chain.

    7. Run keytool to generate the server keystore:

    [root@ ~]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12

    Output:

    Importing keystore server.pkcs12 to mykey.keystore...
    Enter destination keystore password:
    Enter source keystore password:
    Entry for alias 1 successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

    Enter the keystore password and then the export password from the previous step at the prompts. (The listing further down shows two private-key entries, so the destination here is evidently the keystore created in method 1. Importing into a fresh keystore, or naming the entry with -srcalias 1 -destalias tomcat and selecting it with certificateKeyAlias in server.xml, avoids any ambiguity about which key Tomcat uses.)

    We now have the keystore file mykey.keystore.

    The files created along the way:

    [root@ ~]# ll
    total 36
    -rw-r--r--. 1 root root 4461 Apr 16 16:41 mykey.keystore
    -rw-r--r--. 1 root root 1407 Apr 16 16:21 root.crt
    -rw-r--r--. 1 root root 1679 Apr 16 16:14 rootkey.pem
    -rw-r--r--. 1 root root 17 Apr 16 16:31 root.srl
    -rw-r--r--. 1 root root 1289 Apr 16 16:31 server.crt
    -rw-r--r--. 1 root root 1110 Apr 16 16:28 server.csr
    -rw-r--r--. 1 root root 1675 Apr 16 16:26 serverkey.pem
    -rw-r--r--. 1 root root 2517 Apr 16 16:37 server.pkcs12

    8. Use keytool's list command to inspect the certificates the keystore contains:

    [root@ ~]# keytool -list -v -keystore mykey.keystore

    After the keystore password is entered at the prompt, the entries are printed. Note in the output that the keytool-generated entry (alias tomcat) is valid for only 90 days, while the OpenSSL-generated entry was imported under alias 1, is an X.509 v1 certificate (no extensions, hence no subjectAltName) and is signed with SHA1withRSA: browsers reject such a certificate regardless of which root they trust.

    Output:

    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    Alias name: tomcat
    Creation date: Apr 16, 2018
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN
    Issuer: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN
    Serial number: 5f59c5e3
    Valid from: Mon Apr 16 15:36:30 CST 2018 until: Sun Jul 15 15:36:30 CST 2018
    Certificate fingerprints:
         MD5: 0E:FB:D2:73:54:89:51:9A:20:96:E8:22:2B:92:36:B6
         SHA1: 2C:DF:97:E9:88:85:72:0E:15:68:B1:09:19:76:7E:67:FC:A7:F9:12
         SHA256: EE:42:E8:96:CE:E1:B5:A6:2C:EC:57:82:44:3A:A8:AD:A3:89:04:01:C8:E8:85:7D:CA:96:B4:E4:63:87:91:49
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 3A 8F 05 4C 85 6D 2F EE 1E E6 46 ED AD CC CA A6 :..L.m/...F.....
    0010: 06 78 A7 CA .x..
    ]
    ]
    *******************************************
    *******************************************
    Alias name: 1
    Creation date: Apr 16, 2018
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: EMAILADDRESS=tomcat@apache.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
    Issuer: EMAILADDRESS=tomcat@apache.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
    Serial number: 84802670058ff7d5
    Valid from: Mon Apr 16 16:31:46 CST 2018 until: Thu Apr 13 16:31:46 CST 2028
    Certificate fingerprints:
         MD5: 46:F0:86:8A:FB:60:2E:AA:14:E5:AF:7F:8B:05:A2:F5
         SHA1: EF:3E:90:08:0D:9E:53:95:4E:4F:36:29:78:05:93:E1:DB:48:CB:A2
         SHA256: 8E:B7:51:6D:04:09:24:28:20:68:4F:C3:2A:2E:47:1E:B8:F6:C2:87:D1:55:30:8C:B0:2A:EA:2A:02:8B:09:76
    Signature algorithm name: SHA1withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 1
    
    *******************************************
    *******************************************
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".

    9. Deploy the mykey.keystore file to Tomcat as described earlier (non-APR connector). Because the keystore now holds two entries, set certificateKeyAlias on the Certificate element to the alias of the OpenSSL-generated entry ("1" above, unless you renamed it on import); otherwise Tomcat uses the first key it reads. The certificate details can then be viewed in the browser.

    10. To configure SSL on the APR connector, first add the AprLifecycleListener under <Server> in server.xml:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"
              SSLRandomSeed="builtin" useAprConnector="true" />

    Note: useAprConnector is new in 8.5 and makes protocol="HTTP/1.1" resolve to the APR connector; before 8.5 it did not need to be set, since the APR connector was chosen automatically whenever the native library was present. The attribute is spelled useAprConnector; a misspelled attribute such as userAprConnector only produces a "did not find a matching property" warning in the log, and you end up with the NIO connector.

    Then add the SSL connector (Tomcat 8.5):

    <Connector port="8443"
            protocol="org.apache.coyote.http11.Http11AprProtocol"
            maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig>
           <Certificate certificateKeyFile="${catalina.base}/conf/serverkey.pem"
                   certificateFile="${catalina.base}/conf/server.crt"
                   certificateChainFile="${catalina.base}/conf/root.crt"
                   type="RSA" />
      </SSLHostConfig>
    </Connector>

    certificateKeyFile is the server's private key in PEM format (certificateKeystoreFile, by contrast, expects a JKS or PKCS12 keystore and does not accept a PEM key).

    certificateFile is the server certificate (server.crt as generated above), and certificateChainFile holds the issuing certificate(s) sent along with it.

    On 8.5 the same PEM-based Certificate element also works with protocol="org.apache.coyote.http11.Http11NioProtocol": once AprLifecycleListener has loaded the native library, the NIO and NIO2 connectors use the OpenSSL engine as well. Whichever connector you use, serverkey.pem must be readable only by the Tomcat user.

    That completes the configuration.
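    Method 2 redone the way a practitioner would do it now, as an added shell example that is not part of the original post. It fixes the three problems visible in the listings above (a v1 certificate with no subjectAltName, a SHA-1 signature, and a PKCS#12 entry named "1"), adds the key/certificate consistency check you want before pointing the PEM-based connector at a pair of files, and produces a PKCS#12 that Tomcat loads directly, which makes the keytool import step, and method 1's JKS, unnecessary. The hostname, directory, password and subject names are parameters or placeholders chosen for the example; it assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: a private CA and a server
# certificate built the way a practitioner would do it now, plus the checks
# worth running before the files go anywhere near server.xml.
# Assumes OpenSSL 1.1.1+ on PATH. Hostname, directory, password and subject
# names are parameters or placeholders chosen for the example.
set -eu

# make_private_ca DIR: rootkey.pem + root.crt (X.509 v3, CA:TRUE, SHA-256,
# 10 years). The post's "openssl req -x509" without -days expires in 30 days.
make_private_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/rootkey.pem" 2048 2>/dev/null
  chmod 600 "$dir/rootkey.pem"
  openssl req -new -sha256 -key "$dir/rootkey.pem" \
    -subj "/C=CN/O=Example Private CA/CN=Example Root CA" -out "$dir/root.csr"
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" \
    -signkey "$dir/rootkey.pem" -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
}

# make_server_cert DIR HOST: serverkey.pem, server.csr, server.crt.
# "openssl x509 -req" does not copy extensions from the CSR, so SAN and key
# usage go in an -extfile; without it you get the v1, SAN-less certificate
# seen in the post's keytool listing, which browsers reject.
make_server_cert() {
  dir=$1; host=$2
  openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null
  chmod 600 "$dir/serverkey.pem"
  openssl req -new -sha256 -key "$dir/serverkey.pem" \
    -subj "/C=CN/O=Example/CN=$host" -out "$dir/server.csr"
  printf '%s\n' "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "subjectKeyIdentifier=hash" "authorityKeyIdentifier=keyid" \
    "subjectAltName=DNS:$host" > "$dir/server.ext"
  openssl x509 -req -sha256 -days 397 -in "$dir/server.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/rootkey.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# export_pkcs12 DIR PASSWORD: key + leaf + issuing root in server.p12 under
# the friendly name "tomcat" (the post's export, lacking -name, gives "1").
# Tomcat loads this directly: certificateKeystoreFile="conf/server.p12"
# certificateKeystoreType="PKCS12" certificateKeyAlias="tomcat".
# pass: is for the demo only (visible in the process list); use file:/env:.
export_pkcs12() {
  dir=$1; pass=$2
  openssl pkcs12 -export -name tomcat -inkey "$dir/serverkey.pem" \
    -in "$dir/server.crt" -certfile "$dir/root.crt" \
    -passout "pass:$pass" -out "$dir/server.p12"
}

# verify_chain DIR: 0 if server.crt validates against root.crt.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# key_matches_cert KEYFILE CERTFILE: run before pointing certificateKeyFile /
# certificateFile at a PEM pair. Compares the public key in both files; a
# mismatch is the usual reason a connector fails to start after a renewal.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
      openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CERTFILE: DNS names in subjectAltName, one per line (empty for a
# v1 certificate such as the one the post produced).
cert_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -o 'DNS:[^, ]*' || true
}

# p12_cert_count DIR PASSWORD: certificates in server.p12 (2 = leaf + root).
p12_cert_count() {
  openssl pkcs12 -in "$1/server.p12" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# tls_check HOST PORT CAFILE: what the browser does at https://host:port, from
# the shell. Run against the deployed connector; expect "Verify return code: 0 (ok)".
tls_check() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_return_error </dev/null 2>/dev/null |
    grep -E '^(New,|Verify return code)'
}

# build_all DIR HOST PASSWORD: the whole procedure, ending with the chain check.
build_all() {
  make_private_ca "$1"
  make_server_cert "$1" "$2"
  export_pkcs12 "$1" "$3"
  verify_chain "$1"
}
```

    Run build_all /etc/tomcat/tls tomcat.example.test 'secret' and point the connector either at server.p12 (certificateKeystoreFile, certificateKeystoreType="PKCS12", certificateKeyAlias="tomcat") or at serverkey.pem, server.crt and root.crt via certificateKeyFile, certificateFile and certificateChainFile for the OpenSSL-backed connectors. OpenSSL 3 writes the PKCS#12 with AES-256 and a SHA-256 MAC, which older JDK 8 and 11 updates cannot read; if Tomcat's JVM rejects the file, add -legacy to the pkcs12 -export command. What clients must trust is root.crt, never the server certificate; in a browser that means importing it as a certificate authority. Afterwards, tls_check tomcat.example.test 8443 root.crt is the command-line equivalent of the browser test in step 9.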

  • Original article: https://www.cnblogs.com/Sunzz/p/8862338.html