• Configuring SSL in Tomcat


    Introduction

    SSL and TLS are cryptographic protocols for securing network communication (TLS is the current name for the protocol family; what Tomcat's configuration still calls SSL is TLS in practice). They let a client and a server talk over an authenticated, encrypted connection.

    Properties of the SSL/TLS protocol:

    1. Confidentiality: data sent over the SSL connection is encrypted
    2. Authentication: the parties identify themselves to each other; this is optional, and usually only one side (the server) is authenticated
    3. Integrity: the transmitted data is checked so that tampering is detected

    Configuring SSL

    Tomcat offers two SSL implementations: JSSE (the Java implementation) and APR (the OpenSSL engine, loaded through the Tomcat Native library). JSSE is used with the BIO, NIO and NIO2 connectors (BIO was removed in 8.5; since 8.5, NIO and NIO2 can also drive OpenSSL, which is what makes HTTP/2 with ALPN possible on Java 8), while the APR connector always uses OpenSSL. When configuring, set the Connector's protocol attribute to the connector class name rather than to a protocol name such as HTTP/1.1: with the protocol name Tomcat picks the connector from what it finds locally (APR if the native library is loaded, NIO otherwise), and an SSL configuration written for one implementation may not work with the other.

    1. Generating the key

    Tomcat supports JKS, PKCS11 and PKCS12 keystores. JKS is Java's own keystore format and is created with the keytool command found in $JAVA_HOME/bin (keytool itself now warns that JKS is proprietary and recommends PKCS12, which Tomcat accepts as well). It is created as follows:

    ① Windows:

    keytool -genkey -alias tomcat -keyalg RSA -keystore C:\cert\mykey.keystore

    ② Linux:

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# mkdir cert
    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  Tomcat
    What is the name of your organizational unit?
      [Unknown]:  Apache
    What is the name of your organization?
      [Unknown]:  Apache
    What is the name of your City or Locality?
      [Unknown]:  Beijing
    What is the name of your State or Province?
      [Unknown]:  Beijing
    What is the two-letter country code for this unit?
      [Unknown]:  CN
    Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct?
      [no]:  Y
    
    Enter key password for <tomcat>
        (RETURN if same as keystore password):  (press Enter)
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -destkeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -deststoretype pkcs12".
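    The same keytool step, written the way it is worth running on a real server, as an added example (this is not code from the original post): non-interactive, a PKCS#12 store instead of JKS, an explicit 2048-bit RSA key with a SHA-256 signature, and a subjectAltName, because browsers match the certificate against the SAN and ignore the CN. The hostname tomcat.example.test, the output path and the password are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post: step 1 done with keytool alone, but
# non-interactively and with the settings that matter for a server certificate.
# Hostname, output path and password are placeholders (assumptions).

gen_tomcat_keystore() {
  # $1 = keystore file to create (PKCS#12), $2 = server DNS name, $3 = store password
  keytool -genkeypair \
      -alias tomcat \
      -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
      -validity 365 \
      -dname "CN=$2, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN" \
      -ext "SAN=dns:$2" \
      -storetype PKCS12 \
      -keystore "$1" -storepass "$3" -keypass "$3" >/dev/null 2>&1 || return 1

  # Confirm the SAN really went into the certificate; keytool -list -v prints it
  # as "DNSName: <host>" under SubjectAlternativeName.
  keytool -list -v -storetype PKCS12 -keystore "$1" -storepass "$3" 2>/dev/null \
      | grep -q "DNSName: $2"
}

# usage: gen_tomcat_keystore conf/tomcat.p12 tomcat.example.test changeit
```

    Reference the result from server.xml with certificateKeystoreFile="conf/tomcat.p12" certificateKeystoreType="PKCS12" and certificateKeystorePassword set to the store password. The certificate is still self-signed, so browsers warn until it is trusted explicitly; the JKS warning keytool prints above no longer appears, since the store is PKCS#12 from the start.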

    2. Deployment

    Copy the generated keystore into $CATALINA_BASE/conf and edit server.xml as follows:

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# cp cert/mykey.keystore $CATALINA_BASE/conf/
    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 
    
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" scheme="https" secure="true" SSLEnabled="true" >
            <!-- HTTP/2 over TLS needs ALPN: JSSE on Java 9+, or OpenSSL via Tomcat Native on Java 8 -->
            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <!-- certificateVerification="false" (the default) means clients are not asked for a certificate -->
            <SSLHostConfig certificateVerification="false" >
                <Certificate certificateKeystoreFile="conf/mykey.keystore"
                             certificateKeystorePassword="mnbvcxzaA0."
                             type="RSA" />
            </SSLHostConfig>
        </Connector>

    port is the port of the SSL connector. If you change it, the redirectPort attribute of the plain HTTP connector must be set to the same value, because that is where Tomcat sends requests that a transport-guarantee of CONFIDENTIAL in web.xml forces onto HTTPS. Two practical points about this block: the attribute is spelled scheme, not schema (Tomcat only logs a warning for an unknown attribute, and the application would then see http as the request scheme), and the keystore password sits in server.xml in clear text, so the file should be readable only by the Tomcat user. SSLHostConfig also accepts protocols and ciphers attributes to restrict what is negotiated, for example protocols="TLSv1.2+TLSv1.3"; left unset, the default (all) enables TLSv1 and up, including the obsolete TLS 1.0 and 1.1.

    The configuration for versions before 8.5 (the keystore settings go directly on the Connector):

        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" scheme="https" secure="true" SSLEnabled="true" 
                   keystoreFile="conf/mykey.keystore"
                   keystorePass="mnbvcxzaA0."
                   clientAuth="false"  sslProtocol="TLS" />

    Configuring multiple certificates (before 8.5): one Connector per IP address, each bound with address and carrying its own keystore. From 8.5 on, a single Connector can instead hold several SSLHostConfig elements distinguished by hostName, which Tomcat selects by SNI.

    <Connector 
           port="8443" maxThreads="200" address="10.0.0.1"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="keystore1.jks" keystorePass="..."
           clientAuth="false" sslProtocol="TLS"/>
    <Connector 
           port="8443" maxThreads="200" address="10.0.0.2"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="keystore2.jks" keystorePass="..."
           clientAuth="false" sslProtocol="TLS"/>

    3. Access test

     Open https://<server>:8443/ in a browser; the certificate information is shown in the browser's certificate viewer.

     Creating the key with the openssl command

    This is fine for test environments. In production you send a certificate signing request (CSR) to an accredited certificate authority (CA), which returns the signed certificate.

    Generate the root key

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out rootkey.pem 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .................................................+++++
    ..................................+++++
    e is 65537 (0x010001)

    Create the root certificate (used to sign the server's certificate request). Note that without -days the certificate is valid for only 30 days, openssl's default:

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -x509 -new -key rootkey.pem -out root.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:Apache
    Organizational Unit Name (eg, section) []:Tomcat  
    Common Name (eg, your name or your server's hostname) []:Tomcat
    Email Address []:183041251@126.com

    Create the server key

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out serverkey.pem 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ...+++++
    ..........................................+++++
    e is 65537 (0x010001)

    Create the server certificate signing request

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -new -key  serverkey.pem -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:Apache
    Organizational Unit Name (eg, section) []:Tomcat
    Common Name (eg, your name or your server's hostname) []:Tomcat
    Email Address []:183041251@126.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:tomcat
    An optional company name []:Tomcat

    Sign the server CSR with the root certificate to produce the server certificate

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 365 -out server.crt
    Signature ok
    subject=C = CN, ST = Beijing, L = Beijing, O = Apache, OU = Tomcat, CN = Tomcat, emailAddress = 183041251@126.com
    Getting CA Private Key

    Export the certificate and key to PKCS#12 format

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12

    Enter Export Password:
    # set an export password of your choice
    Verifying - Enter Export Password: 

    Generate the server keystore (import the PKCS#12 into a JKS keystore). Tomcat 8.5 can also load the PKCS#12 file directly by setting certificateKeystoreType="PKCS12" on the Certificate element; this step is only needed if you want a JKS file.

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12
    Importing keystore server.pkcs12 to mykey.keystore...
    Enter destination keystore password:                              ## choose the destination keystore password (a new keystore is created; this is the certificateKeystorePassword for server.xml)
    Re-enter new password:
    Enter source keystore password: ## the export password set in the previous step
    Entry for alias 1 successfully imported.
    Import command completed:
    1 entries successfully imported, 0 entries failed or cancelled

    Warning:
    The JKS keystore uses a proprietary format. It
    is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".

    List the certificates contained in the keystore

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -list -v -keystore mykey.keystore
    Enter keystore password:                            ## enter the keystore password
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: 1
    Creation date: Sep 12, 2020
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
    Issuer: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
    Serial number: 25100e367ff3f3117f90489ad91605bc08080222
    Valid from: Sat Sep 12 18:06:53 CST 2020 until: Sun Sep 12 18:06:53 CST 2021
    Certificate fingerprints:
         MD5:  E7:F4:B6:EE:18:26:FC:92:18:4B:66:EA:DE:9A:20:72
         SHA1: 40:D9:E2:15:B6:03:5D:B4:56:38:23:3F:95:B9:35:64:F6:02:B7:80
         SHA256: 6E:33:84:44:82:A0:46:B7:D4:49:35:56:74:89:8A:C2:4A:05:95:66:D5:98:D8:2A:0E:01:5E:3D:45:83:5E:B9
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 1
    
    
    *******************************************
    *******************************************
    
    
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".

    Deploy the keystore file to Tomcat as in step 2 and the site is reachable over HTTPS (note: not with the APR connector, which takes PEM files instead of a keystore). Two things in the listing above deserve attention. "Certificate chain length: 1" means the root was not put into the PKCS#12 file (openssl pkcs12 -export takes -certfile root.crt for that), so Tomcat sends only the leaf certificate. "Version: 1" means the certificate carries no extensions, in particular no subjectAltName; current browsers ignore the CN and need a SAN matching the hostname, so they warn even after root.crt has been imported as a trusted root. Also, because the root and the server were given identical DNs, the leaf's Owner and Issuer lines are the same and it looks self-signed; give the CA its own CN.
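    The whole openssl procedure from this section as one non-interactive script, as an added example (not code from the original post), including the checks a practitioner runs before deploying and a command-line version of the access test from step 3. It keeps the post's sequence (root key, root certificate, server key, CSR, signing, PKCS#12 export) but gives the CA and the server different DNs, adds subjectAltName and the other v3 extensions that browsers expect, and puts root.crt into the PKCS#12 so that Tomcat sends the full chain. The hostname tomcat.example.test, the output directory and the password are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post: the openssl procedure above as one
# non-interactive script, plus a command-line version of the access test in step 3.
# It differs from the post in four places, each fixing something visible in the
# keytool listing above:
#   - root and server get different DNs (the post uses one DN for both, so the
#     leaf's Owner and Issuer lines are identical)
#   - the server certificate is v3 with a subjectAltName instead of "Version: 1"
#   - root.crt goes into the PKCS#12 (-certfile), so the chain length is 2
#   - the alias is "tomcat" rather than keytool's default "1"
# The hostname, output directory and password are placeholders (assumptions).

make_tls_material() {
  # $1 = output dir, $2 = server DNS name, $3 = PKCS#12 export password
  dir=$1; host=$2; pass=$3
  mkdir -p "$dir" || return 1

  # One config file for all three openssl req/x509 invocations, so nothing depends
  # on the system openssl.cnf. $host is expanded into the SAN when written.
  cat > "$dir/tls.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

  # 1. root key and self-signed root certificate (the post omits -days, which defaults to 30)
  openssl genrsa -out "$dir/rootkey.pem" 4096 2>/dev/null || return 1
  openssl req -x509 -new -key "$dir/rootkey.pem" -sha256 -days 3650 \
      -config "$dir/tls.cnf" -extensions v3_ca \
      -subj "/C=CN/O=Apache/CN=Tomcat Test Root CA" -out "$dir/root.crt" 2>/dev/null || return 1

  # 2. server key and CSR; the CN is informational, clients match the SAN
  openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/serverkey.pem" -sha256 -config "$dir/tls.cnf" \
      -subj "/C=CN/O=Apache/OU=Tomcat/CN=$host" -out "$dir/server.csr" 2>/dev/null || return 1

  # 3. sign with the root; -extfile/-extensions is what makes the result a v3 certificate
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.crt" -CAkey "$dir/rootkey.pem" \
      -CAcreateserial -sha256 -days 365 -extfile "$dir/tls.cnf" -extensions v3_server \
      -out "$dir/server.crt" 2>/dev/null || return 1

  # 4. PKCS#12 for the JSSE connector: key + leaf + root under alias "tomcat".
  #    The PEM files (serverkey.pem, server.crt, root.crt) are what the APR connector takes.
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/serverkey.pem" \
      -certfile "$dir/root.crt" -name tomcat -passout "pass:$pass" \
      -out "$dir/server.p12" 2>/dev/null || return 1
  chmod 600 "$dir/rootkey.pem" "$dir/serverkey.pem" "$dir/server.p12"

  # 5. offline checks: the chain verifies against the root and the SAN names the host
  openssl verify -CAfile "$dir/root.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}

# Access test (step 3) without a browser: the certificate the server actually
# presents, verified against our root. Needs a running Tomcat, so it is only
# shown here, not run.
tls_check() {
  # $1 = host, $2 = port, $3 = root certificate to trust
  echo | openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" 2>/dev/null \
      | openssl x509 -noout -subject -issuer -dates
}

# usage: make_tls_material cert tomcat.example.test changeit
#        tls_check tomcat.example.test 8443 cert/root.crt
```

    With Tomcat 8.5 the resulting server.p12 can be used directly: certificateKeystoreFile="conf/server.p12" certificateKeystoreType="PKCS12" certificateKeystorePassword="changeit"; the keytool -importkeystore step is then unnecessary. If an older JDK refuses to read a PKCS#12 produced by OpenSSL 3 (which encrypts with AES and PBKDF2 by default), re-export with OpenSSL 3's -legacy option. For the APR connector, point certificateKeyFile, certificateFile and certificateChainFile at serverkey.pem, server.crt and root.crt.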

    Configuring SSL on the APR connector

    Configure the listener (this requires the Tomcat Native library, built against OpenSSL, to be installed):

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 
    <!--APR library loader. Documentation at /docs/apr.html -->
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" useAprConnector="true" />

    The APR connector takes OpenSSL-format (PEM) files rather than a keystore; generate them as described above (only the key and the signed certificate are needed, no import into a keystore). Then add the SSL connector:

    [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                   maxThreads="150" scheme="https" secure="true" SSLEnabled="true" >
            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <SSLHostConfig >
                    <!-- PEM files from the openssl steps above, not a keystore -->
                    <Certificate certificateKeyFile="${catalina.base}/conf/serverkey.pem"
                                 certificateFile="${catalina.base}/conf/server.crt"
                                 type="RSA" />
            </SSLHostConfig>
        </Connector>
    certificateKeyFile: the server's private key (PEM)
    certificateFile: the server's certificate (PEM)
    An optional certificateChainFile can point at the CA chain (root.crt here) so that clients receive the full chain. The key file as generated above is unencrypted, so keep it readable only by the Tomcat user (chmod 600).
  • Original article: https://www.cnblogs.com/zh-dream/p/13658139.html
Copyright © 2020-2023  润新知