BlogJava-我爱佳娃-随笔分类-SSL

转的:果然是5分钟配成TOMCAT使用SSL(https)

我爱佳娃 — Mon, 12 Nov 2012 15:17:00 GMT

Setting Up SSL on Tomcat in 5 minutes (https://localhost:8443)

June 30, 2011 | By Loiane

This tutorial will walk you through how to configure SSL (https://localhost:8443 access) on Tomcat in 5 minutes.

For this tutorial you will need:

Java SDK (used version 6 for this tutorial)
Tomcat (used version 7 for this tutorial)

The set up consists in 3 basic steps:

Create a keystore file using Java
Configure Tomcat to use the keystore
Test it
(Bonus ) Configure your app to work with SSL (access through https://localhost:8443/yourApp)

1 – Creating a Keystore file using Java

Fisrt, open the terminal on your computer and type:

Windows:

cd %JAVA_HOME%/bin

Linux or Mac OS:

cd $JAVA_HOME/bin

The $JAVA_HOME on Mac is located on “/System/Library/Frameworks/JavaVM.framework/Versions/{your java version}/Home/”

You will change the current directory to the directory Java is installed on your computer. Inside the Java Home directory, cd to the bin folder. Inside the bin folder there is a file named keytool. This guy is responsible for generating the keystore file for us.

Next, type on the terminal:

keytool -genkey -alias tomcat -keyalg RSA

When you type the command above, it will ask you some questions. First, it will ask you to create a password (My password is “password“):

loiane:bin loiane$ keytool -genkey -alias tomcat -keyalg RSA Enter keystore password:  password Re-enter new password: password What is your first and last name?   [Unknown]:  Loiane Groner What is the name of your organizational unit?   [Unknown]:  home What is the name of your organization?   [Unknown]:  home What is the name of your City or Locality?   [Unknown]:  Sao Paulo What is the name of your State or Province?   [Unknown]:  SP What is the two-letter country code for this unit?   [Unknown]:  BR Is CN=Loiane Groner, OU=home, O=home, L=Sao Paulo, ST=SP, C=BR correct?   [no]:  yes  Enter key password for 	(RETURN if same as keystore password):  password Re-enter new password: password

It will create a .keystore file on your user home directory. On Windows, it will be on: C:\Documents and Settings\[username]; on Mac it will be on /Users/[username] and on Linux will be on /home/[username].

2 – Configuring Tomcat for using the keystore file – SSL config

Open your Tomcat installation directory and open the conf folder. Inside this folder, you will find the server.xml file. Open it.

Find the following declaration:

Uncomment it and modify it to look like the following:

Connector SSLEnabled="true" acceptCount="100" clientAuth="false"     disableUploadTimeout="true" enableLookups="false" maxThreads="25"     port="8443" keystoreFile="/Users/loiane/.keystore" keystorePass="password"     protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"     secure="true" sslProtocol="TLS" />

Note we add the keystoreFile, keystorePass and changed the protocol declarations.

3 – Let’s test it!

Start tomcat service and try to access https://localhost:8443. You will see Tomcat’s local home page.

Note if you try to access the default 8080 port it will be working too: http://localhost:8080

4 – BONUS - Configuring your app to work with SSL (access through https://localhost:8443/yourApp)

To force your web application to work with SSL, you simply need to add the following code to your web.xml file (before web-app tag ends):

 	 		securedapp 		/* 	 	 		CONFIDENTIAL

The url pattern is set to /* so any page/resource from your application is secure (it can be only accessed with https). The transport-guarantee tag is set to CONFIDENTIAL to make sure your app will work on SSL.

If you want to turn off the SSL, you don’t need to delete the code above from web.xml, simply changeCONFIDENTIAL to NONE.

Reference: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html (this tutorial is a little confusing, that is why I decided to write another one my own).

Happy Coding!

我爱佳娃 2012-11-12 23:17 发表评论

Perl与Java的SSL通信示例

我爱佳娃 — Mon, 04 Dec 2006 07:20:00 GMT

用用OpenSSL与JAVA(JSSE)通信一文中所生成的CA证书及keystore就可以在JAVA和OpenSSL之间通信了，下面以Perl代码为例：（Perl实际使用了OpenSSL)

下面的CLIENT端可以与前文提到的JAVA服务端通信：

#use strict;
use IO::Socket::SSL(debug4);

my ($v_mode, $sock, $buf);

if($ARGV[0] eq "DEBUG") { $IO::Socket::SSL::DEBUG = 1; }

# Check to make sure that we were not accidentally run in the wrong
# directory:
unless (-d "certs") {
    if (-d "../certs") {
    chdir "..";
    } else {
#    die "Please run this example from the IO::Socket::SSL distribution directory!\n";
    }
}

if(!($sock = IO::Socket::SSL->new( PeerAddr => '172.19.149.52',
                   PeerPort => '5555',
                   Proto    => 'tcp',
                   SSL_verify_mode => 0x01,
                   SSL_ca_file => 'mycerts/cacert.pem',
                 ))) {
    warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n";
    exit(0);
} else {
    warn "connect ($sock).\n" if ($IO::Socket::SSL::DEBUG);
}

# check server cert.
my ($subject_name, $issuer_name, $cipher);
if( ref($sock) eq "IO::Socket::SSL") {
    $subject_name = $sock->peer_certificate("subject");
    $issuer_name = $sock->peer_certificate("issuer");
    $cipher = $sock->get_cipher();
}
warn "cipher: $cipher.\n", "server cert:\n",
    "\t '$subject_name' \n\t '$issuer_name'.\n\n";

print $sock "Knock, knock.\n";

my ($buf) = $sock->getlines;

$sock->close();

print "read: '$buf'.\n";

另外，也给出一个PERL的SVR端示例：

#use strict;
use IO::Socket::SSL(debug4);

my ($sock, $s, $v_mode);

if($ARGV[0] eq "DEBUG") { $IO::Socket::SSL::DEBUG = 1; }

# Check to make sure that we were not accidentally run in the wrong
# directory:
unless (-d "certs") {
    if (-d "../certs") {
    chdir "..";
    } else {
#    die "Please run this example from the IO::Socket::SSL distribution directory!\n";
    }
}

if(!($sock = IO::Socket::SSL->new( Listen => 5,
                   LocalAddr => '10.56.28.35',
                   LocalPort => 9000,
                   Proto     => 'tcp',
                   Reuse     => 1,
                   SSL_use_cert => 1,
                   SSL_verify_mode => 0x00,
                   SSL_cert_file => 'mycerts/cert.pem',
                   SSL_key_file => 'mycerts/key.pem'
                 )) ) {
    warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n";
    exit(0);
}
warn "socket created: $sock.\n";

while (1) {
  warn "waiting for next connection.\n";

  while(($s = $sock->accept())) {
      my ($peer_cert, $subject_name, $issuer_name, $date, $str);

      if( ! $s ) {
      warn "error: ", $sock->errstr, "\n";
      next;
      }

      warn "connection opened ($s).\n";

      if( ref($sock) eq "IO::Socket::SSL") {
      $subject_name = $s->peer_certificate("subject");
      $issuer_name = $s->peer_certificate("issuer");
      }

      warn "\t subject: '$subject_name'.\n";
      warn "\t issuer: '$issuer_name'.\n";

      my $date = localtime();
      print $s "my date command says it's: '$date'";
      close($s);
      warn "\t connection closed.\n";
  }
}

$sock->close();

warn "loop exited.\n";

在PERL中写SSL的SOCKET，要注意：
SVR端中：
       SSL_use_cert => 1,
       SSL_verify_mode => 0x00,
       SSL_cert_file => 'mycerts/cert.pem',
       SSL_key_file => 'mycerts/key.pem'
CLI端是：
       SSL_verify_mode => 0x01,
       SSL_ca_file => 'mycerts/cacert.pem',
mode是0表示，不认证对端，是1表示要认证对方。

我爱佳娃 2006-12-04 15:20 发表评论

用OpenSSL与JAVA(JSSE)通信

我爱佳娃 — Sun, 03 Dec 2006 04:36:00 GMT

摘要: 概念 JAVA使用keystore文件来存储所有KEY，keystore文件可以存放多个KEY，访问它需要密码。下面我介绍下如何将用OpenSSL做自签名的证书一文中介绍的OpenSSL产生的KEY与JAVA的KEY转换后使用，从而达到JAVA与OpenSSL通信的目的。用OpenSSL生成CA根证书，即(P1,V1)此步骤参见用OpenSSL做自签名的证书一文在JAVA环境下生成自己的... 阅读全文

我爱佳娃 2006-12-03 12:36 发表评论

用OpenSSL做自签名的证书

我爱佳娃 — Fri, 01 Dec 2006 07:20:00 GMT

这里抄录LDAP+OpenSSL集中认证配置一文的一部分：
公私钥：公钥可以唯一解密私钥加密过的数据，反之亦然。以下用P指代公钥，V指代私钥。
SSL过程：需要两对公私钥(P1,V1),(P2,V2)，假设通信双方是A和B，B是服务器，A要确认和它通信的是B：
A->B: hello
B->A: 用V2加密过的P1（即用户证书，A就用P2解密出P1）
A->B: ok
B->A: 用V1加密的一段信息
A->B: 用P1加密一个自动生成的K（用之前的P1解密成功这段信息则认为B是可信的了）
B->A: 用K加密的数据（之后两对密钥功能结束，由K来加解密数据）
这里，P2就是第3方的CA证书，由于非对称加密很慢，所以公私钥只是用来保证K的传送安全，之后通信是用K的对称加密算法来保证。

为什么通过以上过程A就能够确定肯定是B，而不是某个C在假装B了呢？因为这个过程中，B用V1加密过一段信息发给A，A也成功解开了。我们开头谈到公钥（P1）只可以唯一解密私钥（V1）加密过的信息，这样A就可以完全相信B是拥有V1的，而V1是严格保密，只被服务提供公司拥有，所以保证了通信的服务方正确性。

这里(P2,V2)就是certificate authority (CA)用来给客户签名用的公私钥。
(P1,V1)是客户自己的公私钥，提交给CA，CA所做的事情就是用(P2,V2)来给客户的(P1,V1)签名，简单吧？
V2是CA公司要保密的，而P2就是公用CA证书。用V2加密过（签名过）的P1，称为用户证书，一般被安装在服务器端。

下面我们OpenSSL来做这一整件事情。

先生成CA的公私钥(Root Certificate )
准备工作

mkdir CA
cd CA
mkdir newcerts private
echo '01' > serial
touch index.txt

生成配置文件。由于openssl命令行参数太多，所以就用文件来组织各种选项。
其中,req_distinguished_name 节表示需要提示用户输入的信息。
v3_ca是有关CA公私钥生成的，v3_req是有关用户证书生成的。
ca_default是用CA公私钥签名的时候，用户证书的默认信息。

vi ./openssl.cnf

dir = .

[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = EB Company
localityName_default = Shen Zhen
stateOrProvinceName_default = Guan Dong
countryName_default = CN

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

生成CA公私钥：

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

会提示输入密码，当用它给用户证书签名时需要输入，以避免其它人用它随意产生用户证书。
-days表示有效期，因为它是根证书，所以时间一定要很长，否则由它生成的用户证书容易过期。

这时就生成了：
P1
cacert.pem
V1
private/cakey.pem

查看信息用：
openssl x509 -in cacert.pem -noout -text

生成P2,V2，即Certificate Signing Request (CSR)
执行：
openssl req -new -nodes -out req.pem -config ./openssl.cnf
这样就生成了：
P2
req.pem
V2
key.pem

用此命令查看：
openssl req -in req.pem -text -verify -noout

用CA的私钥V1为P2签名，即生成用户证书
执行：
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
生成用户证书：
cert.pem
此时，会拷贝一份到newcerts目录下。并会更新数据库文件：index.txt以及serail文件
用命令查看：
openssl x509 -in cert.pem -noout -text -purpose | more

如果要去除可读信息部分，执行：
mv cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem

安装证书
key.pem(V2)和cert.pem(用V1加密过的P2）安装到服务端
有的服务器需要把这两个文件连为一个，可以执行：
cat key.pem cert.pem >key-cert.pem

cacert.pem安装到客户端

Apache的配置：
File Comment
/home/httpd/html Apache DocumentRoot
/home/httpd/ssl SSL-related files
/home/httpd/ssl/cert.pem Site certificate
/home/httpd/ssl/key.pem Site private key

Stunnel的配置
stunnel -p /etc/ssl/certs/key-cert.pem

编辑于08.4.26，另有两个例子：
用OpenSSL与JAVA(JSSE)通信
Perl与Java的SSL通信示例

我爱佳娃 2006-12-01 15:20 发表评论

在windows下编译openssl

我爱佳娃 — Sun, 26 Nov 2006 03:32:00 GMT

编译环境：
VS2005 Express Edition
SDK WIN SVR 2003 SP1
MASM 8.0

进入打开sdk的2000编译命令行，再运行：
%comspec% /k ""C:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat"" x86

去到解压目录：
cd /d "E:\Prj2\ForMe\RefExe\perl+ssl\openssl-0.9.8d"

再编译：
perl Configure VC-WIN32 --prefix=dist
ms\do_ms
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
nmake -f ms\ntdll.mak install

完成后，dist目录就是安装好的东西，可以拷贝到别处使用

我爱佳娃 2006-11-26 11:32 发表评论