一般的網頁傳輸都是基于http協議����,在網絡中流通的信息都為明文,非常容易泄密。為保證網站信息不被中間服務器或者其它探測軟件捕獲,一般企業都使用 SSL對網頁內容加密����,下面介紹tomcat中的SSL加密,詳細可參考鏈接:http://tomcat.apache.org/tomcat- 7.0-doc/ssl-howto.html
tomcat的加密根據自身的特色分兩種情況�����,一種為使用Java runtime(非APR)�����,一種為OpenSSL library (through APR/Tomcat-Native). 這兩種的配置完全不同�����,下面分別介紹��,讀者可以按自己應用的情況分別選擇�����。
一��、Java runtime(非APR)情況
1����、產生client /server java key store
import java.io.FileOutputStream;import java.math.BigInteger;import java.security.InvalidKeyException;import java.security.KeyPair;import java.security.KeyStore;import java.security.NoSuchAlgorithmException;import java.security.NoSuchProviderException;import java.security.SecureRandom;import java.security.SignatureException;import java.security.cert.Certificate;import java.security.cert.CertificateEncodingException;import java.security.cert.X509Certificate;import java.util.Date;import javax.security.auth.x500.X500Principal;import javax.security.auth.x500.X500PrivateCredential;import org.bouncycastle.jce.provider.asymmetric.ec.KeyPairGenerator;import org.bouncycastle.x509.X509V3CertificateGenerator;/** * * Tomcat HTTPS client/server key Certificate generator * */public class TomcatKey { //Client Certificate static String TRUST_STORE_NAME = "client"; static char[] TRUST_STORE_PASSWORD = "test".toCharArray(); //Server Certificate static String SERVER_NAME = "server"; static char[] SERVER_PASSWORD = "test".toCharArray(); static String SERVER_HOST = "localhost"; /** * @param args */ public static void main(String[] args) { try { // trustsotre, my root certificate KeyStore store = KeyStore.getInstance("JKS"); // initialize store.load(null, null); KeyPair rootPair = generateKeyPair(); X500PrivateCredential rootCredential = createRootCredential(rootPair); store.setCertificateEntry(TRUST_STORE_NAME, rootCredential .getCertificate()); store.store(new FileOutputStream(TRUST_STORE_NAME + ".keystore"), TRUST_STORE_PASSWORD); // server credentials store = KeyStore.getInstance("JKS"); store.load(null, null); store.setKeyEntry(SERVER_NAME, rootCredential.getPrivateKey(), SERVER_PASSWORD, new Certificate[] { rootCredential .getCertificate() }); store.store(new FileOutputStream(SERVER_NAME + ".keystore"), SERVER_PASSWORD); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (NoSuchProviderException e) { e.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } } //generate Key Pair public static KeyPair generateKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException { // create the keys java.security.KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA"); generator.initialize(1024, new SecureRandom()); return generator.generateKeyPair(); } //generate certificate public static X500PrivateCredential createRootCredential(KeyPair rootPair) throws Exception { X509Certificate rootCert = generateX509V3RootCertificate(rootPair); return new X500PrivateCredential(rootCert, rootPair.getPrivate()); } public static X509Certificate generateX509V3RootCertificate(KeyPair pair)throws NoSuchAlgorithmException, NoSuchProviderException, CertificateEncodingException, InvalidKeyException, IllegalStateException, SignatureException { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(new X500Principal("CN=" + SERVER_HOST+ ", OU=GoldenSF, O=SHA, C=cn")); certGen.setNotBefore(new Date(System.currentTimeMillis() - 5000L)); certGen.setSubjectDN(new X500Principal("CN=" + SERVER_HOST+ ", OU=GoldenSF, O=SHA, C=cn")); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm("SHA1WithRSA"); certGen.setNotAfter(new Date(System.currentTimeMillis() + Integer.MAX_VALUE)); return certGen.generate(pair.getPrivate(), new SecureRandom()); }}2、將產生的文件:client.keystore, and server.keystore放到apache-tomcat-7/conf下面
3�����、修改/conf/server.xml如下:
<?xml version='1.0' encoding='utf-8'?><Server port="8005" shutdown="SHUTDOWN"> <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> --> <Listener className="org.apache.catalina.core.JasperListener" /> <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> <GlobalNamingResources> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <Service name="Catalina"> <Connector port="443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/server.keystore" keystorePass="test" truststoreFile ="conf/client.keystore" truststorePass="test"/> <Connector port="8009" enableLookups="false" redirectPort="443" protocol="AJP/1.3" /> <Engine name="Catalina" defaultHost="localhost"> <Realm className="org.apache.catalina.realm.LockOutRealm"> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t "%r" %s %b" resolveHosts="false"/> </Host> </Engine> </Service></Server>
4��、啟動tomcat, 如果 https://localhost/ 能正常打開�����,說明配置成功��。
一些注意:
1)如果不使用JAVA文件生成keystore,也可以通過JDK自帶的命令生成��,
如生成服務器端證書 keytool -genkey -keyalg RSA -dname "cn=localhost,ou=test,o=test,l=hongkong,st=hk,c=hk" -alias server -keypass asdfzxcv23 -keystore server.jks -storepass asdfzxcv23 -validity 3650 客戶端的CN可以是任意值,具體的可以參考相關文章
2)在修改server.xml時��,需要將tomcat的默認APR配置刪除
<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
3)如果之前有APR的配置��,需要刪除文件bin/tcnative-1.dll
4)注意JAVA文件生成的key和密碼一定要與配置中的一致�����,區分大小寫���。
二��、OPENSSL library (through APR/Tomcat-Native)情況
1����、首先需要到OPENSSL網站下載OpenSSL-Win32(或者Linux),安裝非常簡單
2、利用OPENSSL生成公鑰
D:/OpenSSL-Win32/bin>openssl
genrsa -des3 -out key1.pem 2048
enter pwd: test, to get a file : key1.pem
3��、繼續利用OPENSSL生成私鑰
req -new -x509 -key key1.pem -out key1cert.pem -days 1095
得到文件: key1cert.pem
4��、將這兩個文件放到apache-tomcat-7/conf目錄下�,并修改server.xml為如下內容:
<?xml version='1.0' encoding='utf-8'?><Server port="8005" shutdown="SHUTDOWN"> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> <Listener className="org.apache.catalina.core.JasperListener" /> <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> <GlobalNamingResources> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <Service name="Catalina"> <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="D:/apache-tomcat-7/conf/key1cert.pem" SSLCertificateKeyFile="D:/apache-tomcat-7/conf/key1.pem" SSLPassword="test" /> <Connector port="8009" enableLookups="false" redirectPort="443" protocol="AJP/1.3" /> <Engine name="Catalina" defaultHost="localhost"> <Realm className="org.apache.catalina.realm.LockOutRealm"> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t "%r" %s %b" resolveHosts="false"/> </Host> </Engine> </Service></Server>
5、啟動tomcat ,https://localhost如果能正常打開���,說明配置成功��。
幾點注意:
1)��、注意APR是否已經正常配置�,
2)���、在啟動tomcat前需要確認任務管理器中沒有其它tomcat進程在執行(一般刪除所有javaw.exe即可)�,免得造成沖突����,提示:java.lang.Exception: Socket bind failed���;
3)��、密碼要一致����,文件名不可寫混。
以上是我在tomcat環境下配置HTTPS的一點心得��,歡迎大家指正�。
http://zeallf.javaeye.com/blog/833250
