SSL/TLS单向认证实现(JAVA、TOMCAT)
2015-07-26 20:44
661 查看
单向认证,客户端会认证服务器端身份,服务器端不对客户端进行认证
1. 生成jks格式服务器端的keystore文件,keypass与storepass需一致,因tomcat server.xml中仅一处keystorePass
keytool -genkey -alias server -keystore D:\keystore.jks -keypass 123456 -storepass 123456 -keyalg RSA -keysize 512 -validity 3650 -v -dname “CN={hostname},O=company,OU=company, L=city,ST=province”
注:{hostname}取服务器的hostname值
2. 从keystore中导出别名为server的服务端证书
keytool -export -alias server -keystore D:\keystore.jks -storepass 123456 -file D:\server.cer
3. 将server.cer导入客户端的信任证书库truststore.jks
keytool -import -alias trust -file D:\server.cer -keystore D:\truststore.jks -storepass 123456
客户端代码(需要引入jar文件httpcore-4.0.1.jar,httpclient-4.0.1.jar,httpmime-4.0.1.jar)
运行后调用成功,打印信息如下:
证书生成
只需要生成服务端的证书,需得到服务端keystore.jks和客户端的truststore.jks证书库(通常是将server.cer文件发送给客户端,客户端自己导入jks证书库),步骤如下:1. 生成jks格式服务器端的keystore文件,keypass与storepass需一致,因tomcat server.xml中仅一处keystorePass
keytool -genkey -alias server -keystore D:\keystore.jks -keypass 123456 -storepass 123456 -keyalg RSA -keysize 512 -validity 3650 -v -dname “CN={hostname},O=company,OU=company, L=city,ST=province”
注:{hostname}取服务器的hostname值
2. 从keystore中导出别名为server的服务端证书
keytool -export -alias server -keystore D:\keystore.jks -storepass 123456 -file D:\server.cer
3. 将server.cer导入客户端的信任证书库truststore.jks
keytool -import -alias trust -file D:\server.cer -keystore D:\truststore.jks -storepass 123456
配置tomcat环境中的server.xml
将证书文件keystore.jks拷贝至tomcat的conf目录下<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" maxThreads="150" scheme="https" secure="true" keystoreFile="conf/keystore.jks" keystorePass="123456" />
服务端、客户端
服务端web.xml<security-constraint> <web-resource-collection> <web-resource-name>ssl</web-resource-name> <url-pattern>/*</url-pattern> //强制所有请求走https </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
客户端代码(需要引入jar文件httpcore-4.0.1.jar,httpclient-4.0.1.jar,httpmime-4.0.1.jar)
package com.ssl.http; import java.io.File; import java.io.FileInputStream; import java.security.KeyStore; import org.apache.http.HttpEntity; import org.apache.http.HttpResponse; import org.apache.http.util.EntityUtils; import org.apache.http.client.methods.HttpGet; import org.apache.http.conn.scheme.Scheme; import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.impl.client.DefaultHttpClient; /** * 带证书认证请求处理 * @author blue_coat * @date 2015-7-26 */ public class HttpClientWithCA { public static final String KEYSTORE_FILE = "D:\truststore.jks"; public static final String KEYSTORE_PWD = "123456"; public final static void main(String[] args) throws Exception { String result = oneAuthSSL("https://localhost:8443/ssl", "", KEYSTORE_FILE, KEYSTORE_PWD); ...... } public String oneAuthSSL(String url, String data, String keystore, String password) throws Exception { String result = null; DefaultHttpClient httpclient = new DefaultHttpClient(); KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); FileInputStream instream = new FileInputStream(new File(keystore)); try { trustStore.load(instream, password.toCharArray()); } finally { instream.close(); } SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore); Scheme sch = new Scheme("https", socketFactory, 8443); httpclient.getConnectionManager().getSchemeRegistry().register(sch); HttpGet httpget = new HttpGet(url); System.out.println("executing: " + httpget.getRequestLine()); HttpResponse response = httpclient.execute(httpget); HttpEntity entity = response.getEntity(); System.out.println("----------------------------------------"); System.out.println(response.getStatusLine()); if (entity != null) { System.out.println("Response Content-length: " + entity.getContentLength()); result = EntityUtils.toString(entity); entity.consumeContent(); } // 关闭连接,腾出内存空间 httpclient.getConnectionManager().shutdown(); return result; } }
运行后调用成功,打印信息如下:
executing: GET https://localhost:8443/ssl HTTP/1.1 ---------------------------------------- HTTP/1.1 200 OK Response content length: 8432
相关文章推荐
- java对世界各个时区(TimeZone)的通用转换处理方法(转载)
- java-注解annotation
- java-模拟tomcat服务器
- java-用HttpURLConnection发送Http请求.
- java-WEB中的监听器Lisener
- Android IPC进程间通讯机制
- i-jetty环境搭配与编译
- Android Native 绘图方法
- Android java 与 javascript互访(相互调用)的方法例子
- 实现单Tomcat多Server配置
- 生产环境下的Tomcat配置
- 介绍一款信息管理系统的开源框架---jeecg
- 聚类算法之kmeans算法java版本
- java实现 PageRank算法
- 访问Nginx发生SSL connection error的一种情况
- PropertyChangeListener简单理解
- 插入排序