Deploying a Tomcat server with mutual (two-way) TLS authentication
2016-04-26 14:22
Original source: http://520and519.blog.51cto.com/2254416/1432514

I. Environment

Platform: linux + apache-tomcat-7.0.35.tar.gz

II. Generate the CA certificate

Create the directories:

# mkdir ca client server

No third-party CA is used here; we act as our own CA.

2.1 Create the private key

# openssl genrsa -out ca/ca-key.pem 1024

2.2 Create the certificate request

# openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:ca
Email Address []:ca@ca.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

2.3 Self-sign the certificate

# openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650

2.4 Export the certificate to the browser-supported .p12 format

# openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: 123456

III. Generate the server certificate

3.1 Create the private key

# openssl genrsa -out server/server-key.pem 1024

3.2 Create the certificate request

# openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:localhost    # this must be the IP address the server runs on
Email Address []:server@server.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.3 Sign the certificate with the CA

# openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

3.4 Export the certificate to the browser-supported .p12 format

# openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: 123456

IV. Generate the client certificate

4.1 Create the private key

# openssl genrsa -out client/client-key.pem 1024

4.2 Create the certificate request

# openssl req -new -out client/client-req.csr -key client/client-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:dong
Email Address []:dong@dong.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4.3 Sign the certificate with the CA

# openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

4.4 Export the certificate to the browser-supported .p12 format

# openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Password: 123456

4.5 Generate the jks file (Java keystore) from the CA certificate

# keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem
# keytool -import -keystore truststore.jks -keypass 222222 -storepass 222222 -alias client -trustcacerts -file client/client-cert.pem
  (imports the client certificate so that the server trusts it)
# keytool -list -v -keystore truststore.jks
  (lists the keystore; password: 222222)

V. Configure Tomcat SSL

Edit conf/server.xml. The Tomcat connector gains the SSLEnabled="true" attribute. Set keystoreFile and truststoreFile to the correct paths on your system. The XML is changed as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/root/ca/server/server.p12" keystorePass="123456" keystoreType="PKCS12"
           truststoreFile="/root/ca/truststore.jks" truststorePass="222222" truststoreType="JKS"/>

Attribute description:

clientAuth: whether mutual authentication is required; the default is false, and true enables mutual authentication
keystoreFile: path to the server certificate file
keystorePass: password of the server certificate
truststoreFile: the root certificate used to verify client certificates; in this example, the CA certificate
truststorePass: password of the root certificate

VI. Client verification

Start the Tomcat service, import the client.p12 certificate into the client, then visit https://ip:8443
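The steps in sections II to V can be reproduced non-interactively, and the check that Tomcat's truststoreFile performs on every client certificate can be made explicit. The following shell script is an added example, not code from the original post or from the Tomcat project. It assumes openssl 1.1.1 or newer on PATH; keytool is optional. The subjects, the rogue CA, the "demo-ca" and "rogue-client" names, and the passwords are constructed for the example, and it uses 2048-bit keys with one-year validity in place of the post's 1024-bit keys and ten-year lifetimes, since 1024-bit RSA is no longer considered adequate. Unlike the post, the server and client certificates are signed with the CA options only (no -signkey), so the CA is unambiguously the issuer, and each leaf carries an extendedKeyUsage matching its role.

```shell
#!/bin/sh
# Added example, not code from the original post. Recreates the post's CA ->
# server -> client chain non-interactively with openssl, then checks what the
# Tomcat truststore enforces: a client certificate verifies only if it chains
# to the trusted CA. All names, subjects and passwords below are constructed;
# 2048-bit keys and 365-day validity replace the post's 1024 bits / 3650 days.
# Requires openssl 1.1.1 or newer on PATH (the keytool step is optional).
set -e

WORK="${WORK:-$(mktemp -d)}"
DAYS=365
P12_PASS="pass:123456"      # constructed; matches the post's example password

# Minimal openssl config so the example does not depend on the system openssl.cnf.
# v3_ca marks the CA as a CA (openssl verify rejects v3 issuers without it);
# v3_server / v3_client pin each leaf to its role via extendedKeyUsage.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
CNF="$WORK/openssl.cnf"

# make_ca NAME SUBJECT: self-signed CA key and cert in $WORK/NAME/ (post's step II).
make_ca() {
  mkdir -p "$WORK/$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "$2" -config "$CNF" -extensions v3_ca \
    -keyout "$WORK/$1/ca-key.pem" -out "$WORK/$1/ca-cert.pem" 2>/dev/null
}

# issue CA_DIR NAME SUBJECT EXT_SECTION: key, CSR, CA-signed cert and .p12 in
# $WORK/NAME/ (post's steps III and IV; no -signkey, so the CA is the issuer).
issue() {
  mkdir -p "$WORK/$2"
  openssl genrsa -out "$WORK/$2/$2-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$2/$2-key.pem" -subj "$3" -config "$CNF" \
    -out "$WORK/$2/$2-req.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2/$2-req.csr" -CA "$WORK/$1/ca-cert.pem" \
    -CAkey "$WORK/$1/ca-key.pem" -CAcreateserial -days "$DAYS" -sha256 \
    -extfile "$CNF" -extensions "$4" -out "$WORK/$2/$2-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$2/$2-cert.pem" -inkey "$WORK/$2/$2-key.pem" \
    -passout "$P12_PASS" -out "$WORK/$2/$2.p12"
}

# verify_against_ca CA_CERT LEAF_CERT: prints OK or FAIL. This is the chain check
# Tomcat performs against truststoreFile for every presented client certificate.
verify_against_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The trusted CA and the two legitimate leaves from the post.
make_ca ca "/C=CN/ST=bj/O=tb/CN=demo-ca"
issue ca server "/C=CN/O=tb/CN=localhost" v3_server
issue ca client "/C=CN/O=tb/CN=dong" v3_client
# A second, untrusted CA issuing a client certificate with the same subject:
# it must be rejected, because trust comes from the issuer, not from the name.
make_ca rogue "/C=CN/O=other/CN=rogue-ca"
issue rogue rogue-client "/C=CN/O=tb/CN=dong" v3_client

# Optional: the JKS truststore for server.xml. Only the CA needs to be in it.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -keystore "$WORK/truststore.jks" -storepass 222222 \
    -alias ca -file "$WORK/ca/ca-cert.pem" >/dev/null 2>&1 || true
fi

echo "server: $(verify_against_ca "$WORK/ca/ca-cert.pem" "$WORK/server/server-cert.pem")"
echo "client: $(verify_against_ca "$WORK/ca/ca-cert.pem" "$WORK/client/client-cert.pem")"
echo "rogue : $(verify_against_ca "$WORK/ca/ca-cert.pem" "$WORK/rogue-client/rogue-client-cert.pem")"
```

Two points the rogue case makes about the post's setup: with clientAuth="true", Tomcat accepts any certificate that chains to a CA in truststore.jks, so importing each client certificate individually (post's step 4.5) is unnecessary once the CA is trusted, and the CA private key is the real credential to protect, because anyone holding it can mint a valid client certificate for any name. Revoking a single client then requires either a new CA or CRL/OCSP checking, which this configuration does not enable.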