Tomcat 中配置SSL
介绍
SSL和TLS是用户网络通信安全的加密协议。允许客户端和服务器之间通过安全链接通信。
SSL协议的特性:
- 保密:通过SSL链接传输的数据时加密的
- 鉴别:通信双方的身份鉴别,这时可选的,通常是一方需要验证(服务端)
- 完整性:传输数据的完整性检查
配置SSL
Tomcat提供两种方式部署SSL:一种是JSSE,另一种是APR(使用OPENSSL引擎)。前者适用于BIO、NIO、NIO2链接器(8.5版本后,NIO和NIO2支持OPENSSL以适应HTTP/2.0),后者使用APR链接器。在配置的时候最好使用Connector的Protocol属性指定链接器的类名,而不是使用协议名(如HTTP/1.1),否则,Tomcat会自动按照本地配置构造Connector,这样会导致SSL不可用。
1、生成秘钥
Tomcat支持的秘钥有JKS、PKCS11、PKCS12。JKS是Java标准的秘钥库格式,使用keytool命令创建,位于$JAVA_HOME/binx下,创建方法如下:
① Windows系统:
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\cert\mykey.keystore
② Linux操作系统:
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# mkdir cert [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: Tomcat What is the name of your organizational unit? [Unknown]: Apache What is the name of your organization? [Unknown]: Apache What is the name of your City or Locality? [Unknown]: Beijing What is the name of your State or Province? [Unknown]: Beijing What is the two-letter country code for this unit? [Unknown]: CN Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct? [no]: Y Enter key password for <tomcat> (RETURN if same as keystore password): (按回车) Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -destkeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -deststoretype pkcs12".
2、部署
将生成的秘钥复制到$CATALINA_BASE/conf下,修改server.xml,如下:
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# cp cert/mykey.keystore $CATALINA_BASE/conf/ [root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" schema="https" secure="true" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig certificateVerification="false" > <Certificate certificateKeystoreFile="conf/mykey.keystore" certificateKeystorePassword="mnbvcxzaA0." type="RSA" /> </SSLHostConfig> </Connector>
port为SSL链接器端口,如果修改为其他端口,要保证和HTTP链接器的redirectPort属性一致。
8.5版本之前的配置如下:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" schema="https" secure="true" SSLEnabled="true" KeystoreFile="conf/mykey.keystore" KeystorePass="mnbvcxzaA0." clientAuth="false" sslProtocol="TLS" />
配置多证书(8.5版本以前)
<Connector port="8443" maxThreads="200" address="10.0.0.1" scheme="https" secure="true" SSLEnabled="true" keystoreFile="keystore1.jks" keystorePass="..." clientAuth="false" sslProtocol="TLS"/> <Connector port="8443" maxThreads="200" address="10.0.0.2" scheme="https" secure="true" SSLEnabled="true" keystoreFile="keystore2.jks" keystorePass="..." clientAuth="false" sslProtocol="TLS"/>
3、访问测试
可以看到证书信息
使用openssl命令创建秘钥
测试环境可以使用,生产环境需要向有资质的签发机构(CA)提交证书请求文件,CA返回数字证书
生成根秘钥
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out rootkey.pem 2048 Generating RSA private key, 2048 bit long modulus (2 primes) .................................................+++++ ..................................+++++ e is 65537 (0x010001)
创建根证书(用来签发服务器端请求文件)
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -x509 -new -key rootkey.pem -out root.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:Apache Organizational Unit Name (eg, section) []:Tomcat Common Name (eg, your name or your server's hostname) []:Tomcat Email Address []:183041251@126.com
创建服务器秘钥
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out serverkey.pem 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ...+++++ ..........................................+++++ e is 65537 (0x010001)
创建服务器端证书请求文件
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -new -key serverkey.pem -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:Apache Organizational Unit Name (eg, section) []:Tomcat Common Name (eg, your name or your server's hostname) []:Tomcat Email Address []:183041251@126.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:tomcat An optional company name []:Tomcat
用根证书签发服务器端请求文件,生成服务器端证书
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 365 -out server.crt Signature ok subject=C = CN, ST = Beijing, L = Beijing, O = Apache, OU = Tomcat, CN = Tomcat, emailAddress = 183041251@126.com Getting CA Private Key
将证书导出为pkcs12格式
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12
Enter Export Password: # 自己设置一个导出密码即可
Verifying - Enter Export Password:
生成服务器端秘钥库
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12 Importing keystore server.pkcs12 to mykey.keystore... Enter destination keystore password: ## 输入之前创建的秘钥库mykey.keystore的密码即可
Re-enter new password:
Enter source keystore password: ## 输入上一步设置的源秘钥库密码
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".
查看秘钥库包含的证书信息
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -list -v -keystore mykey.keystore Enter keystore password: ## 输入秘钥库密码 Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry Alias name: 1 Creation date: Sep 12, 2020 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN Issuer: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN Serial number: 25100e367ff3f3117f90489ad91605bc08080222 Valid from: Sat Sep 12 18:06:53 CST 2020 until: Sun Sep 12 18:06:53 CST 2021 Certificate fingerprints: MD5: E7:F4:B6:EE:18:26:FC:92:18:4B:66:EA:DE:9A:20:72 SHA1: 40:D9:E2:15:B6:03:5D:B4:56:38:23:3F:95:B9:35:64:F6:02:B7:80 SHA256: 6E:33:84:44:82:A0:46:B7:D4:49:35:56:74:89:8A:C2:4A:05:95:66:D5:98:D8:2A:0E:01:5E:3D:45:83:5E:B9 Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 1 ******************************************* ******************************************* Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".
将秘钥库文件部署到tomcat中,就可以访问了(注意,不能是APR链接器)
APR链接器配置SSL
配置监听器
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml
<!--APR library loader. Documentation at /docs/apr.html --> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" useAprConnector="true" />
APR的证书必须使用OpenSSL,生成方式见上面的操作(只生成自签证书,无需导入秘钥库)。然后添加SSL链接器配置,如下:
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" schema="https" secure="true" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig > <Certificate certificateKeyFile="${catalina.base}/conf/serverkey.pem" certificateFile="${catalina.base}/conf/server.crt" type="RSA" /> </SSLHostConfig> </Connector>
certificateKeyFile:用于配置服务器端秘钥
certificateFile:用于配置服务器端证书
posted on 2020-09-12 19:25 hopeless-dream 阅读(2312) 评论(0) 编辑 收藏 举报