hopeless-dream

导航

Tomcat 中配置SSL

介绍

SSL和TLS是用户网络通信安全的加密协议。允许客户端和服务器之间通过安全链接通信。

SSL协议的特性:

  1. 保密:通过SSL链接传输的数据时加密的
  2. 鉴别:通信双方的身份鉴别,这时可选的,通常是一方需要验证(服务端)
  3. 完整性:传输数据的完整性检查

配置SSL

Tomcat提供两种方式部署SSL:一种是JSSE,另一种是APR(使用OPENSSL引擎)。前者适用于BIO、NIO、NIO2链接器(8.5版本后,NIO和NIO2支持OPENSSL以适应HTTP/2.0),后者使用APR链接器。在配置的时候最好使用Connector的Protocol属性指定链接器的类名,而不是使用协议名(如HTTP/1.1),否则,Tomcat会自动按照本地配置构造Connector,这样会导致SSL不可用。

1、生成秘钥

Tomcat支持的秘钥有JKS、PKCS11、PKCS12。JKS是Java标准的秘钥库格式,使用keytool命令创建,位于$JAVA_HOME/binx下,创建方法如下:

① Windows系统:

keytool -genkey -alias tomcat -keyalg RSA -keystore C:\cert\mykey.keystore

② Linux操作系统:

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# mkdir cert
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Tomcat
What is the name of your organizational unit?
  [Unknown]:  Apache
What is the name of your organization?
  [Unknown]:  Apache
What is the name of your City or Locality?
  [Unknown]:  Beijing
What is the name of your State or Province?
  [Unknown]:  Beijing
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct?
  [no]:  Y

Enter key password for <tomcat>
    (RETURN if same as keystore password):  (按回车)

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -destkeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -deststoretype pkcs12".

2、部署

将生成的秘钥复制到$CATALINA_BASE/conf下,修改server.xml,如下:

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# cp cert/mykey.keystore $CATALINA_BASE/conf/
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" schema="https" secure="true" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig certificateVerification="false" >
            <Certificate certificateKeystoreFile="conf/mykey.keystore"
                         certificateKeystorePassword="mnbvcxzaA0."
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

port为SSL链接器端口,如果修改为其他端口,要保证和HTTP链接器的redirectPort属性一致。

8.5版本之前的配置如下:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" schema="https" secure="true" SSLEnabled="true" 
               KeystoreFile="conf/mykey.keystore"
               KeystorePass="mnbvcxzaA0."
               clientAuth="false"  sslProtocol="TLS" />

配置多证书(8.5版本以前)

<Connector 
       port="8443" maxThreads="200" address="10.0.0.1"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore1.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>
<Connector 
       port="8443" maxThreads="200" address="10.0.0.2"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore2.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>

 

3、访问测试

 

 可以看到证书信息

 

 使用openssl命令创建秘钥

测试环境可以使用,生产环境需要向有资质的签发机构(CA)提交证书请求文件,CA返回数字证书

生成根秘钥

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out rootkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................+++++
..................................+++++
e is 65537 (0x010001)

创建根证书(用来签发服务器端请求文件)

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -x509 -new -key rootkey.pem -out root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat  
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:183041251@126.com

创建服务器秘钥

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out serverkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..........................................+++++
e is 65537 (0x010001)

创建服务器端证书请求文件

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -new -key  serverkey.pem -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:183041251@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tomcat
An optional company name []:Tomcat

用根证书签发服务器端请求文件,生成服务器端证书

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 365 -out server.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = Apache, OU = Tomcat, CN = Tomcat, emailAddress = 183041251@126.com
Getting CA Private Key

将证书导出为pkcs12格式

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12

Enter Export Password:
# 自己设置一个导出密码即可
Verifying - Enter Export Password: 

生成服务器端秘钥库

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12
Importing keystore server.pkcs12 to mykey.keystore...
Enter destination keystore password:                              ## 输入之前创建的秘钥库mykey.keystore的密码即可 
Re
-enter new password:
Enter source keystore password: ## 输入上一步设置的源秘钥库密码
Entry
for alias 1 successfully imported.
Import command completed:
1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It
is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".

查看秘钥库包含的证书信息

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -list -v -keystore mykey.keystore
Enter keystore password:                            ## 输入秘钥库密码
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Sep 12, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Issuer: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Serial number: 25100e367ff3f3117f90489ad91605bc08080222
Valid from: Sat Sep 12 18:06:53 CST 2020 until: Sun Sep 12 18:06:53 CST 2021
Certificate fingerprints:
     MD5:  E7:F4:B6:EE:18:26:FC:92:18:4B:66:EA:DE:9A:20:72
     SHA1: 40:D9:E2:15:B6:03:5D:B4:56:38:23:3F:95:B9:35:64:F6:02:B7:80
     SHA256: 6E:33:84:44:82:A0:46:B7:D4:49:35:56:74:89:8A:C2:4A:05:95:66:D5:98:D8:2A:0E:01:5E:3D:45:83:5E:B9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".

将秘钥库文件部署到tomcat中,就可以访问了(注意,不能是APR链接器)

APR链接器配置SSL

配置监听器

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 
<!--APR library loader. Documentation at /docs/apr.html --> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" useAprConnector="true" />

APR的证书必须使用OpenSSL,生成方式见上面的操作(只生成自签证书,无需导入秘钥库)。然后添加SSL链接器配置,如下:

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" schema="https" secure="true" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig >
                <Certificate certificateKeyFile="${catalina.base}/conf/serverkey.pem"
                             certificateFile="${catalina.base}/conf/server.crt"
                             type="RSA" />
        </SSLHostConfig>
    </Connector>
certificateKeyFile:用于配置服务器端秘钥
certificateFile:用于配置服务器端证书

 

posted on 2020-09-12 19:25  hopeless-dream  阅读(2312)  评论(0编辑  收藏  举报