ssl简单配置

参考:
1.http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
2.http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

keytool -help 获取 keytool 的用法
使用 “keytool -command_name -help” 获取 command_name 的用法
生成密钥对d:\jdk8\bin\keytool -genkeypair -help
从keystore导出证书d:\jdk8\bin\keytool -exportcert -help
导入证书到truststored:\jdk8\bin\keytool -importcert -help

一.tomcat的ssl配置

1.生成密钥对
d:\jdk8\bin\keytool -genkeypair -alias server -keystore server.p12 -storetype PKCS12 -keyalg RSA -storepass changeit -keypass changeit -validity 365 -dname "CN=server, OU=test, O=test, L=TH, ST=GZ, C=CN"

创建一个密钥库文件,并把一个密钥对条目存进去.密钥对条目的详细信息,-alias指定别名,-keyalg指定算法,-keystore指定文件生成位置,-storepass指定密钥库文件管理密码,-keypass指定密钥对密码,-validity指定有效期,指定域的一些信息

2.在server.xml配置.这里使用JSSE配置SSL

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        keystoreFile="conf/server.p12" keystorePass="changeit" keystoreType="PKCS12"
        clientAuth="false" sslProtocol="TLS" />

二.jetty的ssl配置

原文:https://examples.javacodegeeks.com/enterprise-java/jetty/jetty-ssl-configuration-example/
1.创建SSL密钥
openssl genrsa -des3 -out jcg.key
密码短语和确认密码短语都输入123456

2.创建证书文件
openssl req -new -x509 -key jcg.key -out jcg.crt
输入上面输入的密码123456
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server’s hostname) []:admin
Email Address []:admin@qq.com

3.将证书文件转为PKCS12格式
openssl pkcs12 -inkey jcg.key -in jcg.crt -export -out jcg.pkcs12
输入jcg.key的密码短语123456
输入导出密码123456(可以重新设置)
确定导出密码123456

4.到目前为止,为了配置ssl,已创建了密钥和证书,下面将PKCS12文件导入到Jetty的keystore文件
d:\jdk7\bin\keytool -importkeystore -srckeystore jcg.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
输入keystore的密码123456,并再次输入同样密码确认
输入刚才导出pkcs12文件的密码123456

为Jetty启用SSL
jetty是模块架构,意味着可以通过配置文件启用不同的模块.打开JETTY_HOME目录下的start.ini,添加以下两行
–module=ssl
–module=https
Jetty模块是通过JETTY_HOME/etc目录下的XML文件配置的.我们激活jetty-ssl.xml和jetty-https.xml文件来启用此模块.我们通过这些文件可以修改大量设置(如HTTPS端口,keystore位置),对于这个例子，我们没必要作出任何修改.

配置keystore密码,
先混淆密码
a.转到JETTY_HOME/lib目录
b.运行以下java命令
d:\jdk7\bin\java -cp jetty-util-9.2.11.v20150529.jar org.eclipse.jetty.util.security.Password 123456
c.复制生成的代码,它是以OBF开头

在SSL配置设置密码
a.转到JETTY_HOME/modules目录
b.使用文本编辑器打开ssl.mod文件
c.设置jetty.keystore.password, jetty.keymanager.password, jetty.truststorepassword属性
c.保存文件
修改过的行看起来应当类似:
jetty.keystore.password=OBF:19iy19j019j219j419j619j8
jetty.keymanager.password=OBF:19iy19j019j219j419j619j8
jetty.truststore.password=OBF:19iy19j019j219j419j619j8

启动JETTY
a.转到JETTY_HOME目录
b.运行java -jar start.jar

输出日志类似如下:
2015-06-23 23:04:52.940:INFO:oejs.ServerConnector:main: Started ServerConnector@376b4233{HTTP/1.1}{0.0.0.0:8080}
2015-06-23 23:04:53.127:INFO:oejs.ServerConnector:main: Started ServerConnector@4ddced80{SSL-http/1.1}{0.0.0.0:8443}
2015-06-23 23:04:53.127:INFO:oejs.Server:main: Started @1180ms

5.保护web应用程序
在web.xml加入以下内容,使用此配置,我们已定义了在secure目录下的资源是机密的,访问这些资源要在HTTPS端口通过SSL来访问.其它资源通过HTTP访问.此时此刻,我们在src/main/webapp和src/main/webapp/secure目录相应地创建非安全和安全资源

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure resources</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

打包应用并部署到JETTY测试非安全与安全资源

6.嵌入式Jetty启用SSL和HTTPS

package com.javacodegeeks.snippets.enterprise.embeddedjetty;

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.webapp.WebAppContext;

public class EmbeddedJettyMain {

    public static void main(String[] args) throws Exception {

        Server server = new Server();

        // Creating the web application context
        WebAppContext webapp = new WebAppContext();
        webapp.setResourceBase("src/main/webapp");
        server.setHandler(webapp);

        // HTTP Configuration
        HttpConfiguration http = new HttpConfiguration();
        http.addCustomizer(new SecureRequestCustomizer());

        // Configuration for HTTPS redirect
        http.setSecurePort(8443);
        http.setSecureScheme("https");
        ServerConnector connector = new ServerConnector(server);
        connector.addConnectionFactory(new HttpConnectionFactory(http));
        // Setting HTTP port
        connector.setPort(8080);

        // HTTPS configuration
        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());

        // Configuring SSL
        SslContextFactory sslContextFactory = new SslContextFactory();

        // Defining keystore path and passwords
        sslContextFactory.setKeyStorePath(EmbeddedJettyMain.class.getResource("keystore").toExternalForm());
        sslContextFactory.setKeyStorePassword("123456");
        sslContextFactory.setKeyManagerPassword("123456");

        // Configuring the connector
        ServerConnector sslConnector = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(https));
        sslConnector.setPort(8443);

        // Setting HTTP and HTTPS connectors
        server.setConnectors(new Connector[]{connector, sslConnector});

        // Starting the Server
        server.start();
        server.join();

    }
}