Environment
- Red Hat Enterprise Linux (RHEL)
  - 6.x
  - 7.x
- Red Hat Enterprise Web Server (EWS)
  - 2.x
- Red Hat JBoss Web Server (JWS)
  - 3.x
  - 5.x
- Apache Tomcat
  - 6.x
  - 7.x
  - 8.x
  - 9.x
Issue
- Setting up SSL on both the server and the client
- How do I require client authentication in addition to server authentication?
Resolution
First, configure the server as described in How to set up SSL on Tomcat.
Once the server is using SSL, require client-certificate verification with the certificateVerification="required" attribute. In the Connector-style examples below the same requirement is expressed as clientAuth="true" on the JSSE connector and clientAuth="required" on the APR connector:
Java Keystore
<Connector port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
protocol="org.apache.coyote.http11.Http11Protocol"
disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true"
SSLEnabled="true" clientAuth="true" sslProtocol="TLS"
keystoreFile="/full/path/to/tomcat.keystore" keystorePass="keystore_password" />
APR connector
<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.key"
clientAuth="required" SSLProtocol="TLSv1"/>
The server's public certificate must now be installed in the client's keystore, and the client's public certificate in the server's keystore, so that client and server can authenticate and trust each other when the secure connection is established:
# Export the client's public certificate and import it into the server's keystore
keytool -exportcert -alias {YourClientKeyAlias} -file {/path/to/your/Client/Certificate}.cer -keystore {YourClientKeystore}.jks -storepass {ChangeThis}
keytool -importcert -keystore {YourServerKeystore}.jks -alias {YourClientCertAlias} -file {/path/to/your/Client/Certificate}.cer -storepass {ChangeThis} -noprompt
# View the contents of the server keystore (use -v for verbose output)
keytool -list -keystore {YourServerKeystore}.jks -storepass {ChangeThis}
# Export the server's public certificate and import it into the client's keystore
keytool -exportcert -alias {YourServerKeyAlias} -file {/path/to/your/Server/Certificate}.cer -keystore {YourServerKeystore}.jks -storepass {ChangeThis}
keytool -importcert -keystore {YourClientKeystore}.jks -alias {YourServerCertAlias} -file {/path/to/your/Server/Certificate}.cer -storepass {ChangeThis} -noprompt
# View the contents of the client keystore (use -v for verbose output)
keytool -list -keystore {YourClientKeystore}.jks -storepass {ChangeThis}
# The same client-certificate import, with concrete example values filled in
keytool -importcert -keystore server.jks -alias clientcert -file client-public.cer -storepass ChangeThis! -noprompt
# View the contents of the keystore (use -v for verbose output)
keytool -list -keystore server.jks -storepass ChangeThis!
Diagnostic Steps
You can test the server's two-way (mutual) SSL with the following command, passing the server certificate as the CA file and the client certificate and private key as the client identity:
$ openssl s_client -connect TomcatHostnameOrIp:8443 -CAfile ServerCertificate.crt -cert ClientCertificate.crt -key ClientKeystore.key
Once the handshake completes, send a request such as the following GET; a successful response from the application confirms that mutual authentication is working:
GET /application/ HTTP/1.1
Host: TomcatHostnameOrIp
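The trust exchange and the diagnostic check above, reproduced end to end as an added example (not part of the original article): the server requires a client certificate and trusts only the client's public certificate, the client trusts only the server's public certificate, and the handshake is tried once with and once without the client identity. It assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH and uses throwaway self-signed PEM certificates generated at run time instead of the JKS keystores.

```python
import contextlib, os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirpath, name):
    # Constructed test material: a throwaway self-signed cert/key pair (assumes the openssl CLI).
    key, crt = os.path.join(dirpath, name + ".key"), os.path.join(dirpath, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-addext", "subjectAltName=DNS:" + name,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def mutual_tls_handshake(server_crt, server_key, client_crt, client_key, present_client_cert=True):
    """Return True only if both sides complete a mutually authenticated handshake over loopback."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_crt, server_key)
    srv.verify_mode = ssl.CERT_REQUIRED        # the same demand as clientAuth="true" / "required"
    srv.load_verify_locations(client_crt)      # client's public cert imported into the server trust store
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(server_crt)      # server's public cert imported into the client trust store
    if present_client_cert:
        cli.load_cert_chain(client_crt, client_key)   # what -cert/-key give to openssl s_client
    listener = socket.create_server(("127.0.0.1", 0))
    outcome = {"server": False}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        # A missing or untrusted client cert makes wrap_socket raise; the body then never runs.
        with contextlib.suppress(OSError), srv.wrap_socket(conn, server_side=True) as tls:
            outcome["server"] = tls.recv(1) == b"x"   # application data arrived after the handshake

    t = threading.Thread(target=serve)
    t.start()
    client_ok = False
    # With TLS 1.3 the client may finish its side before the server rejects it, so both views are needed.
    with contextlib.suppress(OSError), socket.create_connection(listener.getsockname(), timeout=5) as raw, \
            cli.wrap_socket(raw, server_hostname="server") as tls:
        tls.sendall(b"x")
        client_ok = True
    t.join()
    listener.close()
    return client_ok and outcome["server"]

def demo():
    """Constructed end-to-end check: handshake with the client cert, then without it."""
    with tempfile.TemporaryDirectory() as d:
        srv, cli = make_self_signed(d, "server"), make_self_signed(d, "client")
        return (mutual_tls_handshake(*srv, *cli, True), mutual_tls_handshake(*srv, *cli, False))

if __name__ == "__main__":
    print(demo())   # (True, False)
```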