1. Enabling SSL connections on the server side
First generate the server certificate with the keytool tool, for example:
keytool -genkey -keyalg RSA -alias xxx.xx -keystore catest.keystore
Then create the client certificate store and import the trusted certificate into it, for example (without a -file option keytool reads the certificate to import from standard input; normally you pass -file with the certificate exported from catest.keystore):
keytool -import -alias xxx.xx -keystore client.keystore
Finally add the following snippet to Tomcat's server.xml configuration file:
<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="conf/catest.keystore" keystorePass="123456" keystoreType="jks"
           truststoreFile="conf/client.keystore" truststorePass="123456" truststoreType="jks"
           maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
2. Connecting the CXF client over HTTPS and generating the client API
First check that the WSDL of the CXF service can be browsed correctly;
then use the following command, which lets you specify the trust store, to generate the interface API:
java -classpath "C:\Program Files\Java\jdk1.6.0_43\lib\tools.jar" -Djavax.net.ssl.trustStore=e:\catest com.sun.tools.internal.ws.WsImport https://localhost:8443/ws/WSPPLOrderService?wsdl -p com.test.api -s ./src
3. CXF client configuration file
Add the following to the Spring bean configuration file:
<http:conduit name="*.http-conduit">
  <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
    <sec:trustManagers>
      <sec:keyStore type="jks" password="xxx" file="/e:/popu.keystore" />
    </sec:trustManagers>
    <!-- For two-way (mutual) authentication, add the sec:keyStore tag below -->
    <!-- <sec:keyManagers keyPassword="xxx">
      <sec:keyStore type="jks" password="xxx" file="/e:/popu.keystore"/>
    </sec:keyManagers> -->
    <sec:cipherSuitesFilter>
      <!-- these filters ensure that a ciphersuite with export-suitable or null encryption is used, but exclude anonymous Diffie-Hellman key change as this is vulnerable to man-in-the-middle attacks -->
      <sec:include>.*_EXPORT_.*</sec:include>
      <sec:include>.*_EXPORT1024_.*</sec:include>
      <sec:include>.*_WITH_DES_.*</sec:include>
      <sec:include>.*_WITH_NULL_.*</sec:include>
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
    </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
</http:conduit>
Note that the name attribute of http:conduit has the suffix http-conduit appended to it (i.e. "*.http-conduit").
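The cipherSuitesFilter above is the stock CXF sample: as its own comment says, the include patterns select only export-grade, DES and NULL-encryption suites, so a client that copies it verbatim negotiates no real confidentiality. The following Python script is an added example (not part of the original post or of CXF) that applies the include/exclude regexes from the configuration to a constructed list of real JSSE cipher-suite names, flags the weak suites that survive, and contrasts the result with a hardened filter. It assumes CXF's filter semantics are "keep a suite if it fully matches at least one include pattern and no exclude pattern"; the hardened pattern set and the sample suite list are the editor's, not the page's.

```python
import re

# Constructed sample of JSSE cipher-suite names (real suite names, chosen so
# that every pattern in the conduit configuration is exercised).
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# The include/exclude patterns exactly as they appear in the page's
# <sec:cipherSuitesFilter> block.
PAGE_INCLUDE = [r".*_EXPORT_.*", r".*_EXPORT1024_.*", r".*_WITH_DES_.*", r".*_WITH_NULL_.*"]
PAGE_EXCLUDE = [r".*_DH_anon_.*"]

# Hardened replacement (editor's suggestion, not from the page): accept only
# AES suites and reject anonymous, NULL, export-grade and DES suites outright.
HARDENED_INCLUDE = [r".*_WITH_AES_.*"]
HARDENED_EXCLUDE = [r".*_anon_.*", r".*_NULL_.*", r".*EXPORT.*", r".*_DES_.*"]

# Substrings that identify suites with no, export-grade or unauthenticated
# encryption; used only for the report, not by the filter itself.
WEAK_MARKERS = ("_NULL_", "EXPORT", "_DES_", "_anon_")


def filter_suites(suites, include, exclude):
    """Return the suites that fully match some include pattern and no exclude
    pattern. Assumption: this mirrors CXF's include-then-exclude semantics,
    which use Java full-string regex matching (re.fullmatch here)."""
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    return [
        s for s in suites
        if any(r.fullmatch(s) for r in inc) and not any(r.fullmatch(s) for r in exc)
    ]


def weak_suites(suites):
    """Flag the suites in the list that offer no usable confidentiality."""
    return [s for s in suites if any(m in s for m in WEAK_MARKERS)]


def report(label, include, exclude):
    """Apply a filter to the sample list and summarise what survives."""
    selected = filter_suites(SAMPLE_SUITES, include, exclude)
    weak = weak_suites(selected)
    print(f"{label}: {len(selected)} suite(s) selected, {len(weak)} weak")
    for s in selected:
        print("   ", "WEAK " if s in weak else "ok   ", s)
    return selected, weak


if __name__ == "__main__":
    report("page filter", PAGE_INCLUDE, PAGE_EXCLUDE)
    report("hardened filter", HARDENED_INCLUDE, HARDENED_EXCLUDE)
```

Run against the sample list, the page's filter keeps only TLS_RSA_WITH_NULL_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA and SSL_RSA_WITH_DES_CBC_SHA (all weak) while the modern ECDHE/AES-GCM suite is discarded; the hardened filter keeps the two AES suites and nothing flagged as weak. The same reasoning applies to the other two client-side settings shown: disableCNCheck="true" switches off hostname verification of the server certificate, and secureSocketProtocol="SSL" names a protocol family rather than TLS, so both are worth revisiting once the connection works.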
4. Under Linux, Tomcat 6 needs to use the APR protocol to build the connector; protocol must be written as org.apache.coyote.http11.Http11Protocol, as follows:
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="/home/key/ha.keystore"
           keystorePass="123456" keystoreType="jks" maxThreads="150" port="8444"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true" sslProtocol="TLS"/>
References
http://kyfxbl.iteye.com/blog/1499668