HTTPS
1. resource.properties configuration
# Whether to enable HTTPS
# openHttps=true
# Key alias
keyAlias=baeldung
# Keystore path (a classpath resource also works, e.g. classpath:baeldung.p12 for a file under /resources/baeldung.p12)
keyStore=/home/ywjh/ywjhdb/baeldung.jks
# Keystore type
keyStoreType=PKCS12
# Keystore password
keyStorePassword=password111
ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA
sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
Notes: the openHttps line is commented out above, so the ${openHttps} placeholder in application.yml will not resolve until the leading # is removed. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and disabled by default in current JDKs, and the TLS_RSA_* suites have no forward secrecy while the *_CBC_* suites are not AEAD; prefer TLSv1.2 (plus TLSv1.3 on JDK 11+) with only the ECDHE GCM suites unless a legacy client forces otherwise. The keystore password is stored in plain text here, so restrict the file's permissions.
2. Key-generation commands
2.1 Generate the key pair and the client certificate
keytool -genkeypair -alias baeldung -keyalg RSA -keysize 2048 -keystore baeldung.jks -validity 3650 -ext SAN=dns:134.1.1.2,ip:134.1.1.140
keytool -importkeystore -srckeystore baeldung.jks -destkeystore baeldung.jks -deststoretype pkcs12
The second command migrates the JKS file to PKCS12 in place (keytool keeps a backup as baeldung.jks.old); the file still ends in .jks but its format is now PKCS12, which is why keyStoreType=PKCS12 is used above. Note that dns: entries in the SAN must be host names; an IP address belongs under ip:, because browsers and Java's hostname verifier only match an IP in the URL against an IP SAN.
Export the certificate (crt) for installation on the client:
keytool -export -alias baeldung -keystore ./baeldung.jks -storetype PKCS12 -storepass mypassword -rfc -file ./baeldung.crt
(-storepass must be the keystore password chosen at -genkeypair time, i.e. the value of keyStorePassword.)
2.2 Make the JVM trust the key. Example: with several servers, each with its own per-IP key, import every server's certificate so that the services trust each other's keys.
keytool -keystore ./baeldung.jks -export -alias baeldung -file baeldung.cer
cd $JAVA_HOME/jre/lib/security/
keytool -import -alias baeldung -keystore cacerts -file ./baeldung.cer
Password: changeit (the default cacerts password)
Check that it took effect:
keytool -list -keystore cacerts -alias baeldung
Remove it:
keytool -delete -alias baeldung -keystore cacerts
Caveats: on JDK 9 and later there is no jre directory and the truststore is $JAVA_HOME/lib/security/cacerts. Importing into cacerts makes every application on that JDK trust the certificate and the change is lost on a JDK upgrade; a dedicated truststore passed with -Djavax.net.ssl.trustStore is the safer option. This step is only needed on the Java clients that call the server; the server does not have to trust its own certificate.
2.3 Using the .crt (Windows client):
1. Install Certificate
2. Next
3. Place all certificates in the following store -> Browse
3.1 Select Trusted Root Certification Authorities -> OK
4. Next -> Finish
3. Add to application.yml
server:
  ssl:
    enabled: ${openHttps}
    key-alias: ${keyAlias}
    key-store: ${keyStore}
    key-store-type: ${keyStoreType}
    key-store-password: ${keyStorePassword}
    enabled-protocols: ${sslEnabledProtocols}
    ciphers: ${ciphers}
(The ${...} placeholders resolve only if resource.properties is loaded into the Spring Environment, e.g. via @PropertySource.)
4. Tomcat: edit conf/server.xml as follows
The original snippet also carried minProcessors, maxprocessors, debug, classname and maxSpareThreads; these are Tomcat 3/4-era attributes that current Tomcat ignores, so they are dropped here. keystoreType="PKCS12" and keyAlias are added because step 2.1 migrated the keystore to PKCS12. Tomcat 8.5 and later still accept these connector attributes but map them onto the SSLHostConfig element.
<Connector port="8888" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" minSpareThreads="25" acceptCount="10"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="/XXX/XXX/baeldung.jks" keystorePass="password111"
           keystoreType="PKCS12" keyAlias="baeldung" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
/>
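The same ciphers and sslEnabledProtocols values appear in resource.properties (section 1) and in the Tomcat connector (section 4). The script below is an added example, not code from the original notes: it reads a constructed copy of the properties file, flags the legacy protocol versions and the cipher suites that lack forward secrecy, use CBC or a SHA-1 MAC (the rules are name-based heuristics of my own, keyed on the JSSE suite naming scheme), reports which required keys are missing (openHttps is commented out in the original), and prints a hardened pair of lines in the same syntax.

```python
"""Offline audit of the TLS policy in resource.properties / server.xml (added example)."""
from __future__ import annotations

# Constructed sample in Java .properties form, copied from the settings in these notes.
SAMPLE_PROPERTIES = """\
# openHttps=true
keyAlias=baeldung
keyStoreType=PKCS12
ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA
sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

# Versions deprecated by RFC 8996 (and disabled by default in current JDKs).
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Keys application.yml expects to resolve from this file.
REQUIRED_KEYS = ("openHttps", "keyAlias", "keyStore", "keyStoreType", "keyStorePassword")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':' separators."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def cipher_problems(suite: str) -> list[str]:
    """Reasons (my own name-based heuristics) a JSSE suite should not be offered; [] if fine."""
    problems: list[str] = []
    if suite.startswith(("TLS_RSA_", "SSL_RSA_")):
        problems.append("static RSA key exchange: no forward secrecy")
    if "_CBC_" in suite:
        problems.append("CBC mode instead of an AEAD (GCM/CHACHA20) suite")
    if suite.endswith("_SHA"):
        problems.append("HMAC-SHA1 record MAC")
    for weak in ("_3DES_", "_RC4_", "_NULL_", "_EXPORT", "_DES_", "_MD5"):
        if weak in suite:
            problems.append(f"broken primitive {weak.strip('_')}")
    return problems


def audit(props: dict[str, str]) -> dict:
    """Flag legacy protocols, weak suites and missing keys; build the hardened lists."""
    protocols = [p for p in props.get("sslEnabledProtocols", "").split(",") if p]
    ciphers = [c for c in props.get("ciphers", "").split(",") if c]
    flagged = {c: cipher_problems(c) for c in ciphers if cipher_problems(c)}
    return {
        "missing_keys": [k for k in REQUIRED_KEYS if k not in props],
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
        "weak_ciphers": flagged,
        "hardened_protocols": [p for p in protocols if p not in LEGACY_PROTOCOLS],
        "hardened_ciphers": [c for c in ciphers if c not in flagged],
    }


def render_hardened(report: dict) -> str:
    """Emit the two corrected lines in .properties syntax (also valid inside server.xml attributes)."""
    return (
        "sslEnabledProtocols=" + ",".join(report["hardened_protocols"]) + "\n"
        "ciphers=" + ",".join(report["hardened_ciphers"]) + "\n"
    )


if __name__ == "__main__":
    report = audit(parse_properties(SAMPLE_PROPERTIES))
    print("missing keys:", report["missing_keys"])
    print("legacy protocols:", report["legacy_protocols"])
    for suite, why in report["weak_ciphers"].items():
        print(f"weak: {suite}: {'; '.join(why)}")
    print(render_hardened(report))
```

Run it against the real resource.properties by replacing SAMPLE_PROPERTIES with the file's contents; on the values from these notes it leaves only TLSv1.2 and the four ECDHE GCM suites, which is the list to paste into both the properties file and the Tomcat connector. Add TLSv1.3 to sslEnabledProtocols by hand when the JDK is 11 or later; the script only removes, it never adds.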