单向SSL的概念:
客户端向服务器发送消息,服务器接到消息后,用服务器端的密钥库中的私钥对数据进行加密,然后把加密后的数据和服务器端的公钥一起发送到客户端,客户端用服务器发送来的公钥对数据解密,然后在用传到客户端的服务器公钥对数据加密传给服务器端,服务器用私钥对数据进行解密,这就完成了客户端和服务器之间通信的安全问题,但是单向认证没有验证客户端的合法性。
不使用apr情况:
(1)产生密钥库
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024 -validity 365 -keystore /usr/local/apache-tomcat-6.0.18/keystore
(2)在Connector上配置密钥库
<Connector port="9906" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/apache-tomcat-6.0.18/conf/keystore" keystorePass="123456"/>
使用apr情况:
(1)产生密钥库
openssl genrsa -out rsa-private-key.pem 1024
openssl req -new -x509 -nodes -sha1 -days 365 -key rsa-private-key.pem -out self-signed-cert.pem
(2)在Connector上配置密钥库
<Connector port="9906" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1"
SSLCertificateKeyFile="/usr/local/apache-tomcat-6.0.18/rsa-private-key.pem"
SSLCertificateFile="/usr/local/apache-tomcat-6.0.18/self-signed-cert.pem"/>
注意:
如果connector中未指定protocol="org.apache.coyote.http11.Http11Protocol"在使用apr时,按上述配置会出错,因为不同类型的connector的配置属性不同
java.lang.Exception: No Certificate file specified or invalid file format
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:684)
at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:530)
at org.apache.catalina.startup.Catalina.load(Catalina.java:550)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
加上protocol="org.apache.coyote.http11.Http11Protocol"就好了或者使用上述的apr配置
客户端向服务器发送消息,服务器接到消息后,用服务器端的密钥库中的私钥对数据进行加密,然后把加密后的数据和服务器端的公钥一起发送到客户端,客户端用服务器发送来的公钥对数据解密,然后在用传到客户端的服务器公钥对数据加密传给服务器端,服务器用私钥对数据进行解密,这就完成了客户端和服务器之间通信的安全问题,但是单向认证没有验证客户端的合法性。
不使用apr情况:
(1)产生密钥库
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024 -validity 365 -keystore /usr/local/apache-tomcat-6.0.18/keystore
(2)在Connector上配置密钥库
<Connector port="9906" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/apache-tomcat-6.0.18/conf/keystore" keystorePass="123456"/>
使用apr情况:
(1)产生密钥库
openssl genrsa -out rsa-private-key.pem 1024
openssl req -new -x509 -nodes -sha1 -days 365 -key rsa-private-key.pem -out self-signed-cert.pem
(2)在Connector上配置密钥库
<Connector port="9906" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1"
SSLCertificateKeyFile="/usr/local/apache-tomcat-6.0.18/rsa-private-key.pem"
SSLCertificateFile="/usr/local/apache-tomcat-6.0.18/self-signed-cert.pem"/>
注意:
如果connector中未指定protocol="org.apache.coyote.http11.Http11Protocol"在使用apr时,按上述配置会出错,因为不同类型的connector的配置属性不同
java.lang.Exception: No Certificate file specified or invalid file format
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:684)
at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:530)
at org.apache.catalina.startup.Catalina.load(Catalina.java:550)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
加上protocol="org.apache.coyote.http11.Http11Protocol"就好了或者使用上述的apr配置