制作证书
无论是 Windows 还是 Linux 系统，都需要先安装 JDK（建议 1.7 版本）。
1、生成服务器证书库
keytool -validity 365 -genkey -v -alias server -keyalg RSA -keystore E:\ssl\174\server.keystore -dname "CN=192.168.100.174,OU=tass,O=tass,L=nanjin,ST=jiangsu,c=cn" -storepass tass2013 -keypass tass2013
注：CN 为要设定的域名或 IP，应与客户端访问服务器时使用的地址一致。
2、生成客户端证书库
keytool -validity 365 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore E:\ssl\174\client.p12 -dname "CN=client,OU=tass,O=tass,L=nanjin,ST=Beijing,c=cn" -storepass tass2013 -keypass tass2013
3、从客户端证书库中导出客户端证书
keytool -export -v -alias client -keystore E:\ssl\174\client.p12 -storetype PKCS12 -storepass tass2013 -rfc -file E:\ssl\174\client.cer
4、从服务器证书库中导出服务器证书
keytool -export -v -alias server -keystore E:\ssl\174\server.keystore -storepass tass2013 -rfc -file E:\ssl\174\server.cer
5、生成客户端信任证书库(由服务端证书生成的证书库)
keytool -import -v -alias server -file E:\ssl\174\server.cer -keystore E:\ssl\174\client.truststore -storepass tass2013
提示是否信任此证书时，输入“是”确认。
6、将客户端证书导入到服务器证书库(使得服务器信任客户端证书)
keytool -import -v -alias client -file E:\ssl\174\client.cer -keystore E:\ssl\174\server.keystore -storepass tass2013
查看证书状态:
keytool -list -keystore E:\ssl\server.keystore -storepass 123456
修改tomcat配置文件server.xml
将生成的server.keystore服务端证书拷贝到服务器目录:
/opt/smc/apache-tomcat-7.0.40-key/ssl/server.keystore
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
clientAuth="true"
sslProtocol="TLS"
keystoreFile="/opt/smc/apache-tomcat-7.0.40-key/ssl/server.keystore"
keystorePass="123456"
truststoreFile="/opt/smc/apache-tomcat-7.0.40-key/ssl/server.keystore"
truststorePass="123456"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true" />
注：如果将 clientAuth 设置为 true，服务器会要求验证客户端证书，未携带有效客户端证书的请求将无法访问。
客户端导入证书访问
双击客户端证书client.p12点击下一步输入密码即可导入IE浏览器即可实现访问。
Chrome和FireFox需要手工导入才能访问。
Chrome实现:
设置 → 显示高级设置... → 管理证书... → 个人 → 选择证书 → 确定
FireFox实现:
工具 → 选项 → 高级 → 证书 → 查看证书 → 导入 → 选择证书 → 确定
通过程序控制访问
solrj 程序通过 HttpClient 加载客户端密钥库和信任库，实现基于双向证书认证的安全访问。
示例代码:
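public class DoubleSSL {
    private String httpUrl = "https://192.168.100.175:8443/solr";
    // Client key store: holds the certificate and private key the client presents
    // to the server when the Connector has clientAuth="true".
    // NOTE(review): this points at server.keystore rather than the client.p12
    // (PKCS12) produced in step 2 above; a client would normally load its own
    // key store -- confirm which store is intended.
    private String sslKeyStorePath = "E:/ssl/server.keystore";
    private String sslKeyStorePassword = "123456";
    // Trust store: the certificates this client accepts from the server.
    private String sslTrustStore = "E:/ssl/server.keystore";
    private String sslTrustStorePassword = "123456";

    /**
     * Builds an HttpClient whose https scheme on port 8443 uses the configured
     * key store (client identity) and trust store (accepted server certificates),
     * then issues a GET against {@code httpUrl} and prints the response status code.
     *
     * <p>Key-store loading and TLS-context setup happen first; if either fails the
     * failure is printed and {@code null} is returned, so the request is never
     * attempted with a client that silently fell back to the default https settings.
     * Errors from the request itself are printed and the configured client is
     * still returned.
     *
     * @return the configured client, or {@code null} if the key material could not
     *         be loaded or the TLS context could not be initialised
     */
    public HttpClient testHttpsClient() {
        SSLContext sslContext;
        try {
            sslContext = buildSslContext();
        } catch (GeneralSecurityException | IOException e) {
            e.printStackTrace();
            return null;
        }
        HttpClient httpClient = null;
        try {
            httpClient = new DefaultHttpClient();
            SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext);
            // Register the custom factory for https on the Solr port so this client's
            // key/trust material is used instead of the JVM defaults.
            Scheme sch = new Scheme("https", 8443, socketFactory);
            httpClient.getConnectionManager().getSchemeRegistry().register(sch);
            HttpGet httpGet = new HttpGet(httpUrl);
            HttpResponse response = httpClient.execute(httpGet);
            System.out.println(response.getStatusLine().getStatusCode());
        } catch (IOException e) {
            e.printStackTrace();
        }
        return httpClient;
    }

    /**
     * Loads the key store and trust store from disk and initialises a TLS context
     * that authenticates with the key store and verifies the server against the
     * trust store.
     *
     * @return an initialised {@link SSLContext}
     * @throws GeneralSecurityException if a store type or algorithm is unavailable,
     *         a store cannot be unlocked, or the context cannot be initialised
     * @throws IOException if a store file cannot be read
     */
    private SSLContext buildSslContext() throws GeneralSecurityException, IOException {
        // "SunX509" is the algorithm the original configuration used (names are case-insensitive).
        KeyManagerFactory keyFactory = KeyManagerFactory.getInstance("SunX509");
        keyFactory.init(loadJks(sslKeyStorePath, sslKeyStorePassword), sslKeyStorePassword.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(loadJks(sslTrustStore, sslTrustStorePassword));
        // "TLS" rather than "SSL": matches sslProtocol="TLS" in the server.xml above
        // and avoids requesting a context named after the obsolete SSL protocol family.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyFactory.getKeyManagers(), tmf.getTrustManagers(), null);
        return sslContext;
    }

    /**
     * Loads a JKS key store from {@code path}, closing the file once it is read.
     *
     * @param path     file-system path of the store
     * @param password store password used to verify integrity
     * @return the loaded store
     * @throws GeneralSecurityException if the JKS type is unavailable or the store cannot be loaded
     * @throws IOException if the file cannot be read or the password is wrong
     */
    private static KeyStore loadJks(String path, String password) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance("JKS");
        // try-with-resources (JDK 1.7, as recommended above) so the stream is not leaked
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password.toCharArray());
        }
        return store;
    }
}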