一、应用场景
最初的部署形式如下图:
由于这种形式无法实现热发布,业务整天都有人在访问,代码更新后只有下班后才能发布,现在为了能实时更新代码,并且实现负债均衡,将引入nginx服务器。
引入nginx服务后的部署图如下:
请求顺序是123478或者125678,所有请求都是通过https的形式,所以接下来需要生成https证书.
二、https所需证书的生成
(一)下载openssl软件及安装配置
1. 安装Openssl
下载地址:http://slproweb.com/products/Win32OpenSSL.html (根据系统选择32位或者64位版本下载安装)。
下载完成后,进行安装,我的安装目录是D:\Program Files\OpenSSL-Win64。
2. 安装ActivePerl (此软件目的为了解析pl文件,部分系统不安装也可以实现本教程的功能,安装该软件目的为了学习perl)。
下载地址:http://www.activestate.com/activeperl/downloads/ (根据系统选择win32或者win64版本下载安装)。
3. 配置环境变量
在环境变量中添加环境变量
变量名: OPENSSL_HOME 变量值:D:\Program Files\OpenSSL-Win64\bin; (变量值为openssl安装位置)
在path变量结尾添加如下 : %OPENSSL_HOME%;
(二)生成ssl证书(本实验的密码统一为123456)
1.首先要生成服务器端的私钥(key文件):
openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件
去除key文件口令的命令:
openssl rsa -in server.key -out server.key
D:\SSL\test>openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.................+++++
....................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:此处输入密码123456
Verifying - Enter pass phrase for server.key:此处输入密码123456D:\SSL\test>openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:此处输入密码123456
writing RSA keyD:\SSL\test>
2.openssl req -new -key server.key -out server.csr
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.如果需要指定配置文件,则可以在文件末尾加上 -config openssl.cnf。
D:\SSL\test>openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GZ
Locality Name (eg, city) []:GY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XT
Organizational Unit Name (eg, section) []:KF
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:D:\SSL\test>
3.对客户端也作同样的命令生成key及csr文件:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
D:\SSL\test>openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
...+++++
............................................................+++++
e is 65537 (0x010001)
Enter pass phrase for client.key:此处输入密码123456
Verifying - Enter pass phrase for client.key:此处输入密码123456D:\SSL\test>openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:此处输入密码123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GZ
Locality Name (eg, city) []:GY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XT
Organizational Unit Name (eg, section) []:KF
Common Name (e.g. server FQDN or YOUR name) []:client
Email Address []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:D:\SSL\test>
如果需要指定配置文件,则可以在文件末尾加上-config openssl.cnf。
4.CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证.自己生成:
openssl req -new -x509 -keyout ca.key -out ca.crt
D:\SSL\test>openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a RSA private key
.................................................................+++++
...............................+++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GZ
Locality Name (eg, city) []:GY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XT
Organizational Unit Name (eg, section) []:KJ
Common Name (e.g. server FQDN or YOUR name) []:ca
Email Address []:D:\SSL\test>
如果需要指定配置文件,则可以在文件末尾加上-config openssl.cnf。
5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名:
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
注意: 此时会出错:Using configuration from /usr/share/ssl/openssl.cnf I am unable to access the ./demoCA/newcerts directory ./demoCA/newcerts: No such file or directory
解决方法: 1).mkdir -p ./demoCA/newcerts
2).touch demoCA/index.txt
3).touch demoCA/serial
4).echo 01 > demoCA/serial
注:本解决方法针对linux而言,如果在windows上,只需在证书生成当前目录新建文件夹demoCA,在demoCA文件夹下面新建index.txt和serial两个文件,然后运行命令echo 01 > demoCA/serial,最后再运行命令
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
D:\SSL\test>Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from C:\Program Files\Common Files\SSL/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 8 06:37:04 2019 GMT
Not After : Jul 7 06:37:04 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = GZ
organizationName = XT
organizationalUnitName = KF
commonName = server
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BD:81:63:FD:53:39:46:AC:2C:22:8D:AA:1C:1A:24:C5:19:15:A9:60
X509v3 Authority Key Identifier:
keyid:6B:35:B1:E7:31:38:FE:85:06:6F:F7:60:1D:31:C1:F1:34:12:1A:46Certificate is to be certified until Jul 7 06:37:04 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base UpdatedD:\SSL\test>Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Using configuration from C:\Program Files\Common Files\SSL/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jul 8 06:37:49 2019 GMT
Not After : Jul 7 06:37:49 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = GZ
organizationName = XT
organizationalUnitName = KF
commonName = client
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
53:9E:8B:40:26:12:BD:53:4D:C2:F9:B9:37:4A:29:5F:EE:7B:8E:4F
X509v3 Authority Key Identifier:
keyid:6B:35:B1:E7:31:38:FE:85:06:6F:F7:60:1D:31:C1:F1:34:12:1A:46Certificate is to be certified until Jul 7 06:37:49 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6.合并证书文件(crt)和私钥文件(key)
linux合并命令:
1).cat client.crt client.key > client.pem
2).cat server.crt server.key > server.pem
windows合并命令:
1).typeclient.crt client.key > client.pem
2).type server.crt server.key > server.pem
D:\SSL\test>type client.crt client.key > client.pem
client.crt
client.key
D:\SSL\test>type server.crt server.key > server.pem
server.crt
server.key
D:\SSL\test>
7.合并成pfx证书
1).openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -name client
2).openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 -name server
D:\SSL\test>openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -name client
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:D:\SSL\test>openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 -name server
Enter Export Password:
Verifying - Enter Export Password:D:\SSL\test>
8.通过.p12证书生成.keystore证书
1)keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore server.keystore
2)keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.keystore
D:\SSL\test>keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore server.keystore
输入目标密钥库口令:
再次输入新口令:
输入源密钥库口令:
已成功导入别名 server 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消D:\SSL\test>keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.keystore
输入目标密钥库口令:
再次输入新口令:
输入源密钥库口令:
已成功导入别名 client 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
D:\SSL\test>
9.从.keystore中导出.cer证书
1)keytool -export -alias server -keystore server.keystore -rfc -file server.cer
2)keytool -export -alias client -keystore client.keystore -rfc -file client.cer
D:\SSL\test>keytool -export -alias server -keystore server.keystore -rfc -file server.cer
输入密钥库口令:
存储在文件 <server.cer> 中的证书D:\SSL\test>keytool -export -alias client -keystore client.keystore -rfc -file client.cer
输入密钥库口令:
存储在文件 <client.cer> 中的证书D:\SSL\test>
10.从ca.crt中导出.cer证书
openssl x509 -in ca.crt -out ca.cer -outform der
D:\SSL\test>openssl x509 -in ca.crt -out ca.cer -outform der
D:\SSL\test>
11.制作信任证书.truststore
1)Keytool -import -alias server -file server.cer -keystore client.truststore
2)Keytool -import -alias ca -file ca.cer -keystore server.truststore
3)Keytool -import -alias ca -file ca.cer -keystore client.truststore
4)Keytool -import -alias client -file client.cer -keystore server.truststore
D:\SSL\test>Keytool -import -alias server -file server.cer -keystore client.truststore
输入密钥库口令:
再次输入新口令:
所有者: CN=server, OU=KF, O=XT, ST=GZ, C=CN
发布者: CN=ca, OU=KJ, O=XT, L=GY, ST=GZ, C=CN
序列号: 1
有效期开始日期: Mon Jul 08 14:37:04 CST 2019, 截止日期: Tue Jul 07 14:37:04 CST 2020
证书指纹:
MD5: 86:96:B1:8E:F0:79:BD:F3:6C:05:62:62:E8:27:38:88
SHA1: C1:F3:36:FC:E7:E7:C4:93:CC:C1:67:36:09:A8:C9:2E:45:11:91:18
SHA256: 4F:1C:04:1A:F3:FF:CE:BB:61:8B:16:36:0D:44:F9:6E:4D:FA:0F:8A:5B:
FE:A8:B4:C9:79:DE:43:0C:3C:A9:77
签名算法名称: SHA256withRSA
版本: 3扩展:
#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 72 61 ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74 69 66 69 63 61 74 65 ted Certificate
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 35 B1 E7 31 38 FE 85 06 6F F7 60 1D 31 C1 F1 k5..18...o.`.1..
0010: 34 12 1A 46 4..F
]
]#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BD 81 63 FD 53 39 46 AC 2C 22 8D AA 1C 1A 24 C5 ..c.S9F.,"....$.
0010: 19 15 A9 60 ...`
]
]是否信任此证书? [否]: y
证书已添加到密钥库中D:\SSL\test>Keytool -import -alias ca -file ca.cer -keystore server.truststore
输入密钥库口令:
再次输入新口令:
所有者: CN=ca, OU=KJ, O=XT, L=GY, ST=GZ, C=CN
发布者: CN=ca, OU=KJ, O=XT, L=GY, ST=GZ, C=CN
序列号: 67e9301c33c7533ccff67637e4438bf720b52393
有效期开始日期: Mon Jul 08 14:36:08 CST 2019, 截止日期: Wed Aug 07 14:36:08 CST
2019
证书指纹:
MD5: 4D:4B:6E:1F:AE:74:C8:76:2F:6D:FD:09:2D:D9:E8:BF
SHA1: 15:D2:99:5C:20:E1:87:42:7D:D2:75:B1:9C:93:2B:3F:06:1F:32:11
SHA256: C9:31:C3:94:DC:FB:76:56:87:11:BE:06:C5:00:B5:90:26:75:63:07:18:
36:49:7A:7C:92:61:76:16:A7:B6:70
签名算法名称: SHA256withRSA
版本: 3扩展:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 35 B1 E7 31 38 FE 85 06 6F F7 60 1D 31 C1 F1 k5..18...o.`.1..
0010: 34 12 1A 46 4..F
]
]#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 35 B1 E7 31 38 FE 85 06 6F F7 60 1D 31 C1 F1 k5..18...o.`.1..
0010: 34 12 1A 46 4..F
]
]是否信任此证书? [否]: y
证书已添加到密钥库中D:\SSL\test>Keytool -import -alias ca -file ca.cer -keystore client.truststore
输入密钥库口令:
所有者: CN=ca, OU=KJ, O=XT, L=GY, ST=GZ, C=CN
发布者: CN=ca, OU=KJ, O=XT, L=GY, ST=GZ, C=CN
序列号: 67e9301c33c7533ccff67637e4438bf720b52393
有效期开始日期: Mon Jul 08 14:36:08 CST 2019, 截止日期: Wed Aug 07 14:36:08 CST
2019
证书指纹:
MD5: 4D:4B:6E:1F:AE:74:C8:76:2F:6D:FD:09:2D:D9:E8:BF
SHA1: 15:D2:99:5C:20:E1:87:42:7D:D2:75:B1:9C:93:2B:3F:06:1F:32:11
SHA256: C9:31:C3:94:DC:FB:76:56:87:11:BE:06:C5:00:B5:90:26:75:63:07:18:
36:49:7A:7C:92:61:76:16:A7:B6:70
签名算法名称: SHA256withRSA
版本: 3扩展:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 35 B1 E7 31 38 FE 85 06 6F F7 60 1D 31 C1 F1 k5..18...o.`.1..
0010: 34 12 1A 46 4..F
]
]#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 35 B1 E7 31 38 FE 85 06 6F F7 60 1D 31 C1 F1 k5..18...o.`.1..
0010: 34 12 1A 46 4..F
]
]是否信任此证书? [否]: y
证书已添加到密钥库中D:\SSL\test>Keytool -import -alias client -file client.cer -keystore server.truststore
输入密钥库口令:
证书已添加到密钥库中D:\SSL\test>
三、证书在各个环节的部署
(一)tomcat里的配置
修改tomcat的server.xml,把证书集成到被访问的端口上。
<Connector SSLEnabled="true" acceptCount="100" algorithm="SunX509" clientAuth="true"
disableUploadTimeout="true" enableLookups="false" keystoreFile="D:/SSL/test/server.keystore"
keystorePass="123456" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
port="9001" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
sslProtocol="TLS" truststoreFile="D:/SSL/test/server.truststore" truststorePass="123456" truststoreType="JKS" proxyPort="443"/>
(二)nginx配置
修改nginx.conf文件
1、找到该文件中如下代码的位置进行修改:
# HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #}
修改成:
server {
listen 8001 ssl;
server_name server;
ssl_certificate D:/SSL/test/server.cer;
ssl_certificate_key D:/SSL/test/server.key;
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate D:/SSL/test/ca.crt;
ssl_session_timeout 5m;
#ssl_protocols TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
client_max_body_size 60M;
client_body_buffer_size 512k;
location / {
root html;
index index.html index.htm;
proxy_pass https://server$request_uri;
#proxy_redirect default;
#proxy_set_header Host $host:$server_port;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 在双向location下加入:
proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
proxy_ssl_certificate D:/SSL/test/client.crt;
proxy_ssl_certificate_key D:/SSL/test/client.key;
proxy_ssl_trusted_certificate D:/SSL/test/ca.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
}
}
2、增加代码段
upstream server{
server 192.168.1.104:9101;
server 192.168.1.104:9002;
}
附:完整版本如下
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
upstream server{
server 192.168.1.104:9101;
server 192.168.1.104:9002;
}
server {
listen 8002;
server_name server;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
proxy_pass http://server;
proxy_redirect default;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
server {
listen 8001 ssl;
server_name server;
ssl_certificate D:/SSL/test/server.cer;
ssl_certificate_key D:/SSL/test/server.key;
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate D:/SSL/test/ca.crt;
ssl_session_timeout 5m;
#ssl_protocols TLSv1.2;
#ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
client_max_body_size 60M;
client_body_buffer_size 512k;
location / {
root html;
index index.html index.htm;
proxy_pass https://server$request_uri;
#proxy_redirect default;
#proxy_set_header Host $host:$server_port;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 在双向location下加入:
proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
proxy_ssl_certificate D:/SSL/test/client.crt;
proxy_ssl_certificate_key D:/SSL/test/client.key;
proxy_ssl_trusted_certificate D:/SSL/test/ca.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
}
}
}
(三)webservice接口里的配置
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:p="http://www.springframework.org/schema/p" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:jetty="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:soap="http://cxf.apache.org/bindings/soap"
xmlns:http="http://cxf.apache.org/transports/http/configuration"xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
">
<!--CXF配置 -->
<import resource="classpath:META-INF/cxf/cxf.xml" />
<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
<import resource="classpath:META-INF/cxf/cxf-servlet.xml" /><context:property-placeholder location="classpath:param.properties" />
<!-- 接口 -->
<jaxws:endpoint id="microEnterSupp"
implementor="#wbsvice"
address="/MicroEnterSupp" />
<bean id="wbsvice" class="com.iec.app.module.webservice.server.impl.MicroEnterSuppImpl">
<property name="sslPath" value="${sslPath}"></property>
</bean>
<http:conduit name="*.http-conduit">
<http:tlsClientParameters disableCNCheck="true">
<!-- 服务端公钥 -->
<sec:trustManagers>
<!-- 服务器公钥在工程目录keys下 -->
<sec:keyStore type="JKS"
file="${sslPath}/client.truststore" password="123456" />
</sec:trustManagers>
<!-- 客户端私钥 -->
<sec:keyManagers keyPassword="123456">
<!-- 下面的密钥选择一种即可 客户端私钥在工程目录keys下 -->
<sec:keyStore type="JKS" file="${sslPath}/client.keystore"
password="123456" />
</sec:keyManagers>
</http:tlsClientParameters>
</http:conduit>
</beans>
附:
本文参考链接如下:
http://www.aiuxian.com/article/p-2553235.html
整套证书下载地址:
https://pan.baidu.com/s/1aCg6tLD-OQZS0TRd13SbTQ(提取码:ogtu)
整套项目下载地址: