# 单向认证
## server端
step1:为服务端生成秘钥库
```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
"Enter keystore password",输入要设置的keystore的password,例如输入"carCrm747"
"Re-enter new password:",重复输入"carCrm747"
"What is your first and last name?",注意要输入的是服务的域名或者机器名等,例如输入"localhost"
"What is the name of your organizational unit?",输入无特殊要求,例如输入"carfinance"
"What is the name of your organization?",输入无特殊要求,例如输入"mljr"
"What is the name of your City or Locality?",输入无特殊要求,例如输入"beijing"
"What is the name of your State or Province?",输入无特殊要求,例如输入"beijing"
"What is the two-letter country code for this unit?",输入无特殊要求,例如输入"cn"
"Enter key password for <server_key_pair_1> (RETURN if same as keystore password):",注意server_key_pair_1这个秘钥的password必须和keystore保持一致,所以此处直接回车即可
```
step2:tomcat配置
修改tomcat的server.xml,将下面这段
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>
-->
```
改为
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"/>
```
注意clientAuth="false"表示是单向认证,keystoreFile的值设为服务端keystore的路径,keystorePass是服务端keyStore的密码
## cleint端
无特殊配置
## 验证
step1:用修改过配置后的tomcat启动carfinance-crm-httpsdemo-server模块
step2:使用客户端调用服务端接口
运行carfinance-crm-httpsdemo-client模块的src/test/java目录下的UnilateralHttpsClientTest的testGet()和testPost()方法分别测试https的GET请求和https的POST请求
# 双向认证
## server端
step1:为服务端生成秘钥库,注意事项和单向认证的step1相同
```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```
keystore的password设置为"carCrm747"
step2:导出服务端证书
```
sudo keytool -export -alias server_key_pair_1 -validity 365 -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```
需要输入keystore密码,输入"carCrm747"
step3:用客户端证书生产服务端信任证书库(客户端证书的生成参考后面的client端部分,这个步骤要在客户端生成证书完成之后进行)
```
sudo keytool -import -alias client_crt -validity 365 -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.truststore
```
注意这个步骤要为truststore设置密码,例如设为"890890"
step4:tomcat配置
修改tomcat的server.xml,将下面这段
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>
-->
```
改为
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"
truststoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.truststore" truststorePass="890890"/>
```
注意clientAuth="true"表示是双向认证,keystoreFile的值设为服务端keystore的路径,keystorePass是服务端keyStore的密码,truststoreFile是服务端truststore的路径,truststorePass是服务端truststore的密码
## cleint端
step1:为客户端生成秘钥库
```
sudo keytool -genkeypair -alias client_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
"Enter keystore password",输入要设置的keystore的password,例如输入"123456"
"Re-enter new password:",重复输入"123456"
"What is your first and last name?",输入无特殊要求,例如输入"httpsdemo-client"
"What is the name of your organizational unit?",输入无特殊要求,例如输入"carfinance"
"What is the name of your organization?",输入无特殊要求,例如输入"mljr"
"What is the name of your City or Locality?",输入无特殊要求,例如输入"beijing"
"What is the name of your State or Province?",输入无特殊要求,例如输入"beijing"
"What is the two-letter country code for this unit?",输入无特殊要求,例如输入"cn"
"Enter key password for <client_key_pair_1> (RETURN if same as keystore password):",输入无特殊要求,例如直接回车使用和keystore相同的秘钥
```
step2:导出客户端证书
```
sudo keytool -export -alias client_key_pair_1 -validity 365 -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
```
需要输入keystore密码,输入"123456"
step3:用服务端证书生成客户端信任证书库(服务端证书的生成参考前面的server端部分,这个步骤要在服务端生成证书完成之后进行)
```
sudo keytool -import -alias server_crt -validity 365 -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.truststore
```
注意这个步骤要为truststore设置密码,例如设为"654321"
## 验证
step1:用修改过配置后的tomcat启动carfinance-crm-httpsdemo-server模块
step2:使用客户端调用服务端接口
运行carfinance-crm-httpsdemo-client模块的src/test/java目录下的UnilateralHttpsClientTest的testGet()和testPost()方法分别测试https的GET请求和https的POST请求,请求失败,因为没有提供服务端信任的客户端证书给服务端
运行carfinance-crm-httpsdemo-client模块的src/test/java目录下的MutualHttpsClientTest的testGet()和testPost()方法分别测试https的GET请求和https的POST请求,请求成功
# 参考
[http client官网](http://hc.apache.org/)
[troubleshoot: httpclient向HTTPS发送数据建立SSL连接时的异常](http://zhuyuehua.iteye.com/blog/1102347)
[troubleshoot: 单向认证中信任自签名证书](http://stackoverflow.com/questions/1828775/how-to-handle-invalid-ssl-certificates-with-apache-httpclient)
[java tomcat 搭建SSL双向认证以及httpclient代码](http://ian.wang/118.htm)
[java tomcat 搭建SSL双向认证以及httpclient代码](http://yuur369.iteye.com/blog/1728058)
[HttpClient如何访问需要提交客户端证书的SSL服务](http://blog.csdn.net/wanglha/article/details/49272551)
[keystore type的使用](http://stackoverflow.com/questions/11536848/keystore-type-which-one-to-use)
## server端
step1:为服务端生成秘钥库
```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
"Enter keystore password",输入要设置的keystore的password,例如输入"carCrm747"
"Re-enter new password:",重复输入"carCrm747"
"What is your first and last name?",注意要输入的是服务的域名或者机器名等,例如输入"localhost"
"What is the name of your organizational unit?",输入无特殊要求,例如输入"carfinance"
"What is the name of your organization?",输入无特殊要求,例如输入"mljr"
"What is the name of your City or Locality?",输入无特殊要求,例如输入"beijing"
"What is the name of your State or Province?",输入无特殊要求,例如输入"beijing"
"What is the two-letter country code for this unit?",输入无特殊要求,例如输入"cn"
"Enter key password for <server_key_pair_1> (RETURN if same as keystore password):",注意server_key_pair_1这个秘钥的password必须和keystore保持一致,所以此处直接回车即可
```
step2:tomcat配置
修改tomcat的server.xml,将下面这段
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>
-->
```
改为
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"/>
```
注意clientAuth="false"表示是单向认证,keystoreFile的值设为服务端keystore的路径,keystorePass是服务端keyStore的密码
## cleint端
无特殊配置
## 验证
step1:用修改过配置后的tomcat启动carfinance-crm-httpsdemo-server模块
step2:使用客户端调用服务端接口
运行carfinance-crm-httpsdemo-client模块的src/test/java目录下的UnilateralHttpsClientTest的testGet()和testPost()方法分别测试https的GET请求和https的POST请求
# 双向认证
## server端
step1:为服务端生成秘钥库,注意事项和单向认证的step1相同
```
sudo keytool -genkeypair -alias server_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```
keystore的password设置为"carCrm747"
step2:导出服务端证书
```
sudo keytool -export -alias server_key_pair_1 -validity 365 -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.keystore
```
需要输入keystore密码,输入"carCrm747"
step3:用客户端证书生产服务端信任证书库(客户端证书的生成参考后面的client端部分,这个步骤要在客户端生成证书完成之后进行)
```
sudo keytool -import -alias client_crt -validity 365 -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/server/carfinance.crm.server.truststore
```
注意这个步骤要为truststore设置密码,例如设为"890890"
step4:tomcat配置
修改tomcat的server.xml,将下面这段
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>
-->
```
改为
```
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.keystore" keystorePass="carCrm747"
truststoreFile="/usr/local/crm_keystore/server/carfinance.crm.server.truststore" truststorePass="890890"/>
```
注意clientAuth="true"表示是双向认证,keystoreFile的值设为服务端keystore的路径,keystorePass是服务端keyStore的密码,truststoreFile是服务端truststore的路径,truststorePass是服务端truststore的密码
## cleint端
step1:为客户端生成秘钥库
```
sudo keytool -genkeypair -alias client_key_pair_1 -validity 365 -keyalg RSA -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
"Enter keystore password",输入要设置的keystore的password,例如输入"123456"
"Re-enter new password:",重复输入"123456"
"What is your first and last name?",输入无特殊要求,例如输入"httpsdemo-client"
"What is the name of your organizational unit?",输入无特殊要求,例如输入"carfinance"
"What is the name of your organization?",输入无特殊要求,例如输入"mljr"
"What is the name of your City or Locality?",输入无特殊要求,例如输入"beijing"
"What is the name of your State or Province?",输入无特殊要求,例如输入"beijing"
"What is the two-letter country code for this unit?",输入无特殊要求,例如输入"cn"
"Enter key password for <client_key_pair_1> (RETURN if same as keystore password):",输入无特殊要求,例如直接回车使用和keystore相同的秘钥
```
step2:导出客户端证书
```
sudo keytool -export -alias client_key_pair_1 -validity 365 -file /usr/local/crm_keystore/client/client_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.keystore
```
需要输入keystore密码,输入"123456"
step3:用服务端证书生成客户端信任证书库(服务端证书的生成参考前面的server端部分,这个步骤要在服务端生成证书完成之后进行)
```
sudo keytool -import -alias server_crt -validity 365 -file /usr/local/crm_keystore/server/server_key_1.crt -keystore /usr/local/crm_keystore/client/carfinance.crm.client.truststore
```
注意这个步骤要为truststore设置密码,例如设为"654321"
## 验证
step1:用修改过配置后的tomcat启动carfinance-crm-httpsdemo-server模块
step2:使用客户端调用服务端接口
运行carfinance-crm-httpsdemo-client模块的src/test/java目录下的UnilateralHttpsClientTest的testGet()和testPost()方法分别测试https的GET请求和https的POST请求,请求失败,因为没有提供服务端信任的客户端证书给服务端
运行carfinance-crm-httpsdemo-client模块的src/test/java目录下的MutualHttpsClientTest的testGet()和testPost()方法分别测试https的GET请求和https的POST请求,请求成功
# 参考
[http client官网](http://hc.apache.org/)
[troubleshoot: httpclient向HTTPS发送数据建立SSL连接时的异常](http://zhuyuehua.iteye.com/blog/1102347)
[troubleshoot: 单向认证中信任自签名证书](http://stackoverflow.com/questions/1828775/how-to-handle-invalid-ssl-certificates-with-apache-httpclient)
[java tomcat 搭建SSL双向认证以及httpclient代码](http://ian.wang/118.htm)
[java tomcat 搭建SSL双向认证以及httpclient代码](http://yuur369.iteye.com/blog/1728058)
[HttpClient如何访问需要提交客户端证书的SSL服务](http://blog.csdn.net/wanglha/article/details/49272551)
[keystore type的使用](http://stackoverflow.com/questions/11536848/keystore-type-which-one-to-use)
扫一扫
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
