References:
1. http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
2. http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
keytool -help
Shows the usage of keytool.
Use "keytool -command_name -help" to get the usage of a specific command, for example:
Generate a key pair: d:\jdk8\bin\keytool -genkeypair -help
Export a certificate from a keystore: d:\jdk8\bin\keytool -exportcert -help
Import a certificate into a truststore: d:\jdk8\bin\keytool -importcert -help
I. Tomcat SSL configuration
1. Generate a key pair
d:\jdk8\bin\keytool -genkeypair -alias server -keystore server.p12 -storetype PKCS12 -keyalg RSA -storepass changeit -keypass changeit -validity 365 -dname "CN=server, OU=test, O=test, L=TH, ST=GZ, C=CN"
This creates a keystore file and stores a single key-pair entry in it. -alias names the entry, -keyalg selects the algorithm (RSA here; add -keysize 2048 explicitly rather than relying on the JDK default), -keystore sets where the file is written, -storetype PKCS12 selects the keystore format (a standard format that openssl and other non-Java tools can also read), -storepass protects the keystore file, -keypass protects the key entry (for PKCS12 keystores keytool ignores a -keypass that differs from -storepass and prints a warning), -validity sets the lifetime in days, and -dname sets the subject distinguished name. The CN must be the hostname clients will connect to; "CN=server" will produce a hostname-mismatch error in browsers even after the self-signed certificate has been trusted.
2. Configure the connector in server.xml. JSSE is used here for SSL.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/server.p12" keystorePass="changeit" keystoreType="PKCS12"
           clientAuth="false" sslProtocol="TLS" />
keystoreFile is resolved relative to CATALINA_BASE. keystorePass is stored in clear text, so restrict read access to server.xml. sslProtocol="TLS" only selects the JSSE SSLContext; which protocol versions and cipher suites clients may actually negotiate is controlled by the sslEnabledProtocols and ciphers attributes, which should be set rather than left at the JVM defaults.
II. Jetty SSL configuration
Source: https://examples.javacodegeeks.com/enterprise-java/jetty/jetty-ssl-configuration-example/
1. Create the SSL key
openssl genrsa -des3 -out jcg.key
Enter 123456 for the pass phrase and again to confirm it.
No key size is given, so the size depends on the OpenSSL version's default; pass it explicitly (openssl genrsa -des3 -out jcg.key 2048). -des3 is a legacy cipher for the key file; -aes256 is the better choice. For scripting, the pass phrase can be supplied with -passout, preferably from a file or environment variable rather than on the command line, where it would be visible in the process list.
2. Create the certificate file
openssl req -new -x509 -key jcg.key -out jcg.crt
Enter the pass phrase from the previous step, 123456, then answer the prompts (the values used here follow the colon). Without -days, openssl req -x509 issues a certificate valid for only 30 days, so pass -days explicitly. The Common Name entered below, admin, is not a hostname: a browser will report a hostname mismatch even once it trusts the certificate. Use the server's hostname, and add it as a subjectAltName as well, since modern clients ignore the CN.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server’s hostname) []:admin
Email Address []:admin@qq.com
3. Convert the key and certificate to PKCS12 format
openssl pkcs12 -inkey jcg.key -in jcg.crt -export -out jcg.pkcs12
Enter the pass phrase of jcg.key, 123456.
Enter an export password, 123456 (it may differ from the key pass phrase).
Re-enter the export password to confirm.
4. With the key and certificate created, import the PKCS12 file into Jetty's keystore file
d:\jdk7\bin\keytool -importkeystore -srckeystore jcg.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
Enter a password for the new keystore, 123456, and enter it again to confirm.
Enter the export password of the PKCS12 file, 123456.
No -deststoretype is given, so the destination is a JKS keystore (the JDK 7/8 default). Because no -destkeypass is given, the imported key entry keeps the password it had in the PKCS12 file, 123456, which is why jetty.keymanager.password below has the same value as jetty.keystore.password.
Enabling SSL in Jetty
Jetty has a modular architecture, meaning different modules are enabled through the configuration file. Open start.ini in the JETTY_HOME directory and add the following two lines:
--module=ssl
--module=https
Jetty modules are configured through the XML files in the JETTY_HOME/etc directory; enabling these two modules activates jetty-ssl.xml and jetty-https.xml. Many settings (the HTTPS port, the keystore location) can be changed through these files, but nothing needs to be changed for this example.
Configuring the keystore password
First obfuscate the password:
a. Change to the JETTY_HOME/lib directory
b. Run the following java command
d:\jdk7\bin\java -cp jetty-util-9.2.11.v20150529.jar org.eclipse.jetty.util.security.Password 123456
c. Copy the generated string from the output; it begins with OBF:
OBF: is a reversible encoding with no key: the same Password class decodes it, so it only keeps the password from being read at a glance. It does not protect the value from anyone who can read the file; filesystem permissions on start.ini and the modules directory have to do that.
Set the password in the SSL configuration:
a. Change to the JETTY_HOME/modules directory
b. Open the ssl.mod file in a text editor
c. Set the jetty.keystore.password, jetty.keymanager.password and jetty.truststore.password properties (they can equally be set in start.ini, which is where --add-to-start=ssl would copy the module's ini-template)
d. Save the file
The modified lines should look like this:
jetty.keystore.password=OBF:19iy19j019j219j419j619j8
jetty.keymanager.password=OBF:19iy19j019j219j419j619j8
jetty.truststore.password=OBF:19iy19j019j219j419j619j8
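The OBF: value above is what the Password tool prints for 123456. The following Python example is added here and is not from the page or from Jetty's own source; it reimplements the encoding used by org.eclipse.jetty.util.security.Password so the point can be checked offline: the string decodes with no key, and reveal_obf_passwords shows what someone who can read a start.ini or ssl.mod learns from it. The function names and the sample configuration lines are this example's own.

```python
"""Jetty OBF: password (de)obfuscation, reimplemented for auditing.

Jetty's Password class encodes each byte of the password together with
its mirror byte from the end of the string into a 4-character base-36
group (5 characters with a leading 'U' when either byte is >= 0x80).
There is no key involved: anyone holding the file can reverse it.
"""
import re

OBF_PREFIX = "OBF:"
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 representation of a non-negative integer."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Return the OBF: form Jetty's Password tool prints for `password`."""
    raw = password.encode("utf-8")
    groups = []
    for i, b1 in enumerate(raw):
        b2 = raw[len(raw) - (i + 1)]  # mirror byte from the other end
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes are stored verbatim and flagged with 'U'
            groups.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return OBF_PREFIX + "".join(groups)


def deobfuscate(value: str) -> str:
    """Recover the plaintext from an OBF: string (prefix optional)."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)  # high byte is b1
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)  # i1 + i2 == 254 + 2*b1
            i += 4
    return out.decode("utf-8")


_OBF_LINE = re.compile(r"^\s*([\w.]+)\s*=\s*(OBF:[0-9a-z]+)\s*$", re.IGNORECASE)


def reveal_obf_passwords(ini_text: str) -> dict:
    """Map every property in a start.ini / .mod fragment with an OBF: value to its plaintext."""
    found = {}
    for line in ini_text.splitlines():
        m = _OBF_LINE.match(line)
        if m:
            found[m.group(1)] = deobfuscate(m.group(2))
    return found


# Constructed sample: the three lines from the ssl.mod edit above.
SAMPLE_INI = """\
jetty.keystore.password=OBF:19iy19j019j219j419j619j8
jetty.keymanager.password=OBF:19iy19j019j219j419j619j8
jetty.truststore.password=OBF:19iy19j019j219j419j619j8
"""

if __name__ == "__main__":
    print(obfuscate("123456"))
    print(reveal_obf_passwords(SAMPLE_INI))
```

Running the script prints OBF:19iy19j019j219j419j619j8 and then the three properties mapped to 123456. The same reasoning applies to the MD5: form the tool also prints: it is unsalted and only suitable for the realm password files Jetty documents it for, not for protecting the keystore password.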
Starting Jetty
a. Change to the JETTY_HOME directory
b. Run java -jar start.jar
The log output looks like this:
2015-06-23 23:04:52.940:INFO:oejs.ServerConnector:main: Started ServerConnector@376b4233{HTTP/1.1}{0.0.0.0:8080}
2015-06-23 23:04:53.127:INFO:oejs.ServerConnector:main: Started ServerConnector@4ddced80{SSL-http/1.1}{0.0.0.0:8443}
2015-06-23 23:04:53.127:INFO:oejs.Server:main: Started @1180ms
5. Securing the web application
Add the following to web.xml. With this configuration, resources under the secure directory are declared CONFIDENTIAL: requests for them must arrive over SSL on the HTTPS port, while all other resources remain reachable over HTTP. Create the non-secure and secure resources in src/main/webapp and src/main/webapp/secure respectively. Note what the constraint does and does not do: a plain-HTTP request for /secure/* is answered with a redirect to the secure port, so the request line, query string and any cookies not flagged Secure have already crossed the network in clear, and nothing outside /secure/* is covered at all.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure resources</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Package the application, deploy it to Jetty and test the non-secure and secure resources.
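Whether a given request path is actually forced onto HTTPS depends on servlet url-pattern matching, which is easy to get wrong (a pattern of /secure/* does not cover /securelogin, and a trailing-slash variant does). The following Python example is added here and is not part of the page or of any Jetty or Tomcat code; it reads a web.xml, collects the url-patterns placed under a CONFIDENTIAL transport-guarantee, and applies the servlet matching rules to a list of paths to report which ones are still served over plain HTTP. It generalises the single /secure/* pattern in the text to the other pattern forms the specification defines; the function names and the sample web.xml and paths are this example's own.

```python
"""Audit which request paths a web.xml forces onto TLS.

A <security-constraint> whose <transport-guarantee> is CONFIDENTIAL makes
the container refuse plain-HTTP requests for the listed url-patterns
(Jetty and Tomcat answer with a redirect to the secure port). Anything not
matched by such a pattern is still served over HTTP.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the namespace from an element tag ('{ns}url-pattern' -> 'url-pattern')."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml: str) -> list:
    """url-patterns of every constraint whose transport-guarantee demands TLS.

    INTEGRAL is treated like CONFIDENTIAL: both Jetty and Tomcat satisfy
    either one only over a secure connection.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = {
            (g.text or "").strip()
            for g in sc.iter()
            if _local(g.tag) == "transport-guarantee"
        }
        if not guarantees & {"CONFIDENTIAL", "INTEGRAL"}:
            continue
        for p in sc.iter():
            if _local(p.tag) == "url-pattern" and p.text:
                patterns.append(p.text.strip())
    return patterns


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec matching of one url-pattern against a context-relative path.

    '/' and '/*' match everything, '/x/*' matches '/x' and anything below it,
    '*.ext' matches by suffix, and any other pattern must match exactly.
    """
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def requires_tls(web_xml: str, path: str) -> bool:
    """True if at least one TLS-demanding constraint covers `path`."""
    return any(pattern_matches(p, path) for p in confidential_patterns(web_xml))


def unprotected_paths(web_xml: str, paths) -> list:
    """Paths (e.g. taken from an access log) that the constraints leave on plain HTTP."""
    return [p for p in paths if not requires_tls(web_xml, p)]


# Constructed sample: the constraint from the text inside a Servlet 3.1 web-app
# element; the namespace is there to show the parsing copes with a real descriptor.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure resources</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed request paths, as they might appear in an access log.
SAMPLE_PATHS = ["/index.html", "/secure", "/secure/account", "/securelogin", "/login.jsp"]

if __name__ == "__main__":
    print(confidential_patterns(SAMPLE_WEB_XML))
    print(unprotected_paths(SAMPLE_WEB_XML, SAMPLE_PATHS))
```

For the sample above the unprotected list is /index.html, /securelogin and /login.jsp. Running the check over the paths from a real access log is a quick way to find a login form or API endpoint that was deployed outside the protected prefix.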
6. Enabling SSL and HTTPS in embedded Jetty
The same keystore is loaded from the classpath here. The HTTP connector is told the secure port and scheme so that a CONFIDENTIAL constraint on a plain-HTTP request redirects to 8443, and SecureRequestCustomizer marks requests arriving on the SSL connector as secure.
package com.javacodegeeks.snippets.enterprise.embeddedjetty;

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.webapp.WebAppContext;

public class EmbeddedJettyMain {

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Creating the web application context
        WebAppContext webapp = new WebAppContext();
        webapp.setResourceBase("src/main/webapp");
        server.setHandler(webapp);

        // HTTP Configuration
        HttpConfiguration http = new HttpConfiguration();
        http.addCustomizer(new SecureRequestCustomizer());

        // Configuration for HTTPS redirect (target of CONFIDENTIAL constraints)
        http.setSecurePort(8443);
        http.setSecureScheme("https");

        ServerConnector connector = new ServerConnector(server);
        connector.addConnectionFactory(new HttpConnectionFactory(http));
        // Setting HTTP port
        connector.setPort(8080);

        // HTTPS configuration
        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());

        // Configuring SSL
        SslContextFactory sslContextFactory = new SslContextFactory();

        // Defining keystore path and passwords
        // (demo only: the keystore sits on the classpath next to this class and the
        // passwords are hard-coded; a deployment should read them from a protected source)
        sslContextFactory.setKeyStorePath(EmbeddedJettyMain.class.getResource("keystore").toExternalForm());
        sslContextFactory.setKeyStorePassword("123456");
        sslContextFactory.setKeyManagerPassword("123456");

        // Configuring the connector: TLS first, then HTTP/1.1 inside it
        ServerConnector sslConnector = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, "http/1.1"),
                new HttpConnectionFactory(https));
        sslConnector.setPort(8443);

        // Setting HTTP and HTTPS connectors
        server.setConnectors(new Connector[]{connector, sslConnector});

        // Starting the Server
        server.start();
        server.join();
    }
}