为Web服务设置客户端证书认证
本节讲述了如何配置利用Sun ONE应用服务器使用了客户端证书认证的web服务。
注意
对于客户端,想要使用HTTPS,请执行下面的步骤1-6。
1. 执行Sun.com/source/816-7152-10/wsgjaxrpc.html%20%20This%20file%20was%20not%20retrieved%20by%20Teleport%20Pro,%20because%20it%20is%20addressed%20on%20a%20domain%20or%20path%20outside%20the%20boundaries%20set%20for%20its%20Starting%20Address.%20%20Do%20you%20want%20to%20open%20it%20from%20the%20Server?'))window.location='http://docs.Sun.com/source/816-7152-10/wsgjaxrpc.html#1007940'">ONE; mso-bidi-font-size: 12.0pt; text-underline: nONE">"ONE_and_net/app7/11.2.htm#40#40">ONE; mso-bidi-font-size: 12.0pt; mso-ascii-font-family: Helvetica; mso-hansi-font-family: Helvetica; text-underline: nONE">基于ONE; mso-bidi-font-size: 12.0pt; text-underline: nONE">SSLONE; mso-bidi-font-size: 12.0pt; mso-ascii-font-family: Helvetica; mso-hansi-font-family: Helvetica; text-underline: nONE">的基本认证Sun.com/source/816-7152-10/wsgjaxrpc.html%20%20This%20file%20was%20not%20retrieved%20by%20Teleport%20Pro,%20because%20it%20is%20addressed%20on%20a%20domain%20or%20path%20outside%20the%20boundaries%20set%20for%20its%20Starting%20Address.%20%20Do%20you%20want%20to%20open%20it%20from%20the%20Server?'))window.location='http://docs.Sun.com/source/816-7152-10/wsgjaxrpc.html#1007940'">ONE; mso-bidi-font-size: 12.0pt; text-underline: nONE">".一节中的第一和第二步。
2. 对于基于J2SE的客户端,使用keytool为客户端证书生成密码对。密码对存储在密码库中。以下代码行示范了如何生成密码对。
> keytool -genkey -v -alias clcert -dname 'CN=Test User, OU=testOU, O=testO, L=SCA, S= California , C=US'
-keystore clcerts -keypass changeit
执行命令,显示出如下信息:
Generating 1,024 bit DSA key pair and self-signed certificate (SHA1WithDSA)
for: CN=Test User, OU=testOU, O=testO, L=SCA, ST= California , C=US
Enter key password for <clcert1>
(RETURN if same as keystore password):
[Saving clcerts]
3. Generate a certificate request to be sent to a trusted CA. Use the following keytool command to generate a certificate request:
生成一个将要发送到可信CA的证书请求。使用如下的keytool命令生成证书请求:
>keytool -certreq -v -alias clcert -file clreq -keystore clcerts
输入密码库的密码:changeit
证书请求存储在文件:clreq中
把这个提交给CA
>more clreq
该命令生成以下消息:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICazCCAigCAQAwZTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDDAKBgNVBAcT
A1NDQTEOMAwGA1UEChMFdGVzdE8xDzANBgNVBAsTBnRlc3RPVTESMBAGA1UEAxMJVGVzdCBVc2Vy
..
GqdqJvx+mVcgcQkdzap+ykIEcOZ/qQq60rPddF6yK9wnWkez32Y2btGWe598oAAwCwYHKoZIzjgE AwUAAzAAMC0CFQCPf7TuJLJ+zS/HH+fCcKnFAtmKYwIUZM10c56KrScgledImxGzLIKMsGE=
-----END NEW CERTIFICATE REQUEST-----
4. 发送生成的证书请求到一个可信的CA并且请求一个签名证书。关于发送请求到CA的更多信息,请参见CA服务器管理文档。
你可以校验Base64 encoded X.509格式的返回签名文档。注意:该证书是链状的,就象由CA进行了签署。如果你使用pkcs7格式,keytool可能会抱怨证书不是X.509格式的。
> keytool -printcert -v -file clcert.txt
Certificate[1]:
Owner: CN=Certificate Manager, OU=AppServices, O=Sun Microsystems, L=SCA, ST=Californa, C=US
Issuer: CN=Certificate Manager, OU=AppServices, O=Sun Microsystems, L=SCA, ST=Califoria, C=US
Serial number: 1
Valid from: Mon Jun 03 12:00:00 PDT 2002 until: Thu Jun 03 12:00:00 PDT 2004
Certificate fingerprints:
MD5: 6C:8D:A6:E4:55:52:1A:FF:
9D:19:44
:D7:0F:62:66:95
SHA1: 89:B1:0E:7E:8F:56:B2:34:65:46:15:86:53:7E:3E:6B:4F:9D:84:63
Certificate[2]:
Owner: CN=Test User, OU=testOU, O=testO, L=SCA, ST=
California
, C=US
Issuer: CN=Certificate Manager, OU=iWSQA, O=Sun Microsystems, L=SCA, ST=Califoria, C=US
Serial number: 19
Valid from: Thu Sep 12 18:33:54 PDT 2002 until: Fri Sep 12 18:33:54 PDT 2003
Certificate fingerprints:
MD5: 82:09:8A:DC:E2:85:82:B5:56:98:93:81:97:A9:D5:32
SHA1: 1D:7C:F2:F2:ED:79:A3:62:0A:A2:1B:22:74:11:BF:52:CB:8D:9E:BB
5. 用签名证书更新密码库。
> keytool -import -v -trustcacerts -alias clcert -file clcert.txt -keystore clcerts -keypass changeit
显示如下信息:
Certificate was added to keystore
[Saving clcerts]
6. 现在,你必须设置客户端Java虚拟机使用这样的密码库/密码:-Djavax.net.ssl.keyStore=<path-to/clcerts> and -Djavax.net.ssl.keyStorePassword.
如果你在<java>这个ant任务中运行客户端,你可以使用<sysproperty>元素指定密码库/密码。
例如:
<sysproperty key="javax.net.ssl.keyStore"
value="C:/security/clcerts"/>
<sysproperty key="javax.net.ssl.keyStorePassword" value="changeit"/>
7. 为服务器实例激活证书域。
- 在管理界面中,选择左侧面板中的Server instance.
- 点击Security节点并选中Default Realm to Certificate。
关于激活证书域的更多信息,请参见Sun ONE应用服务器管理员指南。
8. 编辑web.xml配置描述文件,配置Web服务应用程序使用CLIENT-CERT认证。
security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>TesterRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method> CLIENT-CERT </auth-method>
</login-config>
9. 编辑Sun ONE应用服务器指定的部署描述文件(Sun-web.xml),映射角色到客户端证书的X.509 主用户名称的专有名称。
注释:DN distinguished name专有名称
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN'
'http://www.Sun.com/software/SunONE/appServer/dtds/Sun-web-app_2_3-0.dtd'
<Sun-web-ap>
<security-role-mapping>
<role-name>TesterRole</role-name>
<principal-name>CN=Test User, OU=testOU, O=testO, L=SCA, ST= California , C=US</principal-name>
</security-role-mapping>
</Sun-web-app>
10.或者,你可能想要设置一个可选的assign-groups属性,它可以被指定给所有证书用户所属的证书域配置。这使你可以向这个组名进行角色映射,而不必列出主用户名称的专有名称。
- 在管理界面中,选择左侧面板中的Server instance
- 点击并展开Security节点和Realms节点
- 点击certificate realm,并且在右侧面板中点击properties link,添加属性names cert-users,设定它的值为assign-groups。
- 保存并使修改生效。Server.xml反映了配置设定:
<security-service>
<auth-realm name="certificate" classname="com.iplanet.ias.security.auth.realm.certificate .CertificateRealm">
<property value="cert-users" name="assign-groups"/>
</auth-realm>
</security-service>
关于配置证书域的更多信息,请参见Sun ONE应用服务器管理员指南。
11. 重新启动服务器并运行客户端检验客户端证书认证的工作情况。
<script type="text/javascript"> </script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script>
302
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
