Generating a self-signed certificate with keytool and importing it into the browser

1. Generate the server keystore

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keysize 1024 -validity 365 -keystore /home/tomcat/server.keystore -storepass changeit -dname "CN=10.10.6.100,OU=shixun,O=shixun,L=beijing,ST=beijing,c=cn"

  Note: set CN to the domain name or IP address of the server.

2. Generate the client keystore

keytool -genkey -alias client -keypass changeit -keyalg RSA -keysize 1024 -validity 365 -storetype PKCS12 -keystore /home/tomcat/client.p12 -storepass changeit -dname "CN=client,OU=shixun,O=shixun,L=beijing,ST=beijing,c=cn"

3. Export the client certificate

keytool -export -alias client -keystore /home/tomcat/client.p12 -storetype PKCS12 -keypass changeit -file /home/tomcat/client.cer -storepass changeit

4. Make the server trust the client certificate by importing the client certificate into the server keystore

keytool -import -v -file /home/tomcat/client.cer -keystore /home/tomcat/server.keystore -storepass changeit

5. List the server keystore; it now contains two entries, the server certificate and the trusted client certificate:

keytool -list -v -keystore /home/tomcat/server.keystore -storepass changeit
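The keytool -list output above is read by eye. The Java program below is an added example, not part of the original article, that loads the same server.keystore from code and reports what a deployment check would want to know about each entry: whether it is a private-key entry or a trusted certificate, whether the RSA key is at least 2048 bits (the -keysize 1024 used above is rejected by current TLS stacks), how long until the -validity 365 expiry, and whether the server certificate carries a SubjectAlternativeName for the address clients connect to (hostname verification ignores CN, so a certificate with only CN=10.10.6.100 fails it; keytool's -ext SAN=ip:10.10.6.100 adds the entry). The path, keystore type and password come from step 1; the class name, the 30-day warning window and the expected host argument are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class KeyStoreAudit {

    // Loads a keystore of the given type ("JKS" for server.keystore, "PKCS12" for client.p12).
    static KeyStore load(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Walks every entry and returns one summary line per entry plus one line per problem found.
    // expectedHost is the name or IP clients will connect to; warnDays is the expiry warning window.
    static List<String> audit(KeyStore ks, String expectedHost, int warnDays)
            throws GeneralSecurityException {
        List<String> findings = new ArrayList<>();
        Instant now = Instant.now();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // secret-key entries carry no certificate
            }
            X509Certificate x = (X509Certificate) cert;
            boolean keyEntry = ks.isKeyEntry(alias);
            findings.add(alias + ": " + (keyEntry ? "private key entry" : "trusted certificate")
                    + ", subject=" + x.getSubjectX500Principal().getName());

            // Key size: 1024-bit RSA is below the 2048-bit floor enforced by current TLS stacks.
            if (x.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                if (bits < 2048) {
                    findings.add(alias + ": RSA key is only " + bits + " bits, use at least 2048");
                }
            }

            // Validity: -validity 365 means the keystore must be rotated within a year.
            Instant notAfter = x.getNotAfter().toInstant();
            long daysLeft = Duration.between(now, notAfter).toDays();
            if (daysLeft < 0) {
                findings.add(alias + ": certificate expired on " + notAfter);
            } else if (daysLeft < warnDays) {
                findings.add(alias + ": certificate expires in " + daysLeft + " days");
            }

            // Hostname binding: verifying clients match the URL host against SubjectAlternativeName,
            // not CN, so a server certificate without a matching SAN entry is rejected.
            if (keyEntry && !sanMatches(x, expectedHost)) {
                findings.add(alias + ": no SubjectAlternativeName entry for " + expectedHost
                        + " (regenerate with -ext SAN=ip:" + expectedHost + " or SAN=dns:<name>)");
            }
        }
        return findings;
    }

    // SAN entries are (type, value) pairs; type 2 is dNSName and type 7 is iPAddress.
    static boolean sanMatches(X509Certificate x, String host) throws GeneralSecurityException {
        Collection<List<?>> sans = x.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            Integer type = (Integer) san.get(0);
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Path, type and password follow the step 1 keytool command; host and window are assumptions.
        KeyStore ks = load("/home/tomcat/server.keystore", "JKS", "changeit".toCharArray());
        for (String finding : audit(ks, "10.10.6.100", 30)) {
            System.out.println(finding);
        }
    }
}
```

Run it against the keystore produced by steps 1 to 4: the tomcat alias is reported as a private key entry and the client alias as a trusted certificate, and both get a key-size finding because of -keysize 1024. A non-empty list of findings beyond the two summary lines is a reason not to ship the keystore.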

6. Import the client certificate client.p12 through the browser

Double-click client.p12, click Next and enter the password; this imports it into IE, after which the site can be accessed.
Chrome and Firefox require a manual import before access works.
Chrome:
Settings → Show advanced settings... → Manage certificates... → Personal → select the certificate → OK
Firefox:
Tools → Options → Advanced → Certificates → View Certificates → Import → select the certificate → OK

Controlling access from a program

A solrj program performs certificate-authenticated access through an HttpClient that presents the client certificate.

Example code:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class DoubleSSL {
    private String httpUrl = "https://192.168.100.175:8443/solr";
    // Client keystore: holds the key pair presented to the server
    private String sslKeyStorePath = "E:/ssl/server.keystore";
    private String sslKeyStorePassword = "changeit";
    // Certificates the client trusts
    private String sslTrustStore = "E:/ssl/server.keystore";
    // Must be the -storepass the file was created with (changeit in the keytool commands above)
    private String sslTrustStorePassword = "123456";

    public HttpClient testHttpsClient() {
        HttpClient httpClient = null;
        try {
            // Key manager: supplies the client certificate during the TLS handshake
            KeyStore kstore = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream(sslKeyStorePath)) {
                kstore.load(in, sslKeyStorePassword.toCharArray());
            }
            KeyManagerFactory keyFactory = KeyManagerFactory.getInstance("SunX509");
            keyFactory.init(kstore, sslKeyStorePassword.toCharArray());

            // Trust manager: decides which server certificates are accepted
            KeyStore tstore = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream(sslTrustStore)) {
                tstore.load(in, sslTrustStorePassword.toCharArray());
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(tstore);
            TrustManager[] tm = tmf.getTrustManagers();

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyFactory.getKeyManagers(), tm, null);

            // Register the context for https on port 8443 (HttpClient 4.x scheme registry)
            httpClient = new DefaultHttpClient();
            SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext);
            Scheme sch = new Scheme("https", 8443, socketFactory);
            httpClient.getConnectionManager().getSchemeRegistry().register(sch);

            HttpGet httpGet = new HttpGet(httpUrl);
            HttpResponse response = httpClient.execute(httpGet);
            System.out.println(response.getStatusLine().getStatusCode());
        } catch (Exception e) {
            e.printStackTrace();
        }
        return httpClient;
    }
}
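The DoubleSSL class above loads server.keystore, which contains the server's private key, as both the client key store and the trust store. The class below is an added example, not code from the original article, showing the same mutual-TLS request with the JDK's own java.net.http client (Java 11 or later, no Apache HttpClient dependency): the client presents the key pair from client.p12 produced in step 2, trusts only the certificates in a separate trust store, restricts the protocol to TLS 1.2 and 1.3, and keeps hostname verification enabled. The file /home/tomcat/server-trust.p12 is an assumption (the article never creates a separate trust store; it would be made by exporting the tomcat certificate from server.keystore and importing it into a new PKCS12 file), as are the class and method names. Note that with hostname verification on, the server certificate from step 1 will be rejected unless it is regenerated with a SubjectAlternativeName for 10.10.6.100.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Builds an SSLContext that presents the client's key pair from a PKCS12 key store and
    // trusts only the certificates in trustStorePath (also assumed to be a PKCS12 file).
    static SSLContext buildSslContext(String keyStorePath, char[] keyStorePass,
                                      String trustStorePath, char[] trustStorePass)
            throws IOException, GeneralSecurityException {
        // Key manager: client.p12 from step 2, used to answer the server's CertificateRequest
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, keyStorePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePass);

        // Trust manager: a store holding only the server certificate, never the server's private key
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Sends one GET and returns the HTTP status code. With clientAuth="true" on the Tomcat
    // connector, the handshake itself fails when no acceptable client certificate is presented.
    static int fetchStatus(SSLContext ctx, String url) throws IOException, InterruptedException {
        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        // Hostname verification: the host in the URL must appear in the server certificate's
        // SubjectAlternativeName (java.net.http enables this by default; set explicitly here).
        params.setEndpointIdentificationAlgorithm("HTTPS");

        HttpClient client = HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .build();
        HttpRequest request = HttpRequest.newBuilder(URI.create(url)).GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        return response.statusCode();
    }

    public static void main(String[] args) throws Exception {
        // client.p12 and its password follow step 2; server-trust.p12 is this example's assumption.
        SSLContext ctx = buildSslContext(
                "/home/tomcat/client.p12", "changeit".toCharArray(),
                "/home/tomcat/server-trust.p12", "changeit".toCharArray());
        System.out.println(fetchStatus(ctx, "https://10.10.6.100:8443/solr"));
    }
}
```

Keeping the trust store separate from the key store matters on the client side as well as the server side: a client that loads server.keystore has a copy of the server's private key, which is exactly the secret mutual TLS is meant to keep on the server.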

7. Configure the Tomcat server

Copy the generated server.keystore to the Tomcat directory, then in conf/server.xml under the Tomcat directory uncomment the 8443 connector and set it as follows:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="/home/tomcat/server.keystore"
           keystorePass="changeit"
           truststoreFile="/home/tomcat/server.keystore"
           truststorePass="changeit" />

8. Force HTTPS access in Tomcat

Add the following after </welcome-file-list> in tomcat/conf/web.xml:

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

 Note: with clientAuth set to true, the client must present a certificate that passes verification; otherwise the site cannot be accessed.

9. Accessing Tomcat on port 8080 is automatically redirected to port 8443

http://10.10.6.100:8080

Original article: https://www.cnblogs.com/yinliang/p/8568555.html