Version information
linux 4.18.0-193.el8.x86_64
openssl 1.1.1c
keytool jdk1.8.0_202
tomcat 8.5
Two-way (mutual) authentication:
The client sends a message to the server: it first encrypts the message with the client certificate, then sends the encrypted message together with the client certificate to the server.
On receiving it, the server first decrypts the message with the client certificate, then encrypts the message with the server private key and sends the server certificate together with the message to the client.
The client decrypts the message with the server certificate it received, then encrypts the message with the server certificate, encrypts it once more with the client certificate, and sends the encrypted message together with the client certificate to the server.
The server first decrypts the message with the certificate the client sent, which confirms the message came from that client, then decrypts it again with the server private key, which yields the plaintext.
One-way authentication:
The client sends a message to the server.
On receiving it, the server encrypts the data with the private key from the server keystore, then sends the encrypted data together with the server public key to the client.
The client decrypts the data with the public key the server sent, then encrypts the data with that same server public key and sends it back to the server.
The server decrypts the data with its private key.
1. First check the openssl installation
openssl version -a
Output:
LibreSSL 2.6.5
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"
Go to the path configured as OPENSSLDIR, /private/etc/ssl, and open the openssl.cnf file
cd /private/etc/ssl
vi openssl.cnf
Find the CA_default section; every file generated later is placed under the path configured by dir
[ CA_default ]
dir = /home/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
Create the working directories referenced by [CA_default] (dir, certs, crl_dir, database, new_certs_dir, serial)
and write '01' into the serial file
mkdir certs
mkdir crl
mkdir newcerts
touch index.txt
echo '01'>serial
Then enter the openssl interactive console by typing the following in the terminal
cd /etc/pki/CA
openssl
Generate the CA certificate
1. Create the private key
genrsa -out ca-key.pem 1024
2. Create the certificate signing request
req -new -out ca-req.csr -key ca-key.pem
Enter:
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:ttttaaaa
Organizational Unit Name (eg, section) []:wwwww
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:ca@ca.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Self-sign the certificate
x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 1095
4. Export the certificate to the browser-supported .p12 format (if req fails, leave the openssl console with quit, re-enter it and run the command again)
pkcs12 -export -clcerts -in ca-cert.pem -inkey ca-key.pem -out ca.p12
You are prompted for a password (mima123)
Generate the server certificate
5. Create the private key (if the ca command fails, leave the openssl console with quit, re-enter it and run the command again)
genrsa -out server-key.pem 1024
Create the certificate signing request
req -new -out server-req.csr -key server-key.pem
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:ttttaaaa
Organizational Unit Name (eg, section) []:wwwww
Common Name (eg, your name or your server's hostname) []:192.168.0.1
Email Address []:315011066@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 192.168.0.1
Sign the certificate with the CA
x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 1095
Export the certificate to the browser-supported .p12 format
pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12
Password: mima456
Generate the client certificate
Create the private key
genrsa -out client-key.pem 1024
Create the certificate signing request
req -new -out client-req.csr -key client-key.pem
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:ttttaaaa
Organizational Unit Name (eg, section) []:wwwww
Common Name (eg, your name or your server's hostname) []:user
Email Address []:user@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate with the CA
x509 -req -in client-req.csr -out client-cert.pem -signkey client-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 1095
Export the certificate to the browser-supported .p12 format
pkcs12 -export -clcerts -in client-cert.pem -inkey client-key.pem -out client.p12
Password: mima889
Generate a JKS file (Java keystore) from the CA certificate
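The three issuance sequences above (CA, server, client) as one non-interactive shell script. This is an added example, not code from the original post: it replaces the interactive prompts with -subj and -batch, uses 2048-bit keys instead of the post's 1024, signs the server and client certificates with the CA only (no -signkey on a CA-issued leaf), adds basicConstraints, subjectAltName and extendedKeyUsage extensions (Chrome ignores the CN and requires the host in subjectAltName, which is one reason it flags certificates like the ones above), and finishes with `openssl verify`, which is the same chain check Tomcat's truststore performs on a presented client certificate. The directory layout, the SAN values and the function names are assumptions for illustration; the subject fields, passwords and the 192.168.0.1 address are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): the CA / server / client issuance
# done non-interactively. Assumed for illustration: directory layout, SAN values,
# function names. Subject fields and passwords are the post's own.
set -eu

SUBJ_BASE="/C=cn/ST=beijing/L=beijing/O=ttttaaaa/OU=wwwww"

# make_ca DIR: private key, CSR and self-signed CA certificate in DIR.
# Mirrors steps 1-3 of the post; the extension file marks the cert as a CA.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -batch -key "$dir/ca-key.pem" \
    -subj "$SUBJ_BASE/CN=ca" -out "$dir/ca-req.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca-ext.cnf"
  openssl x509 -req -days 1095 -in "$dir/ca-req.csr" -signkey "$dir/ca-key.pem" \
    -extfile "$dir/ca-ext.cnf" -out "$dir/ca-cert.pem" 2>/dev/null
}

# issue_cert DIR NAME CN SAN EKU: key + CSR for NAME, signed by the CA in DIR.
# SAN is e.g. "IP:192.168.0.1" or "DNS:host.example"; EKU is serverAuth or clientAuth.
# Only -CA/-CAkey are used (no -signkey), so the result is a CA-issued leaf.
issue_cert() {
  dir=$1; name=$2; cn=$3; san=$4; eku=$5
  openssl genrsa -out "$dir/$name-key.pem" 2048 2>/dev/null
  openssl req -new -batch -key "$dir/$name-key.pem" \
    -subj "$SUBJ_BASE/CN=$cn" -out "$dir/$name-req.csr"
  # x509 -req does not copy extensions from the CSR; supply them via -extfile.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=%s\n' \
    "$san" "$eku" > "$dir/$name-ext.cnf"
  openssl x509 -req -days 1095 -in "$dir/$name-req.csr" \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/$name-ext.cnf" -out "$dir/$name-cert.pem" 2>/dev/null
}

# export_p12 DIR NAME PASSWORD: key + cert + CA as a PKCS#12 bundle, the format
# the post imports into the browser and uses as Tomcat's keystoreFile.
export_p12() {
  dir=$1; name=$2; pass=$3
  openssl pkcs12 -export -in "$dir/$name-cert.pem" -inkey "$dir/$name-key.pem" \
    -certfile "$dir/ca-cert.pem" -passout "pass:$pass" -out "$dir/$name.p12"
}

# verify_chain CAFILE CERT: prints "ok" if CERT chains to CAFILE, "fail" otherwise.
# This is the check a truststore containing only ca-cert.pem applies to a client cert.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Stand-alone run: issue everything into a temporary directory and verify it.
run_demo() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" server 192.168.0.1 IP:192.168.0.1 serverAuth
  issue_cert "$d" client user email:user@qq.com clientAuth
  export_p12 "$d" server mima456
  export_p12 "$d" client mima889
  echo "server: $(verify_chain "$d/ca-cert.pem" "$d/server-cert.pem")"
  echo "client: $(verify_chain "$d/ca-cert.pem" "$d/client-cert.pem")"
  echo "bundles in $d:"; ls "$d"/*.p12
}

# sh issue.sh run
if [ "${1:-}" = run ]; then run_demo; fi
```

If the certificates are produced with OpenSSL 3.x and an older JDK refuses to load the resulting .p12, re-export with `openssl pkcs12 -export -legacy ...`, which selects the older PKCS#12 encryption that every Java version reads.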
quit
cd /home/software/java/jdk1.8.0_202/bin
keytool -keystore truststore.jks -keypass wwwww6677 -storepass wwwww5588 -alias ca -import -trustcacerts -file /etc/pki/CA/ca-cert.pem
Configure Tomcat SSL (the truststorePass is the keytool -storepass value; -keypass only protects private-key entries, and the truststore holds none)
<Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="102400" URIEncoding="UTF-8"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="/etc/pki/CA/server.p12"
           keystoreType="pkcs12"
           keystorePass="mima456"
           truststoreFile="/home/software/java/jdk1.8.0_202/bin/truststore.jks" truststorePass="wwwww5588" truststoreType="JKS"/>
Once Tomcat starts successfully,
distribute client.p12 and ca.p12, with their passwords, to the users. Import ca.p12 into "Trusted Root Certification Authorities" and client.p12 into "Personal". Only IE is supported: IE opens the site directly without going through "Advanced"; Chrome flags the personally issued certificate as "Not secure"; Firefox I simply gave up on.
From here on the service can be accessed over https.
When starting Tomcat, if the error message mentions protocol="org.apache.coyote.http11.Http11AprProtocol", Tomcat has to be started in APR mode.
APR: Apache Portable Runtime libraries
In early Apache versions, the application itself had to handle the details of each operating system platform and call different handler functions for different platforms.
As Apache developed further, the Apache organisation decided to split these common functions out into a new project. APR development thus became independent of Apache, and Apache merely uses APR.
Tomcat Native: this project lets Tomcat use Apache's apr package to handle file and network I/O, improving performance.
Official description:
The Apache Tomcat Native Library is an optional component for use with Apache Tomcat that allows Tomcat to use certain native resources for performance, compatibility, etc.
(Roughly: Tomcat can use certain native resources to improve performance and compatibility.)
Solution
Reference: https://www.cnblogs.com/blfbuaa/p/6893817.html
On Linux, enabling APR for Tomcat requires three components:
apr
apr-util
tomcat-native.tar.gz (shipped with Tomcat, in the bin directory)
1. Check whether apr and apr-util are already installed
# rpm -qa apr
apr-1.4.8-3.el7.x86_64
# rpm -qa apr-util
apr-util-1.5.2-6.el7.x86_64
2. Check whether newer versions of apr and apr-util are available
# yum list | grep apr
apr.x86_64 1.4.8-3.el7 @anaconda
apr-util.x86_64 1.5.2-6.el7 @anaconda
3. If they are not installed yet, install them with yum:
# yum install apr-devel apr apr-util
4. Install tomcat-native:
Search for the tomcat-native package:
# yum list | grep tomcat-native
If it is available, install it directly:
# yum install tomcat-native
……
正在安装 : tomcat-native-1.1.30-1.el7.x86_64 1/1
验证中 : tomcat-native-1.1.30-1.el7.x86_64 1/1
已安装:
tomcat-native.x86_64 0:1.1.30-1.el7
完成!
Check that it was installed successfully:
# rpm -qa tomcat-native
tomcat-native-1.1.30-1.el7.x86_64
Configure the related environment variable:
# vi /etc/profile
Add: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib
# source /etc/profile
5. Restart Tomcat and check whether APR is now in use.