Configuring HTTP and HTTPS dual-protocol cooperative access under Resin 4.0 Pro


Related experiments carried out according to project requirements.

Summed up, the overall procedure has three steps:

I. Certificate generation;

II. Code handling;

III. Deployment configuration.


I. Certificate generation.

OpenSSL is used for encryption. The whole generation and configuration process follows the introduction on the official Resin 4 site and involves nothing technically demanding.

Pasted here as-is:

OpenSSL
OpenSSL is the same SSL implementation that Apache's mod_ssl uses. Since OpenSSL uses the same certificate as Apache, you can get signed certificates using the same method as for Apache's mod_ssl or following the OpenSSL instructions.
Linking to the OpenSSL Libraries on Unix
On Unix systems, Resin's libexec/libresinssl.so JNI library supports SSL using the OpenSSL libraries. Although the ./configure script will detect many configurations, you can specify the openssl location directly:
resin> ./configure --with-openssl=/usr/local/ssl
Obtaining the OpenSSL Libraries on Windows
On Windows systems, the resinssl.dll includes JNI code to use OpenSSL libraries (it was in resin.dll in versions before 3.0). All you need to do is to obtain an OpenSSL binary distribution and install it.
Resin on Windows 32 is compiled against the Win32 binary; you can obtain an installation package from http://www.slproweb.com (Shining Light Productions).
Resin on Windows 64 is compiled against a Win64 binary; you can obtain an installation package from Dean Lee: /dev/blog.
Once you have run the installation package, you can copy the necessary dll libraries into $RESIN_HOME:
Copying the Windows SSL libraries into $RESIN_HOME
C:\> cd %RESIN_HOME%
C:\resin-4.0.x> copy "C:\Program Files\GnuWin32\bin\libssl32.dll" .\libssl32.dll
C:\resin-4.0.x> copy "C:\Program Files\GnuWin32\bin\libeay32.dll" .\libeay32.dll
Preparing to use OpenSSL for making keys
You can make a keys/ subdirectory of $RESIN_HOME to do your work from and as a place to store your generated keys.
$RESIN_HOME/keys
unix> cd $RESIN_HOME
unix> mkdir keys
unix> cd keys
win> cd %RESIN_HOME%
win> mkdir keys
win> cd keys
Using OpenSSL requires a configuration file. Unix users might find the default configuration file in /usr/ssl/openssl.cnf or /usr/share/ssl/openssl.cnf. Windows users may not have received one with their package.
Either way, it can be valuable to make your own openssl.cnf that is used just for generating the keys to use with Resin. You can use the following as a template for a file $RESIN_HOME/keys/openssl.cnf. You may want to fill in the _default values so you don't have to type them in every time.
$RESIN_HOME/keys/openssl.cnf
[ req ]
 default_bits            = 1024
 distinguished_name      = req_distinguished_name
[ req_distinguished_name ]
 C                      = 2 letter Country Code, for example US
 C_default              =
 ST                     = State or Province
 ST_default             =
 L                      = City
 L_default              =
 O                      = Organization Name
 O_default              =
 OU                     = Organizational Unit Name, for example 'Marketing'
 OU_default             =
 CN                     = your domain name, for example www.hogwarts.com
 CN_default             =
 emailAddress           = an email address
 emailAddress_default   =
Creating a private key
Create a private key for the server. You will be asked for a password - don't forget it! You will need this password anytime you want to do anything with this private key. But don't pick something you need to keep secret, you will need to put this password in the Resin configuration file.
creating the private key gryffindor.key
unix> openssl genrsa -des3 -out gryffindor.key 1024
win>  "C:\Program Files\GnuWin32\bin\openssl.exe" \
         genrsa -des3 -out gryffindor.key 1024
Creating a certificate
OpenSSL works by having a signed public key that corresponds to your private key. This signed public key is called a certificate. A certificate is what is sent to the browser.
You can create a self-signed certificate, or get a certificate that is signed by a certificate signer (CA).
Creating a self-signed certificate
You can create a certificate that is self-signed, which is good for testing or for saving you money. Since it is self-signed, browsers will not recognize the signature and will pop up a warning to browser users. Other than this warning, self-signed certificates work well. The browser cannot confirm that the server is who it says it is, but the data between the browser and the server is still encrypted.
creating a self-signed certificate gryffindor.crt
unix> openssl req -config ./openssl.cnf -new -key gryffindor.key \
        -x509 -out gryffindor.crt
win> "C:\Program Files\GnuWin32\bin\openssl.exe" req -config ./openssl.cnf \
         -new -key gryffindor.key -x509 -out gryffindor.crt
You will be asked to provide some information about the identity of your server, such as the name of your Organization etc. Common Name (CN) is your domain name, like: "www.gryffindor.com".
Creating a certificate request
To get a certificate that is signed by a CA, first you generate a certificate signing request (CSR).
creating a certificate request gryffindor.csr
unix> openssl req -new -config ./openssl.cnf -key gryffindor.key \
      -out gryffindor.csr
win> "C:\Program Files\GnuWin32\bin\openssl.exe" req -new \
      -config ./openssl.cnf  -key gryffindor.key -out gryffindor.csr
You will be asked to provide some information about the identity of your server, such as the name of your Organization etc. Common Name (CN) is your domain name, like: "www.gryffindor.com".
Send the CSR to a certificate signer (CA). You'll use the CA's instructions for Apache because the certificates are identical. Some commercial signers include:
Verisign
Thawte Consulting
You'll receive a gryffindor.crt file.
Most browsers are configured to recognize the signature of signing authorities. Since they recognize the signature, they will not pop up a warning message the way they will with self-signed certificates. The browser can confirm that the server is who it says it is, and the data between the browser and the server is encrypted.
resin.xml - Configuring Resin to use your private key and certificate
The OpenSSL configuration has two tags certificate-file and certificate-key-file. These correspond exactly to mod_ssl's SSLCertificateFile and SSLCertificateKeyFile. So you can use the same certificates (and documentation) from mod_ssl for Resin.
The full set of parameters is in the port configuration.
resin.xml
<resin xmlns="http://caucho.com/ns/resin">
  <cluster id="http-tier">
  <server id="a" address="192.168.1.12">
    <http port="443">
      <openssl>
        <certificate-file>keys/gryffindor.crt</certificate-file>
        <certificate-key-file>keys/gryffindor.key</certificate-key-file>
        <password>my-password</password>
      </openssl>
    </http>
  </server>
  ...
</resin>  
The default resin configuration allows you to setup open-ssl in resin.properties.
Setting up open ssl in resin.properties
# OpenSSL certificate configuration
openssl_file : keys/gryffindor.crt
openssl_key : keys/gryffindor.key
openssl_password : my-password
Testing SSL with the browser
A quick test is the following JSP.
Secure? <%= request.isSecure() %>
Testing with openssl to test the server
The openssl tool can be used as a client, showing some interesting information about the conversation between the client and the server:
unix$ openssl s_client -connect www.some.host:443 -prexit
Certificate Chains
A certificate chain is used when the signing authority is not an authority trusted by the browser. In this case, the signing authority uses a certificate which is in turn signed by a trusted authority, giving a chain of [your certificate] <-- signed by -- [untrusted signer] <-- signed by -- [trusted signer].
The Resin config parameter certificate-chain-file is used to specify a certificate chain. It is used to reference a file that is a concatenation of:
your certificate file
the intermediate (untrusted) certificate
the root (trusted) certificate.
The certificates must be in that order, and must be in PEM format.
Example certificate chain for Instant SSL
Comodo (http://instantssl.com) is a signing authority that is untrusted by most browsers. Comodo has their certificate signed by GTECyberTrust.
Comodo gives you three certificates:
your_domain.crt (signed by Comodo)
ComodoSecurityServicesCA.crt (signed by GTE CyberTrust)
GTECyberTrustRoot.crt (universally known root)
In addition to this, you have your key, your_domain.key. The contents of the file referred to by certificate-chain-file is a concatenation of the three certificates, in the correct order.
Creating a certificate chain file
$ cat your_domain.crt ComodoSecurityServicesCA.crt GTECyberTrustRoot.crt > chain.txt
resin.xml using a certificate chain file
<http port="443">
  <openssl>
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
    <certificate-file>keys/your_domain.crt</certificate-file>        
    <certificate-chain-file>keys/chain.txt</certificate-chain-file>
    <password>test123</password>
  </openssl>
</http>

 

The steps, briefly:

1. Install OpenSSL (download link here: http://slproweb.com/products/Win32OpenSSL.html; for deeper study go to http://www.openssl.org/source/). Note that it comes in 32-bit and 64-bit builds, but I used the 32-bit build on 64-bit Windows 7 Ultimate and it worked fine.

After installation, put libeay32.dll and libssl32.dll from the installation directory into the root directory of your Resin server.

2. On the command line, go to the keys folder under your Resin server root;

unix> cd $RESIN_HOME
unix> mkdir keys
unix> cd keys

win> cd %RESIN_HOME%
win> mkdir keys
win> cd keys

3. Create an openssl.cnf file in the following format:

[ req ]
 default_bits            = 1024
 distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
 C                      = 2 letter Country Code, for example US
 C_default              =
 ST                     = State or Province
 ST_default             =
 L                      = City
 L_default              =
 O                      = Organization Name
 O_default              =
 OU                     = Organizational Unit Name, for example 'Marketing'
 OU_default             =
 CN                     = your domain name, for example www.hogwarts.com
 CN_default             =
 emailAddress           = an email address
 emailAddress_default   =

and place it in the $RESIN_HOME/keys/ directory.

4. Create a private key.

unix> openssl genrsa -des3 -out gryffindor.key 1024

win>  "<openssl-install-dir>\bin\openssl.exe" genrsa -des3 -out gryffindor.key 1024

5. Create a self-signed certificate.

unix> openssl req -config ./openssl.cnf -new -key gryffindor.key -x509 -out gryffindor.crt
win>  "<openssl-install-dir>\bin\openssl.exe" req -config ./openssl.cnf -new -key gryffindor.key -x509 -out gryffindor.crt

6. Create a certificate request.

unix> openssl req -new -config ./openssl.cnf -key gryffindor.key -out gryffindor.csr
win>  "<openssl-install-dir>\bin\openssl.exe" req -new -config ./openssl.cnf -key gryffindor.key -out gryffindor.csr

7. Put all the generated files under <resin root>\conf\keys\.

 

II. Code handling.

The handling here is mainly to meet the requirement of redirecting from https to http. Since https access costs more than http, requests that do not need encryption are forced to use http.

There are many ways to implement this; I used a Filter that, for the URLs listed in web.xml as not needing https, forces them all onto the http channel.

I won't paste the XML; it sits together with the other filters (the principle is simply that matching url-patterns pass through this filter).

Here is the Java code that makes the decision; it is written very simply, and I have not yet verified whether it has problems.

// Inside the Filter's doFilter(): getRequestURL() returns a StringBuffer,
// so the scheme can be tested and rewritten in place. The query string is
// re-appended because getRequestURL() does not include it.
StringBuffer url = request.getRequestURL();
if (url.length() >= 5 && "https".equals(url.substring(0, 5))) {
    String query = request.getQueryString();
    // "https://host/path" -> "http://host/path"
    String target = "http" + url.replace(0, 5, "")
            + (query != null ? "?" + query : "");
    response.sendRedirect(target);
    return;
}


III. Deployment configuration.

The main part is this configuration, added to web.xml:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>SSL</web-resource-name>
             <url-pattern>*/login.do*</url-pattern>
         </web-resource-collection>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>

This forces the matching url-pattern to be accessed over https; everyone can configure it here according to their own needs.
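The Filter from section II and the security-constraint above must agree on which paths stay on https, otherwise the container's http-to-https redirect and the filter's https-to-http redirect chase each other in a loop. The Filter below is an added example, not code from the original post or from Resin; it assumes a single confidential path, /login.do (the servlet spec only accepts exact, /prefix/* and *.ext url-patterns, so the check is a plain contains()), and assumes the http port is the app.http value from resin.properties.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpsToHttpFilter implements Filter {
    // Assumption: matches app.http in resin.properties (80 on this page).
    private static final int HTTP_PORT = 80;

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    // Paths that web.xml marks CONFIDENTIAL must never be bounced to http;
    // otherwise this filter and the container redirect each other forever.
    // "/login.do" is an assumption standing in for the page's url-pattern.
    static boolean requiresHttps(String path) {
        return path != null && path.contains("/login.do");
    }

    // Plain-http equivalent of the current request, keeping the path and
    // the query string (getRequestURL() would drop the query string).
    static String toHttpUrl(String host, String path, String query) {
        StringBuilder sb = new StringBuilder("http://").append(host);
        if (HTTP_PORT != 80) sb.append(':').append(HTTP_PORT);
        sb.append(path);
        if (query != null) sb.append('?').append(query);
        return sb.toString();
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // isSecure() reports the actual channel, which is more reliable than
        // string-matching the scheme. Only GET is bounced: a redirected POST
        // would lose its body.
        if (request.isSecure() && "GET".equals(request.getMethod())
                && !requiresHttps(request.getRequestURI())) {
            response.sendRedirect(toHttpUrl(request.getServerName(),
                    request.getRequestURI(), request.getQueryString()));
            return;
        }
        chain.doFilter(req, resp);
    }
}
```

Map it in web.xml with a filter-mapping whose url-patterns cover only the paths that should stay on http, so that the filter never sees the CONFIDENTIAL paths at all.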


For the Resin server part, since I use the default configuration, I only changed the following in conf/resin.properties:

# Set HTTP and HTTPS ports.
# Use overrides for individual server control, for example: app-0.http : 8081
app.http          : 80
app.https         : 443

web.http          : 80
web.https         : 443

This opens 80 and 443, the default access ports for http and https.


# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/gryffindor.crt
openssl_key : keys/gryffindor.key
openssl_password : your-password

Configure the certificate.

The configured files and a certificate for localhost are provided for everyone to test:

http://download.csdn.net/detail/yeahking1981/4570721

This completes all the related operations.

Attached is a solution, provided by an overseas contributor, for making the http and https protocols work together and redirect to each other.

http://stackoverflow.com/questions/12401292/how-do-i-redirect-https-requests-to-http-in-resin4-0
