簡介:
SSL 協議的3個特性:
保密:通過SSL鏈接傳輸的數據是加密的鑒別:通信雙方的身份鑒別,通常是可選的,但至少有一方需要驗證(通常是服務端)
完成性:傳輸數據的完整性檢查
從性能角度考慮,加密是一項計算昂貴的處理,因此盡量不要講整個Web采用SSL鏈接,實際部署中,選擇有必要進行安全加密的頁面(如存在敏感信息傳輸的頁面)采用SSL通信。
接下來相信介紹一下如何在Tomcat中添加SSL 支持。
注意:
配置Tomcat以支持SSL通常只在其作為獨立的web服務器時才有必要。當Tomcat作為servlet容器運行與Web服務器后端時,只需要配置前置的Web服務器支持SSL即可。Web服務器負載所有的SSL 相關處理,Tomcat 接收到的請求為解密后的數據,而且返回的響應也是明文,有Web 服務器完成加密。
Tomcat實現SSL兩種方式:
一種是JSSE,另一種是APR(默認的OpenSSL引擎)。
JSSE適用於BIO、NIO、NIO2鏈接器(8.5版本之后,NIO、NIO2同時支持OpenSSL,以用於HTTP/2.0), APR適用於APR鏈接器。由於JSSE和APR配置有明顯區別,因此我們最好在Connector的protocol屬性中明確指定鏈接器的類名,而非協議名(如HTTP/1.1),否則,Tomcat會自動按照本地配置構造connector(如果安裝了APR,則適用APR鏈接器,否則使用NIO鏈接器),這樣可能導致SSL不可用。
方法一(簡單粗暴)
在為Tomcat添加SSL配置之前,我們需要先創建一個秘鑰庫。Tomcat支持秘鑰庫有JKS、PKCS11和PKCS112。JKS是Java標准的秘鑰庫格式,由keytool命令行工具創建,該工具位於$JAVA_HOME/bin/目錄下。
1創建秘鑰庫
執行命令如下:
Windows (文件存放於C:\cert目錄,存放路徑也可自己定義):
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\cert\mykey.key.store
Linux(文件存放於/home/liugr/cert目錄,存放路徑也可自己定義):
keytool -genkey -alias tomcat -keyalg RSA -keystore /home/liuge/cert/mykey.keystore
Enter keystore password: 輸入秘鑰庫口令
Re-enter new password: 再次輸入新口令
What is your first and last name? 您的姓氏是什么
[Unknown]: Tomcat
What is the name of your organizational unit? 您的單位名稱
[Unknown]: Apache
What is the name of your organization? 您的組織名稱
[Unknown]: Apache
What is the name of your City or Locality?省份
[Unknown]: Beijing
What is the name of your State or Province?城市
[Unknown]: Beijing
What is the two-letter country code for this unit? 國家代碼
[Unknown]: CN
Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct? 信息是否正確
[no]: y
Enter key password for <tomcat> 輸入Tomcat的秘鑰口令
(RETURN if same as keystore password): 如果和秘鑰庫口令相同,按回車
Re-enter new password:
2 配置server.xml文件
秘鑰庫密碼將在server.xml配置是用到,其他信息作為基本信息,客戶端可以通過瀏覽器查看。命令執行成功后,將生成的mykey.keystore復制到Tomcat的conf目錄下。將默認注釋的SSL鏈接器取消注釋
8.5版本配置如下(server.xml的88行)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" scheme="https" secure="true" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreFile="conf/mykey.keystore" certificateKeystorePassword="123456" ##秘鑰庫口令 type="RSA" /> </SSLHostConfig> </Connector>
鏈接器的protocol設置為org.apache.coyote.http11.Http11NioProtocol,以避免Tomcat自動選擇HTTP鏈接器實現(當然,可以根據需要改為NIO2的實現,不能選擇APR)
CertificateKeystorePassword為創建秘鑰庫是填寫的秘鑰庫文件,port為SSL鏈接器端口,如果要修改為其他端口,必須確保與無SSL得HTTP鏈接器的redirectPort屬性一致。
啟動Tomcat,在瀏覽器中輸入https://ip:8443,瀏覽器會彈出證書提示,接收后才會進入頁面,而且通過瀏覽器還可以查看證書信息。
方法二(婆婆媽媽)
除此以上方法之外,我們還可以通過OpenSSL創建證書並導入到秘鑰庫。
注意:絕大多數Linux系統以及默認安裝了OpenSSL,Windows系統中,如果你安裝了Apache服務器,那樣也可以在安裝目錄的bin文件夾下找到openssl.exe可執行文件。
OpenSSL的命令格式都是 "openssl 命令 命令參數"的形式。
1 執行以下命名生成根秘鑰:
[root@ ~]# openssl genrsa -out rootkey.pem 2048
輸出如下:
Generating RSA private key, 2048 bit long modulus ..................+++ .....+++ e is 65537 (0x10001)
2 創建根證書(用根證書來簽發服務器端請求文件):
[root@ ~]# openssl req -x509 -new -key rootkey.pem -out root.crt
輸出如下:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:Apache Organizational Unit Name (eg, section) []:Tomcat Common Name (eg, your name or your server's hostname) []:Tomcat Email Address []:tomcat@apache.com
根據提示,需要輸入國家、省份、城市、以及公司信息等。
3 創建服務器秘鑰:
[root@ ~]# openssl genrsa -out serverkey.pem 2048
輸出如下:
Generating RSA private key, 2048 bit long modulus ............................................................+++ ................................+++ e is 65537 (0x10001)
4 生成服務器端證書的請求文件:
[root@ ~]# openssl req -new -key serverkey.pem -out server.csr
輸出如下:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:Apache Organizational Unit Name (eg, section) []:Tomcat Common Name (eg, your name or your server's hostname) []:Tomcat Email Address []:tomcat@apache.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:Tomcat
同樣,根據提示,需要輸入國家、省份、城市等信息。
5用根證書來簽發服務器端請求文件,生成服務器端證書:
[root@ ~]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out server.crt
輸出如下:
Signature ok subject=/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=Tomcat/emailAddress=tomcat@apache.comf\x08 Getting CA Private Key
以上我們創建的是自簽名證書,多用於開發測試環境。在生產中,我們需要向數字證書頒發機構(CA)提交請求文件(server.csr),CA則返回給我們數字證書。這個過程一般是要收費的。
6 將證書導出為pkcs12格式:
[root@ ~]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12
輸出如下:
Enter Export Password:
Verifying - Enter Export Password:
根據提示輸出一個導出密碼
7 執行keytool命令生成服務端秘鑰庫:
[root@ ~]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12
輸出如下
Importing keystore server.pkcs12 to mykey.keystore... Enter destination keystore password: Enter source keystore password: Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
根據提示輸入秘鑰庫密碼已經上一步的導出密碼。
至此,我們創建了一個mykey.keystore秘鑰庫文件
這半天創建的相關文件如下
[root@ ~]# ll total 36 -rw-r--r--. 1 root root 4461 Apr 16 16:41 mykey.keystore -rw-r--r--. 1 root root 1407 Apr 16 16:21 root.crt -rw-r--r--. 1 root root 1679 Apr 16 16:14 rootkey.pem -rw-r--r--. 1 root root 17 Apr 16 16:31 root.srl -rw-r--r--. 1 root root 1289 Apr 16 16:31 server.crt -rw-r--r--. 1 root root 1110 Apr 16 16:28 server.csr -rw-r--r--. 1 root root 1675 Apr 16 16:26 serverkey.pem -rw-r--r--. 1 root root 2517 Apr 16 16:37 server.pkcs12
8 通過keytool的list命令,可以查看其包含的證書信息:
根據提示輸入秘鑰庫密碼后,既輸出秘鑰庫包含的證書信息
[root@ ~]# keytool -list -v -keystore mykey.keystore
輸出如下:
Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries Alias name: tomcat Creation date: Apr 16, 2018 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN Issuer: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN Serial number: 5f59c5e3 Valid from: Mon Apr 16 15:36:30 CST 2018 until: Sun Jul 15 15:36:30 CST 2018 Certificate fingerprints: MD5: 0E:FB:D2:73:54:89:51:9A:20:96:E8:22:2B:92:36:B6 SHA1: 2C:DF:97:E9:88:85:72:0E:15:68:B1:09:19:76:7E:67:FC:A7:F9:12 SHA256: EE:42:E8:96:CE:E1:B5:A6:2C:EC:57:82:44:3A:A8:AD:A3:89:04:01:C8:E8:85:7D:CA:96:B4:E4:63:87:91:49 Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 3A 8F 05 4C 85 6D 2F EE 1E E6 46 ED AD CC CA A6 :..L.m/...F..... 0010: 06 78 A7 CA .x.. ] ] ******************************************* ******************************************* Alias name: 1 Creation date: Apr 16, 2018 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: EMAILADDRESS=tomcat@apache.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN Issuer: EMAILADDRESS=tomcat@apache.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN Serial number: 84802670058ff7d5 Valid from: Mon Apr 16 16:31:46 CST 2018 until: Thu Apr 13 16:31:46 CST 2028 Certificate fingerprints: MD5: 46:F0:86:8A:FB:60:2E:AA:14:E5:AF:7F:8B:05:A2:F5 SHA1: EF:3E:90:08:0D:9E:53:95:4E:4F:36:29:78:05:93:E1:DB:48:CB:A2 SHA256: 8E:B7:51:6D:04:09:24:28:20:68:4F:C3:2A:2E:47:1E:B8:F6:C2:87:D1:55:30:8C:B0:2A:EA:2A:02:8B:09:76 Signature algorithm name: SHA1withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 1 ******************************************* ******************************************* Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".
9 將mykey.keystore 秘鑰庫文件按照前文說明的方式部署到Tomcat中(非APR鏈接器)。通過瀏覽器可查看證書信息。
10 如果在APR鏈接器配置SSL,首先需要在server.xml的<Server>下添加監聽器AprLifecycleListener:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"
SSLRandomSeed="builtin" userAprConnector="true" />
說明:userAprConnector 為8.5版本新屬性,用於啟用Apr Connector,8.5版本之前不必配置,默認自動啟用
然后,添加SSL鏈接器配置如下(Tomcat8.5):
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="${catalina.base}/conf/serverkey.pem"
certificateFile="${catalina.base}/conf/serverkey.crt"
type="RSA" />
</SSLHostConfig>
</Connector>
certificateKeystoreFile 用於配置服務器端秘鑰
certificateFile用於配置服務器端證書
至此配置完成