Introduction
SSL and TLS are the cryptographic protocols that protect network traffic between a client and a server, letting the two sides talk over an authenticated, encrypted connection. SSL is the older protocol and every SSL version is now deprecated in favour of TLS; the name "SSL" survives mainly in configuration attributes such as Tomcat's SSLEnabled.
What the protocol provides:
- Confidentiality: data carried over the connection is encrypted
- Authentication: the communicating parties prove their identity. This is optional, and usually only one side (the server) is authenticated
- Integrity: the transmitted data is checked for tampering
Configuring SSL
Tomcat offers two SSL implementations: JSSE, and APR, which uses the OpenSSL engine. JSSE is used by the NIO and NIO2 connectors (and by the BIO connector in Tomcat 8.0 and earlier; BIO was removed in 8.5). Since 8.5 the NIO and NIO2 connectors can also use the OpenSSL engine, which is the route to HTTP/2 on Java 8, whose JSSE has no ALPN. The APR implementation is used by the APR connector. When configuring a connector, set the Connector's protocol attribute to the implementation class name rather than to the protocol name HTTP/1.1. With HTTP/1.1, Tomcat selects the implementation itself (the APR connector if the native library is on the library path and the AprLifecycleListener has useAprConnector="true", otherwise NIO), and because the two implementations expect different key material (a Java keystore for JSSE, PEM files for APR), an SSL configuration written for one of them will fail if Tomcat picks the other.
1. Generate the keystore
Tomcat supports JKS, PKCS11 and PKCS12 keystores. JKS is Java's own keystore format; it is created with the keytool command found in $JAVA_HOME/bin. Two things to know before running it for anything more than a local test: -genkey is the older name of -genkeypair, and without -validity the certificate expires after 90 days; and browsers match the hostname against the certificate's subjectAltName, not the CN, so add -ext SAN=dns:<hostname> (keytool syntax) with the hostname clients will use. The example below takes the defaults and answers "Tomcat" as the name:
① Windows:
```
keytool -genkey -alias tomcat -keyalg RSA -keystore C:\cert\mykey.keystore
```
② Linux:
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# mkdir cert
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Tomcat
What is the name of your organizational unit?
  [Unknown]:  Apache
What is the name of your organization?
  [Unknown]:  Apache
What is the name of your City or Locality?
  [Unknown]:  Beijing
What is the name of your State or Province?
  [Unknown]:  Beijing
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct?
  [no]:  Y
Enter key password for <tomcat>
        (RETURN if same as keystore password):    (press Enter)

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -destkeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -deststoretype pkcs12".
```
2. Deploy
Copy the keystore into $CATALINA_BASE/conf and edit server.xml:
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# cp cert/mykey.keystore $CATALINA_BASE/conf/
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml
```
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <!-- certificateVerification="none" (the default) means clients are not asked for a certificate -->
    <SSLHostConfig certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/mykey.keystore"
                     certificateKeystorePassword="mnbvcxzaA0."
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```
Note the attribute is scheme="https" (the original had the misspelling "schema", which Tomcat silently ignores, so request.isSecure() and URL generation would still think the connector is plain HTTP). The keystore password sits in clear text in server.xml, so restrict the file's permissions to the Tomcat user. A PKCS12 file can be used in place of the JKS keystore by adding certificateKeystoreType="PKCS12" to the Certificate element.
port is the SSL connector's port. If you change it, keep it in step with the redirectPort attribute of the plain HTTP connector, which is where HTTP requests for protected resources are redirected.
Before 8.5 the SSL settings were attributes of the Connector itself (note the camel-case attribute names keystoreFile and keystorePass, and again scheme rather than schema):
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="conf/mykey.keystore" keystorePass="mnbvcxzaA0."
           clientAuth="false" sslProtocol="TLS" />
```
3. Test the connection
Open the HTTPS port in a browser and inspect the certificate it presents; the details entered into keytool appear there. Because the certificate is self-signed and its CN is not the hostname, the browser will show a trust warning before the page loads.
Creating the keys with openssl
The procedure below is fine for a test environment. In production you submit a certificate signing request (CSR) to an accredited certificate authority (CA), which returns the signed certificate; the private key never leaves your server.
Generate the root key
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out rootkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................+++++
..................................+++++
e is 65537 (0x010001)
```
Create the root certificate (used to sign the server's CSR). Without -days, openssl req -x509 issues a certificate that is valid for only 30 days, so a root meant to outlive the server certificate it signs needs something like -days 3650. Also give the root a Common Name different from the server's; the transcript below uses CN=Tomcat for both, and the resulting server certificate has an issuer DN identical to its subject DN, which confuses chain building.
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -x509 -new -key rootkey.pem -out root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:183041251@126.com
```
Create the server key
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out serverkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..........................................+++++
e is 65537 (0x010001)
```
Create the server's certificate signing request
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -new -key serverkey.pem -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:183041251@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tomcat
An optional company name []:Tomcat
```
Sign the server CSR with the root certificate to produce the server certificate. Two caveats: the Common Name should be the hostname clients connect to, and openssl x509 -req does not carry extensions from the CSR into the certificate, so as issued below the certificate has no subjectAltName at all. Modern browsers check the hostname only against the subjectAltName, so for anything beyond a local test supply one at signing time with -extfile.
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 365 -out server.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = Apache, OU = Tomcat, CN = Tomcat, emailAddress = 183041251@126.com
Getting CA Private Key
```
Export the certificate and key as PKCS#12
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12
Enter Export Password:             # choose an export password
Verifying - Enter Export Password:
```
Build the server keystore
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12
Importing keystore server.pkcs12 to mykey.keystore...
Enter destination keystore password:   ## the password of the mykey.keystore created earlier
Re-enter new password:
Enter source keystore password:        ## the export password set in the previous step
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".
```
The imported entry is named "1" because openssl pkcs12 -export was run without -name, so the bundle carries no friendly name for keytool to reuse.
List the certificates in the keystore
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -list -v -keystore mykey.keystore
Enter keystore password:               ## the keystore password
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Sep 12, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Issuer: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Serial number: 25100e367ff3f3117f90489ad91605bc08080222
Valid from: Sat Sep 12 18:06:53 CST 2020 until: Sun Sep 12 18:06:53 CST 2021
Certificate fingerprints:
         MD5:  E7:F4:B6:EE:18:26:FC:92:18:4B:66:EA:DE:9A:20:72
         SHA1: 40:D9:E2:15:B6:03:5D:B4:56:38:23:3F:95:B9:35:64:F6:02:B7:80
         SHA256: 6E:33:84:44:82:A0:46:B7:D4:49:35:56:74:89:8A:C2:4A:05:95:66:D5:98:D8:2A:0E:01:5E:3D:45:83:5E:B9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".
```
Two details in this listing are worth reading: Owner and Issuer are identical because the root and the server were given the same DN, and "Version: 1" confirms the certificate carries no extensions (and therefore no subjectAltName). Deploy the keystore into Tomcat exactly as in the JSSE section above and the HTTPS connector will come up. With a single entry the JSSE connector uses it automatically; if the keystore holds several keys, name the one to serve with certificateKeyAlias on the Certificate element. A keystore cannot be used with the APR connector, which reads PEM files only.
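The steps above work, but as the keytool listing shows they produce a version 1 certificate with no subjectAltName and an issuer DN equal to its subject DN, and the root is valid for 30 days. The script below is an added example, not part of the original page, that redoes the whole openssl procedure the way a practitioner would ship it for a test instance: a root with basicConstraints CA:TRUE and a distinct name, a server certificate with a SAN for the hostname, explicit validity periods, a PKCS#12 bundle that Tomcat 8.5 can load directly, and checks that the chain verifies and the key matches the certificate before anything is copied into conf/. It reuses the page's file names (rootkey.pem, root.crt, serverkey.pem, server.csr, server.crt) and adds tls.cnf and server.p12. The environment variables TLS_WORKDIR and TLS_HOST, the hostname tomcat.example.test and the bundle password changeit are assumptions of this script, not anything the page or Tomcat defines.

```shell
#!/bin/sh
# Added example: a private test CA for Tomcat, built end to end with openssl (1.1.1 or 3.x).
# Compared with the page's steps it adds CA:TRUE on the root, a subjectAltName on the server
# certificate, explicit validity periods, and checks of the result before deployment.
set -eu

# TLS_WORKDIR and TLS_HOST are hypothetical knobs for this script only (assumptions).
WORK="${TLS_WORKDIR:-$(mktemp -d)}"
HOST="${TLS_HOST:-tomcat.example.test}"   # hostname clients will connect to; must be in the SAN
P12_PASS="changeit"                        # constructed example password for the PKCS#12 bundle

write_config() {
  # Extension profiles for the root CA and for the server certificate.
  # Browsers match the hostname against subjectAltName; the CN alone is not used.
  cat > "$WORK/tls.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST, DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

make_ca() {
  openssl genrsa -out "$WORK/rootkey.pem" 2048 2>/dev/null
  # Without -days, "openssl req -x509" issues a certificate that expires after 30 days.
  # The CN differs from the server's so that issuer and subject DNs never coincide.
  openssl req -x509 -new -sha256 -days 3650 -key "$WORK/rootkey.pem" \
    -config "$WORK/tls.cnf" -extensions v3_ca \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=Tomcat Test Root CA" \
    -out "$WORK/root.crt"
}

make_server_cert() {
  openssl genrsa -out "$WORK/serverkey.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/serverkey.pem" -config "$WORK/tls.cnf" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=$HOST" \
    -out "$WORK/server.csr"
  # "x509 -req" does not copy extensions from the CSR; they must be supplied when signing.
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/rootkey.pem" -CAcreateserial \
    -extfile "$WORK/tls.cnf" -extensions v3_server \
    -out "$WORK/server.crt" 2>/dev/null
}

export_pkcs12() {
  # Key + server certificate + issuing CA in one bundle, alias "tomcat" as in the keytool step.
  # On OpenSSL 3.x add -legacy if an old JDK cannot read the default AES/PBKDF2 encryption.
  openssl pkcs12 -export -name tomcat -in "$WORK/server.crt" -inkey "$WORK/serverkey.pem" \
    -certfile "$WORK/root.crt" -passout "pass:$P12_PASS" -out "$WORK/server.p12"
}

# ---- checks to run before touching server.xml ----

verify_chain() {      # succeeds only if server.crt chains to root.crt
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null
}

ca_is_ca() {          # succeeds only if the root carries basicConstraints CA:TRUE
  openssl x509 -in "$WORK/root.crt" -noout -text | grep -q 'CA:TRUE'
}

key_matches_cert() {  # succeeds only if the private key's public half equals the certificate's
  k=$(openssl pkey -in "$WORK/serverkey.pem" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

san_of() {            # prints the SAN line, e.g. "DNS:tomcat.example.test, DNS:localhost, IP Address:127.0.0.1"
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

p12_cert_count() {    # prints how many end-entity certificates the bundle holds (expected: 1)
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

main() {
  mkdir -p "$WORK"
  write_config
  make_ca
  make_server_cert
  export_pkcs12
  verify_chain
  ca_is_ca
  key_matches_cert
  echo "CA and server certificate written to $WORK"
  echo "subjectAltName: $(san_of)"
  echo "end-entity certificates in server.p12: $(p12_cert_count)"
}

main
```

To use the output with the NIO connector shown earlier, copy server.p12 into conf/ and point the Certificate element at it with certificateKeystoreFile="conf/server.p12", certificateKeystoreType="PKCS12" and the bundle password in certificateKeystorePassword; for the APR connector described next, use serverkey.pem and server.crt as certificateKeyFile and certificateFile, and add certificateChainFile="${catalina.base}/conf/root.crt" so the issuing certificate is sent with the server's. Clients that are told to trust root.crt (for example curl --cacert root.crt) will then accept the connection without warnings for the hostname in the SAN.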
Configuring SSL on the APR connector
Configure the listener. useAprConnector="true" is what makes Tomcat choose the APR connector for a protocol="HTTP/1.1" Connector; with the explicit class name used below it is not strictly required, but SSLEngine="on" is, since it initialises OpenSSL:
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml
```
```xml
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"
          SSLRandomSeed="builtin" useAprConnector="true" />
```
The APR connector reads its key and certificate as PEM files created with OpenSSL, so generate them as shown above; only the signed server certificate is needed, there is no keystore import. Then add the SSL connector (again scheme="https", not schema):
```
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml
```
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="${catalina.base}/conf/serverkey.pem"
                     certificateFile="${catalina.base}/conf/server.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```
certificateKeyFile: the server's private key (PEM). Keep it readable by the Tomcat user only.
certificateFile: the server's certificate (PEM).
If the certificate was issued by your own root or by an intermediate CA, also set certificateChainFile to a PEM file holding the issuing certificate(s), so that clients receive the full chain.