nginx + tomcat + java SSL客服端

=====nginx + tomcat + java SSL客服端=======

1. 經過keytool 生成密鑰庫 【注意 CN 爲服務端訪問域名地址或者IP地址或者主機名 好比 config.ebnew.com】(密鑰庫密碼爲:bidconfig)

keytool -genkey -alias configserver -keystore configstore.jks -keypass bidconfig -storepass bidconfig -keyalg RSA   -validity 7300 -v -dname "CN =config.ebnew.com,O = BID,DC = Server Https,DC = BID,OU = Firefly Technology And Operation"

2. 經過keytool將密鑰庫導出爲P12 (密鑰庫密碼爲:bidconfig, p12 密鑰庫密碼爲:bidconfig)

keytool -importkeystore -srckeystore configstore.jks -destkeystore config.p12 -srcstoretype JKS -deststoretype PKCS12  -srcstorepass bidconfig -deststorepass bidconfig -srcalias configserver -destalias configserver -srckeypass bidconfig -destkeypass bidconfig -noprompt

3.根據pkcs12 （config.p12） 生成證書請求 config.pem (密碼都爲 bidconfig. 根據本身須要定義out密碼)

 openssl pkcs12 -in config.p12 -out config.pem -passin pass:bidconfig -passout pass:bidconfig

4. 根據p12 密鑰庫分別導出 服務端私鑰，與服務端證書以及客服端證書（雙向認證時使用）。 

 openssl pkcs12 -in config.p12  -nodes -nocerts -out server.key

 openssl pkcs12 -in config.p12  -nodes -nokeys -clcerts -out server.crt

 openssl pkcs12 -in config.p12  -nodes -nokeys -cacerts -out client.crt 

5.經過keytool 將服務端證書導入到客服端(java) 密鑰庫。密鑰庫密碼設置爲 liu999,方便java客服端使用

keytool -import -alias configTrustServer -file server.crt -keystore configclient.jks -storepass liu999 

6. 若是是瀏覽器訪問跳過安全檢查

keytool -import -file  ./server.crt -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -alias config -trustcacerts

7. nginx 端配置

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Url-Scheme $scheme;    

server {

    listen       443 ssl;

    server_name  localhost;

    ssl         on;

    ssl_protocols SSLv2 SSLv3 TLSv1;

    ssl_certificate  /home/sslkey/server.crt;

    ssl_certificate_key  /home/sslkey/server.key;

    #ssl_client_certificate /home/sslkey/ca.crt;

    #ssl_verify_client on;

    ssl_session_cache shared:SSL:1m;

    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;

    ssl_prefer_server_ciphers   on;

    location /config {

        proxy_pass http://192.168.199.152:8080/config;

    }

}

server {

    listen       80;

    server_name   localhost;

    location /config {

       proxy_pass http://192.168.199.152:8080/config;

    }

}

8. 上述配置後，在從新啓動服務器的時候，總是讓你輸入私有key的密碼

 openssl rsa -in server.key -out server.key.unsecure

  修改NGINX配置：

  ssl_certificate_key  /home/sslkey/server.key.unsecure;

  

9. tomcat 配置

 <Connector port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="8443" proxyPort="443"/>

10 java 客服端代碼

 DefaultHttpClient httpclient = new DefaultHttpClient();

        KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());        

        FileInputStream instream = new FileInputStream(new File("com/ssl/http/configclient.jks")); 

        try {

            trustStore.load(instream, "liu999".toCharArray());

        } finally {

            instream.close();

        }

        

        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);

        Scheme sch = new Scheme("https", socketFactory, 8443);

        httpclient.getConnectionManager().getSchemeRegistry().register(sch);

        HttpGet httpget = new HttpGet("https://xxxxxx/");

        System.out.println("executing request" + httpget.getRequestLine());

        

        HttpResponse response = httpclient.execute(httpget);

        HttpEntity entity = response.getEntity();

        System.out.println("----------------------------------------");

        System.out.println(response.getStatusLine());

        if (entity != null) {

            System.out.println("Response content length: " + entity.getContentLength());

        }

        if (entity != null) {

            entity.consumeContent();

        }

        // When HttpClient instance is no longer needed, 

        // shut down the connection manager to ensure

        // immediate deallocation of all system resources

        httpclient.getConnectionManager().shutdown();