1.生成服務器端所需證書文件 html
#設置變量 set OPENSSL_CONF=openssl.cfg # 生成一個RSA密鑰 openssl genrsa -des3 -out server.key 1024 # 生成一個證書請求 openssl req -new -key server.key -out server.csr # 拷貝一個不須要輸入密碼的密鑰文件 openssl rsa -in server.key -out server_nopwd.key # 本身簽發證書 openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
2.生成cxf調用https webservice 所用的證書文件 java
#從key和crt生成pkcs12格式的keystore openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -CAfile server.crt -caname root -chain #生成須要的keystore keytool -importkeystore -v -srckeystore mycert.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore tomcat.keystore -deststoretype jks -deststorepass 123456
3.客戶端代碼 web
package cn.net.sunge.gdms.util; import java.io.File; import java.io.FileInputStream; import java.security.KeyStore; import java.util.Map; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import org.apache.cxf.configuration.jsse.TLSClientParameters; import org.apache.cxf.endpoint.Client; import org.apache.cxf.frontend.ClientProxy; import org.apache.cxf.jaxws.JaxWsProxyFactoryBean; import org.apache.cxf.transport.http.HTTPConduit; public class WsClientUtil { public static <T> T getInterface(Class<T> clazz, String address) { return getInterface(clazz, address, null); } @SuppressWarnings("unchecked") public static <T> T getInterface(Class<T> clazz, String address, Map<String, Object> properties) { JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean(); factory.setAddress(address); factory.setServiceClass(clazz); if (null != properties) { factory.setProperties(properties); } return (T) factory.create(); } public static <T> T getHttpsInterface(Class<T> clazz, String address, String jksPath, String jksPwd) { return getHttpsInterface(clazz, address, jksPath, jksPwd, null); } @SuppressWarnings("unchecked") public static <T> T getHttpsInterface(Class<T> clazz, String address, String jksPath, String jksPwd, Map<String, Object> properties) { JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean(); factory.setAddress(address); factory.setServiceClass(clazz); if (null != properties) { factory.setProperties(properties); } T t = (T) factory.create(); configureSSLOnTheClient(t, jksPath, jksPwd); return t; } private static void configureSSLOnTheClient(Object obj, String jksPath, String jksPwd) { File file = new File(jksPath); Client client = ClientProxy.getClient(obj); HTTPConduit httpConduit = (HTTPConduit) client.getConduit(); try { TLSClientParameters tlsParams = new TLSClientParameters(); tlsParams.setDisableCNCheck(true); KeyStore keyStore = KeyStore.getInstance("JKS"); String password = jksPwd; String storePassword = jksPwd; keyStore.load(new FileInputStream(file), storePassword.toCharArray()); TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustFactory.init(keyStore); TrustManager[] trustManagers = trustFactory.getTrustManagers(); tlsParams.setTrustManagers(trustManagers); keyStore.load(new FileInputStream(file), storePassword.toCharArray()); KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyFactory.init(keyStore, password.toCharArray()); KeyManager[] keyManagers = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(keyManagers); // FiltersType filtersTypes = new FiltersType(); // filtersTypes.getInclude().add(".*_EXPORT_.*"); // filtersTypes.getInclude().add(".*_EXPORT1024_.*"); // filtersTypes.getInclude().add(".*_WITH_DES_.*"); // filtersTypes.getInclude().add(".*_WITH_NULL_.*"); // filtersTypes.getExclude().add(".*_DH_anon_.*"); // tlsParams.setCipherSuitesFilter(filtersTypes); tlsParams.setDisableCNCheck(true); httpConduit.setTlsClientParameters(tlsParams); } catch (Exception e) { e.printStackTrace(); } } }
參考資料: shell
http://bbs.csdn.net/topics/350150090
http://www.educity.cn/wenda/130283.html
http://blog.csdn.net/kongxx/article/details/7534035
http://bbs.csdn.net/topics/350150090
http://aruld.info/programming-ssl-for-jetty-based-cxf-services/
http://blog.csdn.net/zhangliang605/article/details/24101051
http://zhidao.baidu.com/link?url=YCxDHHSJWpuin3OdnmN9QUj7lauIEAHi2RE6BT0cwk22G3eqbX30Dr-OXcJt0hYCHZcp27e3iAx0xIG8IyInOqzq2YUCDbON78D3rOJ1y_7 apache