=====nginx + tomcat + java SSL客户端=======
1. 通过keytool 生成密钥库 【注意 CN 为服务端访问域名地址或者IP地址或者主机名 比如 config.ebnew.com】(密钥库密码为:bidconfig)
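# Self-signed server key pair in a JKS keystore. -keysize pins the RSA size explicitly (older keytool
# releases defaulted to 1024 bits); the SAN extension repeats the CN hostname because current clients
# prefer SAN over CN for hostname matching (-ext needs a Java 7+ keytool). Validity stays 7300 days.
keytool -genkeypair -alias configserver -keystore configstore.jks -keypass bidconfig -storepass bidconfig -keyalg RSA -keysize 2048 -ext SAN=dns:config.ebnew.com -validity 7300 -v -dname "CN =config.ebnew.com,O = BID,DC = Server Https,DC = BID,OU = Firefly Technology And Operation"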
2. 通过keytool将密钥库导出为P12 (密钥库密码为:bidconfig, p12 密钥库密码为:bidconfig)
# Convert the JKS keystore into PKCS#12 so that openssl can read it. Source and destination use the
# same store/key password (bidconfig); -noprompt suppresses the overwrite confirmation.
keytool -importkeystore -srckeystore configstore.jks -destkeystore config.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass bidconfig -deststorepass bidconfig -srcalias configserver -destalias configserver -srckeypass bidconfig -destkeypass bidconfig -noprompt
3.根据pkcs12 (config.p12) 生成证书请求 config.pem (密码都为 bidconfig. 根据自己需要定义out密码)
# Dump the PKCS#12 bundle (private key + certificate) into one PEM file; the key in config.pem is
# encrypted with the -passout value. This is a format conversion, not a certificate signing request.
# NOTE(review): pass:... places the password on the command line, where other local users can read it
# from the process list; openssl also accepts -passin/-passout env:VAR or file:PATH.
openssl pkcs12 -in config.p12 -out config.pem -passin pass:bidconfig -passout pass:bidconfig
4. 根据p12 密钥库分别导出服务端私钥、服务端证书以及客户端证书(双向认证时使用)。
# Split the PKCS#12 bundle into separate PEM files (openssl prompts for the import password).
# -nodes writes the private key WITHOUT a passphrase, so server.key must be kept root-readable only.
openssl pkcs12 -in config.p12 -nodes -nocerts -out server.key
# Certificate whose key is in the bundle (the self-signed server cert from step 1).
openssl pkcs12 -in config.p12 -nodes -nokeys -clcerts -out server.crt
# CA certificates only. NOTE(review): the bundle from step 2 holds a single self-signed entry, so this
# likely produces an empty client.crt; confirm before relying on it for mutual TLS (step 7 keeps
# ssl_client_certificate / ssl_verify_client commented out).
openssl pkcs12 -in config.p12 -nodes -nokeys -cacerts -out client.crt
5. 通过keytool 将服务端证书导入到客户端(java) 密钥库。密钥库密码设置为 liu999,方便java客户端使用
# Client truststore: only the server certificate exported in step 4 is trusted, so the Java client
# (step 10) rejects any other server. The store password protects integrity; the store holds no private key.
keytool -import -alias configTrustServer -file server.crt -keystore configclient.jks -storepass liu999
6. 如果是浏览器访问跳过安全检查
REM Adds the self-signed server cert to the JRE-wide trust store, so every Java program running on
REM this JRE trusts it (broader than the per-application truststore of step 5). keytool prompts for
REM the cacerts store password.
REM NOTE(review): this changes Java's trust store only; browsers keep their own and are unaffected.
keytool -import -file ./server.crt -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -alias config -trustcacerts
7. nginx 端配置
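# Forwarded-client information for Tomcat; the backend itself only ever sees plain HTTP.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Url-Scheme $scheme;
server {
    # TLS terminates here. "ssl on;" was dropped: it is deprecated and redundant with "listen ... ssl".
    listen 443 ssl;
    server_name localhost;
    # SSLv2/SSLv3 are broken and TLSv1.0 is deprecated; offer TLS 1.2 only. Add TLSv1.3 on
    # nginx >= 1.13 built against OpenSSL >= 1.1.1. Java clients need Java 8+ (or TLS 1.2
    # enabled explicitly on Java 7) to connect.
    ssl_protocols TLSv1.2;
    ssl_certificate /home/sslkey/server.crt;
    ssl_certificate_key /home/sslkey/server.key;
    # Mutual TLS stays disabled; to enable it, point ssl_client_certificate at the CA that
    # signed the client certificates and uncomment both lines.
    #ssl_client_certificate /home/sslkey/ca.crt;
    #ssl_verify_client on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location /config {
        proxy_pass http://192.168.199.152:8080/config;
    }
}
# Plain-HTTP entry point to the same backend (no redirect to HTTPS is configured).
server {
    listen 80;
    server_name localhost;
    location /config {
        proxy_pass http://192.168.199.152:8080/config;
    }
}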
8. 上述配置后,重新启动服务器时总是要求输入私钥的密码
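# Strip the passphrase so nginx can start unattended (prompts once for the current passphrase).
# NOTE(review): step 4 already exported server.key with -nodes (no passphrase); if nginx still
# prompts, confirm which key file is actually referenced.
openssl rsa -in server.key -out server.key.unsecure
# The unencrypted key is now the only thing protecting the TLS endpoint: restrict it to the
# owner (the nginx master process runs as root and reads it at startup).
chmod 600 server.key.unsecure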
修改NGINX配置:
# Replaces the ssl_certificate_key line of step 7 with the passphrase-less key produced above.
ssl_certificate_key /home/sslkey/server.key.unsecure;
9. tomcat 配置
<!-- Plain HTTP connector sitting behind the nginx proxy of step 7.
     proxyPort="443" is the port Tomcat reports for this connector in generated URLs.
     NOTE(review): redirectPort="8443" is where Tomcat sends clients that hit a CONFIDENTIAL
     security constraint, while nginx listens for TLS on 443; confirm that 8443 is intended. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           proxyPort="443"/>
10. java 客户端代码
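// Apache HttpClient 4.x (the API this page uses): trust only the server certificate imported
// into configclient.jks in step 5, then issue a single GET. The connection manager is shut down
// in a finally block so an exception anywhere in the request path cannot leak its sockets.
DefaultHttpClient httpclient = new DefaultHttpClient();
try {
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    // Path is resolved against the working directory. The password only protects the store's
    // integrity; the store holds a public certificate and no private key.
    FileInputStream instream = new FileInputStream(new File("com/ssl/http/configclient.jks"));
    try {
        trustStore.load(instream, "liu999".toCharArray());
    } finally {
        instream.close();
    }
    // NOTE(review): hostname verification is whatever this constructor's default is; confirm it
    // is not the ALLOW_ALL verifier, otherwise any certificate in the truststore is accepted for
    // any host. The CN from step 1 must match the host used in the URL below.
    SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
    // Default port for https URLs that carry no explicit port. TLS is terminated by nginx on 443
    // (step 7); the original 8443 would only work with a separate TLS listener on that port.
    Scheme sch = new Scheme("https", socketFactory, 443);
    httpclient.getConnectionManager().getSchemeRegistry().register(sch);

    HttpGet httpget = new HttpGet("https://xxxxxx/"); // placeholder host, replace with the server name
    System.out.println("executing request" + httpget.getRequestLine());
    HttpResponse response = httpclient.execute(httpget);
    HttpEntity entity = response.getEntity();
    System.out.println("----------------------------------------");
    System.out.println(response.getStatusLine());
    if (entity != null) {
        System.out.println("Response content length: " + entity.getContentLength());
        // Drain the body so the connection can be released back to the manager.
        entity.consumeContent();
    }
} finally {
    // When HttpClient instance is no longer needed,
    // shut down the connection manager to ensure
    // immediate deallocation of all system resources
    httpclient.getConnectionManager().shutdown();
}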