itVincent Blog - Java Working Fun!

tomcat6配置雙向認(rèn)證

1、生成服務(wù)器端證書
Java代碼
keytool -genkey -keyalg RSA -dname "cn=localhost,ou=sango,o=none,l=china,st=beijing,c=cn" -alias server -keypass password -keystore server.jks -storepass password -validity 3650

keytool -genkey -keyalg RSA -dname "cn=localhost,ou=sango,o=none,l=china,st=beijing,c=cn" -alias server -keypass password -keystore server.jks -storepass password -validity 3650
2、生成客戶端證書
Java代碼
keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass password -keystore custom.p12 -storepass password -validity 3650

keytool -genkey -keyalg RSA -dname "cn=sango,ou=sango,o=none,l=china,st=beijing,c=cn" -alias custom -storetype PKCS12 -keypass password -keystore custom.p12 -storepass password -validity 3650
客戶端的CN可以是任意值。
3、由于是雙向SSL認(rèn)證，服務(wù)器必須要信任客戶端證書，因此，必須把客戶端證書添加為服務(wù)器的信任認(rèn)證。由于不能直接將PKCS12格式的證書庫(kù)導(dǎo)入，我們必須先把客戶端證書導(dǎo)出為一個(gè)單獨(dú)的CER文件，使用如下命令，先把客戶端證書導(dǎo)出為一個(gè)單獨(dú)的cer文件：
Java代碼
keytool -export -alias custom -file custom.cer -keystore custom.p12 -storepass password -storetype PKCS12 -rfc

keytool -export -alias custom -file custom.cer -keystore custom.p12 -storepass password -storetype PKCS12 -rfc
然后，添加客戶端證書到服務(wù)器中（將已簽名數(shù)字證書導(dǎo)入密鑰庫(kù)）
Java代碼
keytool -import -v -alias custom -file custom.cer -keystore server.jks -storepass password

keytool -import -v -alias custom -file custom.cer -keystore server.jks -storepass password
4、查看證書內(nèi)容
Java代碼
keytool -list -v -keystore server.jks -storepass password

keytool -list -v -keystore server.jks -storepass password
5、配置tomcat service.xml文件
Xml代碼
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="D:/server.jks" keystorePass="password"
    truststoreFile="D:/server.jks" truststorePass="password"
/>

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="D:/server.jks" keystorePass="password"
    truststoreFile="D:/server.jks" truststorePass="password"
/>
clientAuth="true"表示雙向認(rèn)證
6、導(dǎo)入客戶端證書到瀏覽器
雙向認(rèn)證需要強(qiáng)制驗(yàn)證客戶端證書。雙擊“custom.p12”即可將證書導(dǎo)入至IE

7、java代碼實(shí)現(xiàn)

DefaultHttpClient httpclient = new DefaultHttpClient();

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());  
        FileInputStream instream = new FileInputStream(new File("D:/server.jks"));
        try {
            trustStore.load(instream, "password".toCharArray());
        } finally {
            instream.close();
        }
       
        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore,"password",trustStore);
        Scheme sch = new Scheme("https", socketFactory, 443);
        httpclient.getConnectionManager().getSchemeRegistry().register(sch);

        HttpGet httpget = new HttpGet("https://localhost:8443/");

        System.out.println("executing request" + httpget.getRequestLine());
       
        HttpResponse response = httpclient.execute(httpget);
        HttpEntity entity = response.getEntity();

        System.out.println("----------------------------------------");
        System.out.println(response.getStatusLine());
        if (entity != null) {
            System.out.println("Response content length: " + entity.getContentLength());
        }
        if (entity != null) {
            entity.consumeContent();
        }
        httpclient.getConnectionManager().shutdown();