亚洲AV无码专区在线电影成人,久久亚洲国产成人亚,国产成人精品日本亚洲语音

转的:果然�?分钟配成TOMCAT使用SSL(https)

我爱�?j��ng)_�� — Mon, 12 Nov 2012 15:17:00 GMT

Setting Up SSL on Tomcat in 5 minutes (https://localhost:8443)

June 30, 2011 | By Loiane

This tutorial will walk you through how to configure SSL (https://localhost:8443 access) on Tomcat in 5 minutes.

For this tutorial you will need:

Java SDK (used version 6 for this tutorial)
Tomcat (used version 7 for this tutorial)

The set up consists in 3 basic steps:

Create a keystore file using Java
Configure Tomcat to use the keystore
Test it
(Bonus ) Configure your app to work with SSL (access through https://localhost:8443/yourApp)

1 – Creating a Keystore file using Java

Fisrt, open the terminal on your computer and type:

Windows:

cd %JAVA_HOME%/bin

Linux or Mac OS:

cd $JAVA_HOME/bin

The $JAVA_HOME on Mac is located on “/System/Library/Frameworks/JavaVM.framework/Versions/{your java version}/Home/”

You will change the current directory to the directory Java is installed on your computer. Inside the Java Home directory, cd to the bin folder. Inside the bin folder there is a file named keytool. This guy is responsible for generating the keystore file for us.

Next, type on the terminal:

keytool -genkey -alias tomcat -keyalg RSA

When you type the command above, it will ask you some questions. First, it will ask you to create a password (My password is “password“):

loiane:bin loiane$ keytool -genkey -alias tomcat -keyalg RSA Enter keystore password:  password Re-enter new password: password What is your first and last name?   [Unknown]:  Loiane Groner What is the name of your organizational unit?   [Unknown]:  home What is the name of your organization?   [Unknown]:  home What is the name of your City or Locality?   [Unknown]:  Sao Paulo What is the name of your State or Province?   [Unknown]:  SP What is the two-letter country code for this unit?   [Unknown]:  BR Is CN=Loiane Groner, OU=home, O=home, L=Sao Paulo, ST=SP, C=BR correct?   [no]:  yes  Enter key password for 	(RETURN if same as keystore password):  password Re-enter new password: password

It will create a .keystore file on your user home directory. On Windows, it will be on: C:\Documents and Settings\[username]; on Mac it will be on /Users/[username] and on Linux will be on /home/[username].

2 – Configuring Tomcat for using the keystore file – SSL config

Open your Tomcat installation directory and open the conf folder. Inside this folder, you will find the server.xml file. Open it.

Find the following declaration:

Uncomment it and modify it to look like the following:

Connector SSLEnabled="true" acceptCount="100" clientAuth="false"     disableUploadTimeout="true" enableLookups="false" maxThreads="25"     port="8443" keystoreFile="/Users/loiane/.keystore" keystorePass="password"     protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"     secure="true" sslProtocol="TLS" />

Note we add the keystoreFile, keystorePass and changed the protocol declarations.

3 – Let’s test it!

Start tomcat service and try to access https://localhost:8443. You will see Tomcat’s local home page.

Note if you try to access the default 8080 port it will be working too: http://localhost:8080

4 – BONUS - Configuring your app to work with SSL (access through https://localhost:8443/yourApp)

To force your web application to work with SSL, you simply need to add the following code to your web.xml file (before web-app tag ends):

 	 		securedapp 		/* 	 	 		CONFIDENTIAL

The url pattern is set to /* so any page/resource from your application is secure (it can be only accessed with https). The transport-guarantee tag is set to CONFIDENTIAL to make sure your app will work on SSL.

If you want to turn off the SSL, you don’t need to delete the code above from web.xml, simply changeCONFIDENTIAL to NONE.

Reference: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html (this tutorial is a little confusing, that is why I decided to write another one my own).

Happy Coding!

我爱�?j��ng)_�� 2012-11-12 23:17 发表评论

Perl与Java的SSL通信�C�Z��

我爱�?j��ng)_�� — Mon, 04 Dec 2006 07:20:00 GMT

�?a class="postTitle2" id="viewpost1_TitleUrl" href="/alwayscy/archive/2006/12/03/85161.html">用OpenSSL与JAVA(JSSE)通信一文中所生成的CA证书�?qi��ng)keystore��可以在JAVA和OpenSSL之间通信了，下面以Perl代码��Z��Q�（Perl实际使用了OpenSSL)

下面的CLIENT端可以与前文提到的JAVA服务端通信�Q?br />

#use strict;
use IO::Socket::SSL(debug4);

my ($v_mode, $sock, $buf);

if($ARGV[0] eq "DEBUG") { $IO::Socket::SSL::DEBUG = 1; }

# Check to make sure that we were not accidentally run in the wrong
# directory:
unless (-d "certs") {
    if (-d "../certs") {
    chdir "..";
    } else {
#    die "Please run this example from the IO::Socket::SSL distribution directory!\n";
    }
}

if(!($sock = IO::Socket::SSL->new( PeerAddr => '172.19.149.52',
                   PeerPort => '5555',
                   Proto    => 'tcp',
                   SSL_verify_mode => 0x01,
                   SSL_ca_file => 'mycerts/cacert.pem',
                 ))) {
    warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n";
    exit(0);
} else {
    warn "connect ($sock).\n" if ($IO::Socket::SSL::DEBUG);
}

# check server cert.
my ($subject_name, $issuer_name, $cipher);
if( ref($sock) eq "IO::Socket::SSL") {
    $subject_name = $sock->peer_certificate("subject");
    $issuer_name = $sock->peer_certificate("issuer");
    $cipher = $sock->get_cipher();
}
warn "cipher: $cipher.\n", "server cert:\n",
    "\t '$subject_name' \n\t '$issuer_name'.\n\n";

print $sock "Knock, knock.\n";

my ($buf) = $sock->getlines;

$sock->close();

print "read: '$buf'.\n";

另外�Q�也�l�出一个PERL的SVR端示例：(x��)

#use strict;
use IO::Socket::SSL(debug4);

my ($sock, $s, $v_mode);

if($ARGV[0] eq "DEBUG") { $IO::Socket::SSL::DEBUG = 1; }

# Check to make sure that we were not accidentally run in the wrong
# directory:
unless (-d "certs") {
    if (-d "../certs") {
    chdir "..";
    } else {
#    die "Please run this example from the IO::Socket::SSL distribution directory!\n";
    }
}

if(!($sock = IO::Socket::SSL->new( Listen => 5,
                   LocalAddr => '10.56.28.35',
                   LocalPort => 9000,
                   Proto     => 'tcp',
                   Reuse     => 1,
                   SSL_use_cert => 1,
                   SSL_verify_mode => 0x00,
                   SSL_cert_file => 'mycerts/cert.pem',
                   SSL_key_file => 'mycerts/key.pem'
                 )) ) {
    warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n";
    exit(0);
}
warn "socket created: $sock.\n";

while (1) {
  warn "waiting for next connection.\n";

  while(($s = $sock->accept())) {
      my ($peer_cert, $subject_name, $issuer_name, $date, $str);

      if( ! $s ) {
      warn "error: ", $sock->errstr, "\n";
      next;
      }

      warn "connection opened ($s).\n";

      if( ref($sock) eq "IO::Socket::SSL") {
      $subject_name = $s->peer_certificate("subject");
      $issuer_name = $s->peer_certificate("issuer");
      }

      warn "\t subject: '$subject_name'.\n";
      warn "\t issuer: '$issuer_name'.\n";

      my $date = localtime();
      print $s "my date command says it's: '$date'";
      close($s);
      warn "\t connection closed.\n";
  }
}

$sock->close();

warn "loop exited.\n";

在PERL中写SSL的SOCKET�Q�要注意�Q?br />SVR端中�Q?br />       SSL_use_cert => 1,
       SSL_verify_mode => 0x00,
       SSL_cert_file => 'mycerts/cert.pem',
       SSL_key_file => 'mycerts/key.pem'
CLI端是�Q?br />       SSL_verify_mode => 0x01,
       SSL_ca_file => 'mycerts/cacert.pem',
mode�?表示�Q�不认证对端�Q�是1表示要认证对斏V�?img src ="http://m.tkk7.com/alwayscy/aggbug/85368.html" width = "1" height = "1" />

我爱�?j��ng)_�� 2006-12-04 15:20 发表评论

用OpenSSL与JAVA(JSSE)通信

我爱�?j��ng)_�� — Sun, 03 Dec 2006 04:36:00 GMT

摘要: 概念 JAVA使用keystore文�g来存储所有KEY�Q�keystore文�g可以存放多个KEY�Q�访问它需要密码。下面我介绍下如何将用OpenSSL做自�{�֐�的证书一文中介绍的OpenSSL产生的KEY与JAVA的KEY转换后��用，从而达到JAVA与OpenSSL通信的目的。用OpenSSL生成CA根证书，�?P1,V1)此步骤参见用OpenSSL做自�{�֐�的证书一文在JAVA环境下生成自��q��... 阅读全文

我爱�?j��ng)_�� 2006-12-03 12:36 发表评论

我爱�?j��ng)_�� — Fri, 01 Dec 2006 07:20:00 GMT

�q�里抄录LDAP+OpenSSL集中认证配置一文的一部分�Q?br /> 公私钥：(x��)公钥可以唯一解密�U�钥加密�q�的数据�Q�反之亦然。以下用P指代公钥�Q�V指代�U�钥�?br /> SSL�q�程�Q�需要两对公�U�钥(P1,V1),(P2,V2)�Q�假��N��信双方是A和B�Q�B是服务器�Q�A要确认和它通信的是B�Q?br /> A->B: hello
B->A: 用V2加密�q�的P1�Q�即用户证书�Q�A��q��P2解密出P1�Q?br /> A->B: ok
B->A: 用V1加密的一�D�信�?br /> A->B: 用P1加密一个自动生成的K�Q�用之前的P1解密成功�q�段信息则认为B是可信的了）(j��)
B->A: 用K加密的数据（之后两对密钥功能�l�束�Q�由K来加解密数据�Q?br /> �q�里�Q�P2��是�W?方的CA证书�Q�由于非对称加密很慢�Q�所以公�U�钥只是用来保证K的传送安全，之后通信是用K的对�U�加密算法来保证�?br />
��Z��么通过以上�q�程A��p��够确定肯定是B�Q�而不是某个C在假装B了呢�Q�因��个过�E�中�Q�B用V1加密�q�一�D�信息发�l�A�Q�A也成功解开了。我们开头谈到公钥（P1�Q�只可以唯一解密�U�钥�Q�V1�Q�加密过的信息，�q�样A��可以完全相信B是拥有V1的，而V1是严��g��密，只被服务提供公司拥有�Q�所以保证了通信的服务方正确性�?br />
�q�里(P2,V2)��是certificate authority (CA)用来�l�客��L(f��ng)��名用的公�U�钥�?br /> (P1,V1)是客戯��q��公私钥，提交�l�C(j��)A�Q�CA所做的事情��是�?P2,V2)来给客户�?P1,V1)�{�֐��Q�简单吧�Q?br /> V2是CA公司要保密的�Q�而P2��是公用CA证书。用V2加密�q�（�{�֐��q�）(j��)的P1�Q�称为用戯��书，一般被安装在服务器端�?br />
下面我们OpenSSL来做�q�一整�g事情�?br />
先生成CA的公�U�钥(Root Certificate )
准备工作

mkdir CA
cd CA
mkdir newcerts private
echo '01' > serial
touch index.txt

生成配置文�g。由于openssl命��o(h��)行参数太多，所以就用文件来�l�织各种选项�?br /> 其中,req_distinguished_name 节表�C�需要提�C�用戯��入的信息�?br /> v3_ca是有关CA公私钥生成的�Q�v3_req是有关用戯��书生成的�?br /> ca_default是用CA公私钥签名的时候，用户证书的默认信息�?br />
vi ./openssl.cnf

dir = .

[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = EB Company
localityName_default = Shen Zhen
stateOrProvinceName_default = Guan Dong
countryName_default = CN

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

生成CA公私钥：(x��)

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

�?x��)提�C��入密码，当用它给用户证书�{�֐�旉��要输入，以避免其它�h用它随意产生用户证书�?br /> -days表示有效期，因�ؓ(f��)它是根证书，所以时间一定要很长�Q�否则由它生成的用户证书�Ҏ(gu��)��q�期�?br />
�q�时��q��成了�Q?br /> P1
cacert.pem
V1
private/cakey.pem

查看信息用：(x��)
openssl x509 -in cacert.pem -noout -text

生成P2,V2�Q�即Certificate Signing Request (CSR)
执行�Q?br /> openssl req -new -nodes -out req.pem -config ./openssl.cnf
�q�样��q��成了�Q?br /> P2
req.pem
V2
key.pem

用此命��o(h��)查看�Q?br /> openssl req -in req.pem -text -verify -noout

用CA的私钥V1为P2�{�֐��Q�即生成用户证书
执行�Q?br /> openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
生成用户证书�Q?br /> cert.pem
此时�Q�会(x��)拯��一份到newcerts目录下。�ƈ�?x��)更新数据库文�g�Q�index.txt以及(qi��ng)serail文�g
用命令查看：(x��)
openssl x509 -in cert.pem -noout -text -purpose | more

如果要去除可��M��息部分，执行�Q?br /> mv cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem

安装证书
key.pem(V2)和cert.pem(用V1加密�q�的P2�Q�安装到服务�?br /> 有的服务器需要把�q�两个文件连��Z��个，可以执行�Q?br /> cat key.pem cert.pem >key-cert.pem

cacert.pem安装到客��L(f��ng)��

Apache的配�|�：(x��)
File Comment
/home/httpd/html Apache DocumentRoot
/home/httpd/ssl SSL-related files
/home/httpd/ssl/cert.pem Site certificate
/home/httpd/ssl/key.pem Site private key

Stunnel的配�|?br /> stunnel -p /etc/ssl/certs/key-cert.pem

�~�辑�?8.4.26�Q�另有两个例子：(x��)
用OpenSSL与JAVA(JSSE)通信
Perl与Java的SSL通信�C�Z��

我爱�?j��ng)_�� 2006-12-01 15:20 发表评论

在windows下编译openssl

我爱�?j��ng)_�� — Sun, 26 Nov 2006 03:32:00 GMT

�~�译环境�Q?br />VS2005 Express Edition
SDK WIN SVR 2003 SP1
MASM 8.0

�q�入打开sdk�?000�~�译命��o(h��)行，再运行：(x��)
%comspec% /k ""C:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat"" x86

��d��解压目录�Q?br />cd /d "E:\Prj2\ForMe\RefExe\perl+ssl\openssl-0.9.8d"

再编译：(x��)
perl Configure VC-WIN32 --prefix=dist
ms\do_ms
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
nmake -f ms\ntdll.mak install

完成后，dist目录��是安装好的东西�Q�可以拷贝到别处使用

我爱�?j��ng)_�� 2006-11-26 11:32 发表评论