[trino] Generating a self-signed certificate for Trino

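Note: the certificate's subjectAltName (here subjectAltName=DNS:it.xiaomi.com, IP:192.168.100.100) must contain it.xiaomi.com, the hostname used in the JDBC URL.
Otherwise the connection fails with the error: SSLPeerUnverifiedException: *** not verified.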

# 1. CA key
openssl genrsa -des3 -out selfca.key 2048
# Enter pass phrase for selfca.key:trino-ts

# Create ca root certificate...
openssl req -new -x509 -days 3650 -key selfca.key -subj "/C=CN/ST=Beijing/L=ChaoYang/O=xiaomi/OU=IT/CN=CA" -out selfca.crt
# Enter pass phrase(password) for selfca.key:trino-ts

# Create server key and certificate signing request
# (-newkey below generates server.key; do not regenerate selfca.key here, or it will no longer match selfca.crt)
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=Beijing/L=ChaoYang/O=xiaomi/OU=IT/CN=it.xiaomi.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:it.xiaomi.com, IP:192.168.100.100") -days 3650 -in server.csr -CA selfca.crt -CAkey selfca.key -CAcreateserial -out server.crt

# Generate the PEM file (private key followed by certificate)
cat server.key server.crt > server.pem

# Verify the certificates
openssl x509 -in selfca.crt -subject -issuer -noout
# subject=C = CN, ST = Beijing, L = ChaoYang, O = xiaomi, OU = IT, CN = CA
# issuer=C = CN, ST = Beijing, L = ChaoYang, O = xiaomi, OU = IT, CN = CA

openssl x509 -in server.pem -subject -issuer -noout 
# subject=C = CN, ST = Beijing, L = ChaoYang, O = xiaomi, OU = IT, CN = it.xiaomi.com
# issuer=C = CN, ST = Beijing, L = ChaoYang, O = xiaomi, OU = IT, CN = CA


openssl verify -CAfile selfca.crt server.crt
# server.crt: OK

# Show the subjectAltName stored in the crt file
openssl x509 -in server.crt -ext subjectAltName -noout
# DNS:it.xiaomi.com, IP:192.168.100.100
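
The checks above can be combined into one pre-deployment gate that fails when the SAN lacks the client's hostname, the condition the note at the top ties to SSLPeerUnverifiedException. This is an added example, not part of the original post: the function names are hypothetical, and the demo certificates are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: pre-deployment checks for the server certificate built above.

# Print the SAN entries of certificate $1, one per line, e.g. "DNS:it.xiaomi.com".
san_entries() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Succeed only if the SAN holds an exact dNSName entry for host $2.
# The subject CN is deliberately ignored; wildcard entries are not handled.
san_has_dns() {
    san_entries "$1" | grep -Fxq "DNS:$2"
}

# check_server_cert CA_CERT SERVER_CERT HOSTNAME
check_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not chain to $1"; return 1; }
    san_has_dns "$2" "$3" ||
        { echo "FAIL: SAN of $2 lacks DNS:$3"; return 1; }
    echo "OK: $2 chains to $1 and is valid for $3"
}

# Constructed sample input: a throwaway CA and two server certificates from
# the same CSR, one with the page's SAN and one with no SAN at all.
make_demo_certs() {
    subj="/C=CN/ST=Beijing/L=ChaoYang/O=xiaomi/OU=IT"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj/CN=CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "$subj/CN=it.xiaomi.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:it.xiaomi.com, IP:192.168.100.100\n' > "$1/san.ext"
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/san.ext" -out "$1/with_san.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/no_san.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_certs "$demo_dir"
check_server_cert "$demo_dir/ca.crt" "$demo_dir/with_san.crt" it.xiaomi.com
check_server_cert "$demo_dir/ca.crt" "$demo_dir/no_san.crt" it.xiaomi.com || true
```

Against the files from this page the call would be check_server_cert selfca.crt server.crt it.xiaomi.com.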

Copy server.pem to the trino/etc directory.

Test the JDBC connection:
The test is written in Kotlin.

import org.junit.jupiter.api.Test
import java.sql.DriverManager
import java.util.Properties

class TrinoJdbcTest {

    @Test
    fun fistHead() {
        println("hello")
    }

    @Test
    fun trinoJDBC() {
        val url = "jdbc:trino://it.xiaomi.com:443/hive"
        val props = Properties()
        props.put("user", "myuser")
        props.put("password", "123456")
        props.put("SSL", "true")
        // (1) No verification (disables certificate and hostname checks)
        // props.put("SSLVerification","NONE") // SSL must still be set to true!

        // (2) Trust the self-signed CA certificate directly
        // props.put("SSLTrustStorePath","D:\\projects\\trino-jdbc-test\\src\\test\\resources\\selfca.crt")

        // (3) Use the JVM cacerts truststore, after importing the self-signed CA into it
        // keytool -import -v -trustcacerts -alias trino-ts -file D:\projects\trino-jdbc-test\src\test\resources\selfca.crt -storepass changeit -keystore D:\xxx\jdk22.0.2\lib\security\cacerts
        // The truststore password must be provided; the JVM default is "changeit"
        // props.put("SSLTrustStorePath","D:\\xxx\\jdk22.0.2\\lib\\security\\cacerts")
        // props.put("SSLTrustStorePassword","changeit")


        // Optional client key store
        // openssl pkcs12 -export -out workspace-client.p12 -inkey workspace-client.key -in workspace-client.crt -passout pass:trino-client
        // props.put("SSLKeyStorePath","D:\\projects\\trino-jdbc-test\\src\\test\\resources\\workspace-client.pem") // failed
        // props.put("SSLKeyStorePath","D:\\projects\\trino-jdbc-test\\src\\test\\resources\\workspace-client.p12")
        // props.put("SSLKeyStorePassword","trino-client")
        // maybe use SSLUseSystemKeyStore
        // props.put("SSLUseSystemTrustStore","true")


        Class.forName("io.trino.jdbc.TrinoDriver")
        // Close the connection, statement and result set once the query is done
        DriverManager.getConnection(url, props).use { conn ->
            conn.createStatement().use { stmt ->
                stmt.executeQuery("show catalogs").use { query ->
                    while (query.next()) {
                        val db = query.getString(1)
                        println(db)
                    }
                }
            }
        }
    }
}