The following configurations are based on Windows systems and this software:
- apache_2.0.59-win32-x86-no_ssl
- j2sdk-1_4_2_12
- jce_policy-1_4_2 (Unlimited Strength Java(TM) Cryptography Extension Policy Files) (optional)
- platform816_win32 (WebLogic)
- Win32OpenSSL-0_9_8d
About jce_policy:
With jce_policy-1_4_2, the length of the keys you generate with Keytool is unlimited. If you need to generate keys longer than 1024 bits and you are outside the US or Canada, you will need this policy file, which can be found at the same place as the JDK download at java.sun.com.
When configuring SSL for WebLogic, if you choose Trust as Java Standard Trust, you will need to copy the policy files to %BEA_HOME%/jdk142_11/jre/lib/security/, if you use Sun sdk for your WebLogic Server, or %BEA_HOME%/jrockit81sp6_142_10/jre/lib/security/, if you use JRockit sdk for your WebLogic Server.
2. Getting Private Keys and Certificates Prepared
2.1. Certificate Types
- PEM
Base64-encoded; Apache can only read certificates in this format.
- DER
The default type for most browsers; when you export a certificate from a Java keystore, the exported certificate is stored in this format.
- PKCS#12
Used as the client certificate; it contains the private key and the certificate of the client user, and also the certificate of the CA that signed the client user's CSR (Certificate Signing Request).
2.2. Tools
- Keytool
Contained in the JDK; it supports operations on trusted certificate entries, but does not support operations on key entries other than generating new keys.
- Openssl
While installing OpenSSL, ssleay32.dll and libeay32.dll are copied to the system32 directory, which is important because they are what gets your Apache HTTP Server working with SSL.
- WebLogic Utils
Contained in %BEA_HOME%/weblogic81/server/lib/weblogic.jar. Several classes in its utils package may be useful, such as CertGen, der2pem, ImportPrivateKey and pem2der. (BEA also wrote some of these class names with a lowercase initial, which does not look very professional.)
- Write Your Own Tool
If you need to extract a private key from a keystore, you can do something like this in your tool class:
    import java.io.*;
    import java.security.*;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.util.Enumeration;
    import sun.misc.BASE64Encoder;
    // ...

    public void extractingPrivateKey(String inKeyStore, String alias, String password, String keyOutFile) {
        FileInputStream in = null;
        FileOutputStream out = null;
        try {
            KeyStore keystore = KeyStore.getInstance("JKS");
            char[] pass = password.toCharArray();
            BASE64Encoder encoder = new BASE64Encoder();
            File certificateFile = new File(inKeyStore);
            in = new FileInputStream(certificateFile);
            keystore.load(in, pass);

            // Get private key
            Key key = keystore.getKey(alias, pass);
            if (key instanceof PrivateKey) {
                // Get certificate
                Certificate cert = keystore.getCertificate(alias);
                // Get public key
                PublicKey publicKey = cert.getPublicKey();
                // Get a key pair
                KeyPair kp = new KeyPair(publicKey, (PrivateKey) key);
                PrivateKey privateKey = kp.getPrivate();
                // getEncoded() returns PKCS#8 DER, which is what the "PRIVATE KEY" PEM label means;
                // BASE64Encoder wraps the output at 76 columns, as PEM expects
                String encodedKey = encoder.encode(privateKey.getEncoded());

                out = new FileOutputStream(keyOutFile);
                out.write("-----BEGIN PRIVATE KEY-----".getBytes());
                out.write('\n');   // was '/n', which is not a valid Java char literal
                out.write(encodedKey.getBytes());
                out.write('\n');
                out.write("-----END PRIVATE KEY-----".getBytes());
                out.write('\n');
            }
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (UnrecoverableKeyException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // close the streams so the key file is flushed and no handle is leaked
            try { if (in != null) in.close(); } catch (IOException e) { e.printStackTrace(); }
            try { if (out != null) out.close(); } catch (IOException e) { e.printStackTrace(); }
        }
    }
2.3. Generate Keys and Certificates
Suppose you put your keys and certificates in c:/cert/, as
- CA
c:/cert/ca.key
c:/cert/ca.crt
- Server
c:/cert/localhost.key
c:/cert/localhost.crt (make sure to specify the Common Name to be your domain, e.g. eclab.whu.edu.cn)
- Client
c:/cert/client.key
c:/cert/client.crt
c:/cert/client.p12
2.4. A few frequently used SSL commands
- Openssl
Generate a new private key and matching Certificate Signing Request
    openssl req -out key.csr -pubkey -new -keyout key.key
Generate a certificate signing request for an existing private key
    openssl req -out csr.csr -key key.key -new
Create a self-signed certificate
    openssl req -x509 -new -out crt.crt -keyout key.key -days 365
Sign a Certificate Signing Request
    openssl x509 -req -in csr.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.crt -days 365
Convert DER to PEM
    openssl x509 -inform der -in cert.der -out cert.crt
- Keytool
Generate a private key and an initial self-signed certificate as a JKS Keystore
    keytool -genkey -keyalg RSA -alias alias -keystore keystore.jks -storepass password -validity 360
Generate a Certificate Signing Request for a key in a JKS Keystore
    keytool -certreq -v -alias alias -keystore keystore.jks -storepass password -file csr.csr
Import a certificate into a JKS Keystore
    keytool -import -keystore keystore.jks -storepass password -file crt.crt
List the certificates inside a keystore
    keytool -list -v -keystore keystore.jks
Show information about a certificate
    keytool -printcert -v -file crt.crt
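Before pointing Apache at the files from 2.3, it is worth checking that client.p12 really chains to ca.crt and that the key inside it matches the client certificate, which is exactly what Apache will demand later under SSLVerifyClient require. The following Java program is an added example, not part of the original post or of the WebLogic utilities; the paths, the key-store password "changeit" and the RSA assumption (keytool -keyalg RSA) are placeholders you adjust to your own setup.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

// Checks client.p12 against ca.crt the way Apache will under "SSLVerifyClient require":
// the client cert must be signed by ca.crt, both certs must be within their validity
// period, and the private key inside the PKCS#12 must belong to the client cert.
// File paths and the password are placeholders (assumed c:/cert/ layout from section 2.3).
public class CheckClientCert {
    static X509Certificate loadCert(String path) throws Exception {
        InputStream in = new FileInputStream(path);   // PEM and DER both parse here
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally { in.close(); }
    }

    public static void main(String[] args) throws Exception {
        String caFile  = args.length > 0 ? args[0] : "c:/cert/ca.crt";
        String p12File = args.length > 1 ? args[1] : "c:/cert/client.p12";
        char[] pass    = (args.length > 2 ? args[2] : "changeit").toCharArray(); // placeholder
        X509Certificate ca = loadCert(caFile);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(p12File);
        try { ks.load(in, pass); } finally { in.close(); }
        // "openssl pkcs12 -export" writes a single key entry; use the first one found.
        String alias = null;
        for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
            String a = (String) e.nextElement();
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("no key entry in " + p12File);
        X509Certificate client = (X509Certificate) ks.getCertificate(alias);
        Key key = ks.getKey(alias, pass);   // openssl uses one password for file and key
        client.verify(ca.getPublicKey());   // SignatureException if not signed by ca.crt
        ca.checkValidity();                 // CertificateExpired/NotYetValidException otherwise
        client.checkValidity();
        if (!(key instanceof RSAPrivateKey) || !(client.getPublicKey() instanceof RSAPublicKey))
            throw new IllegalStateException("expected RSA keys (keytool -keyalg RSA)");
        if (!((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) client.getPublicKey()).getModulus()))
            throw new IllegalStateException("private key does not match " + client.getSubjectX500Principal());
        System.out.println("OK: " + client.getSubjectX500Principal() + " is signed by " + ca.getSubjectX500Principal());
    }
}
```

Run it as java CheckClientCert c:/cert/ca.crt c:/cert/client.p12 yourpassword; any exception names the exact mismatch that would otherwise surface only as a handshake failure in ssl_error_log.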
3. Configuring Two-Way SSL for Apache HTTP Server
To configure Apache, you will need to:
- Edit the httpd.conf file to load the SSL module:
    LoadModule ssl_module modules/mod_ssl.so
- Add an ssl.conf file to the directory where the httpd.conf file is located. The ssl.conf file contains:
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLMutex default
    <VirtualHost _default_:443>
        DocumentRoot "E:/webapp/webroot/"
        ServerName localhost:443
        ServerAdmin orctom@gmail.com
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        SSLEngine on
        SSLCertificateFile C:/cert/localhost.crt
        SSLCertificateKeyFile C:/cert/localhost.key
        SSLCACertificateFile C:/cert/ca.crt
        #SSLCARevocationFile C:/cert/ca.crl
        SSLVerifyClient require
        SSLVerifyDepth 10
    </VirtualHost>
While configuring your Apache HTTP Server you may need to debug the SSL setup; you can use OpenSSL for this:
    openssl s_client -connect localhost:443
And you can start the Apache HTTP Server from command-line, so that error messages will be shown if the server is configured with error.
4. Configuring One-Way SSL for WebLogic Server
In WebLogic Server Console:
Server --> Configuration --> Keystores and SSL. Click the Change... link in the Keystore Configuration to configure a new keystore. Here I chose Custom Identity and Java Standard Trust. --> Continue --> Define attributes for the Identity Keystore --> Define attributes for the Trust Keystore --> Continue --> Finish --> Reboot WebLogic Server.
Although you can configure Two-Way SSL for your WebLogic Server, One-Way SSL is what is used between the Apache HTTP Server and the WebLogic Server (the Apache HTTP Server Plug-In does not support Two-Way SSL), so you cannot, and do not need to, use Two-Way SSL between the Apache HTTP Server and the WebLogic Server to make the Apache HTTP Server pass clients' certificates on to the WebLogic Server.
5. Configuring the Apache HTTP Server Plug-In
- Copy mod_wl128_20.so from %BEA_HOME%/weblogic81/server/bin/ to %APACHE_HOME%/modules/
WLS 8.1.2 and below do not support 128-bit SSL, and WLS 8.1.3 (with license) does not support unlimited cryptography strength, so you should choose at least WLS 8.1.4, but I haven't tried WLS 8.1.4 and WLS 8.1.5 yet.
- Edit the ssl.conf file as:
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLMutex default
    <VirtualHost _default_:443>
        DocumentRoot "E:/webapp/webroot/"
        ServerName localhost:443
        ServerAdmin orctom@gmail.com
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        <IfModule mod_weblogic.c>
            WebLogicHost localhost
            WebLogicPort 7002
            SecureProxy ON
            TrustedCAFile "C:/cert/ca.crt"
            MatchExpression *.jsp
            MatchExpression *.html
            MatchExpression *.htm
            MatchExpression *.do
            MatchExpression *.js
            MatchExpression *.css
            MatchExpression *.png
            MatchExpression *.jpg
            MatchExpression *.gif
            MatchExpression /auth
        </IfModule>
        SSLEngine on
        SSLCertificateFile C:/cert/localhost.crt
        SSLCertificateKeyFile C:/cert/localhost.key
        SSLCACertificateFile C:/cert/ca.crt
        #SSLCARevocationFile C:/cert/ca.crl
        SSLVerifyClient require
        SSLVerifyDepth 10
    </VirtualHost>
Set up a demo Web App as
Webroot/Index.jsp
Webroot/ssl/index.jsp
Webroot/WEB-INF/web.xml
Webroot/WEB-INF/weblogic.xml
web.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>test</web-resource-name>
                <description>test</description>
                <url-pattern>/ssl/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                <description>This web demands SSL</description>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>CLIENT-CERT</auth-method>
        </login-config>
    </web-app>
weblogic.xml:
    <!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 8.1//EN" "http://www.bea.com/servers/wls810/dtd/weblogic810-web-jar.dtd">
    <weblogic-web-app>
        <context-root>/auth</context-root>
    </weblogic-web-app>
Deploy the demo war to your WebLogic Server, then visit https://localhost/auth/ and https://localhost/auth/ssl/ with a browser, both with and without the client certificate installed, to see whether the configuration works.
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
http://e-docs.bea.com/wls/docs81/index.html