SpringDM Notes 30 - Using SSL/TLS in OSGi
    SSL: Secure Sockets Layer
    TLS: Transport Layer Security
1. Configuring SSL in Tomcat
    server.xml file:
    <Server port="8005" shutdown="SHUTDOWN">
        <Service name="Catalina">
            <Connector port="8080"/>
            <!-- HTTPS connector: no keystore location or password is declared here,
                 so Tomcat's defaults apply (see the note on changeit in step 2) -->
            <Connector port="8443" minProcessors="5" maxProcessors="75"
                       enableLookups="true" disableUploadTimeout="true"
                       acceptCount="100" debug="0" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS"/>

            <Engine name="Catalina" defaultHost="localhost">
                <Host name="localhost" unpackWARs="false" autoDeploy="false"
                      liveDeploy="false" deployOnStartup="false"
                      xmlValidation="false" xmlNamespaceAware="false"/>
            </Engine>
        </Service>
    </Server>
2. Create a JKS keystore with keytool, the utility shipped with the JDK (in its bin directory)
    Command: keytool -genkey -alias tomcat -keyalg RSA
    Session:
    [web@localhost ~]$ keytool -genkey -alias tomcat -keyalg RSA
    Enter keystore password:  changeit
    What is your first and last name?
    [Unknown]:  Daniel Rubio
    What is the name of your organizational unit?
    [Unknown]:  Editorial
    What is the name of your organization?
    [Unknown]:  Apress
    What is the name of your City or Locality?
    [Unknown]:  Berkeley
    What is the name of your State or Province?
    [Unknown]:  CA
    What is the two-letter country code for this unit?
    [Unknown]:  US
    Is CN=Daniel Rubio, OU=Unknown, O=Apress, L=Berkley, ST=CA, C=US correct?
    [no]:  yes
    Enter key password for <tomcat>
            (RETURN if same as keystore password):  changeit
    [web@localhost ~]$
    This command produces a binary file named tomcat.keystore in the current working directory; the file must be
    placed in the web container's root directory. In VTS the config directory already contains a keystore file by
    default; changeit is the default password Tomcat uses to open the JKS keystore.

    Building a keystore from a certificate issued by a commercial certificate authority:
    openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat \
        -CAfile myCA.crt -caname root -chain
3. Dependencies for Tomcat SSL
    In Tomcat 5 the lib directory contains tomcat-util.jar, which must be wrapped as an OSGi bundle:
    java -jar bnd-0.0.249.jar wrap -output tomcat-util-osgi.jar tomcat-util.jar
4. Create the SSL configuration fragment
    Directory layout:
    TomcatSSLFragment
        META-INF
            MANIFEST.MF
        conf
            server.xml
    server.xml is the file shown above; MANIFEST.MF contains:
    Bundle-Version: 1.0
    Bundle-SymbolicName: com.apress.springosgi.ch8.ssl
    Fragment-Host: org.springframework.osgi.catalina.start.osgi
    Bundle-Name: HelloWorld Spring-OSGi SSL Certificate Configuration
    Bundle-Vendor: Pro Spring-OSGi
    Bundle-ManifestVersion: 2
5. Access URL
    https://localhost:8443/
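Before pointing a browser at that URL, it is worth checking what the connector in step 1 actually relies on: it declares neither keystoreFile nor keystorePass, so Tomcat falls back to ~/.keystore and the well-known password changeit mentioned in step 2. The script below is an added example (not from the notes or from the Pro Spring-OSGi book) that parses a connector configuration and reports such findings; the sample XML is a constructed, trimmed copy of the server.xml above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the TLS connector from the server.xml above, plus the
# plain-HTTP connector on 8080, trimmed to the attributes that matter here.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080"/>
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

# Tomcat's fallbacks when keystoreFile / keystorePass are not declared.
DEFAULT_KEYSTORE_FILE = "~/.keystore"
DEFAULT_KEYSTORE_PASS = "changeit"


def audit_connectors(xml_text):
    """Map each Connector's port to a list of review findings.

    A connector counts as TLS-enabled when it sets secure="true" or
    scheme="https"; anything else is flagged as plaintext so the reviewer
    can confirm it is intentional (e.g. an HTTP listener that redirects).
    """
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        secure = conn.get("secure", "false").lower() == "true"
        https = conn.get("scheme", "http").lower() == "https"
        if not (secure or https):
            report[port] = ["plaintext connector"]
            continue
        findings = []
        if secure != https:
            findings.append("scheme and secure attributes disagree")
        if conn.get("sslProtocol", "TLS").upper() != "TLS":
            findings.append("sslProtocol is not TLS")
        if "keystoreFile" not in conn.attrib:
            findings.append("keystoreFile unset, defaults to " + DEFAULT_KEYSTORE_FILE)
        if conn.get("keystorePass", DEFAULT_KEYSTORE_PASS) == DEFAULT_KEYSTORE_PASS:
            findings.append("keystore password is the well-known default")
        if conn.get("clientAuth", "false").lower() != "true":
            findings.append("clientAuth not required: mutual TLS is off")
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["ok"])
```

Run against the page's connector it reports the implicit keystore path and default password on 8443 and the plaintext listener on 8080; a connector that sets keystoreFile, a non-default keystorePass and clientAuth="true" comes back clean.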