server: apache-tomcat-6.0.44 jdk1.7.0_79
client: jdk1.7.0_79

jks是JAVA的keytools证书工具支持的证书私钥格式。 pfx是微软支持的私钥格式。 cer是证书的公钥。

生成:

    keytool -genkey -alias tbb -keyalg RSA -keystore D:\cert\tbb.keystore

    模板:

     keytool -genkey -alias yushan -keypass yushan -keyalg RSA -keysize 1024 -validity 365((默认为90天)) -keystore D:\cert\tbb.keystore -storepass 123456 -dname "CN=(名字与姓氏), OU=(组织单位名称), O=(组织名称), L=(城市或区域名称), ST=(州或省份名称), C=(单位的两字母国家代码)";(中英文即可)

验证:

    keytool -selfcert -alias tbb -keystore D:\cert\tbb.keystore

导出:

    keytool -export -alias tbb -keystore D:\cert\tbb.keystore -storepass 12345678 -rfc -file D:\cert\tbb.cer

转换    cer -> jks

    keytool -import -alias mycert -file D:\cert\tbb.cer -keystore D:\cert\tbb.jks  

keystore信息的查看:

     打印证书的 MD5 指纹

    keytool -list  -v -keystore D:\cert\tbb.keystore -storepass 12345678

    可打印的编码格式输出证书

    keytool -list  -rfc -keystore D:\cert\tbb.keystore -storepass 12345678
生成客户端证书库

keytool -validity 36500 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:\cert\client.p12 -dname "CN=spring,OU=jiajianfa,O=jiajianfa,L=Wuhan,ST=HuBei,c=cn" -storepass 12345678 -keypass 12345678

从客户端证书库中导出客户端证书

keytool -export -v -alias client -keystore D:\cert\client.p12 -storetype PKCS12 -storepass 12345678 -rfc -file D:\cert\client.cer

将客户端证书导入到服务器证书库(使得服务器信任客户端证书,服务器端用此验证客户端的合法性)

keytool -import -v -alias client -file D:\cert\client.cer -keystore D:\cert\tbb.keystore -storepass 12345678

查看服务端证书中信任的客户端证书

keytool -list -keystore D:\cert\tbb.keystore  -storepass 12345678

tomcat server.xml 配置:

<!-- clientAuth  true:双向认证   false:单向认证-->

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="true" sslProtocol="TLS"  keystorePass="12345678" keystoreFile="D:\cert\tbb.keystore"

               truststoreFile="D:\cert\tbb.keystore" truststorePass="12345678"  />
<!--  配置服务端项目web.xml  在<welcome-file-list>之后增加:-->

<!-- 强制SSL配置,即普通的请求也会重定向为SSL请求 -->

    <security-constraint>

        <web-resource-collection>

            <web-resource-name>SSL</web-resource-name>

            <url-pattern>/*</url-pattern><!-- 全站使用SSL <url-pattern>/*</url-pattern>-->

        </web-resource-collection>

        <user-data-constraint>

            <description>SSL required</description>

            <!-- CONFIDENTIAL: 要保证服务器和客户端之间传输的数据不能够被修改,且不能被第三方查看到 -->

            <!-- INTEGRAL: 要保证服务器和client之间传输的数据不能够被修改 -->

            <!-- NONE: 指示容器必须能够在任一的连接上提供数据。(即用HTTP或HTTPS,由客户端来决定)-->

            <transport-guarantee>CONFIDENTIAL</transport-guarantee>

        </user-data-constraint>

    </security-constraint>

单向认证:

import java.io.BufferedReader;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.net.Authenticator;

import java.net.InetSocketAddress;

import java.net.PasswordAuthentication;

import java.net.Proxy;

import java.net.URL;

import java.util.Date;

import javax.net.ssl.HostnameVerifier;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.SSLSession;

/**

 * @Description https单向认证

 * @author sprinng

 *

 */

public class ClientSendDataSingle {

    /**

     *

     * @param sendurl 请求地址

     * @param res  返回结果

     * @param sendData 参数

     * @param timeOut  超时时间(min)

     * @param useProxy  是否使用代理

     * @param trustStorePath 证书路径

     * @param trustStorePwd 证书密码

     * @return

     * @throws Exception

     */

    public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd)throws Exception {

        System.setProperty("javax.net.ssl.trustStore", trustStorePath);

        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);

        URL url = new URL(sendurl);

        HttpsURLConnection connection = null;

        HostnameVerifier hv = new HostnameVerifier() {

            public boolean verify(String urlHostName, SSLSession session) {

                return true;

            }

        };

        System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");

        HttpsURLConnection.setDefaultHostnameVerifier(hv);

        Date current = new Date(System.currentTimeMillis());

        System.out.println("begint to open connection at " + current);

        //使用代理

        if(useProxy){

            InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));

            Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);

            Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));

            connection = (HttpsURLConnection) url.openConnection(proxy);

        }else{

            connection = (HttpsURLConnection) url.openConnection();

        }

        Date end = new Date(System.currentTimeMillis());

        System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));

        connection.setRequestProperty("Content-Type", "text/xml");

        connection.setDoOutput(true);

        connection.setDoInput(true);

        connection.setRequestMethod("POST");

        connection.setUseCaches(false);

        connection.setReadTimeout(60 * 1000 * Integer.parseInt(timeOut));

        byte data[] = sendData.getBytes();

        current = new Date(System.currentTimeMillis());

        System.out.println("[SSLIX]notifyEai,begint to write data at " + current);

        OutputStream out = connection.getOutputStream();

        out.write(data);

        end = new Date(System.currentTimeMillis());

        System.out.println("write data ok at " + end + ",cost:"  + (end.getTime() - current.getTime()));

        StringBuffer receivedData = new StringBuffer();

        current = new Date(System.currentTimeMillis());

        System.out.println("begint to read data at " + current);

        InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");

        BufferedReader aReader = new BufferedReader(inReader);

        String aLine;

        while ((aLine = aReader.readLine()) != null) {

            receivedData.append(aLine);

        }

        end = new Date(System.currentTimeMillis());

        System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));

        System.out.println("开始返回状态码");

        Integer statusCode = connection.getResponseCode();

        System.out.println("返回状态码:" + statusCode);

        aReader.close();

        connection.disconnect();

        res = receivedData.toString();

        return res;

    }

    public static class MyAuthenticator extends Authenticator {

        private String user = "";

        private String password = "";

        public MyAuthenticator(String user, String password) {

            this.user = user;

            this.password = password;

        }

        protected PasswordAuthentication getPasswordAuthentication() {

            return new PasswordAuthentication(user, password.toCharArray());

        }

    }

    public static void main(String[] args) throws Exception {

        System.out.println(ClientSendDataSingle.send("https://localhost:8443/spdbSjptServer", "", "", "5", false, "D:/cert/tbb.jks", "12345678"));

    }

}

双向认证:

import java.io.BufferedReader;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.net.Authenticator;

import java.net.InetSocketAddress;

import java.net.Proxy;

import java.net.URL;

import java.util.Date;

import javax.net.ssl.HostnameVerifier;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.SSLSession;

import com.pf.util.ClientSendDataSingle.MyAuthenticator;

/**

 *

 * @Description https双向认证

 * @author sprinng

 *

 */

public class ClientSendDataDouble {

    /**

     *

     * @param sendurl 请求地址

     * @param res  返回结果

     * @param sendData 参数

     * @param timeOut  超时时间(min)

     * @param useProxy  是否使用代理

     * @param trustStorePath 服务器证书路径

     * @param trustStorePwd 服务器证书密码

     * @param keyStore 客户端证书路径

     * @param keyStorePwd 客户端证书密码

     * @param keyStoreType 客户端证书类型      如:JKS PKCS12等

     * @return

     * @throws Exception

     */

    public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd, String keyStore, String keyStorePwd, String keyStoreType) throws Exception {

        //设置客户端证书

        System.setProperty("javax.net.ssl.keyStore", keyStore);

        System.setProperty("javax.net.ssl.keyStorePassword",keyStorePwd);

        System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);

        //设置服务器证书

        System.setProperty("javax.net.ssl.trustStore", trustStorePath);

        System.setProperty("javax.net.ssl.trustStorePassword",  trustStorePwd);

        URL url = new URL(sendurl);

        HttpsURLConnection connection = null;

        HostnameVerifier hv = new HostnameVerifier() {

            public boolean verify(String urlHostName, SSLSession session) {

                return true;

            }

        };

        System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");

        HttpsURLConnection.setDefaultHostnameVerifier(hv);

        Date current = new Date(System.currentTimeMillis());

        System.out.println("begint to open connection at " + current);

        if(useProxy){//使用代理

            InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));

            Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);

            Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));

            connection = (HttpsURLConnection) url.openConnection(proxy);

        }else{

            connection = (HttpsURLConnection) url.openConnection();

        }

        Date end = new Date(System.currentTimeMillis());

        System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));

        connection.setRequestProperty("Content-Type", "text/xml");

        connection.setDoOutput(true);

        connection.setDoInput(true);

        connection.setRequestMethod("POST");

        connection.setUseCaches(false);

        connection.setReadTimeout(30000);

        byte data[] = sendData.getBytes();

        current = new Date(System.currentTimeMillis());

        System.out.println("[SSLIX]notifyEai,begint to write data at " + current);

        OutputStream out = connection.getOutputStream();

        out.write(data);

        end = new Date(System.currentTimeMillis());

        System.out.println("write data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));

        StringBuffer receivedData = new StringBuffer();

        current = new Date(System.currentTimeMillis());

        System.out.println("begint to read data at " + current);

        InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");

        BufferedReader aReader = new BufferedReader(inReader);

        String aLine;

        while ((aLine = aReader.readLine()) != null) {

            receivedData.append(aLine);

        }

        end = new Date(System.currentTimeMillis());

        System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));

        System.out.println("开始返回状态码");

        Integer statusCode = connection.getResponseCode();

        System.out.println("返回状态码:" + statusCode);

        aReader.close();

        connection.disconnect();

        return receivedData.toString();

    }

    public static void main(String[] args) throws Exception {

        System.out.println(ClientSendDataDouble.send("https://localhost:8443/spdbSjptServer/", "", "", "5", false, "D:/cert/tbb.jks", "12345678", "D:/cert/client.p12", "12345678", "PKCS12"));

    }

}

附:

import java.io.IOException;

import java.util.Properties;

public class PropertiesUtil {

    public static final Properties properties = new Properties();

    static {

         try {

          properties.load(PropertiesUtil.class.getClassLoader().getResourceAsStream("config.properties"));

         } catch (IOException e) {

             ECommonUtil.getLog().error("初始config配置文件失败");

        }

    }

}

java https tomcat 单双认证(含证书生成和代码实现) 原创转载请备注,谢谢O(∩_∩)O的更多相关文章

  1. java实现ssl单/双向认证通信[推荐]

    java实现ssl单/双向认证通信[推荐] 学习了:https://blog.csdn.net/zbuger/article/details/51695582 学习了:https://www.cnbl ...

  2. ionic + asp.net core webapi + keycloak实现前后端用户认证和自动生成客户端代码

    概述 本文使用ionic/angular开发网页前台,asp.net core webapi开发restful service,使用keycloak保护前台页面和后台服务,并且利用open api自动 ...

  3. 一文读懂Https的安全性原理、数字证书、单项认证、双项认证等

    本文引用了作者Smily(博客:blog.csdn.net/qq_20521573)的文章内容,感谢无私分享. 1.前言 目前苹果公司已经强制iOS应用必须使用HTTPS协议开发(详见<苹果即将 ...

  4. Https、OpenSSL自建CA证书及签发证书、nginx单向认证、双向认证及使用Java访问

    0.环境 本文的相关源码位于 https://github.com/dreamingodd/CA-generation-demo 必须安装nginx,必须安装openssl,(用apt-get upd ...

  5. [转帖]nginx配置ssl加密(单/双向认证、部分https)

    nginx配置ssl加密(单/双向认证.部分https) https://segmentfault.com/a/1190000002866627   nginx下配置ssl本来是很简单的,无论是去认证 ...

  6. linux下Tomcat+OpenSSL配置单向&双向认证(自制证书)

    背景 由于ios将在2017年1月1日起强制实施ATS安全策略,所有通讯必须使用https传输,本文只针对自制证书,但目前尚不确定自制证书是否能通过appstore审核. 1.必须支持传输层安全(TL ...

  7. nginx配置ssl加密(单双向认证、部分https)

    nginx配置ssl加密(单双向认证.部分https) nginx下配置ssl本来是很简单的,无论是去认证中心买SSL安全证书还是自签署证书,但最近公司OA的一个需求,得以有个机会实际折腾一番.一开始 ...

  8. Android : 关于HTTPS、TLS/SSL认证以及客户端证书导入方法

    一.HTTPS 简介 HTTPS 全称 HTTP over TLS/SSL(TLS就是SSL的新版本3.1).TLS/SSL是在传输层上层的协议,应用层的下层,作为一个安全层而存在,翻译过来一般叫做传 ...

  9. [从零开始搭网站六]为域名申请免费SSL证书(https),并为Tomcat配置https域名所用的多SSL证书

    点击下面连接查看从零开始搭网站全系列 从零开始搭网站 由于国内的网络环境比较恶劣,运营商流量劫持的情况比较严重,一般表现为别人打开你的网站的时候会弹一些莫名其妙的广告...更过分的会跳转至别的网站. ...

随机推荐

  1. Mac Pro 编译安装 Nginx 1.8.1

    #下载相关源码包,统一放到 /usr/local/src 目录下: http://nginx.org/download/nginx-1.8.1.tar.gz http://zlib.net/zlib- ...

  2. php运行出现Call to undefined function curl_init()的解决方法

    解决方法如下: 1.在php.ini中找到extension=php_curl.dll,去掉前面的分号;,然后将php.ini拷贝到c:\windows. 2.重启IIS服务,或回收应用程序池即可.

  3. Android入门之GPS定位详解

    一.LocationManager LocationMangager,位置管理器.要想操作定位相关设备,必须先定义个LocationManager. LocationManger locationMa ...

  4. MySQL存储引擎概述

    一.MySQL支持插件式存储引擎,默认包括有多种存储引擎,还可以自己定制化引擎,引擎是在表级别设置的. 二.各种存储引擎的特性 (A) MyISAM :不支持事务.不支持外键.访问速度快. 每个MyI ...

  5. Understand:高效代码静态分析神器详解(转)

    之前用Windows系统,一直用source insight查看代码非常方便,但是年前换到mac下面,虽说很多东西都方便了,但是却没有了静态代码分析工具,很幸运,前段时间找到一款比source ins ...

  6. mac 系统通用快捷键(mac 下的应用多数会往这些标准看齐)(转:http://yang3wei.github.io/blog/2013/02/08/chen-ni-yu-mac-chen-ni-yu-xcode/)

    command + w: 关闭当前窗口 command + q: 退出程序 (Google Chrome 有点奇葩,按下之后还需要hold 那么一小会儿才能退出) command + m: 最小化当前 ...

  7. JavaScript获取onclick、onchange等事件值的代码

    这里主要是用到了getAttributeNode()这个方法,它获取的是属性节点,忽略属性和事件的差别,具体示例如下,感兴趣的朋友可以参考下哈希望对大家有所帮助 今天小菜处理下拉菜单级联问题时,想获取 ...

  8. Caffe学习系列(15):添加新层

    如何在Caffe中增加一层新的Layer呢?主要分为四步: (1)在./src/caffe/proto/caffe.proto 中增加对应layer的paramter message: (2)在./i ...

  9. (原创)在service中定时执行网络操作的几点说明

    执行网络操作是耗时操作,即便是在service中也要放到子线程中执行 这里我用到了async-http-client框架来执行异步请求操作 计时用的java原生Timer和TimerTask类 本来这 ...

  10. Python自动化之rabbitmq rpc client端代码分析(原创)

    RPC调用client端解析 import pika import uuid # 建立连接 class FibonacciRpcClient(object): def __init__(self): ...