server: apache-tomcat-6.0.44 jdk1.7.0_79
client: jdk1.7.0_79

jks是JAVA的keytools证书工具支持的证书私钥格式。 pfx是微软支持的私钥格式。 cer是证书的公钥。

生成:

    keytool -genkey -alias tbb -keyalg RSA -keystore D:\cert\tbb.keystore

    模板:

     keytool -genkey -alias yushan -keypass yushan -keyalg RSA -keysize 1024 -validity 365((默认为90天)) -keystore D:\cert\tbb.keystore -storepass 123456 -dname "CN=(名字与姓氏), OU=(组织单位名称), O=(组织名称), L=(城市或区域名称), ST=(州或省份名称), C=(单位的两字母国家代码)";(中英文即可)

验证:

    keytool -selfcert -alias tbb -keystore D:\cert\tbb.keystore

导出:

    keytool -export -alias tbb -keystore D:\cert\tbb.keystore -storepass 12345678 -rfc -file D:\cert\tbb.cer

转换    cer -> jks

    keytool -import -alias mycert -file D:\cert\tbb.cer -keystore D:\cert\tbb.jks  

keystore信息的查看:

     打印证书的 MD5 指纹

    keytool -list  -v -keystore D:\cert\tbb.keystore -storepass 12345678

    可打印的编码格式输出证书

    keytool -list  -rfc -keystore D:\cert\tbb.keystore -storepass 12345678
生成客户端证书库

keytool -validity 36500 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:\cert\client.p12 -dname "CN=spring,OU=jiajianfa,O=jiajianfa,L=Wuhan,ST=HuBei,c=cn" -storepass 12345678 -keypass 12345678

从客户端证书库中导出客户端证书

keytool -export -v -alias client -keystore D:\cert\client.p12 -storetype PKCS12 -storepass 12345678 -rfc -file D:\cert\client.cer

将客户端证书导入到服务器证书库(使得服务器信任客户端证书,服务器端用此验证客户端的合法性)

keytool -import -v -alias client -file D:\cert\client.cer -keystore D:\cert\tbb.keystore -storepass 12345678

查看服务端证书中信任的客户端证书

keytool -list -keystore D:\cert\tbb.keystore  -storepass 12345678

tomcat server.xml 配置:

<!-- clientAuth  true:双向认证   false:单向认证-->

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="true" sslProtocol="TLS"  keystorePass="12345678" keystoreFile="D:\cert\tbb.keystore"

               truststoreFile="D:\cert\tbb.keystore" truststorePass="12345678"  />
<!--  配置服务端项目web.xml  在<welcome-file-list>之后增加:-->

<!-- 强制SSL配置,即普通的请求也会重定向为SSL请求 -->

    <security-constraint>

        <web-resource-collection>

            <web-resource-name>SSL</web-resource-name>

            <url-pattern>/*</url-pattern><!-- 全站使用SSL <url-pattern>/*</url-pattern>-->

        </web-resource-collection>

        <user-data-constraint>

            <description>SSL required</description>

            <!-- CONFIDENTIAL: 要保证服务器和客户端之间传输的数据不能够被修改,且不能被第三方查看到 -->

            <!-- INTEGRAL: 要保证服务器和client之间传输的数据不能够被修改 -->

            <!-- NONE: 指示容器必须能够在任一的连接上提供数据。(即用HTTP或HTTPS,由客户端来决定)-->

            <transport-guarantee>CONFIDENTIAL</transport-guarantee>

        </user-data-constraint>

    </security-constraint>

单向认证:

import java.io.BufferedReader;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.net.Authenticator;

import java.net.InetSocketAddress;

import java.net.PasswordAuthentication;

import java.net.Proxy;

import java.net.URL;

import java.util.Date;

import javax.net.ssl.HostnameVerifier;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.SSLSession;

/**

 * @Description https单向认证

 * @author sprinng

 *

 */

public class ClientSendDataSingle {

    /**

     *

     * @param sendurl 请求地址

     * @param res  返回结果

     * @param sendData 参数

     * @param timeOut  超时时间(min)

     * @param useProxy  是否使用代理

     * @param trustStorePath 证书路径

     * @param trustStorePwd 证书密码

     * @return

     * @throws Exception

     */

    public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd)throws Exception {

        System.setProperty("javax.net.ssl.trustStore", trustStorePath);

        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);

        URL url = new URL(sendurl);

        HttpsURLConnection connection = null;

        HostnameVerifier hv = new HostnameVerifier() {

            public boolean verify(String urlHostName, SSLSession session) {

                return true;

            }

        };

        System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");

        HttpsURLConnection.setDefaultHostnameVerifier(hv);

        Date current = new Date(System.currentTimeMillis());

        System.out.println("begint to open connection at " + current);

        //使用代理

        if(useProxy){

            InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));

            Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);

            Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));

            connection = (HttpsURLConnection) url.openConnection(proxy);

        }else{

            connection = (HttpsURLConnection) url.openConnection();

        }

        Date end = new Date(System.currentTimeMillis());

        System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));

        connection.setRequestProperty("Content-Type", "text/xml");

        connection.setDoOutput(true);

        connection.setDoInput(true);

        connection.setRequestMethod("POST");

        connection.setUseCaches(false);

        connection.setReadTimeout(60 * 1000 * Integer.parseInt(timeOut));

        byte data[] = sendData.getBytes();

        current = new Date(System.currentTimeMillis());

        System.out.println("[SSLIX]notifyEai,begint to write data at " + current);

        OutputStream out = connection.getOutputStream();

        out.write(data);

        end = new Date(System.currentTimeMillis());

        System.out.println("write data ok at " + end + ",cost:"  + (end.getTime() - current.getTime()));

        StringBuffer receivedData = new StringBuffer();

        current = new Date(System.currentTimeMillis());

        System.out.println("begint to read data at " + current);

        InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");

        BufferedReader aReader = new BufferedReader(inReader);

        String aLine;

        while ((aLine = aReader.readLine()) != null) {

            receivedData.append(aLine);

        }

        end = new Date(System.currentTimeMillis());

        System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));

        System.out.println("开始返回状态码");

        Integer statusCode = connection.getResponseCode();

        System.out.println("返回状态码:" + statusCode);

        aReader.close();

        connection.disconnect();

        res = receivedData.toString();

        return res;

    }

    public static class MyAuthenticator extends Authenticator {

        private String user = "";

        private String password = "";

        public MyAuthenticator(String user, String password) {

            this.user = user;

            this.password = password;

        }

        protected PasswordAuthentication getPasswordAuthentication() {

            return new PasswordAuthentication(user, password.toCharArray());

        }

    }

    public static void main(String[] args) throws Exception {

        System.out.println(ClientSendDataSingle.send("https://localhost:8443/spdbSjptServer", "", "", "5", false, "D:/cert/tbb.jks", "12345678"));

    }

}

双向认证:

import java.io.BufferedReader;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.net.Authenticator;

import java.net.InetSocketAddress;

import java.net.Proxy;

import java.net.URL;

import java.util.Date;

import javax.net.ssl.HostnameVerifier;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.SSLSession;

import com.pf.util.ClientSendDataSingle.MyAuthenticator;

/**

 *

 * @Description https双向认证

 * @author sprinng

 *

 */

public class ClientSendDataDouble {

    /**

     *

     * @param sendurl 请求地址

     * @param res  返回结果

     * @param sendData 参数

     * @param timeOut  超时时间(min)

     * @param useProxy  是否使用代理

     * @param trustStorePath 服务器证书路径

     * @param trustStorePwd 服务器证书密码

     * @param keyStore 客户端证书路径

     * @param keyStorePwd 客户端证书密码

     * @param keyStoreType 客户端证书类型      如:JKS PKCS12等

     * @return

     * @throws Exception

     */

    public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd, String keyStore, String keyStorePwd, String keyStoreType) throws Exception {

        //设置客户端证书

        System.setProperty("javax.net.ssl.keyStore", keyStore);

        System.setProperty("javax.net.ssl.keyStorePassword",keyStorePwd);

        System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);

        //设置服务器证书

        System.setProperty("javax.net.ssl.trustStore", trustStorePath);

        System.setProperty("javax.net.ssl.trustStorePassword",  trustStorePwd);

        URL url = new URL(sendurl);

        HttpsURLConnection connection = null;

        HostnameVerifier hv = new HostnameVerifier() {

            public boolean verify(String urlHostName, SSLSession session) {

                return true;

            }

        };

        System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");

        HttpsURLConnection.setDefaultHostnameVerifier(hv);

        Date current = new Date(System.currentTimeMillis());

        System.out.println("begint to open connection at " + current);

        if(useProxy){//使用代理

            InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));

            Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);

            Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));

            connection = (HttpsURLConnection) url.openConnection(proxy);

        }else{

            connection = (HttpsURLConnection) url.openConnection();

        }

        Date end = new Date(System.currentTimeMillis());

        System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));

        connection.setRequestProperty("Content-Type", "text/xml");

        connection.setDoOutput(true);

        connection.setDoInput(true);

        connection.setRequestMethod("POST");

        connection.setUseCaches(false);

        connection.setReadTimeout(30000);

        byte data[] = sendData.getBytes();

        current = new Date(System.currentTimeMillis());

        System.out.println("[SSLIX]notifyEai,begint to write data at " + current);

        OutputStream out = connection.getOutputStream();

        out.write(data);

        end = new Date(System.currentTimeMillis());

        System.out.println("write data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));

        StringBuffer receivedData = new StringBuffer();

        current = new Date(System.currentTimeMillis());

        System.out.println("begint to read data at " + current);

        InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");

        BufferedReader aReader = new BufferedReader(inReader);

        String aLine;

        while ((aLine = aReader.readLine()) != null) {

            receivedData.append(aLine);

        }

        end = new Date(System.currentTimeMillis());

        System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));

        System.out.println("开始返回状态码");

        Integer statusCode = connection.getResponseCode();

        System.out.println("返回状态码:" + statusCode);

        aReader.close();

        connection.disconnect();

        return receivedData.toString();

    }

    public static void main(String[] args) throws Exception {

        System.out.println(ClientSendDataDouble.send("https://localhost:8443/spdbSjptServer/", "", "", "5", false, "D:/cert/tbb.jks", "12345678", "D:/cert/client.p12", "12345678", "PKCS12"));

    }

}

附:

import java.io.IOException;

import java.util.Properties;

public class PropertiesUtil {

    public static final Properties properties = new Properties();

    static {

         try {

          properties.load(PropertiesUtil.class.getClassLoader().getResourceAsStream("config.properties"));

         } catch (IOException e) {

             ECommonUtil.getLog().error("初始config配置文件失败");

        }

    }

}

java https tomcat 单双认证(含证书生成和代码实现) 原创转载请备注,谢谢O(∩_∩)O的更多相关文章

  1. java实现ssl单/双向认证通信[推荐]

    java实现ssl单/双向认证通信[推荐] 学习了:https://blog.csdn.net/zbuger/article/details/51695582 学习了:https://www.cnbl ...

  2. ionic + asp.net core webapi + keycloak实现前后端用户认证和自动生成客户端代码

    概述 本文使用ionic/angular开发网页前台,asp.net core webapi开发restful service,使用keycloak保护前台页面和后台服务,并且利用open api自动 ...

  3. 一文读懂Https的安全性原理、数字证书、单项认证、双项认证等

    本文引用了作者Smily(博客:blog.csdn.net/qq_20521573)的文章内容,感谢无私分享. 1.前言 目前苹果公司已经强制iOS应用必须使用HTTPS协议开发(详见<苹果即将 ...

  4. Https、OpenSSL自建CA证书及签发证书、nginx单向认证、双向认证及使用Java访问

    0.环境 本文的相关源码位于 https://github.com/dreamingodd/CA-generation-demo 必须安装nginx,必须安装openssl,(用apt-get upd ...

  5. [转帖]nginx配置ssl加密(单/双向认证、部分https)

    nginx配置ssl加密(单/双向认证.部分https) https://segmentfault.com/a/1190000002866627   nginx下配置ssl本来是很简单的,无论是去认证 ...

  6. linux下Tomcat+OpenSSL配置单向&双向认证(自制证书)

    背景 由于ios将在2017年1月1日起强制实施ATS安全策略,所有通讯必须使用https传输,本文只针对自制证书,但目前尚不确定自制证书是否能通过appstore审核. 1.必须支持传输层安全(TL ...

  7. nginx配置ssl加密(单双向认证、部分https)

    nginx配置ssl加密(单双向认证.部分https) nginx下配置ssl本来是很简单的,无论是去认证中心买SSL安全证书还是自签署证书,但最近公司OA的一个需求,得以有个机会实际折腾一番.一开始 ...

  8. Android : 关于HTTPS、TLS/SSL认证以及客户端证书导入方法

    一.HTTPS 简介 HTTPS 全称 HTTP over TLS/SSL(TLS就是SSL的新版本3.1).TLS/SSL是在传输层上层的协议,应用层的下层,作为一个安全层而存在,翻译过来一般叫做传 ...

  9. [从零开始搭网站六]为域名申请免费SSL证书(https),并为Tomcat配置https域名所用的多SSL证书

    点击下面连接查看从零开始搭网站全系列 从零开始搭网站 由于国内的网络环境比较恶劣,运营商流量劫持的情况比较严重,一般表现为别人打开你的网站的时候会弹一些莫名其妙的广告...更过分的会跳转至别的网站. ...

随机推荐

  1. Ubuntu 12 编译安装 PHP 5.4 及 问题汇总

    参考先前的文章:Ubuntu 14 编译安装 PHP 5.4.45 + Nginx 1.4.7 + MySQL 5.6.26 笔记 安装过程: ############################ ...

  2. Go - 内置函数大全

    Package builtin import "builtin" Overview Index Overview ▾ Package builtin provides docume ...

  3. sja1000芯片can驱动程序

    应用层使用socketCan的方法:http://pan.baidu.com/s/1ntsvbb7#path=%252Floongson1%252Ftools%252Fcan 功能:对can驱动程序的 ...

  4. Android 如何在Eclipse中查看Android API源码 及 support包源码

    当我们阅读android API开发文档时候,上面的每个类,以及类的各个方法都是已经写好的方法和控件,可是我们只是在搬来使用,不知道它的原理,它是如何被实现的.android系统是开源的,所以谷歌官方 ...

  5. 给dos命令“.bat”文件换图标

    最近客户有个需求:给企业建立一个FTP服务器,并且给不同的部门分配不同的目录和管理权限. 这个好实现!直接安装serv-u,进行一番设置,搞定! 不过客户嫌登陆FTP操作麻烦,输入ip,输入账号什么的 ...

  6. 二分图------》Hopcroft-Karp算法 hdu2389

    Hopcroft-Karp算法 该算法由John.E.Hopcroft和Richard M.Karp于1973提出,故称Hopcroft-Karp算法. 原理 为了降低时间复杂度,可以在增广匹配集合M ...

  7. python 内置速度最快算法(堆排)

    import random import time from heapq import heappush, heappop def heapsort(iterable): h = [] for val ...

  8. ndk学习9: 动态使用共享库

    动态使用共享库函数 dll_main      环境介绍 续上节代码 目录结构:   android.mk如下: LOCAL_PATH := $(call my-dir) include $(CLEA ...

  9. Eclipse J2EE LUNA 部署tomcat

  10. JavaScript Coding 模式荟萃

    1.自运行的匿名函数 <script type="text/javascript" src="./js/jquery-1.7.2.js"></ ...