Tomcat 中配置SSL

介绍

SSL和TLS是用户网络通信安全的加密协议。允许客户端和服务器之间通过安全链接通信。

SSL协议的特性：

1. 保密：通过SSL链接传输的数据时加密的
2. 鉴别：通信双方的身份鉴别，这时可选的，通常是一方需要验证（服务端）
3. 完整性：传输数据的完整性检查

配置SSL

Tomcat提供两种方式部署SSL：一种是JSSE，另一种是APR（使用OPENSSL引擎）。前者适用于BIO、NIO、NIO2链接器（8.5版本后，NIO和NIO2支持OPENSSL以适应HTTP/2.0），后者使用APR链接器。在配置的时候最好使用Connector的Protocol属性指定链接器的类名，而不是使用协议名（如HTTP/1.1），否则，Tomcat会自动按照本地配置构造Connector，这样会导致SSL不可用。

1、生成秘钥

Tomcat支持的秘钥有JKS、PKCS11、PKCS12。JKS是Java标准的秘钥库格式，使用keytool命令创建，位于$JAVA_HOME/binx下，创建方法如下：

① Windows系统：

keytool -genkey -alias tomcat -keyalg RSA -keystore C:certmykey.keystore

② Linux操作系统：

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# mkdir cert
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Tomcat
What is the name of your organizational unit?
  [Unknown]:  Apache
What is the name of your organization?
  [Unknown]:  Apache
What is the name of your City or Locality?
  [Unknown]:  Beijing
What is the name of your State or Province?
  [Unknown]:  Beijing
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct?
  [no]:  Y

Enter key password for <tomcat>
    (RETURN if same as keystore password):  (按回车)

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -destkeystore /opt/softwares/apache-tomcat-8.5.57/cert/mykey.keystore -deststoretype pkcs12".

2、部署

将生成的秘钥复制到$CATALINA_BASE/conf下，修改server.xml，如下：

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# cp cert/mykey.keystore $CATALINA_BASE/conf/
[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" schema="https" secure="true" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig certificateVerification="false" >
            <Certificate certificateKeystoreFile="conf/mykey.keystore"
                         certificateKeystorePassword="mnbvcxzaA0."
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

port为SSL链接器端口，如果修改为其他端口，要保证和HTTP链接器的redirectPort属性一致。

8.5版本之前的配置如下：

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" schema="https" secure="true" SSLEnabled="true" 
               KeystoreFile="conf/mykey.keystore"
               KeystorePass="mnbvcxzaA0."
               clientAuth="false"  sslProtocol="TLS" />

配置多证书（8.5版本以前）

<Connector 
       port="8443" maxThreads="200" address="10.0.0.1"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore1.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>
<Connector 
       port="8443" maxThreads="200" address="10.0.0.2"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore2.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>

3、访问测试

 可以看到证书信息

 使用openssl命令创建秘钥

测试环境可以使用，生产环境需要向有资质的签发机构（CA）提交证书请求文件，CA返回数字证书

生成根秘钥

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out rootkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................+++++
..................................+++++
e is 65537 (0x010001)

创建根证书（用来签发服务器端请求文件）

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -x509 -new -key rootkey.pem -out root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat  
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:183041251@126.com

创建服务器秘钥

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl genrsa -out serverkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..........................................+++++
e is 65537 (0x010001)

创建服务器端证书请求文件

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl req -new -key  serverkey.pem -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:183041251@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tomcat
An optional company name []:Tomcat

用根证书签发服务器端请求文件，生成服务器端证书

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 365 -out server.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = Apache, OU = Tomcat, CN = Tomcat, emailAddress = 183041251@126.com
Getting CA Private Key

将证书导出为pkcs12格式

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12

Enter Export Password:                              # 自己设置一个导出密码即可

Verifying - Enter Export Password: 

生成服务器端秘钥库

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12
Importing keystore server.pkcs12 to mykey.keystore...
Enter destination keystore password:                              ## 输入之前创建的秘钥库mykey.keystore的密码即可 
Re-enter new password: 
Enter source keystore password:                                   ## 输入上一步设置的源秘钥库密码 
Entry for alias 1 successfully imported. 
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled 

Warning: 
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".

查看秘钥库包含的证书信息

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# keytool -list -v -keystore mykey.keystore
Enter keystore password:                            ## 输入秘钥库密码
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Sep 12, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Issuer: EMAILADDRESS=183041251@126.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Serial number: 25100e367ff3f3117f90489ad91605bc08080222
Valid from: Sat Sep 12 18:06:53 CST 2020 until: Sun Sep 12 18:06:53 CST 2021
Certificate fingerprints:
     MD5:  E7:F4:B6:EE:18:26:FC:92:18:4B:66:EA:DE:9A:20:72
     SHA1: 40:D9:E2:15:B6:03:5D:B4:56:38:23:3F:95:B9:35:64:F6:02:B7:80
     SHA256: 6E:33:84:44:82:A0:46:B7:D4:49:35:56:74:89:8A:C2:4A:05:95:66:D5:98:D8:2A:0E:01:5E:3D:45:83:5E:B9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".

将秘钥库文件部署到tomcat中，就可以访问了（注意，不能是APR链接器）

APR链接器配置SSL

配置监听器

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" 
            SSLEngine="on" SSLRandomSeed="builtin" useAprConnector="true" />

APR的证书必须使用OpenSSL，生成方式见上面的操作（只生成自签证书，无需导入秘钥库）。然后添加SSL链接器配置，如下：

[root@iZzm446eh1ux98Z apache-tomcat-8.5.57]# vim conf/server.xml 
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" schema="https" secure="true" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig >
                <Certificate certificateKeyFile="${catalina.base}/conf/serverkey.pem"
                             certificateFile="${catalina.base}/conf/server.crt"
                             type="RSA" />
        </SSLHostConfig>
    </Connector>

certificateKeyFile：用于配置服务器端秘钥

certificateFile：用于配置服务器端证书