webservice安全之数字证书验证
本例采用openssl工具生成证书,应用服务器采用Jboss,利用cxf实现webservice。
首先安装java环境和openssl工具,opeenssl下载地址:
http://www.openssl.org/source/openssl-1.0.0.tar.gz.
然后进入openssl的bin目录下。
注:最好在安装linux环境下,在window环境下可能会出现问题。
在openssl的bin目录下创建文件夹:
mkdir root ---存放根证书目录
cd root
mkdir server ---存放服务端证书
mkdir client ---存放客户端证书
cd ..
创建根证书
创建私钥
openssl genrsa –out root/root-key.pem 1024
创建证书请求openssl req -new -out root/root-req.csr -key root/root-key.pem -subj/C=CN/ST=GuangDong/L=GuangZhou/O="Huashetianzu Technologies Co.Ltd."/OU="Huashetianzu EOMS System Team"/OU="Copyright (c)1998-2008 Huashetianzu Technologies Co. Ltd."/CN="Huashetianzu EOMSRoot Authority"/emailAddress=Huashetianzu@126.com
自签署根证书openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkeyroot/root-key.pem -days 3650
导出证书将根证书导出成浏览器可导入的PKCS12格式
openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkeyroot/root-key.pem -out root/root-id.p12
注:此处要输入密码,记下这个密码,以后的配置中会用到这个密码。
创建服务端证书创建私钥openssl genrsa -out root/server/temip-key.pem 1024
创建证书请求openssl req -new -out root/server/temip-req.csr -keyroot/server/temip-key.pem -subj /C=CN/ST=GuangDong/L=GuangZhou/O="HuashetianzuTechnologies Co. Ltd."/OU="Huashetianzu EOMS SystemTeam"/OU="Copyright (c) 1998-2008 Huashetianzu Technologies Co.Ltd."/CN=82.208.35.148/emailAddress=caoguowei.rt@Huashetianzu.com
注:cn如果是本机应该填写localhost,如果是网站则填写域名。
签署服务器端证书openssl x509 -req -in root/server/temip-req.csr -outroot/server/temip-cert.pem -CA root/root-cert.pem -CAkey root/root-key.pem-CAcreateserial -days 3650
导出证书将服务器端证书导出成浏览器可导入的PKCS12格式
openssl pkcs12 -export -clcerts -inroot/server/temip-cert.pem -inkey root/server/temip-key.pem -outroot/server/temip-id.p12
注:此处要输入密码,记下这个密码,以后的配置中会用到这个密码。
将证书导入到JKS文件中keytool -import -v -trustcacerts -storepass changeit -alias temip -fileroot/server/temip-cert.pem -keystore root/server/temip-id.jks
注:输入“y”,然后回车。
创建客户端证书首先创建根证书签发的客户端证书颁发机构的二级证书,再以此二级证书来签发客户端证书
二级证书制作 创建私钥openssl genrsa -out root/client/eomsca-key.pem 1024
创建证书请求openssl req -new -out root/client/eomsca-req.csr -keyroot/client/eomsca-key.pem -subj /C=CN/ST=GuangDong/L=GuangZhou/O="HuashetianzuTechnologies Co. Ltd."/OU="Huashetianzu EOMS SystemTeam"/OU="Copyright (c) 1998-2008 Huashetianzu Technologies Co.Ltd."/CN="Huashetianzu EOMS Secure ServerAuthority"/emailAddress=emip@gd.chinamobile.com -reqexts v3_req
自签署客户端证书openssl x509 -req -in root/client/eomsca-req.csr -outroot/client/eomsca-cert.pem -signkey root/client/eomsca-key.pem -CAroot/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
导出证书
将客户端证书导出成浏览器可导入的PKCS12格式
openssl pkcs12 -export -clcerts -in root/client/eomsca-cert.pem-inkey root/client/eomsca-key.pem -out root/client/eomsca-id.p12
注:此处要输入密码,记下这个密码,以后的配置中会用到这个密码。
将证书导入到JKS文件中keytool -import -v -trustcacerts -storepass changeit -alias eomsca -fileroot/client/eomsca-cert.pem -keystore root/client/eomsca-id.jks
注:输入“y”,然后回车。
客户端证书创建客户端证书,并自用根证书签署
创建私钥openssl genrsa -out root/client/hw_Huashetianzu-key.pem 1024
创建证书请求openssl req -new -out root/client/hw_Huashetianzu-req.csr -keyroot/client/hw_Huashetianzu-key.pem -subj/C=CN/ST=GuangDong/L=GuangZhou/O="Huashetianzu Technologies Co.Ltd."/OU="Huashetianzu EOMS System Team"/OU="Copyright (c)1998-2008 Huashetianzu Technologies Co.Ltd."/CN=localhost/emailAddress=emip@gd.chinamobile.com
二级证书签署客户端证书openssl x509 -req -in root/client/hw_Huashetianzu-req.csr-out root/client/hw_Huashetianzu-cert.pem -signkey root/client/hw_Huashetianzu-key.pem-CA root/client/eomsca-cert.pem -CAkey root/client/eomsca-key.pem-CAcreateserial -days 3650
导出证书将客户端证书导出成浏览器可导入的PKCS12格式
openssl pkcs12 -export -clcerts -in root/client/hw_Huashetianzu-cert.pem-inkey root/client/hw_Huashetianzu-key.pem -out root/client/hw_Huashetianzu-id.p12
注:此处要输入密码,记下这个密码,以后的配置中会用到这个密码。
将证书导入到JKS文件中keytool -import -v -trustcacerts -storepass changeit-alias client -file root/client/hw_Huashetianzu-cert.pem -keystoreroot/client/hw_Huashetianzu-id.jks
注:输入“y”,然后回车。
CXFhttps双向配置服务端配置首先把刚才生成的server文件夹下的temip-id.p12文件和client文件夹下的eomsca-id.p12文件拷贝到Jboss的安装目server/default/conf下。然后修改Jboss安装目录下的server\default\deploy\jboss-web.deployer下的server.xml文件,打开server.xml文件,去掉大约在30-40行的注释,修改成如下的内容:
<Connector port="8443" address="0.0.0.0"protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"scheme="https" secure="true clientAuth="true"sslProtocol="TLS" keystoreFile="conf/temip-id.p12"
keystoreType="PKCS12"keystorePass="服务器端证书的密码"truststoreFile="conf/eomsca-id.p12" truststoreType="PKCS12"truststorePass="客户端证书的密码"/>
注:clientAuth="true" 表示https采用的双向认证,即服务端需要验证客户端,客户端也需要验证服务端。clientAuth=”false”;表示单向认证。如果采用双向认证,还需要把服务器端的证书导入到你所使用的jre路径中,完整命令如下:keytool -import -file temip-cert.pem -keystore %java_home%/jre/lib/security/cacerts 此时,会让你输入keystore的密码,默认密码是“changeit”。
把client文件夹下的hw_Huashetianzu-id.p12证书导入浏览器,在浏览器中输入:https://服务器端ip:8443进行访问。
客户端配置采用代码式
// 创建WebService服务工厂JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();// 注册WebService接口 factory.setServiceClass(CIPB2BServiceAssuranceWorkForceClientManagementPortType.class);String wsdlAdder = getRemeySA_URL(); // 发布接口 factory.setAddress(wsdlAdder);SAAJInInterceptor saajInInterceptor = new SAAJInInterceptor(); List interceptors = new ArrayList(); interceptors.add(saajInInterceptor); factory.setInInterceptors(interceptors);SAAJOutInterceptor saajOutInterceptor = new SAAJOutInterceptor(); List outerceptorList = new ArrayList(); outerceptorList.add(saajOutInterceptor); factory.setOutInterceptors(outerceptorList);CIPB2BServiceAssuranceWorkForceClientManagementPortType cipb2bServiceProvisioningWorkForceClientManagementPortType = (CIPB2BServiceAssuranceWorkForceClientManagementPortType) factory.create();Client proxy = ClientProxy.getClient(cipb2bServiceProvisioningWorkForceClientManagementPortType);HTTPConduit conduit = (HTTPConduit) proxy.getConduit();TLSClientParameters tlsParams = conduit.getTlsClientParameters();if (tlsParams == null){ tlsParams = new TLSClientParameters();}tlsParams.setTrustManagers(getTrustManagers());tlsParams.setKeyManagers(getKeyManagers());tlsParams.setDisableCNCheck(true);tlsParams.setSecureSocketProtocol("SSL");conduit.setTlsClientParameters(tlsParams);private static KeyManager[] getKeyManagers(){InputStream is = null;try{ // 获取默认的 X509算法 String alg = KeyManagerFactory.getDefaultAlgorithm(); // 创建密钥管理工厂 KeyManagerFactory factory = KeyManagerFactory.getInstance(alg); File certFile = new File(KEYMANAGER_PATH); if (!certFile.exists() || !certFile.isFile()) { return null; } is = new FileInputStream(certFile); // 构建以证书相应格式的证书仓库 KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE); // 加载证书 ks.load(is, KEYMANAGER_PASSWORD.toCharArray()); factory.init(ks, KEYMANAGER_PASSWORD.toCharArray()); KeyManager[] keyms = factory.getKeyManagers(); return keyms; } catch (Exception e) { logger.error("getKeyManagers faiure", e); } finally { if (is != null) { try { is.close(); } catch (IOException e) { logger.error("close failure", e); } } } return null; } private static TrustManager[] getTrustManagers() { // 读取证书仓库输入流 InputStream is = null; try { // 信任仓库的默认算法X509 String alg = TrustManagerFactory.getDefaultAlgorithm(); // 获取信任仓库工厂 TrustManagerFactory factory = TrustManagerFactory.getInstance(alg); // 读取信任仓库 is = new FileInputStream(new File(TRUSTMANAGER_PATH)); // 密钥类型 KeyStore ks = KeyStore.getInstance(TRUSTORE_TYPE); // 加载密钥 ks.load(is, TRUSTMANGER_PASSWORD.toCharArray()); factory.init(ks); TrustManager[] tms = factory.getTrustManagers(); return tms; } catch (Exception e) { logger.error("getTrustManagers failure", e); } finally { if (is != null) { try { is.close(); } catch (IOException e) { logger.error("close Io failure", e); } } } return null; }
<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"xmlns:context="http://www.springframework.org/schema/context"xmlns:jaxws="http://cxf.apache.org/jaxws"xmlns:jaxrs="http://cxf.apache.org/jaxrs"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:tx="http://www.springframework.org/schema/tx"xmlns:soap="http://cxf.apache.org/bindings/soap" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration"xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsdhttp://www.springframework.org/schema/contexthttp://www.springframework.org/schema/context/spring-context-3.0.xsdhttp://cxf.apache.org/jaxwshttp://cxf.apache.org/schemas/jaxws.xsdhttp://cxf.apache.org/jaxrshttp://cxf.apache.org/schemas/jaxrs.xsdhttp://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsdhttp://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsdhttp://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd"><import resource="classpath:META-INF/cxf/cxf.xml" /><import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" /><import resource="classpath:META-INF/cxf/cxf-servlet.xml" /><context:component-scan base-package="com.test" /><!-- webserice接收客户端,address为服务器webservice接口地址 --><jaxws:client id="userService"address="https://10.78.194.92:8443/webserviceserver/service/user" serviceClass="com.test.UserService"/><http:conduit name="*.http-conduit"><http:tlsClientParameters disableCNCheck="true"> <!-- keyPassword客户端证书密码,file为客户端证书位置 --><sec:keyManagers keyPassword="123456789"><sec:keyStore type="PKCS12" password="123456789"file="C:\\Users\\ckf55689\\Desktop\\root\\client\\hw_Huashetianzu-id.p12" /></sec:keyManagers><sec:cipherSuitesFilter><sec:include>.*_EXPORT_.*</sec:include><sec:include>.*_EXPORT1024_.*</sec:include><sec:include>.*_WITH_DES_.*</sec:include><sec:include>.*_WITH_NULL_.*</sec:include><sec:exclude>.*_DH_anon_.*</sec:exclude></sec:cipherSuitesFilter></http:tlsClientParameters></http:conduit></beans>