Concepts:
SSL: Secure Sockets Layer protocol
Public and private keys: with OpenSSL the private key file also contains the public key, so the public key does not need to be generated separately.
Public-key algorithms: the ones most commonly used with certificates are RSA and DSA.
Details:
To implement mutual (two-way) SSL authentication you must configure both a web server certificate and a client certificate, and the root certificate must be correctly installed on both the server and the client. So, to set up two-way SSL, these are the things we need.
Below I go through the detailed steps one by one; there are six major steps in total:
Preparation:
Create an ssl directory, and inside it create the directories ca, client, server and jks; then change into the ssl directory.
Step 1: Generate the self-signed CA certificate
A) Create the CA private key
zhou@ubuntu:~/ssl$ openssl genrsa -out ca/ca-key.pem 2048
genrsa means generate an RSA private key
-out specifies where the generated private key is written
Many other documents online give 1024 for this parameter; I use 2048 because that is what the openssl.org site says.
It reads: The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as a smaller number of bits is considered insecure, or likely to be insecure pretty soon.
B) Generate the CA certificate request with the CA private key
zhou@ubuntu:~/ssl$ openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
req means generate a certificate request
-new, I assume, means that a new certificate request is being generated
-out specifies where the certificate request file is written
-key specifies which private key is used to generate the certificate request
After pressing Enter, the system asks you to fill in the following series of fields:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn //country
State or Province Name (full name) [Some-State]:zhejiang //province
Locality Name (eg, city) []:hangzhou //city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian //company
Organizational Unit Name (eg, section) []:CPT //department name
Common Name (eg, YOUR name) []:zhizhang //your name
Email Address []:zhouzz@lianlian.com //your email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit //password
An optional company name []:lianlian group //another name the company goes by
In theory, once the certificate request is handed to a CA, the CA issues a certificate signed by it; here we use a self-signed certificate instead.
C) Generate the self-signed CA certificate from the CA private key and the CA certificate request
zhou@ubuntu:~/ssl$ openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 1095
After pressing Enter, the system reports that the signature is OK:
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=zhizhang/emailAddress=zhouzz@lianlian.com
Getting Private key
Step 2: Generate the server certificate
A) Create the server private key
zhou@ubuntu:~/ssl$ openssl genrsa -out server/server-key.pem 2048
B) Generate the server certificate request with the server private key
zhou@ubuntu:~/ssl$ openssl req -new -out server/server-req.csr -key server/server-key.pem
After pressing Enter, the system asks you to fill in the following series of fields:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian
Organizational Unit Name (eg, section) []:CPT
Common Name (eg, YOUR name) []:localhost //this must differ from the CA certificate: it should be the server's domain name or IP address
Email Address []:zhouzz@lianlian.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:lianlian group
C) Generate the server certificate, signed by the CA, from the server private key, the server certificate request, the CA private key and the CA certificate
zhou@ubuntu:~/ssl$ openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
The system returns Signature ok:
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=localhost/emailAddress=zhouzz@lianlian.com
Getting Private key
Getting CA Private Key
D) Export the server certificate to the browser-supported .p12 format
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
After entering the command, the system asks for the export password twice: changeit
Enter Export Password:
Verifying - Enter Export Password:
Step 3: Generate the client certificate
A) Create the client private key
zhou@ubuntu:~/ssl$ openssl genrsa -out client/client-key.pem 2048
After pressing Enter it returns:
Generating RSA private key, 2048 bit long modulus
.....................................................+++
..............+++
e is 65537 (0x10001)
B) Generate the client certificate request with the client private key
zhou@ubuntu:~/ssl$ openssl req -new -out client/client-req.csr -key client/client-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lianlian
Organizational Unit Name (eg, section) []:CPT
Common Name (eg, YOUR name) []:clienthost //I am not sure exactly what to put here; I used the address of the client machine.
Email Address []:zhouzz@lianlian.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:lianlian group
C) Generate the client certificate, signed by the CA, from the client private key, the client certificate request, the CA private key and the CA certificate
zhou@ubuntu:~/ssl$ openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
The system returns Signature ok:
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=clienthost/emailAddress=zhouzz@lianlian.com
Getting Private key
Getting CA Private Key
D) Export the client certificate to the browser-supported .p12 format
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
After entering the command, the system asks for the export password twice: changeit
Enter Export Password:
Verifying - Enter Export Password:
Sometimes an alias needs to be specified; in that case add one more parameter:
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 -name client.lianlian.com
Step 4: Generate the truststore JKS file from the CA certificate (I guess the abbreviation stands for Java Key Store)
A) Generate the truststore file
zhou@ubuntu:~/ssl$ keytool -keystore jks/truststore.jks -keypass changeit -storepass lianlian.com -alias ca -import -trustcacerts -file ca/ca-cert.pem
After pressing Enter, it asks whether to trust this certificate; enter yes and the truststore is generated:
Owner: EMAILADDRESS=zhouzz@lianlian.com, CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Issuer: EMAILADDRESS=zhouzz@lianlian.com, CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Serial number: c14463d09ba37b39
Valid from: Fri Jan 29 03:33:25 PST 2010 until: Mon Jan 28 03:33:25 PST 2013
Certificate fingerprints:
MD5: D6:4A:7E:89:59:27:88:63:B5:28:2C:38:EB:44:B5:B6
SHA1: BA:26:16:C4:4B:1C:0B:65:F2:CB:CD:DB:DF:E1:D1:C3:70:55:0D:2A
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
Step 5: Configure Tomcat SSL
Tomcat 6.0 configuration:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="D:\\app\\ssl\\ssl\\server\\server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="D:\\app\\ssl\\ssl\\jks\\truststore.jks" truststorePass="lianlian.com" truststoreType="JKS"/>
Step 6: Test Tomcat SSL
Import ca-cert.pem into the browser's Trusted Root Certification Authorities store and client.p12 into the Personal store.
Visit your application at https://ip:8443/; if everything is configured correctly, a dialog asking for your digital certificate appears.
A couple more words:
If the calls are made from Java, make sure the following statements run before any communication takes place (the paths are placeholders; use forward slashes or doubled backslashes, since a single backslash is an escape character in Java string literals):
System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "lianlian.com");
System.setProperty("javax.net.ssl.keyStore", "/path/to/client.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
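The steps above (1 through 4, plus a command-line version of the step 6 test) as one script. This is an added example, not code from the original post; it assumes openssl is on the PATH (and keytool for the truststore step) and, as its header comment lists, deliberately differs from the post's commands in a few places.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-4 above driven
# non-interactively, plus the checks the post leaves to the browser.  Deliberate
# differences from the post's commands: subjects are passed with -subj; the CA
# cert carries basicConstraints CA:TRUE instead of relying on the X.509v1
# exception; server and client certs are signed with -CA/-CAkey only (the post's
# extra -signkey is redundant once -CA is given); the server cert gets a
# subjectAltName, which browsers require alongside CN=localhost; every issued
# cert is checked with 'openssl verify'.  Directory layout, names and the
# passwords changeit / lianlian.com are the post's.
set -u

# Build ca/, server/, client/ and jks/ under $1.  Returns non-zero on any failure.
make_pki() {
    root=$1
    mkdir -p "$root/ca" "$root/server" "$root/client" "$root/jks" || return 1
    subj="/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT"
    # Step 1: CA key and self-signed CA certificate, explicitly marked as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$root/ca/ca.cnf"
    openssl genrsa -out "$root/ca/ca-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$root/ca/ca-key.pem" -out "$root/ca/ca-req.csr" \
        -subj "$subj/CN=zhizhang" || return 1
    openssl x509 -req -in "$root/ca/ca-req.csr" -signkey "$root/ca/ca-key.pem" \
        -extfile "$root/ca/ca.cnf" -out "$root/ca/ca-cert.pem" -days 1095 2>/dev/null || return 1
    # Step 2: server key, CSR, CA-signed cert and the .p12 Tomcat loads as
    # keystoreFile; its export password is what keystorePass must be set to.
    printf 'subjectAltName=DNS:localhost\n' > "$root/server/san.cnf"
    openssl genrsa -out "$root/server/server-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$root/server/server-key.pem" \
        -out "$root/server/server-req.csr" -subj "$subj/CN=localhost" || return 1
    openssl x509 -req -in "$root/server/server-req.csr" -CA "$root/ca/ca-cert.pem" \
        -CAkey "$root/ca/ca-key.pem" -CAcreateserial -extfile "$root/server/san.cnf" \
        -out "$root/server/server-cert.pem" -days 1095 2>/dev/null || return 1
    openssl pkcs12 -export -clcerts -in "$root/server/server-cert.pem" \
        -inkey "$root/server/server-key.pem" -out "$root/server/server.p12" \
        -passout pass:changeit || return 1
    # Step 3: client key, CSR, CA-signed cert and .p12 for the browser or the
    # Java client.  Tomcat only checks that this cert chains to the truststore;
    # its CN is never matched against a host name, so it names a user or device.
    openssl genrsa -out "$root/client/client-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$root/client/client-key.pem" \
        -out "$root/client/client-req.csr" -subj "$subj/CN=clienthost" || return 1
    openssl x509 -req -in "$root/client/client-req.csr" -CA "$root/ca/ca-cert.pem" \
        -CAkey "$root/ca/ca-key.pem" -CAcreateserial \
        -out "$root/client/client-cert.pem" -days 1095 2>/dev/null || return 1
    openssl pkcs12 -export -clcerts -in "$root/client/client-cert.pem" \
        -inkey "$root/client/client-key.pem" -out "$root/client/client.p12" \
        -name client.lianlian.com -passout pass:changeit || return 1
    # Step 4: truststore holding only the CA cert; -noprompt answers the
    # "Trust this certificate?" question.  Skipped when keytool is not installed.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -trustcacerts -alias ca -storetype JKS \
            -file "$root/ca/ca-cert.pem" -keystore "$root/jks/truststore.jks" \
            -storepass lianlian.com >/dev/null 2>&1 || return 1
    fi
}

# Returns 0 only if both issued certs chain to the CA, the server cert carries
# the SAN, and server.p12 opens with the password Tomcat will be given (a wrong
# keystorePass is exactly the BadPaddingException reported in the first comment).
verify_chain() {
    root=$1
    openssl verify -CAfile "$root/ca/ca-cert.pem" "$root/server/server-cert.pem" \
        >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$root/ca/ca-cert.pem" "$root/client/client-cert.pem" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$root/server/server-cert.pem" -noout -text \
        | grep -q 'DNS:localhost' || return 1
    openssl pkcs12 -in "$root/server/server.p12" -passin pass:changeit -noout \
        >/dev/null 2>&1 || return 1
}

# Step 6 without a browser: a mutual-TLS handshake against the running Tomcat
# connector.  "Verify return code: 0 (ok)" means the server cert chained to
# ca-cert.pem; a handshake that completes means the server accepted the client
# cert.  Usage: tls_probe ./ssl [host] [port]
tls_probe() {
    root=$1; host=${2:-localhost}; port=${3:-8443}
    openssl s_client -connect "$host:$port" -CAfile "$root/ca/ca-cert.pem" \
        -cert "$root/client/client-cert.pem" -key "$root/client/client-key.pem" </dev/null
}

if [ "${1:-}" = "run" ]; then
    make_pki "${2:-./ssl}" && verify_chain "${2:-./ssl}" && echo "PKI ok"
fi
```

Saved to a file and started with `sh <file> run ./ssl`, it creates and verifies the four directories under ./ssl; point Tomcat's keystoreFile and truststoreFile at the resulting server.p12 and truststore.jks.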
Comments
#4
yonghuming121
2012-07-05
Hello, I followed your steps one by one and got this exception:
2012-7-5 14:51:24 org.springframework.context.support.AbstractApplicationContext prepareRefresh 信息: Refreshing org.springframework.context.support.ClassPathXmlApplicationContext@1608e05: startup date [Thu Jul 05 14:51:24 CST 2012]; root of context hierarchy 2012-7-5 14:51:25 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions 信息: Loading XML bean definitions from class path resource [beanRefClient.xml] 2012-7-5 14:51:25 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons 信息: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@4e280c: defining beans [surveyServiceClient.proxyFactory,surveyServiceClient]; root of factory hierarchy 2012-7-5 14:51:25 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass 信息: Creating Service {http://cxf.ws/}ISurveyServiceService from class ws.cxf.ISurveyService 2012-7-5 14:51:26 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging 警告: Interceptor for {http://cxf.ws/}ISurveyServiceService#{http://cxf.ws/}vote has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message. 
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) at $Proxy31.vote(Unknown Source) at ws.cxf.client.SurveyServiceClient.main(SurveyServiceClient.java:36) Caused by: java.net.SocketException: SocketException invoking https://localhost:8443/WSDemo/SurveyWebService: Software caused connection abort: recv failed at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1458) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1443) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:659) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ... 
9 more Caused by: java.net.SocketException: Software caused connection abort: recv failed at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(Unknown Source) at com.sun.net.ssl.internal.ssl.InputRecord.readFully(Unknown Source) at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(Unknown Source) at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1395) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1337) at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42) at 
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1415) ... 12 more Exception in thread "main" javax.xml.ws.WebServiceException: Could not send Message. at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) at $Proxy31.vote(Unknown Source) at ws.cxf.client.SurveyServiceClient.main(SurveyServiceClient.java:36) Caused by: java.net.SocketException: SocketException invoking https://localhost:8443/WSDemo/SurveyWebService: Software caused connection abort: recv failed at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1458) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1443) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:659) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134) ... 
2 more Caused by: java.net.SocketException: Software caused connection abort: recv failed at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(Unknown Source) at com.sun.net.ssl.internal.ssl.InputRecord.readFully(Unknown Source) at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(Unknown Source) at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1395) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1337) at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42) at 
org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1415) ... 12 more
#3
canofy
2010-06-01
OK, the problem is solved, thanks.
It was because I got the password wrong in the Tomcat configuration~~
Thanks.
#2
atit
2010-05-12
In step 2 D) (export the server certificate to the browser-supported .p12 format), you may not have entered a password.
#1
canofy
2010-05-11
I followed the steps above one by one in Tomcat 6, but when starting Tomcat the following exception appears. Have you ever run into this kind of problem?
严重: Failed to load keystore type PKCS12 with path server.p12 due to failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1277) at java.security.KeyStore.load(KeyStore.java:1185) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:340) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:444) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:409) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125) at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496) at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176) at org.apache.catalina.connector.Connector.initialize(Connector.java:1058) at org.apache.catalina.core.StandardService.initialize(StandardService.java:677) at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795) at org.apache.catalina.startup.Catalina.load(Catalina.java:530) at org.apache.catalina.startup.Catalina.load(Catalina.java:550) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412) Caused by: javax.crypto.BadPaddingException: Given final block not properly padded at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..) 
at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..) at com.sun.crypto.provider.PKCS12PBECipherCore.b(DashoA13*..) at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40.engineDoFinal(DashoA13*..) at javax.crypto.Cipher.doFinal(DashoA13*..) at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1274) ... 19 more