使用Tomcat的密钥库在Tomcat中进行SSL客户端调用 [英] Make SSL client call in Tomcat using Tomcat's keystore
问题描述
我有一个在Tomcat中运行的Web应用程序,正在对另一个系统进行Web服务调用.我需要使用SSL和客户端身份验证来确保此调用的安全.我托管的Tomcat已经正确配置了特定于环境的信任库和密钥库,因此我需要使用这些存储库来保护自己的调用.这就是我被困住的地方.
I have a web app running in Tomcat that is making a web service call to another system. I need to secure this call with SSL and client authentication. The Tomcat I'm hosted in is already properly configured with a truststore and keystore specific to the environment, so I need to use those stores to secure my own call. This is where I'm stuck.
如何找到配置了Tomcat的密钥库和信任库以进行自己的SSL调用?还是更好,使用这些值生成正确配置的SSLContext或SSLSocketFactory?
How can I locate the keystore and truststore that Tomcat is configured with to make my own SSL call? Or better, generate a properly configured SSLContext or SSLSocketFactory with those values?
我尝试过的事情:
-
我尝试依赖于SSLContext.getDefault().这似乎没有设置.
I tried relying on the SSLContext.getDefault(). That doesn't appear to be set.
我尝试依赖于系统属性:
I tried relying on System properties:
System.getProperty("javax.net.ssl.trustStore");
System.getProperty("javax.net.ssl.trustStorePassword");
System.getProperty("javax.net.ssl.trustStoreType");
System.getProperty( "javax.net.ssl.keyStore");
System.getProperty( "javax.net.ssl.keyStorePassword");
System.getProperty("javax.net.ssl.keyStoreType");
但这似乎是一种脆弱的解决方案,因为不必为Tomcat配置系统属性.在其中一种测试环境中,设置了信任存储信息,但未设置密钥存储变量.它们是在Tomcat的server.xml中定义的.
But this appears to be a brittle solution as Tomcat doesn't have to be configured with system properties. In one of the test environments, the trust store information is set, but the keystore variables aren't. They're defined in Tomcat's server.xml.
有什么简单的方法可以使我忽略吗?
Is there some simple way to do this that I'm overlooking?
已更新:
这个问题很相似,其中一个答案指出SSL可以由OpenSSL \ APR处理,因此这里的任何解决方案都将在很大程度上取决于Tomcat的配置方式.假设使用JSSE,解决方案似乎是:
This question is similar and one of the answers points out that SSL could be handled by OpenSSL\APR, so any solution here will depend heavily on the way Tomcat is configured. Assuming JSSE, the solutions appear to be:
- 确保通过系统属性配置Tomcat.
- 使商店位于服务器上的预定义位置.
- 打包您在战争中的商店副本.
对于上面的前两个,您必须确保安全策略允许访问这些文件.
For the first two above, you'd have to ensure the security policy allows access to those files.
这些真的是我想要做的最佳实践吗?
Are these really the best practices for what I'm trying to do?
推荐答案
我认为,除其他外,您还会混淆入站和出站SSL连接. Server.xml包含入站SSL设置.
I think amongst other things you're confusing inbound and outbound SSL connectivity. Server.xml contains inbound SSL settings.
在Java中使用出站SSL时,应在Tomcat的启动中显式设置javax.net.ssl.trustStore *和javax.net.ssl.keyStore *.请记住,默认情况下,除非您编写自己的密钥管理器,否则密钥库只能包含一个私钥.
When using outbound SSL in Java, javax.net.ssl.trustStore* and javax.net.ssl.keyStore* should be explicitly set in Tomcat's startup. Remember, by default the keystore can only contain one private key unless you code your own keymanager.
大多数众所周知的Web服务库都使用标准HTTP库,这些标准HTTP库使用HTTPConnection/HTTPSConnection或Jakatta HTTPClient,并且如果服务器请求,它将显示来自密钥库的客户端证书.您不需要创建自己的SSLContext.
Most well known webservice libraries use standard HTTP libraries which use HTTPConnection/HTTPSConnection or Jakatta HTTPClient and will present a client cert from the keystore if requested by the server. You shouldn't need to create your own SSLContext.
如果您要终止入站Web服务调用,那么如果需要,我将使用具有SSL和客户端身份验证的Apache HTTP Server.
If you're terminating inbound Webservice calls then I would use Apache HTTP Server with SSL and client auth if required.
为清楚起见进行javax.net.ssl.keyStore指定的密钥库可以包含一个以上的私钥/证书对,但是除非您编写自己的KeyManager,否则您将无法使用其他私钥/证书.在Tomcat中终止入站SSL连接时,这可能是一个问题-您将需要一个私钥/证书用于外部入站连接,并需要另一个私钥/证书用于出站连接.
Edit for clarity: The keystore specified by javax.net.ssl.keyStore can contain more that one private key/cert pair, but you will not be able to use the additional private keys/cert UNLESS you write your own KeyManager. This can be a problem when you're terminating inbound SSL connections in Tomcat - you will need a private key/cert for external inbound connections and another private key/cert for outbound connections.
这篇关于使用Tomcat的密钥库在Tomcat中进行SSL客户端调用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
