HSM usage with Apache Tomcat for HTTPS


Problem description

My HSM (Hardware Security Module) stores (or allows the use of) a private key; however, it does not support PKCS#11 or similar methods. In turn, Apache Tomcat can work with certificates and keys either via JKS, via PKCS#11, or programmatically. My goal is to enable HTTPS support on a web server, but I see no way to achieve that with changes to configuration files only.

I imagine an option where I could store the certificate in a JKS and get the private key associated with it via the HSM vendor's API. For that purpose, if I am right, I will need to re-implement JSSEImplementation and the corresponding factories. I will also need to implement specific Key and Trust Managers.

Is that the only way to solve such a problem?

Is it safe to replace JSSEImplementation in a running standalone instance of Apache Tomcat, for instance, right after it has started?

Recommended answer

Finally, I came up with only the solution below, based on this example. I add a <Connector> instance to the Tomcat configuration with the sslImplementationName property pointing to the custom JSSEImplementation class name, and extend JSSEImplementation with custom JSSESocketFactory and X509KeyManager classes.

The Tomcat configuration looks like:

<Connector
       protocol="org.apache.coyote.http11.Http11Protocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       clientAuth="true" sslProtocol="TLS"
       sslImplementationName="x.y.z.CustomJSSEImplementation"
       keyAlias="alias_of_key_in_HSM_and_cert_in_JKS"
/>

The CustomJSSEImplementation class is:

import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.ServerSocketFactory;
import org.apache.tomcat.util.net.jsse.JSSEImplementation;

public class CustomJSSEImplementation extends JSSEImplementation {
   // Both methods hand out the same factory object: in the Tomcat 7 API
   // JSSESocketFactory implements ServerSocketFactory as well as SSLUtil.
   @Override
   public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint) {
      return new CustomSslContextSocketFactory(endpoint);
   }

   @Override
   public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {
      return new CustomSslContextSocketFactory(endpoint);
   }
}

The CustomSslContextSocketFactory class is:

import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.jsse.JSSESocketFactory;

public class CustomSslContextSocketFactory extends JSSESocketFactory {

    // Set from application code; while it is still null the stock JKS-based
    // key managers are used, so the connector starts even before the HSM hook is installed.
    public static final AtomicReference<CustomSslContext> customSslContext =
        new AtomicReference<CustomSslContext>();

    public CustomSslContextSocketFactory(AbstractEndpoint endpoint) {
        super(endpoint);
    }

    @Override
    public KeyManager[] getKeyManagers() throws Exception {
        // Read the reference once so the null check and the call see the same value
        CustomSslContext ctx = customSslContext.get();
        return (ctx == null ? super.getKeyManagers() : ctx.getKeyManagers(this));
    }
}

The CustomSslContext interface is:

import javax.net.ssl.KeyManager;
import org.apache.tomcat.util.net.jsse.JSSESocketFactory;

interface CustomSslContext {
    KeyManager[] getKeyManagers(JSSESocketFactory factory) throws Exception;
}

HsmKeyManagerImpl, which references the private key in the HSM by the keyAlias property, looks like:

import java.security.PrivateKey;
import javax.net.ssl.X509KeyManager;

public class HsmKeyManagerImpl implements X509KeyManager {
    ...   // remaining X509KeyManager methods omitted by the author

    @Override
    public PrivateKey getPrivateKey(String alias) {
        // HSM Vendor specific API calls
    }
}

I didn't show the code that obtains the certificate corresponding to the private key, but the same alias defined by the keyAlias property of the <Connector> is used to get it from the JKS.
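The parts the answer leaves out (the remaining X509KeyManager callbacks and the JKS lookup of the certificate under the same alias), as an added example that is not the poster's code: JksCertHsmKeyManager and HsmPrivateKeyProvider are hypothetical names, the latter standing in for the vendor API, and the JKS path and password are assumed to be passed in from wherever the connector's settings are read.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

/** Server-side X509KeyManager: certificate chain read from a JKS, private key fetched from an HSM. */
public class JksCertHsmKeyManager implements X509KeyManager {
    /** Hypothetical adapter around the vendor's HSM API; not a real library. */
    public interface HsmPrivateKeyProvider { PrivateKey privateKeyFor(String alias); }
    private final String alias;
    private final X509Certificate[] chain;
    private final HsmPrivateKeyProvider hsm;

    public JksCertHsmKeyManager(String jksPath, char[] storePassword, String alias,
                                HsmPrivateKeyProvider hsm) throws Exception {
        this.alias = alias; this.hsm = hsm;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) { ks.load(in, storePassword); }
        // A certificate stored without its key is a trustedCertEntry: getCertificateChain()
        // returns null for it, so fall back to getCertificate() and build a one-element chain.
        Certificate[] certs = ks.getCertificateChain(alias);
        if (certs == null) {
            Certificate single = ks.getCertificate(alias);
            if (single == null) throw new IllegalArgumentException("no certificate for alias " + alias);
            certs = new Certificate[] { single };
        }
        chain = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) chain[i] = (X509Certificate) certs[i];
    }

    // JSSE asks per cipher suite ("RSA", "EC"); only offer the alias when the key type matches.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return keyType.equals(chain[0].getPublicKey().getAlgorithm()) ? alias : null;
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return chooseServerAlias(keyType, issuers, null) == null ? null : new String[] { alias };
    }
    @Override public X509Certificate[] getCertificateChain(String a) {
        return alias.equals(a) ? chain.clone() : null;
    }
    @Override public PrivateKey getPrivateKey(String a) {
        // Assumed: the vendor returns a provider-backed handle, so signing happens inside the HSM
        return alias.equals(a) ? hsm.privateKeyFor(a) : null;
    }
    // Client-side callbacks are unused on a server connector.
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { return null; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return null; }
}
```

Return it as a one-element array from CustomSslContext.getKeyManagers(); the alias passed to the constructor must equal the connector's keyAlias, otherwise chooseServerAlias never offers a key and the handshake fails.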

