Mutual-authentication with web services

Question

Currently, I've been successful implementing Mutual Authentication security so long as the client accesses the website using a web browser, because browsers take care of all the certificate exchange for you. Now I need to create a secure interface with which users can access web services over HTTPS, using the mutual authentication required by the server.

First off, are there any resources anyone knows of that can help me with this? I've looked for quite some time and found nothing. Any other tips anyone can give me on how to go about this?

Secondly, I think my biggest roadblock is my lack of understanding of how to handle certificates. How do I negotiate accepting the server's key and presenting my own key to the server? This is in Java.

Answer

I spent a long time on this but I finally found an example that actually works. It's Glassfish and Netbeans-based but I guess you could get it working in other environments (e.g. Eclipse and Tomcat) if you played around with it.

http://java.sun.com/webservices/reference/tutorials/wsit/doc/WSIT_Security9.html#wp162511

The problem I've found though is when you want to use your own certificates, not the ones that come pre-installed with glassfish.

NOTE: I'm not a security expert. Don't deploy this into production!

To do this I'm using NetBeans 6.9, JDK 1.6, GlassFish 3.0.1 and OpenSSL v1.0 (I'm using the unofficial Win32 binaries)

# Create the CA (self-signed, valid 10 years); serial.txt seeds the serial numbers of the certificates it signs
mkdir ca server client
cd ca
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.pem
echo 02 > serial.txt
cd ..

# Creating the Server Keystore
# (-days goes on the signing step: "openssl req" without -x509 ignores it, and "openssl x509 -req"
#  would otherwise issue a certificate that is only valid for its 30-day default)
openssl req -newkey rsa:1024 -keyout server/server.key -out server/server.req
openssl x509 -days 3650 -extensions usr_cert -extfile C:\testbed\OpenSSL-Win32\bin\openssl.cfg -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/serial.txt -req -in server/server.req -out server/server.crt
# bundle key + certificate as PKCS#12, convert that to a JKS keystore, then export the public certificate
openssl pkcs12 -export -inkey server/server.key -in server/server.crt -out server/server.p12 -name server
keytool -importkeystore -destkeystore server/server.jks -deststoretype jks -srckeystore server/server.p12 -srcstoretype pkcs12
keytool -exportcert -alias server -keystore server/server.jks -file server/server.cer

# Create the Client Keystore (same steps as the server, alias client1)
openssl req -newkey rsa:1024 -keyout client/client1.key -out client/client1.req
openssl x509 -days 3650 -extensions usr_cert -extfile C:\testbed\OpenSSL-Win32\bin\openssl.cfg -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/serial.txt -req -in client/client1.req -out client/client1.crt
openssl pkcs12 -export -inkey client/client1.key -in client/client1.crt -out client/client1.p12 -name client1
keytool -importkeystore -destkeystore client/client1.jks -deststoretype jks -srckeystore client/client1.p12 -srcstoretype pkcs12
keytool -exportcert -alias client1 -keystore client/client1.jks -file client/client1.cer

# Import public keys and certificates into each others keystores
# (each side trusts the other's certificate directly as well as the CA; the CA also goes into the
#  GlassFish domain truststore and the JDK-wide cacerts, so every TLS client of that JDK will trust it)
keytool -import -noprompt -trustcacerts -alias client1 -file client/client1.cer -keystore server/server.jks
keytool -import -noprompt -trustcacerts -alias server -file server/server.cer -keystore client/client1.jks
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore server/server.jks
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore client/client1.jks
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\cacerts.jks"
keytool -import -noprompt -trustcacerts -alias my_ca -file ca/ca.pem -keystore "C:\Program Files\Java\jdk1.6\jre\lib\security\cacerts"
# replace the GlassFish domain keystore with the server keystore, keeping a backup of the original
move "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\keystore.jks" "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\keystore.jks.backup"
copy server\server.jks "C:\Program Files\glassfish-3.0.1\glassfish\domains\domain1\config\keystore.jks"

In the GlassFish admin console, enable Security on your http-listener, tick the SSL3, TLS and Client Authentication boxes, set the Certificate NickName to server, the Key Store to config\keystore.jks, the Trust Store to config\keystore.jks, the Trust Algorithm to PKIX and leave the Max Certificate Length at 5.

In NetBeans, create a new Web Application project. Within that, create a new Web Service.

My Web Service code looked like this:

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@WebService()
public class ListProducts {

  // Injected by the container; carries the authenticated caller of the current request
  @Resource WebServiceContext context;

  @WebMethod(operationName = "listProducts")
  public String listProducts() {
    // The principal is the subject DN of the client certificate presented in the TLS handshake
    return context.getUserPrincipal().toString();
  }

}

Right click on the Web Service and select Edit Web Service Attributes. Tick the Secure Service box and select Mutual Certificates Security as the Security Mechanism. Click on the Configure... button and tick the Encrypt Signature box. Now untick the Use Development Defaults box and then click the Keystore button. Set the location of your server.jks keystore and select the server alias. Do the same for the Truststore configuration (although you don't have to select an alias here).

Import the client1.p12 client certificate into your browser. Deploy your Web Service to Glassfish. Open up your web service in a browser and browse to the deployed WSDL via HTTPS. Download the WSDL and any other schemas. Rename any referenced schemas to local copies so that when you use WSDL2Java NetBeans won't use any remote resources. (This paragraph is because you've restricted your WSDL to clients with an approved certificate but NetBeans can't fetch it remotely because it doesn't have access to the certificate in question).

Create a new Java Project. Create a new Web Service Client. When prompted, point NetBeans to your saved WSDL file. Import the METRO2.0 library files (C:\Program Files\Netbeans 6.9\enterprise\modules\ext\metr\webservices-*.jar). My code looked like this:

public class Client {

  public static void main(String[] args) {
    // JVM-wide HTTPS settings: client1.jks is both the identity (client cert + key) and the trust
    // store for every HTTPS connection this JVM makes; "changeit" is the keytool default password
    System.getProperties().put("javax.net.ssl.keyStore", "C:\\NetBeansProjects\\security-04\\ssl\\client\\client1.jks");
    System.getProperties().put("javax.net.ssl.keyStorePassword", "changeit");
    System.getProperties().put("javax.net.ssl.trustStore", "C:\\NetBeansProjects\\security-04\\ssl\\client\\client1.jks");
    System.getProperties().put("javax.net.ssl.trustStorePassword", "changeit");
    // ListProductsService is the client stub NetBeans generated from the saved WSDL
    System.out.println(new ListProductsService().getListProductsPort().listProducts());
  }

}

Copy webservices-api.jar into your Java\jdk1.6\jre\lib\endorsed directory. Right-click on the Web Service reference and select Edit Web Service Attributes. Set the keystore location to client1.jks and set the alias to client1. Set the truststore location to client1.jks and set the alias to server.

Hopefully you can now run your client and you should see output like so: EMAILADDRESS=bob@anonymous.org, CN=Bob Smith, OU=Something, O=SomethingElse, L=AnyTown, ST=AnyState, C=US
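Setting the javax.net.ssl.* system properties as the answer does makes client1.jks the identity and trust store for every HTTPS connection in the JVM and leaves the password in source. The following is an added example (not from the answer, NetBeans or the Metro project) that scopes the client certificate to this one JAX-WS port instead: it builds an SSLContext from the client keystore and a CA-only truststore and hands it to the port through the JAX-WS RI/Metro request-context property for the HTTPS socket factory. The file client/truststore.jks (holding only ca.pem) and the two environment variable names are assumptions; ListProducts and ListProductsService are the stubs generated from the answer's WSDL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.ws.BindingProvider;

public class MutualTlsClient {

  // Loads a JKS keystore from disk (Java 6 style, no try-with-resources).
  static KeyStore loadKeyStore(String path, char[] password) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream in = new FileInputStream(path);
    try {
      ks.load(in, password);
    } finally {
      in.close();
    }
    return ks;
  }

  // Key managers present client1's certificate and private key during the handshake;
  // trust managers accept only server certificates that chain to an entry in the truststore.
  static SSLContext buildSslContext(KeyStore identity, char[] keyPassword, KeyStore trust) throws Exception {
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(identity, keyPassword);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trust);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // Passwords come from the environment (assumed variable names), not from the source.
    char[] ksPass = System.getenv("CLIENT_KEYSTORE_PASSWORD").toCharArray();
    char[] tsPass = System.getenv("CLIENT_TRUSTSTORE_PASSWORD").toCharArray();
    KeyStore identity = loadKeyStore("client/client1.jks", ksPass);
    // Assumed truststore containing only ca.pem: the server cert validates through the CA alone.
    KeyStore trust = loadKeyStore("client/truststore.jks", tsPass);
    SSLContext ctx = buildSslContext(identity, ksPass, trust);

    ListProducts port = new ListProductsService().getListProductsPort();
    // JAX-WS RI/Metro property (JAXWSProperties.SSL_SOCKET_FACTORY): applies to this port only.
    ((BindingProvider) port).getRequestContext()
        .put("com.sun.xml.ws.transport.https.client.SSLSocketFactory", ctx.getSocketFactory());
    System.out.println(port.listProducts());
  }
}
```

This only covers the transport-level (HTTPS) client certificate; the message-level Mutual Certificates Security keystore and truststore the answer configures through Edit Web Service Attributes are separate and still needed.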
