Tomcat with 1-way and 2-way SSL


Problem description


I have a service A that uses 1-way SSL and also 2-way SSL to make secure requests to service B. 1-way SSL is specified by Tomcat config, I provide keystoreFile, keystorePass, enable SSL, etc. 2-way SSL is implemented using JSSE on the client (service A). I know this could be done similarly in Tomcat server.xml too (example is here: http://blog1.vorburger.ch/2006/08/setting-up-two-way-mutual-ssl-with.html).


Part of my 1-way SSL Tomcat configuration:

<Connector port="securePort"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           SSLEnabled="true"
           keystoreFile="keystoreFile"
           keystorePass="keystorePass"
           keystoreType="keystoreType"
           ...
/>


Is there a way to specify both 1-way and 2-way (client side) SSL for the same service in Tomcat, though? The challenge here is that I'm using 2 certificates (a server one and a client one) on the same IP. Any hints?

Recommended answer


When service A makes SSL requests with client-authentication to service B, it's not a server, it's a client. This has nothing to do with configuring client authentication on your Tomcat server where service A is running.


How your service A picks up its keystore settings (which it uses as a client) depends on how it's implemented and which libraries it uses to make these connections. It's not particularly different from any standalone client.


It's likely that it will at least pick up the default settings via the system properties. You can set the javax.net.ssl.keyStore (and related) system properties in the container (e.g. via JAVA_OPTS in catalina.sh or .bat). These settings will however be usable by all the webapps running within your container (but these settings won't be used by your <Connector/> configuration, if you've configured a different keystore there). Affecting all the webapps in your container like this may not always be desirable.


You could also have your keystore file where your client code can load it (e.g. somewhere under WEB-INF) and load this keystore as a resource stream to initialise the SSLContext used by your client library (if your client application can use such settings). Another possible way is to pass the keystore via JNDI. All this depends on how you want to configure the deployment of your service and how its code expects to be configured.
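The WEB-INF resource-stream approach described in the answer, written out as an added example (not code from the question, the answer, or Tomcat itself). It assumes two PKCS12 files, client-keystore.p12 and truststore.p12, placed under WEB-INF/classes so the webapp class loader can find them, with their passwords supplied by the caller; the resulting SSLContext is applied per connection, so it never touches the keystore configured on the server <Connector/>.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a webapp-local SSLContext for service A's outbound 2-way TLS calls to service B. */
public final class ClientSslContextFactory {

    // Hypothetical resource names: placed under WEB-INF/classes so the webapp class loader sees them.
    private static final String CLIENT_KEYSTORE = "client-keystore.p12"; // service A's client cert + key
    private static final String TRUSTSTORE      = "truststore.p12";      // CA that issued service B's cert

    public static SSLContext build(char[] keyStorePassword, char[] trustStorePassword) throws Exception {
        ClassLoader cl = ClientSslContextFactory.class.getClassLoader();

        // Key material presented by service A when service B requests client authentication.
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = cl.getResourceAsStream(CLIENT_KEYSTORE)) {
            if (in == null) throw new IllegalStateException("missing resource " + CLIENT_KEYSTORE);
            clientKeys.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, keyStorePassword);

        // Explicit trust store so this client verifies service B without relying on JVM-wide defaults.
        KeyStore trusted = KeyStore.getInstance("PKCS12");
        try (InputStream in = cl.getResourceAsStream(TRUSTSTORE)) {
            if (in == null) throw new IllegalStateException("missing resource " + TRUSTSTORE);
            trusted.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Scopes the context to one connection; default hostname verification stays enabled. */
    public static HttpsURLConnection open(URL serviceB, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) serviceB.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Because the context is set on the socket factory of each connection rather than through javax.net.ssl.* system properties, other webapps in the same container are unaffected.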
