web项目由http升级https

用到的相关方法主要是使用openssl加jdk的keytool 进行密钥签名与管理

1、服务器登陆weblogic 用户,维护ssl工作目录
cd /weblogic/sslcert/
mkdir certs private
echo '100001' >serial
touch certindex.txt
touch openssl.cnf
2、编写opesnssl.cnf

OpenSSL configuration file

Working directory

dir = .
[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha1
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha1 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

Variable name Prompt string

------------------------- ----------------------------------

0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

Default values for the above, for consistency and less typing.

Variable name Value

------------------------ ------------------------------

0.organizationName_default = My Company
organizationalUnitName_default = My Org
emailAddress_default = [email protected]
localityName_default = My Town
stateOrProvinceName_default = My Providence
countryName_default = CN

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ my_v3_ext ]
basicConstraints = CA:true

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

3、自己签证书
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

openssl req -new -nodes -out GCSLevel2CA-req.pem -keyout private/GCSLevel2CA-key.pem -pubkey -days 3650 -config ./openssl.cnf

对二级证书签名

openssl ca -extensions my_v3_ext -out GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -infiles GCSLevel2CA-req.pem

生成服务器证书请求

keytool -genkey -dname "cn=*.cebbank.com.cn, ou=it, o=guilinbank, c=CN" -keyalg RSA -keysize 2048 -alias mykey -keypass password1 -keystore mykeystore.jks -storepass password1 -validity 3650
keytool -export -alias mykey -file mykey.cer -keystore mykeystore.jks -storepass password1
keytool -certreq -alias mykey -file mykey-req.pem -keypass password1 -storetype JKS -keystore mykeystore.jks -storepass password1
openssl ca -policy policy_anything -keyfile private/GCSLevel2CA-key.pem -cert GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -out mykey.pem -infiles mykey-req.pem
openssl crl2pkcs7 -nocrl -certfile mykey.pem -certfile GCSLevel2CA-cert.pem -certfile cacert.pem -outform PEM -out mykey.p7b
4、导出客户端证书
keytool -export -alias mykey -file mykey.cer -keystore mykeystore.jks -storepass password1
5、导入证书
keytool -import -alias mykey -file mykey.p7b -keystore mykeystore.jks
keytool -list -keystore mykeystore.jks -storepass password1 –v
6、把自签名证书导入(root用户执行)
/usr/java/jdk1.6.0_16/jre/bin/keytool -import  -alias mykey -file mykey.cer -keystore /usr/java/jdk1.6.0_16/jre/lib/security/cacerts
在使用时可以设置JVM参数，但不是必选项。
-Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_16/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword='changeit' -Djavax.net.ssl.keyStore==/usr/java/jdk1.6.0_16/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword='changeit'
7、Weblogic控制台设置

8、重启weblogic生效，至此weblogic开启了https服务。
9、应用程序如果需要访问，需要在建立http连接的时候设置忽略证书，可参考如下代码
1、package org.jasig.cas.client.validation;
3、import java.security.cert.CertificateException;
4、import java.security.cert.X509Certificate;
6、import javax.net.ssl.X509TrustManager;
8、public class HubX509TrustManager implements X509TrustManager {
10、 @Override
11、 public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
12、 // TODO Auto-generated method stub
13、
14、 }
15、
16、 @Override
17、 public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
18、 // TODO Auto-generated method stub
19、
20、 }
21、
22、 @Override
23、 public X509Certificate[] getAcceptedIssuers() {
24、 return null;
25、 }
26、
27、}
28、
package org.jasig.cas.client.validation;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;

/**

• 重写CAS认证的类，修改CAS SERVER HOST地址从数据库获取
  */
  public abstract class JedaAbstractCasProtocolUrlBasedTicketValidator extends
  JedaAbstractUrlBasedTicketValidator {

  private static final String HTTPS="https";

  protected JedaAbstractCasProtocolUrlBasedTicketValidator(
  String casServerUrlPrefix) {
  super(casServerUrlPrefix);
  }

  protected final String retrieveResponseFromServer(URL validationUrl,
  String ticket) {
  HttpURLConnection connection = null;
  String str1 = "";
  try {
  if(validationUrl.getProtocol().toLowerCase().equals(HTTPS)) {
  SSLContext sslcontext = SSLContext.getInstance("SSL","SunJSSE");
  sslcontext.init(null, new TrustManager[]{new HubX509TrustManager()}, new java.security.SecureRandom());
  HostnameVerifier ignoreHostnameVerifier = new HostnameVerifier() {
  public boolean verify(String s, SSLSession sslsession) {
  System.out.println("WARNING: Hostname is not matched for cert.");
  return true;
  }
  };
  // HttpsURLConnection connen = (HttpsURLConnection) validationUrl.openConnection();
  // connen.setHostnameVerifier(ignoreHostnameVerifier);
  // connen.setSSLSocketFactory(sslcontext.getSocketFactory());
  HttpsURLConnection.setDefaultHostnameVerifier(ignoreHostnameVerifier);
  HttpsURLConnection.setDefaultSSLSocketFactory(sslcontext.getSocketFactory());
  // connection = (HttpsURLConnection) validationUrl.openConnection();
  }else {
  // connection = (HttpURLConnection) validationUrl.openConnection();
  }
  String line = null;
  connection = (HttpURLConnection) validationUrl.openConnection();
  BufferedReader in = new BufferedReader(new InputStreamReader(
  connection.getInputStream()));

       StringBuffer stringBuffer = new StringBuffer(255);
  
       synchronized (stringBuffer) {
           while ((line = in.readLine()) != null) {
               stringBuffer.append(line);
               stringBuffer.append("\n");
           }
           str1 = stringBuffer.toString();
  
           if (connection != null)
               connection.disconnect();
       }
       return str1;
   } catch (Exception e) {
       this.log.error(e, e);
       String line = null;
       return line;
   } finally {
       if (connection != null)
           connection.disconnect();
   }

  }
  }