Upgrading a web project from HTTP to HTTPS

The approach uses openssl together with the JDK's keytool: openssl acts as the certificate authority that signs the certificates, and keytool manages the keys and certificates in the Java keystore.

1. Log in as the WebLogic server user and create the SSL working directory (the names must match the paths referenced from openssl.cnf below):
cd /weblogic/sslcert/
mkdir certs private
echo '100001' > serial
touch certindex.txt
touch openssl.cnf
2. Write openssl.cnf

# OpenSSL configuration file

# Working directory
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha1
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha1 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
# ------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
# ------------------------- ------------------------------
0.organizationName_default = My Company
organizationalUnitName_default = My Org
emailAddress_default = [email protected]
localityName_default = My Town
stateOrProvinceName_default = My Providence
countryName_default = CN

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ my_v3_ext ]
basicConstraints = CA:true

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

3. Generate the self-signed root CA certificate
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

Generate the key and certificate request for the secondary (intermediate) CA:

openssl req -new -nodes -out GCSLevel2CA-req.pem -keyout private/GCSLevel2CA-key.pem -pubkey -days 3650 -config ./openssl.cnf

Sign the secondary CA certificate with the root CA:

openssl ca -extensions my_v3_ext -out GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -infiles GCSLevel2CA-req.pem

Generate the server key pair and certificate request with keytool, sign the request with the secondary CA, and bundle the full chain into a PKCS#7 file:

keytool -genkey -dname "cn=*.cebbank.com.cn, ou=it, o=guilinbank, c=CN" -keyalg RSA -keysize 2048 -alias mykey -keypass password1 -keystore mykeystore.jks -storepass password1 -validity 3650
keytool -export -alias mykey -file mykey.cer -keystore mykeystore.jks -storepass password1
keytool -certreq -alias mykey -file mykey-req.pem -keypass password1 -storetype JKS -keystore mykeystore.jks -storepass password1
openssl ca -policy policy_anything -keyfile private/GCSLevel2CA-key.pem -cert GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -out mykey.pem -infiles mykey-req.pem
openssl crl2pkcs7 -nocrl -certfile mykey.pem -certfile GCSLevel2CA-cert.pem -certfile cacert.pem -outform PEM -out mykey.p7b
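Before the bundle is imported into the keystore it is worth confirming that the three certificates in mykey.p7b really form a valid chain up to cacert.pem; otherwise keytool stores an incomplete chain and clients reject the server. The program below is an added example and not part of the original post. It assumes the file names used above (mykey.p7b and cacert.pem, overridable on the command line), re-orders the certificates leaf-first because the order inside a PKCS#7 bundle is not guaranteed, and runs the JDK's own PKIX validator over them with revocation checking off, since the post never issues a CRL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not part of the original post: checks that the PKCS#7 bundle
 * written by "openssl crl2pkcs7" (mykey.p7b) chains up to the root certificate
 * (cacert.pem) before it is imported into mykeystore.jks.
 */
public class ChainCheck {

    /** Loads every certificate from a PEM, DER or PKCS#7 file (the JDK factory accepts all three). */
    static List<X509Certificate> loadCertificates(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        InputStream in = new FileInputStream(path);
        try {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        } finally {
            in.close();
        }
        return certs;
    }

    /**
     * Orders the certificates leaf-first by following issuer names. The self-signed
     * root is left out: PKIX expects it as the trust anchor, not as part of the path.
     */
    static List<X509Certificate> orderChain(List<X509Certificate> certs) {
        Map<X500Principal, X509Certificate> bySubject = new HashMap<X500Principal, X509Certificate>();
        for (X509Certificate c : certs) {
            bySubject.put(c.getSubjectX500Principal(), c);
        }
        // The leaf is the certificate that issued none of the others.
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            boolean isIssuer = false;
            for (X509Certificate other : certs) {
                if (other != c && other.getIssuerX500Principal().equals(c.getSubjectX500Principal())) {
                    isIssuer = true;
                    break;
                }
            }
            if (!isIssuer) {
                leaf = c;
                break;
            }
        }
        if (leaf == null) {
            throw new IllegalArgumentException("no leaf certificate found in bundle");
        }
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        X509Certificate current = leaf;
        while (current != null && !current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
            chain.add(current);
            current = bySubject.get(current.getIssuerX500Principal());
        }
        return chain;
    }

    /** Runs the JDK PKIX validator; throws CertPathValidatorException if the chain is broken. */
    static void validate(String bundlePath, String rootPath) throws Exception {
        X509Certificate root = loadCertificates(rootPath).get(0);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // the post issues no CRL, so there is nothing to check
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(orderChain(loadCertificates(bundlePath)));
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        String bundle = args.length > 0 ? args[0] : "mykey.p7b";
        String root = args.length > 1 ? args[1] : "cacert.pem";
        try {
            validate(bundle, root);
            System.out.println("OK: " + bundle + " chains to the root in " + root);
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the leaf-first path, or -1 if unknown
            System.out.println("FAILED at path index " + e.getIndex() + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as `java ChainCheck mykey.p7b cacert.pem` from the working directory. One caveat when reproducing this setup: both `default_md` entries in the configuration select SHA-1, and SHA-1 certificate signatures are rejected by current browsers and many TLS libraries, so use sha256 for anything that has to interoperate with clients you do not control.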
4. Export the client certificate
keytool -export -alias mykey -file mykey.cer -keystore mykeystore.jks -storepass password1
5. Import the signed certificate chain into the keystore and list the result
keytool -import -alias mykey -file mykey.p7b -keystore mykeystore.jks
keytool -list -keystore mykeystore.jks -storepass password1 -v
6. Import the self-signed certificate into the JDK trust store (run as root)
/usr/java/jdk1.6.0_16/jre/bin/keytool -import -alias mykey -file mykey.cer -keystore /usr/java/jdk1.6.0_16/jre/lib/security/cacerts
The following JVM parameters can also be set when starting the JVM, but this is not mandatory:
-Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_16/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword='changeit' -Djavax.net.ssl.keyStore=/usr/java/jdk1.6.0_16/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword='changeit'
7. WebLogic console settings

8. Restart WebLogic for the change to take effect; at this point WebLogic is serving HTTPS.
9. If the application itself needs to call the HTTPS service, the HTTP connection must be set up to ignore the certificate; refer to the following code.
package org.jasig.cas.client.validation;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.X509TrustManager;

/** Trust manager that accepts every certificate; this is what "ignore the certificate" in step 9 means. */
public class HubX509TrustManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Intentionally empty: no client certificate checks are performed.
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Intentionally empty: the server certificate is never verified.
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // The interface contract expects a non-null array; some callers dereference it.
        return new X509Certificate[0];
    }
}

28、
package org.jasig.cas.client.validation;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;

/**
 * Rewritten CAS ticket validator; the CAS server host address is obtained from the database.
 */
public abstract class JedaAbstractCasProtocolUrlBasedTicketValidator extends
        JedaAbstractUrlBasedTicketValidator {

    private static final String HTTPS = "https";

    protected JedaAbstractCasProtocolUrlBasedTicketValidator(String casServerUrlPrefix) {
        super(casServerUrlPrefix);
    }

    protected final String retrieveResponseFromServer(URL validationUrl, String ticket) {
        HttpURLConnection connection = null;
        try {
            if (validationUrl.getProtocol().toLowerCase().equals(HTTPS)) {
                // Install the accept-everything trust manager defined above.
                SSLContext sslcontext = SSLContext.getInstance("SSL", "SunJSSE");
                sslcontext.init(null, new TrustManager[] { new HubX509TrustManager() },
                        new java.security.SecureRandom());
                HostnameVerifier ignoreHostnameVerifier = new HostnameVerifier() {
                    public boolean verify(String s, SSLSession sslsession) {
                        System.out.println("WARNING: Hostname is not matched for cert.");
                        return true;
                    }
                };
                // Per-connection variant, kept from the original as a comment:
                // HttpsURLConnection connen = (HttpsURLConnection) validationUrl.openConnection();
                // connen.setHostnameVerifier(ignoreHostnameVerifier);
                // connen.setSSLSocketFactory(sslcontext.getSocketFactory());
                // The two calls below change the defaults for every HttpsURLConnection in this JVM.
                HttpsURLConnection.setDefaultHostnameVerifier(ignoreHostnameVerifier);
                HttpsURLConnection.setDefaultSSLSocketFactory(sslcontext.getSocketFactory());
            }
            connection = (HttpURLConnection) validationUrl.openConnection();
            BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
            try {
                StringBuilder response = new StringBuilder(255);
                String line;
                while ((line = in.readLine()) != null) {
                    response.append(line).append("\n");
                }
                return response.toString();
            } finally {
                in.close();
            }
        } catch (Exception e) {
            this.log.error(e, e); // log is inherited from the superclass
            return null;
        } finally {
            if (connection != null) {
                connection.disconnect();
            }
        }
    }
}
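The code in step 9 accepts any certificate and any hostname, so the client can no longer tell the real CAS server from an impostor, which is exactly the property the HTTPS upgrade was meant to add. Since the application already has the root certificate created in step 3, it can trust that one CA and nothing else. The class below is an added example, not code from the original post or from the CAS client project; it assumes cacert.pem is readable by the application, and the CAS URL in main is a placeholder.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not from the original post or the CAS client project: fetches
 * the validation response while trusting only the private root CA from step 3
 * (cacert.pem). Hostname checking stays at the JSSE default, so the server
 * certificate's cn=*.cebbank.com.cn has to match the host in the URL.
 */
public class PinnedCasClient {

    /** Builds an SSLContext whose single trust anchor is the PEM root certificate at rootCertPath. */
    static SSLContext contextTrustingOnly(String rootCertPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(rootCertPath);
        Certificate root;
        try {
            root = cf.generateCertificate(in);
        } finally {
            in.close();
        }
        // Fresh in-memory trust store containing nothing but our own CA;
        // the JDK cacerts file and its public roots are deliberately not consulted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("private-root-ca", root);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Reads the response body; a certificate not issued under our CA aborts the handshake. */
    static String retrieveResponse(URL validationUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) validationUrl.openConnection();
        // Set the socket factory on this connection only, instead of
        // HttpsURLConnection.setDefaultSSLSocketFactory, so other HTTPS clients
        // in the same JVM keep their own trust settings. No setHostnameVerifier
        // call is made: the default hostname check remains active.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        BufferedReader in = null;
        try {
            in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
            StringBuilder body = new StringBuilder();
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line).append('\n');
            }
            return body.toString();
        } finally {
            if (in != null) {
                in.close();
            }
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL: the real CAS server address comes from the deployment.
        URL url = new URL(args.length > 0 ? args[0] : "https://cas.example.com/cas/serviceValidate");
        SSLContext ctx = contextTrustingOnly(args.length > 1 ? args[1] : "cacert.pem");
        System.out.print(retrieveResponse(url, ctx));
    }
}
```

With this in place the step 6 import of mykey.cer into the JDK cacerts file and the `-Djavax.net.ssl.trustStore` JVM parameters are no longer needed for the application's own calls, because the trust decision is made per connection from cacert.pem.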

Source: www.cnblogs.com/Y-S-X/p/11306334.html