Wednesday, September 17, 2008

SSL one-way and mutual authentication configuration example: HP OpenView Service Manager and Tomcat

0. If openssl is not preinstalled you have to download and build it yourself. If java -version reports the GNU runtime (gij/GCJ), download and install Sun's JRE, preferably the full JDK, since keytool is needed below.
1. Download the source from http://www.openssl.org/source/
2. I used CentOS 5.2; other Linux/Unix systems should be similar. Log in as root.
3. Unpack the source into the install path, for example /opt/openssl
4. Enter the directory and configure the build
./config --prefix=/opt/openssl
5. Build, test and install
make
make test
make install

Configure openssl.cnf
Locate openssl.cnf:
[root@arsenal14 /]# find / -name openssl.cnf
/etc/pki/tls/openssl.cnf
Then put your own defaults (country, state, and so on) into the [ req_distinguished_name ] section so you need not retype them for every request. Note that if you built into /opt/openssl, that binary reads /opt/openssl/ssl/openssl.cnf rather than the system copy; openssl version -d shows which directory is in use.

Generate the self-signed CA root certificate
First generate the CA's private key:
[root@arsenal14 tmp]# openssl genrsa -des3 -out ca.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................................................................+++
......................+++
e is 65537 (0x10001)
Enter pass phrase for ca.pem:
Verifying - Enter pass phrase for ca.pem:

Then generate the CA root certificate from that private key:
[root@arsenal14 tmp]# openssl req -new -key ca.pem -x509 -days 1095 -out ca.cer
Enter pass phrase for ca.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [Hewlett Packard]:
Organizational Unit Name (eg, section) []:GDCC-SMCi
Common Name (eg, your name or your server's hostname) []:arsenal14.asiapacific.hpqcorp.net
Email Address []:daniel.woo@hp.com
Note: for the server certificates issued later, the Common Name must be the FQDN that clients actually connect to, or they will reject the certificate. The CA's own certificate is trusted because it is imported, not by its name, so any distinct CN works there.

So far the current directory contains:
[root@arsenal14 tmp]# ls
ca.cer    CA root certificate
ca.pem    CA private key (important! keep it secret!)

Here is a real use case: set up mutual authentication between a Tomcat instance and an HP OpenView Service Manager (SM below).
We need to:
1. Create a CA
2. Create a private/public key pair for Tomcat and one for SM
3. Have the CA issue a certificate for Tomcat and one for SM
4. Import the CA certificate into the trust keystores of Tomcat and SM


For mutual authentication each side, SM and Tomcat, presents a certificate to the other, so each needs its own private key and a certificate issued by the CA.

Generate SM's private/public key pair. keytool's "first and last name" prompt becomes the CN, so answer with the FQDN clients will connect to; keytool's default key is 1024-bit DSA, so add -keyalg RSA -keysize 2048:
[root@arsenal14 tmp]# keytool -genkey -alias smserver -keyalg RSA -keysize 2048 -keystore sm.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: tsmcivm8
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=tsmcivm8, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=CN correct?
[no]: y

Enter key password for <smserver>
(RETURN if same as keystore password):

Generate Tomcat's private/public key pair the same way:

[root@arsenal14 tmp]# keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: danielnc6400.asiapacific.hpqcorp.net
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=danielnc6400.asiapacific.hpqcorp.net, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=CN correct?
[no]: y

Enter key password for <tomcat>
(RETURN if same as keystore password):
Re-enter new password:

We now have two keystores, each holding a private/public key pair:
sm.jks and tomcat.jks

From each we export a certificate signing request (CSR); it carries the public key and the DN, never the private key:
sm_req.crs and tomcat_req.crs

[root@arsenal14 tmp]# keytool -certreq -alias smserver -keystore sm.jks -file sm_req.crs
Enter key store password: password

[root@arsenal14 tmp]# keytool -certreq -alias tomcat -keystore tomcat.jks -file tomcat_req.crs
Enter key store password: password


Now have the CA issue SM's certificate, which is what gets distributed to the other systems:
[root@arsenal14 tmp]# openssl x509 -req -days 365 -in sm_req.crs -CA ca.cer -CAkey ca.pem -CAcreateserial -out sm.cer
Signature ok
subject=/CN=tsmcivm8/O=HP/OU=GDCC-SMCi/L=Shanghai/ST=Shanghai/C=CN
Getting CA Private Key
Enter pass phrase for ca.pem:

Then do the same for Tomcat:
[root@arsenal14 tmp]# openssl x509 -req -days 365 -in tomcat_req.crs -CA ca.cer -CAkey ca.pem -CAcreateserial -out tomcat.cer
Signature ok
subject=/CN=danielnc6400.asiapacific.hpqcorp.net/O=HP/OU=GDCC-SMCi/L=Shanghai/ST=Shanghai/C=CN
Getting CA Private Key
Enter pass phrase for ca.pem:


Two more files appeared: the signed certificates sm.cer and tomcat.cer. Note that openssl x509 -req adds no extensions unless you pass -extfile, so these are plain v1 certificates without a subjectAltName; clients of that era matched the CN, newer ones insist on the SAN.

The files we have now:
ca.cer          root certificate
ca.pem          root certificate private key
ca.srl          serial number file created by -CAcreateserial
sm.cer          signed SM certificate
sm.jks          SM server keystore; SM's private key lives in here
sm_req.crs      no longer needed
tomcat.cer      signed Tomcat certificate
tomcat.jks      Tomcat server keystore; Tomcat's private key lives in here
tomcat_req.crs  no longer needed
(There is no sm.pem or tomcat.pem: keytool never writes the private key out as a file, it stays inside the .jks.)

Now import the signed certificates back into the keystores.
Import the CA root certificate first: keytool only accepts a certificate reply for an existing key entry if it can chain it to a certificate the keystore already trusts. (-cacert is not a keytool option; this is a plain -import of a trusted certificate under its own alias, and keytool shows the fingerprints and asks "Trust this certificate? [no]:", to which you answer yes.)
[root@arsenal14 tmp]# keytool -import -trustcacerts -alias ca -file ca.cer -keystore sm.jks
[root@arsenal14 tmp]# keytool -import -trustcacerts -alias ca -file ca.cer -keystore tomcat.jks

Only then import the CA-issued certificates, under the same alias as the key pair so they replace the self-signed certificates that -genkey created:
keytool -import -file sm.cer -keystore sm.jks -alias smserver
keytool -import -file tomcat.cer -keystore tomcat.jks -alias tomcat

First test one-way (server-only) authentication with Tomcat: the server presents its certificate but does not ask the client for one.
Copy tomcat.jks to tomcat/conf.
Open tomcat/conf/server.xml and change the https connector (clientAuth="false" is the one-way setting):
<Connector port="443"
minSpareThreads="2" maxSpareThreads="15"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="100"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:/Projects/Tomcat6SM/conf/tomcat.jks" keyAlias="tomcat" keystorePass="password"
clientAuth="false" sslProtocol="TLS"/>

Start Tomcat; the log should contain
2008-9-18 23:24:38 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-443

Open https://danielnc6400.asiapacific.hpqcorp.net in Firefox 3 at this point and you get Firefox's untrusted-certificate warning page.

That is because Firefox does not trust this certificate. Next, import the root certificate into Firefox's trust store:
Tools -> Options -> Advanced -> Encryption -> View Certificates -> Authorities -> Import

After importing you can review all imported certificates in the same dialog.

IE pops up a dialog asking whether to trust the certificate. Importing into IE is even simpler: double-click ca.cer and install it as a root certificate. Open the URL again and IE no longer warns at all: it trusts the root certificate, and therefore the Tomcat certificate that root signed. Keep in mind that installing a root this way makes the client trust every certificate that CA ever issues, so do it only on machines you control and keep ca.pem out of reach.

Next, configure one-way server authentication on SM.
Copy sm.jks to the RUN/security directory under the SM installation. The same file serves as keystore and truststore, since it now holds SM's key pair and the imported ca.cer.
Edit sm.ini as follows (sm -helpssl lists what each parameter means):
# SSL configuration
ssl:0
ssl_reqClientAuth:0
sslConnector:1
httpsPort:13443

#
# Certificates
truststoreFile:security/sm.jks
truststorePass:password
keystoreFile:security/sm.jks
keystorePass:password

Restart the service.

Then in the client open Windows -> Preferences -> HP Service Manager -> Security and put the full path of the keystore containing the CA root certificate into "CA Certificate file". This is what lets the client verify that the server's certificate is valid. Oddly, there is nowhere to enter the keystore password, so how the Eclipse client opens the keystore is still a mystery to me. :-)

Then create a new connection: the hostname must be the fully qualified domain name, and on the second page tick Use SSL Encryption. You can now connect to SM.

With one-way authentication working on both sides, let us try mutual authentication between SM and Tomcat.
Both trust keystores contain ca.cer, so each side can already validate the other's certificate. That is necessary but not sufficient: a server only asks the client for a certificate when told to. On Tomcat that means clientAuth="true" on the connector, plus truststoreFile/truststorePass pointing at a keystore that holds ca.cer (tomcat.jks here; without them JSSE falls back to the JDK's cacerts). On SM the parameter to check with sm -helpssl is ssl_reqClientAuth, left at 0 above. With clientAuth="false" the experiment below only verifies Tomcat's certificate; SM's certificate is never requested.

Open SM for an experiment: open Script Library
and create a JavaScript script
var url = "https://danielnc6400.asiapacific.hpqcorp.net/index.html";
var headers = new Array();
//headers.push("Authorization: Basic " + base64Encode("administrator:admblabla"));
// HTTPS GET to Tomcat; it only succeeds if SM trusts the certificate Tomcat presents
var resp = doHTTPRequest( "GET", url, headers, null, 10, 10, 10 );
print(resp);

Running the script prints:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<body>
This is a test
</body>
</html>
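The whole procedure above (CA, key pairs, CSRs, signing, trust-store import) and the mutual-authentication experiment this section only asserts, as one added shell example. It is not code from the original post, from HP or from Tomcat; it uses openssl alone, so no keytool is needed, and its host names, CA DN, passwords and port are placeholders. Beyond the post it adds a subjectAltName and serverAuth/clientAuth EKU to the leaf certificates, a negative check against a look-alike CA that has the same DN as the real root but a different key, and a TLS 1.2 exchange in which openssl s_server -Verify stands in for Tomcat with clientAuth="true": a client without a certificate must be refused and one presenting smserver.cer accepted, which the doHTTPRequest test above cannot show while the connector says clientAuth="false".

```shell
#!/bin/sh
# Added example (not from the original post, HP or Tomcat): the post's PKI
# redone with openssl alone, plus a real mutual-authentication test using
# openssl s_server/s_client. Host names, DNs, passwords and the port are
# placeholders assumed for this example.
set -eu

CA_PASS=${CA_PASS:-change-this-ca-passphrase}   # assumed; set for real use
STORE_PASS=${STORE_PASS:-changeit}               # PKCS12 keystore password
SM_HOST=${SM_HOST:-tsmcivm8.example.com}         # assumed SM FQDN
TOMCAT_HOST=${TOMCAT_HOST:-tomcat.example.com}   # assumed Tomcat FQDN
CA_DN="/C=CN/ST=Shanghai/L=Shanghai/O=Example Lab/CN=Example Lab Root CA"

# Minimal config: the empty DN section lets -subj work without the system
# openssl.cnf; v3_ca marks the root as a CA.
write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# issue_cert DIR NAME FQDN: key, CSR, CA-signed leaf, PKCS12 keystore.
# The post's leaves had no extensions; these carry a SAN (what clients match
# the host name against) and both EKUs, since in mutual auth each side is
# server and client at once.
issue_cert() {
  dir=$1; name=$2; fqdn=$3
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
    -subj "/C=CN/O=Example Lab/CN=$fqdn" -out "$dir/$name.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/$name.ext"
  printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' "$fqdn" >> "$dir/$name.ext"
  openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.cer" \
    -CAkey "$dir/ca.pem" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.cer" 2>/dev/null
  # key + leaf + CA in one store; Tomcat reads it with keystoreType="PKCS12"
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.cer" \
    -certfile "$dir/ca.cer" -name "$name" -passout "pass:$STORE_PASS" \
    -out "$dir/$name.p12"
}

# build_pki DIR: passphrase-protected root CA, the two leaves, and a
# look-alike CA (same DN as the root, different key) for the negative check.
build_pki() {
  dir=$1; write_config "$dir"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 1095 -config "$dir/openssl.cnf" -extensions v3_ca \
    -key "$dir/ca.pem" -passin "pass:$CA_PASS" -subj "$CA_DN" -out "$dir/ca.cer"
  issue_cert "$dir" smserver "$SM_HOST"
  issue_cert "$dir" tomcat "$TOMCAT_HOST"
  openssl req -new -x509 -days 30 -config "$dir/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$dir/rogue.pem" -subj "$CA_DN" \
    -out "$dir/rogue.cer" 2>/dev/null
}

# chain_ok CERT CAFILE: 0 only if CERT chains to the CA in CAFILE.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# handshake DIR PORT [NAME]: TLS 1.2 handshake with the local s_server,
# presenting DIR/NAME.cer if NAME is given, no certificate otherwise.
handshake() {
  if [ $# -gt 2 ]; then
    openssl s_client -tls1_2 -connect "127.0.0.1:$2" -CAfile "$1/ca.cer" \
      -cert "$1/$3.cer" -key "$1/$3.key" -verify_return_error </dev/null >/dev/null 2>&1
  else
    openssl s_client -tls1_2 -connect "127.0.0.1:$2" -CAfile "$1/ca.cer" \
      -verify_return_error </dev/null >/dev/null 2>&1
  fi
}

# mutual_auth_test DIR PORT: s_server -Verify stands in for Tomcat with
# clientAuth="true" and ca.cer in its truststore. Returns 0 when the client
# without a certificate is refused and the one holding smserver.cer is accepted.
mutual_auth_test() {
  openssl s_server -accept "$2" -cert "$1/tomcat.cer" -key "$1/tomcat.key" \
    -CAfile "$1/ca.cer" -Verify 1 -quiet >/dev/null 2>&1 &
  srv=$!
  i=0; while [ $i -lt 10 ] && ! handshake "$1" "$2" smserver; do sleep 1; i=$((i+1)); done
  with_cert=0; handshake "$1" "$2" smserver || with_cert=$?
  no_cert=0;   handshake "$1" "$2"          || no_cert=$?
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  [ "$with_cert" -eq 0 ] && [ "$no_cert" -ne 0 ]
}

WORK=$(mktemp -d); PORT=$((20000 + $$ % 20000))
build_pki "$WORK"
chain_ok "$WORK/smserver.cer" "$WORK/ca.cer"    && echo "smserver.cer chains to ca.cer"
chain_ok "$WORK/smserver.cer" "$WORK/rogue.cer" || echo "look-alike CA rejected, as it must be"
mutual_auth_test "$WORK" "$PORT" && echo "no certificate: refused; smserver.cer: accepted"
echo "keystores: $WORK/smserver.p12 $WORK/tomcat.p12"
```

Tomcat 6 loads the .p12 files directly with keystoreType="PKCS12" (keystoreFile/keystorePass as before); with OpenSSL 3 add -legacy to the pkcs12 -export call if an older JVM cannot read the store, or convert with keytool -importkeystore -srcstoretype PKCS12 to stay with JKS. The same two s_client calls, aimed at the real host and port from server.xml, tell one-way from mutual authentication on a running system: with clientAuth="false" the certificate-less connection succeeds.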

The end.

3 comments:

Anonymous said...

Just realized we are in the same line of work, both doing SM 7.

Anonymous said...

I ran your test but did not quite get what it is testing. Is it just https?

Let's exchange notes when you have time:
http://www.vanspace.com/space.php?uid=2&do=blog&id=41

Unknown said...

Heh, I work on SM/SC and BTO product integration solutions.
This is just a simple test of one-way and two-way SSL.
The official documentation is rather scattered.