This example uses the OpenSSL tool to generate the certificates; the application server is JBoss and the web service is implemented with CXF.
First install the Java environment and the OpenSSL tool. OpenSSL download address:
http://www.openssl.org/source/openssl-1.0.0.tar.gz
Then change into the OpenSSL bin directory.
Note: it is best to do this in a Linux environment; the Windows environment may cause problems.
Create the following folders in the OpenSSL bin directory:
mkdir root     --- root certificate directory
cd root
mkdir server   --- stores the server-side certificate
mkdir client   --- stores the client certificates
cd ..
Create the root certificate
Create the private key:
openssl genrsa -out root/root-key.pem 1024
Create a certificate request:
openssl req -new -out root/root-req.csr -key root/root-key.pem -subj "/C=CN/ST=guangdong/L=guangzhou/O=Huashetianzu Technologies Co.Ltd./OU=Huashetianzu eoms System Team/OU=Copyright (c) 1998-2008 Huashetianzu, Technologies Co., Ltd./CN=Huashetianzu eomsroot Authority/emailAddress=huashetianzu@126.com"
Self-sign the root certificate:
openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
Export the certificate
Export the root certificate in PKCS12 format so that a browser can import it:
openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root-id.p12
Note: you are asked for a password here. Write it down; later configuration steps use it.
Create the server-side certificate
Create the private key:
openssl genrsa -out root/server/temip-key.pem 1024
Create a certificate request:
openssl req -new -out root/server/temip-req.csr -key root/server/temip-key.pem -subj "/C=CN/ST=guangdong/L=guangzhou/O=Huashetianzu Technologies Co., Ltd./OU=Huashetianzu eoms System Team/OU=Copyright (c) 1998-2008 Huashetianzu. Technologies./CN=82.208.35.148/emailAddress=caoguowei.rt@huashetianzu.com"
Note: for CN, enter localhost if the server is this machine, or the domain name if it is a web site.
Sign the server-side certificate with the root certificate:
openssl x509 -req -in root/server/temip-req.csr -out root/server/temip-cert.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
Export the certificate
Export the server-side certificate in PKCS12 format so that a browser can import it:
openssl pkcs12 -export -clcerts -in root/server/temip-cert.pem -inkey root/server/temip-key.pem -out root/server/temip-id.p12
Note: you are asked for a password here. Write it down; later configuration steps use it.
Import the certificate into a JKS file:
keytool -import -v -trustcacerts -storepass changeit -alias temip -file root/server/temip-cert.pem -keystore root/server/temip-id.jks
Note: enter "y" and press Return.
Create the client certificates
First create a second-level certificate for the client certification authority, issued by the root certificate, and then use this second-level certificate to issue the client certificates.
Second-level certificate
Create the private key:
openssl genrsa -out root/client/eomsca-key.pem 1024
Create a certificate request:
openssl req -new -out root/client/eomsca-req.csr -key root/client/eomsca-key.pem -subj "/C=CN/ST=guangdong/L=guangzhou/O=Huashetianzu Technologies Co., Ltd./OU=Huashetianzu eoms System Team/OU=Copyright (c) 1998-2008 Huashetianzu. Technologies./CN=Huashetianzu eoms Secure Server Authority/emailAddress=emip@gd.chinamobile.com" -reqexts v3_req
Sign the second-level certificate with the root certificate (use -CA/-CAkey only; if -signkey is also given, openssl x509 self-signs the request and ignores the CA):
openssl x509 -req -in root/client/eomsca-req.csr -out root/client/eomsca-cert.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
Export the certificate
Export the second-level certificate in PKCS12 format so that a browser can import it:
openssl pkcs12 -export -clcerts -in root/client/eomsca-cert.pem -inkey root/client/eomsca-key.pem -out root/client/eomsca-id.p12
Note: you are asked for a password here. Write it down; later configuration steps use it.
Import the certificate into a JKS file:
keytool -import -v -trustcacerts -storepass changeit -alias eomsca -file root/client/eomsca-cert.pem -keystore root/client/eomsca-id.jks
Note: enter "y" and press Return.
Client certificate
Create the client certificate for your own use, signed by the second-level certificate.
Create the private key:
openssl genrsa -out root/client/hw_huashetianzu-key.pem 1024
Create a certificate request:
openssl req -new -out root/client/hw_huashetianzu-req.csr -key root/client/hw_huashetianzu-key.pem -subj "/C=CN/ST=guangdong/L=guangzhou/O=Huashetianzu Technologies Co.Ltd./OU=Huashetianzu eoms System Team/OU=Copyright (c) 1998-2008 Huashetianzu, technologies./CN=localhost/emailAddress=emip@gd.chinamobile.com"
Sign the client certificate with the second-level certificate (again -CA/-CAkey only, without -signkey):
openssl x509 -req -in root/client/hw_huashetianzu-req.csr -out root/client/hw_huashetianzu-cert.pem -CA root/client/eomsca-cert.pem -CAkey root/client/eomsca-key.pem -CAcreateserial -days 3650
Export the certificate
Export the client certificate in PKCS12 format so that a browser can import it:
openssl pkcs12 -export -clcerts -in root/client/hw_huashetianzu-cert.pem -inkey root/client/hw_huashetianzu-key.pem -out root/client/hw_huashetianzu-id.p12
Note: you are asked for a password here. Write it down; later configuration steps use it.
Import the certificate into a JKS file:
keytool -import -v -trustcacerts -storepass changeit -alias client -file root/client/hw_huashetianzu-cert.pem -keystore root/client/hw_huashetianzu-id.jks
Note: enter "y" and press Return.

CXF HTTPS bidirectional configuration
Server-side configuration
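Before copying anything to JBoss, it is worth checking that the certificates generated above really chain to the root. The script below is an added example, not part of the original post: it rebuilds the same three-tier layout (root, server certificate, second-level client CA, client certificate) in a scratch directory and verifies both end-entity certificates with openssl verify, a check the procedure above never makes. Assumed and not from the post: 2048-bit keys, SHA-256 signatures, example subject names and explicit X.509v3 CA/end-entity extensions.

```shell
#!/bin/sh
# Added example (not from the original post): build the post's three-tier chain
# in a scratch directory and verify it with `openssl verify`, a check the post
# never makes. Assumed, not from the post: 2048-bit keys, SHA-256, example
# subjects, and explicit extensions (modern validators reject a CA without CA:TRUE).
set -u

# keypair_csr <prefix> <subject>: private key plus certificate request
keypair_csr() {
    openssl genrsa -out "$1-key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1-key.pem" -out "$1-req.csr" -subj "$2" 2>/dev/null
}

# issue <csr> <out-cert> <ca-cert> <ca-key> <ext-file>: sign a request with a CA.
# -CA/-CAkey only: adding -signkey too makes openssl self-sign and ignore the CA.
issue() {
    openssl x509 -req -in "$1" -out "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 3650 -sha256 -extfile "$5" 2>/dev/null
}

# build_chain <dir>: root -> server cert; root -> client CA -> client cert
build_chain() (
    mkdir -p "$1/root/server" "$1/root/client" && cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > ee.ext
    # Root: the one place where -signkey (self-signing) is the right option
    keypair_csr root/root "/C=CN/O=Example/CN=Example Root CA" &&
    openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem \
        -days 3650 -sha256 -extfile ca.ext 2>/dev/null &&
    # Server certificate: CN must be the host name the client connects to
    keypair_csr root/server/temip "/C=CN/O=Example/CN=localhost" &&
    issue root/server/temip-req.csr root/server/temip-cert.pem root/root-cert.pem root/root-key.pem ee.ext &&
    # Second-level client CA issued by the root
    keypair_csr root/client/eomsca "/C=CN/O=Example/CN=Example Client CA" &&
    issue root/client/eomsca-req.csr root/client/eomsca-cert.pem root/root-cert.pem root/root-key.pem ca.ext &&
    # Client certificate issued by the second-level CA
    keypair_csr root/client/hw "/C=CN/O=Example/CN=hw_client" &&
    issue root/client/hw-req.csr root/client/hw-cert.pem root/client/eomsca-cert.pem root/client/eomsca-key.pem ee.ext
)

# verify_chain <dir>: succeeds only if both end-entity certificates chain to the root
verify_chain() {
    openssl verify -CAfile "$1/root/root-cert.pem" "$1/root/server/temip-cert.pem" | grep -q ': OK$' &&
    openssl verify -CAfile "$1/root/root-cert.pem" -untrusted "$1/root/client/eomsca-cert.pem" \
        "$1/root/client/hw-cert.pem" | grep -q ': OK$'
}

WORK=$(mktemp -d)
build_chain "$WORK" && verify_chain "$WORK" && echo "chain under $WORK verifies"
```

The same verify_chain call, pointed at the root directory created by the procedure above, checks the certificates you actually generated.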
First copy the temip-id.p12 file from the server folder and the eomsca-id.p12 file from the client folder that you just generated to server/default/conf in the JBoss installation. Then open the server.xml file under server\default\deploy\jboss-web.deployer in the JBoss installation directory, uncomment the block at roughly lines 30-40, and change it to read as follows:
<Connector port="8443" address="0.0.0.0" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="..." scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="conf/temip-id.p12"
    keystoreType="PKCS12" keystorePass="server-side certificate password" truststoreFile="conf/eomsca-id.p12" truststoreType="PKCS12" truststorePass="password for client certificates"/>
Note: clientAuth="true" enables two-way HTTPS authentication, that is, the server authenticates the client and the client authenticates the server. clientAuth="false" means one-way authentication. If you use two-way authentication you must also import the server-side certificate into the JRE you are using, with the following command:
keytool -import -file temip-cert.pem -keystore %JAVA_HOME%/jre/lib/security/cacerts
You will be asked for the keystore password; the default is "changeit".
Import the hw_huashetianzu-id.p12 certificate from the client folder into the browser and open https://<server-side IP>:8443 in the browser to access the service.
Client configuration
Using code
import java.io.*;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.*;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.message.Message;
import org.apache.cxf.transport.http.HTTPConduit;

// KEYMANAGER_PATH, KEYMANAGER_PASSWORD, KEYSTORE_TYPE, TRUSTMANAGER_PATH, TRUSTMANAGER_PASSWORD,
// TRUSTSTORE_TYPE and logger are constants and a logger defined elsewhere in the client class.

// Create the web service client factory
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
// Register the web service interface
factory.setServiceClass(CipB2bServiceAssuranceWorkforceClientManagementPortType.class);
String wsdlAddress = getRemeysa_url();
// Address of the published interface
factory.setAddress(wsdlAddress);
SAAJInInterceptor saajInInterceptor = new SAAJInInterceptor();
List<Interceptor<? extends Message>> inInterceptors = new ArrayList<Interceptor<? extends Message>>();
inInterceptors.add(saajInInterceptor);
factory.setInInterceptors(inInterceptors);
SAAJOutInterceptor saajOutInterceptor = new SAAJOutInterceptor();
List<Interceptor<? extends Message>> outInterceptors = new ArrayList<Interceptor<? extends Message>>();
outInterceptors.add(saajOutInterceptor);
factory.setOutInterceptors(outInterceptors);
CipB2bServiceAssuranceWorkforceClientManagementPortType port =
        (CipB2bServiceAssuranceWorkforceClientManagementPortType) factory.create();
Client proxy = ClientProxy.getClient(port);
HTTPConduit conduit = (HTTPConduit) proxy.getConduit();
TLSClientParameters tlsParams = conduit.getTlsClientParameters();
if (tlsParams == null) { tlsParams = new TLSClientParameters(); }
tlsParams.setTrustManagers(getTrustManagers());
tlsParams.setKeyManagers(getKeyManagers());
// Disables checking the server certificate's CN against the host name being connected to
tlsParams.setDisableCNCheck(true);
tlsParams.setSecureSocketProtocol("SSL");
conduit.setTlsClientParameters(tlsParams);

private static KeyManager[] getKeyManagers() {
    InputStream is = null;
    try {
        // Get the default X509 key manager algorithm
        String alg = KeyManagerFactory.getDefaultAlgorithm();
        // Create the key manager factory
        KeyManagerFactory factory = KeyManagerFactory.getInstance(alg);
        File certFile = new File(KEYMANAGER_PATH);
        if (!certFile.exists() || !certFile.isFile()) { return null; }
        is = new FileInputStream(certFile);
        // Build a key store in the certificate's format and load the certificate into it
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        ks.load(is, KEYMANAGER_PASSWORD.toCharArray());
        factory.init(ks, KEYMANAGER_PASSWORD.toCharArray());
        return factory.getKeyManagers();
    } catch (Exception e) {
        logger.error("getKeyManagers failure", e);
    } finally {
        if (is != null) {
            try { is.close(); } catch (IOException e) { logger.error("Close failure", e); }
        }
    }
    return null;
}

private static TrustManager[] getTrustManagers() {
    // Input stream for reading the trust store
    InputStream is = null;
    try {
        // Get the default X509 trust manager algorithm
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        // Get the trust manager factory
        TrustManagerFactory factory = TrustManagerFactory.getInstance(alg);
        // Read the trust store
        is = new FileInputStream(new File(TRUSTMANAGER_PATH));
        KeyStore ks = KeyStore.getInstance(TRUSTSTORE_TYPE);
        // Load the trust store
        ks.load(is, TRUSTMANAGER_PASSWORD.toCharArray());
        factory.init(ks);
        return factory.getTrustManagers();
    } catch (Exception e) {
        logger.error("getTrustManagers failure", e);
    } finally {
        if (is != null) {
            try { is.close(); } catch (IOException e) { logger.error("Close IO failure", e); }
        }
    }
    return null;
}
Spring mode
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:soap="http://cxf.apache.org/bindings/soap"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
                           http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
                           http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd
                           http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
                           http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd">
    <import resource="classpath:META-INF/cxf/cxf.xml"/>
    <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml"/>
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
    <context:component-scan base-package="com.test"/>
    <!-- web service client; the address is the server's web service interface address -->
    <jaxws:client id="userService" address="https://10.78.194.92:8443/webserviceserver/service/user"
                  serviceClass="com.test.UserService"/>