Digital certificate verification for WebService Security

Source: Internet
Author: User
Tags: soap openssl x509 pkcs12 jboss

This example uses OpenSSL to generate the certificates, JBoss as the application server, and CXF to implement the web service.

First install the Java environment and the OpenSSL tool. OpenSSL can be downloaded from:

http://www.openssl.org/source/openssl-1.0.0.tar.gz

Then change into the OpenSSL bin directory.

Note: It is best to work in a Linux environment; the steps below may cause problems on Windows.

Create the following folders in the OpenSSL bin directory:

    mkdir root      # root certificate directory
    cd root
    mkdir server    # stores the server-side certificate
    mkdir client    # stores the client certificates
    cd ..

To create a root certificate

Create the private key:

    openssl genrsa -out root/root-key.pem 1024

Create a certificate request:

    openssl req -new -out root/root-req.csr -key root/root-key.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Huashetianzu Technologies Co.Ltd./OU=Huashetianzu EOMS System Team/OU=Copyright (c) 1998-2008 Huashetianzu, Technologies Co., Ltd./CN=Huashetianzu EOMS Root Authority/emailAddress=huashetianzu@126.com"

Self-sign the root certificate:

    openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650

Export the certificate

Export the root certificate in PKCS12 format so that a browser can import it:

    openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root-id.p12

Note: you are prompted for an export password here; write it down, because the later configuration uses it.

To create a server-side certificate

Create the private key:

    openssl genrsa -out root/server/temip-key.pem 1024

Create a certificate request:

    openssl req -new -out root/server/temip-req.csr -key root/server/temip-key.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Huashetianzu Technologies Co., Ltd./OU=Huashetianzu EOMS System Team/OU=Copyright (c) 1998-2008 Huashetianzu. Technologies./CN=82.208.35.148/emailAddress=caoguowei.rt@huashetianzu.com"

Note: for CN, fill in localhost if the server is this machine, or the domain name if it is a web site.

Sign the server-side certificate with the root certificate:

    openssl x509 -req -in root/server/temip-req.csr -out root/server/temip-cert.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650

Export the certificate

Export the server-side certificate in PKCS12 format so that a browser can import it:

    openssl pkcs12 -export -clcerts -in root/server/temip-cert.pem -inkey root/server/temip-key.pem -out root/server/temip-id.p12

Note: you are prompted for an export password here; write it down, because the later configuration uses it.

Import the certificate into a JKS file:

    keytool -import -v -trustcacerts -storepass changeit -alias temip -file root/server/temip-cert.pem -keystore root/server/temip-id.jks

Note: enter "y" and press Return.

To create a client certificate

First, create a level-two certificate authority for client certificates, issued by the root certificate, and then use this level-two certificate to issue the client certificate.

Level-two certificate

Create the private key:

    openssl genrsa -out root/client/eomsca-key.pem 1024

Create a certificate request:

    openssl req -new -out root/client/eomsca-req.csr -key root/client/eomsca-key.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Huashetianzu Technologies Co., Ltd./OU=Huashetianzu EOMS System Team/OU=Copyright (c) 1998-2008 Huashetianzu. Technologies./CN=Huashetianzu EOMS Secure Server Authority/emailAddress=emip@gd.chinamobile.com" -reqexts v3_req

Sign the level-two certificate with the root certificate. Do not also pass -signkey here: in the OpenSSL 1.0 series used in this article, openssl x509 then self-signs the request and ignores -CA and -CAkey.

    openssl x509 -req -in root/client/eomsca-req.csr -out root/client/eomsca-cert.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650

Export the certificate

Export the level-two certificate in PKCS12 format so that a browser can import it:

    openssl pkcs12 -export -clcerts -in root/client/eomsca-cert.pem -inkey root/client/eomsca-key.pem -out root/client/eomsca-id.p12

Note: you are prompted for an export password here; write it down, because the later configuration uses it.

Import the certificate into a JKS file:

    keytool -import -v -trustcacerts -storepass changeit -alias eomsca -file root/client/eomsca-cert.pem -keystore root/client/eomsca-id.jks

Note: enter "y" and press Return.

Client certificate

Create the client certificate for your own use, signed by the level-two certificate.

Create the private key:

    openssl genrsa -out root/client/hw_huashetianzu-key.pem 1024

Create a certificate request:

    openssl req -new -out root/client/hw_huashetianzu-req.csr -key root/client/hw_huashetianzu-key.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Huashetianzu Technologies Co.Ltd./OU=Huashetianzu EOMS System Team/OU=Copyright (c) 1998-2008 Huashetianzu, Technologies./CN=localhost/emailAddress=emip@gd.chinamobile.com"

Sign the client certificate with the level-two certificate (again without -signkey, which would make openssl x509 self-sign instead):

    openssl x509 -req -in root/client/hw_huashetianzu-req.csr -out root/client/hw_huashetianzu-cert.pem -CA root/client/eomsca-cert.pem -CAkey root/client/eomsca-key.pem -CAcreateserial -days 3650

Export the certificate

Export the client certificate in PKCS12 format so that a browser can import it:

    openssl pkcs12 -export -clcerts -in root/client/hw_huashetianzu-cert.pem -inkey root/client/hw_huashetianzu-key.pem -out root/client/hw_huashetianzu-id.p12

Note: you are prompted for an export password here; write it down, because the later configuration uses it.

Import the certificate into a JKS file:

    keytool -import -v -trustcacerts -storepass changeit -alias client -file root/client/hw_huashetianzu-cert.pem -keystore root/client/hw_huashetianzu-id.jks

Note: enter "y" and press Return.

CXF HTTPS two-way configuration

Server-side configuration
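With the whole hierarchy generated, and before anything is copied to the server, it is worth checking that the certificates actually chain the way the text intends. The script below is an added example, not part of the original article or its project: it rebuilds the same three-level layout (root, level-two client CA, server and client leaf certificates) in a scratch directory with constructed names, subjects and export password, signs the two CA certificates with basicConstraints CA:TRUE (which the article's commands do not add, and without which anything that has to build a chain through the level-two certificate up to the root, such as openssl verify here or a JRE whose truststore holds only the root, rejects the client certificate), and then runs openssl verify with and without the intermediate. It assumes openssl is on the PATH and uses 2048-bit keys, which is this script's choice rather than the article's.

```shell
#!/bin/sh
# Added example, not from the original article: rebuild the article's
# three-level hierarchy (root CA -> level-two client CA -> server and client
# certificates) in a scratch directory and check it with openssl verify.
# Assumptions: openssl is on PATH; names, subjects and the export password are
# constructed for this demo; keys are 2048 bits (this script's choice).
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="demo-export-password"   # constructed export password for the .p12 file

# Extension files: a level-two CA must carry basicConstraints CA:TRUE, or
# validators refuse to build a chain through it; end-entity certs get CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# gen_cert NAME SUBJECT ISSUER EXTFILE
#   ISSUER is "self" for a self-signed certificate, otherwise the NAME of the
#   signing CA. -signkey is never combined with -CA: openssl x509 (1.x) would
#   then self-sign and silently ignore the CA.
gen_cert() {
  name=$1; subj=$2; issuer=$3; ext=$4
  openssl genrsa -out "$WORK/$name-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name-key.pem" -subj "$subj" \
    -out "$WORK/$name-req.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name-req.csr" -signkey "$WORK/$name-key.pem" \
      -days 3650 -extfile "$WORK/$ext" -out "$WORK/$name-cert.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name-req.csr" -CA "$WORK/$issuer-cert.pem" \
      -CAkey "$WORK/$issuer-key.pem" -CAcreateserial -days 3650 \
      -extfile "$WORK/$ext" -out "$WORK/$name-cert.pem" 2>/dev/null
  fi
}

# Same shape as the article: root signs the server cert and the level-two CA,
# the level-two CA signs the client cert.
build_hierarchy() {
  gen_cert root   "/C=CN/O=Demo/CN=Demo Root Authority"           self   ca.ext
  gen_cert temip  "/C=CN/O=Demo/CN=localhost"                      root   leaf.ext
  gen_cert eomsca "/C=CN/O=Demo/CN=Demo Secure Server Authority"   root   ca.ext
  gen_cert client "/C=CN/O=Demo/CN=localhost"                      eomsca leaf.ext
  # PKCS12 bundle for the browser / CXF client, with the password given on the
  # command line instead of interactively.
  openssl pkcs12 -export -clcerts -in "$WORK/client-cert.pem" \
    -inkey "$WORK/client-key.pem" -out "$WORK/client-id.p12" \
    -passout "pass:$PASS" 2>/dev/null
}

# verify_chain LEAF [INTERMEDIATE]: succeeds only if LEAF chains to the root,
# using INTERMEDIATE (if given) as an untrusted chain-building certificate.
# Matching ": OK" also works on old releases whose verify always exits 0.
verify_chain() {
  leaf="$WORK/$1-cert.pem"
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$WORK/root-cert.pem" -untrusted "$WORK/$2-cert.pem" "$leaf" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$WORK/root-cert.pem" "$leaf" 2>&1 | grep -q ': OK$'
  fi
}

# issuer_of NAME: prints the issuer DN, to confirm who actually signed a cert.
issuer_of() { openssl x509 -in "$WORK/$1-cert.pem" -noout -issuer; }

# p12_ok: the exported bundle opens with the export password and holds a cert.
p12_ok() {
  openssl pkcs12 -in "$WORK/client-id.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

main() {
  build_hierarchy
  echo "server cert signed by: $(issuer_of temip)"
  echo "client cert signed by: $(issuer_of client)"
  verify_chain temip         && echo "temip  : chains to the root directly"
  verify_chain client eomsca && echo "client : chains to the root via the level-two CA"
  verify_chain client        || echo "client : not verifiable without the level-two CA (expected)"
  p12_ok && echo "client-id.p12 opens with the export password"
  echo "files left in $WORK"
}
main
```

The negative case at the end (verifying the client certificate against the root alone) fails by design: the client presents only its leaf, so whoever verifies it must already hold the level-two certificate, which is why the article puts eomsca-id.p12, not the root, into the server's truststore.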

First, copy the temip-id.p12 file from the server folder and the eomsca-id.p12 file from the client folder that you just generated into server/default/conf under the JBoss installation directory. Then open server\default\deploy\jboss-web.deployer\server.xml under the JBoss installation directory, uncomment the connector block at roughly lines 30-40, and change it to read as follows:

    <Connector port="8443" address="0.0.0.0" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="conf/temip-id.p12" keystoreType="PKCS12" keystorePass="server-side certificate password"
               truststoreFile="conf/eomsca-id.p12" truststoreType="PKCS12" truststorePass="password for the client certificate authority"/>

Note: clientAuth="true" selects two-way HTTPS authentication, that is, the server authenticates the client and the client authenticates the server. clientAuth="false" selects one-way authentication. With two-way authentication you also need to import the server-side certificate into the JRE you are using:

    keytool -import -file temip-cert.pem -keystore %JAVA_HOME%/jre/lib/security/cacerts

You are asked for the keystore password at this point; the default password is "changeit".

Import the hw_huashetianzu-id.p12 certificate from the client folder into the browser, then open https://<server-side IP>:8443 in the browser to access the service.

Client configuration

Code mode

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.util.ArrayList;
    import java.util.List;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
    import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
    import org.apache.cxf.configuration.jsse.TLSClientParameters;
    import org.apache.cxf.endpoint.Client;
    import org.apache.cxf.frontend.ClientProxy;
    import org.apache.cxf.interceptor.Interceptor;
    import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
    import org.apache.cxf.message.Message;
    import org.apache.cxf.transport.http.HTTPConduit;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class WsClient {
        // The original snippet used these constants and the logger without defining them.
        // The values are placeholders pointing at the files generated above; adjust them
        // (and the logging framework, assumed to be SLF4J) to your own setup.
        private static final Logger logger = LoggerFactory.getLogger(WsClient.class);
        private static final String KEYMANAGER_PATH = "root/client/hw_huashetianzu-key.pem".replace("-key.pem", "-id.p12"); // client identity (PKCS12)
        private static final String KEYSTORE_TYPE = "PKCS12";
        private static final String KEYMANAGER_PASSWORD = "password chosen when exporting hw_huashetianzu-id.p12";
        private static final String TRUSTMANAGER_PATH = "root/server/temip-id.jks"; // server cert imported with keytool
        private static final String TRUSTSTORE_TYPE = "JKS";
        private static final String TRUSTMANAGER_PASSWORD = "changeit";

        /** Service endpoint address; the original helper of this name is not shown on the page. */
        private static String getRemeysaUrl() { return "https://<server-side IP>:8443/<service path>"; }

        // CipB2bServiceAssuranceWorkforceClientManagementPortType is the JAX-WS port
        // type interface generated from the service WSDL (not shown on the page).
        public static CipB2bServiceAssuranceWorkforceClientManagementPortType createPort() {
            // Create the web service factory
            JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
            // Register the web service interface
            factory.setServiceClass(CipB2bServiceAssuranceWorkforceClientManagementPortType.class);
            String wsdlAddress = getRemeysaUrl();
            // Endpoint address of the published interface
            factory.setAddress(wsdlAddress);
            SAAJInInterceptor saajInInterceptor = new SAAJInInterceptor();
            List<Interceptor<? extends Message>> interceptors = new ArrayList<Interceptor<? extends Message>>();
            interceptors.add(saajInInterceptor);
            factory.setInInterceptors(interceptors);
            SAAJOutInterceptor saajOutInterceptor = new SAAJOutInterceptor();
            List<Interceptor<? extends Message>> outInterceptors = new ArrayList<Interceptor<? extends Message>>();
            outInterceptors.add(saajOutInterceptor);
            factory.setOutInterceptors(outInterceptors);
            CipB2bServiceAssuranceWorkforceClientManagementPortType port =
                    (CipB2bServiceAssuranceWorkforceClientManagementPortType) factory.create();
            Client proxy = ClientProxy.getClient(port);
            HTTPConduit conduit = (HTTPConduit) proxy.getConduit();
            TLSClientParameters tlsParams = conduit.getTlsClientParameters();
            if (tlsParams == null) {
                tlsParams = new TLSClientParameters();
            }
            tlsParams.setTrustManagers(getTrustManagers());
            tlsParams.setKeyManagers(getKeyManagers());
            // Skips checking the server certificate CN against the host name (the server
            // CN above is an IP address). With a CN that matches the host, leave this false.
            tlsParams.setDisableCNCheck(true);
            tlsParams.setSecureSocketProtocol("SSL");
            conduit.setTlsClientParameters(tlsParams);
            return port;
        }

        private static KeyManager[] getKeyManagers() {
            InputStream is = null;
            try {
                // Default X509 key manager algorithm
                String alg = KeyManagerFactory.getDefaultAlgorithm();
                // Create the key manager factory
                KeyManagerFactory factory = KeyManagerFactory.getInstance(alg);
                File certFile = new File(KEYMANAGER_PATH);
                if (!certFile.exists() || !certFile.isFile()) {
                    return null;
                }
                is = new FileInputStream(certFile);
                // Build a key store in the format matching the certificate file
                KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
                // Load the client certificate and private key
                ks.load(is, KEYMANAGER_PASSWORD.toCharArray());
                factory.init(ks, KEYMANAGER_PASSWORD.toCharArray());
                return factory.getKeyManagers();
            } catch (Exception e) {
                logger.error("getKeyManagers failure", e);
            } finally {
                if (is != null) {
                    try {
                        is.close();
                    } catch (IOException e) {
                        logger.error("Close failure", e);
                    }
                }
            }
            return null;
        }

        private static TrustManager[] getTrustManagers() {
            // Input stream for reading the trust store
            InputStream is = null;
            try {
                // Default X509 trust manager algorithm
                String alg = TrustManagerFactory.getDefaultAlgorithm();
                // Create the trust manager factory
                TrustManagerFactory factory = TrustManagerFactory.getInstance(alg);
                // Read the trust store
                is = new FileInputStream(new File(TRUSTMANAGER_PATH));
                // Key store type
                KeyStore ks = KeyStore.getInstance(TRUSTSTORE_TYPE);
                // Load the trusted certificates
                ks.load(is, TRUSTMANAGER_PASSWORD.toCharArray());
                factory.init(ks);
                return factory.getTrustManagers();
            } catch (Exception e) {
                logger.error("getTrustManagers failure", e);
            } finally {
                if (is != null) {
                    try {
                        is.close();
                    } catch (IOException e) {
                        logger.error("Close IO failure", e);
                    }
                }
            }
            return null;
        }
    }


  Spring mode

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:jaxws="http://cxf.apache.org/jaxws"
           xmlns:jaxrs="http://cxf.apache.org/jaxrs"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:tx="http://www.springframework.org/schema/tx"
           xmlns:soap="http://cxf.apache.org/bindings/soap"
           xmlns:sec="http://cxf.apache.org/configuration/security"
           xmlns:http="http://cxf.apache.org/transports/http/configuration"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
                               http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
                               http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
                               http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd
                               http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
                               http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd">
        <import resource="classpath:META-INF/cxf/cxf.xml"/>
        <import resource="classpath:META-INF/cxf/cxf-extension-soap.xml"/>
        <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
        <context:component-scan base-package="com.test"/>
        <!-- web service client; the address is the server's web service endpoint -->
        <jaxws:client id="userService" address="https://10.78.194.92:8443/webserviceserver/service/user"
                      serviceClass="com.test.UserService"/>
    </beans>


 
