SSL单向认证Java实现 Tomcat篇

单向验证，客户机只验证服务器的证书，服务器不验证客户机的证书。所以只需要生成服务器端的keystore.

1. 以jks格式生成服务器端包含Public key和Private Key的keystore文件，keypass与storepass务必要一样，因为在tomcat server.xml中只配置一个password.

keytool -genkey -alias server -keystore serverKeystore.jks -keypass 123456 -storepass 123456 -keyalg RSA  -keysize 512 -validity 365 -v -dname "CN = W03GCA01A,O = ABC BANK,DC = Server Https,DC = ABC,OU = Firefly Technology And Operation"

2. 从keystore中导出别名为server的服务端证书.

keytool -export -alias server -keystore serverKeystore.jks -storepass 123456 -file server.cer
 
3. 将server.cer导入客户端的信任证书库clientTruststore.jks。
 
 keytool -import -alias trustServer -file server.cer -keystore clientTruststore.jks -storepass 123456
 
 服务器端： serverKeystore.jks
 客户端：   clientTruststore.jks
 
4. 在tomcat 配置server.xml

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="keystore/serverKeystore.jks" keystorePass="123456"  />

5. 客户端代码

/**
 * 
 */
package com.ssl.http;

import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

/**
 * 
 * @author kevin
 *
 */
public class ClientOneWaySSL {

    public final static void main(String[] args) throws Exception {
        DefaultHttpClient httpclient = new DefaultHttpClient();

        KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());        
        FileInputStream instream = new FileInputStream(new File("com/ssl/http/clientTruststore.jks")); 
        try {
            trustStore.load(instream, "123456".toCharArray());
        } finally {
            instream.close();
        }
        
        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
        Scheme sch = new Scheme("https", socketFactory, 8443);
        httpclient.getConnectionManager().getSchemeRegistry().register(sch);

        HttpGet httpget = new HttpGet("https://w03gca01a/");

        System.out.println("executing request" + httpget.getRequestLine());
        
        HttpResponse response = httpclient.execute(httpget);
        HttpEntity entity = response.getEntity();

        System.out.println("----------------------------------------");
        System.out.println(response.getStatusLine());
        if (entity != null) {
            System.out.println("Response content length: " + entity.getContentLength());
        }
        if (entity != null) {
            entity.consumeContent();
        }

        // When HttpClient instance is no longer needed, 
        // shut down the connection manager to ensure
        // immediate deallocation of all system resources
        httpclient.getConnectionManager().shutdown();        
    }

}

 

6. 运行成功打印如下：

executing requestGET https://w03gca01a/ HTTP/1.1
----------------------------------------
HTTP/1.1 200 OK
Response content length: 7347

 

备注：

A. 如出现如下error，请配置C:\WINDOWS\system32\drivers\etc\hosts, 将“127.0.0.1     w03gca01a” 加在hosts文件中

executing requestGET https://w03gca01a/ HTTP/1.1
Exception in thread "main" javax.net.ssl.SSLException: hostname in certificate didn't match: <w03gca01a> != <localhost>
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
	

 

B. 本文用到 httpcore-4.0.1.jar httpclient-4.0.1.jar httpmime-4.0.1.jar，下载地址：

http://hc.apache.org/downloads.cgi