Deployment – Page 13 – Neohope的网络笔记

openssl获取网站证书及验证证书链

Posted on 2012/08/08 by neohope — No Comments ↓

1、获取网站证书信息

set OPENSSL_CONF=C:\ProgramerTools\OpenSSL-Win64\bin\openssl.cfg
#获取淘宝证书信息
openssl s_client -showcerts -connect www.taobao.com:443
#获取淘宝ssl2证书信息
openssl s_client -showcerts -ssl2 -connect www.taobao.com:443

2、验证证书链
比如，我有一个自签名的三层证书系统：
NMyCA1024（RootCA，自签名认证）
NMySubCA1024（NMySubCA1024是是中级CA，是NMyCA1024认证过的）
Server（Server是服务器证书，是NMySubCA1024认证过的）

可以用如下方法验证证书链：

#会告诉你这是一个自签名证书
openssl verify NMyCA1024.pem

#L1中方的是NMyCA1024的证书
openssl verify -CAfile L1.pem NMySubCA1024.pem

#L2中方的是NMyCA1024及NMySubCA1024的证书
openssl verify -CAfile L2.pem Server.pem

#只用中级证书，会导致证书链不完整，无法通过验证
openssl verify -CAfile NMySubCA1024.pem Server.pem

JKS密码验证

Posted on 2012/08/06 by neohope — No Comments ↓

下面的程序用来验证JKS的文件及密码是否正确

public static URL getStoreURL(String storePath) throws IOException
{
	URL url = null;
	// First see if this is a URL
	try
	{
		url = new URL(storePath);
	}
	catch (MalformedURLException e)
	{
		// Not a URL or a protocol without a handler so...
		// next try to locate this as file path
		File tst = new File(storePath);
		if (tst.exists() == true)
		{
			url = tst.toURL();
		} else
		{
			// not a file either, lastly try to locate this as a classpath
			// resource
			if (url == null)
			{
				ClassLoader loader = Thread.currentThread().getContextClassLoader();
				url = loader.getResource(storePath);
			}
		}
	}
	// Fail if no valid key store was located
	if (url == null)
	{
		String msg = "Failed to find url=" + storePath + " as a URL, file or resource";
		throw new MalformedURLException(msg);
	}
	return url;
}

public static KeyStore loadKeyStore(String storeType, URL storePathURL, String storePassword) throws Exception
{
	KeyStore keyStore = null;
	String provider = null;
	String providerName = null;

	if (provider != null)
	{
		keyStore = KeyStore.getInstance(storeType, provider);
	} else
		if (providerName != null)
		{
			keyStore = KeyStore.getInstance(storeType, providerName);
		} else
		{
			keyStore = KeyStore.getInstance(storeType);
		}
	if (storePathURL == null) { throw new Exception("Can not find store file for url because store url is null."); }
	// now that keystore instance created, need to load data from file
	InputStream keyStoreInputStream = null;
	try
	{
		keyStoreInputStream = storePathURL.openStream();
		// is ok for password to be null, as will just be used to check
		// integrity of store
		char[] password = storePassword != null ? storePassword.toCharArray() : null;
		keyStore.load(keyStoreInputStream, password);
	}
	finally
	{
		if (keyStoreInputStream != null)
		{
			try
			{
				keyStoreInputStream.close();
			}
			catch (IOException e)
			{
				// no op
			}
			keyStoreInputStream = null;
		}
	}
	return keyStore;
}

public static String verifyP12(String p12Path,String p12Pwd)
{
            String ret = "验证成功";
            try
            {
	URL ksURL = getStoreURL(p12Path);
                if(ksURL==null)throw new Exception(p12Path+"文件未找到");
                    
	loadKeyStore("PKCS12",ksURL,p12Pwd);
            }
            catch(Exception ex)
            {
                ret = ex.getMessage();
                ex.printStackTrace();
            }
            return ret;
}

public static String verifyJks(String jksPath,String jksPwd)
{
            String ret = "验证成功";
            try
            {
	URL ksURL = getStoreURL(jksPath);
	loadKeyStore("JKS",ksURL,jksPwd);
                
                if(ksURL==null)throw new Exception(jksPath+"文件未找到");
            }
            catch(Exception ex)
            {
                ret = ex.getMessage();
                ex.printStackTrace();
            }
            
            return ret;
}

AXIS2客户端支持TLS

Posted on 2012/08/06 by neohope — No Comments ↓

只要设置下面几个环境变量就好啦；）

public static final String TRUST_STORE_PASSWORD = "javax.net.ssl.trustStorePassword";
public static final String TRUST_STORE = "javax.net.ssl.trustStore";
public static final String TRUST_STORE_TYPE = "javax.net.ssl.trustStoreType";
public static final String KEY_STORE_TYPE = "javax.net.ssl.keyStoreType";
public static final String KEY_STORE_PASSWORD = "javax.net.ssl.keyStorePassword";
public static final String KEY_STORE = "javax.net.ssl.keyStore";

openssl生成key

Posted on 2012/08/06 by neohope — No Comments ↓

生成私钥及自签名证书（自签名这样就可以咯）

set OPENSSL_CONF=%OPENSSL_HOME%\bin\openssl.cfg
openssl genrsa 1024 > test.key
openssl req -new -x509 -nodes -key test.key -days 1095 -subj "/C=CN/ST=ShangHai/L=ShangHai/O=NEOHOPE/OU=Development/CN=NMyCA1024" > test.pem

生成私钥、证书请求及自签名证书（通常是把csr文件发给第三方机构申请证书，这里仍然是自签名）

set OPENSSL_CONF=%OPENSSL_HOME%\bin\openssl.cfg
openssl genrsa -out test1.key 1024
openssl req -new -key test.key -out test1.csr -subj -subj "/C=CN/ST=ShangHai/L=ShangHai/O=NEOHOPE/OU=Development/CN=NMyCA1024"
openssl x509 -req -days 3650 -in test1.csr -signkey test1.key -out test1.pem

这里请注意，自签名证书的话，上面两种方式是一样的。但这里只有一层，也就是没有CA的存在，如果需要CA及服务器两层的话，就要：
1、生成CA的私钥及证书
2、生成服务器私钥及证书
3、用CA的私钥对服务器证书签名
4、所有客户端信任CA证书

pem转为p12（私钥+证书）

set OPENSSL_CONF=%OPENSSL_HOME%\bin\openssl.cfg
openssl pkcs12 -export -out test.p12 -in test.pem -inkey test.key

pem转为jks的truststore（ca证书）

keytool -import -v -trustcacerts -file test.pem -keystore test.jks -storepass 123456 -alias caRoot
keytool -list -v -keystore test.jks -storepass 123456

p12转为jks的keystore（私钥+证书）

keytool -importkeystore -srckeystore test.p12 -destkeystore test1.jks -srcstoretype PKCS12 -deststoretype JKS -srcstorepass 123456 -deststorepass 123456
keytool -list -v -keystore test1.jks -storepass 123456

这里请注意，jks与p12的密码要设成一样的，否则有些时候会无法使用。

keytool生成key

Posted on 2012/08/06 by neohope — No Comments ↓

生成keystore及cert

#生成私钥
keytool -genkey -validity 10000 -keyalg RSA -dname "CN=neohope OU=neohope O=neohope L=Shanghai C=CN" -keystore node1.jks -alias node1 -keypass password -storepass password 
#导出证书
keytool -export -file node1.crt -keystore node1.jks -alias node1 -keypass password -storepass password 
#生成truststore
keytool -import -trustcacerts -file node1.crt -keystore trust.jks -alias node1 -keypass password -storepass password 
#查看
keytool -list -keystore node1.jks
keytool -list -keystore trust.jks

jks转p12

keytool -importkeystore -srckeystore node1.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore node1.p12 -srcstorepass password -deststorepass password

JKS与P12证书互转

Posted on 2012/08/06 by neohope — No Comments ↓

::JKS → P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

::P12 → JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

在这里，有一点大家一定要记住，P12的密码和JKS的密码一定要一致，否则很多容器（如Tomcat）无法加载。一般来说，JKS要求密码至少为6位，所以如果P12的密码位数太短，就要修改P12的密码啦：

openssl pkcs12 -in keystore.p12 -out keystore.pem -nodes
openssl pkcs12 -export -out keystore1.p12 -in keystore.pem

JBoss配置TLS

Posted on 2012/08/06 by neohope — No Comments ↓

文件%JBOSS_HOME%\server\default\deploy\jboss-web.deployer\server.xml
增加下面陪孩子

<Connector port="8443" address="${jboss.bind.address}"
          protocol="HTTP/1.1" SSLEnabled="true" 
          maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
      	  emptySessionPath="true"
      	  scheme="https" secure="true" clientAuth="false" 
      	  disableUploadTimeout="true" 
      	  keystoreFile="${jboss.server.home.dir}/conf/node1.jks"
      	  keystorePass="passward"
      	  keyAlias="node1"
      	  sslProtocol = "TLS" />

Tomcat配置TLS

Posted on 2012/08/06 by neohope — No Comments ↓

%TOMCAT_HOME%/conf/server.xml中添加以下配置即可

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
	       clientAuth="false" sslProtocol="TLS"
               keystoreFile="TOMCAT_HOME\conf\AXDS_2012_Keystore.jks"
               keystorePass="password"
	       truststoreFile="TOMCAT_HOME\conf\AXDS_2012_Truststore.jks" 
	       truststorePass="password"            
	       />

Nginx反向代理upstream跳转错误

Posted on 2012/06/28 by neohope — No Comments ↓

前两天架设Nginx反向代理时，用ip hash的方法设置了几个upstream(backend1,backend2,backend3…)

发现有一个网站总是去查找
http://backend2/
最后域名解析失败。
可其他网站都是好的啊。

无奈用Firebug看了一下网页，http header中赫然写着一行
baseurl=http://backend2/

找出jsp文件，发现是MyEclipse生成模板是，会加这么几行

<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<head>
    <base href="<%=basePath%>"]
</head>

IIS文件上传大小限制

Posted on 2012/05/26 by neohope — No Comments ↓

1、首先要修改IIS的配置
编辑文件C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml

<!--修改下面一行，将上传大小调整为1G左右-->
<attribute name="maxAllowedContentLength" type="uint" defaultValue="1000000000" />

2、要调整项目配置
编辑文件Web.config

<configuration>
  <system.web>
    <!--增加下面一行，将上传大小调整为1G左右，上传超时调整为10分钟-->
    <httpRuntime targetFramework="4.5" maxRequestLength="1000000000" executionTimeout="600"/>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true"/>
  </system.webServer>
</configuration>