
SpringDM Notes 30: Using SSL/TLS in OSGi

 

   SSL:Secure Sockets Layer

   TLS:Transport Layer Security

1. Configuring SSL in Tomcat

   The server.xml file:

   <Server port="8005" shutdown="SHUTDOWN">
       <Service name="Catalina">
             <Connector port="8080"/>
             <Connector port="8443" minProcessors="5" maxProcessors="75"
                     enableLookups="true" disableUploadTimeout="true"
                     acceptCount="100" debug="0" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS"/>

             
             <Engine name="Catalina" defaultHost="localhost">
                     <Host name="localhost" unpackWARs="false" autoDeploy="false"
                                liveDeploy="false" deployOnStartup="false"
                                xmlValidation="false" xmlNamespaceAware="false"/>
             </Engine>
        </Service>
    </Server>

2. Create a JKS keystore using keytool, the tool shipped with the JDK (in the bin directory)

    Run the command: keytool -genkey -alias tomcat -keyalg RSA

    Session:

    [web@localhost ~]$ keytool -genkey -alias tomcat -keyalg RSA
    Enter keystore password:  changeit
    What is your first and last name?

    [Unknown]:  Daniel Rubio
    What is the name of your organizational unit?
    [Unknown]:  Editorial
    What is the name of your organization?
    [Unknown]:  Apress
    What is the name of your City or Locality?
    [Unknown]:  Berkeley
    What is the name of your State or Province?
    [Unknown]:  CA
    What is the two-letter country code for this unit?
    [Unknown]:  US
    Is CN=Daniel Rubio, OU=Unknown, O=Apress, L=Berkley, ST=CA, C=US correct?
    [no]:  yes
    Enter key password for <tomcat>
             (RETURN if same as keystore password):  changeit
    [web@localhost ~]$

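    This command generates a binary file named tomcat.keystore in the current working directory; the file
    must be placed in the root directory of the web container. In VTS there is a keystore file in the
    config directory by default, and changeit is the default password Tomcat uses to access the JKS keystore.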

 

    Creating a JKS keystore with a certificate from a commercial certificate authority:

    openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain

3. Dependencies for Tomcat SSL

    In Tomcat 5, the lib directory contains tomcat-util.jar, which must be converted to an OSGi bundle:

    java -jar bnd-0.0.249.jar wrap -output tomcat-util-osgi.jar tomcat-util.jar

4. Create the SSL configuration fragment

    Directory layout:

    TomcatSSLFragment
            META-INF
                  MANIFEST.MF
            conf
                  server.xml

    server.xml is as shown above; the MANIFEST.MF file:

    Bundle-Version: 1.0
    Bundle-SymbolicName: com.apress.springosgi.ch8.ssl
    Fragment-Host: org.springframework.osgi.catalina.start.osgi
    Bundle-Name: HelloWorld Spring-OSGi SSL Certificate Configuration
    Bundle-Vendor: Pro Spring-OSGi
    Bundle-ManifestVersion: 2

5. Access URL

    https://localhost:8443/
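
A check worth running on the fragment's conf/server.xml before deploying it, as an added example that is not part of the original notes: it flags HTTPS connectors that rely on Tomcat's default keystore location or on the default changeit password from step 2. The trimmed sample document and the function name audit_connectors are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two connectors from the page's server.xml, trimmed.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080"/>
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

DEFAULT_PASS = "changeit"              # Tomcat's default keystore password
OLD_PROTOCOLS = {"SSL", "SSLv2", "SSLv3"}

def audit_connectors(server_xml):
    """Return (port, finding) tuples for every Connector in server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("scheme") != "https":
            findings.append((port, "not a TLS connector (no scheme=https)"))
            continue
        if conn.get("secure") != "true":
            findings.append((port, "scheme=https without secure=true"))
        if conn.get("keystoreFile") is None:
            # Tomcat then falls back to .keystore in the home directory
            # of the user running it.
            findings.append((port, "keystoreFile not set"))
        # A missing keystorePass means the default password is in effect.
        if conn.get("keystorePass", DEFAULT_PASS) == DEFAULT_PASS:
            findings.append((port, "keystore uses default password"))
        if conn.get("sslProtocol") in OLD_PROTOCOLS:
            findings.append((port, "sslProtocol allows SSL, set TLS"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE):
        print(f"port {port}: {finding}")
```

For the connector shown in step 1 this reports the missing keystoreFile and the default password on port 8443; setting keystoreFile and a non-default keystorePass on that Connector clears both findings.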
