2010-10-20 14:35:24 | Category: Default
Setting up HTTPS for openacs

TR069 testing includes an HTTPS (SSL) test. This one is usually a nuisance: most environments do not have it, and building such an environment takes a bit of work.
Below I record how I configured HTTPS for openacs, for my own reference and for anyone who finds it useful.

I) Approach
    openacs is deployed on a jboss server; strictly speaking HTTPS has nothing to do with openacs itself.
    Setting up an HTTPS connection really means setting up HTTPS on jboss, i.e. on the Tomcat connector that jboss embeds.

II) Method
     For the jboss HTTPS setup, see: http://community.jboss.org/wiki/sslsetup
     Note that the article is written for jboss 3.2.3 while my jboss is 4.4.2.GA, so read it selectively, because the jboss versions differ;
    the SSL principle and the way the connection is made are the same.

    I chose the simplest of its configurations: 1 - SSL enabled on the server - the common case
           Configuration 1 is plain one-way (server-only) certificate authentication: the server presents its cert to the client during the handshake and the client connects to it.
                              The server does not request a certificate from the client (clientAuth="false"), so the client needs no keystore of its own. Whether the server certificate is checked is entirely the client's job: a CPE that verifies the ACS must have this certificate (or its issuing CA) installed as a trust anchor, and the host name it connects to must match the certificate's CN or SAN.

III) Worked configuration
    1) Generate the certificate file server.keystore
           One command is enough:
             keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"
           Caveat: CN=localhost only passes a name check when the client connects to https://localhost; for a CPE that reaches the ACS by host name, put that host name in the CN (and, with a JDK 7 or later keytool, in a SAN via -ext). Passwords passed on the command line also end up in the shell history.

    2) Edit the server.xml file
            Note: since I am not familiar with jboss, I made the same change in both the all and default directories; HTTPS worked and I did not bother checking which directory's configuration took effect. (jboss reads the server configuration it was started with, run.sh -c <name>, default when -c is omitted, so only that directory's server.xml is in use.)
         Only one setting in server.xml was changed, as follows:
<!-- keystorePass is stored here in cleartext, so restrict read access to server.xml.
     clientAuth="false": the server never asks the CPE for a certificate (one-way TLS). -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="${jboss.bind.address}"
               maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="123456" sslProtocol="TLS" />


3)  Copy the server.keystore generated in step 1) into the conf directory (${jboss.server.home.dir}/conf of the server configuration in use) and restart jboss so the connector picks it up.
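
The three steps above, and the point from section II about who verifies what, as an added example that is not from the original post, openacs or jboss. The script generates the keystore as the post does but with a real ACS host name in CN and SAN, exports the certificate in PEM form so the CPE (or a test client) can trust it, and then checks the live 8443 connector the way a verifying client would. The host name acs.example.test, the password changeit, the servlet path /openacs/acs and the assumption that a JDK 7 or later keytool, openssl and curl are on PATH are all placeholders to adjust:

```shell
#!/bin/sh
# Added example (not from the original post or the openacs/jboss projects).
# Assumptions: JDK 7+ keytool, openssl and curl on PATH; the ACS listens on 8443;
# ACS_HOST, STOREPASS and ACS_PATH are placeholders for your own values.
set -eu

ACS_HOST="${ACS_HOST:-acs.example.test}"     # assumed; must match the URL the CPEs use
KEYSTORE="${KEYSTORE:-server.keystore}"
CERT_PEM="${CERT_PEM:-server.pem}"
STOREPASS="${STOREPASS:-changeit}"           # placeholder; keep real ones out of history
ACS_PATH="${ACS_PATH:-/openacs/acs}"         # assumed ACS servlet path

# Step 1 of the post: create the key pair and keystore.
# -storetype JKS because the jboss 4 JSSE connector defaults to JKS (JDK 9+ would
# otherwise write PKCS12); a SAN so a client that checks host names accepts it.
gen_keystore() {
    keytool -genkeypair -alias serverkeys -keyalg RSA -keysize 2048 \
        -validity 825 -storetype JKS \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$ACS_HOST, OU=ACS, O=Example, L=City, ST=State, C=US" \
        -ext "SAN=dns:$ACS_HOST"
}

# Export only the self-signed certificate (never the private key) as PEM. This is
# the trust anchor to install on the CPE; the keystore itself stays on the ACS.
export_cert() {
    keytool -exportcert -rfc -alias serverkeys -storetype JKS \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$CERT_PEM"
}

# Sanity check on the exported certificate: it must name the ACS host,
# otherwise a verifying CPE will reject the connection with a name mismatch.
cert_names_host() {
    keytool -printcert -file "$CERT_PEM" | grep -q "$ACS_HOST"
}

# After server.xml is edited and the keystore copied to conf/ (steps 2 and 3),
# check the connector as a verifying client would: trust only server.pem and
# require the host name to match. Shows the negotiated protocol and verify result,
# then fetches the ACS URL; curl fails instead of printing a status on trust or
# name errors.
check_tls() {
    printf 'Q\n' | openssl s_client -connect "$ACS_HOST:8443" \
        -servername "$ACS_HOST" -CAfile "$CERT_PEM" 2>/dev/null \
        | grep -E 'Protocol|Verify return code'
    curl --silent --show-error --cacert "$CERT_PEM" \
        -o /dev/null -w 'HTTP %{http_code}\n' "https://$ACS_HOST:8443$ACS_PATH"
}

case "${1:-}" in
    setup) gen_keystore && export_cert && cert_names_host ;;
    check) check_tls ;;
esac
```

Run `sh acs_tls.sh setup` on the ACS before step 2, copy the resulting server.keystore into conf/ (and server.pem onto the CPE as its trust anchor), then `sh acs_tls.sh check` after the restart. Any HTTP status from the check (an ACS often answers 401 to an unauthenticated request) means the TLS layer is fine; a curl failure means the certificate does not chain to server.pem or does not carry the name the client used.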
Appendix 1  Complete content of the server.xml file:

<Server>

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />

   <!-- Use a custom version of StandardService that allows the
   connectors to be started independent of the normal lifecycle
   start to allow web apps to be deployed before starting the
   connectors.
   -->
   <Service name="jboss.web">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" address="${jboss.bind.address}"   
         maxThreads="250" maxHttpHeaderSize="8192"
         emptySessionPath="true" protocol="HTTP/1.1"
         enableLookups="false" redirectPort="8443" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true" />

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="${jboss.bind.address}"   
               maxThreads="100" minSpareThreads="5" maxSpareThreads="15"   
               scheme="https" secure="true" clientAuth="false"   
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"   
               keystorePass="123456" sslProtocol = "TLS" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"
         emptySessionPath="true" enableLookups="false" redirectPort="8443" />

      <Engine name="jboss.web" defaultHost="localhost">

         <!-- The JAAS based authentication and authorization realm implementation
         that is compatible with the jboss 3.2.x realm implementation.
         - certificatePrincipal : the class name of the
         org.jboss.security.auth.certs.CertificatePrincipal impl
         used for mapping X509[] cert chains to a Principal.
         - allRolesMode : how to handle an auth-constraint with a role-name=*,
         one of strict, authOnly, strictAuthOnly
           + strict = Use the strict servlet spec interpretation which requires
           that the user have one of the web-app/security-role/role-name
           + authOnly = Allow any authenticated user
           + strictAuthOnly = Allow any authenticated user only if there are no
           web-app/security-roles
         -->
         <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
            allRolesMode="authOnly"
            />
         <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
         behavior of JBossSecurityMgrRealm, but overrides the authorization
         checks to use JACC permissions with the current java.security.Policy
         to determine authorized access.
         - allRolesMode : how to handle an auth-constraint with a role-name=*,
         one of strict, authOnly, strictAuthOnly
           + strict = Use the strict servlet spec interpretation which requires
           that the user have one of the web-app/security-role/role-name
           + authOnly = Allow any authenticated user
           + strictAuthOnly = Allow any authenticated user only if there are no
           web-app/security-roles
         <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
            allRolesMode="authOnly"
            />
         -->

        <Host name="localhost"
           autoDeploy="false" deployOnStartup="false" deployXML="false"
           configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"
           >

            <!-- Uncomment to enable request dumper. This Valve "logs interesting
                 contents from the specified Request (before processing) and the
                 corresponding Response (after processing). It is especially useful
                 in debugging problems related to headers and cookies."
            -->
            <!--
            <Valve className="org.apache.catalina.valves.RequestDumperValve" />
            -->
 
            <!-- Access logger -->
            <!--
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                prefix="localhost_access_log." suffix=".log"
                pattern="common" directory="${jboss.server.home.dir}/log"
                resolveHosts="false" />
            -->

            <!-- Uncomment to enable single sign-on across web apps
                deployed to this host. Does not provide SSO across a cluster.    
           
                If this valve is used, do not use the JBoss ClusteredSingleSignOn
                valve shown below.
               
                A new configuration attribute is available beginning with
                release 4.0.4:
               
                cookieDomain  configures the domain to which the SSO cookie
                              will be scoped (i.e. the set of hosts to
                              which the cookie will be presented).  By default
                              the cookie is scoped to "/", meaning the host
                              that presented it.  Set cookieDomain to a
                              wider domain (e.g. "xyz.com") to allow an SSO
                              to span more than one hostname.
             -->
            <!--
            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
            -->

            <!-- Uncomment to enable single sign-on across web apps
               deployed to this host AND to all other hosts in the cluster.
           
               If this valve is used, do not use the standard Tomcat SingleSignOn
               valve shown above.
           
               Valve uses a JBossCache instance to support SSO credential
               caching and replication across the cluster.  The JBossCache
               instance must be configured separately.  By default, the valve
               shares a JBossCache with the service that supports HttpSession
               replication.  See the "jboss-web-cluster-service.xml" file in the
               server/all/deploy directory for cache configuration details.
           
               Besides the attributes supported by the standard Tomcat
               SingleSignOn valve (see the Tomcat docs), this version also
               supports the following attributes:
           
               cookieDomain   see above
           
               treeCacheName  JMX ObjectName of the JBossCache MBean used to
                              support credential caching and replication across
                              the cluster. If not set, the default value is
                              "jboss.cache:service=TomcatClusteringCache", the
                              standard ObjectName of the JBossCache MBean used
                              to support session replication.
            -->
            <!--
            <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
            -->
        
            <!-- Check for unclosed connections and transaction terminated checks
                 in servlets/jsps.
                
                 Important: The dependency on the CachedConnectionManager
                 in META-INF/jboss-service.xml must be uncommented, too
            -->
            <Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve"
                cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
                transactionManagerObjectName="jboss:service=TransactionManager" />

         </Host>

      </Engine>

   </Service>

</Server>