Preparing the keystore
What you need

| Item | File |
|---|---|
| Private key of the website | website.key |
| Website certificate (as issued by the CA) | website.crt |
| Intermediate certificate | inter.crt |
| Root CA certificate | rootca.crt |
Create a keystore from the private key and certificate
Create a .p12 file containing the private key and the full certificate chain; you will be asked for a password that protects the .p12 file. `-chain` makes openssl build the chain from chain.crt and embed it, so the export fails outright if an intermediate is missing, which is the behaviour you want:

```sh
$ cat inter.crt rootca.crt > chain.crt
$ openssl pkcs12 -export -in website.crt -inkey website.key -chain -CAfile chain.crt -name "domain" -out website.p12
Enter Export Password:
Verifying - Enter Export Password:
```

Convert the .p12 file to .jks, Java's own keystore format, entering the password from the previous step when asked for the source keystore password:

```sh
$ keytool -importkeystore -deststorepass newpassword -destkeystore website.jks -srckeystore website.p12 -srcstoretype PKCS12
Enter source keystore password:
Entry for alias dalatcity.org successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
```

The result is website.jks, a keystore holding the private key and the complete certificate chain the website needs, protected by the password "newpassword" (the keystore password). The key password is the password chosen in the .p12 step: keytool reuses the source entry's password for the key when `-destkeypass` is not given. The alias is whatever was passed to `-name`. Two caveats: a password given on the command line (`-deststorepass`) ends up in the shell history, so it is better to let keytool prompt for it; and JKS is a legacy format (Java 9 and later default to PKCS12), so Tomcat can also be pointed straight at the .p12 with `certificateKeystoreType="PKCS12"`, skipping this conversion.
The key password can be changed as follows (keytool prompts for the current and the new password):

```sh
keytool -keypasswd -alias <key_alias> -keystore <keystore.file>
```
Verify
Run the following command. The keystore is complete when "Entry type" is "PrivateKeyEntry" and the certificate chain runs from the website certificate up to the root CA: each Issuer must match the next Owner, and the last certificate is self-issued. Check the validity dates as well; an expired intermediate in the keystore is sent to clients and breaks the chain even when the website certificate is current.

```sh
# keytool -list -v -keystore website.jks | egrep "^(Alias|Entry|Owner|Issuer|Serial|Valid)"
Enter keystore password:
Alias name: domain.ext
Entry type: PrivateKeyEntry
...
Owner: CN=*.domain.ext, O=COMPANY, L=Ha Noi, ST=Ha Noi, C=VN
Issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Serial number: 77066f2460de12c1540fc543
Valid from: Fri Sep 01 11:02:08 ICT 2017 until: Mon Sep 02 11:02:08 ICT 2019
...
Owner: CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Serial number: 40000000001444ef04247
Valid from: Thu Feb 20 17:00:00 ICT 2014 until: Tue Feb 20 17:00:00 ICT 2024
...
Owner: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Serial number: 40000000001154b5ac394
Valid from: Tue Sep 01 19:00:00 ICT 1998 until: Fri Jan 28 19:00:00 ICT 2028
```
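The keystore procedure above, as an added example that is not part of the original page: a shell script that builds website.p12 from a key and a chain the way the guide does, but checks the inputs first (does the private key belong to the certificate? does the chain verify against the root?) and the result afterwards (did all three certificates land in the .p12, and does keytool see a PrivateKeyEntry with a 3-certificate chain?). It runs on a throw-away test PKI constructed inside the script (the subjects, the hostname www.example.test and the password changeit are made up); point it at your real website.key / website.crt / inter.crt / rootca.crt instead. It assumes openssl 1.1.1 or 3.x on PATH and uses keytool only if it is installed.

```shell
#!/bin/sh
# Added example, not from the original page: build and verify website.p12.
# Inputs are checked before the export, the output is checked after it.
# Assumes openssl (1.1.1 or 3.x); keytool is used when present.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI (root -> intermediate -> leaf); all names are made up.
# The [req]/[dn] sections make `openssl req` independent of the system openssl.cnf.
make_test_chain() {
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    for n in rootca inter website; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
    done
    openssl req -new -config ext.cnf -key rootca.key -subj "/CN=Example Test Root CA" -out rootca.csr 2>/dev/null
    openssl x509 -req -in rootca.csr -signkey rootca.key -days 30 \
        -extfile ext.cnf -extensions ca -out rootca.crt 2>/dev/null
    openssl req -new -config ext.cnf -key inter.key -subj "/CN=Example Test Intermediate CA" -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 30 \
        -extfile ext.cnf -extensions ca -out inter.crt 2>/dev/null
    openssl req -new -config ext.cnf -key website.key -subj "/CN=www.example.test" -out website.csr 2>/dev/null
    openssl x509 -req -in website.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
        -extfile ext.cnf -extensions leaf -out website.crt 2>/dev/null
}

# The private key must belong to the certificate: compare the two public keys (DER).
key_matches_cert() {  # key cert
    openssl pkey -in "$1" -pubout -outform DER -out "$WORK/k.der" 2>/dev/null || return 1
    openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER -out "$WORK/c.der" 2>/dev/null || return 1
    cmp -s "$WORK/k.der" "$WORK/c.der"
}

# The chain must verify: leaf signed by the intermediate, intermediate by the root.
chain_verifies() {  # leaf inter root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Build the .p12 as the guide does (chain file = intermediate + root); -certfile
# embeds exactly those two certificates. SHA1/3DES is used because Java 7, and
# Java 8 before 8u301, cannot read the AES/PBKDF2 defaults OpenSSL 3 writes.
build_p12() {  # key cert inter root password out
    cat "$3" "$4" > "$WORK/chain.crt"
    openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$WORK/chain.crt" -name domain \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$5" -out "$6" 2>/dev/null
}

# Number of certificates inside the .p12; a complete chain here is 3.
p12_cert_count() {  # p12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Import into a PKCS12 keystore (JKS is legacy) and apply the guide's own check:
# a PrivateKeyEntry whose certificate chain is 3 long.
keystore_ok() {  # p12 password keystore
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, keystore check skipped"; return 0; }
    keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype PKCS12 -deststorepass "$2" >/dev/null 2>&1 || return 1
    keytool -list -v -keystore "$3" -storepass "$2" > "$WORK/list.txt" 2>/dev/null || return 1
    grep -q 'Entry type: PrivateKeyEntry' "$WORK/list.txt" \
        && grep -q 'Certificate chain length: 3' "$WORK/list.txt"
}

run_example() {
    make_test_chain
    key_matches_cert website.key website.crt || { echo "website.key does not match website.crt"; return 1; }
    chain_verifies website.crt inter.crt rootca.crt || { echo "chain does not verify"; return 1; }
    build_p12 website.key website.crt inter.crt rootca.crt changeit website.p12 || return 1
    [ "$(p12_cert_count website.p12 changeit)" -eq 3 ] || { echo "incomplete chain in website.p12"; return 1; }
    keystore_ok website.p12 changeit website.keystore || { echo "keystore check failed"; return 1; }
    echo "website.p12 built and verified"
}

run_example
```

The two input checks catch the most common causes of a broken keystore before anything is exported: a key that belongs to last year's CSR, and a chain file missing the intermediate (openssl then reports "unable to get local issuer certificate"). The count of certificates in the .p12 is what the guide's `keytool -list -v` check verifies by eye.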
Installing SSL on Oracle WebLogic
Guide to installing SSL on Oracle WebLogic Server
Installing SSL with SNI on Java Tomcat
This guide targets Java Tomcat 8 on CentOS 7. Serving a different certificate per hostname on one connector (SNI, one SSLHostConfig per host) needs Tomcat 8.5 or later; the JSSE (NIO) connector can do that on its own. APR with the Tomcat Native library is built here because it makes OpenSSL the TLS engine, and on Java 7 and 8 that is the only way to get ALPN, which the HTTP/2 upgrade configured below requires.
Steps
Install the OpenSSL development library

```sh
yum -y install openssl-devel
```

Install the Expat development library

```sh
yum -y install expat-devel
```

Install the build tools

```sh
yum -y groupinstall "Development Tools"
```

Download and build APR. The tarballs come over plain HTTP from a third-party mirror, so compare them against the checksums or PGP signatures the Apache APR project publishes before running make:

```sh
wget http://mirror.downloadvn.com/apache/apr/apr-1.6.3.tar.gz
tar -xzf apr-1.6.3.tar.gz
cd apr-1.6.3
./configure
make
make install
```

Download and build APR-Util (same verification applies)

```sh
wget http://mirror.downloadvn.com/apache/apr/apr-util-1.6.1.tar.gz
tar -xzf apr-util-1.6.1.tar.gz
cd apr-util-1.6.1
./configure --with-apr=/usr/local/apr
make
make install
```

Build the Tomcat Native library (shipped with Tomcat as bin/tomcat-native.tar.gz). With `--with-apr` it installs into /usr/local/apr/lib, the directory Tomcat is pointed at below:

```sh
cd $CATALINA_HOME/bin
tar -zxvf tomcat-native.tar.gz
cd tomcat-native-1.2.14-src/native/
./configure --with-apr=/usr/local/apr --with-java-home=/opt/jdk1.7.0_80
make
make install
```
Configure the Tomcat configuration file. The key files are referenced from /root here; whichever account runs Tomcat must be able to read them and nobody else should, so keep them owned by that account with mode 0600 (or 0640 with the Tomcat group) and outside /root when Tomcat does not run as root. Binding port 443 also needs root or CAP_NET_BIND_SERVICE; the later sections use 8443 or put nginx in front for that reason.

```sh
vim $CATALINA_HOME/conf/server.xml
```

```xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="www.studytrails.com">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig hostName="www.studytrails.com">
        <Certificate certificateKeyFile="/root/www_studytrails_com/www_studytrails_com.key"
                     certificateFile="/root/www_studytrails_com/www_studytrails_com.crt"
                     certificateChainFile="/root/www_studytrails_com/www_studytrails_com.bundle"
                     type="RSA" />
    </SSLHostConfig>
    <SSLHostConfig hostName="api.studytrails.com">
        <Certificate certificateKeyFile="/root/api_studytrails_com/api_studytrails_com.key"
                     certificateFile="/root/api_studytrails_com/api_studytrails_com.crt"
                     certificateChainFile="/root/api_studytrails_com/api_studytrails_com.bundle"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```
Declare the path to APR in the Tomcat startup script. catalina.sh sources $CATALINA_BASE/bin/setenv.sh (or $CATALINA_HOME/bin/setenv.sh) if it exists, so putting the line in setenv.sh instead of editing catalina.sh itself survives Tomcat upgrades:

```sh
vim $CATALINA_HOME/bin/catalina.sh
CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"
```
Start Tomcat and check the log; lines like the following mean APR is in use (the versions reported will be the ones you built, not those in this sample). If instead the log says "The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path", the library path above is wrong.

```sh
./catalina.sh start
Sep 06, 2013 2:10:09 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.27 using APR version 1.4.8.
Sep 06, 2013 2:10:09 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
```
Installing from the repository (CentOS 7)
Install Java 7. The java-1.7.0-openjdk package is the JRE, which is enough to run Tomcat and already includes keytool (the compiler is in java-1.7.0-openjdk-devel). Java 7 is end of life; Tomcat 8.5 also runs on Java 8, which CentOS 7 ships as java-1.8.0-openjdk, and that is the better choice for a new install.

```sh
$ sudo yum install java-1.7.0-openjdk
```

Check the Java version

```sh
$ java -version
java version "1.7.0_191"
OpenJDK Runtime Environment (rhel-2.6.15.4.el7_5-x86_64 u191-b01)
OpenJDK 64-Bit Server VM (build 24.191-b01, mixed mode)
```
Installing Tomcat 8.5
Create the Tomcat user (no home directory contents, no login shell)

```sh
$ sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat
```

Download Tomcat. Check the archive against the checksum or PGP signature published next to it on the Apache download site before unpacking. The zip archive does not preserve execute bits, which is why the chmod is needed (the .tar.gz keeps them). Note that `chown -R tomcat:` hands the whole installation to the service account; a tighter layout keeps CATALINA_HOME owned by root and gives tomcat write access only to logs, temp, work and webapps, so that a compromised application cannot modify Tomcat itself.

```sh
$ wget http://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.33/bin/apache-tomcat-8.5.33.zip
$ unzip apache-tomcat-*.zip
$ sudo mkdir -p /opt/tomcat
$ sudo mv apache-tomcat-8.5.33 /opt/tomcat/
$ sudo ln -s /opt/tomcat/apache-tomcat-8.5.33 /opt/tomcat/latest
$ sudo chown -R tomcat: /opt/tomcat
$ sudo chmod +x /opt/tomcat/latest/bin/*.sh
```
Set up the systemd service file. Tomcat runs as the unprivileged tomcat user, so it cannot bind port 443 directly; that is why the connectors below listen on 8443 or sit behind nginx. `-Djava.security.egd=file:///dev/urandom` keeps session-ID generation from blocking on /dev/random at startup.

/etc/systemd/system/tomcat.service:

```ini
[Unit]
Description=Tomcat 8.5 servlet container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
```
```sh
$ sudo systemctl daemon-reload
```

Enable and start the service

```sh
$ sudo systemctl enable tomcat
$ sudo systemctl start tomcat
```

Check that the service is running

```sh
$ sudo systemctl status tomcat
tomcat.service - Tomcat 8.5 servlet container
   Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-03-31 16:30:48 UTC; 3s ago
  Process: 23826 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 23833 (java)
   CGroup: /system.slice/tomcat.service
           └─23833 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/tomcat/latest/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=fi...
```

Check the Tomcat version

```sh
$ java -cp /opt/tomcat/latest/lib/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/8.5.23
Server built:   Sep 28 2017 10:30:11 UTC
Server number:  8.5.23.0
OS Name:        Linux
OS Version:     3.10.0-862.2.3.el7.x86_64
Architecture:   amd64
JVM Version:    1.7.0_191-mockbuild_2018_07_30_15_33-b00
JVM Vendor:     Oracle Corporation
```
Install the packages Tomcat needs for SSL with APR. This is the packaged alternative to the source build in the previous section; on CentOS 7 tomcat-native comes from the EPEL repository.

```sh
$ sudo yum install apr apr-util tomcat-native
```
Configure the connector
Using APR with certificate files. Relative paths resolve against $CATALINA_BASE; certificateChainFile is the PEM file holding the intermediate and root certificates (the chain.crt built earlier). In practice each SSLHostConfig points at that host's own key and certificate.

server.xml:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="300" acceptCount="1000" maxKeepAliveRequests="1000"
           defaultSSLHostConfigName="defaultdomain.com">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig hostName="defaultdomain.com"
                   certificateKeyFile="conf/ssl/website.key"
                   certificateFile="conf/ssl/website.crt"
                   certificateChainFile="conf/ssl/website.chain.crt" />
    <SSLHostConfig hostName="anotherdomain.com"
                   certificateKeyFile="conf/ssl/website.key"
                   certificateFile="conf/ssl/website.crt"
                   certificateChainFile="conf/ssl/website.chain.crt" />
</Connector>
```
Using NIO with a keystore. This uses the keystore from the first section: certificateKeyAlias selects the entry (the `-name` given to openssl), certificateKeystorePassword is the keystore password ("newpassword" above) and certificateKeyPassword is the key password from the .p12 step. Three notes. `+TLSv1.1` re-enables TLS 1.1, which RFC 8996 deprecates; `protocols="TLSv1.2"` is the sensible value today (add `+TLSv1.3` where the JSSE provider supports it). The passwords sit in clear text in server.xml, so that file must be readable only by the Tomcat user. There is no UpgradeProtocol here because JSSE on Java 7 and 8 has no ALPN, so HTTP/2 needs the APR/OpenSSL connector.

server.xml:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="300" acceptCount="1000" maxKeepAliveRequests="1000"
           defaultSSLHostConfigName="defaultdomain.com">
    <SSLHostConfig hostName="defaultdomain.com" protocols="TLSv1.2,+TLSv1.1">
        <Certificate certificateKeyAlias="defaultdomain"
                     certificateKeystoreFile="conf/ssl/website.jks"
                     certificateKeystorePassword="keystorepass"
                     certificateKeyPassword="keypass"
                     type="RSA" />
    </SSLHostConfig>
    <SSLHostConfig hostName="anotherdomain.com" protocols="TLSv1.2,+TLSv1.1">
        <Certificate certificateKeyAlias="anotherdomain"
                     certificateKeystoreFile="conf/ssl/website.jks"
                     certificateKeystorePassword="keystorepass"
                     certificateKeyPassword="keypass"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```
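The SNI walkthrough keeps its private keys under /root while the service unit runs Tomcat as the tomcat user, and the NIO connector stores keystore passwords in server.xml. Here is an added audit script, not part of the original page, that checks all of that in one pass: it pulls every certificateKeyFile and certificateKeystoreFile out of a server.xml, resolves relative paths against CATALINA_BASE as Tomcat does, and reports any key, keystore or server.xml that is readable by accounts other than the service account (or not readable by the service account at all). It assumes GNU stat (Linux) and paths without spaces; the demo CATALINA_BASE, hostnames and file names it builds are constructed for the run.

```shell
#!/bin/sh
# Added example, not from the original page: audit the TLS material a Tomcat
# server.xml points at. Assumes GNU stat (Linux) and paths without spaces.
set -u

# Values of one attribute from server.xml, without needing an XML parser.
xml_attr_values() {  # attr file
    grep -o "$1=\"[^\"]*\"" "$2" | sed 's/^[^"]*"//; s/"$//'
}

# Is the file private to the service account? Prints a verdict, returns 0/1.
check_private_file() {  # path user group
    cf=$1; cu=$2; cg=$3
    [ -f "$cf" ] || { echo "MISSING            $cf"; return 1; }
    st=$(stat -c '%a %U %G' "$cf" 2>/dev/null) || { echo "UNREADABLE         $cf"; return 1; }
    set -- $st
    mode=$1; owner=$2; grp=$3
    bad=0
    # any permission for "other" hands the key to every local account
    if [ $((0$mode & 07)) -ne 0 ]; then
        echo "WORLD-ACCESSIBLE   $mode $owner:$grp $cf"; bad=1
    fi
    # group access is acceptable only as read-only for the service group
    if [ $((0$mode & 070)) -ne 0 ] && { [ "$grp" != "$cg" ] || [ $((0$mode & 030)) -ne 0 ]; }; then
        echo "GROUP-ACCESSIBLE   $mode $owner:$grp $cf"; bad=1
    fi
    # and the service account must still be able to read it at all
    if [ "$owner" != "$cu" ] && ! { [ "$grp" = "$cg" ] && [ $((0$mode & 040)) -ne 0 ]; }; then
        echo "NOT-READABLE-BY-$cu $mode $owner:$grp $cf"; bad=1
    fi
    [ $bad -eq 0 ] && echo "ok                 $mode $owner:$grp $cf"
    return $bad
}

# Audit server.xml itself (it holds keystore passwords) and every key or
# keystore file it references.
audit_tomcat_tls() {  # server.xml catalina_base user group
    axml=$1; abase=$2; au=$3; ag=$4
    problems=0
    check_private_file "$axml" "$au" "$ag" || problems=1
    for attr in certificateKeyFile certificateKeystoreFile; do
        for p in $(xml_attr_values "$attr" "$axml"); do
            case $p in /*) ;; *) p="$abase/$p" ;; esac   # Tomcat resolves relative paths against CATALINA_BASE
            check_private_file "$p" "$au" "$ag" || problems=1
        done
    done
    return $problems
}

# Constructed demo CATALINA_BASE: one key file protected correctly, one keystore
# left world-readable, both referenced from a server.xml shaped like the ones above.
demo() {
    dbase=$(mktemp -d)
    me=$(id -un); mygroup=$(id -gn)
    mkdir -p "$dbase/conf/ssl"
    cat > "$dbase/conf/server.xml" <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig hostName="defaultdomain.com">
    <Certificate certificateKeyFile="conf/ssl/website.key" certificateFile="conf/ssl/website.crt" />
  </SSLHostConfig>
  <SSLHostConfig hostName="anotherdomain.com">
    <Certificate certificateKeystoreFile="$dbase/conf/ssl/website.jks" certificateKeystorePassword="keystorepass" />
  </SSLHostConfig>
</Connector>
EOF
    chmod 600 "$dbase/conf/server.xml"
    : > "$dbase/conf/ssl/website.key"; chmod 600 "$dbase/conf/ssl/website.key"   # correct
    : > "$dbase/conf/ssl/website.jks"; chmod 644 "$dbase/conf/ssl/website.jks"   # leaks the keystore
    audit_tomcat_tls "$dbase/conf/server.xml" "$dbase" "$me" "$mygroup"
    drc=$?
    rm -rf "$dbase"
    return $drc
}

if demo; then echo "all TLS files are private"; else echo "audit found problems (the demo keystore is deliberately world-readable)"; fi
```

Run it as `audit_tomcat_tls /opt/tomcat/latest/conf/server.xml /opt/tomcat/latest tomcat tomcat` on a real host. A file owned by root with mode 0640 and group tomcat passes; a key under /root that the tomcat user cannot open, or a 0644 key that any local user can copy, is reported by name.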
Using Nginx as the SSL reverse proxy
Install Nginx

```sh
$ sudo yum install nginx
```

Configure the SSL port. server.crt must contain the website certificate followed by the intermediate(s), because nginx has no separate chain directive, and a single certificate serving both server_name values must list both names as SANs. The proxy_set_header lines pass the client address and the original scheme on to Tomcat; without the Host header Tomcat sees "localhost:8080" and builds redirects pointing there, and Tomcat only trusts X-Forwarded-For / X-Forwarded-Proto once a RemoteIpValve is configured in its server.xml. With TLS terminated here, the Tomcat connector on 8080 can stay plain HTTP and should be bound to localhost only. `ssl_protocols TLSv1.2` replaces the older nginx default that still includes TLS 1.0 and 1.1; add TLSv1.3 if your nginx and OpenSSL support it.

/etc/nginx/conf.d/ssl.conf:

```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name defaultdomain.com anotherdomain.com;
    root /usr/share/nginx/html;

    # server.crt = website certificate followed by the intermediate certificate(s)
    ssl_certificate "/etc/nginx/ssl/server.crt";
    ssl_certificate_key "/etc/nginx/ssl/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://localhost:8080;
        # Tell Tomcat who the client is and that the original request was HTTPS
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```
References:
https://linuxize.com/post/install-java-on-centos-7/
https://linuxize.com/post/how-to-install-tomcat-8-5-on-centos-7/
thanks man!