Guide to installing SSL on a Java server (keystore)


Preparing the keystore

What you need

The website's private key: website.key
The issued website certificate: website.crt
The intermediate certificate: inter.crt
The root CA certificate: rootca.crt

Creating the keystore from the private key and certificate

Create a .p12 file containing the private key and the full certificate chain, entering a password to protect the .p12 file

$ cat inter.crt rootca.crt > chain.crt
$ openssl pkcs12 -export -in website.crt -inkey website.key -chain -CAfile chain.crt -name "domain" -out website.p12
Enter Export Password: 
Verifying - Enter Export Password:

Convert the .p12 file to .jks, Java's keystore format, entering the password from the previous step when prompted

$ keytool -importkeystore -deststorepass newpassword -destkeystore website.jks -srckeystore website.p12 -srcstoretype PKCS12
Enter source keystore password:  
Entry for alias dalatcity.org successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

The result is website.jks, a keystore containing the private key and the full certificate chain needed to serve the website, protected by the password "newpassword" (the keystore password); the key password is the one entered when creating the .p12 file.

The key password can be changed as follows

keytool -keypasswd -alias <key_alias> -keystore <keystore.file>

Verification

Run the following command; if "Entry type" is "PrivateKeyEntry" and the full chain of certificates from the website certificate up to the root CA is present, the keystore is correct.

# keytool -list -v -keystore website.jks | egrep "^(Owner|Issuer|Entry)"
Enter keystore password:  
Alias name: domain.ext
Entry type: PrivateKeyEntry
...
Owner: CN=*.domain.ext, O=COMPANY, L=Ha Noi, ST=Ha Noi, C=VN
Issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Serial number: 77066f2460de12c1540fc543
Valid from: Fri Sep 01 11:02:08 ICT 2017 until: Mon Sep 02 11:02:08 ICT 2019
...
Owner: CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Serial number: 40000000001444ef04247
Valid from: Thu Feb 20 17:00:00 ICT 2014 until: Tue Feb 20 17:00:00 ICT 2024
...
Owner: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Serial number: 40000000001154b5ac394
Valid from: Tue Sep 01 19:00:00 ICT 1998 until: Fri Jan 28 19:00:00 ICT 2028
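As an added check (not part of the original article), the following shell function parses the Owner/Issuer/Entry lines of `keytool -list -v` output and confirms that the entry is a PrivateKeyEntry whose chain links correctly from the website certificate up to a self-signed root. The keytool output embedded below is constructed, with hypothetical CA names; the second sample shows the common mistake of a missing intermediate.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output (hypothetical CA names),
# already filtered to the Owner/Issuer/Entry lines like the egrep above.
GOOD_CHAIN='Alias name: domain.ext
Entry type: PrivateKeyEntry
Owner: CN=*.domain.ext, O=COMPANY, L=Ha Noi, ST=Ha Noi, C=VN
Issuer: CN=Example Intermediate CA, O=Example CA
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA'

# Same entry with the intermediate missing: the leaf's Issuer no longer
# matches the Owner of the next certificate, so clients cannot build a path.
MISSING_INTERMEDIATE='Alias name: domain.ext
Entry type: PrivateKeyEntry
Owner: CN=*.domain.ext, O=COMPANY, L=Ha Noi, ST=Ha Noi, C=VN
Issuer: CN=Example Intermediate CA, O=Example CA
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA'

# check_chain: reads keytool output on stdin. Returns 0 only when the entry is
# a PrivateKeyEntry, every Issuer equals the Owner of the following certificate,
# and the last certificate is self-signed (Owner == Issuer), i.e. the root CA.
check_chain() {
  awk '
    /^Entry type:/ { pk = ($3 == "PrivateKeyEntry") }
    /^Owner: /     { sub(/^Owner: /, "");  owner[++n] = $0 }
    /^Issuer: /    { sub(/^Issuer: /, ""); issuer[n] = $0 }
    END {
      if (!pk || n == 0) exit 1
      for (i = 1; i < n; i++) if (issuer[i] != owner[i + 1]) exit 1
      if (issuer[n] != owner[n]) exit 1
      exit 0
    }'
}

printf '%s\n' "$GOOD_CHAIN" | check_chain && echo "full chain OK"
printf '%s\n' "$MISSING_INTERMEDIATE" | check_chain || echo "chain incomplete"
```

To check a real keystore, pipe `keytool -list -v -keystore website.jks` into check_chain instead of the constructed samples.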


Guide to installing SSL with SNI on Java Tomcat

This article applies to Java Tomcat 8 on CentOS 7; to support SSL SNI, APR must also be installed.

Steps

Install the OpenSSL development library

yum -y install openssl-devel

Install the Expat development library

yum -y install expat-devel

Install the build tools

yum -y groupinstall "Development Tools"

Download and install APR

wget http://mirror.downloadvn.com/apache/apr/apr-1.6.3.tar.gz
tar -xzf apr-1.6.3.tar.gz
cd apr-1.6.3
./configure
make
make install

Download and install APR-Util

wget http://mirror.downloadvn.com/apache/apr/apr-util-1.6.1.tar.gz
tar -xzf apr-util-1.6.1.tar.gz
cd apr-util-1.6.1
./configure --with-apr=/usr/local/apr
make
make install

Install the Tomcat Native library (bundled with Tomcat)

cd $CATALINA_HOME/bin
tar -zxvf tomcat-native.tar.gz
cd tomcat-native-1.2.14-src/native/
./configure --with-apr=/usr/local/apr --with-java-home=/opt/jdk1.7.0_80
make
make install

Configure the Tomcat server.xml

vim $CATALINA_HOME/conf/server.xml
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
               defaultSSLHostConfigName="www.studytrails.com" >
 
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig hostName="www.studytrails.com">
            <Certificate certificateKeyFile="/root/www_studytrails_com/www_studytrails_com.key"
                         certificateFile="/root/www_studytrails_com/www_studytrails_com.crt"
                         certificateChainFile="/root/www_studytrails_com/www_studytrails_com.bundle"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="api.studytrails.com">
           <Certificate certificateKeyFile="/root/api_studytrails_com/api_studytrails_com.key"
                         certificateFile="/root/api_studytrails_com/api_studytrails_com.crt"
                         certificateChainFile="/root/api_studytrails_com/api_studytrails_com.bundle"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Declare the APR library path in the Tomcat startup script

vim $CATALINA_HOME/bin/catalina.sh
CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"

Start Tomcat and check the log; if the following lines appear, APR is active

./catalina.sh start
Sep 06, 2013 2:10:09 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.27 using APR version 1.4.8.
Sep 06, 2013 2:10:09 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].

Installing from the repository (CentOS 7)

Install the Java 7 JDK

$ sudo yum install java-1.7.0-openjdk

Check the Java version

$ java -version
java version "1.7.0_191"
OpenJDK Runtime Environment (rhel-2.6.15.4.el7_5-x86_64 u191-b01)
OpenJDK 64-Bit Server VM (build 24.191-b01, mixed mode)

Install Tomcat 8.5

Create the Tomcat user

$ sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Download Tomcat

$ wget http://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.33/bin/apache-tomcat-8.5.33.zip
$ unzip apache-tomcat-*.zip
$ sudo mkdir -p /opt/tomcat
$ sudo mv apache-tomcat-8.5.33 /opt/tomcat/
$ sudo ln -s /opt/tomcat/apache-tomcat-8.5.33 /opt/tomcat/latest
$ sudo chown -R tomcat: /opt/tomcat
$ sudo chmod +x /opt/tomcat/latest/bin/*.sh

Set up the systemd service file

/etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 8.5 servlet container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

$ sudo systemctl daemon-reload

Enable and start the service

$ sudo systemctl enable tomcat
$ sudo systemctl start tomcat

Check that the service is running

$ sudo systemctl status tomcat
 tomcat.service - Tomcat 8.5 servlet container
   Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-03-31 16:30:48 UTC; 3s ago
  Process: 23826 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 23833 (java)
   CGroup: /system.slice/tomcat.service
           └─23833 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/tomcat/latest/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=fi...

Check the Tomcat version

$ java -cp /opt/tomcat/latest/lib/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/8.5.23
Server built:   Sep 28 2017 10:30:11 UTC
Server number:  8.5.23.0
OS Name:        Linux
OS Version:     3.10.0-862.2.3.el7.x86_64
Architecture:   amd64
JVM Version:    1.7.0_191-mockbuild_2018_07_30_15_33-b00
JVM Vendor:     Oracle Corporation

Install the packages required for Tomcat SSL

$ sudo yum install apr apr-util tomcat-native

Configure the connector

Using APR with certificate files

server.xml
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" 
               maxThreads="300" acceptCount="1000" maxKeepAliveRequests="1000"
               defaultSSLHostConfigName="defaultdomain.com" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig hostName="defaultdomain.com" certificateKeyFile="conf/ssl/website.key" certificateFile="conf/ssl/website.crt" certificateChainFile="conf/ssl/website.chain.crt" />
        <SSLHostConfig hostName="anotherdomain.com" certificateKeyFile="conf/ssl/website.key" certificateFile="conf/ssl/website.crt" certificateChainFile="conf/ssl/website.chain.crt" />
    </Connector>

Using NIO with a keystore

server.xml
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" 
               maxThreads="300" acceptCount="1000" maxKeepAliveRequests="1000" 
               defaultSSLHostConfigName="defaultdomain.com" >
        <SSLHostConfig hostName="defaultdomain.com" protocols="TLSv1.2,+TLSv1.1">
            <Certificate certificateKeyAlias="defaultdomain"
                         certificateKeystoreFile="conf/ssl/website.jks"
                         certificateKeystorePassword="keystorepass"
                         certificateKeyPassword="keypass"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="anotherdomain.com" protocols="TLSv1.2,+TLSv1.1" 
                        certificateKeyAlias="anotherdomain"
                        certificateKeystoreFile="conf/ssl/website.jks" 
                        certificateKeystorePassword="keystorepass" 
                        certificateKeyPassword="keypass" 
                        type="RSA" >
        </SSLHostConfig>
    </Connector>

Using Nginx as an SSL reverse proxy

Install Nginx

$ sudo yum install nginx

Configure the SSL port

/etc/nginx/conf.d/ssl.conf
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  defaultdomain.com anotherdomain.com;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/nginx/ssl/server.crt";
    ssl_certificate_key "/etc/nginx/ssl/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://localhost:8080;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

References:
https://linuxize.com/post/install-java-on-centos-7/
https://linuxize.com/post/how-to-install-tomcat-8-5-on-centos-7/

1 Comment

Peter

thanks man!