We have a web application whose SSL certificate expires every 100 days and is renewed automatically. We have to restart the server whenever it has to pick up the newly renewed certificate. Is there any way the tomcat java process can automatically pick up the new certificate whenever the certificate gets renewed? We have thousands of machines in our cluster.
dly7yett1#
If you have embedded tomcat, then you can use the tomcat API to reload all certificates. Check: How do I force tomcat to reload trusted certificates? The simplest way is to read the keystore programmatically, obtain an SSL context from it and use that context for the connection.
```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

private SSLContext buildSslSocketContext() {
    logger.info("Started checking for certificates and if it finds the certificates will be loaded.....");
    String keyStoreLoc = "/path/to/keystore"; // KEYSTORE LOCATION (placeholder)
    String password = "keystore-password";    // KEYSTORE_PASSWORD (placeholder)
    SSLContext context = null;
    try {
        // Create a KeyStore containing our trusted CAs
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keyStoreLoc)) {
            keystore.load(in, password.toCharArray());
        } catch (Exception e) {
            logger.error("Unable to load keystore " + e.getMessage());
        }
        // Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keystore);
        // Create an SSLContext that uses our TrustManager
        context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        logger.info("Completed loading of certificates.");
    } catch (Exception e) {
        logger.error("unable to create ssl context " + e.getMessage());
    }
    return context;
}

// Caller: build a JAX-RS client on top of the freshly loaded context
Client client = null;
try {
    SSLContext sslContext = buildSslSocketContext();
    ClientBuilder clientBuilder = ClientBuilder.newBuilder();
    if (sslContext != null) {
        clientBuilder.sslContext(sslContext);
    } else {
        logger.info("SSL context is missing");
    }
    client = clientBuilder.build(); // use this client to make http connections
} catch (Exception e) {
    logger.error("unable to get ssl context for client: " + e.getMessage());
}
```
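The reload idea from the answer above, carried one step further as an added example (not code from the question or from any of the answers): a key manager that notices when the keystore file on disk has been replaced and rebuilds its delegate, so the JVM serves the renewed certificate on the next handshake without a restart. It assumes you build the server's SSLContext yourself (embedded Tomcat or a custom connector); the keystore path and password are placeholders supplied by the caller.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Key manager that re-reads the keystore whenever the file's mtime changes,
// so new handshakes serve the renewed certificate without restarting the JVM.
public class ReloadingKeyManager implements X509KeyManager {
    private final Path keyStorePath;   // placeholder: path to the renewed keystore
    private final char[] password;     // placeholder: keystore/key password
    private volatile X509KeyManager delegate;
    private long lastModified = -1;
    public ReloadingKeyManager(Path keyStorePath, char[] password) throws Exception {
        this.keyStorePath = keyStorePath;
        this.password = password;
        reloadIfChanged(); // fail fast at startup if the keystore is unusable
    }
    // Rebuild only when the file changed; a failed reload keeps the last good delegate.
    private synchronized void reloadIfChanged() throws Exception {
        long mtime = Files.getLastModifiedTime(keyStorePath).toMillis();
        if (mtime == lastModified && delegate != null) return;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keyStorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { delegate = (X509KeyManager) km; lastModified = mtime; return; }
        }
        throw new IllegalStateException("no X509KeyManager available for " + keyStorePath);
    }
    // Called on every handshake: cheap mtime check, reload only when needed.
    private X509KeyManager current() {
        try { reloadIfChanged(); } catch (Exception e) { /* keep serving the last good delegate */ }
        return delegate;
    }
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return current().chooseServerAlias(kt, iss, s); }
    @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return current().chooseClientAlias(kt, iss, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return current().getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return current().getPrivateKey(alias); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return current().getServerAliases(kt, iss); }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return current().getClientAliases(kt, iss); }
}
```

Initialise the server context once with `SSLContext.init(new KeyManager[] { new ReloadingKeyManager(path, pw) }, trustManagers, null)`; JSSE wraps a plain X509KeyManager for SSLEngine-based connectors, so the same object works for NIO. Have the renewal tool replace the keystore atomically (write to a temp file, then rename) so a half-written file is never loaded.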
fkaflof62#
Yes, there is a way to load the certificate automatically with the help of code. All you have to do is download the certificate from the host and import it into the keystore that the Tomcat Server's Connector (found in server.xml) points to. This can be done with the help of a tool called keytool. Once the certificate has been added to the keystore, you can initialize the SSLContext and pass it to the server for the subsequent calls.
```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.ssl.SSLContexts;   // Apache HttpClient 4.4+
import org.apache.http.ssl.TrustStrategy;

// keyStore: the keystore the certificate was imported into; keyStorePassword: its password
Config buildConfig(KeyStore keyStore, char[] keyStorePassword) throws Exception {
    SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(new TrustStrategy() {
                @Override
                public boolean isTrusted(X509Certificate[] chain, String authType)
                        throws CertificateException {
                    return true; // as posted: every peer chain is accepted, i.e. no server verification
                }
            })
            .loadKeyMaterial(keyStore, keyStorePassword)
            .build();
    Config config = Config.newConfig(); // Config: the poster's client library's configuration type
    config.withSSLContext(sslContext);
    return config;
}
```
This config object can be passed as a parameter to the function **.withConfig(config)** to create the client calls.
vlurs2pr3#
Try using the Manager App:
1. Install the Tomcat Manager application (if it is not installed yet).
2. Create a Tomcat user, e.g. "sslAdmin" with password "sslAdminPassword": add the following two lines to the <tomcat-users> section of the file conf/tomcat-users.xml (if they are not there already):

```xml
<role rolename="manager-script"/>
<user username="sslAdmin" password="sslAdminPassword" roles="manager-script" />
```
3. Start or restart Tomcat.
4. From now on you can reload the SSL configuration from the command line with the following command, without restarting the whole service (see *Reload TLS configuration*):

```shell
curl -u sslAdmin:sslAdminPassword http://localhost:8080/manager/text/sslReload
```

Note that for the example above Tomcat must be listening on port 8080.