If you already have a certificate issued by a public CA, you can convert it to PKCS #12 format with openssl and load it into Tomcat directly.

Generating the certificate yourself (with your own CA) takes more steps; that procedure is in the second half of this post.


ssl.key : private key

ssl.crt : server certificate

InstantSSL.ca-bundle : intermediate (chain) certificates


0. Convert to PKCS #12 format (this is the form Tomcat can read; the -certfile bundle puts the intermediate chain into the same file)

openssl pkcs12 -export -in ssl.crt -inkey ssl.key -certfile InstantSSL.ca-bundle -out ssl.p12 -name tomcat 


1. Tomcat 5.5 (server.xml); /경로/ is a placeholder for the keystore path and 패스워드 for its password

<Connector port="8443"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" debug="0" scheme="https" secure="true"
              keystoreFile="/경로/client.p12" keystorePass="패스워드"
              keystoreType="pkcs12"
              clientAuth="false" sslProtocol="TLS" URIEncoding="KSC5601" />


2. Tomcat 6 (server.xml); same placeholders as above

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
                  port="8443" minSpareThreads="5" maxSpareThreads="75"
                  enableLookups="true" disableUploadTimeout="true"
                  acceptCount="100" maxThreads="200"
                  scheme="https" secure="true" SSLEnabled="true"
                  keystoreFile="/경로/client2.p12" keystorePass="패스워드"
                  keystoreType="pkcs12"
                  clientAuth="false" sslProtocol="TLS" URIEncoding="KSC5601"/>



=================================================================================================== 


[Applying SSL with a self-generated certificate (your own CA)]


Prepare the CA working directory (the index and serial files that openssl ca expects):

touch index.txt
echo "0001" > serial
echo "0001" > crlnumber

Then edit openssl.cnf so that dir points at the working directory (the other paths are derived from $dir):

vi /etc/pki/tls/openssl.cnf

dir            = .            # Where everything is kept  <----- change this line to "."
certs          = $dir/certs            # Where the issued certs are kept
crl_dir        = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.


1. Create the CA and the server certificate

- Create your own CA (key, then a self-signed CA certificate)

openssl genrsa -des3 -out ./private/cakey.pem 2048

openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out ./cacert.pem

- Generate the server key

openssl genrsa -des3 -out certificate-key.pem 1024

- Generate the request to send to the (private) CA

openssl req -new -days 3650 -key certificate-key.pem -out certificate-req.pem

- Sign the request with the (private) CA

openssl ca -in certificate-req.pem -out certificate.pem -notext

- Convert for Tomcat (certificate + key + CA certificate into one PKCS #12 file)

openssl pkcs12 -export -in certificate.pem -inkey certificate-key.pem -certfile ./cacert.pem -out client.p12 -name tomcat
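The self-signed procedure above and the PKCS #12 conversion at the top of the post, as an added shell example that is not from the original post: it builds the CA and server certificate, exports the bundle with the friendly name tomcat, and then checks the bundle before server.xml points at it. It uses openssl x509 -req in place of openssl ca (so no index.txt/serial setup is needed), unencrypted keys, and a constructed password; the file names, subject names and work directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed CA -> server cert ->
# PKCS #12 bundle with friendly name "tomcat", then checks on the bundle.
# File names, subjects, the work directory and the password are constructed.
set -eu

WORK="${1:-$(mktemp -d)}"   # assumed work directory (default: a fresh temp dir)
PASS="changeit-example"     # constructed password; this is Tomcat's keystorePass

# Build CA, server key/CSR, signed cert and client.p12 (subshell, so the cd stays local).
build_p12() (
  cd "$WORK" || exit 1
  # 1. Self-signed CA: the post's genrsa + req -x509 steps, with an unencrypted key for scripting
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
  # 2. Server key and CSR (the post's certificate-key.pem / certificate-req.pem)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=tomcat.example.test" \
    -keyout certificate-key.pem -out certificate-req.pem 2>/dev/null
  # 3. Sign with the CA; 'openssl x509 -req' stands in for 'openssl ca', no index.txt/serial needed
  openssl x509 -req -days 365 -in certificate-req.pem \
    -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out certificate.pem 2>/dev/null
  # 4. The post's export step: cert + key + CA chain, friendly name "tomcat"
  openssl pkcs12 -export -in certificate.pem -inkey certificate-key.pem \
    -certfile cacert.pem -name tomcat -passout "pass:$PASS" -out client.p12
)

# Number of certificates inside the .p12: 2 means the CA chain was included via -certfile.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Server cert must chain to the CA and its public key must match the private key.
p12_is_consistent() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/certificate.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/certificate.pem" -pubkey -noout)
  key_pub=$(openssl pkey -in "$WORK/certificate-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Friendly name on the server cert's bag: the alias a Tomcat keyAlias setting would refer to.
p12_friendly_name() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

build_p12
echo "client.p12 in $WORK: $(p12_cert_count) certs, friendly name '$(p12_friendly_name)'"
p12_is_consistent && echo "chain and key/cert match OK"
```

If the certificate count is 1, the chain was not bundled and clients will see an incomplete chain even though Tomcat starts fine.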


2. server.xml settings

 - Tomcat 5.5

  <Service name="Catalina">
    <Connector port="8443"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" debug="0" scheme="https" secure="true"
              keystoreFile="/root/demoCA/client.p12" keystorePass="*******"
              keystoreType="pkcs12"
              clientAuth="false" sslProtocol="TLS" URIEncoding="KSC5601" />
    <Engine name="Catalina" defaultHost="localhost" debug="0">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="0"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps">
        <Context path="/contextName" docBase="/home/altimis/tomcat/webapps/test"
                 reloadable="true"/>
      </Host>
    </Engine>
  </Service>

  

  

 - Tomcat 6

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
                  port="8443" minSpareThreads="5" maxSpareThreads="75"
                  enableLookups="true" disableUploadTimeout="true"
                  acceptCount="100" maxThreads="200"
                  scheme="https" secure="true" SSLEnabled="true"
                  keystoreFile="/root/demoCA/client.p12" keystorePass="******"
                  keystoreType="pkcs12"
                  clientAuth="false" sslProtocol="TLS" URIEncoding="KSC5601"/>
