Java keystore implements SSL two-way authentication [clients are PHP and Java]
1. First build the server-side environment:
Preparation: Tomcat 6, JDK 7, OpenSSL, and a Java web service test project
2. Construction process:
Reference: http://blog.csdn.net/chow__zh/article/details/8998499
1.1 Generate server certificate
keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:/SSL/server/tomcat.keystore -dname "CN=127.0.0.1,OU=zlj,O=zlj, L=Peking,ST=Peking,C=CN" -validity 3650 -storepass zljzlj -keypass zljzlj
Note:
keytool is the certificate generation tool shipped with the JDK. For the usage of all parameters, see keytool -help
-genkey create a new key pair and self-signed certificate
-v verbose output
-alias tomcat use "tomcat" as the alias of this certificate; change it as needed
-keyalg RSA key algorithm
-keystore D:/SSL/server/tomcat.keystore path and file name of the keystore to save into
-dname "CN=127.0.0.1,OU=zlj,O=zlj,L=Peking,ST=Peking,C=CN" the identity in the certificate. The CN must match the host name used to access the server after issuance. Because we issue the certificate ourselves, a browser will still warn when the site is opened.
-validity 3650 certificate validity period, in days
-storepass zljzlj keystore password
-keypass zljzlj private key password
1.2 Generate client certificate
Execute command:
keytool -genkey -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:/SSL/client/client.p12 -dname "CN=client,OU=zlj,O=zlj,L=bj,ST=bj,C=CN" -validity 3650 -storepass client -keypass client
Description:
The parameters are the same as above. The -dname identity here may differ from the previous one. So far the two certificates have no relationship with each other; the next steps establish trust between them.
1.3 Export client certificate
Execute command:
keytool -export -alias client -keystore D:/SSL/client/client.p12 -storetype PKCS12 -storepass client -rfc -file D:/SSL/client/client.cer
Description:
-export Execute export
-file File path of the exported file
1.4 Add the client certificate to the server certificate trust list
Execute command:
keytool -import -alias client -v -file D:/SSL/client/client.cer -keystore D:/SSL/server/tomcat.keystore -storepass zljzlj
Instructions:
The parameter description is the same as before. The password provided here is the access password for the server certificate.
1.5 Export server certificate
Execute command:
keytool -export -alias tomcat -keystore D:/SSL/server/tomcat.keystore -storepass zljzlj -rfc -file D:/SSL/server/tomcat.cer
Instructions:
Export the server certificate. The password provided here is also the password for the server certificate.
1.6 Generate client trust list
Execute command:
keytool -import -file D:/SSL/server/tomcat.cer -storepass zljzlj -keystore D:/SSL/client/client.truststore -alias tomcat -noprompt
Instructions:
Let the client trust the server certificate
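Before configuring Tomcat it is worth checking that steps 1.1 to 1.6 really produced the intended trust relationship, because a wrong store or alias only shows up later as an opaque handshake failure. The following Java program is an added example, not code from the original post: it loads the three stores with the paths and passwords used above and checks that the server keystore holds the client certificate as a trusted entry, that the client trust store holds the server certificate, and that both certificates are currently valid. It assumes the two non-PKCS12 stores are JKS, keytool's default type in JDK 7; adjust the type strings if yours differ.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Verifies the mutual trust wiring built in steps 1.1-1.6 (added example, not from the post). */
public class MtlsTrustCheck {

    // Paths and passwords are the ones used in the post; change them if you used others.
    static final String SERVER_KS = "D:/SSL/server/tomcat.keystore";   // step 1.1, also the server trust store
    static final String CLIENT_P12 = "D:/SSL/client/client.p12";       // step 1.2
    static final String CLIENT_TS = "D:/SSL/client/client.truststore"; // step 1.6

    static KeyStore load(String type, String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** A store trusts a certificate when it holds that exact certificate as a trusted-certificate entry. */
    static boolean trusts(KeyStore store, Certificate cert) throws GeneralSecurityException {
        String alias = store.getCertificateAlias(cert);
        return alias != null && store.isCertificateEntry(alias);
    }

    static void describe(String label, X509Certificate cert) {
        System.out.printf("%s: subject=%s, valid until %s%n",
                label, cert.getSubjectX500Principal(), cert.getNotAfter());
    }

    static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }

    public static void main(String[] args) throws Exception {
        KeyStore serverKs = load("JKS", SERVER_KS, "zljzlj".toCharArray());
        KeyStore clientP12 = load("PKCS12", CLIENT_P12, "client".toCharArray());
        KeyStore clientTs = load("JKS", CLIENT_TS, "zljzlj".toCharArray());

        X509Certificate serverCert = (X509Certificate) serverKs.getCertificate("tomcat");
        X509Certificate clientCert = (X509Certificate) clientP12.getCertificate("client");
        if (serverCert == null || clientCert == null) fail("alias 'tomcat' or 'client' not found");
        describe("server", serverCert);
        describe("client", clientCert);

        // The server must own a private key under 'tomcat' and, per step 1.4, trust the client certificate.
        if (!serverKs.isKeyEntry("tomcat")) fail("server keystore has no private key under alias 'tomcat'");
        if (!trusts(serverKs, clientCert)) fail("server does not trust the client certificate (repeat step 1.4)");
        // Per step 1.6, the client trust store must hold the server certificate.
        if (!trusts(clientTs, serverCert)) fail("client does not trust the server certificate (repeat step 1.6)");
        // Expired or not-yet-valid certificates are rejected during the handshake; check them now.
        Date now = new Date();
        serverCert.checkValidity(now);
        clientCert.checkValidity(now);
        System.out.println("OK: both sides trust each other");
    }
}
```

Note that tomcat.keystore doubles as the server's trust store in the configuration below, so every trusted-certificate entry imported into it can authenticate as a client; the check above only confirms that the one intended entry is present, so list the store with keytool -list as well if other certificates may have been imported.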
2. Configure the server to only allow HTTPS connections
2.1 Configure /conf/server.xml in the Tomcat directory
XML (this is the HTTPS Connector that ships commented out in the default server.xml, with the keystore and truststore attributes added; only the part from sslProtocol onward survived in the original listing):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="true"
           sslProtocol="TLS" keystoreFile="D:/SSL/server/tomcat.keystore"
           keystorePass="zljzlj" truststoreFile="D:/SSL/server/tomcat.keystore"
           truststorePass="zljzlj" />
Note:
This Connector is commented out in the default server.xml. If you want to use the default HTTPS port 443, change the port attribute here. clientAuth="true" enables two-way certificate authentication, i.e. the server requires a client certificate from its trust store.
2.2 Import client.p12 into the browser's personal certificate store.
Now open https://127.0.0.1:8443/ and a certificate selection dialog appears. Click OK; the browser then warns that the HTTPS page is not trusted (the server certificate is self-signed). Click Continue. The server is now set up.
3. Java calls the server side; the code can be loaded directly:
package test;

import javax.xml.namespace.QName;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import org.apache.axis.encoding.XMLType;

/**
 * @author gshen
 */
public class TestEcVoteNotice {
    public static void main(String[] args) throws Exception {
        // Client trust store from step 1.6; the original listing set only its password,
        // but the path is required as well or the server certificate cannot be verified
        System.setProperty("javax.net.ssl.trustStore", "D:/SSL/client/client.truststore");
        System.setProperty("javax.net.ssl.trustStorePassword", "zljzlj");
        // Client key store from step 1.2, presented to the server during the handshake
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStore", "D:/SSL/client/client.p12");
        System.setProperty("javax.net.ssl.keyStorePassword", "client");
        // Prints the full TLS handshake to stdout; useful while setting things up
        System.setProperty("javax.net.debug", "all");
        // WSDL address
        String endpoint = "https://192.168.1.146:8443/pro/ws/getInfoService?wsdl";
        // The Service and Call classes are in axis.jar (search for axis.jar at http://jarfiles.pandaidea.com/ and download it)
        Service service = new Service();
        Call call = null;
        try {
            call = (Call) service.createCall();
            // Target address of the call
            call.setTargetEndpointAddress(new java.net.URL(endpoint));
            // Taken from the WSDL: <wsdl:import location="https://192.168.10.24:8443/ShinService/HelloWorld?wsdl=HelloService.wsdl"
            //   namespace="http://server.cxf.shinkong.cn/" /> and <wsdl:operation name="findALL">
            call.setOperationName(new QName("http://ws.task.xm.com/", "sayHello"));
            // Parameter 1 corresponds to the server's @WebParam(name = "tableName"); without a name it is called arg0
            call.addParameter("id", XMLType.SOAP_STRING, javax.xml.rpc.ParameterMode.IN);
            // Return type of the invoked method
            call.setReturnType(org.apache.axis.Constants.XSD_STRING);
            // Invoke the operation (the server-side method signature is authoritative)
            String res = (String) call.invoke(new Object[] {"1"});
            System.out.println(res);
        } catch (Exception e) {
            e.printStackTrace();
            System.out.println(e.getMessage());
        }
    }
}
Run it from the command line or via right-click > Run As. In the server-side project I simply added log output, which is printed whenever the service is called. For the result after execution,
please see the attachment.
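The listing above configures TLS through JVM-wide javax.net.ssl.* system properties, which silently changes the key and trust material of every HTTPS connection in the process. The following Java program is an added example, not code from the original post: it scopes the same client.p12 and client.truststore to one SSLContext and uses plain HttpsURLConnection instead of Axis, so the effect is confined to the connections that use that context. The endpoint URL is an assumption; the file paths and passwords are the ones used in the steps above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Mutual-TLS client with key and trust material confined to one SSLContext (added example, not from the post). */
public class MtlsClient {

    static KeyStore load(String type, String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds a context that presents the client.p12 key pair and trusts only what client.truststore contains. */
    static SSLContext buildContext(String p12Path, char[] p12Password,
                                   String trustPath, char[] trustPassword)
            throws GeneralSecurityException, IOException {
        // Key manager: the client certificate and private key sent during the handshake (step 1.2)
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", p12Path, p12Password), p12Password);

        // Trust manager: only the server certificate imported in step 1.6, not the JVM's default CA set
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", trustPath, trustPassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("D:/SSL/client/client.p12", "client".toCharArray(),
                                      "D:/SSL/client/client.truststore", "zljzlj".toCharArray());
        // Endpoint is assumed; the port matches the Connector configured in section 2.1
        URL url = new URL("https://127.0.0.1:8443/pro/ws/getInfoService?wsdl");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Applies to this connection only; other HttpsURLConnections keep the JVM defaults
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        int status = conn.getResponseCode();
        System.out.println("HTTP " + status + " from " + url.getHost());
        // Available only after the handshake; shows which certificate the server actually presented
        System.out.println("Server presented: " + conn.getServerCertificates()[0]);
        conn.disconnect();
    }
}
```

The default HostnameVerifier is deliberately left in place. For a URL whose host is an IP address, Java compares it against the certificate's subjectAltName IP entries only, so a server certificate generated as in step 1.1 (CN=127.0.0.1 and no SAN) is rejected by this client even though the trust store accepts it; regenerating the server certificate with keytool's -ext SAN=ip:127.0.0.1 option (available since JDK 7) fixes that without weakening verification.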
Now for the key part: calling the server from PHP. PHP's SoapClient only accepts certificates in DER, PEM or ENG format, so client.p12 must first be converted into a PEM file that PHP can read, and openssl is used for that. Open a cmd prompt and run the following command:
Execute command:
openssl pkcs12 -in D:\SSL\client\client.p12 -out D:\SSL\client\client-cer.pem -clcerts
If it reports that the openssl command is not recognized, OpenSSL is not installed. If it runs, you are first asked for the password of client.p12, then for a pass phrase for the exported PEM file; that pass phrase protects the private key inside client-cer.pem and is what the PHP code supplies through its passphrase option. After entering it, client-cer.pem has been generated successfully.
Now the PHP code:
PHP code
<?php
$params = array('id' => '2');
$local_cert = "./client-cer.pem";
set_time_limit(0);
try {
    // ini_set("soap.wsdl_cache_enabled", "0"); // disabling WSDL cache
    $wsdl = 'https://192.168.1.146:8443/pro/ws/getInfoService?wsdl';
    // echo file_get_contents($wsdl);
    $soap = new SoapClient($wsdl, array(
        'trace'        => true,
        'cache_wsdl'   => WSDL_CACHE_NONE,
        'soap_version' => SOAP_1_1,
        'local_cert'   => $local_cert, // client certificate and private key (the PEM file from the openssl step)
        'passphrase'   => 'client',    // pass phrase of the private key in that PEM file
        // 'allow_self_signed' => true
        // Note: allow_self_signed is an SSL stream-context option, not a SoapClient option. PHP 5.6 and later
        // verify the server certificate by default, so there pass a 'stream_context' created with
        // stream_context_create() whose ssl 'cafile' points at the tomcat.cer exported in step 1.5.
    ));
    $result = $soap->sayHello($params);
    $result_json = json_encode($result);
    $result = json_decode($result_json, true);
    echo '结果为:' . json_decode($result['return'], true);
} catch (Exception $e) {
    $result['success'] = '0';
    $result['msg'] = '请求超时';
    echo $e->getMessage();
}
echo '>>>>>>>>>>>';
Run it directly and the result shown in the attachment appears. That's a wrap; it cost me three full days, but it finally works.