Java keystore implements SSL two-way authentication [clients are PHP and Java]
1. Set up the server-side environment
Preparation: Tomcat 6, JDK 7, OpenSSL and a Java web service test project.
2. Construction process
Reference: http://blog.csdn.net/chow__zh/article/details/8998499
1.1 Generate server certificate
keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:/SSL/server/tomcat.keystore -dname "CN=127.0.0.1,OU=zlj,O=zlj, L=Peking,ST=Peking,C=CN" -validity 3650 -storepass zljzlj -keypass zljzlj
Note:
keytool is the certificate tool shipped with the JDK; keytool -help lists all parameters.
-genkey generate a new key pair and self-signed certificate
-v verbose output
-alias tomcat use "tomcat" as the alias of this entry; change it as needed
-keyalg RSA key algorithm
-keystore D:/SSL/server/tomcat.keystore path and file name of the keystore
-dname "CN=127.0.0.1,OU=zlj,O=zlj,L=Peking,ST=Peking,C=CN" the distinguished name written into the certificate (for a self-signed certificate, subject and issuer are the same). The CN must match the host name clients use to reach the server; because we issue the certificate ourselves, browsers will still show a warning.
-validity 3650 certificate validity in days
-storepass zljzlj keystore password
-keypass zljzlj password protecting the private key
1.2 Generate client certificate
Execute command:
keytool -genkey -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:/SSL/client/client.p12 -dname "CN=client,OU=zlj,O=zlj,L=bj,ST=bj,C=CN" -validity 3650 -storepass client -keypass client
Description:
The parameters are the same as above. The -dname here may differ from the server's. So far the two certificates have no relationship to each other; the next steps establish trust between them.
1.3 Export client certificate
Execute command:
keytool -export -alias client -keystore D:/SSL/client/client.p12 -storetype PKCS12 -storepass client -rfc -file D:/SSL/client/client.cer
Description:
-export export the certificate (public part only; the private key stays in the store)
-file path of the exported file
1.4 Add the client certificate to the server certificate trust list
Execute command:
keytool -import -alias client -v -file D:/SSL/client/client.cer -keystore D:/SSL/server/tomcat.keystore -storepass zljzlj
Instructions:
The parameters are the same as before. The password given here is the server keystore's password. keytool asks whether to trust the certificate; answer yes (or add -noprompt, as in step 1.6).
1.5 Export server certificate
Execute command:
keytool -export -alias tomcat -keystore D:/SSL/server/tomcat.keystore -storepass zljzlj -rfc -file D:/SSL/server/tomcat.cer
Instructions:
Export the server certificate. The password given here is again the server keystore's password.
1.6 Generate client trust list
Execute command:
keytool -import -file D:/SSL/server/tomcat.cer -storepass zljzlj -keystore D:/SSL/client/client.truststore -alias tomcat -noprompt
Instructions:
This makes the client trust the server certificate. The truststore is created with the password zljzlj, which is what the Java client must later pass as javax.net.ssl.trustStorePassword.
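To see the six keytool steps above as one reproducible procedure, here is an added shell script that is not part of the original post: it rebuilds the server keystore, the client PKCS12 store and the two trust relationships under a scratch directory, then uses keytool -list to check that every store holds the entry two-way TLS depends on. It assumes a JDK keytool on PATH; SSL_DIR and its temp-directory default are this example's own choices, and the passwords are the ones from the post. It also states -storetype JKS explicitly (Tomcat 6 expects JKS, while JDKs from 9 on would otherwise create PKCS12) and passes -noprompt on the imports so the script does not stop at the "Trust this certificate?" question.

```shell
#!/bin/sh
# Added example, not code from the original post: replays steps 1.1-1.6 with keytool
# under a scratch directory and then checks that each store holds what two-way TLS needs.
# Assumptions: keytool from a JDK is on PATH; SSL_DIR (hypothetical) defaults to a temp dir.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
SERVER_KS="$SSL_DIR/server/tomcat.keystore"
CLIENT_P12="$SSL_DIR/client/client.p12"
CLIENT_TS="$SSL_DIR/client/client.truststore"
SERVER_PASS="zljzlj"   # passwords from the post; pick real secrets outside a lab
CLIENT_PASS="client"

build_stores() {
    mkdir -p "$SSL_DIR/server" "$SSL_DIR/client"
    # 1.1 server key pair + self-signed certificate. The CN must equal the host name the
    # clients connect to. Store type JKS is given explicitly: Tomcat 6 expects JKS, while
    # newer JDKs would otherwise default to PKCS12.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -storetype JKS -keystore "$SERVER_KS" \
        -dname "CN=127.0.0.1,OU=zlj,O=zlj,L=Peking,ST=Peking,C=CN" \
        -validity 3650 -storepass "$SERVER_PASS" -keypass "$SERVER_PASS"
    # 1.2 client key pair in a PKCS12 store (browsers, Java and openssl can all read it)
    keytool -genkey -alias client -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore "$CLIENT_P12" \
        -dname "CN=client,OU=zlj,O=zlj,L=bj,ST=bj,C=CN" \
        -validity 3650 -storepass "$CLIENT_PASS" -keypass "$CLIENT_PASS"
    # 1.3 / 1.4 export the client certificate (public part only) and import it into the
    # server store, which Tomcat also uses as its trust store (-noprompt answers "yes")
    keytool -export -alias client -storetype PKCS12 -keystore "$CLIENT_P12" \
        -storepass "$CLIENT_PASS" -rfc -file "$SSL_DIR/client/client.cer"
    keytool -import -alias client -storetype JKS -keystore "$SERVER_KS" \
        -storepass "$SERVER_PASS" -file "$SSL_DIR/client/client.cer" -noprompt
    # 1.5 / 1.6 export the server certificate and build the client trust store from it
    keytool -export -alias tomcat -storetype JKS -keystore "$SERVER_KS" \
        -storepass "$SERVER_PASS" -rfc -file "$SSL_DIR/server/tomcat.cer"
    keytool -import -alias tomcat -storetype JKS -keystore "$CLIENT_TS" \
        -storepass "$SERVER_PASS" -file "$SSL_DIR/server/tomcat.cer" -noprompt
}

# entry_type STORE STORETYPE PASSWORD ALIAS -> "PrivateKeyEntry" or "trustedCertEntry"
# (keytool -list prints the entry kind next to the alias; stderr warnings are dropped)
entry_type() {
    keytool -list -keystore "$1" -storetype "$2" -storepass "$3" -alias "$4" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# verify_trust returns non-zero if any store lacks the entry two-way TLS relies on:
# the server needs its own key plus the client cert as trusted; the client needs its own
# key in the PKCS12 and the server cert as trusted.
verify_trust() {
    [ "$(entry_type "$SERVER_KS" JKS "$SERVER_PASS" tomcat)" = PrivateKeyEntry ] &&
    [ "$(entry_type "$SERVER_KS" JKS "$SERVER_PASS" client)" = trustedCertEntry ] &&
    [ "$(entry_type "$CLIENT_P12" PKCS12 "$CLIENT_PASS" client)" = PrivateKeyEntry ] &&
    [ "$(entry_type "$CLIENT_TS" JKS "$SERVER_PASS" tomcat)" = trustedCertEntry ]
}

main() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH; install a JDK to build the stores" >&2
        return 0
    fi
    build_stores
    verify_trust && echo "stores under $SSL_DIR pass the trust checks"
}
main
```

Run it with SSL_DIR=D:/SSL (or any writable directory) to reproduce the post's layout. The checks only prove the stores contain the right entries; whether the handshake succeeds still depends on the Tomcat connector pointing at the same files and on the CN matching the host name the clients use.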
2. Configure the server to only allow HTTPS connections
2.1 Configure conf/server.xml under the Tomcat installation directory
XML code:
<!-- opening attributes restored from Tomcat 6's stock HTTPS connector; the post only shows the tail of the element -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="true"
           sslProtocol="TLS" keystoreFile="D:/SSL/server/tomcat.keystore"
           keystorePass="zljzlj" truststoreFile="D:/SSL/server/tomcat.keystore"
           truststorePass="zljzlj" />
Note:
This Connector element is commented out in the stock server.xml; uncomment it and edit it. The default port for HTTPS is 443; if you want to use it, change the port attribute here. clientAuth="true" is what turns on two-way certificate authentication: the server then requests and verifies a client certificate against its trust store.
2.2 Import client.p12 into the browser's personal certificate store.
Now open https://127.0.0.1:8443/ and a certificate selection dialog appears. Click OK; the browser then warns that the HTTPS page is not trusted. Click Continue. The server side is now set up.
3. Calling the server from Java. The client code is loaded directly:
package test;

import javax.xml.namespace.QName;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import org.apache.axis.encoding.XMLType;

/**
 * Axis 1.x client that calls the web service over mutually authenticated HTTPS.
 *
 * @author gshen
 */
public class TestEcVoteNotice {
    public static void main(String[] args) throws Exception {
        // Trust store built in step 1.6 (holds the server certificate); without the
        // trustStore property the JDK's default cacerts would be used and the
        // self-signed server certificate would be rejected
        System.setProperty("javax.net.ssl.trustStore", "D:/SSL/client/client.truststore");
        System.setProperty("javax.net.ssl.trustStorePassword", "zljzlj");
        // Client key store built in step 1.2 (the certificate presented to the server)
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStore", "D:/SSL/client/client.p12");
        System.setProperty("javax.net.ssl.keyStorePassword", "client");
        // Verbose JSSE handshake logging; remove once the connection works
        System.setProperty("javax.net.debug", "all");

        // WSDL address
        String endpoint = "https://192.168.1.146:8443/pro/ws/getInfoService?wsdl";
        // Service and Call come from axis.jar (search for it at http://jarfiles.pandaidea.com/)
        Service service = new Service();
        Call call = null;
        try {
            call = (Call) service.createCall();
            // Endpoint address of the call
            call.setTargetEndpointAddress(new java.net.URL(endpoint));
            // Operation namespace and name, taken from the WSDL, e.g.
            // <wsdl:import location="https://192.168.10.24:8443/ShinService/HelloWorld?wsdl=HelloService.wsdl"
            //              namespace="http://server.cxf.shinkong.cn/" />
            // <wsdl:operation name="findALL">
            call.setOperationName(new QName("http://ws.task.xm.com/", "sayHello"));
            // Parameter 1 corresponds to the server's @WebParam(name = "tableName");
            // if no name is set on the server it is called arg0
            call.addParameter("id", XMLType.SOAP_STRING, javax.xml.rpc.ParameterMode.IN);
            // Return type of the invoked method
            call.setReturnType(org.apache.axis.Constants.XSD_STRING);
            // Invoke the operation (argument order follows the server-side method)
            String res = (String) call.invoke(new Object[] {"1"});
            System.out.println(res);
        } catch (Exception e) {
            e.printStackTrace();
            System.out.println(e.getMessage());
        }
    }
}
Run it directly from the command line, or right-click and choose Run As. In the server-side project I simply added log printing, so something is printed whenever the service is called. For the output after execution, please see the attachment.
Here comes the key point: next, PHP calls the server. PHP's SoapClient only accepts certificates in DER, PEM or ENG format, so client.p12 must be converted into a PEM file that PHP can read. This is where openssl comes in. Open a cmd prompt and run the following command:
openssl pkcs12 -in D:\SSL\client\client.p12 -out D:\SSL\client\client-cer.pem -clcerts
If the shell reports that openssl is not a recognized command, OpenSSL is not installed (or not on PATH). When the command runs, you are first asked for the password of client.p12, then for an export pass phrase for the new PEM file; that pass phrase is the one the PHP code passes as 'passphrase'. After that, client-cer.pem has been generated successfully.
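The conversion above is interactive. Here is an added shell script, not from the original post, that runs it non-interactively and then checks the resulting PEM file before PHP is pointed at it: that it contains exactly one certificate and one private key, that the CN is the expected client, and that the key and certificate actually belong together. It assumes openssl on PATH; because the script must run on its own, it first constructs a throw-away client.p12 with openssl (standing in for the one keytool produced in step 1.2), and WORK and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: converts a PKCS12 client store into the
# PEM file that PHP's SoapClient takes as local_cert, without interactive prompts, and then
# checks the PEM before it is deployed. Assumptions: openssl is on PATH; the input .p12 is a
# throw-away one constructed here with openssl (in the post it is client.p12 from step 1.2);
# WORK and the file names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12="$WORK/client.p12"
PEM="$WORK/client-cer.pem"
P12_PASS="client"   # store password of client.p12 (the first prompt in the post)
PEM_PASS="client"   # export pass phrase (the second prompt); must equal 'passphrase' in the PHP code

# Constructed input: a self-signed client identity packed as PKCS12 (stand-in for step 1.2)
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=client/OU=zlj/O=zlj/L=bj/ST=bj/C=CN" \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" 2>/dev/null
    openssl pkcs12 -export -name client -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -out "$P12" -passout "pass:$P12_PASS"
}

# The post's command with both passwords supplied on the command line. -clcerts keeps
# only the client certificate (no CA chain); the private key is included too (no -nokeys)
# and is re-encrypted under PEM_PASS, so the file must be protected like a key.
convert_to_pem() {
    openssl pkcs12 -in "$P12" -out "$PEM" -clcerts \
        -passin "pass:$P12_PASS" -passout "pass:$PEM_PASS"
    chmod 600 "$PEM"
}

# Number of lines in the PEM matching a pattern, e.g. 'BEGIN CERTIFICATE'
count_in_pem() {
    grep -c -- "$1" "$PEM" || true
}

# CN of the certificate in the PEM (handles both "CN = x, ..." and "/CN=x/..." output styles)
pem_subject_cn() {
    openssl x509 -in "$PEM" -noout -subject | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

# True when the private key in the PEM belongs to the certificate in the PEM:
# both must yield the same public key, otherwise the TLS handshake fails later.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$PEM" -noout -pubkey)
    key_pub=$(openssl pkey -in "$PEM" -passin "pass:$PEM_PASS" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH; nothing converted" >&2
        return 0
    fi
    make_sample_p12
    convert_to_pem
    echo "wrote $PEM for CN=$(pem_subject_cn)"
    key_matches_cert && echo "certificate and private key match"
}
main
```

Two caveats the post only hints at: the export pass phrase (PEM_PASS here) is exactly what the PHP SoapClient option 'passphrase' must carry, and the PEM now holds an encrypted private key, so keep it outside the web root and readable only by the PHP process. To confirm that Tomcat really enforces clientAuth="true", `openssl s_client -connect 127.0.0.1:8443 -CAfile D:/SSL/server/tomcat.cer` should be rejected during the handshake, while adding `-cert client-cer.pem -key client-cer.pem` should complete it. Note also that PHP 5.6 and later verify the server certificate by default, so a self-signed tomcat.cer has to be handed to SoapClient through the stream_context option ('ssl' => array('cafile' => ...)) rather than by switching on allow_self_signed.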
Now the PHP code:
<?php
$params = array('id' => '2');
$local_cert = "./client-cer.pem";   // PEM exported from client.p12 with openssl (certificate + private key)
set_time_limit(0);
try {
    // ini_set("soap.wsdl_cache_enabled", "0"); // disabling WSDL cache
    $wsdl = 'https://192.168.1.146:8443/pro/ws/getInfoService?wsdl';
    // echo file_get_contents($wsdl);
    $soap = new SoapClient($wsdl, array(
        'trace'        => true,
        'cache_wsdl'   => WSDL_CACHE_NONE,
        'soap_version' => SOAP_1_1,
        'local_cert'   => $local_cert,   // client certificate
        'passphrase'   => 'client',      // pass phrase chosen when exporting the PEM
        // 'allow_self_signed' => true
    ));
    $result = $soap->sayHello($params);
    $result_json = json_encode($result);
    $result = json_decode($result_json, true);
    echo 'Result: ' . json_decode($result['return'], true);
} catch (Exception $e) {
    $result['success'] = '0';
    $result['msg'] = 'request timed out';
    echo $e->getMessage();
}
echo '>>>>>>>>>>>';
Run it directly and the result shown in the attachment appears as well. That's it, done; this cost me three full days, but it finally works.
