您的位置: 首页  >  技术问答  >  如何强制tomcat重新加载受信任的证书?

如何强制tomcat重新加载受信任的证书?

分类: 技术问答 2022-04-03 00:16:33

如何强制tomcat重新加载受信任的证书?

问题描述:

我的WebApp将连接器用于2-Way SSL(又称客户端身份验证"):

My WebApp uses a Connector for 2-Way SSL (aka "Client Authentication"):

<Connector port="8084" SSLEnabled="true" maxThreads="10" minSpareThreads="3" maxSpareThreads="5"
             enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
             clientAuth="true" truststoreFile="conf/keystore.kst" truststoreType="JCEKS" sslProtocol="TLS" URIEncoding="UTF-8"
             keystoreFile="conf/keystore.kst" keystoreType="JCEKS" keyAlias="myAlias"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

我的问题是,当Tomcat服务器运行时,我使用新的受信任证书更新了密钥库,甚至从其中删除了受信任证书,连接器都不会注意到更改.

My problem is that while the Tomcat server is running and I update the keystore with new trusted certifictaes , or even delete trusted certificates from it , the connector doesn't notice the changes.

到目前为止我已经尝试过的:

What I've tried so far:

1)停止,重新初始化(反射)并启动连接器-不起作用.

1) Stopping , Re-Initializing (reflection) and starting the Connector - didn't work.

2)实现我自己的SSLContext,以从密钥库重新加载证书. 好吧,这里我缺少在tomcat中注册此SSLContext的部分(因此tomcat将在连接器中使用它来进行新的传入连接)

2) Implementing my own SSLContext that reloads the certificates from the keystore. Well , here I'm missing the part of registering this SSLContext with tomcat (so that tomcat will use it in the connector for new incoming connections)

关于此事的帖子很多,但没有真正的解决方案:

There are many posts on this matter but no real solution:

http://www.delphifaq.com/faq/f5003.shtml

http://jcalcote.wordpress.com/tag/truststore
(本文仅介绍如何从客户端(缺少服务器端)重新创建SSLcontext)

http://jcalcote.wordpress.com/tag/truststore
(This article describes only how to recreate SSLcontext from the client side (missing the server side))

有什么想法吗?

还有另一个相关问题:

但是答案还不够,因为我不想建立一个新的ClassLoader.

but the answer there is not sufficient since I don't want to build a new ClassLoader.

谢谢.

从Tomcat v8.5.24开始,现在有一个解决方案.

There is now a solution to this starting with Tomcat v8.5.24.

他们介绍了两种名为: reloadSslHostConfig(String hostName)-重新加载特定的主机 reloadSslHostConfigs()-重新加载所有

They introduced 2 methods named: reloadSslHostConfig(String hostName) - to reload a specific host reloadSslHostConfigs() - reload all

可以通过多种方式调用它们:

They can be called in various ways:

  1. 使用jmx
  2. 使用经理服务
  3. 通过制定自定义协议-我在研究期间发现了这种方式

方法1和方法2的详细信息可轻松在线获得.

Details of way 1 and way 2 are easily available online.

有关使用方法3的详细信息:

Details of how to go about using way 3:

  1. 创建一个类,扩展您选择的协议,例如. Http11NioProtocol
  2. 覆盖必需的方法,仅在其中调用super即可保持默认行为
  3. 在此类中创建一个线程以不时调用reloadSslHostConfigs方法
  4. 将此类包装在一个jar中,然后将该jar放入tomcat的lib文件夹中
  5. 在server.xml的连接器中编辑协议以使用此自定义协议

在下面找到示例代码:

主协议类:

    package com.myown.connector;

    import java.io.File;
    import java.io.InputStream;
    import java.lang.reflect.Field;
    import java.net.URL;
    import java.net.URLConnection;
    import java.nio.file.StandardCopyOption;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.concurrent.ConcurrentMap;

    import javax.management.MalformedObjectNameException;
    import javax.management.ObjectName;
    import javax.net.ssl.SSLSessionContext;

    import org.apache.coyote.http11.Http11NioProtocol;
    import org.apache.juli.logging.Log;
    import org.apache.juli.logging.LogFactory;
    import org.apache.tomcat.util.modeler.Registry;
    import org.apache.tomcat.util.net.AbstractEndpoint;
    import org.apache.tomcat.util.net.AbstractJsseEndpoint;
    import org.apache.tomcat.util.net.GetSslConfig;
    import org.apache.tomcat.util.net.SSLContext;
    import org.apache.tomcat.util.net.SSLHostConfig;
    import org.apache.tomcat.util.net.SSLHostConfigCertificate;
    import org.apache.tomcat.util.net.SSLImplementation;
    import org.apache.tomcat.util.net.SSLUtil;

    public class ReloadProtocol extends Http11NioProtocol {

        private static final Log log = LogFactory.getLog(Http12ProtocolSSL.class);

        public ReloadProtocol() {
            super();
            RefreshSslConfigThread refresher = new 
                  RefreshSslConfigThread(this.getEndpoint(), this);
            refresher.start();
        }

        @Override
        public void setKeystorePass(String s) {
            super.setKeystorePass(s);
        }

        @Override
        public void setKeyPass(String s) {
            super.setKeyPass(s);
        }

        @Override
        public void setTruststorePass(String p) {
            super.setTruststorePass(p);
        }

        class RefreshSslConfigThread extends Thread {

            AbstractJsseEndpoint<?> abstractJsseEndpoint = null;
            Http11NioProtocol protocol = null;

            public RefreshSslConfigThread(AbstractJsseEndpoint<?> abstractJsseEndpoint, Http11NioProtocol protocol) {
                this.abstractJsseEndpoint = abstractJsseEndpoint;
                this.protocol = protocol;
            }

            public void run() {
                int timeBetweenRefreshesInt = 1000000; // time in milli-seconds
                while (true) {
                    try {
                            abstractJsseEndpoint.reloadSslHostConfigs();
                            System.out.println("Config Updated");
                    } catch (Exception e) {
                        System.out.println("Problem while reloading.");
                    }
                    try {
                        Thread.sleep(timeBetweenRefreshesInt);
                    } catch (InterruptedException e) {
                        System.out.println("Error while sleeping");
                    }
                }
            }
       }
}

server.xml中的连接器应将此作为协议提及:

Connector in server.xml should mention this as the protocol:

<Connector protocol="com.myown.connector.ReloadProtocol"
 ..........

希望这会有所帮助.

相关推荐