以服务server-one和server-two之间使用RestTemplate以https调用为例
一、生成密钥
需要生成server-one和server-two的客户端密钥和一个信任库密钥
1、生成TrustStore(信任库)
keytool -genkey -alias trustkeys -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore trustKeys.p12 -validity 36500
2、生成server-one客户端密钥
keytool -genkey -alias server-one -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-one.p12 -validity 36500
3、生成server-two客户端密钥
keytool -genkey -alias server-two -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-two.p12 -validity 36500
genkey 表示要创建一个新的密钥。 alias 表示 keystore 的别名。 keyalg 表示使用的加密算法是 RSA ,一种非对称加密算法。 keysize 表示密钥的长度。 keystore 表示生成的密钥存放位置。 validity 表示密钥的有效时间,单位为天。
二、导出客户端公钥添加到信任库
1、导出server-one的公钥
keytool -keystore server-one.p12 -export -alias server-two -file server-one-publicKey.cer
2、导出server-two的公钥
keytool -keystore server-two.p12 -export -alias server-two -file server-two-publicKey.cer
3、添加客户端公钥到信任库
keytool -import -alias server-one -v -file server-one-publicKey.cer -keystore trustKeys.p12
keytool -import -alias server-two -v -file server-two-publicKey.cer -keystore trustKeys.p12
三、配置SpringBoot支持https
1、拷贝相应密钥到resources
2、修改application.yml配置文件
service-one
server:
ssl:
enable: true
client-auth: need #双向认证need
key-store: classpath:ssl/server-one.p12
key-store-password: 123456
key-store-type: PKCS12
key-alias: server-one
trust-store: classpath:ssl/trustKeys.p12
trust-store-password: 123456
trust-store-type: PKCS12
service-two
server:
ssl:
enable: true
client-auth: need #双向认证need
key-store: classpath:ssl/server-two.p12
key-store-password: 123456
key-store-type: PKCS12
key-alias: server-two
trust-store: classpath:ssl/trustKeys.p12
trust-store-password: 123456
trust-store-type: PKCS12
3、配置RestTemplate
pom添加httpclient支持
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
</dependency>
设置RestTemplate支持https请求
package com.example.serviceone.config;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.util.ResourceUtils;
import org.springframework.web.client.RestTemplate;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateException;
import java.time.Duration;
/**
* Created by chenzan on 2021/05/21
*/
@Configuration
public class RestTemplateConfig {
@Value("${server.ssl.key-store}")
String clientPath;
@Value("${server.ssl.key-store-password}")
String clientPass;
@Value("${server.ssl.key-store-type}")
String clientKeyType;
@Value("${server.ssl.trust-store}")
String trustPath;
@Value("${server.ssl.trust-store-password}")
String trustPass;
@Value("${server.ssl.trust-store-type}")
String trustKeyType;
@Bean
public RestTemplate restTemplate() {
RestTemplate restTemplate = null;
try {
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
// 客户端证书类型
KeyStore clientStore = KeyStore.getInstance(clientKeyType);
// 加载客户端证书,即自己的私钥
clientStore.load(new FileInputStream(ResourceUtils.getFile(clientPath)), clientPass.toCharArray());
// 创建密钥管理工厂实例
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
// 初始化客户端密钥库
keyManagerFactory.init(clientStore, clientPass.toCharArray());
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
// 创建信任库管理工厂实例
TrustManagerFactory trustManagerFactory = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore trustStore = KeyStore.getInstance(trustKeyType);
trustStore.load(new FileInputStream(ResourceUtils.getFile(trustPath)), trustPass.toCharArray());
// 初始化信任库
trustManagerFactory.init(trustStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
// 建立TLS连接
SSLContext sslContext = SSLContext.getInstance("TLS");
// 初始化SSLContext
sslContext.init(keyManagers, trustManagers, new SecureRandom());
// INSTANCE 忽略域名检查
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
CloseableHttpClient httpclient = HttpClients
.custom()
.setSSLSocketFactory(sslConnectionSocketFactory)
.setSSLHostnameVerifier(new NoopHostnameVerifier())
.build();
requestFactory.setHttpClient(httpclient);
requestFactory.setConnectTimeout((int) Duration.ofSeconds(15).toMillis());
restTemplate = new RestTemplate(requestFactory);
} catch (KeyManagementException | FileNotFoundException | NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
e.printStackTrace();
}
return restTemplate;
}
}
添加测试代码 server-one和server-two分别在Controller添加代码
server-two中
@RestController
public class ServerTwoController {
@RequestMapping("/get")
public String get() {
return "two";
}
}
server-one中
@RestController
public class ServerOneController {
@RequestMapping("/get")
public String get() {
return "one";
}
}
添加test代码
@SpringBootTest
public class ServiceOneApplicationTests {
String url = "https://localhost:8081/server-two/get";
@Autowired
private RestTemplate restTemplate;
@Test
public void testHttpsGet() {
ResponseEntity<String> forEntity = restTemplate.getForEntity(url, String.class);
System.out.println(forEntity.toString());
}
}
执行返回
<200,two,[Content-Type:"text/plain;charset=UTF-8", Content-Length:"3", Date:"Fri, 21 May 2021 08:12:
本文由 GY 创作,采用 知识共享署名4.0 国际许可协议进行许可
本站文章除注明转载/出处外,均为本站原创或翻译,转载前请务必署名
最后编辑时间为:
2022/07/27 14:36