From 5b22fda629d206c1cac1f158c0c9d646d2f69d93 Mon Sep 17 00:00:00 2001
From: Shauway
Date: Fri, 23 Sep 2016 10:26:13 +0800
Subject: [PATCH] Optimize two way authentication configuration

Signed-off-by: Shauway
---
 .../connectors/configuring-ssl.adoc | 191 +++++++++++++++---
 .../connectors/images/certificate-chain.png | Bin 0 -> 6013 bytes
 2 files changed, 159 insertions(+), 32 deletions(-)
 create mode 100644 jetty-documentation/src/main/asciidoc/configuring/connectors/images/certificate-chain.png

diff --git a/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc b/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
index 05116b34bb9..a39d62d4be5 100644
--- a/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
+++ b/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
@@ -357,38 +357,76 @@ If you imported the key and certificate originally using the PKCS12 method, use [[two-way-authentication]] ==== Two way authentication -First you need load the ssl module. +First you need load the `ssl` module and `https` module. [source%nowrap,ini,linenums] -.start.d/ssl.ini +.$JETTY_BASE/start.d/ssl.ini ---- +# Module: ssl --module=ssl -jetty.secure.port=8443 -jetty.keystore=etc/keystore -jetty.keystore.password=OBF: -jetty.keymanager.password=OBF: -jetty.truststore=etc/truststore -jetty.truststore.password=OBF: + +jetty.ssl.host=0.0.0.0 +jetty.ssl.port=8583 +jetty.sslContext.keyStorePath=etc/keystore +jetty.sslContext.trustStorePath=etc/keystore +jetty.sslContext.keyStorePassword=OBF: +jetty.sslContext.keyManagerPassword=OBF: +jetty.sslContext.trustStorePassword=OBF: +jetty.sslContext.trustStoreType=JKS # enable two way authentication -jetty.ssl.needClientAuth=true +jetty.sslContext.needClientAuth=true +---- + +[source%nowrap,ini,linenums] +.$JETTY_BASE/start.d/https.ini +---- +# Module: https +--module=https ---- [[layout-of-keystore-and-truststore]] ===== Layout of `keystore` and `truststore` -`keystore` only contains the server's private key and certificate. +[[img-certificate-chain]] +image::images/certificate-chain.png[title="Certificate chain", alt="Certificate chain"] + +[literal] +.The structure of KeyStore file +.... +├── PrivateKeyEntry +│   ├── PrivateKey +│   ├── Certificate chain +│   │   ├── Server certificate (end entity) +│   │   ├── Intermediary CA certificate +│   │   └── Root CA certificate +├── TrustedCertEntry +│   └── Intermediary CA certificate +└── TrustedCertEntry +    └── Root CA certificate +.... 
+ +[TIP] +==== +└── PrivateKeyEntry + +    └── Certificate chain + +       ├── Intermediary CA certificate + +       └── Root CA certificate + +are optional +==== + [source%nowrap,plain,linenums] ---- -$ keytool -list -keystore keystore -storetype jks -storepass '' -v +$ cd $JETTY_BASE +$ keytool -list -keystore etc/keystore -storetype jks -storepass '' -v Keystore type: JKS Keystore provider: SUN -Your keystore contains 1 entry +Your keystore contains 3 entries Alias name: *.example.com -Creation date: Sep 12, 2016 +Creation date: Sep 20, 2016 Entry type: PrivateKeyEntry -Certificate chain length: 1 +Certificate chain length: 3 Certificate[1]: Owner: CN=*.example.com, OU=Web Servers, O="Example.com Co.,Ltd.", C=CN Issuer: CN="Example.com Co.,Ltd. ETP CA", OU=CA Center, O="Example.com Co.,Ltd.", C=CN 
@@ -438,26 +476,98 @@ KeyIdentifier [ ] ] +Certificate[2]: +Owner: CN="Example.com Co.,Ltd. ETP CA", OU=CA Center, O="Example.com Co.,Ltd.", C=CN +Issuer: CN="Example.com Co.,Ltd. Root CA", OU=CA Center, O="Example.com Co.,Ltd.", C=CN +Serial number: f6e7b86f6fdb467f9498fb599310198f +Valid from: Wed Nov 18 00:00:00 CST 2015 until: Sun Nov 18 00:00:00 CST 2035 +Certificate fingerprints: + MD5: ED:A3:91:57:D8:B8:6E:B1:01:58:55:5C:33:14:F5:99 + SHA1: D9:A4:93:9D:A6:F8:A3:F9:FD:85:51:E2:C5:2E:0B:EE:80:E7:D0:22 + SHA256: BF:54:7A:F6:CA:0C:FA:EF:93:B6:6B:6E:2E:D7:44:A8:40:00:EC:69:3A:2C:CC:9A:F7:FE:8E:6F:C0:FA:22:38 + Signature algorithm name: SHA256withRSA + Version: 3 + +Extensions: + +#1: ObjectId: 2.5.29.35 Criticality=false +AuthorityKeyIdentifier [ +KeyIdentifier [ +0000: A6 BD 5F B3 E8 7D 74 3D 20 44 66 1A 16 3B 1B DF .._...t= Df..;.. +0010: E6 E6 04 46 ...F +] +] + +#2: ObjectId: 2.5.29.19 Criticality=true +BasicConstraints:[ + CA:true + PathLen:2147483647 +] + +#3: ObjectId: 2.5.29.15 Criticality=true +KeyUsage [ + Key_CertSign + Crl_Sign +] + +#4: ObjectId: 2.5.29.14 Criticality=false +SubjectKeyIdentifier [ +KeyIdentifier [ +0000: 44 9B AD 31 E7 FE CA D5 5A 8E 17 55 F9 F0 1D 6B D..1....Z..U...k +0010: F5 A5 8F C1 .... +] +] + +Certificate[3]: +Owner: CN="Example.com Co.,Ltd. Root CA", OU=CA Center, O="Example.com Co.,Ltd.", C=CN +Issuer: CN="Example.com Co.,Ltd. 
Root CA", OU=CA Center, O="Example.com Co.,Ltd.", C=CN +Serial number: f0a45bc9972c458cbeae3f723055f1ac +Valid from: Wed Nov 18 00:00:00 CST 2015 until: Sun Nov 18 00:00:00 CST 2114 +Certificate fingerprints: + MD5: 50:61:62:22:71:60:F7:69:2E:27:42:6B:62:31:82:79 + SHA1: 7A:6D:A6:48:B1:43:03:3B:EA:A0:29:2F:19:65:9C:9B:0E:B1:03:1A + SHA256: 05:3B:9C:5B:8E:18:61:61:D1:9C:AA:0E:8C:B1:EA:44:C2:6E:67:5D:96:30:EC:8C:F6:6F:E1:EC:AD:00:60:F1 + Signature algorithm name: SHA256withRSA + Version: 3 + +Extensions: + +#1: ObjectId: 2.5.29.35 Criticality=false +AuthorityKeyIdentifier [ +KeyIdentifier [ +0000: A6 BD 5F B3 E8 7D 74 3D 20 44 66 1A 16 3B 1B DF .._...t= Df..;.. +0010: E6 E6 04 46 ...F +] +] + +#2: ObjectId: 2.5.29.19 Criticality=true +BasicConstraints:[ + CA:true + PathLen:2147483647 +] + +#3: ObjectId: 2.5.29.15 Criticality=true +KeyUsage [ + Key_CertSign + Crl_Sign +] + +#4: ObjectId: 2.5.29.14 Criticality=false +SubjectKeyIdentifier [ +KeyIdentifier [ +0000: A6 BD 5F B3 E8 7D 74 3D 20 44 66 1A 16 3B 1B DF .._...t= Df..;.. +0010: E6 E6 04 46 ...F +] +] + ******************************************* ******************************************* ----- - -`truststore` contains intermediary CA and root CA. - -[source%nowrap,plain,linenums] ----- -$ keytool -list -keystore truststore -storetype jks -storepass '' -v - -Keystore type: JKS -Keystore provider: SUN - -Your keystore contains 2 entries Alias name: example.com co.,ltd. etp ca -Creation date: Sep 12, 2016 +Creation date: Sep 20, 2016 Entry type: trustedCertEntry Owner: CN="Example.com Co.,Ltd. ETP CA", OU=CA Center, O="Example.com Co.,Ltd.", C=CN @@ -508,7 +618,7 @@ KeyIdentifier [ Alias name: example.com co.,ltd. root ca -Creation date: Sep 12, 2016 +Creation date: Sep 20, 2016 Entry type: trustedCertEntry Owner: CN="Example.com Co.,Ltd. Root CA", OU=CA Center, O="Example.com Co.,Ltd.", C=CN 
@@ -558,10 +668,27 @@ KeyIdentifier [ ******************************************* ---- -____ -[NOTE] -If you use a keystore which contains only one `PrivateKeyEntry` item as the `keystore` and the `truststore`, you may get a `javax.net.ssl.SSLHandshakeException` with `null cert chain` message. -____ +In addition, you can split `$JETTY/etc/keystore` as two files. +One is `$JETTY/etc/keystore` which only contains the server’s private key and certificate, +the other is `$JETTY/etc/truststore` which contains intermediary CA and root CA. + +[literal] +.The structure of `$JETTY/etc/keystore` +.... +└── PrivateKeyEntry +    ├── PrivateKey +    └── Certificate chain +       └── Server certificate (end entity) +.... + +[literal] +.The structure of `$JETTY/etc/truststore` +.... +├── TrustedCertEntry +│   └── Intermediary CA certificate +└── TrustedCertEntry +    └── Root CA certificate +.... [[configuring-sslcontextfactory]] ==== Configuring the Jetty SslContextFactory 
diff --git a/jetty-documentation/src/main/asciidoc/configuring/connectors/images/certificate-chain.png b/jetty-documentation/src/main/asciidoc/configuring/connectors/images/certificate-chain.png new file mode 100644 index 0000000000000000000000000000000000000000..6d2a614526f002d422ab4a6b82c5df80a86ffc6e GIT binary patch literal 6013 zcmbW52{hF2{>LTcXU`rYOA=$r78&ag$r@RP7#a*hwnD^YPeRC+nCxk6W8Y;@V=M{T zcayy#Tekc7-SfZqo^$X2{Fm=JW6XKxdA{@gJkRIze!V}DclB@6QgKj`kdV;c(NZ@8 z@1M_Jl%(J<-!1uW@OIuy?T#@eCFS_6!3_BLhr5=!7YWIQ{ z-*@Yi0e6{vI4=COW>jI05m2E)er24ZaZ`gX6rb0)ZWuz@LC4){qAlX*@x?b{(`W-h z$ZIkoKnOo(E3>51?_gj4$h<3BWrDeOH0l#NjLK^+|9*tEj&vir@ zi$I_4_s{z3=|x+L8R+QLKix*!+vg5Aesh#=&ysTJ&B@J`k(Pc{v2M3RMIJS?xR`ra zC@VYLZK5WKVP$A^xolU!0b3BDb8oif|&M&d|f1GVlQ6aOicE;&f#9PfYilU%R^*3O>b6O-(g5 z>|I2ATvFrin6s;^tD>Uf^768nm{^*utEU{?!s6wF6f}CeH(jBK+S|uxy6%a{wQF60 z))XPLT|B6x6--H#zHfBI*FqPF>HV8p4UkhyZl5iOznpK7iO{KCu1E1 z!_9d)B{{ht1j5L`z-&YJj~|ZG=1RHSROwX82MbIgEkE;>kMBTO#m&pec)tw~3o=th zR`7=A7&+a(-Sz3yC#`up-0#CfdU|^2N{d5{hn2rqOPZI6zTm#qj?9!?jVV)zPR9#QJ!(L9S8an>UV?V@XM@xkgVHKF4L>j{UOe z>Eq*rsLaX9>Fn&x%M;Xu@8I^nkW=%j=j7DXq~MV}3f?^~vN{6swO)ji4WH)m8V`Oo z#~hDbBPVH&4g?mj9Fm)pV{BrQn3#Ac_v^QB#s&s`g@uqxi}a)>ieeqHSk&Bo*XfimqVZeRin?UYLxGOu0iJvX1&E zO3=G>|5>1}Zja9QxKWo*373^`1rXM#jR3v$TZtQ14P+3muGEbOq?EL@u1-!)uCBCn zbjZ5o$a7*-cX&7Wl~Xs`^lwtKUgx5_pj!IjxlNoJ8SZ2+zD4T_Ea%fJ4HmK}=9U;SDuSO@VFUv`OL_ zB(gJ8v@w-cRpAj4OxD()k>w#FA#Rg(S6QPrr<)B5uP{)KjgKorq3o_+N5PkH*w?Qa zaAph$cJI|;(a_gdO(-)fok!F@zI%SjS)C(VQ#kR~k*vHDx@5qyp`igDXvRd|1LKd^ z5)d&hbg%gli#p=Z`68c!eOHS*4b;+lG3rvq{cCIMtE2QYC3HctAQ>3C7}cSj`xPmn ztjuF1Bb>Gc(iFq%>C$5pmn!zh32vO%;Ynk1RCYKR8$<5bkFPCu(c4T#~Sj z*3Ta#r=U=Jy45~8*;rKM+WG2|u8;J&Pp@QdSzAvB2a|^0g~PdXUJ9gOwQjJ}WM*cX zmB0gzcfgsmN7x9$Zl!OuM>2_{n#Hp)7##t|8k#sYww+tBbI*vdY&_N0gou47nPoMaL!g$>w~*_l_vGR9e;s z5wib_di*0>R^``6%dg4HUjp?4rls|nfJXH`zCDlgr8o8T+{#e&e^*#)+Z7{vzp9}k za1A@U)_k&4;#vEwkP6=D_hhy;Oi4)z2m%BGS=-#a)~P4RgzhsiFyO&l9(dSr!P%Ie zN6D^^{7riLWp;Ks!Q6)rA1-)4wXhh&r`;405sB8!*39N*O_%o)6csJX%zOZCSTNMf 
zvC+`fG&M5=RWcN}C@3HR_5Eqn@sg#Zqr-o1W0B~ao106?+XzP|B+L^CH@%j6%E}~h z;mSupLoCJ6GR~~TU%!?IqgX|^h{SF@KHzAd_$5)Kv9WP}e!jlGK2ncsc;I0rsQ6$h z$<)Hk%$7Rrd{-=gXbiXFEw?GCo7?8=*RMfYuqd%{nrYmdx?lY$-QG}Ly?uEwKe9_M zhCm=-j6cda55G|7D=_w(`E;(pSQ}!38Nwxr-f!^rc=}Xc@q(}JjjgoZ_K53&+iBCU z>hjbwzc>2dB+7yGk(AupTEyK-7ZVo#SX#=^MVy$J00ChVv0)cX#(`6yAR*y?xa%6H z^=)iS+l8H(+1Scza(r9|8vXKRo%gzhzrR88IClWMi3O71&A()P9@@|8)^L%D z>Cb1HUyKGHq_?-XgFV>!^~=})?CL`+H|OPb=AFwmik#n{toL~e%`nBRudI|kqZ|0D zqNYZgj62?_-((fDgc%yf#l_7oEol~J4>$sKzAIFLngyB`#U`F1X|IhyAoTTnj}P}c z5JYyayJNaJ_juJ_bRaI$laU4;iwB5ZB#B~x_;75sM#yY2W`$;rs%3g=f> zosUyKESKv0`yYZ+6c7-QUf~0j;QMzN&dLL==#MnFb9&x^D6*{G!ihJlQ<@kX+u7Tj z4-@zHc(}Q%Y9C0c7MY?z(nGoXKv+sf?)Uc250j-~xymL+toh<<>g%oRz40B3VesU( zTRS^DK-o)5+;SAuy}i8wX35CPQjn3+(9#AR5xe+@`tW$L(XMW8%|4rO1R~4cQh*T@ zp^rlkSED3C?}D&fS*62Eu5IMrH#e_+vN}x5DckVbIcFT)aSfkxBfF|1%zJsG9WtT_! zsHLUlT27P7mDjjMz-wT`u5NVc+F)UayX*G~jIUn33cjD4t5IOgE$_MTV<6kJcEU4a z>A&w!Fy@(JY4Vhy zSzTWjg+L~%T+Ob>% z$`OGgT623gf=BZECxPLip$?bxx)hlFd;-tu{)G@)lHU?c5ESY(9nyD1-rqtj!0MOpNdGqbtw=Z9`^ZZlUXXetG=epb&PtnAb5C9C@ zw@eryMmB#z#5uAk=s&R``0se(oBt0`5CQ;l0RRQ^@3CUWKn=P$QdA8|3W7J zGF26A9bqU-WV5Z0dD}vqkA()BDqJ14<#*cybq&QZ7dq7t1oc z?&i~DH{6TkSGj}BO22<($Hy~L{7$0;U+)1v#NAy&P;e>TXR0>v_}1^!sJ*GFDWEN6 zWMo{R$cNA?*%aeFXoDA1v~ycMjuyHT&g4c)QgUOmK7wIob91`F>7I(pr(&ymfT(qW z$9`aE@)R!T1JdBPsBj#(IsNQUC=v^ki(x`B@&jxJ9-;a7P)UljyJZN#2vEr@p@Lg> z$A8v<$y$j_61MW$cZGmoa8MQlJTf*0?38t&&KX+t!VD~iWnI3L6nN4B8i2q`KP{yh z=Nq7>hKFUpRL#i82u2T({j5HW~V0QKn4#`PL`hYr@ zH3cb5b#-Y56?JLaQOgpO9qsPKIgPygBnbmRv8))>Tx9E;nlhG=pX`8S{rt6jFO-3r zw|&+{BDa4?K}{s89Vb92xNs$4!=IJhk2xnai-#||n5fYn+!H7snCG-)Z)Uy_G$v)oRF?HSSAB&2tN^OFwt9<~603q!` zN_Ep#yG=I%_ldh#X%Rr^y*%fks@f7vPOU3A*x%nT-hAY_wQxsUbkx|Jw5@ddWVafR z$G6`LQ)@wBwPv&g_vbS-h7OHEUg(J${r4i43HPMZ-TX!Vrnm1OYjY+ zCx^g8Dj)wEG*CVkNa%J^;?l*uealg6nUR#_4XhqW$n1d+1CCmc4u8)6xtc#ZIvNxd z)IJZ6FAxS`dFUdTxVbYjGV}{X(!S^)?a#+rikS%~T4*YPMKezgF+*>5onxO>#>I4g zC<*I89M96D_7A5|^^2q=rING+gvG_Hc}A8WSZ=UiyhsF<;@Z`# 
zfQW!LxK7jzlm)_I-vNkpyEq=0r^U0^plk{4>e+qy4*zsCLee-gjXZH*>h1l^R5tURMg9t5;OqD06mDI`{?QDPL|T# z+__F?Lg-zDW53bF%<}~N8UQIGYQRF(0W#4QuA{E54oa_|UtMzYNSa&I=;Wl{D`nrG zSNQouaEqF^Z#y_RD7?dJnU-&+%5lif%gf6{HIl`xhnF84 z8XAU$g{hAM>x#6q`?2#oCWbCdO;riDJLKY5rNl8j&n9O1b9Bbj2;-#-(E2n*lx`}L#XUVb}*I9zle;Ii6>f`S6znE>^H?E?Y@eqK`AiBRH~ zg#|lnYwIwz2NLXoCkGCp{lxh$DJdz?^7-td1s!sf=AyeT#60$EJ|{Tf;?~=@Z+p?o zs2}~jK`Jw=t7-A^YQ_oOc6*!C1fnm{XbdLGNa|L)K3^QHq}gL$bNCcSVIpi|Y56WT z*1*%#)5}ZBa2H4<2nh%>0_%HnbU^1XXdaydl3XlVXTs<`h$KIM8{iRMY1c97AeHwc zt9OPoe-^t>H9VaTJX}u{F%yF~?C*}d@rV8!VnHs-h2B+BAt8Rk<3**U${QNEcpn2Y z2SOju$#`^p91#&wX;Gvnr7!%Qjdv5YrPMO}1>=C>c^Msz$KgP?MEM<_df3H=8iV!qfhnjkjaD z8xNM!D0$;K`9jtC3~g-QTNJ^89oUgOpkfb?^9!To4Fx~m-_MVR;(Tluzve9kh4Qj8 z4o=SVq@JC6lTVJoVxR~%AUy!zrj*b91 zL4E@F7uf<%cyF&h4-Zeg0-ucSnTZY!{V)W`d;_!^nc3KY+4hio_u|D1^Kv8$Gc#yt zaCMbf)&?v5wtNDR4cJkjk!9uOk&oji7j@LGHgsaXO0% z3v2VmF|)9w;+Me1hB}q|I#7Cvjgri>7OJd_TK<~LMHd0f&(3a}o<<*CXt_f!A|POQ zdU6cx8%Qb8F>t`b?CtF-d1ceA;P6M%8~{?UGIl$l1CSEzTx%itljBX)*@>QmY6brJ zA90V*T(!U$^aijn-L3F7Ack34KnQ@L|M1}h(0WicK^xR>cWsnNBwC8y6cYN}RJM%- zWcbk8xo8g&U?T0%`!4RS$CD>TU#OEc)adL2gYF3T1RmiZadwg9;=!LJiftHpQ;ELZLIE@0$C^I-C+Rh@X ze0pGz$H`0HCQ)R19|o&&9hb!^JO^s%@9V36`*uRf`4+!RApas!rI%0Xc$BzUSp^fi zC8eZ9Ljb^_4#%g3hJs?hhhWKguor#>|K}EQD><(;VBVEYN)nau#l44?E*a+~1ZSwp dNJLMlmCUPy5@}~Hg9bXu9Swc;Vl|uKzX6~qlac@c literal 0 HcmV?d00001