The previous post, JBoss EAP6.x Domain Cluster + mod_cluster-1.2.6 Load Balancer, covered how to build an EAP cluster; this one is about SSL. Most websites now protect the data exchanged with their users with SSL, and an enterprise that runs many sites gains flexibility by using a Wildcard SSL Certificate. The steps for setting up an SSL certificate are roughly as shown in the figure below:

[Figure: ssl, the SSL certificate setup steps]

With the setup and usage steps understood, let's work through them. The SSL certificate from https://ssl.comodo.com/wildcard-ssl-certificates.p... is used as the example.

Step 01: Generate the private key with the command openssl genrsa -out server.key 2048 (the private key is not passphrase-protected)

[root@eap-dev jboss]# pwd
/opt/jboss
[root@eap-dev jboss]# rpm -qa | grep openssl
openssl-1.0.1e-42.el7.x86_64
openssl-libs-1.0.1e-42.el7.x86_64

[root@eap-dev jboss]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
...........................+++
e is 65537 (0x10001)

Note: adding the -des3 option passphrase-protects the private key, as shown below

[root@eap-dev jboss]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:


Step 02: Generate the CSR file and fill in the certificate details with the command openssl req -new -key server.key -out xxx.CSR

[root@eap-dev jboss]# openssl req -new -key server.key -out EAP-DEV.CSR
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taichung
Organization Name (eg, company) [Default Company Ltd]:xxxxxx Industrial Corp.
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:*.xxxxxx.com
Email Address []:tech.admin@xxxxxx.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The generated CSR looks something like the figure below

[Figure: server-csr-content]

Step 03: Apply for the certificate from the CA, comodo.com

[Figure: Comodo-ssl-wildcard]

Once COMODO's validation succeeds you receive two files, yourDomainName.crt and yourDomainName.ca-bundle:

a. Copy the server.key generated in Step 01 to /etc/ssl/ssl.key/

b. Copy the two files received from COMODO, STAR_yourDomainName.crt and STAR_yourDomainName.ca-bundle, to /etc/ssl/ssl.crt/

The three steps above only need to be done once. From then on, copying these three files, server.key, STAR_yourDomainName.crt and STAR_yourDomainName.ca-bundle, to another host is enough to give it SSL protection.
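As an added example (not from the original post), the following script performs Steps 01 and 02 non-interactively and adds the checks worth running before the key is copied next to the CA-issued .crt: reading the CN back from the CSR, verifying the CSR's own signature, and confirming that the private key's RSA modulus matches the CSR (the same check, with "x509" in place of "req", confirms the key matches the .crt received in Step 03). It assumes openssl is on PATH; "example.com" and "Example Corp" are placeholders for the post's xxxxxx.com and xxxxxx Industrial Corp.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: openssl on PATH;
# example.com / Example Corp are placeholders for the post's redacted values.
set -eu

WORKDIR=$(mktemp -d)     # scratch directory; real files go under /etc/ssl
DOMAIN="example.com"

# Step 01 + 02: 2048-bit RSA key without passphrase, then a CSR whose CN is
# the wildcard name. -subj supplies the DN fields instead of the prompts.
gen_wildcard_csr() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/STAR_$DOMAIN.csr" \
        -subj "/C=TW/ST=Taiwan/L=Taichung/O=Example Corp/OU=Information Technology/CN=*.$DOMAIN"
}

# Read the CN back from a CSR; handles both "CN=" and "CN = " subject styles.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Verify the CSR's self-signature so a corrupted file is not sent to the CA.
csr_valid() {
    if openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo ok
    else
        echo bad
    fi
}

# Compare the RSA modulus of a key with that of a CSR ("req") or a
# certificate ("x509"). A server.key that does not belong to the .crt is a
# common reason httpd fails to start after Step 04; this catches it early.
key_matches() {
    key="$1"; file="$2"; kind="$3"
    k=$(openssl rsa -in "$key" -noout -modulus | openssl sha256)
    c=$(openssl "$kind" -in "$file" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Stand-alone run: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    gen_wildcard_csr
    echo "CN:      $(csr_cn "$WORKDIR/STAR_$DOMAIN.csr")"
    echo "CSR:     $(csr_valid "$WORKDIR/STAR_$DOMAIN.csr")"
    echo "key/CSR: $(key_matches "$WORKDIR/server.key" "$WORKDIR/STAR_$DOMAIN.csr" req)"
fi
```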

 

Step 04: Edit /opt/jboss/httpd/httpd/conf/httpd.conf and uncomment Include extra/httpd-ssl.conf so the SSL configuration file is applied. Then edit extra/httpd-ssl.conf and change the following:

Listen 443

<VirtualHost _default_:443>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server Certificate:
SSLCertificateFile "/etc/ssl/ssl.crt/STAR_xxxxxx_com.crt"

#   Server Private Key:
SSLCertificateKeyFile "/etc/ssl/ssl.key/server.key"

#   Server Certificate Chain:
SSLCertificateChainFile "/etc/ssl/ssl.crt/STAR_xxxxxx_com.ca-bundle"

</VirtualHost>

 

Step 05: Edit /opt/jboss/httpd/httpd/conf/httpd.conf and uncomment Include extra/httpd-vhosts.conf so the vhosts configuration file is applied. Then edit extra/httpd-vhosts.conf and change the following:

<VirtualHost *:80>
    ServerAdmin tech.admin@xxxxxx.com
    DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
    ServerName eap-dev.xxxxxx.com
    ServerAlias www.eap-dev.xxxxxx.com
    ErrorLog "logs/eap-dev-error_log"
    CustomLog "logs/eap-dev-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin tech.admin@xxxxxx.com
    DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
    ServerName bpm-dev.xxxxxx.com
    ErrorLog "logs/bpm-dev-error_log"
    CustomLog "logs/bpm-dev-access_log" common
</VirtualHost>

 

That completes the whole setup.
