In the previous post, JBoss EAP6.x Domain Cluster + mod_cluster-1.2.6 Load Balancer, we covered how to build an EAP cluster; this time the topic is SSL. Data transfer between websites and their users is now mostly protected with SSL, and an enterprise with many websites gains flexibility by using a Wildcard SSL Certificate. The steps for setting up an SSL certificate are roughly as shown in the figure below:
Once the setup and usage steps are understood, let's put them into practice. The SSL certificate from https://ssl.comodo.com/wildcard-ssl-certificates.p... is used as the example.
Step 01: Generate the private key with the command openssl genrsa -out server.key 2048 (the private key is not passphrase-protected)
[root@eap-dev jboss]# pwd
/opt/jboss
[root@eap-dev jboss]# rpm -qa | grep openssl
openssl-1.0.1e-42.el7.x86_64
openssl-libs-1.0.1e-42.el7.x86_64
[root@eap-dev jboss]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
...........................+++
e is 65537 (0x10001)
Note: adding the -des3 option passphrase-protects the private key, as shown below
[root@eap-dev jboss]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Step 02: Generate the CSR file and fill in the certificate details with the command openssl req -new -key server.key -out xxx.CSR
[root@eap-dev jboss]# openssl req -new -key server.key -out EAP-DEV.CSR
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taichung
Organization Name (eg, company) [Default Company Ltd]:xxxxxx Industrial Corp.
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:*.xxxxxx.com
Email Address []:tech.admin@xxxxxx.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The generated CSR looks something like the figure below
Step 03: Apply for the certificate from the CA, comodo.com
After COMODO's validation succeeds you will receive two files, yourDomainName.crt and yourDomainName.ca-bundle:
a. Copy server.key, the private key generated in Step 01, to /etc/ssl/ssl.key/
b. Copy the two files obtained from COMODO, STAR_yourDomainName.crt and STAR_yourDomainName.ca-bundle, to /etc/ssl/ssl.crt/
The three steps above only need to be done once; from then on, copying these three files (server.key, STAR_yourDomainName.crt and STAR_yourDomainName.ca-bundle) to another host is all it takes to give it SSL protection.
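Steps 01 to 03 as a non-interactive script, added here as an example; it is not part of the original post and does not come from COMODO or JBoss. The directory, domain and DN values are placeholders. Beyond the post's two openssl commands it adds a subjectAltName to the CSR (a wildcard is matched against the SAN, and it does not cover the bare domain by itself), and two checks worth running: that the private key, the CSR and later the issued certificate carry the same RSA modulus, and that the issued certificate verifies against the ca-bundle before it is copied to /etc/ssl.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive key + CSR
# generation for a wildcard certificate, with the checks to run before
# submitting the CSR and after the CA returns the certificate.
# Paths, domain and DN values are placeholders; adjust to your own.
set -eu

# gen_key_csr DIR DOMAIN : writes DIR/server.key and DIR/server.csr
gen_key_csr() {
    dir=$1; domain=$2
    mkdir -p "$dir"
    # 2048-bit RSA key without a passphrase, as in the post's genrsa call
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # only the owner may read the private key
    chmod 600 "$dir/server.key"
    # DN comes from an OpenSSL config so no interactive prompts are needed;
    # the SAN lists the wildcard and the bare domain (a wildcard does not
    # cover the apex name by itself)
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = TW
ST = Taiwan
L = Taichung
O = Example Industrial Corp.
OU = Information Technology
CN = *.$domain
[v3_req]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/csr.cnf"
}

# modulus FILE : prints the RSA modulus of a .key, .csr or .crt file
modulus() {
    case $1 in
        *.key) openssl rsa  -noout -modulus -in "$1" ;;
        *.csr) openssl req  -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
        *)     echo "unsupported file type: $1" >&2; return 1 ;;
    esac
}

# keys_match A B : succeeds when both files carry the same RSA modulus,
# i.e. the CSR (or the issued certificate) really belongs to this key
keys_match() {
    [ "$(modulus "$1")" = "$(modulus "$2")" ]
}

# csr_san CSR : prints the Subject Alternative Name line of a CSR, for a
# last look at what will be submitted to the CA
csr_san() {
    openssl req -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# verify_chain CRT BUNDLE : succeeds when CRT chains to the CA bundle;
# run it on STAR_yourDomainName.crt and STAR_yourDomainName.ca-bundle
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Typical use is gen_key_csr /opt/jboss xxxxxx.com, then keys_match and csr_san on the result before submitting, and keys_match plus verify_chain on the .crt and .ca-bundle that come back from COMODO.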
Step 04: Edit /opt/jboss/httpd/httpd/conf/httpd.conf and uncomment Include extra/httpd-ssl.conf so the SSL configuration file is applied. Then edit extra/httpd-ssl.conf and change the following:
Listen 443
Step 05: Edit /opt/jboss/httpd/httpd/conf/httpd.conf and uncomment Include extra/httpd-vhosts.conf so the vhosts configuration file is applied. Then edit extra/httpd-vhosts.conf and change the following:
<VirtualHost *:80>
    ServerAdmin tech.admin@xxxxxx.com
    DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
    ServerName eap-dev.xxxxxx.com
    ServerAlias www.eap-dev.xxxxxx.com
    ErrorLog "logs/eap-dev-error_log"
    CustomLog "logs/eap-dev-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin tech.admin@xxxxxx.com
    DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
    ServerName bpm-dev.xxxxxx.com
    ErrorLog "logs/bpm-dev-error_log"
    CustomLog "logs/bpm-dev-access_log" common
</VirtualHost>
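Steps 04 and 05 as a script, added here as an example; it is not from the original post or the JBoss httpd package. It uncomments an Include line in httpd.conf, writes the HTTPS virtual host with the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives pointing at the files placed under /etc/ssl in Step 03 (the post's Listen 443 edit alone does not tell Apache where the key and certificate are), and checks that a finished httpd-ssl.conf references all three. The hostname and paths follow the post; putting the directives in a single *:443 virtual host is an assumption about your layout.

```shell
#!/bin/sh
# Added example, not from the original post or the JBoss httpd package:
# enables an "Include" line in httpd.conf, writes the HTTPS virtual host
# that points Apache at the key and certificate files from Step 03, and
# checks that a finished httpd-ssl.conf references all three files.
# Hostnames and the /opt/jboss and /etc/ssl paths follow the post.
set -eu

# enable_include CONF NAME : removes the leading '#' from the
# "Include .../NAME" line in CONF (e.g. NAME = httpd-ssl.conf);
# written via a temp file so it works without GNU sed -i
enable_include() {
    conf=$1; name=$2
    sed "s|^#[[:space:]]*\(Include[[:space:]].*$name\)|\1|" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# write_ssl_vhost FILE HOSTNAME : writes the SSL virtual host. The
# certificate paths are where Step 03 copied the COMODO files; the
# ca-bundle goes in SSLCertificateChainFile so clients receive the
# intermediate certificates (on Apache 2.4.8+ it may instead be appended
# to the SSLCertificateFile). SSLProtocol disables SSLv2/SSLv3, which
# the stock httpd-ssl.conf of that era still allowed.
write_ssl_vhost() {
    out=$1; host=$2
    cat > "$out" <<EOF
Listen 443
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    ServerName $host
    DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
    SSLEngine on
    SSLCertificateFile      /etc/ssl/ssl.crt/STAR_yourDomainName.crt
    SSLCertificateKeyFile   /etc/ssl/ssl.key/server.key
    SSLCertificateChainFile /etc/ssl/ssl.crt/STAR_yourDomainName.ca-bundle
    ErrorLog  "logs/${host}-ssl-error_log"
    CustomLog "logs/${host}-ssl-access_log" common
</VirtualHost>
EOF
}

# check_ssl_vhost FILE : succeeds only when SSLEngine is on and all three
# SSLCertificate* directives are present; a missing chain file is the
# usual cause of "untrusted certificate" warnings on first deployment
check_ssl_vhost() {
    for d in 'SSLEngine on' SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        grep -q "^[[:space:]]*$d" "$1" || { echo "missing: $d" >&2; return 1; }
    done
}
```

After writing the file, run the httpd binary's own syntax check (apachectl -t or httpd -t) before restarting; check_ssl_vhost only catches the three directives being absent, not a wrong path inside them.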
That completes the whole setup.