以服務(wù)server-one和server-two之間使用RestTemplate以https調(diào)用為例

一雷激、生成密鑰

需要生成server-one和server-two的客戶端密鑰和一個信任庫密鑰

1理郑、生成TrustStore(信任庫)

keytool -genkey -alias trustkeys -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore trustKeys.p12 -validity 36500

image-20210521153617347.png

2、生成server-one客戶端密鑰

keytool -genkey -alias server-one -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-one.p12 -validity 36500

image-20210521153826177.png

3寂殉、生成server-two客戶端密鑰

keytool -genkey -alias server-two -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-two.p12 -validity 36500

image-20210521153946789.png

• genkey 表示要創(chuàng)建一個新的密鑰囚巴。
• alias 表示 keystore 的別名。
• keyalg 表示使用的加密算法是 RSA 友扰，一種非對稱加密算法彤叉。
• keysize 表示密鑰的長度。
• keystore 表示生成的密鑰存放位置村怪。
• validity 表示密鑰的有效時間秽浇，單位為天。

二甚负、導(dǎo)出客戶端公鑰添加到信任庫

1柬焕、導(dǎo)出server-one的公鑰

keytool -keystore server-one.p12 -export -alias server-two -file server-one-publicKey.cer

image-20210521154602190.png

2审残、導(dǎo)出server-two的公鑰

keytool -keystore server-two.p12 -export -alias server-two -file server-two-publicKey.cer

image-20210521154637261.png

3、添加客戶端公鑰到信任庫

keytool -import -alias server-one -v -file server-one-publicKey.cer -keystore trustKeys.p12

keytool -import -alias server-two -v -file server-two-publicKey.cer -keystore trustKeys.p12

image-20210521154826052.png

三斑举、配置SpringBoot支持https

1搅轿、拷貝相應(yīng)密鑰到resources

service-one

image-20210521155045950.png

service-two

image-20210521155132357.png

2、修改application.yml配置文件

service-one

server:
  ssl:
    enable: true
    client-auth: need #雙向認證need
    key-store: classpath:ssl/server-one.p12
    key-store-password: 123456
    key-store-type: PKCS12
    key-alias: server-one
    trust-store: classpath:ssl/trustKeys.p12
    trust-store-password: 123456
    trust-store-type: PKCS12

service-two

server:
  ssl:
    enable: true
    client-auth: need #雙向認證need
    key-store: classpath:ssl/server-two.p12
    key-store-password: 123456
    key-store-type: PKCS12
    key-alias: server-two
    trust-store: classpath:ssl/trustKeys.p12
    trust-store-password: 123456
    trust-store-type: PKCS12

3富玷、啟動服務(wù)并驗證https

瀏覽器訪問：https://localhost:8081/server-one/get

image-20210521161739758.png

此時無法訪問

單擊server-one.p12或server-two.p12為瀏覽器安裝證書

安裝后再次訪問

image-20210521162019112.png

點擊確定后即可訪問到頁面

4璧坟、配置RestTemplate

pom添加httpclient支持

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.13</version>
</dependency>

設(shè)置RestTemplate支持https請求

package com.example.serviceone.config;

import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.util.ResourceUtils;
import org.springframework.web.client.RestTemplate;

import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateException;
import java.time.Duration;

/**
 * Created by chenzan on 2021/05/21
 */
@Configuration
public class RestTemplateConfig {
    @Value("${server.ssl.key-store}")
    String clientPath;
    @Value("${server.ssl.key-store-password}")
    String clientPass;
    @Value("${server.ssl.key-store-type}")
    String clientKeyType;
    @Value("${server.ssl.trust-store}")
    String trustPath;
    @Value("${server.ssl.trust-store-password}")
    String trustPass;
    @Value("${server.ssl.trust-store-type}")
    String trustKeyType;

    @Bean
    public RestTemplate restTemplate() {
        RestTemplate restTemplate = null;
        try {
            HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
            // 客戶端證書類型
            KeyStore clientStore = KeyStore.getInstance(clientKeyType);
            // 加載客戶端證書，即自己的私鑰
            clientStore.load(new FileInputStream(ResourceUtils.getFile(clientPath)), clientPass.toCharArray());
            // 創(chuàng)建密鑰管理工廠實例
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // 初始化客戶端密鑰庫
            keyManagerFactory.init(clientStore, clientPass.toCharArray());
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

            // 創(chuàng)建信任庫管理工廠實例
            TrustManagerFactory trustManagerFactory = TrustManagerFactory
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore trustStore = KeyStore.getInstance(trustKeyType);
            trustStore.load(new FileInputStream(ResourceUtils.getFile(trustPath)), trustPass.toCharArray());

            // 初始化信任庫
            trustManagerFactory.init(trustStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            // 建立TLS連接
            SSLContext sslContext = SSLContext.getInstance("TLS");
            // 初始化SSLContext
            sslContext.init(keyManagers, trustManagers, new SecureRandom());
            // INSTANCE 忽略域名檢查
            SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
            CloseableHttpClient httpclient = HttpClients
                    .custom()
                    .setSSLSocketFactory(sslConnectionSocketFactory)
                    .setSSLHostnameVerifier(new NoopHostnameVerifier())
                    .build();
            requestFactory.setHttpClient(httpclient);
            requestFactory.setConnectTimeout((int) Duration.ofSeconds(15).toMillis());
            restTemplate = new RestTemplate(requestFactory);
        } catch (KeyManagementException | FileNotFoundException | NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
            e.printStackTrace();
        }
        return restTemplate;
    }
}

添加測試代碼

server-one和server-two分別在Controller添加代碼

server-two中

@RestController
public class ServerTwoController {

    @RequestMapping("/get")
    public String get() {
        return "two";
    }
}

server-one中

@RestController
public class ServerOneController {

    @RequestMapping("/get")
    public String get() {
        return "one";
    }
}

添加test代碼

@SpringBootTest
public class ServiceOneApplicationTests {
    String url = "https://localhost:8081/server-two/get";
    @Autowired
    private RestTemplate restTemplate;

    @Test
    public void testHttpsGet() {
        ResponseEntity<String> forEntity = restTemplate.getForEntity(url, String.class);
        System.out.println(forEntity.toString());
    }
}

執(zhí)行返回

<200,two,[Content-Type:"text/plain;charset=UTF-8", Content-Length:"3", Date:"Fri, 21 May 2021 08:12:51 GMT", Keep-Alive:"timeout=60", Connection:"keep-alive"]>