配置Tomcat連接密碼設備實現HTTPS

硬件密碼模塊(HSM)可以是密碼機、密碼卡、USBKey，前提是它們有提供PKCS#11接口。
Tomcat(JBoss等J2EE服務器)連接加密機(加密卡,USBKey)等做SSL服務端，通信調用層次大概是HTTPS->JSSE->JCE->PKCS#11->密碼介質。

下面以海泰USBKey爲例，配置基本步驟：
1 寫P11配置文件pkcs11.cfg，內容大概：
name = HtKeyTest
library = C:/Windows/System32/HtPkcs11.dll
slot = 0

2 配置JRE的java.security文件，增加一個提供者：
security.provider.10=sun.security.pkcs11.SunPKCS11 D:/Java/jre6/lib/security/pkcs11.cfg

3 配置Tomcat的server.xml，在SSL配置項：
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      truststoreFile="${catalina.home}/conf/https/cacerts"

      keystoreProvider="SunPKCS11-HtKeyTest"
      keystore="NONE"
      keystoreType="PKCS11"
      keystorePass="12345678"
/>

Tomcat會找到第一個容器裏的證書及密鑰對作爲服務器端證書及密鑰對。然後就可以正常訪問 https://ip/ 了

 

 

一些有用的命令：

keytool命令:
keytool -keystore NONE -storetype PKCS11 -providerName SunPKCS11-HtKeyTest -list

 

Tomcat配置參數說明：

<Connector port="443"
  minSpareThreads="25"
  maxThreads="150"
  maxSpareThreads="75"
  maxHttpHeaderSize="8192"
  enableLookups="false"
  disableUploadTimeout="true"
  acceptCount="100"
  connectionTimeout="60000"

  SSLEnabled="true"
  scheme="https"
  secure="true"
  clientAuth="true"  //"true","want","false". default "false"
  protocol="TLS"  //"TLS","SSL v3". default "TLS"
  ciphers="TLS_RSA_WITH_RC4_128_SHA"

  truststoreProvider="SunJSSE"
  truststoreType="JKS"  //default "JKS"
  truststoreFile="${catalina.home}/conf/https/cacerts"
  truststorePass="12345678" //default "changeit"
  truststoreAlgorithm="PKIX" //"SunX509","PKIX"
  crlFile="netca_indv.crl"

  keystoreProvider="SunPKCS11-HtKeyTest"
  keystoreType="PKCS11"  //"JKS","PKCS12". default "JKS"
  keystore="mykey.jks"
  keyAlias="FCA584CA-D5DC-CB1B-0CDE-38B039424862" //default "server"
  keystorePass="12345678" //default "changeit"
  algorithm="SunX509"  //"SunX509","NewSunX509"
/>
javax.net.ssl.keyStoreType system property

 

REF:
Sun JSSE的配置：http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
Sun PKCS11 JCE的配置：http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html
SSL/TLS Configuration HOW-TO: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Apache Tomcat Configuration Reference -> The HTTP Connector：https://tomcat.apache.org/tomcat-7.0-doc/config/http.html