关于keystore问题

oXingYunXiaoTianShi 2013-02-18 01:20:28
代码如下红色部分是静态的,每次证书更改后都要重启服务,请问,怎么把它变成动态的,也就是证书更改后不用重启服务的那种:
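/**
 * 证书连接WIN AD — open an LDAPS connection to Windows AD, trusting the server
 * certificate through the trust store at {@code this.keyStorePath}.
 *
 * Why this is "static": {@code javax.net.ssl.trustStore} is a JVM-wide JSSE
 * property that the default SSLContext reads when it is first initialised; setting
 * it again later in the same process does not reload the trust store, so a changed
 * certificate only takes effect after a restart. Reloading per connection needs a
 * custom socket factory (LDAP property {@code java.naming.ldap.factory.socket})
 * that builds its own SSLContext from the key store file.
 *
 * The outcome is always recorded in {@code trmaps} under
 * {@code TestTypes.CONNADCERT}, whether the connection succeeded or not.
 *
 * @throws Exception if the LDAP context cannot be created; the exception message is
 *         stored in the test result before the exception is rethrown unchanged
 */
public void connectionWithCert() throws Exception {
    // Process-global; only honoured by the first SSLContext initialised in this JVM.
    System.setProperty("javax.net.ssl.trustStore", this.keyStorePath);
    // Created before the try so the catch/finally blocks never dereference a null tr.
    TestResult tr = new TestResult(TestTypes.CONNADCERT);
    try {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, SUN_JNDI_PROVIDER); // java.naming.factory.initial
        env.put(Context.PROVIDER_URL, "ldaps://" + props.getProperty("ip") + ":" + 636);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // java.naming.security.authentication
        env.put(Context.SECURITY_PRINCIPAL, props.getProperty("userDn")); // java.naming.security.principal
        env.put(Context.SECURITY_CREDENTIALS, props.getProperty("password")); // java.naming.security.credentials
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        tr.setMsg("证书连接WinAD,ip:" + props.getProperty("ip") + ",用户名:" + props.getProperty("userDn"));
        ctxWithCert = new InitialLdapContext(env, null);
        tr.setStateTrue();
    } catch (Exception e) {
        // Keep the failure reason for the caller's report, then propagate.
        tr.setMsg(e.getMessage());
        e.printStackTrace();
        throw e;
    } finally {
        trmaps.put(TestTypes.CONNADCERT, tr);
    }
}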
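/**
 * 带证书,账号修改 — replace an account's password over the certificate-backed
 * LDAPS connection ({@code ctxWithCert}), opening that connection first if needed.
 *
 * Active Directory only accepts writes to {@code unicodePwd} over an encrypted
 * connection and expects the value as the new password wrapped in double quotes and
 * encoded as UTF-16LE; the byte conversion below produces exactly that.
 *
 * @param acc    account identifier, resolved to a DN by {@code searchAccountByIMappingAttr}
 * @param newPwd new clear-text password; it is never logged or copied into the result message
 * @throws NotfoundObjectException if no DN matches {@code acc}
 * @throws Exception if connecting or modifying fails; the message is stored in the
 *         test result before the exception is rethrown unchanged
 */
@Override
public void accModify(String acc, String newPwd) throws Exception {
    if (null == ctxWithCert) {
        connectionWithCert();
    }
    // Created before the try so the catch/finally blocks never dereference a null tr.
    TestResult tr = new TestResult(TestTypes.MODIFY);
    try {
        String accountDN = searchAccountByIMappingAttr(acc);
        if (accountDN == null) {
            throw new NotfoundObjectException();
        }
        logger.info("修改账号:" + acc + ";对应的DN为:" + accountDN);
        tr.setMsg("修改账号:" + acc);
        // AD format for unicodePwd: "<password>" in UTF-16LE (quotes included).
        String newQuotedPassword = "\"" + newPwd + "\"";
        byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
        ModificationItem[] mods = new ModificationItem[1];
        mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", newUnicodePassword));
        ctxWithCert.modifyAttributes(accountDN, mods);
        tr.setStateTrue();
    } catch (Exception e) {
        tr.setMsg(e.getMessage());
        e.printStackTrace();
        throw e;
    } finally {
        trmaps.put(TestTypes.MODIFY, tr);
    }
}

/**
 * 证书连接WIN AD — open an LDAPS connection to Windows AD whose server certificate
 * is validated by {@code MySSLSocketFactory} rather than by the JVM-wide
 * {@code javax.net.ssl.trustStore} property.
 *
 * The LDAP provider obtains the socket factory through the static
 * {@code getDefault()} of the class named in {@code java.naming.ldap.factory.socket}
 * when it creates a connection, so the trust store is re-read for each new
 * context and a changed certificate is picked up without restarting the service.
 *
 * The outcome is always recorded in {@code trmaps} under
 * {@code TestTypes.CONNADCERT}, whether the connection succeeded or not.
 *
 * @throws Exception if the LDAP context cannot be created; the message is stored in
 *         the test result before the exception is rethrown unchanged
 */
public void connectionWithCert() throws Exception {
    // Created before the try so the catch/finally blocks never dereference a null tr.
    TestResult tr = new TestResult(TestTypes.CONNADCERT);
    try {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, SUN_JNDI_PROVIDER); // java.naming.factory.initial
        env.put(Context.PROVIDER_URL, "ldaps://" + props.getProperty("ip") + ":" + 636);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // java.naming.security.authentication
        env.put(Context.SECURITY_PRINCIPAL, props.getProperty("userDn")); // java.naming.security.principal
        env.put(Context.SECURITY_CREDENTIALS, props.getProperty("password")); // java.naming.security.credentials
        // "java.naming.ldap.factory.socket" names the SocketFactory class used for
        // every socket of this context (设置套接字工厂对每一个上下文的基础).
        env.put("java.naming.ldap.factory.socket",
                "com.ncs.accountmanage.acc_synchronous.util.MySSLSocketFactory");
        tr.setMsg("证书连接WinAD,ip:" + props.getProperty("ip") + ",用户名:" + props.getProperty("userDn"));
        ctxWithCert = new InitialLdapContext(env, null);
        tr.setStateTrue();
    } catch (Exception e) {
        tr.setMsg(e.getMessage());
        e.printStackTrace();
        throw e;
    } finally {
        // The earlier System.getProperty("javax.net.ssl.trustStore") read here had no
        // effect and was dropped; the trust store is now handled by the socket factory.
        trmaps.put(TestTypes.CONNADCERT, tr);
    }
}

// ===== Separate source file: MySSLSocketFactory.java =====
package com.ncs.accountmanage.acc_synchronous.util;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * 自定义MySSLSocketFactory得到SSLSocketFactory对象 — an {@link SSLSocketFactory} that
 * builds its own {@link SSLContext} from a local trust store each time it is
 * instantiated, instead of relying on the JVM-wide {@code javax.net.ssl.trustStore}
 * property, which JSSE reads only once.
 *
 * The JNDI LDAP provider calls the static {@link #getDefault()} for every context it
 * creates, so a changed trust store or certificate file is used by the next
 * connection without a restart.
 *
 * Server certificates are still validated by the JDK's default
 * {@link X509TrustManager} initialised from that trust store; this class does not
 * accept arbitrary certificates.
 *
 * @author wxy
 */
public class MySSLSocketFactory extends SSLSocketFactory {

    /** SSL套接字工厂 — delegate created from the custom context. */
    private final SSLSocketFactory factory;

    /** 本地密钥存储密码 — password used both to load and to store the trust store. */
    private static final String MY_KEYSTORE_PASSWORD = "password";

    /** local keystore file (contains the self-signed certificate from the server). */
    private static final String MY_KEYSTORE_PATH = "C:/gr_ks.jks";

    /** Certificates imported into the store on every load: {alias, file path}. */
    private static final String[][] TRUSTED_CERT_FILES = {
        {"CA_B64", "c:\\dd\\CA_B64.cer"},
        {"DC", "c:\\dd\\dc.cer"},
    };

    /**
     * 构造器 — build the SSLContext and the delegate socket factory.
     *
     * @throws IllegalStateException if the trust store or a certificate file cannot be
     *         read; failing here is preferable to handing out a factory whose delegate
     *         is null and that fails later with a NullPointerException
     */
    public MySSLSocketFactory() {
        try {
            SSLContext context = getContext(); // 获取SSLContext
            factory = context.getSocketFactory(); // 得到SSLSocketFactory对象
        } catch (Exception ex) {
            throw new IllegalStateException("Cannot initialise MySSLSocketFactory", ex);
        }
    }

    /**
     * Gets a custom SSL Context.
     * This is the main working of this class. The following are the steps that make up
     * our custom configuration:
     *
     * 1. Open our keystore file using the password provided
     * 2. Import the configured CA / DC certificate files and write the store back
     *    (protected by the same password it was loaded with, so the next load succeeds)
     * 3. Create a TrustManagerFactory from the store and initialise a SSLContext with it
     *
     * @return SSLContext whose trust manager validates servers against the local store
     * @throws Exception wrapping any I/O, key store or certificate error
     */
    protected SSLContext getContext() throws Exception {
        try {
            char[] password = MY_KEYSTORE_PASSWORD.toCharArray();
            KeyStore ks = loadKeyStore(MY_KEYSTORE_PATH, password);
            //---------------start 添加证书----------
            importTrustedCertificates(ks);
            storeKeyStore(ks, MY_KEYSTORE_PATH, password);
            //---------------end 添加证书----------
            SSLContext context = SSLContext.getInstance("TLS");
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks); // 用证书授权源和相关的信任材料初始化此工厂
            // Default JDK trust manager, wrapped only to record the chain it checked.
            X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
            SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
            context.init(null, new TrustManager[] {tm}, null);
            return context;
        } catch (Exception e) {
            throw new Exception("Error creating context for SSLSocket!", e);
        }
    }

    /** Loads the key store at {@code path}; the stream is closed even when loading fails. */
    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password); // 从给定输入流中加载此 KeyStore
            return ks;
        } finally {
            in.close();
        }
    }

    /** Writes {@code ks} to {@code path}, protecting its integrity with {@code password}. */
    private static void storeKeyStore(KeyStore ks, String path, char[] password) throws Exception {
        OutputStream out = new FileOutputStream(path);
        try {
            ks.store(out, password);
        } finally {
            out.close();
        }
    }

    /** Parses each TRUSTED_CERT_FILES entry as X.509 and adds it to {@code ks} as a trusted entry. */
    private static void importTrustedCertificates(KeyStore ks) throws Exception {
        // Register Bouncy Castle once rather than on every connection.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        for (String[] entry : TRUSTED_CERT_FILES) {
            InputStream certIn = new FileInputStream(entry[1]);
            try {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(certIn);
                ks.setCertificateEntry(entry[0], cert); // 将给定可信证书分配给给定别名
            } finally {
                certIn.close();
            }
        }
    }

    /**
     * X509证书信任管理器类的实现 — wraps the JDK's default trust manager and remembers
     * the last server chain it examined (handy when diagnosing a rejected certificate).
     * Every trust decision is delegated; nothing is accepted blindly.
     *
     * @author wxy
     */
    private static class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;
        /** Last chain presented by a server, kept for diagnostics only. */
        @SuppressWarnings("unused")
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        /** 返回受信任的X509证书数组 — delegated, as the JSSE may call it on the wrapper. */
        public X509Certificate[] getAcceptedIssuers() {
            return tm.getAcceptedIssuers();
        }

        /**
         * 该方法检查客户端的证书 — this factory is only used on the client side, so the
         * call is not expected; delegating (as the original comment describes) makes an
         * unexpected call fail with CertificateException instead of
         * UnsupportedOperationException.
         */
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            tm.checkClientTrusted(chain, authType);
        }

        /**
         * 该方法检查服务器的证书 — record the chain, then let the default trust manager
         * validate it against the local store; an untrusted server still fails here.
         */
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }

    /**
     * Entry point the JNDI LDAP provider invokes (via reflection) for each new
     * connection; returning a fresh instance is what re-reads the trust store.
     */
    public static SocketFactory getDefault() {
        return new MySSLSocketFactory();
    }

    @Override
    public Socket createSocket(Socket socket, String s, int i, boolean flag) throws IOException {
        return factory.createSocket(socket, s, i, flag);
    }

    @Override
    public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1, int j)
            throws IOException {
        return factory.createSocket(inaddr, i, inaddr1, j);
    }

    @Override
    public Socket createSocket(InetAddress inaddr, int i) throws IOException {
        return factory.createSocket(inaddr, i);
    }

    @Override
    public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException {
        return factory.createSocket(s, i, inaddr, j);
    }

    @Override
    public Socket createSocket(String s, int i) throws IOException {
        return factory.createSocket(s, i);
    }

    /**
     * Default cipher suites of the delegate. The original returned the supported list
     * here, which widens what is offered in the handshake to suites the JDK leaves
     * disabled by default.
     */
    @Override
    public String[] getDefaultCipherSuites() {
        return factory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return factory.getSupportedCipherSuites();
    }
}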
大家有没有人知道呀,麻烦告诉一下谢谢
