WSO2 添加 jks 证书实现 https 访问
- 1、部署架构
- 2、公网证书
- 3、局域网证书
- 4、修改 WSO2 产品配置
-
- 4.1、WSO2 APIM
-
- 4.1.1、不使用 nginx 代理
-
- 4.1.1.1、修改 repository/conf/deployment.toml 文件
- 4.1.1.2、修改 repository/deployment/server/webapps/admin/site/public/conf/settings.json 文件
- 4.1.1.3、修改 repository/deployment/server/webapps/devportal/site/public/theme/settings.json 文件
- 4.1.1.4、修改 repository/deployment/server/webapps/publisher/site/public/conf/settings.json 文件
- 4.1.1.5、启动后修改 admin 的 Key Manager 的 token 签发人
- 4.1.2、使用 nginx 代理
- 4.1.4、效果图
- 4.2、WSO2 MI/MI DASHBOARD
- 4.3、WSO2 ESB/EI
1、部署架构
1.1、nginx 代理
1.2、直接部署
2、公网证书
2.1、将证书导出为 PKCS12/PFX 格式,同时提供强密码
需要 crt 和 key 文件
export DOMAIN="wso2.com"
# 导出时需要输入密码,建议密码都设置成一样的
sudo openssl pkcs12 -export -in $DOMAIN.crt -inkey $DOMAIN.key -name "calvinchan" -out $DOMAIN.pfx
2.2、将 PKCS12/PFX 格式的密钥库转换为 Java 密钥库
sudo keytool -importkeystore -srckeystore $DOMAIN.pfx -srcstoretype pkcs12 -destkeystore $DOMAIN.jks -deststoretype pkcs12
2.3、将 jks 文件复制到 wso2 产品的证书目录
export WSO2_APIM_PATH="/app/wso2/wso2am-4.3.0"
export WSO2_MI_DASHBOARD_PATH="/app/wso2/wso2mi-dashboard-4.2.0"
export WSO2_MI_PATH="/app/wso2/wso2mi-4.2.0"
echo "将jks文件复制到apim的证书目录"
# 将jks文件复制到wso2apim的证书目录
sudo cp -rf /app/ssl/$DOMAIN.jks $WSO2_APIM_PATH/repository/resources/security
echo "将jks文件复制到wso2mi的证书目录"
# 将jks文件复制到wso2mi的证书目录
sudo cp -rf /app/ssl/$DOMAIN.jks $WSO2_MI_PATH/repository/resources/security
echo "将jks文件复制到wso2mi-dashboard的证书目录"
# wso2 mi dashboard
sudo cp -rf /app/ssl/$DOMAIN.jks $WSO2_MI_DASHBOARD_PATH/conf/security
2.3、把 crt 证书添加到 WSO2 产品的信任库
echo "删除WSO2 APIM信任库别名为calvinchan的证书"
sudo keytool -delete -alias calvinchan -keystore $WSO2_APIM_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "把证书添加到WSO2 APIM信任库"
# 把证书添加到WSO2信任库,wso2carbon是默认 client-truststore.jks 文件的密钥库密码
sudo keytool -import -alias calvinchan -file /app/ssl/$DOMAIN.crt -keystore $WSO2_APIM_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "删除WSO2 MI信任库别名为calvinchan的证书"
sudo keytool -delete -alias calvinchan -keystore $WSO2_MI_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "把证书添加到WSO2 MI信任库"
# 把证书添加到WSO2信任库,wso2carbon是默认 client-truststore.jks 文件的密钥库密码
sudo keytool -import -alias calvinchan -file /app/ssl/$DOMAIN.crt -keystore $WSO2_MI_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "删除WSO2 MI DASHBOARD信任库别名为calvinchan的证书"
sudo keytool -delete -alias calvinchan -keystore $WSO2_MI_DASHBOARD_PATH/conf/security/client-truststore.jks -storepass wso2carbon
echo "把证书添加到WSO2 MI DASHBOARD信任库"
# 把证书添加到WSO2信任库,wso2carbon是默认 client-truststore.jks 文件的密钥库密码
sudo keytool -import -alias calvinchan -file /app/ssl/$DOMAIN.crt -keystore $WSO2_MI_DASHBOARD_PATH/conf/security/client-truststore.jks -storepass wso2carbon
3、局域网证书
3.1、生成局域网内受信任的 ca 证书
# 创建一个目录保存文件
mkdir -p ssl
cd ssl
# wso2要求RSA要大于等于2048
openssl genrsa 4096 > ca.key
# 设置一个环境变量,用于信任CA证书
export SUBJ="/C=CN/ST=ST$RANDOM/O=O$RANDOM/OU=OU$RANDOM/CN=\
CN$RANDOM/emailAddress=$RANDOM@localhost"
# 有效日期从当天到 9999年12月31日
openssl req -new -x509 -days `expr \( \`date -d 99991231 +%s\` - \`date +%s\` \) / 86400 + 1` \
-key ca.key -out ca.pem -subj $SUBJ -extensions v3_ca
3.2、生成局域网内受信任的域名/ IP 证书
export DOMAIN="wxhntmy.com"
# 多个ip用英文逗号隔开
export IPADDR="IP:192.168.100.149,IP:192.168.100.150,IP:192.168.100.160"
# 生成密钥
openssl genrsa 4096 > $DOMAIN.key
openssl req -new -nodes -key $DOMAIN.key -out $DOMAIN.csr -subj $SUBJ
# 使用 CA 签名生成域名或者 IP 地址证书,IP填实际需要使用的IP
openssl x509 -req -days `expr \( \`date -d 99991231 +%s\` - \`date +%s\` \) / 86400 + 1` \
-in $DOMAIN.csr -out $DOMAIN.pem -CA ca.pem -CAkey ca.key -set_serial 0 -extensions \
CUSTOM_STRING_LIKE_SAN_KU\
-extfile <( cat << EOF
[CUSTOM_STRING_LIKE_SAN_KU]
subjectAltName=$IPADDR,DNS:$DOMAIN, DNS:*.$DOMAIN
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
EOF
)
3.3、生成 crt 证书
# 通过 pem 生成 crt
( openssl x509 -noout -text -in ca.pem && cat ca.pem ) > ca.crt
( openssl x509 -noout -text -in $DOMAIN.pem && cat $DOMAIN.pem ) > $DOMAIN.crt
3.4、将证书导出为 PKCS12/PFX 格式,同时提供强密码
需要 crt 和 key 文件
# 导出时需要输入密码,建议密码都设置成一样的,别名是calvinchan
sudo openssl pkcs12 -export -in $DOMAIN.crt -inkey $DOMAIN.key -name "calvinchan" -out $DOMAIN.pfx
3.5、将 PKCS12/PFX 格式的密钥库转换为 Java 密钥库
sudo keytool -importkeystore -srckeystore $DOMAIN.pfx -srcstoretype pkcs12 -destkeystore $DOMAIN.jks -deststoretype pkcs12
3.6、将 jks 文件复制到 wso2 产品的证书目录
export WSO2_APIM_PATH="/app/wso2/wso2am-4.3.0"
export WSO2_MI_DASHBOARD_PATH="/app/wso2/wso2mi-dashboard-4.2.0"
export WSO2_MI_PATH="/app/wso2/wso2mi-4.2.0"
echo "将jks文件复制到apim的证书目录"
# 将jks文件复制到wso2apim的证书目录
sudo cp -rf /app/ssl/$DOMAIN.jks $WSO2_APIM_PATH/repository/resources/security
echo "将jks文件复制到wso2mi的证书目录"
# 将jks文件复制到wso2mi的证书目录
sudo cp -rf /app/ssl/$DOMAIN.jks $WSO2_MI_PATH/repository/resources/security
echo "将jks文件复制到wso2mi-dashboard的证书目录"
# wso2 mi dashboard
sudo cp -rf /app/ssl/$DOMAIN.jks $WSO2_MI_DASHBOARD_PATH/conf/security
3.7、把 crt 证书添加到 WSO2 产品的信任库
echo "删除WSO2 APIM信任库别名为calvinchan的证书"
sudo keytool -delete -alias calvinchan -keystore $WSO2_APIM_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "把证书添加到WSO2 APIM信任库"
# 把证书添加到WSO2信任库,wso2carbon是默认 client-truststore.jks 文件的密钥库密码
sudo keytool -import -alias calvinchan -file /app/ssl/$DOMAIN.crt -keystore $WSO2_APIM_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "删除WSO2 MI信任库别名为calvinchan的证书"
sudo keytool -delete -alias calvinchan -keystore $WSO2_MI_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "把证书添加到WSO2 MI信任库"
# 把证书添加到WSO2信任库,wso2carbon是默认 client-truststore.jks 文件的密钥库密码
sudo keytool -import -alias calvinchan -file /app/ssl/$DOMAIN.crt -keystore $WSO2_MI_PATH/repository/resources/security/client-truststore.jks -storepass wso2carbon
echo "删除WSO2 MI DASHBOARD信任库别名为calvinchan的证书"
sudo keytool -delete -alias calvinchan -keystore $WSO2_MI_DASHBOARD_PATH/conf/security/client-truststore.jks -storepass wso2carbon
echo "把证书添加到WSO2 MI DASHBOARD信任库"
# 把证书添加到WSO2信任库,wso2carbon是默认 client-truststore.jks 文件的密钥库密码
sudo keytool -import -alias calvinchan -file /app/ssl/$DOMAIN.crt -keystore $WSO2_MI_DASHBOARD_PATH/conf/security/client-truststore.jks -storepass wso2carbon
3.8、安装局域网 ca 证书
3.8.1、导入 WIN 11 系统信任库
- 以管理员身份打开 CMD 或 PowerShell,搜索 “命令提示符” → 右键选择 “以管理员身份运行”。
执行导入命令
certutil -addstore "Root" D:\Desktop\fsdownload\ca.crt
参数说明:
-addstore:添加证书到存储区。
“Root”:代表“受信任的根证书颁发机构”。
路径替换为实际证书位置。
成功提示:显示 “证书已添加到存储”。
3.8.2、导入 Java 系统信任库
#先删除再导入
keytool -delete -alias calvinchan -keystore "%JAVA_HOME%\lib\security\cacerts"
keytool -import -alias calvinchan -file D:\Desktop\fsdownload\ca.crt -keystore "%JAVA_HOME%\lib\security\cacerts"
4、修改 WSO2 产品配置
4.1、WSO2 APIM
4.1.1、不使用 nginx 代理
4.1.1.1、修改 repository/conf/deployment.toml 文件
keystore.tls
keystore.primary
keystore.internal
都修改为同一个 jks,password 和 key_password 是导出 jks 时设置的密码
[keystore.tls]
file_name = "wxhntmy.com.jks"
type = "JKS"
password = "123456"
alias = "calvinchan"
key_password = "123456"
[keystore.listener_profile]
bind_address = "192.168.100.160"
[keystore.primary]
file_name = "wxhntmy.com.jks"
type = "JKS"
password = "123456"
alias = "calvinchan"
key_password = "123456"
[keystore.internal]
file_name = "wxhntmy.com.jks"
type = "JKS"
password = "123456"
alias = "calvinchan"
key_password = "123456"
所有的 localhost 都有替换成证书的域名/IP
修改 key_manager 和 idp
[apim.key_manager]
enable_apikey_subscription_validation = true
service_url = "https://192.168.100.160:${mgt.transport.https.port}/services/"
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
pool.init_idle_capacity = 50
pool.max_idle = 100
#key_validation_handler_type = "default"
#key_validation_handler_type = "custom"
#key_validation_handler_impl = "org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler"
[apim.idp]
server_url = "https://192.168.100.160:${mgt.transport.https.port}"
authorize_endpoint = "https://192.168.100.160:${mgt.transport.https.port}/oauth2/authorize"
oidc_logout_endpoint = "https://192.168.100.160:${mgt.transport.https.port}/oidc/logout"
oidc_check_session_endpoint = "https://192.168.100.160:${mgt.transport.https.port}/oidc/checksession"
修改 devportal
[apim.devportal]
url = "https://192.168.100.160:${mgt.transport.https.port}/devportal"
enable_application_sharing = false
#if application_sharing_type, application_sharing_impl both defined priority goes to application_sharing_impl
#application_sharing_type = "default" #changed type, saml, default #todo: check the new config for rest api
#application_sharing_impl = "org.wso2.carbon.apimgt.impl.SAMLGroupIDExtractorImpl"
#display_multiple_versions = false
#display_deprecated_apis = false
#enable_comments = true
#enable_ratings = true
#enable_forum = true
#enable_anonymous_mode=true
#enable_cross_tenant_subscriptions = true
#default_reserved_username = "apim_reserved_user"
4.1.1.2、修改 repository/deployment/server/webapps/admin/site/public/conf/settings.json 文件
origin.host 修改成证书的域名/IP
4.1.1.3、修改 repository/deployment/server/webapps/devportal/site/public/theme/settings.json 文件
origin.host 修改成证书的域名/IP
4.1.1.4、修改 repository/deployment/server/webapps/publisher/site/public/conf/settings.json 文件
origin.host 修改成证书的域名/IP
4.1.1.5、启动后修改 admin 的 Key Manager 的 token 签发人
访问:
https://192.168.100.160:9443/admin/settings/key-managers/
4.1.2、使用 nginx 代理
4.1.2.1、Nginx Conf
server {
#nginx服务器IP/域名
server_name 192.168.100.150;
listen 443 ssl;
ssl_certificate /app/wxhntmy.com.pem;
ssl_certificate_key /app/wxhntmy.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
location / {
proxy_pass https://192.168.100.160:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
#重定向到nginx服务器IP/域名
proxy_redirect https://192.168.100.160:9443/ https://192.168.100.150/;
proxy_redirect https://192.168.100.160/ https://192.168.100.150/;
}
}
server {
#nginx服务器IP/域名
server_name 192.168.100.150;
listen 8243 ssl;
ssl_certificate /app/wxhntmy.com.pem;
ssl_certificate_key /app/wxhntmy.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
location / {
proxy_pass https://192.168.100.160:8243;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
#nginx服务器IP/域名
server_name 192.168.100.150;
listen 8280;
location / {
proxy_pass https://192.168.100.160:8280;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
4.1.2.2、修改 repository/conf/deployment.toml 文件
修改 server.hostname,改成证书的域名/IP
[server]
# wso2服务器IP/域名
hostname = "192.168.100.160"
#offset=0
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
#discard_empty_caches = false
server_role = "default"
添加 transport.https.properties,端口是 nginx 监听的端口
[transport.https.properties]
proxyPort = 443
修改 devportal
[apim.devportal]
# 修改为nginx服务器,端口是443
url = "https://192.168.100.150/devportal"
#enable_application_sharing = false
#if application_sharing_type, application_sharing_impl both defined priority goes to application_sharing_impl
#application_sharing_type = "default" #changed type, saml, default #todo: check the new config for rest api
#application_sharing_impl = "org.wso2.carbon.apimgt.impl.SAMLGroupIDExtractorImpl"
#display_multiple_versions = false
#display_deprecated_apis = false
#enable_comments = true
#enable_ratings = true
#enable_forum = true
#enable_anonymous_mode=true
#enable_cross_tenant_subscriptions = true
#default_reserved_username = "apim_reserved_user"
修改 apim.gateway.environment
[[apim.gateway.environment]]
name = "Default"
type = "hybrid"
gateway_type = "Regular"
provider = "wso2"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
# 修改为nginx服务器,端口是443
service_url = "https://192.168.100.150/services/"
username= "${admin.username}"
password= "${admin.password}"
ws_endpoint = "ws://localhost:9099"
wss_endpoint = "wss://localhost:8099"
# 修改为nginx服务器
http_endpoint = "http://192.168.100.150:${http.nio.port}"
https_endpoint = "https://192.168.100.150:${https.nio.port}"
websub_event_receiver_http_endpoint = "http://localhost:9021"
websub_event_receiver_https_endpoint = "https://localhost:8021"
修改 key_manager
[apim.key_manager]
enable_apikey_subscription_validation = true
# 修改为nginx服务器,端口是443
service_url = "https://192.168.100.150/services/"
username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}"
pool.init_idle_capacity = 50
pool.max_idle = 100
#key_validation_handler_type = "default"
#key_validation_handler_type = "custom"
#key_validation_handler_impl = "org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler"
修改idp
[apim.idp]
# nginx服务器ip/域名
server_url = "https://192.168.100.150"
authorize_endpoint = "https://192.168.100.150/oauth2/authorize"
oidc_logout_endpoint = "https://192.168.100.150/oidc/logout"
oidc_check_session_endpoint = "https://192.168.100.150/oidc/checksession"
4.1.2.3、启动后修改 admin 的 Key Manager 的 token 签发人
访问:
https://192.168.100.150/admin/settings/key-managers/
issuer 可以解码实际生成的token查看
4.1.4、效果图
4.2、WSO2 MI/MI DASHBOARD
4.2.1、WSO2 MI
修改 conf/deployment.toml 文件
server 的 localhost 替换成证书域名/IP
keystore.tls 修改为导出的 jks,password 和 key_password 是导出 jks 时设置的密码
4.2.2、WSO2 MI DASHBOARD
修改 conf/deployment.toml 文件,keystore替换成生成的 jks 文件,修改完成后重启wso2 mi dashboard
4.2.3、效果图
4.3、WSO2 ESB/EI
4.3.1、创建包含公钥的 jks 证书
#把手动签发的 SSL 证书转换为 jks 密钥库
openssl pkcs12 -export -in wxhntmy.com.crt -inkey wxhntmy.com.key -name "calvinchan" -out calvinchan.pfx
keytool -importkeystore -srckeystore calvinchan.pfx -srcstoretype pkcs12 -destkeystore calvinchan.jks -deststoretype JKS
# 复制证书到wso2
cp -rf /app/ssl/calvinchan.jks /app/wso2/wso2esb-5.0.0/repository/resources/security
#删除证书
keytool -delete -alias calvinchan -keystore /app/wso2/wso2esb-5.0.0/repository/resources/security/client-truststore.jks -storepass wso2carbon
# 把公钥添加到WSO2信任库,wso2carbon是默认 client-truststore.jks 文件的密钥库密码
keytool -import -alias calvinchan -file /app/ssl/wxhntmy.com.pem -keystore /app/wso2/wso2esb-5.0.0/repository/resources/security/client-truststore.jks -storepass wso2carbon
4.3.2、修改 repository/conf/carbon.xml 文件
HostName 和 MgtHostName 都修改成 wso2 服务器的域名或者 ip
<!--
Host name or IP address of the machine hosting this server
e.g. www.wso2.org, 192.168.1.10
This is will become part of the End Point Reference of the
services deployed on this server instance.
-->
<HostName>192.168.100.160</HostName>
<!--
Host name to be used for the Carbon management console
-->
<MgtHostName>192.168.100.160</MgtHostName>
将 KeyStore 修改成 导出的 jks 证书
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/repository/resources/security/calvinchan.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password>123456</Password>
<!-- Private Key alias-->
<KeyAlias>calvinchan</KeyAlias>
<!-- Private Key password-->
<KeyPassword>123456</KeyPassword>
</KeyStore>
4.3.3、修改 repository/conf/tomcat/catalina-server.xml 文件
<!--
optional attributes:
proxyPort="443"
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
bindOnInit="false"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="${carbon.home}/repository/resources/security/calvinchan.jks"
keystorePass="123456"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
URIEncoding="UTF-8"/>
4.3.4、修改 repository/conf/axis2/axis2.xml 文件
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
<parameter name="port" locked="false">8243</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
<!--parameter name="bind-address" locked="false">hostname or IP address</parameter-->
<!--parameter name="WSDLEPRPrefix" locked="false">https://apachehost:port/somepath</parameter-->
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.mediation.transport.handlers.PassThroughNHttpGetProcessor</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/calvinchan.jks</Location>
<Type>JKS</Type>
<Password>123456</Password>
<KeyPassword>123456</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
</TrustStore>
</parameter>
<!--<parameter name="SSLVerifyClient">require</parameter>
supports optional|require or defaults to none -->
</transportReceiver>
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/calvinchan.jks</Location>
<Type>JKS</Type>
<Password>123456</Password>
<KeyPassword>123456</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
</TrustStore>
</parameter>
<!--<parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>-->
<!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>
4.3.5、效果图
