Apache authentication via DOD PKI CAC

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/834805/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-09-13 17:34:25  Source: igfitidea

Tags: apache, pki, cac

Asked by

How does one implement Apache (within Linux) authentication using Department of Defense CAC cards? I've heard it can be done but have not come across any details. Currently we use Windows Active directory for Apache authentication but only using Logins/Passwords. Soon the requirement will to be use CAC cards only. Any hints would be appreciated.

Answered by Cuga

Configure Apache Tomcat for 2-way SSL (version 6.0.18)

  1. Open server.xml in a text editor; located in your tomcat directory at <TOMCAT_HOME>\conf\server.xml
  2. Look for this text block and uncomment it:

<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

  3. Modify this text block as follows:

  <!-- clientAuth="true" makes Tomcat require a client certificate on every
       connection; the truststore holds the CAs it will accept client certs from.
       Note the attribute name: truststorePass, not trustStorePass. -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="true" sslProtocol="TLS"
                 keystoreFile="<CERTIFICATES_DIR>\localhost.jks"
                 keystorePass="password"
                 truststoreFile="<CERTIFICATES_DIR>\localhost.jks"
                 truststorePass="password"/>

  4. Start Tomcat and navigate to https://localhost:8443/ using your preferred browser.
  5. The browser will prompt you for your client certificate (Note: if you are not prompted for your certificate, you can try importing it in IE using tools > internet options > certificates > import). Choose the correct client certificate.
  6. If you see a website, Tomcat is installed and is running correctly. If you see page not found or some other error, Tomcat was installed or configured incorrectly.
  7. Setup Tomcat for client side SSL support. You must also provide tomcat with runtime locations of the trust store and password. You can enable this either via command line or if you run tomcat within your IDE: -Djavax.net.ssl.trustStore=C:{somedir}\localhost.jks -Djavax.net.ssl.trustStorePassword=password

Install the Public/Private key certificates to your browser

  1. Your browser must be set up to both recognize your certificates as coming from a trusted Certificate Authority and to know how to identify you using a private key.

Firefox Instructions:

  1. In Firefox's menu, navigate to Tools > Options
  2. Click on the Advanced > Encryption tab > View Certificates button
  3. Click the Authorities tab
  4. Click the Import button
  5. Locate and select the CA certificates you want your browser to recognize as being legit CA's, then click Open
  6. Click all the purposes which you want to trust when signed with this certificate. Options are websites, email, and software developers.
  7. Click Ok

Firefox will now trust content signed with the certs you just installed.

IE Instructions:

  1. Navigate to Tools > Internet Options
  2. Choose the Content tab
  3. Click the button labeled Certificates
  4. Click the tab labeled Trusted Root Certification Authorities
  5. Click Import
  6. A wizard launches. Click next then select the certificate file you wish to trust as a CA
  7. Select a certificate store. Click finish
  8. You will see a popup to confirm the install. Click Yes

Internet Explorer will now trust content signed with certs issued by the CA you have just installed.

With PKI encryption, your browser needs to know how to identify you to the server using a Private Key. To do this, you must install your certificates manually. Suffix of the certs imported in this example is .p12

Firefox Instructions:

  1. In Firefox's menu, navigate to Tools > Options
  2. Click on the Advanced > Encryption tab > View Certificates button
  3. Click the tab labeled "Your Certificates"
  4. Click Import
  5. Navigate to and select the certificate you wish to choose to identify yourself. Click Open
  6. Enter the password which is used in conjunction with this certificate and click Ok

Your certificate is now installed and can be used to identify you to servers using PKI encryption. The above steps may be repeated to install additional certificates if you wish to identify yourself using different identities at different times.

IE Instructions:

  1. Navigate to Tools > Internet Options
  2. Choose the Content tab
  3. Click the button labeled Certificates
  4. Select the Personal tab
  5. Click Import
  6. A wizard launches. Click Next..., then select the pki file you wish to use in identifying yourself. Click Next
  7. Type the password for the cert and any options desired
  8. Choose where to store the cert and then click Next > Finish

Your personal certificate is now installed and you can use it to identify yourself to websites using PKI encryption.
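The question asks about Apache httpd, while the answer above configures Tomcat. On httpd the equivalent of clientAuth="true" plus a truststore is mod_ssl with SSLVerifyClient require, SSLCACertificateFile pointing at the DoD root and intermediate CA bundle (and SSLCARevocationFile / SSLCARevocationCheck so a revoked card is refused), and SSLOptions +StdEnvVars, which exports the verified subject and issuer DNs to the application as SSL_CLIENT_S_DN and SSL_CLIENT_I_DN together with SSL_CLIENT_VERIFY. Neither server goes beyond chain validation, so the application still has to decide which account a card maps to and must refuse anything that was not actually verified. The following Python block is an added example of that mapping, not code from the original post or its author. It assumes the mod_ssl variable names above, the usual CAC subject layout CN=LAST.FIRST.MIDDLE.<10-digit EDIPI>,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US, and uses constructed sample environments rather than data from a real card.

```python
"""Application-side mapping of a mod_ssl-verified CAC certificate to a user.

Assumed (not from the original post): Apache mod_ssl configured with
SSLVerifyClient require and SSLOptions +StdEnvVars, which exports
SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN into the CGI/WSGI
environment. All sample values below are constructed, not real CAC data.
"""
import re

EDIPI_RE = re.compile(r"^\d{10}$")  # a CAC subject CN ends in the 10-digit EDIPI


class CacAuthError(Exception):
    """Raised when the request cannot be tied to a DoD CAC identity."""


def parse_dn(dn):
    """Parse a DN string as mod_ssl exports it, in either of its two formats:
         RFC 2253 (Apache 2.4 default):   CN=DOE.JOHN.Q.1234567890,OU=USA,...,C=US
         legacy (2.2 / +LegacyDNStringFormat): /C=US/O=U.S. Government/.../CN=...
    Returns [(attr, value), ...] in string order. Backslash escapes are honoured
    so an escaped separator inside a value does not split the RDN.
    """
    if dn.startswith("/"):
        sep, body = "/", dn[1:]
    else:
        sep, body = ",", dn
    rdns, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped character: keep it literally
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == sep:
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_values(pairs, attr):
    """All values of one attribute type, in order (OU is repeated in CAC DNs)."""
    return [v for a, v in pairs if a == attr]


def authenticate(environ):
    """Return (edipi, display_name) for a CAC-authenticated request, else raise CacAuthError."""
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS (a cert was
    # presented but its chain was not validated, as with optional_no_ca) or
    # FAILED:<reason>. Only SUCCESS means the chain matched SSLCACertificateFile.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise CacAuthError("client certificate not verified: %r" % environ.get("SSL_CLIENT_VERIFY"))
    try:
        subject = parse_dn(environ.get("SSL_CLIENT_S_DN", ""))
        issuer = parse_dn(environ.get("SSL_CLIENT_I_DN", ""))
    except ValueError as exc:
        raise CacAuthError(str(exc)) from exc
    # Chain trust is mod_ssl's job; this guards against a CA bundle that also
    # carries non-DoD roots (a corporate CA, say) letting a non-CAC cert through.
    if "U.S. Government" not in dn_values(issuer, "O") or "DoD" not in dn_values(issuer, "OU"):
        raise CacAuthError("issuer is not a DoD PKI CA")
    if "DoD" not in dn_values(subject, "OU"):
        raise CacAuthError("subject is not a DoD identity")
    cns = dn_values(subject, "CN")
    if len(cns) != 1:
        raise CacAuthError("expected exactly one CN, got %d" % len(cns))
    labels = cns[0].split(".")
    edipi = labels[-1]
    if len(labels) < 2 or not EDIPI_RE.match(edipi):
        raise CacAuthError("CN does not end in a 10-digit EDIPI")
    # Key accounts on the EDIPI, never on the name: names collide and change.
    display = " ".join(part.title() for part in labels[1:-1] + labels[:1])
    return edipi, display


def try_authenticate(environ):
    """Same as authenticate() but returns None instead of raising."""
    try:
        return authenticate(environ)
    except CacAuthError:
        return None


# Constructed sample environments (assumed values, not real cards or CAs).
DOD_ISSUER = "CN=DOD EXAMPLE ID CA,OU=PKI,OU=DoD,O=U.S. Government,C=US"
SAMPLE_OK = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=DOE.JOHN.Q.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    "SSL_CLIENT_I_DN": DOD_ISSUER,
}
SAMPLE_LEGACY = dict(SAMPLE_OK, **{
    "SSL_CLIENT_S_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=DOE.JOHN.Q.1234567890",
    "SSL_CLIENT_I_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EXAMPLE ID CA",
})
SAMPLE_GENEROUS = dict(SAMPLE_OK, SSL_CLIENT_VERIFY="GENEROUS")
SAMPLE_FOREIGN_CA = dict(SAMPLE_OK, SSL_CLIENT_I_DN="CN=Example Corp CA,O=Example Corp,C=US")
SAMPLE_NO_EDIPI = dict(SAMPLE_OK, SSL_CLIENT_S_DN="CN=DOE.JOHN.Q,OU=DoD,O=U.S. Government,C=US")

if __name__ == "__main__":
    for label, env in (("ok", SAMPLE_OK), ("legacy", SAMPLE_LEGACY), ("generous", SAMPLE_GENEROUS),
                       ("foreign-ca", SAMPLE_FOREIGN_CA), ("no-edipi", SAMPLE_NO_EDIPI)):
        print(label, try_authenticate(env))
```

Wire authenticate() in wherever the application reads its request environment (a WSGI middleware, a CGI script, a mod_wsgi handler); the returned EDIPI is the stable key to look the account up by in Active Directory or the local user table, which is what replaces the password prompt. Keep the GENEROUS check even if you never plan to use SSLVerifyClient optional_no_ca: it costs nothing and means a later config change cannot silently turn an unverified certificate into a login.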