1

现在使用 Spring Boot 和在单个微服务中运行的 hsm & mssql jdbc & rest & soap 服务。

MainApplication.java

@SpringBootApplication
public class MainApplication {

    @Autowired
    public Environment env;

    public static void main(String[] args) {
        SpringApplication.run(MainApplication.class, args);
    }

    /**
     * init keystores
     */
    @PostConstruct
    public void keystoresInit() {       
        logger.info("Starting keystores Init");

            // INIT Keystore - soap service
            KeyStore ks = KeyStore.getInstance(env.getProperty("keyserver.ssl.key-store-type"));
            ksFile = new FileInputStream(env.getProperty("keyserver.ssl.key-store"));
            ks.load(ksFile, pass);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, pass);

            // INIT Truststore
            KeyStore trustKeystore = KeyStore.getInstance(env.getProperty("cacert.ssl.key-store-type"));
            tsFile = new FileInputStream(env.getProperty("cacert.ssl.key-store"));
            trustKeystore.load(tsFile, env.getProperty("cacert.ssl.key-store-password").toCharArray());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustKeystore);

            // INIT SSLContext
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
            SSLContext.setDefault(context);

            Map<String, String> samplekeys = new HashMap<String, String>();


            CustomSSLContext cssc = CustomSSLContext.getInstance(); //which is used for soap services
            cssc.initSSLContexts(env.getProperty("keyserver.ssl.key-store"),
                    env.getProperty("keyserver.ssl.key-store-type"), pass, samplekeys);

        } catch (Exception e) {
            --
        } finally {
            --
        }

    }

    /**
     * Configuring Hikari datasource and setting password from vault.
     * @return
     */
    @Bean
    @ConfigurationProperties(prefix = "spring.datasource.hikari")
    public DataSource dataSource() {
        HikariDataSource ds = null;
        try {
            password = getting from vault;
            ds = new HikariDataSource();
            ds.setPassword(new String(password));
        } catch (Exception e) {
            --
        } finally {
            --
        }
        return ds;
    }

}

应用程序.yml

keyserver:
  ssl:
    key-store: sample.keystore
    key-store-type: Luna

cacert:
  ssl:
    key-store: cacerts #same cacerts placed in running JDK instance as well
    key-store-password: samplepass
    key-store-type: jks

java.security

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.safenetinc.luna.provider.LunaProvider
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
..etc

问题:

  1. Postcontruct 方法初始化了密钥库和信任库,所有连接都使用我在 java.security 文件中配置的 LunaProvider,列为第 3 项(安全提供程序)。SOAP 调用使用的这个 ssl 连接。这很好用。

  2. 数据库 bean 也使用相同的 lunaprovider,我不想在那个 ssl 中工作。因为它会导致很多问题。我需要为数据库使用不同的 ssl 上下文,以便并行工作。我怎么做。

  3. 我有从这项服务传入和传出的休息电话。想知道是否可以为此使用另一个 ssl 上下文?不接触lunapprovider?

提前致谢。

4

0 回答 0