先决条件
已经部署好redis tls环境。如未部署好,可参考:Redis 6.0 Docker容器使用SSL/TLS
已知redis tls环境使用的证书:
其中:
ca.crt :服务器证书
ca.key:服务器私钥
redis.crt:客户端证书
redis.key:客户端私钥
证书处理
生成证书p12文件,.p12证书可能既包含公钥也包含私钥,方便统一管理
openssl pkcs12 -export -in redis.crt -certfile ca.crt -inkey redis.key -out certificate_for_red.p12
记住输入的密码,后面解析证书时要用到。
将certificate_for_red.p12拷贝到src/main/resources 目录下
Spring-Data-Redis TLS连接
基于Spring-Data-Redis2.5.5
@Configuration
public class SSLJedisConnectionFactory extends JedisConnectionFactory {
@Value("${spring.redis.host}")
private String host;
@Value("${spring.redis.port}")
private String port;
@Value("${spring.redis.password}")
private String password;
@Value("${spring.redis.ssl}")
private Boolean sslEnable;
// 为创建.p12文件时输入的密码
@Value("${spring.redis.keyStorePassword}")
private String keyStorePassword;
/**
* 重写createRedisPool方法,让其使用SslSocketFactory创建连接池
*
* @return
*/
protected Pool<Jedis> createRedisPool() {
SSLSocketFactory sslSocketFactory=null;
if (sslEnable) {
InputStream fileStream = getClass().getClassLoader().getResourceAsStream("certificate_for_red.p12");
Optional<SSLSocketFactory> sslSocketFactoryOptional = SSLUtil.getSslSocketFactory(fileStream, keyStorePassword);
sslSocketFactory = sslSocketFactoryOptional
.orElseThrow(() -> new RuntimeException("Can't create SSLSocketFactory"));
}
GenericObjectPoolConfig genericObjectPoolConfig = new GenericObjectPoolConfig();
//with ssl config jedis pool
JedisPool pool = new JedisPool(
genericObjectPoolConfig,
host,
Integer.parseInt(port),
2000,
password,
sslEnable,
sslSocketFactory,
new SSLParameters(),
null);
return pool;
}
/**
* create SslSocketFactory
* @param fileStream
* @param password
* @return
*/
private static Optional<SSLSocketFactory> getSslSocketFactory(InputStream fileStream, String password) {
try {
KeyStore clientStore = KeyStore.getInstance("PKCS12");
clientStore.load(fileStream, password.toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManagerFactory factory = KeyManagerFactory.getInstance("SunX509");
factory.init(clientStore, password.toCharArray());
sslContext.init(factory.getKeyManagers(), new TrustManager[]{new MockTrustManager()}, new SecureRandom());
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
return Optional.of(sslSocketFactory);
} catch (UnrecoverableKeyException | CertificateException | KeyStoreException | IOException
| NoSuchAlgorithmException | KeyManagementException ex) {
return Optional.empty();
}
}
}
public class MockTrustManager implements X509TrustManager {
public MockTrustManager() {
}
public void checkClientTrusted(X509Certificate[] arg0, String arg1) {
}
public void checkServerTrusted(X509Certificate[] arg0, String arg1) {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
Redisson 连接
在Pom.xml引入
<dependency>
<groupId>org.redisson</groupId>
<artifactId>redisson</artifactId>
<version>3.20.0</version>
</dependency>
@Configuration
public class RedissonConfig {
@Value("${spring.redis.host}")
private String host;
@Value("${spring.redis.port}")
private String port;
@Value("${spring.redis.password}")
private String password;
// 为创建.p12文件时输入的密码
@Value("${spring.redis.keyStorePassword}")
private String keyStorePassword;
@Value("${spring.redis.ssl}")
private Boolean sslEnable;
@Bean
public RedissonClient getRedisson() {
Config config = new Config();
if (sslEnable) {
ClassLoader classLoader = getClass().getClassLoader();
URL keyStoreUrl = classLoader.getResource("certificate_for_red.p12");
config.useSingleServer().setSslProvider(SslProvider.OPENSSL).setSslKeystore(keyStoreUrl).
setSslKeystorePassword(keyStorePassword).
//不校验域名 Unverified domain name
setSslEnableEndpointIdentification(false).
setAddress("rediss://" + host + ":" + port).setPassword(password);
}else {
// non-SSL
config.useSingleServer().setAddress("redis://" + host + ":" + port).setPassword(password);
}
return Redisson.create(config);
}
}