1、详细描述一次加密通讯的过程,结合图示最佳。
发送者:
1)使用单向加密算法提取要发送文件的特征码;
2)使用自己的私钥加密特征码并附加在数据后面;
3)生成用于对称加密的临时密码;
4)用此临时密钥加密数据和已经使用私钥加密后的特征码;
5)使用接收方的公钥加密此临时密钥,附加在对称加密后的数据后方。
接收方:
1)使用自己的私钥解密加密后的临时密钥,从而获得对称密钥;
2)使用对称密钥解密对称加密的数据和私钥加密的特征码密文,从而获得数据和特征码密文;
3)使用发送方的公钥解密特征码密文,从而获得特征码明文;
4)使用与对方同样的单向加密算法计算数据的特征码,并与解密而来的进行比较。
2、描述创建私有CA的过程,以及为客户端发来的证书请求进行办法证书。
本人在两台虚拟机上操作,一个为服务器,一个为客户机
(1)服构建私有CA,生成自签证书(服务器机上)
配置文件 /etc/pki/tls/opessl.cnf
工作目录 /etc/pki/CA
1、生成私钥文件
[root@CentOS7 CA]# ls
certs crl newcerts private
[root@CentOS7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 1024 bit long modulus
..++++++
…………….++++++
e is 65537 (0x10001)
[root@CentOS7 CA]# ll private/
总用量 4
-rw——-. 1 root root 1675 5月 4 12:35 cakey.pem
2、生成自签证书
[root@CentOS7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:ca.magedu.com
Email Address []:caadmin@magedu.com
[root@CentOS7 CA]#
[root@CentOS7 CA]# ls
cacert.pem certs crl newcerts private
3、创建必要文件
[root@CentOS7 CA]# touch serial index.txt
[root@CentOS7 CA]# echo 01 >index.txt
(2)客户机向服务机发送CA请求(客户机上)
生成私钥;
生成证书请求;
将请求发送到CA主机
1、生成私钥
[root@CentOS6 httpd]# cd /etc/httpd
[root@CentOS6 httpd]# ls
conf conf.d logs modules run
[root@CentOS6 httpd]# mkdir ssl
[root@CentOS6 httpd]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..++++++
….++++++
e is 65537 (0x10001)
2、生成证书请求
[root@CentOS6 httpd]# openssl req -new -key httpd.key -out httpd.crs
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server’s hostname) []:www.magedu.com
Email Address []:webadmin@magedu.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3、将请求发送到CA主机
[root@CentOS6 httpd]# scp httpd.crs root@192.168.0.110:/tmp/
(3)CA主机签署客户机的CA请求,并发给客户机
1、签署证书
[root@CentOS7 CA]# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 4 05:45:54 2017 GMT
Not After : May 4 05:45:54 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = Magedu
organizationalUnitName = Ops
commonName = www.magedu.com
emailAddress = webadmin@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B1:90:08:70:04:35:41:D5:DC:DE:DE:3D:28:6F:99:E6:94:BE:52:65
X509v3 Authority Key Identifier:
keyid:24:41:BF:0F:A2:FC:9B:0F:DB:07:E1:01:8F:1E:CA:D8:B4:50:7F:58
Certificate is to be certified until May 4 05:45:54 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2、证书发给客户机
[root@CentOS7 CA]# scp certs/httpd.crt root@192.168.0.109:/etc/httpd/ssl/
注:报错如下的话。清空index.txt文件
root@CentOS7 CA]# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
wrong number of fields on line 1 (looking for field 6, got 1, ” left)
2、 描述DNS查询过程以及DNS服务器类别。
客户端在访问一个网址的时候
第一步:查询本地hosts文件
第二步:hosts文件中查询不到时查询本机的缓存
第三步:本地缓存查询不到的时候,查询本机指向的默认DNS服务器
第四步:由默认DNS服务器向根DNS服务器进行递归查询(客户端只查询一次,由指定的DNS服务器进行查询到结果后返回客户端)
4、搭建一套DNS服务器,负责解析magedu.com域名(自行设定主机名及IP)
(1)、能够对一些主机名进行正向解析和逆向解析;
(2)、对子域cdn.magedu.com进行子域授权,子域负责解析对应子域中的主机名;
(3)、为了保证DNS服务系统的高可用性,请设计一套方案,并写出详细的实施过程
1、下载DNS软件包bind
[root@CentOS6 etc]# yum install bind -y
2、修改主配置文件/etc/named.conf
[root@CentOS7 ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; 修改后
listen-on-v6 port 53 { ::1; };
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
memstatistics-file “/var/named/data/named_mem_stats.txt”;
allow-query { any; }; 修改后
/*
3、对文件进行语法检查named-checkconf
[root@CentOS7 ~]# named-checkconf
4、在配置文件/etc/named.rfc1912.zones或/etc/named.conf中添加magedu.com的正向与反向域。
[root@CentOS7 ~]# vim /etc/named.rfc1912.zones
zone “magedu.com” IN {
type master; 注:结尾以分号(;)结束
file “magedu.com.zone”; 注:正向域数据库文件的文件名
};
zone “0.168.192.in-addr.arpa” IN { 注:反向域为IP网络ID反写加.in-addr.arpa
type master;
file “named.192.168.0 “; 注:反向域数据库文件的文件名
};
5、创建正向域数据库文件与反向域数据库文件(在目录/var/named/下创建)
正向域数据库文件
[root@CentOS7 ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
2017050401
1H
10M
3D
1D )
@ IN NS ns1.magedu.com.
@ IN MX 10 mail.magedu.com.
ns1 IN A 192.168.0.108
www IN A 192.168.0.110
bbs IN A 192.168.0.111
ftp IN A 192.168.0.112
web IN CNAME ftp
反向域数据库文件
[root@CentOS7 ~]# vim /var/named/named.192.168.0
$TTL 3600
@ IN SOA ns1.magedu.com. dnsadmin.mage.du.com. (
2017050401
1H
10M
3D
1D )
@ IN NS ns1.magedu.com.
108 IN PTR ns1.magedu.com.
110 IN PTR www.magedu.com.
111 IN PTR bbs.magedu.com.
112 IN PTR ftp.magedu.com.
6、修改文件权限及属主,属组
[root@CentOS7 named]# chmod 640 magedu.com.zone named.192.168.0
[root@CentOS7 named]# chown root.named magedu.com.zone named.192.168.0
7、语法检查
[root@CentOS7 named]# named-checkzone magedu.com magedu.com.zone
zone magedu.com/IN: magedu.com/MX ‘mail.magedu.com’ has no address records (A or AAAA)
zone magedu.com/IN: loaded serial 2017050401
OK
[root@CentOS7 named]# named-checkzone 0.168.192.in-addr.arpa named.192.168.0
zone 0.168.192.in-addr.arpa/IN: loaded serial 2017050401
OK
8、重启服务
[root@CentOS7 named]# systemctl restart named.service
9、检测配置
注:要想直接使用配置过的NS,需要在/etc/resolv.conf和 /etc/hosts中进行添加,否则必须在命令中指定。
如:dig -x 192.168.0.110 @192.168.0.108
[root@CentOS7 named]# dig -x 192.168.0.112
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> -x 192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41080
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;112.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
112.0.168.192.in-addr.arpa. 3600 IN PTR ftp.magedu.com. 能正确解析到
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.0.108
;; Query time: 2 msec
;; SERVER: 192.168.0.108#53(192.168.0.108)
;; WHEN: 五 5月 05 10:19:29 CST 2017
;; MSG SIZE rcvd: 117
[root@CentOS7 named]# dig bbs.magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> bbs.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.magedu.com. IN A
;; ANSWER SECTION:
bbs.magedu.com. 3600 IN A 192.168.0.111 能正确解析到
;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.0.108
;; Query time: 1 msec
;; SERVER: 192.168.0.108#53(192.168.0.108)
;; WHEN: 五 5月 05 10:20:07 CST 2017
;; MSG SIZE rcvd: 93
子域授权
1、在主服务器的文件/var/named/magedu.com.zone中添加一个NS和A记录/
2、在被授权的服务器上安装bind,
修改主配置文件/etc/named.conf
/etc/named.rfc1912.zones添加域
/var/named/目录下创建域文件数据
3、重载主配置文件和区域解析库文件 rndc reload
1、主服务器,
[root@CentOS7 ~]# vim /var/named/magedu.com.zone
cdn IN NS ns3
ns3 IN A 192.168.0.109 添加这两条
2、在被授权的服务器
[root@CentOS6 ~]# vim /etc/named.conf
isten-on port 53 { 192.168.0.109;127.0.0.1; };
allow-query { any; }; 修改的地方
[root@CentOS6 ~]# vim /etc/named.rfc1912.zones
zone “cdn.magedu.com” IN {
type master;
file “cdn.magedu.com”; 添加
};
[root@CentOS6 ~]# vim /var/named/cdn.magedu.com
$TTL 3600
$ORIGIN cdn.magedu.com.
@ IN SOA cdn.magedu.com. admin.cdn.magedu.com. (
2017050501
1H
10M
1D
2H
)
cdn.magedu.com. IN NS ns1
ns1 IN A 192.168.0.109
txt.cdn.magedu.com. IN A 192.168.0.119
cccd IN A 192.168.0.120
3、测试
[root@CentOS7 ~]# dig -t A cccd.cdn.magedu.com @192.168.0.108
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> -t A cccd.cdn.magedu.com @192.168.0.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15179
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cccd.cdn.magedu.com. IN A
;; ANSWER SECTION:
cccd.cdn.magedu.com. 3600 IN A 192.168.0.120 解析的结果
;; AUTHORITY SECTION:
cdn.magedu.com. 3600 IN NS ns3.magedu.com.
;; ADDITIONAL SECTION:
ns3.magedu.com. 3600 IN A 192.168.0.109
;; Query time: 30 msec
;; SERVER: 192.168.0.108#53(192.168.0.108)
;; WHEN: 五 5月 05 16:41:23 CST 2017
;; MSG SIZE rcvd: 9
[root@CentOS7 ~]#
主从复制配置
前提条件:
从服务器的版本应大于等于主服务器
主服务器:192.168.0.109 CentOS6
从服务器:192.168.0.110 CentOS7
主服务器配置
1、修改主配置文件
[root@CentOS6 ~]# vim /etc/named.conf
listen-on port 53 { 192.168.0.109; }; 修改后
allow-query { any; }; 修改后
notify yes; 添加更新通知
zone “magedu.com” IN {
type master;
file “magedu.com.zone”;
allow-transfer { 192.168.0.110; }; 必须添加这一条
};
zone “0.168.192.in-addr.arpa” IN {
type master;
file “named.192.168.0”;
allow-transfer { 192.168.0.110; }; 必须添加这一条
};
2、 在/var/named下创建定义的区域。同上
注:区域中必须加从服务器IP地址NS记录
3、配置检查,重启
[root@CentOS6 ~]# named-checkconf
[root@CentOS6 ~]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2017050804
OK
[root@CentOS6 ~]# named-checkzone “0.168.192.in-addr.arpa” /var/named/named.192.168.0
zone 0.168.192.in-addr.arpa/IN: loaded serial 2017050801
OK
[root@CentOS6 ~]# service named start
从服务器配置
[root@CentOS7 ~]# vim /etc/named.conf
listen-on port 53 { 192.168.0.110; };
allow-query { any; };
dnssec-enable no;
dnssec-validation no;
zone “magedu.com” IN {
type slave;
file “slaves/magedu.com”;
masters { 192.168.0.109; };
};
zone “0.168.192.in-addr.arpa” IN {
type slave;
file “slaves/named.192.168.0”;
masters { 192.168.0.109; };
};
从服务器查看/var/named/slaves/,是否生成文件
[root@CentOS7 ~]# ll /var/named/slaves/
总用量 8
-rw-r–r– 1 named named 516 5月 8 13:25 magedu.com
-rw-r–r– 1 named named 468 5月 8 13:26 named.192.168.0
原创文章,作者:ning407631632,如若转载,请注明出处:http://www.178linux.com/75000
评论列表(1条)
希望ssl相关的原理和过程图要理解,这两年都在搞全站https,所以这部分还是需要注重的。