可信证书内置证书功能添加

2019-06-08 16:51:28 +08:00
parent 5f8a9b43fc
commit 2bee7a7f68
12 changed files with 3914 additions and 162 deletions
--- a/src/main/java/com/nis/domain/configuration/PxyObjTrustedCaCert.java
+++ b/src/main/java/com/nis/domain/configuration/PxyObjTrustedCaCert.java
@@ -20,6 +20,8 @@ public class PxyObjTrustedCaCert extends BaseCfg<PxyObjTrustedCaCert> {
 	private String certFile; 
 	@ExcelField(title="crl_file",sort=4)
 	private String crlFile;
+	@ExcelField(title="built_in",sort=4)//是否内置证书
+	private Integer builtIn;
 	
 	public String getCrlFile() {
 		return crlFile;
@@ -47,6 +49,11 @@ public class PxyObjTrustedCaCert extends BaseCfg<PxyObjTrustedCaCert> {
 	public void setIndexTable(String indexTable) {
 		this.indexTable = indexTable;
 	}
-	
+	public Integer getBuiltIn() {
+		return builtIn;
+	}
+	public void setBuiltIn(Integer builtIn) {
+		this.builtIn = builtIn;
+	}
 	
 }
--- a/src/main/java/com/nis/web/controller/configuration/proxy/PxyObjKeyringController.java
+++ b/src/main/java/com/nis/web/controller/configuration/proxy/PxyObjKeyringController.java
@@ -26,7 +26,7 @@ import javax.net.ssl.TrustManagerFactory;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

-import org.apache.commons.beanutils.BeanUtils;
+import org.springframework.beans.BeanUtils;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.stereotype.Controller;
@@ -354,7 +354,8 @@ public class PxyObjKeyringController extends BaseController {
 			
 			// 临时文件删除
 			if(!delTempFile) {
-				resultMap.put("certFilePath", filePath);
+				this.certInfoMap.put("certFilePath", filePath);
+				logger.info("证书列表文件目录"+certInfoMap.get("certFilePath"));
 			}else {
 				logger.info("delete file" + filePath);
 				FileUtils.deleteFile(filePath);
@@ -599,6 +600,19 @@ public class PxyObjKeyringController extends BaseController {
 			@ModelAttribute("cfg") PxyObjTrustedCaCert entity, RedirectAttributes redirectAttributes) {
 		Page<PxyObjTrustedCaCert> page = pxyObjKeyringService
 				.findTrustedCertPage(new Page<PxyObjTrustedCaCert>(request, response, "r"), entity);
+		//判断是否存在内置证书，不存在则按钮开放。
+		PxyObjTrustedCaCert searchBuiltIn=new PxyObjTrustedCaCert();
+		searchBuiltIn.setBuiltIn(1);
+		searchBuiltIn.setIsValid(1);
+		searchBuiltIn.setIsAudit(1);
+		Page<PxyObjTrustedCaCert> builtInReslt = pxyObjKeyringService
+				.findTrustedCertPage(new Page<PxyObjTrustedCaCert>(request, response, "r"), searchBuiltIn);
+		if(builtInReslt != null && !StringUtil.isEmpty(builtInReslt.getList())) {
+			model.addAttribute("hasBuiltIn", true);
+		}else {
+			model.addAttribute("hasBuiltIn", false);
+		}
+
 		model.addAttribute("page", page);
 		initPageCondition(model, entity);
 		return "/cfg/intercept/strateagy/trustedCertList";
@@ -845,11 +859,13 @@ public class PxyObjKeyringController extends BaseController {
 	public String trustedCertBuiltIn(Model model, HttpServletRequest request, HttpServletResponse response,
 			@ModelAttribute("cfg") PxyObjTrustedCaCert cfg, MultipartFile crlFileI,
 			RedirectAttributes redirectAttributes) {
+		logger.info("证书列表开始校验");
 		boolean validFlag = true;
 		try {
 			if(crlFileI != null) {
 				//校验证书格式
 				boolean certFileflag = validCertFileContent(crlFileI,null, "-incacert");
+				logger.info("证书列表校验结果"+certFileflag);
 				if (!certFileflag) {
 					addMessage(redirectAttributes, "error", "save_failed");
 					logger.error(crlFileI.getOriginalFilename() + " file non crl file format ");
@@ -871,6 +887,8 @@ public class PxyObjKeyringController extends BaseController {
 			}
 		}
 		
+		logger.info("证书列表开始解析");
+		
 		//2、调用脚本生成pem文件
 		//./cacert.sh tls-ca-bundle.pem  /home/ddm/cacert
 		String certFilePath="";
@@ -878,15 +896,17 @@ public class PxyObjKeyringController extends BaseController {
 		try {
 			if(validFlag && !certInfoMap.isEmpty() && !StringUtil.isEmpty(certInfoMap.get("certFilePath"))) {
 				certFilePath=certInfoMap.get("certFilePath").toString();
+				logger.info("证书列表解析文件"+certFilePath);
 				String cacert = Thread.currentThread().getContextClassLoader()
 						.getResource(File.separator + "shell" + File.separator + Constants.CA_CERT_FILE).getPath();
 				this.execShell("", "chmod", "+x", cacert);
 				logger.info(Constants.CA_CERT_FILE+"脚本分配可执行权限:" + "chmod" + " " + "+x" + " " + cacert);
 						
-				String resultDir = Thread.currentThread().getContextClassLoader()
-						.getResource(File.separator + "shell" + File.separator + Constants.CA_CERT_DIR).getPath();
-				this.execShell(cacert, certFilePath,resultDir);
-				logger.info("内置证书文件生成："+cacert + " " + certFilePath+" "+resultDir);
+				resultDirPath = Thread.currentThread().getContextClassLoader()
+						.getResource(File.separator + Constants.CA_CERT_DIR).getPath();
+				logger.info("证书列表解析结果目录"+resultDirPath);
+				this.execShell(cacert, certFilePath,resultDirPath);
+				logger.info("内置证书文件生成："+cacert + " " + certFilePath+" "+resultDirPath);
 			}
 			//删除临时文件
 			if(!StringUtil.isEmpty(certFilePath)) {
@@ -900,10 +920,12 @@ public class PxyObjKeyringController extends BaseController {
 			LogUtils.saveLog(request, null, e, null);
 		}
 		
+		logger.info("所有证书开始校验");
 		//校验内置证书，并获取issuer信息
 		File fileDir=null;
 		Map<String,String> issuerMap=new HashMap<>();
 		if(validFlag && !StringUtil.isEmpty(resultDirPath)) {
+			logger.info("证书列表文件解析结果目录："+resultDirPath);
 			fileDir=new File(resultDirPath);
 			try {
 				if(validFlag) {
@@ -912,9 +934,10 @@ public class PxyObjKeyringController extends BaseController {
 						MultipartFile multipartFile = new MockMultipartFile(file.getName(),fileInputStream);
 						//校验证书格式
 						boolean validResult = validCertFileContent(multipartFile,null, "-incacert");
+						logger.info("证书校验结果"+validResult);
 						if (validResult && !certInfoMap.isEmpty() && !StringUtil.isEmpty(certInfoMap.get("ca issuer"))) {
 							String issuer=certInfoMap.get("ca issuer").toString();
-							issuerMap.put(file.getName(), certInfoMap.get("ca issuer").toString());
+							issuerMap.put(file.getName(), issuer);
 						}else{
 							addMessage(redirectAttributes, "error", "save_failed");
 							logger.error(crlFileI.getOriginalFilename() + " file non crl file format ");
@@ -939,20 +962,18 @@ public class PxyObjKeyringController extends BaseController {
 		
 		}
 		
+		logger.info("所有证书开始上传minio");
 		List<PxyObjTrustedCaCert> caCertList=new ArrayList<PxyObjTrustedCaCert>();
-		if(validFlag) {
+		if(validFlag && fileDir != null && !StringUtil.isEmpty(fileDir.listFiles())) {
+			int index=1;
 			for (File file : fileDir.listFiles()) {
 				File newFile = null;
 				String filename ="";
 				try {
 					FileInputStream fileInputStream = new FileInputStream(file);
 					MultipartFile multipartFile = new MockMultipartFile(file.getName(),fileInputStream);
-					Date date=new Date();
-					cfg.setCreateTime(date);
-					cfg.setCreatorId(UserUtils.getUser().getId());
-					cfg.setAuditTime(date);
-					cfg.setAuditorId(UserUtils.getUser().getId());
 					PxyObjTrustedCaCert cacertBuitIn=new PxyObjTrustedCaCert();
+					cfg.setBuiltIn(1);
 					BeanUtils.copyProperties(cfg, cacertBuitIn);
 					filename = file.getName();
 					String prefix = FileUtils.getPrefix(filename, false);
@@ -973,10 +994,10 @@ public class PxyObjKeyringController extends BaseController {
 					if (!StringUtil.isEmpty(result)) {
 						ResponseData data = result.getData();
 						crlFileAccessUrl = data.getAccessUrl();
-						cacertBuitIn.setCrlFile(crlFileAccessUrl);
+						cacertBuitIn.setCertFile(crlFileAccessUrl);
 					}
 					cacertBuitIn.setIssuer(issuerMap.get(file.getName()));
-					cacertBuitIn.setCfgDesc(issuerMap.get(file.getName())+"_"+file.getName());
+					cacertBuitIn.setCfgDesc("built-in_cert"+index);
 					caCertList.add(cacertBuitIn);
 				} catch (Exception e) {
 					validFlag = false;
@@ -989,13 +1010,15 @@ public class PxyObjKeyringController extends BaseController {
 						LogUtils.saveLog(request, null, e, null);
 					}
 				}
+				index++;
 			}
+			
 		}	
-		
+		logger.info("所有证书信息开始入库并下发");
 		//入库并下发
 		if(validFlag){
 			try {
-				if(StringUtil.isEmpty(caCertList)){
+				if(!StringUtil.isEmpty(caCertList)){
 					pxyObjKeyringService.caCertSaveAndAudit(caCertList);
 				}
 			}catch (Exception e) {
@@ -1011,122 +1034,6 @@ public class PxyObjKeyringController extends BaseController {
 			}
 		}
 		
-		/*if (e instanceof MaatConvertException) {
-			addMessage(redirectAttributes, "error", "request_service_failed");
-			LogUtils.saveLog(request, null, e, null);
-		}else {
-			addMessage(redirectAttributes, "error", "save_failed");
-			LogUtils.saveLog(request, null, e, null);
-		}
-		*/
-		//3、返回文件成功个数。
-		
-		
-		/*File file = null;
-		boolean validFlag = true;
-		try {
-			if (crlFileI != null) {
-				boolean certFileflag = validCertFileContent(crlFileI,null, "-incrl");
-				if (!certFileflag) {
-					addMessage(redirectAttributes, "error", "save_failed");
-					logger.error(crlFileI.getOriginalFilename() + " file non crl file format ");
-					throw new MultiPartNewException(this.getMsgProp().getProperty("crl_file_error"));
-				}
-			}
-		} catch (Exception e) {
-			validFlag = false;
-			logger.error("证书文件校验失败", e);
-			if (e instanceof MaatConvertException) {
-				addMessage(redirectAttributes, "error", "request_service_failed");
-				LogUtils.saveLog(request, null, e, null);
-			} else if (e instanceof MultiPartNewException) {
-				addMessage(redirectAttributes, "error", e.getMessage());
-				LogUtils.saveLog(request, null, e, null);
-			} else {
-				addMessage(redirectAttributes, "error", "save_failed");
-				LogUtils.saveLog(request, null, e, null);
-			}
-		}
-
-		
-		try {
-			if (validFlag) {
-				validFlag = true;
-				if (crlFileI != null) {
-					// 获取issuer
-					if (certInfoMap != null && certInfoMap.size() > 0) {
-						String issuer = StringUtil.isEmpty(certInfoMap.get("crl issuer")) ? ""
-								: certInfoMap.get("crl issuer").toString();// 颁发者
-						if (cfg != null) {
-							if ((cfg.getCertId() != null && cfg.getCertId() > 0) && (!cfg.getIssuer().equals(issuer))) {
-								logger.error("cert 和 crl的issuser不符合");
-								throw new MultiPartNewException(this.getMsgProp().getProperty("crl_issuer_error"));
-							} else {
-								cfg.setIssuer(issuer);
-							}
-
-						}
-					} else {
-						logger.error("crl的issuser为空");
-						throw new MultiPartNewException(this.getMsgProp().getProperty("crl_issuer_null"));
-					}
-				}
-			}
-		} catch (Exception e) {
-			validFlag = false;
-			logger.error("crl issuer比对失败", e);
-			if (e instanceof MultiPartNewException) {
-				addMessage(redirectAttributes, "error", e.getMessage());
-				LogUtils.saveLog(request, null, e, null);
-			} else {
-				addMessage(redirectAttributes, "error", "save_failed");
-				LogUtils.saveLog(request, null, e, null);
-			}
-		}
-		try {
-			if (validFlag) {
-				if (crlFileI != null) {
-					String filename = crlFileI.getOriginalFilename();
-					String prefix = FileUtils.getPrefix(filename, false);
-					String suffix = FileUtils.getSuffix(filename, false);
-					file = File.createTempFile("file_" + prefix, suffix);
-					crlFileI.transferTo(file);// 复制文件
-					String md5 = FileUtils.getFileMD5(file);
-					Map<String, Object> srcMap = Maps.newHashMap();
-					srcMap.put("filetype", suffix);
-					srcMap.put("datatype", "dbSystem");// 源文件存入数据中心
-					srcMap.put("createTime", new Date());
-					srcMap.put("key", prefix);
-					srcMap.put("fileName", filename);
-					srcMap.put("checksum", md5);
-					ToMaatResult result = ConfigServiceUtil.postFileCfg(null, file, JsonMapper.toJsonString(srcMap));
-					logger.info("可信证书crl 文件上传响应信息：" + JsonMapper.toJsonString(result));
-					String crlFileAccessUrl = null;
-					if (!StringUtil.isEmpty(result)) {
-						ResponseData data = result.getData();
-						crlFileAccessUrl = data.getAccessUrl();
-						cfg.setCrlFile(crlFileAccessUrl);
-					}
-				}
-				pxyObjKeyringService.trustedCrlsaveOrUpdate(cfg);
-
-				addMessage(redirectAttributes, "success", "save_success");
-			}
-
-		} catch (Exception e) {
-			logger.error("crl上传失败", e);
-			if (e instanceof MaatConvertException) {
-				addMessage(redirectAttributes, "error", "request_service_failed");
-				LogUtils.saveLog(request, null, e, null);
-			} else if (e instanceof MultiPartNewException) {
-				addMessage(redirectAttributes, "error", e.getMessage());
-				LogUtils.saveLog(request, null, e, null);
-			} else {
-				addMessage(redirectAttributes, "error", "save_failed");
-				LogUtils.saveLog(request, null, e, null);
-			}
-		}
-*/
 		return "redirect:" + adminPath + "/proxy/intercept/strateagy/trustedCertList?functionId=" + cfg.getFunctionId();
 	}

--- a/src/main/java/com/nis/web/dao/configuration/PxyObjKeyringDao.xml
+++ b/src/main/java/com/nis/web/dao/configuration/PxyObjKeyringDao.xml
@@ -66,6 +66,7 @@
 	    <result column="compile_id" property="compileId" jdbcType="INTEGER" />
 	    <result column="cancel_request_id" property="cancelRequestId" jdbcType="INTEGER" />
 	      <result column="do_log" property="doLog" jdbcType="INTEGER" />
+	      <result column="built_in" property="builtIn" jdbcType="INTEGER" />
 	  </resultMap>
 	  <resultMap id="PxyObjTrustedCaCrlMap" type="com.nis.domain.configuration.PxyObjTrustedCaCrl" >
 	    <id column="cfg_id" property="cfgId" jdbcType="BIGINT" />
@@ -102,7 +103,7 @@
 		,r.is_valid,r.is_audit,r.creator_id,r.create_time,r.editor_id
 		,r.edit_time,r.auditor_id,r.audit_time,r.service_id,r.request_id
 		,r.is_area_effective,r.classify,r.attribute,r.lable
-		,r.area_effective_ids,r.function_id,r.cfg_region_code,r.compile_id,r.cancel_request_id,r.do_log
+		,r.area_effective_ids,r.function_id,r.cfg_region_code,r.compile_id,r.cancel_request_id,r.do_log,r.built_in
 	</sql>
    <sql id="PxyObjTrustedCaCrlColumns">
 		 r.cfg_id,r.cfg_desc
@@ -270,10 +271,14 @@
 	    	<if test="action != null">
 	    		AND r.ACTION=#{action,jdbcType=INTEGER}
 	    	</if>
+	    	<if test="builtIn != null">
+	    		AND r.built_in=#{builtIn,jdbcType=INTEGER}
+	    	</if>
 	    	<choose>
 	    		<!-- 判断是否批量操作 -->
 				<when test="batchValidValue != null and batchValidValue != ''">
 					AND  r.IS_VALID in (${batchValidValue})
+					AND r.built_in !=1
 				</when>
 				<otherwise>
 					<if test="isValid != null">
@@ -525,13 +530,14 @@
 	cfg_type,
 	compile_Id,
    cfg_region_code,
+    built_in,
    do_log
    )values (
   		#{cfgId,jdbcType=VARCHAR},
   		#{cfgDesc,jdbcType=VARCHAR},
   		#{action,jdbcType=INTEGER}, 
-    	0,
-    	0,
+    	#{isValid,jdbcType=INTEGER}, 
+    	#{isAudit,jdbcType=INTEGER}, 
    	#{creatorId,jdbcType=INTEGER}, 
   		#{createTime,jdbcType=TIMESTAMP},
   		#{editorId,jdbcType=INTEGER},
@@ -551,6 +557,7 @@
    	#{cfgType,jdbcType=VARCHAR},
    	#{compileId,jdbcType=INTEGER},
    	#{cfgRegionCode,jdbcType=INTEGER},
+    	#{builtIn,jdbcType=INTEGER},
    	#{doLog,jdbcType=INTEGER}
    )
  </insert>
--- a/src/main/java/com/nis/web/service/configuration/PxyObjKeyringService.java
+++ b/src/main/java/com/nis/web/service/configuration/PxyObjKeyringService.java
@@ -171,6 +171,7 @@ public class PxyObjKeyringService extends BaseService{
 			if(compileIds != null && compileIds.size() >0  && compileIds.get(0) != 0){
 				entity.setCompileId(compileIds.get(0));
 			}
+			entity.setBuiltIn(0);
 			pxyObjKeyringDao.insertPxyObjTrustedCaCert(entity);
 			//修改
 		}else{
@@ -489,6 +490,7 @@ public class PxyObjKeyringService extends BaseService{
 	@Transactional(readOnly=false,rollbackFor=RuntimeException.class)
 	public void caCertSaveAndAudit(List<PxyObjTrustedCaCert>  cfgList){
 		
+		Date date=new Date();
 		//修改主表cert 配置状态
 		for (PxyObjTrustedCaCert cfg : cfgList) {
 			//调用服务接口获取compileId
@@ -503,6 +505,11 @@ public class PxyObjKeyringService extends BaseService{
 			if(compileIds != null && compileIds.size() >0  && compileIds.get(0) != 0){
 				cfg.setCompileId(compileIds.get(0));
 			}
+			cfg.setCreateTime(date);
+			cfg.setCreatorId(UserUtils.getUser().getId());
+			cfg.setAuditTime(date);
+			cfg.setAuditorId(UserUtils.getUser().getId());
+			logger.info("证书名称"+cfg.getCfgDesc());
 			pxyObjKeyringDao.insertPxyObjTrustedCaCert(cfg);
 		}
 		
--- a/src/main/resources/messages/message_en.properties
+++ b/src/main/resources/messages/message_en.properties
@@ -1625,4 +1625,5 @@ ssl_server_side_version=SSL Server Side Version
 ssl_client_side_version=SSL Client Side Version
 ssl_cert_verify=SSL Cert Verify
 stream_trace_id=Stream Trace ID
-ssl_error=SSL Error
+ssl_error=SSL Error
+import_built_cert_file=Import built-in certificate
--- a/src/main/resources/messages/message_ru.properties
+++ b/src/main/resources/messages/message_ru.properties
@@ -1627,4 +1627,5 @@ ssl_server_side_version=SSL Server Side Version
 ssl_client_side_version=SSL Client Side Version
 ssl_cert_verify=SSL Cert Verify
 stream_trace_id=Stream Trace ID
-ssl_error=SSL Error
+ssl_error=SSL Error
+import_built_cert_file=Import built-in certificate
--- a/src/main/resources/messages/message_zh_CN.properties
+++ b/src/main/resources/messages/message_zh_CN.properties
@@ -1625,4 +1625,5 @@ ssl_server_side_version=\u670d\u52a1\u5668\u4fa7SSL\u7248\u672c
 ssl_client_side_version=\u5ba2\u6237\u7aef\u4fa7SSL\u7248\u672c
 ssl_cert_verify=\u8bc1\u4e66\u6821\u9a8c\u7ed3\u679c
 stream_trace_id=\u6d41\u7684\u8ffd\u8e2aID
-ssl_error=SSL\u9519\u8bef\u4fe1\u606f
+ssl_error=SSL\u9519\u8bef\u4fe1\u606f
+import_built_cert_file=\u5BFC\u5165\u5185\u7F6E\u8BC1\u4E66
--- a/src/main/resources/shell/cacert.sh
+++ b/src/main/resources/shell/cacert.sh
@@ -1,25 +1,26 @@
 #!/bin/bash
-if [[ $# != 1 ]];then
-echo "USAGE: cacert file absolute path is required"
-fi
+#if [[ $# != 1 ]];then
+#echo "USAGE: cacert file absolute path is required"
+#fi

 CACERT_FILE=$1
+CACERT_DIR=$2
 #上传接口URL
-CACERT_URL='http://192.168.10.120:8082/v1/policy/profile/trustedcacertobj'
+#CACERT_URL='http://192.168.10.120:8082/v1/policy/profile/trustedcacertobj'
 #TOKEN 获取接口URL
-TOKEN_URL='http://192.168.10.120:8082/v1/user/login?username=admin&password=admin'
+#TOKEN_URL='http://192.168.10.120:8082/v1/user/login?username=admin&password=admin'

 #TOKEN=$(curl -s -X POST $TOKEN_URL|grep 'token'|awk -F':' '{print $2}'|awk -F'"' '{print $2}')

 temp=$(dirname $0)
-CUR_DIR=$(pwd $temp)
+#CUR_DIR=$(pwd $temp)
 #单个证书存放目录
-CACERT_DIR=${CUR_DIR}"/cacert"
+#CACERT_DIR=${CUR_DIR}"/cacert"
 #日志文件
-LOG_FILE=${CUR_DIR}"/cacert.log"
-if [ -e $LOG_FILE ];then
-rm -rf $LOG_FILE
-fi
+#LOG_FILE=${CUR_DIR}"/cacert.log"
+#if [ -e $LOG_FILE ];then
+#rm -rf $LOG_FILE
+#fi
 rm -rf $CACERT_DIR
 if [[ ! -e $CACERT_DIR ]];then
 mkdir -p $CACERT_DIR
@@ -44,10 +45,10 @@ fi
 #result=$(curl $CACERT_URL -s -X POST -F "file=@${path}" -H "Content-Type:multipart/form-data " -H "Authorization:${TOKEN}" -H "File-Desc:{'opAction':'add','certName':'${cacertName}','certId':null,'isValid':1}")
 #newPath=${CACERT_DIR}"/"$cacertName".pem"
 #mv $path $newPath
-TIMESTEMP=$(date '+%Y-%m-%d %H:%M:%S')
+#TIMESTEMP=$(date '+%Y-%m-%d %H:%M:%S')
 #echo "upload [ ${cacertName} ]"
 #echo "[${TIMESTEMP}]upload [ ${cacertName} ] path:[ ${path} ] to [ ${CACERT_URL} ]" >> $LOG_FILE
 #echo "[${TIMESTEMP}]result:"${result} >> $LOG_FILE
-echo "" >> $LOG_FILE
+#echo "" >> $LOG_FILE
 done

--- a/src/main/resources/sql/20190608/alter_trusted_column.sql
+++ b/src/main/resources/sql/20190608/alter_trusted_column.sql
@@ -0,0 +1,4 @@
+#可信证书列表增加是否内置证书属性
+alter table pxy_obj_trusted_ca_cert add  built_in int(1) default 0 comment 'is built-in';
+#修改已有证书为非内置证书
+update pxy_obj_trusted_ca_cert set built_in=0;
--- a/src/main/resources/sql/20190608/tls-ca-bundle.pem
+++ b/src/main/resources/sql/20190608/tls-ca-bundle.pem
--- a/src/main/webapp/WEB-INF/views/cfg/intercept/strateagy/certForm.jsp
+++ b/src/main/webapp/WEB-INF/views/cfg/intercept/strateagy/certForm.jsp
@@ -71,7 +71,7 @@ var submitCrlFrom=function(){
 			<div class="modal-content">
 				<div class="modal-header">
 					<h5 class="modal-title" id="exampleModalLabel">
-						<spring:message code="add_cert_file" />
+						<spring:message code="import_built_cert_file" />
 					</h5>
 					<button type="button" class="close" data-dismiss="modal"
 						aria-label="Close">
@@ -90,7 +90,7 @@ var submitCrlFrom=function(){
 						<input type="hidden" name="isValid" value="1">
 						<input type="hidden" name="isAudit" value="1">
 						<input type="hidden" name="functionId" value="${cfg.functionId }">
-						<input type="hidden" name="serviceId" value="571">
+						<input type="hidden" name="serviceId" value="640">
 						<input type="hidden" name="cfgType" value="PXY_PROFILE_TRUSTED_CA_CERT">
 						<input type="hidden" name="cfgRegionCode" value="">
 						<input type="hidden" name="requestId" value="0">
--- a/src/main/webapp/WEB-INF/views/cfg/intercept/strateagy/trustedCertList.jsp
+++ b/src/main/webapp/WEB-INF/views/cfg/intercept/strateagy/trustedCertList.jsp
@@ -126,12 +126,14 @@
 				<spring:message code="add"></spring:message></button>
 				
 			</shiro:hasPermission>
-			<shiro:hasPermission name="proxy:trustedCert:built-in">
+			
+			<c:if test="${!hasBuiltIn}">
 				<button type="button" class="btn btn-primary"
 					onClick="addCrlFile(this)">
 				<i class="fa fa-plus"></i>
-				<spring:message code="import_crl"></spring:message></button>
-			</shiro:hasPermission>
+				<spring:message code="import_built_cert_file"></spring:message></button>
+			</c:if>
+			
 	</div>

 	<h3 class="page-title">
@@ -374,7 +376,8 @@
 									<th column="cert_name"  class="sort-column r.cfg_desc"><spring:message code="cert_name" /></th>
 									<th column="certificate_file" ><spring:message code="certificate" /> <spring:message code="file" /></th>
 									<th column="issuer" ><spring:message code="issuer"/></th>
-									<th column="crl_file" ><spring:message code="crl"/> <spring:message code="file"/></th>
+									<%--<th column="crl_file" ><spring:message code="crl"/> <spring:message code="file"/></th>--%>
+									<th column="built_in" ><spring:message code="built_in"/></th>
 									<th column="is_audit" ><spring:message code="is_audit"/></th>
 									<%-- <th column="whether_area_block" ><spring:message code="whether_area_block"/></th> --%>
 									<th column="letter" ><spring:message code="letter"/></th>
@@ -394,7 +397,9 @@
 								<c:forEach items="${page.list }" var="cfg" varStatus="status" step="1">
 									<tr>
 									<td>
-										<input type="checkbox" class="i-checks" serviceId="${cfg.serviceId}" id="${cfg.cfgId}" value="${cfg.isAudit}">
+										<c:if test="${cfg.builtIn==0}">
+											<input type="checkbox" class="i-checks" serviceId="${cfg.serviceId}" id="${cfg.cfgId}" value="${cfg.isAudit}">
+										</c:if>
 									</td>
 									<td>
 										<c:set var="crlFile" value="${fns:getTrustedCrlByCerId(cfg.compileId) }"></c:set>
@@ -414,8 +419,8 @@
 											${fn:substring(cfg.issuer,0,20) }
 										</a>
 									</td>
-									<td>
-										<%-- <button class="btn revision popovers purple-stripe " data-content="${crlInfo}"><spring:message code="view"/></button> --%>
+									<%-- <td>
+										<button class="btn revision popovers purple-stripe " data-content="${crlInfo}"><spring:message code="view"/></button>
 										<c:if test="${(cfg.isAudit eq '0') || (cfg.isAudit eq '1')}">
 										<a class="fa fa-cloud-upload" href="javascript:void(0);" onclick="addCrlFile(this);"
 												cfgDesc="${cfg.cfgDesc }"
@@ -439,6 +444,10 @@
 										 class="tooltips" data-flag="false" data-html="true" data-placement="top">
 											${fn:substring(crlFile,0,20) }
 										</a>
+									</td> --%>
+									<td>
+										<c:if test="${cfg.builtIn==0}"><spring:message code="no"/></c:if>
+										<c:if test="${cfg.builtIn==1}"><spring:message code="yes"/></c:if>
 									</td>
 									<td>
 										<c:choose>