Java + HTTPS + Tomcat two-way validation example

Source: Internet
Author: User

This article walks through an example of HTTPS two-way validation, using Tomcat as the web container.

I. Preparatory work:

1. Create server KeyStore.

Command: keytool -genkey -alias server_jks_cennavi -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.jks -validity 3650

The keytool options are as follows:

-genkey creates a default file ".jks" in the user's home directory, and also produces the server_jks_cennavi alias; server_jks_cennavi contains the user's public key, private key, and certificate
-alias the alias to generate
-keystore specifies the name of the keystore (the resulting information will not be in the .jks file)
-keyalg specifies the key algorithm
-validity specifies how many days the created certificate is valid for
-keysize specifies the key length
-storepass specifies the password for the keystore
-keypass specifies the password for the alias entry
-dname specifies the certificate owner information

You can see a server.jks file in the corresponding H:\keys\server directory.

3. Export the service-side certificate.

Navigate to the server's H:\keys\server directory: keytool -export -trustcacerts -alias server_jks_cennavi -file server.cer -keystore server.jks -storepass 123456

You can see a server.cer file in the corresponding H:\keys\server directory.

4. Create client KeyStore.

You can see a client.p12 file in the corresponding H:\keys\client directory.

5. Export the client CER certificate.

Navigate to the H:\keys\client directory: keytool -export -trustcacerts -alias client_p12_cennavi -file client.cer -keystore client.p12 -storepass 123456 -storetype PKCS12

You can see a client.cer file in the corresponding H:\keys\client directory.

6. Cross-import the server and client certificates so that each side trusts the other's certificate.

Import the client certificate into the server-side keystore: keytool -import -trustcacerts -alias client_p12_cennavi -file client.cer -keystore server.jks

Import the server-side certificate into the client keystore: keytool -import -trustcacerts -alias server_jks_cennavi -file server.cer -keystore client.jks

7. Configure the server-side Tomcat file conf/server.xml.

Setting clientAuth="true" enables two-way authentication, meaning that the server also authenticates the client.

Setting clientAuth="false" gives one-way authentication, in which only the server-side certificate is verified.

8. Start the Tomcat service on the server, open IE, and enter the access address https://localhost:8443/ServerDemo. This is my test program; it is very simple, just a servlet exposed for external access.

IE will report that Internet Explorer cannot display this page, because we have not yet imported the client certificate client.p12 into IE.

9. Import the client certificate client.p12: double-click client.p12, then Next --> Next --> enter the private key password.

Open IE again and enter the access address https://localhost:8443/ServerDemo. A dialog box will appear; I am not very clear on why this dialog box appears ....

As shown in figure:

Click OK: You will see that IE has blocked you from continuing access because there is no server-side certificate installed.

Click on the Install Server certificate.

That is the end of this part. Next is how to use a Java program to invoke the servlet exposed on the server side.

Client code:

Running in the console, you can see the information returned by the server.
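
The client listing itself is not reproduced on this page. The following is an added example, not the author's code, of a Java client that presents the key in client.p12 and trusts only the server certificate imported into client.jks in step 6. The class name, the location of both files under H:\keys\client, and the client.jks password of 123456 are assumptions.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: class name, file locations and the client.jks password are assumptions.
public class MutualTlsClient {
    static KeyStore load(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "123456".toCharArray(); // demo password used in the keytool steps

        // Client identity: the private key and certificate that Tomcat verifies when clientAuth="true".
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("H:/keys/client/client.p12", "PKCS12", pass), pass);

        // Trust anchors: only the server certificate imported into client.jks.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("H:/keys/client/client.jks", "JKS", pass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Hostname verification stays at its default, so the server certificate must name "localhost".
        HttpsURLConnection conn = (HttpsURLConnection)
                URI.create("https://localhost:8443/ServerDemo").toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) {
                System.out.println(line); // response body returned by the servlet
            }
        }
    }
}
```

If the handshake fails with a certificate or hostname error, check that server.cer was imported into client.jks and that the name entered when generating the server key matches the host in the URL.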

This is the first article I have written, and the writing is not very good. The article may contain mistakes; friends, please point them out. Thank you.

If you have any good methods or suggestions, please leave a message. Thank you.
