SSL security solution (RPM)

http://blog.csdn.net/photnman/article/details/388853

Background and partial safety knowledge
In the process of highly secure applications, we will inevitably consider the following security requirements, and then propose various security technologies based on these security requirements:
1. Integrity verification. That prevents our content from being tampered with during the transmission of the network, without losing its authenticity. We can use message digest technology to ensure the integrity of the data. The abstract that the same content is computed with the same algorithm is unique and irreversible, that is, the original content cannot be computed from the digest. At present, the more commonly used algorithms are: MD5, SHA
2. Confidentiality of the stay. That prevents the content from being read by others. We encrypt content using cryptography, which currently has symmetric keys (such as the DES algorithm) and asymmetric keys (such as RSA). Specific knowledge can refer to relevant information J
3. Authentication and access authorization. In layman's terms, the information provided by the visitor is analyzed and judged to determine the identity of the visitor and to determine what authority he has, based on his or her identity. Here we generally use certificate authentication.
4. Non-repudiation of evidence.
5. Evidence of the audit. Record and observe some data operations that are very important to security.

SSL Secure Socket Layer protocol is mainly used to protect the confidentiality and integrity of information transmission by using the public key system and the digital certificate technology, it can not guarantee the non-repudiation of information, it is mainly applicable to the information transmission between point-to-point, common Web server way. For e-commerce applications, the use of SSL guarantees the authenticity, integrity and confidentiality of information. However, because SSL does not digitally sign the application layer's messages, it cannot provide the non-repudiation of the transaction.
In fact, SSL is a technology that allows Web browsers and Web services to communicate over secure connections. On this secure connection, the data is encrypted before it is sent, and then decrypted and processed before the server receives it. Both the browser and the server encrypt all traffic before sending any data. SSL is considered for the following important security considerations:
Ø Authentication: When you first attempt to communicate with a Web server over a secure connection, the server sends a voucher to the browser as a server certificate. The purpose of this certificate is to verify that the site is the one it claims to be. In some cases, the server may require the client to provide a certificate that proves that it is the identity it claims to be (that is, client authentication).
Ø Confidentiality: When data is transmitted through the network on the client and the server, third parties can view and intercept the data. The SSL response is encrypted so that the data is not decrypted by a third party and remains confidential.
Ø Integrity: When data is transferred through the network on the client and the server, third parties can view and intercept the data. SSL ensures that data is not modified by third parties.
The choice of the scheme
In view of the above security requirements, we initially conceived two scenarios:
1. The client abstracts the transmitted data and then digitally signs the transmission again, and the service side then encrypts the data to be decrypted and verified. The algorithm has MD5, and the encryption algorithm has DES,RSA
2. Using SSL, the task of encrypting authentication is given to the protocol processing, and the client and server programs are not processed.

The first scenario is that Java cannot be decrypted because of the result that Delphi encrypts with the same algorithm. Estimation is the cause of the coding, but because of the time problem, so no further research.
The second option is now well-configured. The steps are given in detail below.
Required Software
1. jboss3.2.1 Use: Application Server
2. JDK1.4.1_02 has included the latest version of Jsse. or download Jsse 1.0.3_01 usage: Used to generate a key pair (KeyStore) used by the server.
3. Openssl 0.9.7b use: Used to generate CA certificate, signature and generate IE can import pkcs#12 format private key
Installation of software
1. JBoss (abbreviated)
2. If it is jdk1.4.1_02, the Jsse is already installed.
3. Install Jsse: Copy the Lib/*.jar in the Jsse package to java_home/jre/lib/ext/, and add to the classpath;
4.. Edit the Java_home/jre/lib/security/java.security file, which is mainly added:
Security.provider.1=sun.security.provider.sunsecurity.provider.2=com.sun.net.ssl.internal.ssl.provider
5.5. Make sure that your system has one of the following files:
1) Java_home/jre/lib/security/jssecacerts or
2) Java_home/jre/lib/security/cacerts
In this way, your system is already installed Jsse
6. Openssl 0.9.7b installation (slightly)
SSL configuration steps
1. Establish your own CA certificate (assuming that OpenSSL is installed on C:/openssl)
1) Establish your own CA directory where appropriate, for example: E:/ca
2) My Computer-right-click-〉 Properties-〉 Advanced-〉 environment variable-〉 new->administrator user variable-〉 variable name:openssl_conf-> variable value: C:/OPENSSL/SSL/OPENSSL.CNF
3) Generate CA key
OpenSSL genrsa-out E:/ca/ca-key.pem 1024
Genrsa [Generate Key command]–out[key file output PATH] 1024 [number of key bits]
4) generate the certificate to be signed
OpenSSL req-new-out E:/ca/ca-req.csr-key E:/ca/ca-key.pem
req[Generate certificate Command]-new[new generated]-out[certificate file output path]-key[private key file path]
The console displays and requires you to enter:
Country Name (2 letter code) [AU]:CN
State or province name (full name) [SOME-STATE]:GD
Locality Name (eg, city) []:sz
Organization Name (eg, company) [Internet widgits Pty ltd]:oaking
Organizational Unit Name (eg, section) []:its
Common name (eg, YOUR name) []:itsca
Email Address []:[email protected]

Please enter the following ' extra ' attributes
To is sent with your certificate request
A Challenge Password []:itsca
An optional company name []:oaking
[Note]: bold is the input value. Here we set the password to generate the signing certificate to Itsca
5) Self-signed with CA private key
OpenSSL x509-req-in e:/ca/ca-req.csr-out e:/ca/ca-cert.pem-signkey e:/ca/ca-key.pem-days 365
x509[Issue x509 Certificate Command]-req[Enter the certificate to be issued]-in[enter the certificate file to be issued path]-out[generate X509 certificate file output path]-signkey[self-signed key file path]-days[certificate validity period]–ca[issuance and certificate cakey[Root certificate key file]–-cacreateserial[create serial number]
2. Establishing a server certificate
1). Create a working directory and set up your own server directory under the CA directory
2). Generate Server key pair
Keytool-genkey-alias itsserver-validity 365-keyalg rsa-keysize 1024-keystore e:/ca/server/server_keystore
-genkey[generates a key pair]-alias[key pair alias]-validity[key validity]-keyalg[key algorithm parameter]-keysize[key number]-keypass[key protection password]-storepass[Store password]-dname [Alias-related additional information]-keystore[key store file path]
[note] Tomcat after-alias is the name of the key pair that can be replaced by the name you need;
-keypass and-storepass after the password for the protection password must be 6 bits;
Where CN is the name of the server must be set in the same way as the Web server.
The console displays what we need to enter as follows:
Enter KeyStore Password: itskey
What is your first and last name?
[Unknown]: 192.168.70.95
What is the name of your organizational unit?
[Unknown]: its
What is your organization's name?
[Unknown]: oaking
What is the name of your city or region?
[Unknown]: SZ
What is the name of your state or province?
[Unknown]: GD
What is the two-letter country code for this unit?
[Unknown]: CN
cn=192.168.70.95, Ou=its, o=oaking, L=sz, ST=GD, C=CN right?
[No]: Y
Enter the master password for <itsserver>
(If the KeyStore password is the same, press ENTER):
[note] Bold is the input part. -alias after the Itsserver is the name of the key pair can be replaced with the name of their own needs,-keypass and-storepass password for the protection password must be 6 bits,-keypass and-storepass password for the protection of the password must be 6 bits, Here we set as Itskey, and preferably the same; where CN is the name of the server must be the same as the one set in the Web server.
3). Generate the certificate to be signed
Keytool-certreq-alias itsserver-sigalg md5withrsa-file e:/ca/server/server.csr-keypass itskey-keystore E:/ca/server /server_keystore-storepass Itskey
-certreq[generate a certificate to be signed]-alias[certificate alias]-sigalg[certificate algorithm parameters]-file [generate file Output path]-keypass[key protection password]-keystore[Store file path]-storepass[Store password]
[note] The certificate alias is equal to the above KeyStore alias, Keypass (Master password/key protection password) and Storepass are also consistent with the above
4) Copy the C:/openssl/apps/ca-cert.srl file to the CA directory (must be before 5, the order cannot be reversed)
5) signing with CA private key
OpenSSL x509-req-in e:/ca/server/server.csr-out e:/ca/server/server-cert.pem-ca e:/ca/ca-cert.pem-cakey E:/ca/ Ca-key.pem-days 365
3. Import the CA root certificate and the server certificate into the service side
1) Import the CA root certificate
Keytool-import-v-trustcacerts-storepass itscaroot-alias its_ca_root-file ca-cert.pem-keystore e:/ca/server/cacerts
-import[Import command]-v–trustcacerts[Import Trust certificate]–storepass[store password]-alias[certificate alias]-file[certificate file path]-keystore[import file path]-alias is the alias of the CA root certificate.
[note] The stored password must be at least 6 bits. Here we set the Itscaroot
2) Copy the Cacerts file to the C:/j2sdk1.4.1_01/jre/lib/security directory
3) Import server certificate
Keytool-import-v-trustcacerts-storepass itskey-alias itsserver-file e:/ca/server/server-cert.pem-keystore E:/ca/se Rver/server_keystore
[note] The-storepass at this time enter the password to generate the certificate. -alias is the alias for the server certificate.
4) View Certificate
View CA Certificate Keytool-list-keystore server/cacerts
View server Certificate Keytool-list-keystore Server/server_keystore
4. Configure SSL in jboss3.2.2:
1) Copy the Server_keystore to the jboss3.2.2/server/all/conf directory
2) in ${jboss_home}/server/all/deploy/jbossweb-tomcat41.sar/ The Jboss-service.xml file in the Meta-inf directory removes the comment below and changes the Keystorepass to our keystorepass, as we do with Keystorepass for Itskey:
<connector className = "Org.apache.coyote.tomcat4.CoyoteConnector"
address= "${jboss.bind.address}" port = "8443" scheme = "https" secure = "true" >
<factory classname= "Org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
Keystorefile= "${jboss.server.home.dir}/conf/server_keystore"
Keystorepass= "Itskey"
protocol = "TLS"/>
</Connector>
Then comment out the following paragraph:
<connector classname= "Org.apache.coyote.tomcat4.CoyoteConnector"
address= "${jboss.bind.address}" port= "8080" minprocessors= "5" maxprocessors= "100"
Enablelookups= "true" acceptcount= "ten" debug= "0"
connectiontimeout= "20000" useurivalidationhack= "false"/>
The intent is to block port 8080, which can only be accessed via SSL
In this way, SSL is configured as well.
5. Configuring the IE Client
1) Create your own client directory and create your own client directory under the CA directory
2) Generate client key pair
OpenSSL genrsa-out E:/ca/client/client-key.pem 1024
3) generate the certificate to be signed
OpenSSL req-new-out E:/ca/client/client-req.csr-key E:/ca/client/client-key.pem
The console displays what you want to enter:
Country Name (2 letter code) [AU]:CN
State or province name (full name) [SOME-STATE]:GD
Locality Name (eg, city) []:sz
Organization Name (eg, company) [Internet widgits Pty ltd]:oaking
Organizational Unit Name (eg, section) []:its
Common name (eg, YOUR name) []:192.168.70.163
Email Address []:[email protected]

Please enter the following ' extra ' attributes
To is sent with your certificate request
A Challenge Password []:itsclient
An optional company name []:oaking
[note] The Common name is the name of the client machine
4) signing with CA private key
OpenSSL x509-req-in e:/ca/client/client-req.csr-out E:/ca/client/client-cert.pem-signkey E:/ca/client/ Client-key.pem-ca E:/ca/ca-cert.pem-cakey e:/ca/ca-key.pem-cacreateserial-days 365
5) Generate personal certificates that can be imported by client side
OpenSSL pkcs12-export-clcerts-in E:/ca/client/client-cert.pem-inkey e:/ca/client/client-key.pem-out E:/ca/client/ Client.p12
pkcs12[Generate PKS12 Format certificate command]-export[Export file]-clerts[Export client certificate]-in[input client certificate file path]-inkey[client certificate key file path]-out[ Export PKS12 format file path]
[note] The system will prompt you for a password, which is the private key protection password that is prompted when you import ie, not the same as the 3-step input. Here we enter 123456
6. Select "Use SSL2.0" and "SSL3.0" in the advanced options of Internet Options menu in IE browser.
7. Import the CA certificate and client certificate into IE
1) Import the CA root certificate
Rename the Ca-cert.pem in the directory CA to Ca-cert.cer;
Use < tools >,< Internet Options >,< content >,< certificate >,< import in client side IE, import the CA root certificate we generated into a CA that the user trusts.
2) Import client certificate
Import the client certificate (CLIENT.P12) into the client side of IE as the client certificate, as in the import process
8. Start jboss3.2.1
9. Enter https://localhost:8443 in the address bar of IE browser, if the previous operation is correct, you should be able to see the site static Export page, before this, ie prompts you whether to visit the Security page. While the small lock on the status bar is closed, you have successfully established an SSL secure connection to the server that requires client authentication.

At this point, our SSL configuration is all over. J

SSL security solution (RPM)