Original: http://www.cnblogs.com/visec479/p/4152827.html
Configuring SSL bidirectional authentication in Tomcat 6 is fairly easy, and this article describes how to use the Keytool of the JDK to configure two-way SSL authentication for Tomcat. and implement the batch generation certificate system requirements: JDK 5.0
Tomcat 6.0.16
To start the command line:
First step: Generate a certificate for the server using Keytool to generate a certificate for Tomcat, assuming that the domain name of the target machine is localhost or "192.168.1.1", keystore file is stored in the "D:/downloads/tomcat.keystore ", the password is" LOGISCN ", generated using the following command: Keytool-genkey-v-alias tomcat-keyalg rsa-keystore d:/downloads/tomcat.keystore-dname" CN=1 92.168.1.1,OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN "-validity 3650-storepass logiscn-keypass LOGISCN
If the domain name of the server where Tomcat is not "localhost", it should be changed to the corresponding domain name, such as [Url]www.baidu.com[/url] or IP address, otherwise the browser will pop up a warning window, prompting the user certificate does not match the domain.
Step two: Generate a certificate for the clientThe next step is to generate a certificate for the browser so that the server can verify it. Assuming the file is stored in D:/DOWNLOADS/P12/TIANLI.P12, in order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate: Keytool-genkey-v-alias Tianli-keyalg rsa-storetype pkcs12-keystore d:/downloads/p12/tianli.p12-dname "cn=tianli,ou=logiscn,o=logis,l= BEIJING,ST=BEIJING,C=CN "-validity 3650-storepass tianli-keypass Tianli"-validity for the expiry date, the current setting is 10, Keypass the password used when importing the browser, and if the password is incorrect, it cannot be imported correctly into the browser.
The corresponding certificate inventory is placed in "D:/DOWNLOADS/P12/TIANLI.P12", and the client's CN can be any value. Step three: Have the server trust the client certificate
Because it is a two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added as the server's trust authentication. Since the PKCS12 format certificate library cannot be imported directly, we must first export the client certificate as a separate CER file, using the following command: Keytool-export-alias tianli-keystore d:/downloads/p12/ Tianli.p12-storetype Pkcs12-storepass Tianli-rfc-file D:/downloads/cert/tianli.cer
With the above command, the client certificate is exported to the "D:/downloads/cert/tianli.cer r" file. The next step is to import the file into the certificate Library of the server and add it as a Trust certificate: Keytool-import-alias tianli-v-file d:/downloads/cert/tianli.cer-keystore d:/ Downloads/tomcat.keystore-storepass LOGISCN < Myint.inf because in the import process need to enter Y or N here directly using a file Myint.inf instead of input, Myint.inf is a text file, inside the content only Y and a carriage return
Using the list command to view the server's certificate library, we can see two inputs, one server certificate and one trusted client certificate:
Fourth step: Configure the Tomcat server
Open the/conf/server.xml under the Tomcat root directory and locate the following configuration section, as follows:
Open comments
<connector port= "443" protocol= "http/1.1" sslenabled= "true"
maxthreads= "Scheme=" "https" secure= "true"
Clientauth= "true" sslprotocol= "TLS"
Keystorefile= "D:/downloads/tomcat.keystore" keystorepass= "LOGISCN"
Truststorefile= "D:/downloads/tomcat.keystore" truststorepass= "LOGISCN"
/>
Where ClientAuth Specifies whether the client certificate needs to be validated and if it is set to "false", then one-way SSL authentication, which ends with SSL configuration. If ClientAuth is set to "true" to indicate mandatory two-way SSL authentication, the client certificate must be validated. If ClientAuth is set to "want", it means that the client certificate can be validated, but if the client does not have a valid certificate, it does not force validation. Fifth Step: Import the client certificate
If clientauth= "true" is set, the client certificate needs to be forced to be validated. Double-click "D:/DOWNLOADS/P12/TIANLI.P12" to import the certificate into IE: After importing the certificate, you can start Tomcat and access it with IE. Enter [URL]HTTPS://IPADRESS/[/URL]&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;,HTTPS protocol The default access port is 443. Most of the above are written for reference on-line information. In order to achieve a certificate for each person, if you can repeat the above operation also achieve the purpose, considering the need for a lot of testing, and deployed on different machines, think of the method of using the program to automatically generate commands. The program that generates the command is written using java , and the build command needs to be set up in advance with the following items: 1. basedir the location of the generated command file, the generated command runs after the generated CER and p12 format files, in order to differentiate the storage, need to establish two folders, so need with a basic directory, 2. generated KeyStore file requires a password, for security reasons, different domain name KeyStore require different password. 3. domain address, a warning is issued on integers if the domain address is incorrect. Therefore, for different domains, the addresses are different. Once you have completed the above three settings, you can generate commands. The resulting file consists of 3, all stored under Basedir. 1. myint.inf file, just for the input content is simple including y and a carriage return of 2. conf file, which contains the generated configuration file fragment and a simple instructions for use, the content is as follows <connector port= "443" protocol= "http/1.1" sslenabled= "true" maxthreads= "Scheme=" "https" secure= "true" clientauth= "true" sslprotocol= "TLS" keystorefile= "D :/downloads/tomcat.keystore " keystorepass= "LOGISCN" truststorefile= "D:/ Downloads/tomcat.keystore " truststorepass=" Logiscn "/> Copy directly to the corresponding server.xml when using 3. executable command file Command.bat, before executing the above command, you need to set up two folders, in order to store the generated files in the appropriate location, part of the code is as follows mkdir Cert mkdir p12 Keytool-genkey-v-alias tomcat-keyalg rsa-keystore d:/downloads/tomcat.keystore-dname "CN=localhost,OU=logiscn,O= LOGIS,L=BEIJING,ST=BEIJING,C=CN "-validity 3650-storepass logiscn-keypass logiscn rem for tianli Certificate Generation rem Step two: Generate certificates for clients keytool-genkey-v-alias tianli-keyalg rsa-storetype PKCS12- KeyStore d:/downloads/p12/tianli.p12-dname "CN=TIANLI,OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN"-validity 3650 -storepass tianli-keypass Tianli " rem step three: Have the server trust the client certificate keytool-export-alias tianli-keystore d:/downloads/p12/tianli.p12-storetype Pkcs12-storepass tianli-rfc-file d:/downloads/cert/tianli.cer " keytool-import-alias tianli-v-file d:/downloads/cert/tianli.cer-keystore D:/ Downloads/tomcat.keystore-storepass LOGISCN <myint.infjava The implementation of the program is shown in the attachment, so double-click the execution program to batch generate certificates. Very convenient.
Tomcat to configure HTTPS to generate security certificates