Tomcat to configure HTTPS to generate security certificates


Configuring two-way (mutual) SSL authentication in Tomcat 6 is fairly easy. This article describes how to use the JDK's keytool to configure two-way SSL authentication for Tomcat, and then how to generate certificates in batch.

Environment: JDK 5.0, Tomcat 6.0.16

Open a command prompt and proceed as follows.
Step one: Generate a certificate for the server

Use keytool to generate a certificate for Tomcat. Assuming the target machine's domain name is localhost or "192.168.1.1", the keystore file is stored at "D:/downloads/tomcat.keystore" and its password is "logiscn" (passwords are case-sensitive), generate it with the following command:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:/downloads/tomcat.keystore -dname "CN=192.168.1.1,OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN" -validity 3650 -storepass logiscn -keypass logiscn
If the domain name of the server where Tomcat runs is not "localhost", change the CN to the corresponding domain name, such as www.baidu.com, or to the IP address; otherwise the browser will pop up a warning saying that the certificate does not match the domain.
Step two: Generate a certificate for the client

Next, generate a certificate for the browser so that the server can verify it. Assuming the file is stored at "D:/downloads/p12/tianli.p12": to import it successfully into IE and Firefox the certificate format must be PKCS12, so generate it with the following command:

keytool -genkey -v -alias tianli -keyalg RSA -storetype PKCS12 -keystore D:/downloads/p12/tianli.p12 -dname "CN=tianli,OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN" -validity 3650 -storepass tianli -keypass tianli

-validity is the expiry period; the current setting of 3650 days is 10 years. The key password (-keypass; for a PKCS12 store keytool expects it to equal -storepass) is the password asked for when importing into the browser; if it is entered incorrectly the certificate cannot be imported. The resulting certificate store is "D:/downloads/p12/tianli.p12", and the client's CN can be any value.

Step three: Have the server trust the client certificate

Because this is two-way SSL authentication, the server must trust the client certificate, so the client certificate has to be added to the server's keystore as a trusted certificate. A PKCS12 keystore cannot be imported directly, so first export the client certificate to a separate CER file with the following command:

keytool -export -alias tianli -keystore D:/downloads/p12/tianli.p12 -storetype PKCS12 -storepass tianli -rfc -file D:/downloads/cert/tianli.cer

This exports the client certificate to the file "D:/downloads/cert/tianli.cer". Next, import that file into the server's keystore as a trusted certificate:

keytool -import -alias tianli -v -file D:/downloads/cert/tianli.cer -keystore D:/downloads/tomcat.keystore -storepass logiscn < myint.inf

During the import keytool asks whether to trust the certificate and expects y or n; here the answer is fed from the file myint.inf instead of being typed in. myint.inf is a text file containing only "y" followed by a newline.

Listing the server's keystore with keytool -list now shows two entries: the server certificate and the trusted client certificate.
Step four: Configure the Tomcat server

Open conf/server.xml under the Tomcat root directory and locate the SSL connector, which is commented out by default. Uncomment it and change it to the following:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="D:/downloads/tomcat.keystore" keystorePass="logiscn"
           truststoreFile="D:/downloads/tomcat.keystore" truststorePass="logiscn" />

maxThreads="150" is the value from the SSL connector example in Tomcat's stock server.xml; adjust it as needed. Attribute names are case-sensitive, and the keystore and truststore passwords must match the ones given to keytool.
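To check that the connector really enforces clientAuth="true", here is an added Java program (written for this page, not part of the original article) that opens a TLS connection to the configured connector twice: once presenting tianli's PKCS12 certificate and once with no client key at all. It uses the keystore paths and passwords from the steps above; the host 192.168.1.1 and port 443 are assumptions, and it needs Java 7 or newer.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: connects to the Tomcat SSL connector with and without the
 * client certificate to confirm that clientAuth="true" is enforced.
 */
public class MutualTlsCheck {

    // Paths and passwords as used in the article's keytool commands
    static final String SERVER_KEYSTORE = "D:/downloads/tomcat.keystore"; // JKS; holds the server's self-signed cert
    static final String SERVER_KEYSTORE_PASS = "logiscn";
    static final String CLIENT_P12 = "D:/downloads/p12/tianli.p12";
    static final String CLIENT_P12_PASS = "tianli";
    // Assumptions: the address from step one and the connector's port 443
    static final String HOST = "192.168.1.1";
    static final int PORT = 443;

    static KeyStore load(String path, String type, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        return ks;
    }

    /** Trusts only the certificate in tomcat.keystore; presents tianli's key when asked to. */
    static SSLContext context(boolean withClientCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(SERVER_KEYSTORE, "JKS", SERVER_KEYSTORE_PASS));
        KeyManagerFactory kmf = null;
        if (withClientCert) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(CLIENT_P12, "PKCS12", CLIENT_P12_PASS), CLIENT_P12_PASS.toCharArray());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Returns the HTTP status line, or null when the server rejects the
     * connection. A plain SSLSocket does not compare the host name with the
     * certificate, so this probe verifies the trust chain and client
     * authentication only.
     */
    static String probe(boolean withClientCert) throws Exception {
        SSLSocketFactory factory = context(withClientCert).getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(HOST, PORT)) {
            sock.startHandshake();
            X509Certificate peer = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            System.out.println("server certificate: " + peer.getSubjectX500Principal());
            // Send a request as well: with TLS 1.3 a rejected client cert only surfaces on the first read
            OutputStream out = sock.getOutputStream();
            out.write(("GET / HTTP/1.0\r\nHost: " + HOST + "\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                new InputStreamReader(sock.getInputStream(), StandardCharsets.US_ASCII));
            return in.readLine();
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with client cert   : " + probe(true));
        String noCert = probe(false);
        System.out.println(noCert == null
            ? "without client cert: rejected, clientAuth=\"true\" is enforced"
            : "without client cert: ACCEPTED (" + noCert + "), check clientAuth in server.xml");
    }
}
```

The first probe should print the server certificate's subject and an HTTP status line; the second should be rejected during or right after the handshake. If the second connection is answered too, the connector is not requiring client certificates (clientAuth is "false" or "want", or a different connector was edited).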

clientAuth specifies whether the client certificate must be validated. If it is set to "false", this is one-way SSL authentication and the SSL configuration is complete. If clientAuth is set to "true", two-way SSL authentication is mandatory and the client certificate must be validated. If clientAuth is set to "want", the client certificate is validated when one is presented, but a client without a valid certificate is not refused.

Step five: Import the client certificate

If clientAuth="true" is set, the client certificate is mandatory. Double-click "D:/downloads/p12/tianli.p12" to import the certificate into IE. After importing the certificate, start Tomcat and access it with IE at https://ipaddress/ (the default port for the HTTPS protocol is 443).

Most of the above was written from information found online. To give every person their own certificate, the steps above could be repeated by hand, but because a lot of testing was needed on different machines, a program was written to generate the commands automatically. The generator is written in Java and needs three settings before it builds the commands:

1. Basedir: the location of the generated command file. The CER and P12 files produced when the command runs are stored in two separate folders, so a base directory is required.
2. Keystore password: the generated keystore needs a password, and for security reasons the keystores of different domain names use different passwords.
3. Domain address: the browser warns if the domain address is wrong, so each domain needs its own address.

Once these three settings are made, the commands can be generated. Three files are produced, all stored under Basedir:

1. myint.inf, whose content is simply "y" followed by a newline.
2. conf, which contains the generated configuration fragment and brief usage instructions. Its content is as follows:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="D:/downloads/tomcat.keystore" keystorePass="logiscn"
           truststoreFile="D:/downloads/tomcat.keystore" truststorePass="logiscn" />

Copy it directly into the appropriate server.xml when used.

3. The executable command file Command.bat. Before running the keytool commands it creates two folders so that the generated files are stored in the right place. Part of its content is as follows:

mkdir cert
mkdir p12
REM Step one: generate the server certificate
keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:/downloads/tomcat.keystore -dname "CN=LOCALHOST,OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN" -validity 3650 -storepass logiscn -keypass logiscn
REM Step two: generate a certificate for client tianli
keytool -genkey -v -alias tianli -keyalg RSA -storetype PKCS12 -keystore D:/downloads/p12/tianli.p12 -dname "CN=tianli,OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN" -validity 3650 -storepass tianli -keypass tianli
REM Step three: let the server trust the client certificate
keytool -export -alias tianli -keystore D:/downloads/p12/tianli.p12 -storetype PKCS12 -storepass tianli -rfc -file D:/downloads/cert/tianli.cer
keytool -import -alias tianli -v -file D:/downloads/cert/tianli.cer -keystore D:/downloads/tomcat.keystore -storepass logiscn < myint.inf

The implementation of the Java program is in the attachment; double-clicking the executable generates certificates in batch. Very convenient.
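The article's generator is only provided as an attachment, so the following is an added Java 8 example written for this page (not the author's program) that produces the same three files, myint.inf, conf and command.bat, under the chosen Basedir for a list of client names. It takes the three settings named above (Basedir, keystore password, domain address); the client names, the extra output file client-passwords.txt and the random per-client PKCS12 passwords are this example's own assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example: writes myint.inf, conf and command.bat for batch certificate creation. */
public class CertCommandGenerator {

    static final String EOL = "\r\n"; // Windows line endings for the .bat and .inf files
    static final String DN_SUFFIX = ",OU=LOGISCN,O=LOGIS,L=BEIJING,ST=BEIJING,C=CN"; // from the article's -dname

    final Path baseDir;     // setting 1: Basedir
    final String storePass; // setting 2: server keystore password (one per domain)
    final String domain;    // setting 3: domain address, becomes the server certificate's CN
    final SecureRandom rnd = new SecureRandom();

    CertCommandGenerator(String baseDir, String storePass, String domain) {
        this.baseDir = Paths.get(baseDir);
        this.storePass = storePass;
        this.domain = domain;
    }

    /** keytool accepts forward slashes on Windows, so paths are normalised that way. */
    String path(String... parts) {
        Path p = baseDir;
        for (String part : parts) p = p.resolve(part);
        return p.toString().replace('\\', '/');
    }

    /** Step one: the server keystore and certificate. */
    String serverCommand() {
        return "keytool -genkey -v -alias tomcat -keyalg RSA -keystore " + path("tomcat.keystore")
             + " -dname \"CN=" + domain + DN_SUFFIX + "\" -validity 3650"
             + " -storepass " + storePass + " -keypass " + storePass;
    }

    /** 16 characters from an unambiguous alphabet; this example's choice, not the article's scheme. */
    String newClientPassword() {
        String alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 16; i++) sb.append(alphabet.charAt(rnd.nextInt(alphabet.length())));
        return sb.toString();
    }

    /** Steps two and three of the article for one client. */
    List<String> clientCommands(String client, String clientPass) {
        String p12 = path("p12", client + ".p12");
        String cer = path("cert", client + ".cer");
        return Arrays.asList(
            "REM step two: PKCS12 certificate for client " + client,
            "keytool -genkey -v -alias " + client + " -keyalg RSA -storetype PKCS12 -keystore " + p12
                + " -dname \"CN=" + client + DN_SUFFIX + "\" -validity 3650"
                + " -storepass " + clientPass + " -keypass " + clientPass,
            "REM step three: export the certificate and add it to the server keystore as trusted",
            "keytool -export -alias " + client + " -keystore " + p12 + " -storetype PKCS12"
                + " -storepass " + clientPass + " -rfc -file " + cer,
            "keytool -import -alias " + client + " -v -file " + cer + " -keystore " + path("tomcat.keystore")
                + " -storepass " + storePass + " < myint.inf");
    }

    /** Step four: the Connector fragment to paste into conf/server.xml. */
    String connectorFragment() {
        String ks = path("tomcat.keystore");
        return "<Connector port=\"443\" protocol=\"HTTP/1.1\" SSLEnabled=\"true\"" + EOL
             + "           maxThreads=\"150\" scheme=\"https\" secure=\"true\"" + EOL
             + "           clientAuth=\"true\" sslProtocol=\"TLS\"" + EOL
             + "           keystoreFile=\"" + ks + "\" keystorePass=\"" + storePass + "\"" + EOL
             + "           truststoreFile=\"" + ks + "\" truststorePass=\"" + storePass + "\" />" + EOL;
    }

    void generate(List<String> clients) throws IOException {
        Files.createDirectories(baseDir);
        write("myint.inf", "y" + EOL);                       // file 1: the answer to keytool's trust prompt
        write("conf", connectorFragment());                  // file 2: server.xml fragment
        List<String> bat = new ArrayList<>();                // file 3: the commands themselves
        bat.add("@echo off");
        bat.add("cd /d \"" + baseDir.toString().replace('/', '\\') + "\"");
        bat.add("mkdir cert");
        bat.add("mkdir p12");
        bat.add("REM step one: server certificate for " + domain);
        bat.add(serverCommand());
        StringBuilder passwords = new StringBuilder();
        for (String client : clients) {
            String pass = newClientPassword();
            passwords.append(client).append('=').append(pass).append(EOL);
            bat.addAll(clientCommands(client, pass));
        }
        write("command.bat", String.join(EOL, bat) + EOL);
        write("client-passwords.txt", passwords.toString()); // hand each line to its owner, then delete the file
    }

    private void write(String name, String content) throws IOException {
        Files.write(baseDir.resolve(name), content.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample settings; the client names are made up for this example
        new CertCommandGenerator("D:/downloads", "logiscn", "192.168.1.1")
            .generate(Arrays.asList("tianli", "zhangsan", "lisi"));
    }
}
```

Two design choices differ from the hand-written commands above: each client gets a random PKCS12 password instead of its own name, recorded in client-passwords.txt so it can be handed to the certificate's owner and then removed, and command.bat starts with cd /d into Basedir so that the relative mkdir calls and the < myint.inf redirection work no matter where the file is started from.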
This article is published under the Creative Commons Attribution 2.5 China Mainland license. Reprinting, adaptation and commercial use are welcome, but the original author (Dana Li) and a link to the original must be given in a prominent place on the article page; see the license for the specific procedure. For questions or licensing negotiations, please leave a message or join the Q group.
