About Tomcat SSL


http://www.kuqin.com/shuoit/20140615/340573.html

1 SSL one-way authentication concept

In one-way authentication, when a client (service requester) sends a request to the server (service provider), the server must authenticate itself to the client. The server therefore needs a keystore holding the server key pair (public and private key), and the client needs a truststore into which the server's public key certificate is imported.

2 Generating the keystore and the server key pair

keytool -genkeypair -alias certificatekey -keyalg RSA -validity 365 -keystore shfqkeystore.jks

This command creates the keystore and generates a key pair inside it. RSA is an asymmetric key algorithm and can be replaced by any other key algorithm keytool supports; 365 is the validity period of the certificate in days and can be changed; shfqkeystore.jks is the keystore file name and can also be changed. Open the cmd command line and enter:

keytool -genkeypair -alias certificatekey -keyalg RSA -validity 365 -keystore shfqkeystore.jks

You will be prompted for the keystore password, followed by prompts for the certificate details (first and last name, organizational unit, and so on), for example:

Supplemental: the prompt "Enter key password for <certificatekey>" asks for the password of the server-side private key that belongs to the generated certificate. If the private key password is to be the same as the keystore password, press Enter directly. This is the recommended choice, that is, the server private key password and the keystore password are the same. If the two passwords differ, Tomcat reports an UnrecoverableKeyException: Cannot recover key when it starts after server.xml has been configured (the server-side server.xml configuration is described later).

By default keytool saves the generated keystore file in the current user's home directory (here C:\Users\lenovo, the directory named after the user under Users); all files generated in the following steps are saved there as well.

3 Verifying the newly generated keystore file and certificate information

You can execute the following command:

keytool -list -v -keystore shfqkeystore.jks

The keystore entry and its certificate details are displayed.

4 Exporting the public key certificate

The following command can export a self-signed public key certificate:

keytool -export -alias certificatekey -keystore shfqkeystore.jks -rfc -file shfqcert.cer

Here shfqcert.cer is the name of the exported certificate file and can be chosen freely; shfqkeystore.jks is the keystore file generated in step 2.

The command prompts for the shfqkeystore.jks password and then reports that the certificate has been stored in the file, for example:

5 Generating the truststore and importing the public key certificate

Import the public key certificate shfqcert.cer exported in step 4 into the truststore:

keytool -import -alias certificatekey -file shfqcert.cer -keystore shfqtruststore.jks

shfqcert.cer is the public key certificate exported in step 4; shfqtruststore.jks is the name of the truststore file to generate and can be chosen freely. Because the truststore does not exist yet, this command first creates it and then imports the certificate shfqcert.cer exported in step 4.

After running keytool -import -alias certificatekey -file shfqcert.cer -keystore shfqtruststore.jks you are first prompted for the truststore password, for example:

6 Verifying the truststore generated in step 5

keytool -list -v -keystore shfqtruststore.jks

shfqtruststore.jks is the truststore file name generated in step 5.

So far, KeyStore, Truststore, and public key certificates have all been generated.
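As an added check that is not part of the original post, the following Java program opens the two files produced by steps 2 to 6 and confirms what "keytool -list -v" shows by hand: the keystore holds a private key under the alias certificatekey, the truststore holds exactly the certificate exported from it, and that self-signed certificate is within its validity window. It assumes the file names and alias used above, the keystore password 111111 and the truststore password Client quoted later on this page, and Java 11 or newer (run as "java VerifyStores.java").

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// Added verification helper, not code from the original post.
public class VerifyStores {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // the password also checks the store's integrity
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String alias = "certificatekey";
        // Assumed passwords (from this page); override on the command line if they differ.
        char[] keystorePass = args.length > 0 ? args[0].toCharArray() : "111111".toCharArray();
        char[] truststorePass = args.length > 1 ? args[1].toCharArray() : "Client".toCharArray();

        KeyStore keystore = load("shfqkeystore.jks", keystorePass);
        KeyStore truststore = load("shfqtruststore.jks", truststorePass);

        // Step 2 produced a private-key entry; step 5 must have produced a trusted-certificate entry.
        if (!keystore.isKeyEntry(alias))
            throw new IllegalStateException("keystore has no private key under alias " + alias);
        if (!truststore.isCertificateEntry(alias))
            throw new IllegalStateException("truststore has no trusted certificate under alias " + alias);

        X509Certificate serverCert = (X509Certificate) keystore.getCertificate(alias);
        X509Certificate trustedCert = (X509Certificate) truststore.getCertificate(alias);
        if (!serverCert.equals(trustedCert))
            throw new IllegalStateException("truststore certificate is not the server certificate from step 4");

        serverCert.checkValidity();                 // throws if outside the -validity window
        serverCert.verify(serverCert.getPublicKey()); // self-signed: verifies under its own public key

        System.out.println("subject:     " + serverCert.getSubjectX500Principal());
        System.out.println("valid until: " + serverCert.getNotAfter());
        System.out.println("clients must use the host name given as CN above in the URL");
    }
}
```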

7 Configuring Tomcat on the server side

Locate the server.xml file in the conf directory of the Tomcat installation.

Open server.xml and find the following commented-out connector:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

Below that comment, add the following connector:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true"
           enableLookups="false" maxThreads="25"
           port="8443" keystoreFile="D:\developtools\apache-tomcat-idm\tomcat.keystore" keystorePass="111111"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLS" />

Here clientAuth="false" selects SSL one-way authentication, that is, only the server is authenticated; port="8443" is the HTTPS port; keystoreFile="D:\developtools\apache-tomcat-idm\tomcat.keystore" is the path where the keystore generated in step 2 was saved; and keystorePass="111111" is the keystore password chosen in step 2.

The server side is now configured. To verify the configuration, open it in a browser: start Tomcat and enter https://localhost:8443 in the address bar.

If you see a page like one of the following, the server has been configured successfully.

The warning "The security certificate for this website is not trusted" appears because the certificate is self-signed rather than issued by a trusted CA.
Finally, add the server's IP address to the hosts file and map it to a common name. That common name is the name you entered for "What is your first and last name?" when generating the server certificate in step 2.

8 Client configuration

Pay attention to the address the client uses to reach the server, for example https://shifengqiang:8443/syn/Users

In this address the protocol is HTTPS, the host name is shifengqiang, which is the name entered for "What is your first and last name?" when the server certificate was generated in step 2, and 8443 is the HTTPS port configured in server.xml above.

Add the following code to the client before it synchronizes data to the server:

// Register the HTTPS protocol handler; the Sun JDK and the IBM JDK use different packages,
// and the second call overrides the first, so keep only the line for the JVM in use.
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
System.setProperty("java.protocol.handler.pkgs", "com.ibm.net.ssl.internal.www.protocol");

// Path and password of the truststore generated in step 5
String trustStorePath = "D:\\developtools\\apache-tomcat-idm\\shfqtruststore.jks";
String trustStorePassword = "Client";

// Point the JVM-wide default SSL context at that truststore
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

Here trustStorePath is the path of the truststore and trustStorePassword is its password. This completes the one-way SSL configuration.
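The client code above configures trust through JVM-wide system properties. As an added example (not code from the original post), the following client loads the same truststore into its own SSLContext and applies it to a single HttpsURLConnection, leaving the JDK's default hostname verifier in place. It assumes the truststore path, password and URL quoted in step 8, and that the URL's host name equals the name entered in step 2: connecting by IP address instead makes the JDK reject the connection with "HTTPS hostname wrong", the error quoted at the end of this page, and the fix is the hosts-file mapping from step 7, not a verifier that accepts every host.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example client, not code from the original post.
public class OneWayTlsClient {
    // Build an SSLContext that trusts only the certificates in the given truststore
    // (the server's self-signed certificate from step 5), not the JDK's cacerts.
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key: one-way authentication
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values, taken from step 8 of this page
        String truststorePath = "D:\\developtools\\apache-tomcat-idm\\shfqtruststore.jks";
        SSLContext ctx = contextFor(truststorePath, "Client".toCharArray());

        // Host name must match the CN entered in step 2 (mapped in the hosts file, step 7)
        URL url = new URL("https://shifengqiang:8443/syn/Users");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection socket factory: no System.setProperty, no effect on other connections
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is kept: it compares the URL host with the certificate name

        int status = conn.getResponseCode();   // performs the TLS handshake and the request
        X509Certificate peer = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("HTTP status: " + status);
        System.out.println("server certificate subject: " + peer.getSubjectX500Principal());
    }
}
```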

Reference Link: http://zjumty.iteye.com/blog/1885356

Many links on the Internet were consulted while working out this configuration; some of them are not recorded in the list.

How to make HTTPS accept a self-created certificate using the X509TrustManager interface - Java/JavaSE

But it reports an error; could an expert help solve it, thanks.
The error message is as follows:
java.io.IOException: HTTPS hostname wrong: should be <IP address of the server being called>
    at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)

------Answer---------

------Other answers (15 points)---------


Isn't it because the certificate shows the host name, but you are using the IP address?
I hear SSL treats these differently.

------Other answers (5 points)---------


Mark
