First, what is HTTPS
Before talking about HTTPS, say what is Http,http is a protocol that we use when browsing the web. The data transmitted by the HTTP protocol is unencrypted, which is plaintext, so it is very insecure to use the HTTP protocol to transmit private information. To ensure that these private data can be encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, which led to the birth of HTTPS. The current version of SSL is 3.0, defined by the IETF (Internet Engineering Task Force) in RFC 6101, and then the IETF is upgraded to SSL 3.0, so TLS (Transport Layer Security) 1.0, defined in RFC 2246. In fact, we now have HTTPS is the TLS protocol, but because SSL appears earlier, and is still supported by the browser now, so SSL is still synonymous with HTTPS, but whether it is TLS or SSL is the last century thing, The last version of SSL is 3.0, and TLS will inherit the good lineage of SSL and continue to encrypt the service for us. The current version of TLS is 1.2, defined in RFC 5246, and is not widely used for the time being.
Second, the working principle of HTTPS
HTTPS requires a handshake between the client (browser) and the server (Web site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, TLS/SSL using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:
1. The browser sends a set of encryption rules that it supports to the Web site.
2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.
3. After obtaining the website certificate, the browser will do the following tasks:
A) Verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.
b) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.
c) Use the agreed hash to calculate the handshake message, encrypt the message with the generated random number, and then send all previously generated information to the Web site.
4. After the Web site receives the data from the browser, do the following:
A) Use your own private key to decrypt the information to remove the password, use the password to decrypt the browser's handshake message, and verify that the hash is consistent with the browser.
b) Encrypt a handshake message with a password and send it to the browser.
5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.
Here the browser and the Web site to send encrypted handshake message and verify, the purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a test. In addition, HTTPS generally uses the encryption and hashing algorithm as follows:
Asymmetric Encryption algorithm: RSA,DSA/DSS
Symmetric encryption algorithm: Aes,rc4,3des
Hash algorithm: md5,sha1,sha256
The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.
If there are any errors during the TLS handshake, the encrypted connection will be disconnected, thereby preventing the transfer of private information.
Configure HTTPS bidirectional authentication with the Tomcat server :
Generate a certificate for the server
Run the console, enter the%java_home%/bin directory, and enter the directory using the following command:
CD "C:\Program Files\java\jdk1.6.0_11\bin"
Using Keytool to generate a certificate for Tomcat, assuming the domain name of the target machine is "localhost", the KeyStore file is stored in "D:\home\tomcat.keystore" and the password is "password", which is generated using the following command:
Keytool-genkey-v-alias tomcat-keyalg rsa-keystore D:\home\tomcat.keystore-validity 36500 (parameter brief description: "D:\home\tomcat.ke Ystore "means to save the path of the certificate file, the certificate file name is Tomcat.keystore;"-validity 36500 "means the certificate validity period, 36500 means 100 years, the default is 90 days" Tomcat "for the custom certificate name).
Fill in the necessary parameters at the command line:
A, enter KeyStore password: Here you need to enter a string greater than 6 characters.
B, "What is your first and last name?" "This is required and must be the domain name of the Tomcat deployment host or ip[, such as: Gbcom.com or 10.1.25.251] (which is the access address you will enter in the browser), or the browser will pop up a warning window prompting the user certificate to not match the domain in which it resides. When you do the development test locally, you should fill in "localhost".
C, what is the name of your organizational unit? "," What is your organization name? "," What is your city or region name? "," What is the name of your state or province? "," What is the two-letter country code for this unit? "Can be filled in as needed or can not fill in the direct return, the system asked" correct? ", enter the letter" Y "with the keyboard if required, otherwise enter" n "to re-fill the information.
D, enter <tomcat> master password, this is more important, will be used in the Tomcat configuration file, it is recommended to enter the same password as KeyStore, set other passwords can also, after completing the above input, the direct return to the location you defined in the second step to find the generated file.
Generate certificates for clients
Generate a certificate for your browser so that the server can verify it. In order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate:
Keytool-genkey-v-alias mykey-keyalg rsa-storetype pkcs12-keystore D:\home\mykey.p12 (MyKey Custom).
The corresponding certificate inventory is placed in "D:\HOME\MYKEY.P12", and the client's CN can be any value. Double-click the Mykey.p12 file to import the certificate into the browser (client).
- &NBSP;
Let server trust client certificate
Because it is two-way SSL authentication, the server must trust the client certificate, so The client certificate must be added as a trusted authentication for the server. Because you cannot directly import a certificate library in the PKCS12 format, you must first export the client certificate as a separate CER file, using the following command:
Keytool-export-alias mykey-keystore D:\HOME\MYKEY.P12 -storetype pkcs12-storepass password-rfc-file d:\home\mykey.cer
(MyKey for customization is consistent with client-defined MyKey, Password is the password you set). With the above command, the client certificate is exported to the "D:\home\mykey.cer" file.
The next step is to import the file to the server's certificate library and add it as a trusted certificate using the following command:
&NBSP;KEYTOOL-IMPORT-V-file D:\home\mykey.cer- KeyStore D:\home\tomcat.keystore
To view the server's certificate store through the List command, you can see two certificates, one server certificate and one trusted client certificate:
Keytool-list- KeyStore D:\home\tomcat.keystore (Tomcat sets the server-side certificate name for you).
- &NBSP;
Let the client trust the server certificate
Because it is two-way SSL authentication, the client also verifies the server certificate, so the server certificate must be added to the browse " Trusted Root Certification authorities. Because you cannot import a certificate library in the KeyStore format directly, you must first export the server certificate as a separate CER file, using the following command:
Keytool-keystore D:\home\tomcat.keystore-export- Alias Tomcat-file D:\home\tomcat.cer (Tomcat sets the server-side certificate name for you).
With the above command, the server certificate is exported to the "D:\home\tomcat.cer" file. Double-click the Tomcat.cer file, follow the prompts to install the certificate, and fill in the certificate to Trusted root certification authorities.
Configuring the Tomcat Server
Open the/conf/server.xml in the Tomcat root directory and locate the connector port= "8443" configuration section, as follows:
<connector port= "8443" protocol= "Org.apache.coyote.http11.Http11NioProtocol"
Sslenabled= "true" maxthreads= "scheme=" "https"
Secure= "true" Clientauth= "true" sslprotocol= "TLS"
Keystorefile= "D:\\home\\tomcat.keystore" keystorepass= "123456"
Truststorefile= "D:\\home\\tomcat.keystore" truststorepass= "123456"/>
(Tomcat to match the generated server-side certificate name)
Property Description:
ClientAuth: Set whether bidirectional authentication, default = False, set to True for bidirectional authentication
Keystorefile: Server certificate file path
Keystorepass: Server certificate Password
Truststorefile: The root certificate used to authenticate the client certificate, in this case the server certificate
Truststorepass: Root certificate Password
Test
In the browser input: https://localhost:8443/, will pop-up select the client certificate interface, click "OK", will enter the Tomcat homepage, the address bar will have a "lock" icon, indicating that the session has been authenticated through HTTPS two-way, The information transmitted during the next session is encrypted with SSL information.
Statement two:
First step: Generate a certificate for the server
1. Enter the%java_home%/bin directory
2. Use Keytool to generate a certificate for Tomcat, assuming that the target machine's domain name is "localhost", the KeyStore file is stored in "D:\tomcat.keystore", the password is "password", using the following command to generate:
Keytool-genkey-v-alias tomcat-keyalg rsa-keystore D:\tomcat.keystore-validity 36500
(A brief description of the parameter: "D:\home\tomcat.keystore" means to save the path to the certificate file, the certificate file name is Tomcat.keystore; "-validity 36500" means the certificate validity period, 36500 means 100 years, Default value is 90 days)
Fill in the necessary parameters at the command line:
A, enter the KeyStore password: Here you need to enter a string greater than 6 characters
B, "What is your first and last name?" "This is required and must be the domain name of the Tomcat deployment host or ip[, such as: Gbcom.com or 10.1.25.251] (which is the access address you will enter in the browser), or the browser will pop up a warning window prompting the user certificate to not match the domain in which it resides. When you are doing development testing locally, you should fill in "localhost"
C, "What is your organizational unit name?" "," What is your organization name? "," What is your city or region name? "," What is the name of your state or province? "," What is the two-letter country code for this unit? "Can be filled in as needed or can not fill in the direct return, the system asked" correct? , enter the letter "Y" with the keyboard if required, otherwise enter "n" to re-fill the information
D, enter <tomcat> master password, this is more important, will be used in the Tomcat configuration file, the recommended input and KeyStore password consistent, set other password can also
After completing the above input, the direct carriage return will find the resulting file in the location you defined in the second step
Step two: Generate a certificate for the client
Generate a certificate for your browser so that the server can verify it. In order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate:
Keytool-genkey-v-alias mykey-keyalg rsa-storetype pkcs12-keystore D:\mykey.p12
The corresponding certificate inventory is placed in "D:\MYKEY.P12", and the client's CN can be any value. Double-click the Mykey.p12 file to import the certificate into the browser (client).
Step three: Have the server trust the client certificate
Because it is a two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added as the server's trust authentication. Because you cannot directly import a certificate library in the PKCS12 format, you must first export the client certificate as a separate CER file, using the following command:
Keytool-export-alias mykey-keystore D:\mykey.p12-storetype pkcs12-storepass password-rfc-file D:\mykey.cer
With the above command, the client certificate is exported to the "D:\mykey.cer" file. The next step is to import the file into the certificate Library of the server and add it as a trust certificate:
Keytool-import-v-file D:\mykey.cer-keystore D:\tomcat.keystore
With the list command to view the server's certificate library, you can see two certificates, one server certificate and one trusted client certificate:
Keytool-list-keystore D:\tomcat.keystore
Fourth step: Let the client trust the server certificate
Because it is a two-way SSL authentication, the client also verifies the server certificate, so the server certificate must be added to the Browse Trusted root certification authorities. Because you cannot directly import a certificate library in the KeyStore format, you must first export the server certificate as a separate CER file, using the following command:
Keytool-keystore D:\tomcat.keystore-export-alias Tomcat-file D:\tomcat.cer
With the above command, the server certificate is exported to the "D:\tomcat.cer" file. Double-click the Tomcat.cer file, follow the prompts to install the certificate, and fill in the certificate to Trusted root certification authorities.
Fifth step: Configure the Tomcat server
Open the/conf/server.xml under the Tomcat root directory and locate the following configuration section, as follows:
<connector port= "8443" protocol= "Org.apache.coyote.http11.Http11NioProtocol"
Sslenabled= "true" maxthreads= "scheme=" "https"
Secure= "true" Clientauth= "true" sslprotocol= "TLS"
Keystorefile= "D:\\tomcat.keystore" keystorepass= "password"
Truststorefile= "D:\\tomcat.keystore" truststorepass= "password"/>
Property Description:
ClientAuth: Set whether bidirectional authentication, default = False, set to True for bidirectional authentication
Keystorefile: Server certificate file path
Keystorepass: Server certificate Password
Truststorefile: The root certificate used to authenticate the client certificate, in this case the server certificate
Truststorepass: Root certificate Password
Sixth step: Force HTTPS access
Add the following paragraph to the </welcome-file-list> in Tomcat\conf\web.xml:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>client Cert users-only area</realm-name>
</login-config>
<security-constraint>
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I use the method two did not make, save later (about the certificate in the path under the Mac this directly drag the file to the terminal automatically will be displayed (the default path is generated when the current terminal is located))
Apache Certificate Configuration