Configure https mutual authentication on the Tomcat server (use keytool to generate a certificate)

I. Principles of HTTPS

1. Introduction and relationship between HTTP, HTTPS, SSL, and TLS
(1) HTTP: a protocol used to browse webpages. Data transmitted over HTTP is unencrypted (plaintext). Therefore, it is extremely insecure to transmit private information over HTTP.
(2) HTTPS: to ensure encrypted transmission of private data, the SSL/TLS protocol is used to encrypt data transmitted over HTTP, that is, HTTPS.
(3) SSL: the SSL (Secure Sockets Layer) protocol is designed by Netscape and later defined by IETF in RFC 6101. The current version is 3.0.
(4) TLS: TLS can be said to be the secure version of SSL. This is because the IETF has upgraded SSL 3.0, which is defined in RFC 2246. In fact, our current HTTPS uses the TLS protocol.

2. TLS/SSL features

(1) HTTPS requires a handshake between the client (browser) and the server (website) before data transmission. During the handshake, the password information of the encrypted data transmitted by both parties is established.
(2) asymmetric encryption, symmetric encryption, and HASH algorithms are used in TLS/SSL.
The asymmetric encryption algorithm is used to encrypt the generated password during the handshake process. The symmetric encryption algorithm is used to encrypt the actually transmitted data, while the HASH algorithm is used to verify the data integrity.
(3) if any errors occur during the TLS handshake, the encrypted connection is disconnected, thus preventing the transmission of private information.

2. Two-way authentication step 1-certificate generation

The following shows how to use the Tomcat server for two-way authentication over HTTPS. Use keytool to generate a self-signed certificate.
(Note: If a real commercial system is used, we recommend that you use a certificate that is paid for by CA. Because if a self-signed certificate is used, the client verifies the server by throwing it to the user (the user decides whether to trust or not ))

1. Generate a server certificate

(1) open the command console and enter the % JAVA_HOME %/bin directory.

Cd "c: \ Program Files \ Java \ jre1.8.0 _ 60 \ bin"

(2) use keytool to generate a certificate for Tomcat

Keytool-genkey-v-alias tomcat-keyalg RSA-keystore G: \ tomcat. keystore-validity 36500

(Parameter description: "G: \ tomcat. keystore" indicates the path for saving the certificate file. The certificate file name is tomcat. keystore;
"-Validity 36500" indicates the validity period of the certificate. "36500" indicates April 1, 100. The default value is 90 days. "tomcat" indicates the custom certificate name)
Enter the keystore password: keystore password (assuming hangge is used)
What is your first name and last name? It must be the domain name or IP address of the TOMCAT deployment host [such as hangge.com or 10.1.25.119] (the access address you will enter in your browser in the future ), otherwise, a warning window is displayed, prompting that the user certificate does not match the domain. During local development and testing, enter "localhost ".
Enter the <tomcat> key password: press Enter.

2. Generate a client certificate
Generate a certificate for the browser so that the server can verify it. To smoothly import the certificate to IE and Firefox, the certificate format should be PKCS12. Therefore, use the following command to generate the certificate:
1
Keytool-genkey-v-alias mykey-keyalg RSA-storetype PKCS12-keystore G: \ mykey. p12
 
Assume that the client certificate password is "123456.

3. Let the server trust the client certificate
To trust the client certificate on the server, you must add the client certificate as the trust authentication on the server.
(1) because you cannot directly import a certificate Library in PKCS12 format, you must first export the client certificate as a separate CER file and use the following command:
(The client certificate password "123456" is used below ")

Keytool-export-alias mykey-keystore G: \ mykey. p12-storetype PKCS12-storepass 123456-rfc-file G: \ mykey. cer

(2) import the file to the certificate store on the server and add it as a trusted certificate. The command is as follows:

Keytool-import-v-file G: \ mykey. cer-keystore G: \ tomcat. keystore

(3) run the list command to view the server certificate Library. You can see two certificates: server certificate and trusted client certificate:

Keytool-list-keystore G: \ tomcat. keystore

Original article: Configuring https two-way authentication for Tomcat server (using keytool to generate a certificate)

4. Let the client trust the server certificate

Because it is a two-way SSL authentication, the client must also verify the server certificate. Export the server certificate to a separate CER file and provide it to the client. Run the following command:

Keytool-keystore G: \ tomcat. keystore-export-alias tomcat-file G: \ tomcat. cer

5. After the above operation, we generate the following certificate:

3. Two-way authentication step 2-certificate usage

1. Server tomcat configuration

Open/conf/server. xml in the Tomcat root directory, find Connector port = "8443", and modify it as follows:

<Connector port = "8443" protocol = "org. apache. coyote. http11.Http11NioProtocol"
SSLEnabled = "true" maxThreads = "150" scheme = "https"
Secure = "true" clientAuth = "true" sslProtocol = "TLS"
KeystoreFile = "G: \ tomcat. keystore" keystorePass = "hangge"
TruststoreFile = "G: \ tomcat. keystore" truststorePass = "hangge"/>

Attribute description:

ClientAuth: Sets whether to perform bidirectional verification. The default value is false. Setting this parameter to true indicates bidirectional verification.
KeystoreFile: Path of the server certificate file
KeystorePass: server certificate password
TruststoreFile: used to verify the root certificate of the client certificate. In this example, it is the server certificate.
TruststorePass: root certificate password

Test server:

Enter https: // localhost: 8443/in the browser (the following figure shows that tomcat https is enabled successfully. It does not matter if an invalid certificate is reported, because the certificate has not been imported on the client)

2. Import client certificates

(1) double-click "mykey. p12" to import the client certificate

Access the server using the browser again, and the browser will let us select the certificate to use.

 

However, because it is a self-signed certificate, the browser will warn us that it is not secure and choose to continue:

 

You can see that the access is successful (the address bar "certificate error" indicates that there is no two-way authentication yet, but the data is already transmitted over HTTPS ):

 

 

(2) import the server public key certificate (tomcat. cer)

Because it is a self-signed certificate, in order to avoid any security prompt every time. Double-click tomcat. cer to install the server certificate.

Note: Enter the certificate in "trusted root certificate authority"

 

When you access the server again, you will find that there is no unsafe prompt. At the same time, there is a "lock" icon in the address bar of the browser, indicating that the session has passed HTTPS two-way authentication.