Configure Tomcat 4 to use ssl--3


Configure Tomcat 4 to use SSL
-----------------------
Contents:

1. Introduction to Tomcat
2. Introduction to SSL (Secure Sockets Layer)
3. How SSL works
4. Configure Tomcat 4.x to use SSL
5. Conclusion

Zhaoliang (b-i-d@163.com) May 2002

Zhaoliang graduated from Beihang University in 1995. He is interested in technologies such as Java EE, J2ME, CORBA and Web services. His current work is the development, with Java technology, of supply-chain and sales-chain ERP software for distribution enterprises. You can contact the author by e-mail at b-i-d@163.com.
----------------------

There is currently plenty of material on configuring Tomcat 4 for one-way SSL authentication (the client verifies only the server certificate), and that process is relatively simple. Two-way SSL authentication (where the server also verifies the client's personal certificate) additionally requires obtaining a personal certificate from the CA, on top of having the server certificate signed by the CA, and there is little material on how to do this together with a specific Web server. The author implemented a simple CA locally with some SSL tools and, on that basis, configured Tomcat two-way authentication successfully; this article shares that experience. Limited by my own level, the article will inevitably contain errors and imprecisions, for which I ask your forgiveness.
1. Introduction to Tomcat
Tomcat is one of the Jakarta projects of Apache and, as an excellent open source Web application server, fully supports the JSP 1.2 and Servlet 2.3 specifications. Because of its advanced technology, stable performance and free availability, it is loved by Java enthusiasts and recognized by a part of the software development community, and it is currently one of the more popular Web application servers.

2. Introduction to SSL (Secure Sockets Layer)
Information sent over the network passes through other computers on its way from the source host to the destination host. Normally these intermediate computers do not listen to the information passing through them, but when online banking or credit card transactions are involved the traffic may well be monitored, leading to the disclosure of personal privacy. Because of the way the Internet and intranets are built, there will always be people who can read and replace the information a user sends. With the continuous growth of online payment, people's demand for information security keeps rising. Netscape therefore introduced the SSL protocol, designed to deliver information securely over open networks (the Internet), and it has been widely used on the Web. The IETF (ietf.org) then standardized SSL as RFC 2246 under the name TLS (Transport Layer Security); technically, TLS 1.0 differs very little from SSL 3.0.

3. How SSL works
The SSL protocol uses asymmetric (public-key) encryption to achieve secure transmission of information between two parties. It provides confidentiality and integrity for the transmitted information, and allows both parties to a conversation to verify each other's identity. Unlike the commonly used HTTP protocol, the HTTPS protocol is used when establishing an SSL secure connection with a Web site, which is then accessed as https://ip:port/. When an HTTPS connection to a Web site is established, the browser and the Web server go through a handshake process that completes authentication and key exchange and establishes the secure connection. The specific process is as follows:

1. The user's browser sends its SSL version number, cipher settings, session-related data and other necessary information to the server.
2. The server sends its SSL version number, cipher settings, session-related data and other necessary information to the browser, together with the server's certificate. If the server's SSL is configured to authenticate the user, it also sends a request asking the browser to provide a user certificate.
3. The client checks the server certificate; if the check fails, the user is prompted and no SSL connection is established. If it succeeds, the client browser generates a pre-master secret for this session, encrypts it with the server's public key and sends it to the server. If the server asked for client authentication, the client also signs some additional data and sends it to the server together with the client certificate.
4. If the server asked for client authentication, it checks whether the CA that signed the client certificate is trusted; if that CA is not in the trust list, the session is ended. If the check passes, the server decrypts the received pre-master secret with its own private key and uses it, through a defined algorithm, to generate the master secret for this session.
5. Both the client and the server use this master secret to generate the session key (a symmetric key) for this session. This session key is used for every message exchanged after the SSL handshake has completed. The main reason is that symmetric encryption is an order of magnitude cheaper than asymmetric encryption, which greatly increases the speed of the session for both sides.
6. The client notifies the server that the messages it sends from now on are encrypted with this session key, and that the client has completed this SSL handshake.
7. The server notifies the client that the messages it sends from now on are encrypted with this session key, and that the server has completed this SSL handshake.
8. The handshake is over and the session is established. Both parties use the same session key to encrypt and decrypt the information they send and receive.
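To make the key-derivation part of steps 4 and 5 concrete, here is an added example (not from the original article) that implements the pseudo-random function of RFC 2246 (TLS 1.0, the standard the article cites) using only the Python standard library. It turns the pre-master secret and the two hello randoms into the 48-byte master secret and then expands that into the symmetric session keys of step 5. The RSA encryption of the pre-master secret in step 3 is not modelled: the example assumes the pre-master secret has already been delivered to the server, and all random values in it are constructed sample data.

```python
import hmac
import os

# RFC 2246 section 5:
#   P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
#   where A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)).
def p_hash(hash_name, secret, seed, length):
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()           # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

# RFC 2246 PRF: the secret is split into two halves (sharing the middle byte when
# its length is odd); P_MD5 runs over the first half, P_SHA-1 over the second,
# and the two output streams are XORed together.
def prf(secret, label, seed, length):
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))

def master_secret(pre_master, client_random, server_random):
    """Step 4: master_secret = PRF(pre_master, "master secret", client_random + server_random)[0:48]."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, length):
    """Step 5: key_block = PRF(master, "key expansion", server_random + client_random).
    Note that the randoms are concatenated in the opposite order to master_secret()."""
    return prf(master, b"key expansion", server_random + client_random, length)

def split_key_block(block, mac_len, key_len, iv_len):
    """Partition the key block into the six per-direction session secrets in RFC 2246 order."""
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys

def simulate_key_derivation(client_random, server_random, pre_master):
    """Run the derivation on the 'client' and on the 'server' side and return both
    results, so that the caller can confirm they agree. Transport of pre_master under
    the server's RSA public key (step 3) is assumed to have happened already."""
    # A TLS 1.0 pre-master secret is 48 bytes; its first two bytes carry the client's
    # offered protocol version (3, 1 for TLS 1.0), which the server must check.
    if len(pre_master) != 48 or pre_master[:2] != b"\x03\x01":
        raise ValueError("pre-master secret must be 48 bytes and start with version 3.1")
    # Lengths for TLS_RSA_WITH_AES_128_CBC_SHA: SHA-1 MAC (20), 16-byte key, 16-byte IV.
    mac_len, key_len, iv_len = 20, 16, 16
    results = {}
    for side in ("client", "server"):
        master = master_secret(pre_master, client_random, server_random)
        block = key_block(master, client_random, server_random,
                          2 * (mac_len + key_len + iv_len))
        results[side] = {"master_secret": master,
                         "session_keys": split_key_block(block, mac_len, key_len, iv_len)}
    return results

if __name__ == "__main__":
    # Constructed sample values; a real implementation draws all three from a CSPRNG.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    pre_master = b"\x03\x01" + os.urandom(46)
    r = simulate_key_derivation(client_random, server_random, pre_master)
    assert r["client"] == r["server"]
    print("master secret:", r["client"]["master_secret"].hex())
    for name, value in r["client"]["session_keys"].items():
        print(f"{name:24s} {value.hex()}")
```

The point to take from the run is that the 48-byte pre-master secret is the only value ever protected by the server's public key; everything the record layer uses afterwards (six distinct keys, one per direction for MAC, encryption and IV) is derived from it with a cheap hash-based PRF, which is exactly why step 5 can switch to symmetric cryptography.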

4. Configure Tomcat 4.x to use SSL

4.1 Packages used


Tomcat 4.0.2
Purpose: Web server.
Download: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/bin/

JSSE 1.0.2
Purpose: used to produce the key pair (KeyStore) for Tomcat.
Download: http://java.sun.com/products/jsse/

OpenSSL 0.9.9.6
Purpose: used to generate the CA certificate, sign certificates, and produce private keys in the PKCS#12 format that IE can import.
Download: http://www.openssl.org/

For the installation of the above tools, refer to their own documentation; it is not described in detail in this article.

4.2 Establish your own CA

4.2.1 Create the working directory
mkdir ca

4.2.2 Generate the CA private key and self-signed root certificate
4.2.2.1 Generate the CA private key
openssl genrsa -out ca/ca-key.pem 1024

4.2.2.2 Generate the certificate signing request
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem

4.2.2.3 Self-sign with the CA private key
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365

4.3 Set up Tomcat 4.x
In this article, "%jdk_home%" stands for the JDK installation directory and "%tcat_home%" for the Tomcat installation directory.

4.3.1 Create the working directory
mkdir server

4.3.2 Generate the server-side certificate
4.3.2.1 Generate the key pair
%jdk_home%/bin/keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "CN=localhost, OU=department, O=company, L=beijing, ST=beijing, C=CN" -keystore server/server_keystore

4.3.2.2 Generate the certificate signing request
%jdk_home%/bin/keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server/server.csr -keypass changeit -keystore server/server_keystore -storepass changeit

4.3.2.3 Sign with the CA private key
openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -days 365
Note: at this point you may be prompted: ca/ca-cert.srl: no such file or directory
Workaround: copy apps/ca-cert.srl from the OpenSSL installation directory to the ca directory (alternatively, add -CAcreateserial, as in step 4.4.2.3, and OpenSSL creates the serial-number file itself).

4.3.2.4 Import the trusted CA root certificate into the JSSE default location (%jdk_home%/jre/lib/security/cacerts)
%jdk_home%/bin/keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca/ca-cert.pem -keystore %jdk_home%/jre/lib/security/cacerts

4.3.2.5 Import the CA-signed server-side certificate into the KeyStore
%jdk_home%/bin/keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server/server-cert.pem -keystore server/server_keystore

Note: you may be prompted: keytool error: java.lang.Exception: Unable to create a link from the reply
Workaround: delete the old CA root certificate and import it again:
1) keytool -delete -alias my_ca_root -keystore %jdk_home%/jre/lib/security/cacerts
2) Add the new CA root certificate: repeat 4.3.2.4
3) Repeat 4.3.2.5

4.3.2.6 View the server-side certificates
keytool -list -keystore %jdk_home%/jre/lib/security/cacerts
keytool -list -keystore server/server_keystore

4.3.3 Modify server.xml so that Tomcat supports SSL
First find the following section in %tcat_home%/conf/server.xml and remove the comment markers around it. Then change the attribute values so that they match your setup (in particular keystoreFile and keystorePass). If Tomcat should not authenticate the client, set clientAuth="false".

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="%tcat_home%/conf/server_keystore" keystorePass="changeit"
  />
</Connector>

Then copy the file server/server_keystore to the directory %tcat_home%/conf/.
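As an added example that is not part of the original article, the following Python script (standard library only) audits a Tomcat 4 server.xml for the connector settings just described and switches clientAuth on for every SSL factory. The embedded server.xml fragment is constructed for the example after the connector above; the keystoreFile path in it is a placeholder, and the checks it performs (scheme, secure, protocol, clientAuth, keystoreFile, keystorePass) are the ones this section's configuration depends on.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the Tomcat 4 SSL connector in this
# section. The keystoreFile value is a placeholder path, not a real installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="60000"/>
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="/path/to/tomcat/conf/server_keystore"
               keystorePass="changeit"/>
    </Connector>
  </Service>
</Server>
"""

def ssl_connectors(root):
    """Yield (Connector, Factory) pairs for every connector that carries an SSL factory."""
    for conn in root.iter("Connector"):
        factory = conn.find("Factory")
        if factory is not None and factory.get("className", "").endswith("SSLServerSocketFactory"):
            yield conn, factory

def audit_ssl_connectors(xml_text):
    """Return a list of findings where an SSL connector deviates from the two-way
    SSL configuration set up in this section. An empty list means no finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn, factory in ssl_connectors(root):
        where = f"connector on port {conn.get('port')}"
        if conn.get("scheme") != "https":
            findings.append(f"{where}: scheme is not https")
        if conn.get("secure", "false").lower() != "true":
            findings.append(f"{where}: secure is not true")
        if factory.get("protocol") != "TLS":
            findings.append(f"{where}: protocol is not TLS")
        if factory.get("clientAuth", "false").lower() != "true":
            findings.append(f"{where}: clientAuth is not true, so client certificates are never requested")
        if "keystoreFile" not in factory.attrib:
            findings.append(f"{where}: keystoreFile is missing")
        if factory.get("keystorePass", "changeit") == "changeit":
            findings.append(f"{where}: keystorePass is the well-known default 'changeit'")
    return findings

def set_client_auth(xml_text, required):
    """Return the server.xml text with clientAuth set on every SSL factory."""
    root = ET.fromstring(xml_text)
    for _conn, factory in ssl_connectors(root):
        factory.set("clientAuth", "true" if required else "false")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print("before:", finding)
    fixed = set_client_auth(SAMPLE_SERVER_XML, required=True)
    for finding in audit_ssl_connectors(fixed):
        print("after: ", finding)
```

Run against the sample, the audit reports two findings (clientAuth off and the default keystore password); after set_client_auth() only the password finding remains, which is the reminder that the changeit value used throughout this article is fine for a walkthrough but should be replaced on a real server, since anyone who can read server.xml can then also open the keystore.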

4.4 Installing the personal certificate in IE
4.4.1 Create the working directory
mkdir client

4.4.2 Generate the client private key and sign it with the CA private key

4.4.2.1 Generate the client private key
openssl genrsa -out client/client-key.pem 1024

4.4.2.2 Generate the certificate signing request
openssl req -new -out client/client-req.csr -key client/client-key.pem

4.4.2.3 Sign with the CA private key
openssl x509 -req -in client/client-req.csr -out client/client.crt -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365

4.4.2.4 Generate the client-side personal certificate
Because JSSE 1.0.2 does not fully implement the PKCS#12 file format (it can read it but not write it), OpenSSL must be used to produce the client-side personal certificate (which includes the private key).
openssl pkcs12 -export -clcerts -in client/client.crt -inkey client/client-key.pem -out client/client.p12

4.4.2.5 Install the trusted root certificate
Rename ca/ca-cert.pem to ca/ca-cert.cer and use Tools > Internet Options > Content > Certificates > Import in IE on the client side to import the CA root certificate generated above as a CA the user trusts. (Only the certificate is imported; the CA private key ca/ca-key.pem stays on the CA machine.)

4.4.3 Install the personal certificate
Import client/client.p12 into IE on the client side as a personal certificate; the import process is the same as in 4.4.2.5.

4.5 Accessing Tomcat from IE over SSL

4.5.1 Start Tomcat 4.x
Run %tcat_home%/bin/startup.bat to start Tomcat 4.x.

4.5.2 Access Tomcat 4.x with IE
Enter https://localhost:8443 in the IE address bar. If all the previous steps were carried out correctly, the Tomcat welcome page appears and the small padlock in the status bar is closed, indicating that an SSL secure connection requiring client authentication has been successfully established with the server.

5. Conclusion
Above we have gone through the whole process of configuring SSL with client authentication for Tomcat 4.x. For other servers, such as Apache, Netscape Enterprise Server, WebSphere and WebLogic, generally only the way certificates are stored on the server side differs slightly; the principle is the same, and the configuration can be adapted from the method described in this article.

Original Address http://www.dedecms.com/web-art/fuwuqi/20060913/26244.html
