Configure Tomcat 4 to use SSL-3

Configure Tomcat 4 to use SSL
-----------------------
Content:

1. Tomcat Introduction
2. Introduction to SSL (server socket layer)
3. How SSL works
4. Configure Tomcat 4.x to use SSL
5. Conclusion

Zhao Liang (b-i-d@163.com) May 2002

Zhao Liang graduated from Beijing University of Aeronautics and Astronautics in 1995. I am more interested in technologies such as J2EE, J2EE, and CORBA and Web Service. At present, the main work is to use J2EE technology to develop supply chain/sales chain ERP for distribution enterprises. You can contact the author via email b-i-d@163.com.
----------------------

This document describes how to configure Tomcat 4 to use one-way SSL authentication (only verify the server certificate. However, because it is configured to use two-way SSL authentication (also need to verify the client's personal certificate), in addition to the need for Ca to sign the certificate, but also to obtain a personal certificate from the CA. At present, there is very little information about how to operate on a specific web server. I have developed some SSL tools to implement simple ca functions locally, and configured two-way authentication for Tomcat on this basis. I hope to share some of my experiences with you. However, due to my own level, there will inevitably be errors and mistakes in this article. Thank you for your understanding.
1. Tomcat Introduction
Tomcat is a sub-project of Apache Jakarta. As an excellent open-source Web application server, it fully supports jsp1.2 and servlet2.3 specifications. Because of its advanced technology, stable performance, and free of charge, it is favored by Java enthusiasts and recognized by some software developers and has become a popular Web application server.

2. Introduction to SSL (server socket layer)
Information on the network passes through other computers during source-host transmission. Generally, the intermediate computer does not listen for information passing. However, when using an online bank or making a credit card transaction, it may be monitored, resulting in leakage of personal privacy. Due to the Internet and Intranet architecture, some people can read and replace the information sent by users. With the development of online payment, people have higher and higher requirements on information security. Therefore, Netscape proposed the SSL protocol to securely and securely transmit information over an open network (Internet). This protocol has been widely used on the web. Later, ietf.org standardized SSL, namely rfc2246, and called it Transport Layer Security (TLS). Technically, the difference between tls1.0 and SSL3.0 is very small.

3. How SSL works
The SSL protocol uses asymmetric encryption technology to securely transmit information between the two parties. Information Transmission is confidential and complete, and both parties can identify the other party. Different from the common HTTP protocol, we use the HTTPS protocol when establishing an SSL secure connection with the website, that is, access through https: // ip: Port. When we establish an HTTPS connection with a website, we need to shake hands between our browser and the Web server to complete identity authentication and key exchange, so as to establish a secure connection. The specific process is as follows:

Your browser sends the SSL version number, encryption parameters, session-related data, and other necessary information to the server.
The server sends the SSL version number, encryption parameters, session-related data, and other necessary information to the browser, and also sends the server certificate to the browser. If the SSL of the configuration server needs to verify the user identity, you must also send a request asking the browser to provide the user certificate.
The client checks the server certificate. If the check fails, it prompts that an SSL connection cannot be established. If yes, continue. The client browser generates a pre-master secret for this session and sends it to the server after encrypting it with the server public key. If the server requires customer identification, the client must sign other data and send it together with the client certificate to the server.
If the server requires customer identification, check whether the CA that signs the customer certificate is trusted. If the session is not in the Trust List, end the session. If the check succeeds, the server uses its own private key to decrypt the received pre-master secret and uses it to generate the master secret for this session through some algorithms.
Both the client and server use this master secret to generate the session key (symmetric key) for this session ). This session key is used to send any messages after the SSL handshake ends. The main reason for doing so is that symmetric encryption is more than an order of magnitude less computation than asymmetric encryption, which can significantly increase the computing speed of both parties' sessions.
The client notifies the server that all subsequent messages are encrypted using this session key. And notifies the Server client that the SSL handshake has been completed.
The server notifies the client that all subsequent messages are encrypted using this session key. The client server is notified that the SSL handshake has been completed.
The handshake process ends and the session has been established. Both parties use the same session key to encrypt and decrypt the sent and received information respectively.

4. Configure Tomcat 4.x to use SSL

4.1 software packages used

Tomcat 4.0.2
Purpose: Web server.
Download: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/bin/
JSSE 1.0, 2
Purpose: generate the key pair used by tocmcat ).
Download: http://java.sun.com/products/jsse/
OpenSSL 0.9.6
Purpose: generate the CA certificate, signature, and generate the private key in PKCS #12 format that can be imported by IE.
Download: http://www.openssl.org/
For the installation process of the above tools, refer to the built-in help. This article will not detail the installation process.

4.2 create your own ca

4.2.1 create a working directory
Mkdir ca

4.2.2 generate the CA private key and self-Signed root certificate
4.2.2.1 generate the CA private key
OpenSSL genrsa-out Ca/ca-key.pem 1024

4.2.2.2 generate the certificate to be signed
OpenSSL req-New-out Ca/ca-req.csr-key Ca/ca-key.pem

4.2.2.3 use the CA private key for self-Signature
OpenSSL X509-req-in Ca/ca-req.csr-out Ca/ca-cert.pem-signkey Ca/ca-key.pem-days 365

4.3 set Tomcat 4.x
In this article, the "% jdk_home %" symbol is used to indicate the JDK installation location. The "% tcat_home %" symbol is used to indicate the tomcat installation location.

4.3.1 create a working directory
Mkdir Server

4.3.2 generate a server certificate
4.3.2.1 generate keypair
% Jdk_home %/bin/keytool-genkey-alias tomcat_server-validity 365-keyalg RSA-keysize 1024-keypass changeit-storepass changeit-dname "cn = localhost, ou = Department, O = company, L = Beijing, St = Beijing, c = cn "-keystore server/server_keystore

4.3.2.2 generate the certificate to be signed
% Jdk_home %/bin/keytool-certreq-alias tomcat_server-sigalg md5withrsa-File Server/server. CSR-keypass changeit-keystore server/server_keystore-storepass changeit

4.3.2.3 use the CA private key for signature
OpenSSL X509-req-in server/server. CSR-out server/server-cert.pem-ca/ca-cert.pem-Cakey Ca/ca-key.pem-days 365
Note: The prompt Ca/ca-cert.srl: no such file or directory may appear
Solution: copy the apps/ca-cert.srl under the OpenSSL installation directory to the CA directory;

4.3.2.4 import the trusted CA root certificate to the default JSSE location (% jdk_root %/JRE/security/cacerts)
% Jdk_home %/bin/keytool-import-v-trustcacerts-storepass changeit-alias my_ca_root-file ca/ca-cert.pem-keystore % jdk_home %/JRE/lib/security/cacerts

4.3.2.5 import the server certificate signed by the CA to the keystore
% Jdk_home %/bin/keytool-import-v-trustcacerts-storepass changeit-alias tomcat_server-File Server/server-cert.pem-keystore server/server_keystore

Note: The keytool error: Java. Lang. exception: the connection cannot be established from the reply.
Solution: Delete the old CA root certificate.
1) keytool-delete-alias my_ca_root-keystore % jdk_home %/JRE/lib/security/cacerts
2) Add a new CA root certificate
Duplicate 4.3.2.4
3) Duplicate 4.3.2.5

4.3.2.6 view the server certificate
Keytool-list-keystore % jdk_home %/JRE/lib/security/cacerts
Keytool-list-keystore server/server_keystore

4.3.3 modify server. XML to make Tomcat support SSL
First, find the following content and remove the comment. Then, modify the settings by referring to the red section. If Tomcat is configured to not authenticate the customer identity, you can set

Clientauth = "false ".
<Connector classname = "org. Apache. Catalina. connector. http. httpconnector"
Port = "8443" minprocessors = "5" maxprocessors = "75"
Enablelookups = "true"
Acceptcount = "10" DEBUG = "0" Scheme = "HTTPS" secure = "true">
<Factory classname = "org.apache.catalina.net. sslserversocketfactory"
Clientauth = "true" protocol = "TLS"
Keystorefile = "% tcat_home %/CONF/server_keystore" keystorepass = "changeit"
/>

Then copy the file server/server_keystore to the directory % tcat_home %/CONF.

4.4 install a personal certificate in IE
4.4.1 create a working directory
Mkdir Client

4.4.2 generate the client private key and sign it with the CA private key

4.4.2.1 generate the Client Private Key
OpenSSL genrsa-out client/client-key.pem 1024

4.4.2.2 generate the certificate to be signed
OpenSSL req-New-out client/client-req.csr-Key Client/client-key.pem

4.4.2.3 use the CA private key for signature
OpenSSL X509-req-in client/client-req.csr-out client/client. CRT-signkey client/client-key.pem

-Ca/ca-cert.pem-Cakey Ca/ca-key.pem-cacreateserial-days 365

4.4.2.4 generate a client-side personal certificate
Jsse1.0.2 does not fully implement operations on files in PKCS #12 format (only read, not output). Therefore, you need to use OpenSSL to create a client-side certificate (including the private key ).
OpenSSL PKCS12-export-clcerts-in client/client. CRT-inkey client/client-key.pem-out client/client. p12

4.4.2.5 install a trusted root certificate
Rename Ca/ca-key.pem to Ca/ca-key.cer, and use "tool 'Internet options' content 'certificate' import" in client IE to import the CA root certificate we generated, make it a trusted ca.

4.4.3 install a personal certificate
Import client. p12 to IE on the client as a personal certificate. The import process is the same as 4.4.2.5.

4.5 Use SSL protocol to access tomcat in IE browser

4.5.1 start Tomcat 4.x
Run % tcat_home %/bin/startup. BAT to start Tomcat 4.x.

4.5.2 use IE to access Tomcat 4.x
Enter https: // localhost: 8443 in the address bar of the IE browser. If the previous operations are correct, you can see the welcome page of Tomcat. The lock on the status bar is closed, indicating that you have successfully established an SSL secure connection with the server that requires client verification.

5 conclusion
We have implemented the entire SSL process for Tomcat 4.x configuration that requires client verification. For other types of servers, such as Apache, Netscape Enterprise Server, websphere, and WebLogic, the methods for saving certificates on the server are generally slightly different, but their principles are similar, you can make corresponding adjustments based on the methods described in this article.

 

Original address http://www.dedecms.com/web-art/fuwuqi/20060913/26244.html