(HTTPS)-https principle and Tomcat configuration HTTPS method

Source: Internet
Author: User
Tags decrypt pkcs12 rfc asymmetric encryption

First, what is HTTPS

Before talking about HTTPS, say what is Http,http is a protocol that we use when browsing the web. The data transmitted by the HTTP protocol is unencrypted, which is plaintext, so it is very insecure to use the HTTP protocol to transmit private information. To ensure that these private data can be encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, which led to the birth of HTTPS. The current version of SSL is 3.0, defined by the IETF (Internet Engineering Task Force) in RFC 6101, and then the IETF is upgraded to SSL 3.0, so TLS (Transport Layer Security) 1.0, defined in RFC 2246. In fact, we now have HTTPS is the TLS protocol, but because SSL appears earlier, and is still supported by the browser now, so SSL is still synonymous with HTTPS, but whether it is TLS or SSL is the last century thing, The last version of SSL is 3.0, and TLS will inherit the good lineage of SSL and continue to encrypt the service for us. The current version of TLS is 1.2, defined in RFC 5246, and is not widely used for the time being.

Second, the working principle of HTTPS

HTTPS requires a handshake between the client (browser) and the server (Web site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, TLS/SSL using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:

1. The browser sends a set of encryption rules that it supports to the Web site.

2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the certificate.

3. After obtaining the website certificate, the browser will do the following tasks:

A) Verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to prompt.

b) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the certificate.

c) Use the agreed hash to calculate the handshake message, encrypt the message with the generated random number, and then send all previously generated information to the Web site.

4. After the Web site receives the data from the browser, do the following:

A) Use your own private key to decrypt the information to remove the password, use the password to decrypt the browser's handshake message, and verify that the hash is consistent with the browser.

b) Encrypt a handshake message with a password and send it to the browser.

5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption algorithm.

Here the browser and the Web site to send encrypted handshake message and verify, the purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a test. In addition, HTTPS generally uses the encryption and hashing algorithm as follows:

Asymmetric Encryption algorithm: RSA,DSA/DSS

Symmetric encryption algorithm: Aes,rc4,3des

Hash algorithm: md5,sha1,sha256

The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.

If there are any errors during the TLS handshake, the encrypted connection will be disconnected, thereby preventing the transfer of private information.

Tools/Materials
    • Configure HTTPS bidirectional authentication with the Tomcat server

Method/Step
  1. Generate a certificate for the server

    Run the console, enter the%java_home%/bin directory, and enter the directory using the following command:

    CD "C:\Program Files\java\jdk1.6.0_11\bin"

    Using Keytool to generate a certificate for Tomcat, assuming the domain name of the target machine is "localhost", the KeyStore file is stored in "D:\home\tomcat.keystore" and the password is "password", which is generated using the following command:

    Keytool-genkey-v-alias tomcat-keyalg rsa-keystore D:\home\tomcat.keystore-validity 36500 (parameter brief description: "D:\home\tomcat.ke Ystore "means to save the path of the certificate file, the certificate file name is Tomcat.keystore;"-validity 36500 "means the certificate validity period, 36500 means 100 years, the default is 90 days" Tomcat "for the custom certificate name).

    Fill in the necessary parameters at the command line:

    A, enter KeyStore password: Here you need to enter a string greater than 6 characters.

    B, "What is your first and last name?" "This is required and must be the domain name of the Tomcat deployment host or ip[, such as: Gbcom.com or 10.1.25.251] (which is the access address you will enter in the browser), or the browser will pop up a warning window prompting the user certificate to not match the domain in which it resides. When you do the development test locally, you should fill in "localhost".

    C, what is the name of your organizational unit? "," What is your organization name? "," What is your city or region name? "," What is the name of your state or province? "," What is the two-letter country code for this unit? "Can be filled in as needed or can not fill in the direct return, the system asked" correct? ", enter the letter" Y "with the keyboard if required, otherwise enter" n "to re-fill the information.

    D, enter <tomcat> master password, this is more important, will be used in the Tomcat configuration file, it is recommended to enter the same password as KeyStore, set other passwords can also, after completing the above input, the direct return to the location you defined in the second step to find the generated file.

  2. Generate certificates for clients

    Generate a certificate for your browser so that the server can verify it. In order to successfully import the certificate into IE and Firefox, the certificate format should be PKCS12, so use the following command to generate:

    Keytool-genkey-v-alias mykey-keyalg rsa-storetype pkcs12-keystore D:\home\mykey.p12 (MyKey Custom).

    The corresponding certificate inventory is placed in "D:\HOME\MYKEY.P12", and the client's CN can be any value. Double-click the Mykey.p12 file to import the certificate into the browser (client).

  3. Let the server trust the client certificate

    Because it is two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added as the server's trust authentication. Because you cannot directly import a certificate library in the PKCS12 format, you must first export the client certificate as a separate CER file, using the following command:

    Keytool-export-alias mykey-keystore D:\HOME\MYKEY.P12 -storetype pkcs12-storepass password-rfc-file d:\home\mykey.cer 

    (MyKey for customization is consistent with client-defined MyKey, Password is the password you set). With the above command, the client certificate is exported to the "D:\home\mykey.cer" file.

    The next step is to import the file to the server's certificate library and add it as a trusted certificate using the following command:

        &NBSP;KEYTOOL-IMPORT-V-file D:\home\mykey.cer- KeyStore D:\home\tomcat.keystore

    To view the server's certificate store through the List command, you can see two certificates, one server certificate and one trusted client certificate:

    Keytool-list- KeyStore D:\home\tomcat.keystore (Tomcat sets the server-side certificate name for you).

  4. Let the client trust the server certificate

    Because it is two-way SSL authentication, the client also verifies the server certificate, so the server certificate must be added to the browse " Trusted Root Certification authorities. Because you cannot import a certificate library in the KeyStore format directly, you must first export the server certificate as a separate CER file, using the following command:

    Keytool-keystore D:\home\tomcat.keystore-export- Alias Tomcat-file D:\home\tomcat.cer (Tomcat sets the server-side certificate name for you).

    With the above command, the server certificate is exported to the "D:\home\tomcat.cer" file. Double-click the Tomcat.cer file, follow the prompts to install the certificate, and fill in the certificate to Trusted root certification authorities.

  5. Configuring the Tomcat Server

    Open the/conf/server.xml in the Tomcat root directory and locate the connector port= "8443" configuration section, as follows:

    <connector port= "8443" protocol= "Org.apache.coyote.http11.Http11NioProtocol"

    Sslenabled= "true" maxthreads= "scheme=" "https"

    Secure= "true" Clientauth= "true" sslprotocol= "TLS"

    Keystorefile= "D:\\home\\tomcat.keystore" keystorepass= "123456"

    Truststorefile= "D:\\home\\tomcat.keystore" truststorepass= "123456"/>

    (Tomcat to match the generated server-side certificate name)

    Property Description:

    ClientAuth: Set whether bidirectional authentication, default = False, set to True for bidirectional authentication

    Keystorefile: Server certificate file path

    Keystorepass: Server certificate Password

    Truststorefile: The root certificate used to authenticate the client certificate, in this case the server certificate

    Truststorepass: Root certificate Password

  6. Test

    In the browser input: https://localhost:8443/, will pop-up select the client certificate interface, click "OK", will enter the Tomcat homepage, the address bar will have a "lock" icon, indicating that the session has been authenticated through HTTPS two-way, The information transmitted during the next session is encrypted with SSL information.


The native development test entered here is 123456789 here is just a one-way certificate

(HTTPS)-https principle and Tomcat configuration HTTPS method

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.