Tomcat SSL Configuration

Source: Internet
Author: User
Tags: pkcs12, ssl, connection

Configuring two-way (mutual) SSL authentication in Tomcat raises a lot of questions, so here is a summary of how to set it up.

Tomcat SSL configuration

Edit the Tomcat configuration file server.xml, uncomment the SSL Connector element, and change it to the following:

    <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" keystoreFile="tomcat.keystore"
               keystorePass="tomcat" protocol="TLS"/>
    </Connector>

The keystoreFile path is tomcat.keystore under the Tomcat installation directory; it is a keystore generated with keytool:

    keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -validity 365 -keystore tomcat.keystore

keystoreFile holds the server certificate store, which the client uses to authenticate the server.

Common configuration attributes:
clientAuth
Set this to true if you want Tomcat to require every SSL client to present a client certificate in order to use this socket.
keystoreFile
Add this attribute if the keystore you created is not in the location Tomcat treats as the default (a file named .keystore in the home directory of the user running Tomcat). You can give an absolute path or a path relative to the $CATALINA_BASE environment variable.
keystorePass
Add this attribute if the keystore (and certificate) password differs from the one Tomcat expects by default.
keystoreType
Add this attribute if you use a PKCS12 keystore. Valid values are JKS and PKCS12.
sslProtocol
The encryption protocol the socket uses. With Sun's JVM, changing this value is not recommended. The TLS implementation of IBM's 1.4.1 JVM is reported to be incompatible with some popular browsers; in that case use SSL.
ciphers
A comma-separated list of the cipher suites this socket may use. By default any available cipher suite can be used.
algorithm
The X509 key-manager algorithm to use. The default is SunX509; IBM JVMs should use IbmX509. For other JVMs, consult the JVM documentation for the correct value.
truststoreFile
The truststore file used to verify client certificates.
truststorePass
The password used to open the truststore. It defaults to the value of keystorePass.
truststoreType
Add this attribute if the truststore format differs from that of the keystore in use. Valid values are JKS and PKCS12.

Open https://localhost:8443 to check the SSL connection.

----------------------------------------------------------------------------------------
The SSL connection described above is one-way authentication: the client authenticates the server. For two-way authentication, set the following on the Connector in server.xml:

    clientAuth="true"

The Java root certificate store is what the server uses to authenticate the client.
Certificate store location: $JAVA_HOME/jre/lib/security/cacerts, keystore password: changeit

Import the root certificate that issued the client's personal certificate into the server's certificate store so that the server can authenticate the client.
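As an added example (not part of the original post), the following Python script audits the connector settings described above in a server.xml: it flags clientAuth not set to true when mutual authentication is expected, a missing keystoreFile, the default keystorePass, a missing truststoreFile when client certificates are required, and an SSL rather than TLS protocol. The server.xml it parses is a constructed sample, and the audit rules are this example's own assumptions drawn from the attribute list above.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: a Tomcat 4 style SSL connector whose
# settings live on the <Factory> child, configured for one-way auth only.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" keystoreFile="tomcat.keystore"
               keystorePass="tomcat" protocol="TLS"/>
    </Connector>
    <Connector port="8080"/>
  </Service>
</Server>"""


def ssl_attrs(connector):
    """Merge Connector attributes with those of its <Factory> child.
    Tomcat 4 puts SSL settings on <Factory>; later versions put them on
    <Connector> directly, so both layouts are handled."""
    attrs = dict(connector.attrib)
    factory = connector.find("Factory")
    if factory is not None:
        attrs.update(factory.attrib)
    return attrs


def audit_server_xml(xml_text, mutual_tls_expected=True):
    """Return a list of findings for every secure="true" connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        a = ssl_attrs(conn)
        if a.get("secure", "false").lower() != "true":
            continue  # plain HTTP connector, no SSL settings to audit
        port = a.get("port", "?")
        client_auth = a.get("clientAuth", "false").lower() == "true"
        if mutual_tls_expected and not client_auth:
            findings.append(f"{port}: clientAuth is not true, clients are never asked for a certificate")
        if client_auth and "truststoreFile" not in a:
            findings.append(f"{port}: clientAuth=true without truststoreFile, JVM cacerts is used")
        if "keystoreFile" not in a:
            findings.append(f"{port}: keystoreFile missing, Tomcat falls back to ~/.keystore")
        if a.get("keystorePass", "changeit") == "changeit":
            findings.append(f"{port}: keystorePass is the default 'changeit'")
        # Tomcat 4 uses protocol= on <Factory>; later versions use sslProtocol=
        proto = a.get("sslProtocol", a.get("protocol", "TLS"))
        if proto.upper().startswith("SSL"):
            findings.append(f"{port}: protocol {proto} selects SSL, use TLS")
    return findings
```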

Server certificate generation:

    keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -validity 365 -keystore tomcat.keystore
    keytool -certreq -alias tomcat -file server.csr -keystore tomcat.keystore

The second command generates the certificate request file. Sign the request with the root certificate using OpenSSL, then import the signed certificate:

    keytool -import -trustcacerts -alias tomcat -file server.pem -keystore tomcat.keystore

Note: the -trustcacerts option makes keytool validate the imported certificate against the CA certificates in the system certificate store, so import the root certificate into cacerts first.

----------------------------------------------------------------------------------------
A problem I ran into when configuring SSL for Tomcat.
I used OpenSSL to create the CA certificate, the server certificate and the client certificate.
I imported the server certificate into the tomcat.keystore file with keytool and pointed the SSL configuration in server.xml at it (keystoreFile="tomcat.keystore"); during the SSL connection the client authenticates Tomcat using the server certificate in that keystore.
I imported the CA certificate into the $JAVA_HOME/jre/lib/security/cacerts keystore so that the server can verify the client certificate.
I installed the CA certificate and the client certificate (as a PKCS12 file containing the private key) in IE.
Connecting to https://localhost:8443 failed.

After some thought the cause became clear: when the client authenticates the server during the SSL handshake it verifies a signature made by the server, so tomcat.keystore must contain the server's private key. Importing only the server certificate is therefore not enough; the keystore entry must hold the server certificate together with its private key.
keytool cannot import a private key file directly. Instead, generate a self-signed key pair in the keystore, export a certificate request, have the CA sign it, and import the signed certificate back.
Importing the signed certificate back:

    keytool -import -trustcacerts -alias tomcat -file server.pem -keystore tomcat.keystore

Note: the -trustcacerts option makes keytool validate the imported certificate against the system certificate store, so first import the root certificate into the Java root certificate store $JAVA_HOME/jre/lib/security/cacerts.

----------------------------------------------------------------------------------------
Analysis of the two-way certificate authentication process when making an SSL connection from IE
Enter https://localhost:8443 in the address bar.
The client sends a Hello message to the server. The Tomcat server listening on port 8443 receives the Hello message for the SSL connection and replies with the server certificate and a client certificate request. When IE receives the server certificate, it reads the certificate's issuer field and compares it with the subject of each certificate in IE's trusted root certificate store to find the root certificate with which to verify the server certificate. The client then sends its own certificate to the server. On receiving it, Tomcat looks in the root certificate store cacerts for a root certificate whose subject matches the client certificate's issuer and uses it to verify the client certificate. Key negotiation completes as part of this authentication. Once authentication finishes, IE shows the "Security Alert" dialog, where you can inspect the server certificate, see whether it is trusted, and decide whether to continue the SSL connection.
