The SSL protocol sits between TCP/IP and the various application-layer protocols and provides security support for data communication. It is divided into two layers. The SSL Record Protocol runs on a reliable transport protocol (such as TCP) and provides encapsulation, compression, encryption and other basic functions for higher-level protocol data. The SSL Handshake Protocol runs on top of the record protocol and is used to authenticate the peers, negotiate cryptographic algorithms and exchange encryption keys before the actual data transfer begins.
It provides the following services:
1) authenticate users and servers, to ensure that data is sent to the correct client and server;
2) encrypt data, to prevent it from being intercepted in transit;
3) maintain the integrity of the data, to ensure it is not changed during transmission.
When configuring Portal for ArcGIS, SSL is required because the portal must be accessed over HTTPS and must communicate with ArcGIS Server.
OpenSSL is a powerful Secure Sockets Layer cryptographic library. It includes the main cryptographic algorithms, common key and certificate encapsulation and management functions, and the SSL protocols, and it provides a rich set of applications for testing and other purposes. The OpenSSL package as a whole can be divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library, and the applications.
The following is the general process of configuring SSL with OpenSSL.
1. Generate a key pair.
openssl genrsa -des3 -out myserver.key 2048
2. Generate a certificate signing request.
openssl req -new -key myserver.key -out myserver.csr -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Esri/OU=IT/CN=www.seanpc.com"
Note: CN is the server domain name. The attribute names (C, ST, L, O, OU, CN) must be written in upper case; OpenSSL skips attributes it does not recognise.
3. Sign the certificate.
openssl req -x509 -sha256 -days 3650 -key myserver.key -in myserver.csr -out myserver.crt
4. Test the certificate.
openssl x509 -noout -text -in myserver.crt
6. Export the certificate in PKCS#12 format. This format can be imported into IIS.
openssl pkcs12 -export -inkey myserver.key -in myserver.crt -name "www.seanpc.com" -out myserver.pfx
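The OpenSSL steps above carried through as a non-interactive script, followed by the checks worth running before the bundle is imported (an added example, not part of the original post). It assumes the hostname www.seanpc.com from the post, an output directory ./tls-demo and a constructed passphrase; the subjectAltName extension is an addition, since browsers match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example (not from the original post): runs the key / CSR / certificate / PKCS#12
# steps above non-interactively, then checks the results before they go into Tomcat or IIS.
# Assumptions: hostname www.seanpc.com (from the post), output dir ./tls-demo,
# and a constructed passphrase "changeit"; -passin/-passout replace the interactive prompts.
set -eu

HOST="www.seanpc.com"
WORKDIR="${WORKDIR:-./tls-demo}"
PASS="changeit"

make_cert() {
  mkdir -p "$WORKDIR"
  # 1. RSA key pair, DES3-protected as in the post
  openssl genrsa -des3 -passout "pass:$PASS" -out "$WORKDIR/myserver.key" 2048
  # 2. CSR; attribute names must be upper case (C, ST, L, O, OU, CN) or OpenSSL skips them
  openssl req -new -key "$WORKDIR/myserver.key" -passin "pass:$PASS" \
    -out "$WORKDIR/myserver.csr" \
    -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Esri/OU=IT/CN=$HOST"
  # 3. Self-signed certificate; the SAN is added because browsers match the host on SAN, not CN
  openssl req -x509 -sha256 -days 3650 -key "$WORKDIR/myserver.key" -passin "pass:$PASS" \
    -in "$WORKDIR/myserver.csr" -out "$WORKDIR/myserver.crt" \
    -addext "subjectAltName=DNS:$HOST"
  # 4. PKCS#12 bundle; the export password is what goes into Tomcat's keystorePass
  openssl pkcs12 -export -inkey "$WORKDIR/myserver.key" -passin "pass:$PASS" \
    -in "$WORKDIR/myserver.crt" -name "$HOST" \
    -out "$WORKDIR/myserver.pfx" -passout "pass:$PASS"
}

# Returns 0 only if the key belongs to the certificate, the certificate is valid for
# $HOST, and the PKCS#12 bundle opens with the expected password (its MAC verifies).
verify_cert() {
  key_mod=$(openssl rsa -in "$WORKDIR/myserver.key" -passin "pass:$PASS" -noout -modulus)
  crt_mod=$(openssl x509 -in "$WORKDIR/myserver.crt" -noout -modulus)
  if [ "$key_mod" != "$crt_mod" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi
  if ! openssl x509 -in "$WORKDIR/myserver.crt" -noout -checkhost "$HOST" | grep -q " does match "; then
    echo "certificate is not valid for $HOST" >&2; return 1
  fi
  if ! openssl pkcs12 -in "$WORKDIR/myserver.pfx" -passin "pass:$PASS" -noout 2>/dev/null; then
    echo "PKCS#12 bundle cannot be opened with the expected password" >&2; return 1
  fi
  echo "key, certificate and PKCS#12 bundle are consistent for $HOST"
}

make_cert >/dev/null 2>&1
verify_cert
```

A key/certificate mismatch or a wrong keystore password is what Tomcat otherwise reports only as a failed connector start, so these checks are cheaper to run here than in catalina.out.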
7. Import into the Tomcat or IIS server to enable HTTPS.
For an IIS server, double-click myserver.pfx to start the import wizard.
For a Tomcat server, modify the server.xml configuration file as follows.
Using the JSSE implementation:
<!-- Define a HTTP/1.1 Connector on port 8443, JSSE NIO implementation -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" .../>

<!-- Define a HTTP/1.1 Connector on port 8443, JSSE BIO implementation -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" .../>

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
Using the APR (OpenSSL engine) implementation:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- Define a HTTP/1.1 Connector on port 8443, APR implementation -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" .../>

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreType="PKCS12" keystoreFile="C:\apache-tomcat-7.0.47\myServer.pfx" keystorePass="esrichina"/>
Note: this connector still enables TLSv1 and TLSv1.1, both of which are now deprecated; on a current deployment, limit sslEnabledProtocols to TLSv1.2.
How to configure the HTTPS certificate correctly when installing Portal for ArcGIS