HTTPS/SSL configuration steps and principle notes

Source: Internet
Author: User

  1. Preface

    1. With one-way authentication the transmitted data is encrypted, but the identity of the client is not verified.

    2. With two-way authentication, a client browser that has not imported a client certificate cannot access the web system at all (the address cannot be reached), so anyone who wants to use the system without a certificate is locked out.

  2. HTTPS Concepts

    1) Introduction

    HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; put simply, it is the secure version of HTTP. An SSL layer is added beneath HTTP, so the security of HTTPS rests on SSL, and the details of the encryption belong to SSL. The system was originally developed by Netscape and provides authenticated and encrypted communication; it is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments.

    2) Differences between HTTPS and HTTP

    A. HTTPS requires a certificate to be applied for from a CA; free certificates are few, and a certificate generally costs money.

    B. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is an SSL-encrypted transport protocol and is therefore secure.

    C. HTTP and HTTPS use completely different connection methods and different default ports: 80 for the former, 443 for the latter.

    D. An HTTP connection is simple and stateless; HTTPS is the network protocol built from SSL plus HTTP for encrypted transmission and authentication, and is more secure than HTTP.

    3) The role of HTTPS

    Its role falls into two parts: establishing a secure channel that protects the data in transit, and confirming the authenticity of the website.

    A. HTTPS in the usual sense means that the server holds a certificate. Its main purpose is to ensure that the server is the one it claims to be (this is point 1 above), and all communication between the server and the client is encrypted.

    B. Specifically, the client generates a symmetric key and exchanges it with the server by way of the server's certificate; this is the handshake in the usual sense.

    C. All subsequent information is encrypted. Even if a third party intercepts it, it is meaningless to them because they do not have the key, and tampering with it is equally pointless.

    D. In a small number of cases with client-side requirements, the client must also have a certificate.

    The client certificate here is in effect like personal identity information: besides the user name/password there is a CA-authenticated identity. Because a personal certificate generally cannot be imitated by others, this gives a deeper confirmation of identity. Currently a small number of personal online banking "Professional Edition" products work this way; the certificate may be carried on a USB key (U-Shield) as its carrier.

  3. About SSL

    1) Introduction

    SSL (Secure Socket Layer) was developed by Netscape to secure data transmission over the Internet; it uses encryption to ensure that data is not intercepted or eavesdropped on while travelling over the network. It is widely used for authentication and encrypted data transfer between Web browsers and servers. The SSL protocol sits between the TCP/IP protocol and the various application layer protocols, providing security support for data communication.

    2) Services provided by SSL

    A. Authenticating users and servers, ensuring that data is sent to the correct client and server.

    B. Encrypting data, preventing it from being stolen in transit.

    C. Maintaining data integrity, ensuring that data is not altered during transmission.

    3) Handshake process of the SSL protocol

    The SSL protocol uses both public-key cryptography and symmetric encryption: symmetric encryption is faster than public-key cryptography, but public-key cryptography provides better authentication. The SSL handshake protocol is very effective at establishing mutual authentication between the client and the server; the main process is as follows:

    ① The client's browser sends the server its SSL protocol version number, the type of cryptographic algorithm it supports, a generated random number, and the other information the server and client need to communicate.

    ② The server sends the client its SSL protocol version number, the type of encryption algorithm, a random number and other related information, and also sends its own certificate to the client.

    ③ The client uses the information sent by the server to verify the server's legitimacy, which covers: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer certificate's public key correctly verifies the "issuer's digital signature" on the server certificate, and whether the domain name on the server certificate matches the server's actual domain name. If verification fails, the connection is torn down; if it passes, the process continues with step ④.

    ④ The client randomly generates a "symmetric password" for subsequent communication, encrypts it with the server's public key (obtained from the server certificate in step ②), and sends it to the server.

    ⑤ The server decrypts the "symmetric password" with its private key (the public and private keys are a pair: data encrypted with the public key can only be decrypted with the private key, and the private key is kept only on the server side; see http://zh.wikipedia.org/wiki/RSA%E7%AE%97%E6%B3%95) and then uses it as the "session password" for encrypting and decrypting the communication between server and client. The SSL communication also ensures the integrity of the data exchanged, preventing any alteration in transit.

    ⑥ The client sends the server a message saying that subsequent data traffic will use the master password from step ⑤ as the symmetric key, and notifies the server that the client side of the handshake is complete.

    ⑦ The server sends the client a message saying that subsequent data traffic will use the master password from step ⑤ as the symmetric key, and notifies the client that the server side of the handshake is complete.

    ⑧ The SSL handshake ends and data communication over the SSL secure channel begins: the client and the server communicate using the same symmetric key while checking the integrity of the communication.
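The checks the client performs in step ③ (validity period, trusted issuer, hostname match), written out as an added Python example that is not part of the original notes. It runs on a constructed certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the fourth check, verifying the CA's signature over the certificate, is left to the TLS library because it needs the CA public key and an X.509 implementation.

```python
import ssl
import time

# Constructed sample, not a real certificate; the shape mirrors what
# ssl.SSLSocket.getpeercert() returns for a parsed server certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
TRUSTED_ISSUERS = {"Example Root CA"}  # the client's trust store (constructed)


def common_names(cert, field):
    """Collect the commonName values from a getpeercert()-style name tuple."""
    return [v for rdn in cert.get(field, ()) for k, v in rdn if k == "commonName"]


def host_matches(pattern, hostname):
    """Case-insensitive match; a leading '*' covers exactly one DNS label."""
    p, h = pattern.lower(), hostname.lower()
    if p.startswith("*."):
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h


def check_server_cert(cert, hostname, trusted_issuers, now=None):
    """Apply the step-3 checks; return the list of failures (empty = accept)."""
    now = time.time() if now is None else now
    failures = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        failures.append("certificate is expired or not yet valid")
    if not set(common_names(cert, "issuer")) & set(trusted_issuers):
        failures.append("issuing CA is not in the trust store")
    # Browsers match against the SAN list; the subject CN is only a fallback
    # when the certificate carries no DNS SAN at all.
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    candidates = sans or common_names(cert, "subject")
    if not any(host_matches(c, hostname) for c in candidates):
        failures.append("hostname does not match the certificate")
    return failures


if __name__ == "__main__":
    print(check_server_cert(SAMPLE_CERT, "www.example.test", TRUSTED_ISSUERS))
```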

  4. Steps to configure HTTPS/SSL:

Server-side one-way authentication:

  • Step one: Go to the bin directory under the JDK installation path;

  • Step two: Enter the following command in the bin directory:

    keytool -genkey -v -alias mykey -keyalg RSA -validity 3650 -keystore c:\sdust.keystore -dname "CN=your IP, OU=cn, O=cn, L=cn, ST=cn, C=cn" -storepass 123456 -keypass 123456

    Description

    keytool is the certificate generation tool provided by the JDK; the use of all parameters is described by keytool -help

    -genkey Create a new key pair and certificate

    -v Verbose output

    -alias mykey The alias of the certificate; this can be changed as needed

    -keyalg RSA Specify the key algorithm

    -keysize Specify the key length for the algorithm

    -keystore c:\sdust.keystore Save path and file name

    -validity 3650 Certificate validity period, in days

    -dname "CN=your IP, OU=cn, O=cn, L=cn, ST=cn, C=cn" Basic identity information for the certificate

    CN=your IP This setting needs particular attention: the name in the certificate must match the address the browser connects to (see step ③ of the handshake)

    -storepass 123456789 -keypass 123456789 Password settings

  • Step three: Generate the file as shown in

  • Step four: Configure Tomcat's server.xml file. [1] Set redirectPort to 443:

    <Connector connectionTimeout="20000" port="" protocol="HTTP/1.1" redirectPort="443" useBodyEncodingForURI="true"/>

    [2] Where the SSL HTTP/1.1 Connector is defined, change the port number to 443:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="" maxThreads="" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="C:/sdust.keystore" keystorePass="123456"
               clientAuth="false" sslProtocol="TLS"/>

    Property description:

    clientAuth: whether two-way authentication is used; the default is false, and true means two-way authentication

    keystoreFile: path of the server certificate file

    keystorePass: password of the server certificate

    truststoreFile: the root certificate used to verify client certificates, in this case the server certificate

    truststorePass: password of the root certificate

    [3] Where the AJP 1.3 Connector is defined, change redirectPort to 443:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>

  • Step five: Restart Tomcat.
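An added Python check, not from the original notes, that audits the three Connector elements edited in step four for the consistency the steps rely on: the TLS connector really has SSLEnabled, scheme and secure set, carries a keystore, and carries a truststore if clientAuth is on; and the plain HTTP and AJP connectors point their redirectPort at that TLS connector's port. The server.xml text is a constructed sample; the attribute names are Tomcat's case-sensitive ones.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the three connectors edited above,
# with the values the steps prescribe (redirectPort 443, TLS on port 443).
GOOD_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="C:/sdust.keystore" keystorePass="123456"
             clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
</Service></Server>"""

# Same layout, but the plain connectors redirect to a port no TLS connector
# listens on, and client certificates are demanded without a trust store.
BAD_SERVER_XML = (GOOD_SERVER_XML
                  .replace('redirectPort="443"', 'redirectPort="8443"')
                  .replace('clientAuth="false"', 'clientAuth="true"'))


def audit_connectors(server_xml):
    """Return a list of findings; an empty list means the connectors agree."""
    connectors = [c.attrib for c in ET.fromstring(server_xml).iter("Connector")]
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "").lower() == "true"}
    findings = []
    if not tls_ports:
        findings.append('no Connector has SSLEnabled="true"')
    for c in connectors:
        port = c.get("port", "?")
        if port in tls_ports:
            if c.get("scheme") != "https" or c.get("secure") != "true":
                findings.append(f'port {port}: TLS Connector needs scheme="https" and secure="true"')
            if not c.get("keystoreFile"):
                findings.append(f"port {port}: TLS Connector has no keystoreFile")
            if c.get("clientAuth", "false") == "true" and not c.get("truststoreFile"):
                findings.append(f'port {port}: clientAuth="true" but no truststoreFile to verify client certificates')
        else:
            target = c.get("redirectPort")
            if target is None:
                findings.append(f"port {port}: plain Connector has no redirectPort for CONFIDENTIAL redirects")
            elif target not in tls_ports:
                findings.append(f"port {port}: redirectPort {target} is not a TLS Connector port {sorted(tls_ports)}")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(BAD_SERVER_XML):
        print(finding)
```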

Additional content: To make the application accessible only through HTTPS, add the following to the project's web.xml file:

<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>

<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!--
Require HTTPS for everything except /img (favicon) and /css.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOrHTTP</web-resource-name>
<url-pattern>*.ico</url-pattern>
<url-pattern>/img/*</url-pattern>
<url-pattern>/css/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

Test: Enter https://localhost:8443/ in the browser. A dialog for selecting the client certificate pops up; click "OK" and the Tomcat home page opens with a "lock" icon in the address bar, indicating that this session has been authenticated by two-way HTTPS and that the information transmitted in the rest of the session is SSL-encrypted.

Problems that may exist:

Tomcat 7.0 is started from Eclipse, and Eclipse restores the local Tomcat configuration files.

The problem is that in Eclipse's Servers configuration the Tomcat startup is set to use the Tomcat installation location, but each time the project is published from Eclipse, the configuration files under the local G:\tomcate7.0\ Apache-tomcat-7.0.29\conf (for example Tomcat-user.xml, to which users and other information had been added) are reset; that is, the content added to them is emptied and they revert to their original state:

Solution:

Your Eclipse project list should also contain a Servers project, under which the Tomcat 7 configuration files are found; change the corresponding configuration file there. On every publish, the files under Tomcat are overwritten with these files.

HTTPS access for specific directories only

Solution:

Configure the appropriate path in the web.xml file:

<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/login.html</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Http://jingyan.baidu.com/article/e4d08ffdb61f040fd3f60d48.html
