First, the foreword: Articles on how to implement bidirectional (mutual) SSL authentication with the Tomcat server appeared quite early. Two of the more practical ones are "Configure Tomcat 4 to use bidirectional SSL" on the IBM developerWorks China website, May 2002 (http://www-900.ibm.com/developerworks/cn/security/se-tcssl/index.shtml) and "Configure Tomcat 5 to use bidirectional SSL" (http://thinkbase.net/w/main/wiki?tomcat5ssl_serverandclient). The underlying principles are not the focus of this article, so the following only walks through the actual steps and describes each of them.
Second, the required software packages:

Tomcat 5.0.25. Purpose: web server. Download: http://jakarta.apache.org/builds/jakarta-tomcat-5.0/release/v5.0.25/bin/

JSSE 1.0.2. Purpose: used to produce the key pair (keystore) used by Tomcat. This tool has been bundled with the JDK since version 1.4, so just install JDK 1.4.x. Download: http://java.sun.com/products/jsse/

OpenSSL 0.9.9.6. Purpose: used to generate the CA certificate, to sign, and to generate PKCS#12 format private keys that IE can import. Download: http://www.openssl.org/

For the installation of the tools above, refer to their own help; it is not described in detail here.

Third, certificate environment settings:

    export CA_DN="/C=cn/ST=guangdong/L=guangzhou/O=boss ssl/OU=boss cacenter/CN=boss CA root/emailAddress=Winsonhrh@gmail.com"

    export SERVER_DNAME="CN=21cn.com,OU=boss Server,O=boss SSL,L=GUANGZHOU,ST=GUANGDONG,C=CN"
    export SERVER_KEYPASS=openssl
    export SERVER_STOREPASS=openssl
    export SERVER_ALIAS=boss-alias
    export SERVER_KEYSTORE=boss-alias.keystore

    export CLIENT_DN_OU=w21cn-boss-client
    export CLIENT_DN_CN=huronghua
    export CLIENT_DN="/C=CN/O=W21CN boss/OU=$CLIENT_DN_OU/CN=$CLIENT_DN_CN"
    export SSL_JAVA_HOME=/home/uud/software/jdk1.5.0_06
    export JDK_KEYSTORE=$SSL_JAVA_HOME/jre/lib/security/cacerts
    # Store password of JSSE's trusted CA root certificate store; it does not seem to get changed
    export JDK_STOREPASS=changeit
    export OPENSSL_SRL_FILE=./CA-CERT.SRL
    export CA_ROOT_ALIAS=boss-ca-root

Fourth, generate the CA private key and self-signed root certificate, and finally get the CA root certificate in PKCS12 format:
Description: This command generates the CA private key and the self-signed root certificate, and finally produces the CA root certificate in PKCS12 format (a PKCS12 file is password protected and therefore more secure). The generated PKCS12 CA root certificate is kept in the dist/ca-cert directory. In a production system this certificate file (*.pfx) must be stored safely, because later server certificates and client certificates depend on it, the client certificates especially: if the CA root certificate is lost, you cannot issue new client certificates, and if you regenerate the CA root certificate you also have to regenerate the server certificate and the client certificates. With many client users, reissuing all client certificates is a considerable amount of work. While the command runs you are prompted for a certificate protection password; be careful not to forget or disclose it, otherwise the security of the root certificate is threatened.
    mkdir ca
    mkdir dist
    cd dist
    mkdir ca-cert
    cd ..
    # genrsa [generate key command] -out [key file output path] 1024 [key size in bits]
    openssl genrsa -out ca/ca-key.pem 1024
    # req [generate certificate request command] -new [new request] -out [request file output path] -key [private key file path]
    openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -subj "$CA_DN"
    # x509 [issue X509 certificate command] -req [the input is a certificate request] -in [path of the request to be signed] -out [X509 certificate output path]
    # -signkey [self-signing key file path] -days [certificate validity in days]
    openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365
    # Generate the CA certificate ca/ca-cert.pfx; be sure to remember the export password
    # pkcs12 [generate PKCS12 certificate command for SSL] -export [export file] -clcerts [export client certificates only] -password [export password]
    # -in [input certificate file path] -inkey [certificate key file path] -out [PKCS12 file output path]
    openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca-cert.pfx
    # Save the generated certificate (required later)
    cp ca/ca-cert.pfx dist/ca-cert/ca-cert-200606.pfx
Fifth, export the CA private key and the unencrypted CA root certificate from the CA root certificate in PKCS12 format:

Description: This command exports the CA private key and the unencrypted CA root certificate from the CA root certificate in PKCS12 format. For security reasons, the CA root certificate is usually stored in a password-protected PKCS12 file (*.pfx). To use the CA root certificate to issue a server certificate or a client certificate, you first need to run this command to obtain the CA root certificate in unencrypted form. While the command runs you are prompted twice for the root certificate's protection password; if the password is wrong the command fails, and you cannot carry out the following two certificate-issuing steps.
    mkdir decrypt_ca
    # Export the unencrypted CA certificate from the PKCS12 CA certificate: decrypt_ca/ca-cert.pem
    # (use the file name under which the PFX was saved in section four)
    openssl pkcs12 -in dist/ca-cert/ca-cert-20060621.pfx -clcerts -nodes -nokeys -out decrypt_ca/ca-cert.pem
    # Remove the first four lines of the resulting certificate file (Bag Attributes),
    # because the keytool import in Step2-server.bat will think that a file containing bag attributes "is not a X.509 authentication"
    vi decrypt_ca/ca-cert.pem
    # In vi: press 4, then dd to delete the four lines, and finally :x! to save and exit
    # Export the CA private key from the PKCS12 CA certificate: decrypt_ca/ca-key.pem
    openssl pkcs12 -in dist/ca-cert/ca-cert-20060621.pfx -clcerts -nodes -out decrypt_ca/file.pem
    openssl rsa -in decrypt_ca/file.pem -out decrypt_ca/ca-key.pem
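The manual vi edit and the handling of the decrypted CA key in this step can be scripted. The sh functions below are an added example, not part of the original article: extract_cert_only, run_with_decrypted_ca and write_sample_export are hypothetical names, and the sample export is constructed.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the article.

# extract_cert_only IN OUT: copy only the BEGIN/END CERTIFICATE block(s),
# dropping the "Bag Attributes"/subject=/issuer= lines `openssl pkcs12` adds.
# Returns 3 if IN holds a private key, 4 if it holds no certificate.
extract_cert_only() {
    [ -r "$1" ] || return 2
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 3
    fi
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside                          { print }
        /^-----END CERTIFICATE-----$/   { inside = 0 }' > "$2.tmp"
    if ! grep -q -e '^-----BEGIN CERTIFICATE-----$' "$2.tmp"; then
        rm -f "$2.tmp"
        return 4
    fi
    mv "$2.tmp" "$2"
}

# run_with_decrypted_ca DIR COMMAND [ARGS...]: create DIR with mode 0700, run
# COMMAND (expected to export the CA key into DIR and issue certificates),
# then delete DIR whether COMMAND succeeded or not. Returns COMMAND's status.
run_with_decrypted_ca() {
    ca_dir=$1
    shift
    old_umask=$(umask)
    umask 077
    if ! mkdir "$ca_dir"; then   # an existing DIR may hold stale key material
        umask "$old_umask"
        return 2
    fi
    "$@" && cmd_rc=0 || cmd_rc=$?
    rm -rf "$ca_dir"
    umask "$old_umask"
    return "$cmd_rc"
}

# Constructed sample shaped like `openssl pkcs12 -nokeys` output (four header
# lines, then the certificate); the base64 body is filler, not a real cert.
write_sample_export() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
subject=/C=CN/O=Example/CN=Example CA
issuer=/C=CN/O=Example/CN=Example CA
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
EOF
}
```

extract_cert_only rejects decrypt_ca/file.pem, which holds the unencrypted CA key, so that file cannot be prepared for a keytool import by mistake. rm -rf only unlinks the files; it is not a secure wipe of the underlying storage.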
Sixth, generate server-side certificates:

Description: This command generates the server-side certificate (keystore file). Note: the CA root certificate is also imported into the certificate's keystore file, so that when the certificate is used on the Tomcat web server the CA root certificate does not have to be imported into JSSE's default location. This command works correctly only after the command in section five (export the CA private key and the unencrypted CA root certificate from the CA root certificate in PKCS12 format) has been run.
    # Generate the key pair
    mkdir server
    # -genkey [generate key pair] -alias [key pair alias] -validity [key validity in days] -keyalg [key algorithm] -keysize [key size in bits]
    # -keypass [key protection password] -storepass [store password]
    # -dname [additional information for the alias; the CN must be the server name as set in the web server] -keystore [keystore file path]
    keytool -genkey -alias $SERVER_ALIAS -validity 720 -keyalg RSA -keysize 1024 -keypass $SERVER_KEYPASS -storepass $SERVER_STOREPASS -dname "$SERVER_DNAME" -keystore server/$SERVER_KEYSTORE

    # Generate the certificate signing request: server/server.csr
    # -certreq [generate certificate signing request] -alias [certificate alias] -sigalg [signature algorithm] -file [output file path]
    # -keypass [key protection password] -keystore [store file path] -storepass [store password]
    keytool -certreq -alias $SERVER_ALIAS -sigalg MD5withRSA -file server/server.csr -keypass $SERVER_KEYPASS -keystore server/$SERVER_KEYSTORE -storepass $SERVER_STOREPASS

    # Sign with the CA private key to produce the X509 certificate file
    # x509 [issue X509 certificate command] -req [the input is a certificate request] -in [path of the request to be signed] -out [X509 certificate output path]
    # -CA [issuing root certificate] -CAkey [root certificate key file] -days [certificate validity in days] -CAserial [CA serial number file]
    openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA decrypt_ca/ca-cert.pem -CAkey decrypt_ca/ca-key.pem -days 365 -CAserial $OPENSSL_SRL_FILE -sha1 -trustout

    # Import (replace) the trusted CA root certificate in the JSSE default location ($JDK_KEYSTORE)
    # Delete it first (in case it has already been imported)
    # $JDK_KEYSTORE is the path of JSSE's trusted CA root certificate keystore file
    keytool -delete -v -alias $CA_ROOT_ALIAS -storepass $JDK_STOREPASS -keystore $JDK_KEYSTORE
    # -import [import command] -v -trustcacerts [import as trusted certificate] -storepass [store password] -alias [alias of the CA root certificate]
    # -file [certificate file path] -keystore [target keystore path] -noprompt [do not ask "trust this certificate?"]
    keytool -import -v -trustcacerts -storepass $JDK_STOREPASS -alias $CA_ROOT_ALIAS -file decrypt_ca/ca-cert.pem -keystore $JDK_KEYSTORE

    # Import the CA-signed server certificate into the keystore: server/$SERVER_KEYSTORE
    # -import [import command] -v -trustcacerts [import as trusted certificate] -storepass [store password] -keypass [key protection password]
    # -alias [server certificate alias] -file [certificate file path] -keystore [target keystore path]
    keytool -import -v -trustcacerts -storepass $SERVER_STOREPASS -keypass $SERVER_KEYPASS -alias $SERVER_ALIAS -file server/server-cert.pem -keystore server/$SERVER_KEYSTORE

    # Import the CA root certificate into the keystore: server/$SERVER_KEYSTORE
    # -import [import command] -v -trustcacerts [import as trusted certificate] -storepass [store password] -keypass [key protection password]
    # -alias [certificate alias] -file [certificate file path] -keystore [target keystore path] -noprompt [do not ask "Do you still want to add it to your own keystore?"]
    keytool -import -v -trustcacerts -storepass $SERVER_STOREPASS -keypass $SERVER_KEYPASS -alias $CA_ROOT_ALIAS -file decrypt_ca/ca-cert.pem -keystore server/$SERVER_KEYSTORE

    # View the CA root certificate in the JSSE store
    keytool -list -storepass $JDK_STOREPASS -keystore $JDK_KEYSTORE -alias $CA_ROOT_ALIAS -v

    # Remove the CA root certificate that was imported into the JSSE default location (restores the JDK to its original state)
    keytool -delete -v -alias $CA_ROOT_ALIAS -storepass $JDK_STOREPASS -keystore $JDK_KEYSTORE

    # Save the generated certificate (for use by the server)
    cd dist
    mkdir server
    cd ..
    cp server/$SERVER_KEYSTORE dist/server/$SERVER_KEYSTORE

    # View the server-side certificates
    keytool -list -storepass $SERVER_STOREPASS -keystore dist/server/$SERVER_KEYSTORE -v
Seventh, issue client certificates:

Description: This command issues a client certificate. To make batch generation of client certificates easier, the command supports command-line arguments; the 1st to 3rd parameters are, in order:

1. The name of the client certificate (Common Name).
2. The organization to which the client certificate belongs (Organizational Unit Name).
3. The import password for the generated PKCS12 client certificate, which ensures that only users who know the password can import the certificate into a browser.

This command works correctly only after the command in section five (export the CA private key and the unencrypted CA root certificate from the CA root certificate in PKCS12 format) has been run.
    mkdir client
    cd dist
    mkdir client
    cd ..
    # Generate the client private key: client/client-key.pem
    # genrsa [generate key command] -out [key file output path] 1024 [key size in bits]
    openssl genrsa -out client/client-key.pem 1024

    # Generate the certificate signing request: client/client-req.csr
    # req [generate certificate request command] -new [new request] -out [request file output path] -key [private key file path]
    # -subj [the request's subject, where the Distinguished Name (DN) information is placed]
    openssl req -new -out client/client-req.csr -key client/client-key.pem -subj "$CLIENT_DN"

    # Sign with the CA private key to produce the X509 certificate file: client/client.crt
    # x509 [issue X509 certificate command] -req [the input is a certificate request] -in [path of the request to be signed] -out [X509 certificate output path]
    # -signkey [key file path]
    # -CA [issuing root certificate] -CAkey [root certificate key file] -days [certificate validity in days] -CAserial [CA serial number file]
    openssl x509 -req -in client/client-req.csr -out client/client.crt -signkey client/client-key.pem -CA decrypt_ca/ca-cert.pem -CAkey decrypt_ca/ca-key.pem -days 365 -CAserial $OPENSSL_SRL_FILE

    # Generate the client's personal certificate: client/$_client_p12_file
    # pkcs12 [generate PKCS12 certificate command] -export [export file] -clcerts [export client certificates only] -password [export password]
    # -in [input client certificate file path] -inkey [client certificate key file path] -out [PKCS12 file output path]
    # -name [a name that is easy to remember] The code is CLIENTSSL.
    openssl pkcs12 -export -clcerts -in client/client.crt -inkey client/client-key.pem -out "client/$CLIENT_DN_OU-$CLIENT_DN_CN.p12" -name "$CLIENT_DN_OU-$CLIENT_DN_CN"

    # Save the generated certificate (to be handed to the user)
    cp "client/$CLIENT_DN_OU-$CLIENT_DN_CN.p12" "dist/client/$CLIENT_DN_OU-$CLIENT_DN_CN.p12"
Eighth, Tomcat 5 server configuration:

The reference configuration method is as follows:

1. Copy the keystore file from the dist/server directory produced by the command in section six (generate server-side certificates) into the conf directory of the Tomcat installation directory. With the default settings this file is called "boss-alias.keystore".
2. Edit the "server.xml" file in the conf directory of the Tomcat installation directory and change the "Connector" element contained in <Service name="Catalina"> as follows (for reference only):
    <!-- maxThreads, minSpareThreads and acceptCount are left at Tomcat's defaults here -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               URIEncoding="UTF-8"
               keystoreFile="%tomcat%/conf/boss-alias.keystore" keystorePass="openssl"
               truststoreFile="%tomcat%/conf/boss-alias.keystore" truststorePass="openssl"/>
Ninth, configuration of the web application when bidirectional SSL is enabled:

To enable bidirectional SSL authentication, some configuration has to be added to the web.xml of your web application. auth-method=CLIENT-CERT means "authenticate the user's identity with a client-side digital certificate"; transport-guarantee=CONFIDENTIAL indicates that the application requires data to be transmitted in a way that prevents other entities from seeing the transmitted content ...
    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
Tenth, write a JSP page to display the contents of the certificate:

After the configuration above, even if the user accesses the web application over HTTP, the browser automatically switches to HTTPS and pops up the dialog box for selecting the client certificate. To use the client certificate for user authentication in the web application, it can be read from the request object in Java code. According to the Servlet specification, the client certificate chain of an HTTPS request can be obtained with request.getAttribute("javax.servlet.request.X509Certificate"). The first element is the client certificate. The corresponding sample code is as follows:
    <%@ page import="java.security.cert.X509Certificate" %>
    <%
        // Application-specific redirect; once it is sent, the browser follows it
        // and the Subject line at the bottom of this page is not displayed.
        response.sendRedirect("jsp/vpay/input.jsp");
        String certSubject = null;
        // Certificate chain presented by the client during the SSL handshake
        java.security.cert.X509Certificate[] certChain =
            (java.security.cert.X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (null != certChain) {
            int len = certChain.length;
            if (len > 0) {
                // The first element is the client certificate itself
                java.security.cert.X509Certificate cert = (java.security.cert.X509Certificate) certChain[0];
                java.security.Principal pSubject = cert.getSubjectDN();
                certSubject = pSubject.getName();
            }
        }
    %>
    Subject = <%=certSubject%>
Eleventh, import the client certificate and access the HTTPS application:

Import the client certificate into the browser (double-click the client certificate file "W21CN-BOSS-CLIENT-HUARONGHU.P12" to import it into IE). After the import, start Tomcat; you can see that access to http://localhost:8080/index.jsp automatically switches to https://localhost:8443. You can also see that the JSP page can obtain the Subject of the client certificate when it is accessed over HTTPS.

Try deleting the imported certificate from the browser and you will find that the content of the site is no longer accessible.
Twelfth, summary:

Once the web server has gone into operation, the command in section four (generate the CA private key and self-signed root certificate, and finally get the CA root certificate in PKCS12 format) cannot be executed again. If you need to reissue the server certificate or issue a new client certificate, then before running the commands in section six (generate server-side certificates) and section seven (issue client certificates), first run the command in section five to export the CA private key and the unencrypted CA root certificate from the saved CA root certificate in PKCS12 format.