What is HTTPS?
When an HTTP request is sent to a site based on SSL/TLS (usually using https: // URL), the server sends a certificate to the client. The client uses the installed public certificate to verify the identity of the server through this certificate, and then checks whether the IP name (machine name) matches the machine connected to the client. The client generates random information about the private key (called the session key) that can be used to generate a conversation, and then encrypts it with the public key of the server and sends it to the server. The server decrypts the message with its own private key, and then uses the random information to derive the same private session key as the client. The RSA public key algorithm is usually used in this phase. Then, the client and server use the private session key and private key algorithm (usually RC4) to communicate. Use the message authentication code of another key to ensure message integrity.
What is a digital signature?
The digital signature means that the information sender uses its private key to perform RSA algorithm operations on the feature data (or digital fingerprint) extracted from the transmitted message, to ensure that the sender is not allowed to deny the information that has been sent (that is, the non-repudiation), and to ensure that the information message is tampered with (that is, integrity) at the end of the signature ). After receiving the message, the message receiver can use the sender's public key to verify the digital signature.
Overview of SSL?
SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. this means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. this is a two-way process, meaning that both the server and the browser encrypt all traffic before sending out data.
Another important aspect of the SSL protocol is authentication. this means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a "Certificate ", as proof the site is who and what it claims to be. in certain cases, the server may also request a certificate from your web browser, asking for proof thatYouAre who you claim to be. this is known as "client authentication," although in practice this is used more for business-to-business (B2B) transactions than with individual users. most SSL-enabled web servers do not request client authentication.
HTTPS and tomcat
The Apache Jakarta Tomcat 5 Servlet/JSP ContainerSSL configuration how-?
Quick Configuration:
1. Use keytool in JDK to generate a tomcat keystore
In the command line, enter % java_home %/bin/keytool-genkey-alias tomcat-keyalg RSA.
You will be prompted to enter keypassword, keystorepassword, and other related information. Confirm as prompted.
2. Add the following to CONF/server. xml:
Maxthreads = "150" minsparethreads = "25" maxsparethreads = "75"
Enablelookups = "false" disableuploadtimeout = "true"
Acceptcount = "100" DEBUG = "0" Scheme = "HTTPS" secure = "true"
Clientauth = "false" keystorepass = "password" sslprotocol = "TLS"/>
3. start Tomcat and enter https: // localhost: 8443 in the browser.
Note: The keystore file generated using this method is placed under C:/Documents ents and settings/user.
Note:
Attribute |
Description |
clientAuth |
Set this valuetrue If you want tomcat to require all SSL clients to present a client certificate in order to use this socket. Set this valuewant If you want tomcat to request a client certificate, but not fail if one isn' t presented. |
keystoreFile |
Add this attribute if the keystore file you created is not in the default place That tomcat expects (a file named.keystore In the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against$CATALINA_BASE Environment variable. |
keystorePass |
Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit ). |
keystoreType |
Add this element if using a PKCS12 keystore. The valid values areJKS AndPKCS12 . |
sslProtocol |
The encryption/decryption protocol to be used on this socket. it is not recommended to change this value if you are using sun's JVM. it is reported that IBM's 1.4.1 Implementation of the TLS protocol is not compatible with some popular browsers. in this case, use the valueSSL . |
ciphers |
The comma separated list of encryption ciphers that this socket is allowed to use. By default, any available cipher is allowed. |
algorithm |
TheX509 Algorithm to use. This defaults to the Sun implementation (SunX509 ). For IBM JVMs you shoshould use the valueIbmX509 . For other vendors, consult the JVM documentation for the correct value. |
truststoreFile |
The truststore file to use to validate client certificates. |
truststorePass |
The password to access the truststore. This defaults to the valuekeystorePass . |
truststoreType |
Add this element if your are using a different format for the truststore then you are using for the keystore. The valid values areJKS AndPKCS12 . |
What is the function and usage of the Java keytool?
Keytool is a security key and certificate management tool. It manages a keystore (equivalent to a database) that stores private keys and verifies the corresponding public keys associated with them ).
Keytool is a valid security key and certificate management tool. It enables users to use digital signatures to manage their own private/public key pairs, manage certificates used for self-identification, and manage data integrity and authentication services. It also enables users to cache their public keys during communication.
A certificate is a digital signature of an entity (individual, company, etc.), indicating the detailed value of the public key (or other information) of another entity. after the data is signed, the signature information is used to verify the integrity and authenticity of the data. integrity index data has not been modified or tampered with, and authenticity index data has arrived from any party that generates and signs the data.
Keytool stores the key and certificate to a keystore. The keystore is a file. It uses a password to protect the key. Another tool, jarsigner, uses the information in the keystore to generate or test the digital signature in the Java archive (JAR file.
The keystore has two different portals:
1. key entry: stores very sensitive Encrypted Key Information and stores it in a protected format to prevent unauthorized access. the key stored in this form is a secret key or a private key corresponding to the public key in the certificate chain.
2. trusted certificate entry: contains a single public key certificate for other parts. it is called "trusted Certificate" because the public key in the certificate trusted by the keystore truly belongs to the identity of the certificate owner.
Keystore alias:
All keystore entries (key and trust certificate entries) are accessed through a unique alias. aliases are case insensitive. For example, the aliases Hugo and Hugo point to the same keystore portal.
You can use the-genkey parameter when adding an entry to the keystore to generate a key pair (Public Key and private key) and specify the alias. you can also use the-import parameter to add a certificate or certificate chain to the trusted certificate.
For example, keytool-genkey-alias Duke-keypass dukekeypasswd
Duke is the alias, and dukekeypasswd is the password of the duke alias. This command is used to generate a new public/private key pair. duke is the alias, and dukekeypasswd is the password of the duke alias. this command is used to generate a new public/private key pair.
If you want to change the password, you can use:
Keytool-keypasswd-alias Duke-keypass dukekeypasswd-New newpass
Change the old password dukekeypasswd to newpass.
Keystore generation:
1. when the-genkey,-import, or-identitydb command is used to add data to a keystore, And the keystore does not exist, a keystore is generated. the default name is. keystore, which is stored in the user-home directory.
2. When-keystore is used, the specified keystore will be generated.
Keystore implementation:
The keytool class is located in Java. under the security package, a very good interface is provided to obtain and modify information in a keystore. currently, there are two command lines: keytool and jarsinger. a gui tool policy can implement keystore. because the keystore is public, you can use it to write additional security applications.
Keystore also has an internal implementation provided by Sun. it uses keystore as a file. A keystore type (Format) "jks" is used ". it uses a separate password to protect every private key. different passwords may also be used to protect the integrity of the entire keystore.
Supported algorithms and key sizes:
Keytool allows you to specify the key pair and the signature algorithm provided by the cryptographic service provider. The default key pair generation algorithm is "DSA ". If the private key is of the "DSA" type, the default signature algorithm is "sha1withdsa". If the private key is of the "RSA" type, the default algorithm is "md5withrsa ".
When a DSA key pair is generated, the key must be between 512-1024 bits. The default key size for any algorithm is 1024 bits.
1. Certificate: a certificate is a digital signature of an entity, indicating that the public key of another entity has a clear value.
2. Public Key: it is a digital Association of the same detailed entity and intends to let all other entities that want to have a trust relationship with the entity know. The public key is used to test the signature;
3. Digital Signature: if the data has been signed and stored in an entity with an identity, a signature can prove that the entity knows the data. The data is signed and submitted using the entity's private key;
4. Identity: Methods for knowing entities. In some systems, identity is a public key. In other systems, it can be anything from the Unix uid of an X.509 email address;
5. Signature: A signature uses the entity private key to calculate some encrypted data;
6. private Key: a number. Each private key can only be known by a specific entity that owns the private key. private and public keys exist in key pairs of all systems encrypted with public keys. A public key is encrypted (such as DSA), and a private key communicates with a correct public key. the private key is used to calculate the signature.
7. entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or something else you want to trust.
Keytool application instance:
1. Generate a keystore:
Keytool-genkey-alias user (keystore alias)-keyalg RSA-validity 7-keystore (specified keystore ).
When you run this command, the system prompts:
Enter keystore password: yourpassword (enter the password)
What is your first and last name?
[UNKNOWN]: Your name (enter your name)
What is the name of your organizational unit?
[UNKNOWN]: Your organizational (enter the name of your organization)
What is the name of your organization?
[UNKNOWN]: Your Organization Name (enter the name of your organization)
What is the name of your city or locality?
[UNKNOWN]: Your city name (enter the name of the city)
What is the name of your state or province?
[UNKNOWN]: Your Provice name (enter the name of the Province)
What is the two-letter country code for this unit?
[UNKNOWN]: CN (name of the input country)
Is Cn = your name, ou = Your organizaion, O = "your organization name", L = your city name, St = your province name, c = cn correct?
[No]: Yes
3. Check A keystore:
Keytool-list-v-keystore
Enter keystore password: Your password (enter password)
The keystore content is displayed as follows:
Keystore type: jks
Keystore provider: Sun
Your keystore contains 1 entry
Alias Name: yourname
Creation date: Dec 20,200 1
Entry type: keyentry
Certificate Chain Length: 1
Certificate [1]:
Owner: Cn = yourname, ou = your organization, O = "your organization name ",
L = your city name, St = your province name, c = Cn
Issuer: Cn = Duke, ou = Java software, O = "Sun Microsystems, Inc.", L = Palo Alto, St = Ca, c = us
Serial number: 3c22adc1
Valid from: Thu DEC 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
MD5: F1: 5b: 9B: A1: F7: 16: Cf: 25: Cf: F4: FF: 35: 3f: 4C: 9C: F0
Sha1: B2: 00: 50: DD: B6: CC: 35: 66: 21: 45: 0f: 96: AA: AF: 6a: 3D: e4: 03: 7c: 74
3. Output The keystore to a file: testkey:
Keytool-export-alias Duke-keystore-RFC-file testkey
System output: Enter keystore password: Your password (enter password)
Certificate stored in file <TD>
4. Enter the certificate to a new truststore:
Keytool-import-alias dukecert-file testkey-keystore truststore
Enter keystore password: Your new password. (enter the new truststore password)
5. Check truststore:
Keytool-list-v-keystore truststore
The system displays truststore information.
Now you can use the appropriate keystore to run your application. For example:
Java -djavax.net. SSL. keystore = keystore
-Djavax.net. SSL. keystorepassword = PASSWORD Server
And:
Java -djavax.net. SSL. truststore = truststore
-Djavax.net. SSL. truststorepassword = trustword Client