JavaWeb Study Summary (iii) -- Tomcat Server Learning and Use (ii), including HTTPS and asymmetric keys

Source: Internet
Author: User
Tags: decrypt, server port, tomcat server, asymmetric encryption


I. Packaging JavaWeb applications

In Java, the "jar" command is used to package a JavaWeb application into a war package. The usage of the jar command is as follows:

  

Example: package the JavaWeb application JavaWebDemoProject as a war package

  

After the command runs you get a .war file. Once a JavaWeb application has been developed it is usually packaged as a war like this, and the war is put into the Tomcat server's webapps directory; when the Tomcat server starts, any war package in webapps is unpacked automatically.

For example, put the war package just built into the webapps directory of the Tomcat server.

  

When the Tomcat server starts it automatically deploys the web application ("Deploying web application") and extracts the war file, as shown:
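As an added example (not code from the original article), the packaging step in Python: a .war is an ordinary zip archive, so the jar command from the text is replaced here by the zipfile module, which keeps the example self-contained. Since Tomcat unpacks whatever lands in webapps/, the script also inspects the archive before deployment and rejects entries that would escape the webapp directory. The directory layout (WEB-INF/web.xml, Web/1.jsp) and the hostile second archive are constructed inside the script.

```python
"""Package a JavaWeb application directory as a .war and inspect it before it
goes into Tomcat's webapps/ directory. A .war is a plain zip archive, so this
uses Python's zipfile in place of the jar command from the text."""
from __future__ import annotations

import os
import tempfile
import zipfile


def build_war(src_dir: str, war_path: str) -> list[str]:
    """Package src_dir into war_path with the same layout jar -cvf produces; return entry names."""
    names = ["META-INF/MANIFEST.MF"]
    with zipfile.ZipFile(war_path, "w", zipfile.ZIP_DEFLATED) as war:
        # jar writes a manifest first; Tomcat does not need it but other tooling expects it
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                arcname = os.path.relpath(full, src_dir).replace(os.sep, "/")
                war.write(full, arcname)
                names.append(arcname)
    return names


def inspect_war(war_path: str) -> dict:
    """Report what Tomcat would unpack from the archive and flag entries that escape the webapp directory."""
    with zipfile.ZipFile(war_path) as war:
        names = war.namelist()
    # Absolute paths, drive letters and ".." components would land outside webapps/<app>/
    # if an extractor did not canonicalise them; reject the archive instead of relying on that.
    unsafe = [n for n in names if n.startswith("/") or ":" in n or ".." in n.split("/")]
    return {
        "names": names,
        "has_web_xml": "WEB-INF/web.xml" in names,   # deployment descriptor (optional from Servlet 3.0 on)
        "unsafe_entries": unsafe,
        "deployable": not unsafe,
    }


def demo() -> tuple[dict, dict]:
    """Build a minimal JavaWebDemoProject (constructed here), package it, and compare it with a hostile war."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "JavaWebDemoProject")
        os.makedirs(os.path.join(src, "WEB-INF"))
        os.makedirs(os.path.join(src, "Web"))
        with open(os.path.join(src, "WEB-INF", "web.xml"), "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="UTF-8"?>\n<web-app/>\n')   # minimal constructed descriptor
        with open(os.path.join(src, "Web", "1.jsp"), "w", encoding="utf-8") as fh:
            fh.write("<%= new java.util.Date() %>\n")                          # constructed sample page

        good_war = os.path.join(tmp, "JavaWebDemoProject.war")
        build_war(src, good_war)
        good = inspect_war(good_war)

        # Constructed hostile archive: one entry tries to climb out of the webapp directory.
        bad_war = os.path.join(tmp, "evil.war")
        with zipfile.ZipFile(bad_war, "w") as war:
            war.writestr("WEB-INF/web.xml", "<web-app/>")
            war.writestr("../../conf/tomcat-users.xml", "<tomcat-users/>")
        bad = inspect_war(bad_war)
    return good, bad


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("JavaWebDemoProject.war:", good_report["names"], "deployable:", good_report["deployable"])
    print("evil.war unsafe entries:", bad_report["unsafe_entries"])
```

Run it as a script to see both reports; build_war and inspect_war can be pointed at a real project directory and war file in the same way.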

  

  

II. The system structure of Tomcat

  

The Tomcat server starts from its server.xml file. On startup a Server is created; the Server starts a Service; the Service starts one or more Connectors, each of which listens for client connections. When a user requests a web resource on the server with a browser, the request first reaches a Connector. The Connector does not process the request itself; it hands it to the Engine. The Engine works out which Host the user wants to reach and passes the request to that Host; the Host works out which web application under it is being requested. Each web application corresponds to one Context.

    <?xml version='1.0' encoding='utf-8'?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Service name="Catalina">
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="conf/.keystore" keystorePass="123456" />
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
        <Engine name="Catalina" defaultHost="localhost">
          <!-- the listing in the original stops at the Engine line; the Host below
               and the closing tags are Tomcat's defaults, added so the file is well-formed -->
          <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
        </Engine>
      </Service>
    </Server>

III. The principle of encryption on the Internet

The Tomcat server starts several connectors, and these connectors are divided into encrypted and non-encrypted connectors. For example:

  

This is the connector that uses port 8080:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

This is a non-encrypted connector: when "http://localhost:8080/JavaWebDemoProject/Web/1.jsp" is used to request a web resource on the server, the request travels in cleartext. To access the Tomcat server in an encrypted manner, an encrypted connector has to be configured in Tomcat. Before configuring one, it helps to be clear about how encryption on the Internet works.

3.1. Symmetric encryption

Symmetric encryption uses a single-key cryptosystem: the same key serves both to encrypt and to decrypt, which is why it is also called single-key (or secret-key) encryption. Because it is fast, symmetric encryption is normally used when a sender has to encrypt large amounts of data. The key is the parameter that controls the encryption and decryption process; the algorithm is the set of rules that specifies how encryption and decryption are carried out. The security of the scheme depends not only on the algorithm itself but on key management: since both sides use the same key, getting the key safely to the party that must decrypt is a problem that has to be solved. Commonly used symmetric algorithms include DES, IDEA, RC2, RC4, Skipjack, RC5 and AES; DES, RC2 and RC4 are broken or deprecated and should not be used in new systems, and AES is the current standard choice.

3.2. Asymmetric encryption

An asymmetric encryption algorithm needs two keys: a public key (PublicKey) and a private key (PrivateKey). They form a pair: data encrypted with the public key can only be decrypted with the matching private key, and a signature produced with the private key can only be verified with the matching public key. Because encryption and decryption use two different keys, the algorithm is called asymmetric. The basic procedure for exchanging confidential information is: party A generates a key pair and publishes one of the keys as its public key; party B, holding A's public key, encrypts the confidential information with it and sends it to A; A decrypts it with the private key it kept. In the other direction, A can sign a message with A's own private key and send it to B, and B checks the signature with A's public key.

How asymmetric encryption works, taking A sending a message to B:

1. A and B each generate a pair of keys (public and private) for encryption and decryption.
2. A keeps A's private key secret and tells B A's public key; B keeps B's private key secret and tells A B's public key.
3. A wants to send a message to B; since A knows B's public key, A encrypts the message with B's public key.
4. A sends the message (now encrypted with B's public key) to B.
5. B receives the message and decrypts it with B's private key. Anyone else who receives the message cannot decrypt it, because only B has B's private key.

The sender encrypts the data with the receiver's public key and the receiver decrypts it with its own private key, so the information reaches its destination safely and intact: even if a third party intercepts it, the interceptor cannot decrypt it without the matching private key. This guarantee comes from the mathematics of the scheme, namely that only the private key can undo the encryption.

Asymmetric encryption on its own still does not solve the problem of secure transmission. Suppose A wants to send data to B. B first generates a key pair (public and private) and sends the public key to A; A can then encrypt data with B's public key and send it to B. But while B's public key is on its way to A it may be intercepted by a third party C. Two problems follow.

First, C now holds B's public key too, so C can encrypt its own data with it and send that to B; when B receives data it has no way of telling whether it came from A or from C.

Second, C can generate its own key pair and send its own public key to A. A, believing the key came from B, encrypts data with it and sends it towards B; C intercepts this on the way. Because the data was encrypted with C's public key, and C holds the matching private key, C can decrypt everything A wrote. B, if it ever receives the data, cannot read it, because it was encrypted with C's public key and B does not have C's private key.

So asymmetric encryption leaves a question open: when A wants to send data to B, how does A know that the public key it holds really came from B? The only way to settle this is through a trusted third party, a certificate authority (CA). A wants to send data to B; B first sends its public key to the CA, and the CA confirms with B that this is indeed the key B sent. The CA then vouches for B's public key by issuing B a digital certificate, which contains B's public key and the CA's signature over it. B sends this certificate to A. A, seeing that the certificate carries a valid CA signature, can be sure the public key inside it is B's, and can confidently encrypt data with it and send it to B.

This moves the trust problem rather than removing it: A must already hold the CA's public key, obtained through a channel C could not tamper with, otherwise C could play the same substitution trick on the CA's key. In practice browsers and operating systems ship with the public keys of the root CAs preinstalled. A must also check that the name in the certificate is the name of the party it intends to talk to, since a genuine certificate issued to C is no proof that the key belongs to B.
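The exchange from sections 3.2 and the CA discussion above, as an added example (not code from the original article): a toy textbook RSA (no padding, not for real data) is used only so that the protocol logic can be run end to end offline. The parties A, B, C and the CA follow the text; the certificate format (name and key signed together) and the message "password=hunter2" are assumptions made for the example. The first scenario shows C reading A's message after substituting its own key; the second shows the three checks a CA signature makes possible: a genuine certificate is accepted, a certificate with a swapped key is rejected, and a genuine certificate issued to the wrong name is rejected too.

```python
"""Toy demonstration of public-key substitution and how a CA signature closes it (textbook RSA, no padding)."""
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and odd
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)): the public key and the private key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(pub, message: bytes) -> int:
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy (no padding, no hybrid encryption)")
    return pow(m, e, n)

def decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(priv, data: bytes) -> int:
    """Signature = hash^d mod n, produced with the signer's PRIVATE key."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data: bytes, signature: int) -> bool:
    """Checked with the signer's PUBLIC key."""
    n, e = pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def certificate_bytes(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(ca_priv, subject: str, pub) -> dict:
    """The CA binds a name to a public key by signing both together (after checking the subject's identity)."""
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, certificate_bytes(subject, pub))}

def certificate_is_valid(ca_pub, cert: dict, expected_subject: str) -> bool:
    """What A must check: a CA signature over the key AND the name A meant to talk to."""
    return cert["subject"] == expected_subject and verify(
        ca_pub, certificate_bytes(cert["subject"], cert["pub"]), cert["sig"])

def scenario_without_ca() -> bytes:
    """C intercepts B's public key in transit and hands A its own instead."""
    _b_pub, _b_priv = generate_keypair()                    # B's key pair; its public key never reaches A
    c_pub, c_priv = generate_keypair()
    key_a_received = c_pub                                  # substituted on the wire by C
    ciphertext = encrypt(key_a_received, b"password=hunter2")   # A believes this goes to B
    return decrypt(c_priv, ciphertext)                      # C reads it; B never could

def scenario_with_ca() -> dict:
    """A holds the CA's public key in advance (as a browser holds root certificates)."""
    ca_pub, ca_priv = generate_keypair()
    b_pub, b_priv = generate_keypair()
    b_cert = issue_certificate(ca_priv, "B", b_pub)
    c_pub = generate_keypair()[0]
    forged = dict(b_cert, pub=c_pub)                        # C swaps the key but cannot re-sign as the CA
    c_cert = issue_certificate(ca_priv, "C", c_pub)         # a genuine CA certificate, but for the wrong name
    result = {
        "genuine_accepted": certificate_is_valid(ca_pub, b_cert, "B"),
        "forged_accepted": certificate_is_valid(ca_pub, forged, "B"),
        "wrong_name_accepted": certificate_is_valid(ca_pub, c_cert, "B"),
    }
    ciphertext = encrypt(b_cert["pub"], b"password=hunter2")   # A now encrypts with the certified key
    result["b_reads"] = decrypt(b_priv, ciphertext)
    return result
```

Calling scenario_without_ca() returns the plaintext as recovered by C; scenario_with_ca() returns a dict in which only the genuine certificate is accepted and B reads the message. The wrong-name case is exactly why the certificate generated in section 4.1 must carry the host name the browser will use.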

IV. HTTPS connector

With the encryption principle in hand, look at how the browser and the server interact. If the browser wants to encrypt data before sending it to the server, what has to happen? The server must first present a digital certificate to the browser; once the browser has the certificate it can use the public key inside it to encrypt data. (Strictly, the browser uses that public key to authenticate the server and agree on a shared session key, and the data itself is then encrypted with a symmetric cipher, which is why both kinds of encryption from section III matter here.) So to get encrypted transmission between browser and server, first generate a digital certificate for the server, then configure the server so that it presents the certificate to the browser when a request arrives.

4.1. Generate a digital certificate for the Tomcat server

Sun (now Oracle) ships a tool for creating certificates, keytool, with the JDK (since at least JDK 1.4); it is located at <JAVA_HOME>\bin\keytool.exe.

    keytool -genkey -alias tomcat -keyalg RSA

This uses keytool to generate an RSA key pair and a self-signed certificate under the alias tomcat, stored in the .keystore keystore. keytool prompts for a keystore password (123456 in this article, which must match keystorePass in server.xml later) and for the certificate's distinguished name; answer the "first and last name" (CN) prompt with the host name the browser will use, localhost here, otherwise the browser reports a name mismatch even after the certificate has been trusted. Newer JDKs call this subcommand -genkeypair, and older ones default to a 1024-bit key, so pass -keysize 2048 explicitly.

  

After the command runs, a .keystore file is created in the operating system's user home directory, as shown:

  

Use the command below to list all certificates in the .keystore keystore:

    keytool -list -keystore .keystore

  

4.2. Configure the HTTPS connector

Copy the generated .keystore file into the conf directory of the Tomcat server, as shown:

  

Then edit the server.xml file and configure the HTTPS connector with the following:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/.keystore" keystorePass="123456" />

server.xml now contains an encrypted connector on port 8443. When a browser accesses port 8443 it talks to the web server over an encrypted channel: the connector presents the digital certificate to the browser, and the browser uses the public key in it to encrypt data. keystoreFile="conf/.keystore" gives the path of the keystore file (relative paths are resolved against the Tomcat installation directory, $CATALINA_BASE); the server needs a password to read the certificate out of the keystore, and keystorePass="123456" supplies it. This password sits in cleartext in server.xml, so restrict read access to that file. Attribute names in server.xml are case-sensitive: write SSLEnabled, keystoreFile and keystorePass exactly as shown.
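As an added example (not code from the original article or from Tomcat), a small Python script that reads a server.xml the way section II describes Tomcat doing it (Server, Service, Connectors, Engine, Hosts) and then audits each connector along the lines of sections III and 4.2: which connectors are encrypted, where the keystore password sits, and where cleartext traffic is redirected. The embedded SERVER_XML is a constructed copy of the configuration shown in this article with Tomcat's camelCase attribute names; the findings it reports are observations about that text, not a vulnerability scanner's verdict.

```python
"""Walk a server.xml the way Tomcat does at startup (Server > Service > Connector/Engine > Host)
and audit each Connector's encryption settings."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed copy of the server.xml discussed in the text (camelCase attribute names as Tomcat expects).
SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/.keystore" keystorePass="123456" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def describe_structure(xml_text: str) -> dict:
    """Server -> Services -> (Connectors, Engine -> Hosts): the request path from section II."""
    server = ET.fromstring(xml_text.encode("utf-8"))
    if server.tag != "Server":
        raise ValueError("root element must be <Server>")
    services = []
    for service in server.findall("Service"):
        engine = service.find("Engine")
        services.append({
            "name": service.get("name"),
            "connector_ports": [c.get("port") for c in service.findall("Connector")],
            "engine": None if engine is None else engine.get("name"),
            "default_host": None if engine is None else engine.get("defaultHost"),
            "hosts": [] if engine is None else [h.get("name") for h in engine.findall("Host")],
        })
    return {"shutdown_port": server.get("port"), "services": services}


def audit_connectors(xml_text: str) -> list[dict]:
    """Classify each Connector as encrypted or cleartext and note what a reviewer should look at."""
    server = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for c in server.iter("Connector"):
        protocol = c.get("protocol", "HTTP/1.1")
        encrypted = c.get("SSLEnabled", "false").lower() == "true"
        issues = []
        if encrypted:
            if c.get("keystorePass") is not None:
                issues.append("keystorePass is stored in cleartext in server.xml; restrict read access to the file")
            if c.get("clientAuth", "false").lower() == "false":
                issues.append("clientAuth=false: only the server is authenticated, clients present no certificate")
        elif c.get("redirectPort") is None:
            issues.append(f"{protocol} connector with no redirectPort: requests that require "
                          "confidentiality cannot be redirected to HTTPS")
        else:
            issues.append(f"{protocol} connector sends data in the clear unless redirected "
                          f"to port {c.get('redirectPort')}")
        findings.append({"port": c.get("port"), "protocol": protocol,
                         "encrypted": encrypted, "issues": issues})
    return findings


if __name__ == "__main__":
    print(describe_structure(SERVER_XML))
    for finding in audit_connectors(SERVER_XML):
        print(finding["port"], "encrypted" if finding["encrypted"] else "cleartext", finding["issues"])
```

Point both functions at the contents of a real conf/server.xml to get the same report for a deployed server; the 8080 and 8009 connectors in this article are the cleartext ones, and 8443 is the only connector that presents the certificate from section 4.1.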

Use "https://localhost:8443/" to access the encrypted connector on port 8443:

  

Because the certificate in the keystore was generated by hand and not issued by a CA, accessing the 8443 connector at "https://localhost:8443/" makes the browser display "Certificate error, navigation blocked": the browser considers the host being accessed unsafe and advises against continuing. Clicking through allows access anyway, as shown:

  

4.3. Install the digital certificate

For the browser to trust the certificate we generated, the certificate has to be installed into the browser. Taking IE8 as an example, the installation steps are as follows. Note that installing it into the Trusted Root Certification Authorities store makes that key trusted for anything it signs, so only do this with a test certificate you generated yourself, and remove it again afterwards (section 4.4):

  

After the certificate is installed, restart IE and access the 8443 connector with "https://localhost:8443/"; the browser no longer reports a certificate error, as shown:

  

4.4. Delete the digital certificate

Taking IE8 as an example, the steps are: Tools -> Internet Options

  

  

Restart the browser after deleting the certificate.

