Mac Tomcat HTTPS

first, HTTPS basic principle of work:

HTTPS requires a handshake between the client (browser) and the server (web Site) before transmitting the data, which establishes the password information for both parties to encrypt the transmitted data during the Handshake. TLS/SSL protocol is not only a set of encrypted transmission protocols, but also an artist-designed artwork, Tls/ssl using asymmetric encryption, symmetric encryption and hash algorithm. A brief description of the handshake process is as follows:

1. The browser sends a set of encryption rules that it supports to the web Site.

2. The website selects a set of cryptographic algorithms and hash algorithms, and sends its own identity information back to the browser in the form of a Certificate. The certificate contains information such as the website address, the encrypted public key, and the issuing authority of the Certificate.

3. After obtaining the website certificate, the browser will do the following tasks:

A) verify the legality of the certificate (the issuing authority is legal, the certificate contains the address of the website is consistent with the address being accessed, etc.), if the certificate is trusted, the browser bar will display a small lock, otherwise the certificate is not trusted to Prompt.

B) If the certificate is trusted, or if the user accepts an untrusted certificate, the browser generates a random number of passwords and encrypts them with the public key provided in the Certificate.

C) use the agreed hash to calculate the handshake message and encrypt the message using the generated random number (password), and then send all previously generated information to the Web Site.

4. After the Web site receives the data from the browser, do the following:

A) use your own private key to decrypt the information to remove the password, use the password to decrypt the Browser's handshake message, and verify that the hash is consistent with the Browser.

B) encrypt a handshake message with a password and send it to the Browser.

5. The browser decrypts and calculates the hash of the handshake message, if it is consistent with the hash of the server, at which point the handshake process ends, and all the communication data will be encrypted by the random password generated by the previous browser and using the symmetric encryption Algorithm.

Here the browser and the Web site to send encrypted handshake message and verify, The purpose is to ensure that both sides have obtained a consistent password, and can be normal encryption and decryption of data, for the subsequent transmission of real data to do a Test. In addition, HTTPS generally uses the encryption and hashing algorithm as Follows:

Asymmetric Encryption Algorithm: RSA,DSA/DSS

Symmetric encryption Algorithm: Aes,rc4,3des

Hash algorithm: md5,sha1,sha256

The asymmetric encryption algorithm is used to encrypt the generated password during the handshake, and the symmetric encryption algorithm is used to encrypt the data that is actually transmitted, while the hash algorithm is used to verify the integrity of the Data. Because the password generated by the browser is the key to the entire data encryption, the asymmetric encryption algorithm is used to encrypt it at the time of Transmission. Asymmetric encryption algorithms generate public and private keys, the public key can only be used to encrypt data, so can be transferred at will, and the Web Site's private key is used to decrypt the data, so the site will be very careful to keep their private keys to prevent leakage.

If there are any errors during the TLS handshake, the encrypted connection will be disconnected, thereby preventing the transfer of private Information.

second, the Server-side certificate generation:

Open the terminal on your Mac and use Keytool to generate a certificate for tomcat, assuming the domain name of the target machine is "localhost" and the KeyStore file is stored in the "/users/username/work/ca/" directory, named "tomcat.keystore" , using "RSA" encryption, the password is "password", the expiration time is 100 years, using the following command to Generate:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore/users/user name /work/ca/tomcat.keystore -validity 36500   

(the parameter Brief description: "/users/username/work/ca/tomcat.keystore" is the certificate file save path, The certificate file name is tomcat.keystore; "-validity 36500" means the certificate validity period, 36500 means 100 years, The default is 90 days "tomcat" for the custom certificate name).
Fill in the necessary parameters at the command line:
A, Enter KeyStore password: Here you need to enter a string greater than 6 Characters.
B, "what is your first and last name?" "this is required and must be the domain name of the Tomcat deployment host or ip[, such as: gbcom.com or 10.1.25.251] (which is the access address you will enter in the browser), or the browser will pop up a warning window prompting the user certificate to not match the domain in which it resides. When you do the development test locally, you should fill in "localhost".
C, What is the name of your organizational unit? "," What is your organization name? "," What is your city or region name? "," What is the name of your state or province? "," What is the Two-letter country code for this unit? "can be filled in as needed or can not fill in the direct return, the system asked" correct? ", Enter the letter" y "with the keyboard if required, otherwise enter" n "to re-fill the Information.
D, Enter the master password, This is more important, will be used in the Tomcat configuration file, the recommended input and KeyStore password consistent, set other password can also, after completing the above input, the direct return to the location you defined in the second step to find the generated File.

third, the client certificate generation:

Generate a certificate for your browser so that the server can verify it. In order to successfully import the certificate into IE and firefox, the certificate format should be PKCS12, so use the following command to Generate:

-genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore /Users/用户名/工作/CA/mykey.p12

(mykey is Custom)
The corresponding certificate inventory is placed in "/users/username/work/ca/mykey.p12" and the Client's cn can be any Value. Double-click the Mykey.p12 file to import the certificate into the browser (client).

Iv. server-side Trust Client Certificate:

Because it is a two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added as the Server's trust Authentication. Because you cannot directly import a certificate library in the PKCS12 format, you must first export the client certificate as a separate CER file, using the following command:

-export -alias mykey -keystore /Users/用户名/工作/CA/mykey.p12 -storetype PKCS12 -storepass password -rfc -file /Users/用户名/工作/CA/mykey.cer

(mykey is custom-defined MyKey to the client, password is the password you set). With the above command, the client certificate is exported to the "/users/username/work/ca/mykey.cer" File.
The next step is to import the file into the Server's Certificate library and add the command as a trusted certificate using the following commands:

-import -v -file /Users/用户名/工作/CA/mykey.cer -keystore /Users/用户名/工作/CA/tomcat.keystore

With the list command to view the Server's certificate library, you can see two certificates, one server certificate and one trusted client certificate:

-list -keystore /Users/用户名/工作/CA/tomcat.keystore

(tomcat sets the Server-side certificate name for you).

V. Client-side Trust Server Certificate:

Because it is two-way SSL authentication, the client also validates the server certificate, so the server certificate must be added to the Browser's trusted root certification Authorities. Because you cannot directly import a certificate library in the KeyStore format, you must first export the server certificate as a separate CER file, using the following command:

-keystore /Users/用户名/工作/CA/tomcat.keystore -export -alias tomcat -file /Users/用户名/工作/CA/tomcat.cer

(tomcat sets the Server-side certificate name for you).
With the above command, the server certificate is exported to the "/users/username/work/ca/tomcat.cer" File. Double-click the Tomcat.cer file, follow the prompts to install the certificate, and fill in the certificate to Trusted root certification Authorities.

Vi. Configure the Tomcat server to support Https:

1. Open The/conf/server.xml under the Tomcat root directory, find the connector port= "8443" configuration section, Remove the comments and modify the Following:

<Connectorport="8443"Protocol="org.apache.coyote.http11.Http11Protocol"maxthreads= "sslenabled=" true " scheme=" "https" secure="true" clientauth= "true" sslprotocol= "TLS" keystorefile="/users/username/work/ca/tomcat.keystore"  keystorepass="password" truststorefile="/users/user name/work/ca/tomcat.keystore" truststorepass= "password"/>                  

2. open/conf/web.xml, and at last add the following to make HTTPS mandatory access:

    <Login-config><Auth-method>client-cert</Auth-method><Realm-name>client Cert users-only Area</Realm-name></Login-config><Security-constraint><web-resource-collection > < Web-resource-name >ssl</web-resource-name> <url-pattern>/*</ url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>confidential</ transport-guarantee> </user-data-constraint> </security-constraint>       

This allows Tomcat to support SSL bidirectional Authentication.

Here to Note:
1, Tomcat6 in protocol= "http/1.1",
Protocol= "org.apache.coyote.http11.Http11Protocol" in tomcat7;
2, If you want to test with eclipse, you must modify the Servers folder under the Eclipse working directory (workspace) under the Tomcat configuration file to take effect, modify the Tomcat real directory configuration file is not valid, remember!
3, server.xml file Non-ssl Connector can not be deleted, after deletion tomcat can not start, will report time-out error, remember!
4, If only support client authentication service side to change the ClientAuth to False.

Mac Tomcat HTTPS