[Reprinted] How to Implement HTTPS secure connection in Tomcat

Source: Internet
Author: User

SSL introduction SSL or Secure Socket Layer is a technology that allows web browsers and web servers to communicate through a secure connection. This means that the sent data is translated into a password at one end, sent out, unlocked at the other end, and then processed. This is a two-way process, that is, both the browser and the server need to encrypt the data before sending it. Another important aspect of the SSL protocol is authentication ). This means that when you try to communicate with a web server through a secure connection, the server will ask your browser to present a set of certificates, the "authentication" method proves that this is the website you declare. In some cases, the server will also require your web browser certificate to prove that you are the one you mentioned. This is known as "customer authentication", although in actual situations, it is more used for business-to-business (B2B) transactions than for individual users. However, most SSL-enabled web servers do not require client authentication ). In order to implement SSL, a Web server must have a certificate (certificate) for each external interface (IP address) that accepts secure connections ). The theory of this design is that a server must provide a reasonable guarantee to prove that the host of the server is the one you think. This certificate indicates the company associated with the website and some basic contact information of the website owner or system administrator. This certificate is signed by everyone using a password, and it is very difficult for others to forge it. For websites that conduct e-commerce or any business transaction that is essential to identity authentication, the certificate should be issued to the well-known Certification Authority (CA )) for example, Verisign or thawte. This certificate can be proved by electronic technology. In fact, the certification authority will guarantee the authenticity of the certificate it issued. If you trust the authority that issued the certificate, you can believe that the certificate is valid. In many cases, authentication is not really worrying. The system administrator may only want to ensure that the data transmitted and received by the server is confidential and will not be stolen by the leader on the connection line. Fortunately, Java provides a relatively simple command line tool called keytool, which can generate a "self-signed" certificate. A self-signed certificate is only a user-generated certificate. It has not been officially registered with the well-known authentication authority. Therefore, it cannot be ensured. But it can ensure the security of data transmission. Authentication may be important, maybe not. It depends entirely on the needs of the website. To configure SSL using tomcat, follow these two steps:

I. Generate a certificate

1. Run % java_home % \ bin \ keytool-genkey-alias tomcat-keyalg RSA in the command line. In this command, keytool is a built-in JDK certificate generation tool. Run RSAAlgorithmAs the main security algorithm, this ensures compatibility with other servers and components. This command will generate a new file named ". keystore" in your home directory. After the command is executed, you must first display the keystore password. The default password for Tomcat is "changeit" (all in lower case). If you want to use it, you can specify your own password. You also need to specify your password in the server. xml configuration file, which will be described later.

2. You will be asked to provide general information about the certificate, such as the company name and contact name. This information will be displayed to those who attempt to access youProgramTo ensure that the information provided here corresponds to what they expect.

3. You will be asked to display the key password, which is the unique password of the certificate (different from other certificates stored in the same keystore file ). You must use the same password as the keystore password here. (Currently, keytool prompts you to press enter to automatically help you do this ). If everything goes well, you now have a keystore file that can be used by your server.

2. Configure Tomcat

The second step is to configure the secure socket in the $ catalina_home/CONF/server. xml file. $ Catalina_home indicates the directory where Tomcat is installed. In one example, the <connector> element of the SSL connector is included in the default server. xml file installed with Tomcat. It looks like this:

$ Catalina_home/CONF/server. xml

<-- Define a SSL coyote HTTP/1.1 Connector on port 8443->

<! --

<Connection Port = "8443"

Minprocessors = "5"

Maxprocessors = "75"

Enablelookups = "true"

Disableuploadtimeout = "true"

Acceptcount = "100"

DEBUG = "0"

Scheme = "HTTPS"

Secure = "true ";

Clientauth = "false"

Sslprotocol = "TLS"/>

-->

The default form of the connector element is commented out, so you need to delete the annotation mark around it. Then, you can customize (set by yourself) specific attributes as needed. Generally, you need to add the keystorefile and keystorepass attributes to specify the path for storing the certificate (for example, keystorefile = "C :/. keystore ") and the password you just set (for example, keystorepass =" 123456 "). For more information about other options, see server configuration reference. After completing these configuration changes, you must restart tomcat, and then you can access any web applications supported by Tomcat through SSL.

The command must be as follows: https: // localhost: 8443

Bytes -----------------------------------------------------------------------------------------------------------

Put the generated key in the specified directory:

Java_home/bin/keytool-genkey-alias tomcat-keyalg RSA-keystore C: \ tomcat. Key

RelatedArticle: IBM http://www.ibm.com/developerworks/cn/security/se-tcssl/index.html

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.