Recently I had to configure SSL because we use CAS for single sign-on. The process is fairly simple; I am writing down what each step means so I don't forget it later.
Scenario: CAS single sign-on requires SSL. The server runs CentOS and the web container is Tomcat.
If you are the server side (the service provider), read the whole article.
If you are the client side (consuming the service), only Part 3 is needed.
Steps:
Suppose our Tomcat is installed at /opt/tomcat, and we create a new ssl directory under it to hold the certificate and keystore:
# mkdir -p /opt/tomcat/ssl && cd /opt/tomcat/ssl
1. First, generate the SSL certificate with the JDK's keytool tool. This takes three steps:
① Generate the keystore:
# keytool -genkey -alias ssologin -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3650
Note: changeit is the default password of the JDK's certificate store (cacerts).
② Export the certificate with alias ssologin from the keystore, producing the file server.crt:
# keytool -export -trustcacerts -alias ssologin -file server.crt -keystore server.keystore -storepass changeit
③ Import server.crt into the JRE's trusted certificate store:
# keytool -import -trustcacerts -alias ssologin -file server.crt -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
Note: on a Windows host use %JAVA_HOME%; on Linux use $JAVA_HOME.
2. Once the certificate is ready, configure Tomcat to support SSL.
Edit conf/server.xml; the SSL connector section is as follows, leave the rest untouched. Tomcat's attribute names are case-sensitive, so copy them exactly, and keystorePass must match the -storepass used above exactly, including case:
<Connector port="443" protocol="HTTP/1.1"
           connectionTimeout="5000" URIEncoding="UTF-8"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/tomcat/ssl/server.keystore"
           keystorePass="changeit"/>
After modification, restart Tomcat for the change to take effect.
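A small audit script for the connector above, added here as an example (it is not code from the original post or from Tomcat). It uses only the Python standard library and runs offline on two constructed server.xml fragments: one with attribute names lower-cased, as often happens when a connector is copied from a blog, and one spelled the way Tomcat expects. Tomcat drops an attribute whose name does not match exactly (logging a "did not find a matching property" warning), so a mis-cased sslenabled leaves the connector serving plain HTTP on 443. The script also flags the well-known default keystore password and a missing sslEnabledProtocols list. The attribute list, the placeholder password and the sample fragments are assumptions made for the example.

```python
"""Audit the SSL Connector in a Tomcat server.xml (added example, not part of the original post).

Tomcat matches Connector attribute names exactly: an attribute written as
``sslenabled`` is not ``SSLEnabled`` and is dropped with only a log warning, so a
connector that looks like HTTPS in the file can end up serving plain HTTP on 443.
Runs offline on the two constructed server.xml fragments below.
"""
import xml.etree.ElementTree as ET

# Exact spellings of the HTTP/1.1 connector attributes used on this page plus a few
# common TLS ones (assumed list for the example). A tuple, so findings have a stable order.
KNOWN_ATTRS = (
    "port", "protocol", "connectionTimeout", "URIEncoding", "scheme", "secure",
    "SSLEnabled", "clientAuth", "sslProtocol", "sslEnabledProtocols", "ciphers",
    "keystoreFile", "keystorePass", "keystoreType", "redirectPort",
)
# SSLEnabled turns on TLS; scheme and secure tell the web application it is HTTPS.
REQUIRED_TLS_ATTRS = (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true"))
DEFAULT_KEYSTORE_PASSWORD = "changeit"  # JDK cacerts default, also Tomcat's default keystorePass


def audit_connector(conn):
    """Return a list of findings for one <Connector> element (empty list = nothing to report)."""
    findings = []
    attrs = conn.attrib
    by_lower = {name.lower(): name for name in attrs}

    # 1. Names that differ from a known attribute only by case are dropped by Tomcat.
    for known in KNOWN_ATTRS:
        actual = by_lower.get(known.lower())
        if actual is not None and actual != known:
            findings.append(f"attribute '{actual}' is ignored by Tomcat; spell it '{known}'")

    # 2. Without these three, exactly spelled, the connector is not an HTTPS connector.
    for name, want in REQUIRED_TLS_ATTRS:
        if attrs.get(name, "").lower() != want:
            findings.append(f"{name} should be '{want}' (got {attrs.get(name)!r})")

    # 3. Keystore password left at the well-known default (compared case-insensitively,
    #    since 'Changeit' in a config almost always means the author meant the default).
    pw_name = by_lower.get("keystorepass")
    if pw_name is not None and attrs[pw_name].lower() == DEFAULT_KEYSTORE_PASSWORD:
        findings.append("keystorePass is the well-known default 'changeit'")

    # 4. sslProtocol="TLS" alone leaves the JVM's default protocol list in force;
    #    sslEnabledProtocols pins which versions the connector will offer.
    if "sslEnabledProtocols" not in attrs:
        findings.append("sslEnabledProtocols not set; JVM defaults decide which TLS versions are offered")
    return findings


def audit_server_xml(xml_text):
    """Audit every Connector on port 443 or carrying any SSLEnabled-like attribute.

    Returns {port: [findings]}. Element names are matched exactly, as Tomcat does.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if port == "443" or "sslenabled" in (k.lower() for k in conn.attrib):
            results[port] = audit_connector(conn)
    return results


# Constructed sample: the connector as it appears when copied with the attribute
# names lower-cased.
AS_PASTED = """<Server><Service name="Catalina">
<Connector port="443" protocol="HTTP/1.1"
           connectiontimeout="5000" uriencoding="UTF-8"
           scheme="https" secure="true" sslenabled="true"
           clientauth="false" sslprotocol="TLS"
           keystorefile="/opt/tomcat/ssl/server.keystore"
           keystorepass="changeit"/>
</Service></Server>"""

# Constructed sample: the same connector with Tomcat's exact attribute names, a pinned
# protocol list and a placeholder non-default password.
CORRECTED = """<Server><Service name="Catalina">
<Connector port="443" protocol="HTTP/1.1"
           connectionTimeout="5000" URIEncoding="UTF-8"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           keystoreFile="/opt/tomcat/ssl/server.keystore"
           keystorePass="REPLACE-WITH-A-REAL-PASSWORD"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml_text in (("as pasted", AS_PASTED), ("corrected", CORRECTED)):
        for port, findings in audit_server_xml(xml_text).items():
            print(f"[{label}] port {port}: {len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

Run it against your real conf/server.xml by reading the file into audit_server_xml; the lower-cased sample produces ten findings, the corrected one none.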
Before going live, remember to open port 443 in the firewall. On CentOS the iptables configuration is as follows:
# vi /etc/sysconfig/iptables
Add the following rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Remember to restart iptables after the change:
# service iptables restart
After iptables restarts, you can open https://your.domain.com in the browser.
3. Tomcat as an SSL client
If our application acts as a client talking to the server on which SSL was enabled above, we must install the server certificate into the JRE's trusted list on the client.
The steps are: distribute the server.crt generated in Part 1 to every client that needs it, then import it with keytool into that client's JRE trusted list, for example:
# keytool -import -trustcacerts -alias ssologin -file server.crt -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
Note: my machine here is Windows, hence %JAVA_HOME%; this import is the same as step ③ of Part 1.
4. Other certificate-related commands that may be useful
① List the certificates present in the system truststore:
# keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
For the certificate added in this article you will find a line like this:
ssologin, 2014-9-4, trustedCertEntry,
Certificate fingerprint (MD5): 12:3b:02:6f:78:6e:a6:d3:ab:96:ca:63:7d:7b:55:04
② Delete the certificate with alias ssologin from the system truststore:
# keytool -delete -alias ssologin -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
# keytool -delete -alias ssologin -storepass changeit
(The second form, without -keystore, acts on the default keystore $HOME/.keystore rather than on cacerts.)
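The listing format shown above is the natural place to verify that step ③ (and the client import in Part 3) actually did what was intended: the alias is present as a trusted entry, and its fingerprint matches the one keytool -printcert -file server.crt reports for the file you meant to trust. The following parser is an added example, not code from the original post or from the JDK; the listing it parses is constructed (the ssologin line from above plus a made-up root CA entry with a placeholder alias and fingerprint), and the entry-type names and the English-locale date form are the ones keytool prints.

```python
"""Parse `keytool -list` output and confirm an import (added example, not part of the original post).

keytool prints two lines per entry, as shown above:
    <alias>, <date>, <entry type>,
    Certificate fingerprint (<algo>): xx:xx:...
The date format follows the JDK locale, so both the Chinese-locale form (2014-9-4)
and the English form (Sep 4, 2014) are accepted. Newer JDKs print SHA1 or SHA-256
fingerprints instead of MD5; the algorithm name is kept with the value.
"""
import re

# "<alias>, <date>, <entry type>,"  -- the date may itself contain a comma.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*"
    r"(?P<type>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),\s*$",
    re.IGNORECASE,
)
# "Certificate fingerprint (MD5): 12:3B:..."
FP_RE = re.compile(
    r"^Certificate fingerprint \((?P<algo>[A-Za-z0-9-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)\s*$",
    re.IGNORECASE,
)


def parse_keytool_list(text):
    """Return {alias: {"date", "type", "fingerprints": {ALGO: lowercase hex}}} for a listing."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = m.group("alias").strip().lower()  # JKS aliases are case-insensitive
            entries[current] = {"date": m.group("date"), "type": m.group("type"), "fingerprints": {}}
            continue
        m = FP_RE.match(line)
        if m and current is not None:
            entries[current]["fingerprints"][m.group("algo").upper()] = m.group("fp").lower()
    return entries


def check_import(list_output, alias, expected_fp=None):
    """Confirm `alias` is present as a trusted certificate, optionally with a given fingerprint.

    expected_fp is the colon-separated fingerprint printed by `keytool -printcert -file
    server.crt` (any algorithm keytool prints); matching it guards against having
    imported the wrong file under the right alias. Returns (ok, message).
    """
    entries = parse_keytool_list(list_output)
    entry = entries.get(alias.lower())
    if entry is None:
        return False, f"alias '{alias}' not found in the listing"
    if entry["type"].lower() != "trustedcertentry":
        return False, f"alias '{alias}' is a {entry['type']}, not a trusted certificate"
    if expected_fp is not None and expected_fp.lower() not in entry["fingerprints"].values():
        return False, f"fingerprint mismatch for '{alias}': listing has {entry['fingerprints']}"
    return True, f"alias '{alias}' present as trustedCertEntry dated {entry['date']}"


# Constructed listing: the ssologin entry from the post above plus one made-up root CA
# entry (placeholder alias and fingerprint) in the English date format.
SAMPLE_LIST_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

ssologin, 2014-9-4, trustedCertEntry,
Certificate fingerprint (MD5): 12:3B:02:6F:78:6E:A6:D3:AB:96:CA:63:7D:7B:55:04
examplerootca, Sep 4, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

if __name__ == "__main__":
    ok, msg = check_import(SAMPLE_LIST_OUTPUT, "ssologin",
                           "12:3b:02:6f:78:6e:a6:d3:ab:96:ca:63:7d:7b:55:04")
    print(ok, msg)
```

In practice you would feed it the output of the keytool -list command from ① (for example via subprocess.run) and pass the fingerprint that keytool -printcert shows for your server.crt; a mismatch means the alias exists but trusts some other certificate.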