Configuring Tomcat with SSL support on Linux (2)

Source: Internet
Author: User
Tags: dname, openssl, x509, pkcs12, ftp, client, ssl, connection
I. Configure the environment
1.1 Tomcat Introduction

Tomcat is one of the sub-projects of Apache Jakarta. It is an excellent open-source web application server that fully supports the JSP 1.2 and Servlet 2.3 specifications. Because it is technically advanced, stable and free of charge, it is favored by Java enthusiasts and recognized by a number of software vendors, and it has become a popular web application server.
1.2 Introduction to SSL (Secure Sockets Layer)

Information sent across a network passes through other computers on its way from the source host to the destination host. Normally those intermediate computers do not listen to the traffic passing through them, but when you use online banking or make credit card payments the traffic can be monitored and private data leaked. Because of the way the Internet and intranets are built, someone on the path can read, and even replace, the information a user sends. As online payment has spread, users have demanded more and more from information security, so Netscape proposed the SSL protocol for transmitting information securely over an open network (the Internet). The protocol has since been used throughout the web.
Later the IETF standardized SSL as RFC 2246 and renamed it TLS (Transport Layer Security). Technically, the difference between TLS 1.0 and SSL 3.0 is very small.

1.3 How SSL works

The SSL protocol uses public-key (asymmetric) cryptography to authenticate the two parties and to agree on keys, and symmetric encryption to protect the data they exchange, so the transmitted information is confidential and integrity-protected and each party can verify the identity of the other. Unlike plain HTTP, an SSL-secured connection to a website uses the HTTPS protocol, that is, the site is accessed as https://ip:port/.

When a browser establishes an HTTPS connection with a website, the browser and the web server first perform a handshake that authenticates the parties and exchanges keys; only then is the secure connection established. The process is as follows:

1. The browser sends the server its SSL version number, the cipher suites (encryption parameters) it supports, a random value and other session data.
2. The server replies with the SSL version and cipher suite it has chosen, its own random value and other session data, and sends the server certificate to the browser. If the server is configured to verify the user's identity, it also sends a request asking the browser to present a client certificate.
3. The client checks the server certificate: is it signed by a CA the browser trusts, is it still valid, and was it issued to the host being contacted? If the check fails, the browser reports that an SSL connection cannot be established; otherwise it continues.
4. The browser generates a pre-master secret for this session, encrypts it with the public key from the server certificate and sends it to the server.
5. If the server requested client authentication, the client signs data derived from the handshake messages with its own private key and sends the signature together with its client certificate.
6. If the server requested client authentication, it checks whether the CA that signed the client certificate is trusted and whether the signature verifies; if not, it ends the session. If the checks pass, the server decrypts the received pre-master secret with its private key, and both sides derive the master secret for this session from it.
7. Client and server both use the master secret to derive the session keys (symmetric keys) that protect every message sent after the handshake. Symmetric encryption costs at least an order of magnitude less computation than public-key encryption, which is why the public key is used only to set up the session and not to encrypt the traffic itself.
8. The client tells the server that all subsequent messages will be encrypted with the session key, then sends a final encrypted message announcing that its side of the handshake is complete.
9. The server tells the client the same, and sends its own final encrypted message announcing that the handshake is complete.
10. The handshake is finished and the session is established. Both sides use the same session keys to encrypt what they send and decrypt what they receive.
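The description above says the pre-master secret is turned into the master secret and then into session keys "through some algorithms" without naming them. For the TLS 1.0 standardized in RFC 2246, the algorithm is the TLS PRF (section 5 of the RFC), applied once with the label "master secret" and once with "key expansion". The following Python is an added example written for this page, not code from the original article or from Tomcat or JSSE; it assumes the RSA key exchange described above, and the client random, server random and pre-master secret it uses are constructed inline, not captured from a real session.

```python
import hashlib
import hmac
import os


def p_hash(digest, secret, seed, length):
    """P_hash of RFC 2246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (the halves share the middle byte when the length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash(hashlib.md5, s1, label + seed, length)
    sha1_stream = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def rsa_pre_master_secret(client_version=b"\x03\x01"):
    """What the browser encrypts to the server's public key: the protocol version
    it offered, then 46 random bytes (RFC 2246, 7.4.7.1). The server compares the
    version bytes with ClientHello to detect a version-rollback attack."""
    return client_version + os.urandom(46)


def master_secret(pre_master_secret, client_random, server_random):
    """The 48-byte master secret both ends compute from the pre-master secret
    and the two handshake randoms (RFC 2246, 8.1)."""
    return tls10_prf(pre_master_secret, b"master secret",
                     client_random + server_random, 48)


def session_keys(master, client_random, server_random, mac_len, key_len, iv_len):
    """Split the key block into per-direction MAC keys, cipher keys and IVs
    (RFC 2246, 6.3). The randoms are concatenated server-first here, the
    opposite order to the master-secret step."""
    layout = (("client_write_mac", mac_len), ("server_write_mac", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len))
    block = tls10_prf(master, b"key expansion", server_random + client_random,
                      sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name] = block[pos:pos + n]
        pos += n
    return keys


def derive_aes128_sha(pre_master_secret, client_random, server_random):
    """Complete key schedule for TLS_RSA_WITH_AES_128_CBC_SHA: 20-byte HMAC-SHA1
    keys, 16-byte AES keys, 16-byte CBC IVs."""
    ms = master_secret(pre_master_secret, client_random, server_random)
    return ms, session_keys(ms, client_random, server_random, 20, 16, 16)


if __name__ == "__main__":
    # Constructed stand-ins for the 32-byte ClientHello.random and
    # ServerHello.random, and a fixed pre-master secret so the run repeats.
    c_rand, s_rand = bytes(range(32)), bytes(range(32, 64))
    pms = b"\x03\x01" + bytes(46)
    ms, keys = derive_aes128_sha(pms, c_rand, s_rand)
    print("master secret    ", ms.hex())
    for name, value in keys.items():
        print(f"{name:17s}", value.hex())
```

Two things the example makes visible that the prose does not: the server never sends the master secret, so an eavesdropper who lacks the server's RSA private key cannot recover it even with both randoms in hand, and the randoms enter the derivation, so replaying a captured encrypted pre-master secret into a new handshake yields different session keys.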
1.4 Required software packages
Tomcat 4.0.2
Purpose: web server.
JSSE 1.0.2
Purpose: the Java Secure Socket Extension that supplies the SSL implementation Tomcat 4 uses on JDK 1.3 (it is bundled with JDK 1.4 and later). The key pair itself is generated with the JDK's keytool, as shown in 2.2.1.
OpenSSL 0.9.6
Purpose: generate the CA certificate, sign the server and client requests, and produce the client's private key and certificate in PKCS #12 format so that IE can import them.
II. Configuration steps
2.1 create your own CA certificate
1. Create your own CA directory under the apps directory of OpenSSL, for example mageca

mkdir mageca

2. Generate the CA private key

openssl genrsa -out mageca/ca-key.pem 1024

genrsa [key generation command] -out [key file output path] 1024 [key length in bits]

[Note] This writes the CA key unencrypted. The CA key is the root of trust for every certificate below, so keep it on a machine that is not reachable from the network, restrict its file permissions, and prefer encrypting it (genrsa -des3, or -aes256 on later releases). 1024-bit keys and the MD5 or SHA-1 signatures that old OpenSSL and keytool releases default to are rejected by current browsers and by OpenSSL at its default security level; for anything beyond a lab, use 2048 bits or more and sign with -sha256.

3. Generate the certificate signing request

openssl req -new -out mageca/ca-req.csr -key mageca/ca-key.pem

req [certificate request command] -new [create a new request] -out [request file output path] -key [private key file path]

4. Self-sign the request with the CA private key

openssl x509 -req -in mageca/ca-req.csr -out mageca/ca-cert.pem -signkey mageca/ca-key.pem -days 365

x509 [X.509 certificate command] -req [the input is a certificate request] -in [request file path] -out [output path of the X.509 certificate] -signkey [key file used for self-signing] -days [certificate validity period in days]. When the same command is used later to sign other requests, -CA [issuing CA certificate], -CAkey [CA private key file] and -CAcreateserial [create the serial-number file if it does not exist yet] take the place of -signkey.

[Note] Copy the automatically generated files into the CA directory you created.

2.2 configure Tomcat 4.x
2.2.1 create a server certificate
[Note] In this document, %jdk_home% denotes the JDK installation directory and %tcat_home% the Tomcat installation directory.

1. Create a working directory

Create your own server directory under the bin directory of %jdk_home%, for example server

mkdir server

2. Generate the server key pair

%jdk_home%/bin/keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "CN=localhost, OU=Department, O=Company, L=Beijing, ST=Beijing, C=CN" -keystore server/server_keystore

-genkey [generate a key pair] -alias [key pair alias] -validity [validity period in days] -keyalg [key algorithm] -keysize [key length in bits] -keypass [password protecting the private key] -storepass [keystore password] -dname [distinguished name recorded in the certificate] -keystore [keystore file path]

[Note] tomcat_server after -alias is the name of the key pair and can be replaced with any name you need.

The changeit after -keypass and -storepass is the password; keytool requires at least six characters. Replace it with your own password. Tomcat 4 expects the key password and the keystore password to be identical, which is why both are changeit here.

-dname gives the server's details. CN is the name of the server and must be exactly the host name users type in the URL (localhost here); otherwise the browser warns that the certificate does not match the site.

3. Generate the certificate signing request

%jdk_home%/bin/keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server/server.csr -keypass changeit -keystore server/server_keystore -storepass changeit

-certreq [generate a certificate signing request] -alias [alias of the key pair] -sigalg [signature algorithm for the request] -file [request file output path] -keypass [key password] -keystore [keystore file path] -storepass [keystore password]

[Note] MD5withRSA is what the JDK of the time defaulted to; on any JDK that supports it, use SHA256withRSA. The signature algorithm that ends up in the issued certificate is chosen by the signer (the openssl command below), not by the request, so sign with -sha256 where your OpenSSL supports it.

4. Sign with the CA private key

openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA mageca/ca-cert.pem -CAkey mageca/ca-key.pem -CAcreateserial -days 365

[Note] -CAcreateserial is needed the first time this CA signs a request: it creates the mageca/ca-cert.srl file that holds the next serial number, and without it OpenSSL refuses to sign because the serial file does not exist yet. FTP the generated server.csr file to the server subdirectory under the OpenSSL directory on Linux, using binary transfer mode. Only the request and the resulting certificate need to travel, and neither contains a secret; never move the CA private key, and prefer scp or sftp to FTP, which sends everything in clear.

2.2.2 import CA root certificate and server certificate to Tomcat
1. Import the CA root certificate

FTP the CA root certificate (ca-cert.pem) to the ca subdirectory under the Java working directory.

%jdk_home%/bin/keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca/ca-cert.pem -keystore %jdk_home%/jre/lib/security/cacerts

-import [import command] -v [verbose output] -trustcacerts [also consult the cacerts store when building the certificate chain] -storepass [keystore password] -alias [alias to store the certificate under] -file [certificate file path] -keystore [keystore to import into]

[Note] The -storepass here is the default password of the JDK's cacerts store, "changeit". -alias is the alias of the CA root certificate. This step makes your CA trusted by the whole JDK and is required for the next step, because keytool only accepts a CA-signed certificate reply for a key pair if it can build a chain to a trusted CA. Do not leave a test CA in the cacerts of a production JDK.

2. Import the server certificate

FTP the server certificate (server-cert.pem) to the server subdirectory under the Java working directory.

%jdk_home%/bin/keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server/server-cert.pem -keystore server/server_keystore

[Note] -storepass is the password chosen when the key pair was generated. -alias must be the alias of the key pair (tomcat_server): importing under the key pair's alias installs the CA-signed certificate as the certificate reply for that key, replacing the self-signed certificate keytool created in step 2. Importing under a different alias would only add a trusted certificate, and Tomcat would keep presenting the self-signed one.

3. View the certificates

View the CA certificate

keytool -list -keystore %jdk_home%/jre/lib/security/cacerts

View the server certificate

keytool -list -keystore server/server_keystore

Adding -v prints the full chain; the tomcat_server entry should now show a chain of two certificates ending at your CA.

2.2.3 modify the tomcat configuration file
Modify the server.xml file in the conf directory: find the following content, remove the comment markers around it and edit the values.

<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="false"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="SSLServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="%tcat_home%/conf/server_keystore" keystorePass="changeit"/>
</Connector>

clientAuth="true" is what makes Tomcat demand a client certificate in the handshake; with "false" the connector still serves HTTPS but accepts any browser. keystorePass must be the -storepass (and -keypass) used in 2.2.1, and keystoreFile must point at the copied keystore (use an absolute path if the relative one is not resolved). The password sits in clear text in server.xml, so restrict read access to that file to the account Tomcat runs as. The package prefix of the Factory className is missing from the listing above; take the complete Factory line from the commented-out SSL connector example in the server.xml shipped with your Tomcat 4.0 release.

Then copy the file server/server_keystore to the directory %tcat_home%/conf/.

2.3 configure the IE Client
2.3.1 create a client certificate
1. Create your own client directory under the apps directory of OpenSSL, for example client

2. Generate the client key pair

openssl genrsa -out client/client-key.pem 1024

3. Generate the certificate signing request

openssl req -new -out client/client-req.csr -key client/client-key.pem

4. Sign with the CA private key

openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365

[Note] Use either -signkey (self-signing, as in 2.1) or -CA and -CAkey (signing by the CA), never both: a client certificate signed with its own key does not chain to the CA that Tomcat trusts, and the handshake fails. -CAcreateserial can be dropped once the CA's .srl file exists.

5. Generate a personal certificate file that the client can import

openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12

pkcs12 [PKCS #12 command] -export [create a PKCS #12 file] -clcerts [include only the client certificate, not the CA chain] -in [client certificate file path] -inkey [client private key file path] -out [PKCS #12 output file path]. The command prompts for an export password; it protects the private key inside the .p12 file and must be entered again when the file is imported into IE.

2.3.2 import the CA certificate and client certificate to IE
1. Import the CA root certificate

Rename the ca-cert.pem already transferred to the ca subdirectory of the Java working directory to ca-cert.cer, so that IE recognises it.

In IE, use Tools > Internet Options > Content > Certificates > Import to import the CA root certificate into the Trusted Root Certification Authorities store, so that server certificates it signed are accepted without warnings.

2. Import the client certificate

Transfer the client certificate file (client.p12) to the client machine and import it into IE in the same way, entering the export password chosen in 2.3.1; it appears under Personal certificates, and IE offers it when Tomcat asks for client authentication. Because the .p12 file contains the private key, deliver it to the user over a protected channel and delete the copy on the CA machine afterwards.

3. Use IE to access Tomcat through the SSL protocol
1. Run %tcat_home%/bin/startup.sh (startup.bat on Windows) to start Tomcat 4.x;

2. Enter https://localhost:8443 in the address bar of IE. If the previous steps were correct, IE asks which client certificate to present and then shows the Tomcat welcome page, with the closed padlock in the status bar indicating that an SSL connection has been established with a server that requires client authentication. If the handshake fails instead, the first things to check are that the CN in the server certificate is the host name in the URL, that the CA certificate is in IE's trusted roots and in the JDK's cacerts, and that keystorePass in server.xml matches the keystore password.
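The procedure above is spread over three sections of openssl commands (2.1, 2.2.1, 2.3.1), a server.xml switch (clientAuth="true" in 2.2.3) and a browser test, which makes it hard to see which piece failed when the padlock does not appear. The following Python is an added example written for this page, not commands from the article or code from Tomcat: it drives the same openssl CLI to rebuild the CA, server and client certificates, checks each chain with openssl verify, and then uses Python's ssl module on 127.0.0.1 to play both the Tomcat connector (a server that requires a client certificate) and the browser, once with the client certificate and once without. It assumes the openssl binary is on PATH; it uses 2048-bit RSA with SHA-256 instead of the 1024-bit and MD5 parameters above because current OpenSSL and browsers reject those; and the names (Example Test CA, localhost, alice), the extension choices and the PKCS#12 password changeit are made up for the example.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def openssl(*args):
    """Run one openssl CLI command; a non-zero exit raises CalledProcessError."""
    subprocess.run(("openssl",) + args, check=True, capture_output=True)


def build_pki(workdir):
    """Sections 2.1, 2.2.1 and 2.3.1: self-signed CA, CA-signed server and client
    certificates, and the PKCS#12 bundle of 2.3.1 step 5. Returns file paths."""
    ca_key, ca_cert = os.path.join(workdir, "ca-key.pem"), os.path.join(workdir, "ca-cert.pem")
    # genrsa / req -new / x509 -signkey of section 2.1 collapsed into one call
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", "/CN=Example Test CA", "-days", "30", "-keyout", ca_key, "-out", ca_cert)
    pki = {"ca": ca_cert}
    # (file prefix, subject CN, v3 extension the issued certificate must carry)
    for name, cn, ext in (("server", "localhost", "subjectAltName=DNS:localhost"),
                          ("client", "alice", "extendedKeyUsage=clientAuth")):
        key, csr, cert, extfile = (os.path.join(workdir, name + suffix)
                                   for suffix in ("-key.pem", ".csr", "-cert.pem", ".ext"))
        openssl("genrsa", "-out", key, "2048")
        openssl("req", "-new", "-key", key, "-subj", "/CN=" + cn, "-out", csr)
        with open(extfile, "w") as fh:
            fh.write(ext + "\n")  # `x509 -req` ignores CSR extensions; supply them here
        openssl("x509", "-req", "-in", csr, "-CA", ca_cert, "-CAkey", ca_key, "-CAcreateserial",
                "-days", "30", "-sha256", "-extfile", extfile, "-out", cert)
        pki[name] = (cert, key)
    p12 = os.path.join(workdir, "client.p12")
    openssl("pkcs12", "-export", "-clcerts", "-in", pki["client"][0], "-inkey", pki["client"][1],
            "-out", p12, "-passout", "pass:changeit")
    pki["client_p12"] = p12
    return pki


def chain_ok(pki, name):
    """The check to run before editing server.xml: does the CA validate the cert?"""
    done = subprocess.run(["openssl", "verify", "-CAfile", pki["ca"], pki[name][0]],
                          capture_output=True)
    return done.returncode == 0


def mutual_tls_handshake(pki, present_client_cert):
    """Server on 127.0.0.1 enforcing the equivalent of clientAuth="true". Returns the
    CN the server saw in the client certificate, or None if it refused the client."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(*pki["server"])
    srv.load_verify_locations(pki["ca"])
    srv.verify_mode = ssl.CERT_REQUIRED
    cli = ssl.create_default_context(cafile=pki["ca"])  # trusts only our CA, checks hostname
    if present_client_cert:
        cli.load_cert_chain(*pki["client"])
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(10)
    seen = {}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(10)
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                seen["cn"] = subject["commonName"]
                tls.sendall(b"ok")
        except OSError:  # ssl.SSLError is an OSError: missing or untrusted client cert
            conn.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", listener.getsockname()[1]), timeout=10) as raw:
            with cli.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.recv(2)  # a TLS 1.3 client only sees the server's refusal on first read
    except OSError:
        pass
    worker.join()
    listener.close()
    return seen.get("cn")


def demo():
    """Build the PKI in a scratch directory and try both handshakes."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = build_pki(workdir)
        return {"server_chain_ok": chain_ok(pki, "server"),
                "client_chain_ok": chain_ok(pki, "client"),
                "with_client_cert": mutual_tls_handshake(pki, True),
                "without_client_cert": mutual_tls_handshake(pki, False)}


if __name__ == "__main__":
    print(demo())
```

Two details matter for the Tomcat setup as well: the server certificate carries a subjectAltName for the host name, which is what modern clients match (the CN rule in 2.2.1 is the old form of the same requirement), and the client context trusts only the example CA, so a server presenting any other certificate is rejected exactly as IE rejects Tomcat before the CA certificate is imported in 2.3.2.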