I. Configure the environment
1.1 Tomcat Introduction
Tomcat is one of the sub-projects of Apache Jakarta. As an excellent open-source Web application server, it fully supports the JSP 1.2 and Servlet 2.3 specifications. Because of its advanced technology, stable performance, and the fact that it is free of charge, it is favored by Java enthusiasts and recognized by some software developers, and it has become a popular Web application server.
1.2 Introduction to SSL (Secure Sockets Layer)
Information on the network passes through other computers on its way from the source host to the destination. Generally, these intermediate computers do not listen to the information passing through them, but when you use online banking or make credit card transactions, such monitoring becomes possible and can result in the leakage of personal privacy. Because of the architecture of the Internet and of intranets, some people can read and even replace the information sent by users. With the continuous growth of online payment, people have higher and higher requirements for information security. Therefore, Netscape proposed the SSL protocol to transmit information securely over an open network (the Internet), and the protocol has since been widely used on the Web.
Later, the IETF (www.ietf.org) standardized SSL as RFC 2246 and called it Transport Layer Security (TLS). Technically speaking, the difference between TLS 1.0 and SSL 3.0 is very small.
1.3 How SSL works
The SSL protocol uses asymmetric encryption technology to transmit information securely between the two communicating parties. The transmitted information is confidential and complete, and each party can identify the other. Unlike the common HTTP protocol, we use the HTTPS protocol when establishing an SSL secure connection with a website, that is, we access it as https://ip:port/.
When we establish an HTTPS connection with a website, our browser and the Web server must first perform a handshake to complete identity authentication and key exchange, and only then is the secure connection established. The specific process is as follows:
1. The browser sends its SSL version number, encryption parameters, session-related data, and other necessary information to the server.
2. The server sends its SSL version number, encryption parameters, session-related data, and other necessary information to the browser, together with the server certificate. If the server's SSL configuration requires the user's identity to be verified, the server also sends a request asking the browser to provide the user certificate.
3. The client checks the server certificate. If the check fails, it reports that an SSL connection cannot be established. If the check succeeds, the handshake continues.
4. The client browser generates a pre-master secret for this session, encrypts it with the server's public key, and sends it to the server.
5. If the server requires client authentication, the client must also sign some additional data and send it, together with the client certificate, to the server.
6. If the server requires client authentication, it checks whether the CA that signed the client certificate is trusted. If that CA is not in the trust list, the session is ended. If the check succeeds, the server uses its own private key to decrypt the received pre-master secret and uses it, through some algorithms, to generate the master secret for this session.
7. Both the client and the server use this master secret to generate the session key (a symmetric key) for this session. This session key is used to encrypt every message sent after the SSL handshake ends. The main reason for doing so is that symmetric encryption requires more than an order of magnitude less computation than asymmetric encryption, which significantly increases the speed of both parties' session.
8. The client notifies the server that all subsequent messages will be encrypted with this session key, and then notifies the server that its part of the SSL handshake is complete.
9. The server notifies the client that all subsequent messages will be encrypted with this session key, and then notifies the client that its part of the SSL handshake is complete.
10. The handshake process ends and the session is established. Both parties use the same session key to encrypt and decrypt the information they send and receive.
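The "some algorithms" of step 6 and the session-key derivation of step 7 are spelled out in RFC 2246, the TLS 1.0 standard mentioned above. The following Python is an added example and not code from the original tutorial: it implements the RFC 2246 pseudo-random function (P_MD5 XOR P_SHA-1), derives the 48-byte master secret from a pre-master secret and the two hello randoms, and splits the key block into the per-direction MAC secrets, write keys and IVs. The pre-master secret and the randoms are constructed sample values, and the 3DES/SHA-1 output sizes (20/24/8 bytes) are an assumption chosen for illustration; the RSA encryption of the pre-master secret in step 4 is outside the scope of the example.

```python
import hmac
import math


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 2246 section 5: HMAC-chained expansion of (secret, seed)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).

    S1 and S2 are the two halves of the secret; for an odd-length secret the
    middle byte is shared by both halves, exactly as RFC 2246 specifies.
    """
    half = math.ceil(len(secret) / 2)
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 6: master_secret = PRF(pre_master, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master: bytes, client_random: bytes, server_random: bytes,
                     mac_len: int, key_len: int, iv_len: int) -> dict:
    """Step 7: key_block = PRF(master, "key expansion", server_random + client_random),
    partitioned into client/server MAC secrets, write keys and IVs (RFC 2246 section 6.3).
    Note the random values are concatenated in the opposite order to the master-secret step."""
    total = 2 * (mac_len + key_len + iv_len)
    block = tls10_prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_write_mac_secret", mac_len), ("server_write_mac_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def demo():
    """Run the derivation on constructed sample inputs (not captured traffic)."""
    client_random = bytes(range(32))          # constructed ClientHello.random
    server_random = bytes(range(32, 64))      # constructed ServerHello.random
    pre_master = b"\x03\x01" + bytes(46)      # constructed: TLS 1.0 version bytes + 46 zero bytes
    master = derive_master_secret(pre_master, client_random, server_random)
    # 3DES-EDE-CBC with SHA-1 MACs: 20-byte MAC secrets, 24-byte keys, 8-byte IVs (assumed sizes)
    keys = derive_key_block(master, client_random, server_random, 20, 24, 8)
    return master, keys


if __name__ == "__main__":
    master, keys = demo()
    print("master secret:", master.hex())
    for name, value in keys.items():
        print(f"{name:24s} {value.hex()}")
```

Each side computes the same master secret and the same key block because both hold the same pre-master secret (the client generated it, the server decrypted it with its private key) and both saw the same two hello randoms; a passive observer who lacks the server's private key never learns the pre-master secret and therefore cannot derive the session keys.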
1.4 required software packages
Tomcat 4.0.2
Purpose: Web server.
Download: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/bin/
JSSE 1.0.2
Purpose: generate the key pair used by Tomcat.
Download: http://java.sun.com/products/jsse/
OpenSSL 0.9.6
Purpose: generate the CA certificate, sign certificate requests, and produce the private key in PKCS #12 format that IE can import.
Download: http://www.openssl.org/
II. Configuration steps
2.1 create your own CA certificate
1. Create your own CA directory under the apps directory of OpenSSL, for example, mageca
openssl x509 [X.509 certificate issuing command] -req [the input is a certificate request] -in [path of the certificate request to be signed] -out [output path of the generated X.509 certificate] -signkey [path of the key file used for self-signing] -days [certificate validity period in days] -CA [issuing CA certificate] -CAkey [root CA key file] -CAcreateserial [create a serial-number file]
[Note] Copy the automatically generated ca-key.srl file to the CA directory you created.
2.2 configure Tomcat 4.x
2.2.1 create a server certificate
[Note] In this document, the symbol "%jdk_home%" indicates the JDK installation location, and the symbol "%tcat_home%" indicates the Tomcat installation location.
1. Create a working directory
Create your own server directory under the bin directory of %jdk_home%, for example: server
mkdir server
2. Generate a server key pair
%jdk_home%/bin/keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "CN=localhost, OU=Department, O=company, L=Beijing, ST=Beijing, C=cn" -keystore server/server_keystore
[Note] FTP the generated server.csr file to the server subdirectory under the OpenSSL directory on Linux. The FTP transfer mode must be set to binary (bin) mode.
2.2.2 import CA root certificate and server certificate to Tomcat
1. Import the CA root certificate
FTP the CA root certificate (ca-cert.pem) to the CA subdirectory under the Java working directory.
2.2.3 modify the tomcat configuration file
Modify the server. xml file in the conf directory, find the following content, remove the comment, and modify it.
<! -- Define an ssl http/1.1 Connector on port 8443 -->
Then copy the file server/server_keystore to the directory %tcat_home%/conf/.
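The edit to server.xml described above (uncomment the SSL connector, point it at the keystore, and require client certificates so that the final test in section 3 actually verifies the client) can be done reliably by script rather than by hand. The following Python is an added example, not part of the original tutorial or of Tomcat itself. The embedded server.xml fragment is constructed after the shape of the Tomcat 4.0 default file; the Factory attribute names keystoreFile and keystorePass, the keystore path conf/server_keystore, and the 8443 port check are assumptions, while the password changeit is the one used with keytool above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the Tomcat 4.0 server.xml (assumption: the SSL
# connector sits in a comment directly after the marker line, as in the default file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="60000"/>
    <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"/>
    </Connector>
    -->
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true"/>
    </Engine>
  </Service>
</Server>
"""

SSL_MARKER = "<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->"


def _set_attr(tag: str, name: str, value: str) -> str:
    """Set (or add) one attribute on a single self-closing tag string."""
    pattern = re.compile(rf'\b{name}="[^"]*"')
    if pattern.search(tag):
        return pattern.sub(f'{name}="{value}"', tag, count=1)
    return tag[:-2].rstrip() + f' {name}="{value}"/>'


def enable_ssl_connector(server_xml: str, keystore_file: str, keystore_pass: str,
                         client_auth: bool = True) -> str:
    """Uncomment the SSL connector that follows SSL_MARKER and configure its Factory.

    Raises ValueError if the marker is missing or the connector is not commented out,
    so running the script twice cannot silently uncomment an unrelated block.
    """
    marker_at = server_xml.find(SSL_MARKER)
    if marker_at < 0:
        raise ValueError("SSL connector marker not found in server.xml")
    start = server_xml.find("<!--", marker_at + len(SSL_MARKER))
    end = server_xml.find("-->", start) if start >= 0 else -1
    if start < 0 or end < 0 or 'port="8443"' not in server_xml[start:end]:
        raise ValueError("commented-out 8443 connector not found; already enabled?")
    block = server_xml[start + len("<!--"):end]
    match = re.search(r"<Factory\b[^>]*/>", block)
    if match is None:
        raise ValueError("SSL connector has no <Factory/> element")
    factory = match.group(0)
    factory = _set_attr(factory, "clientAuth", "true" if client_auth else "false")
    factory = _set_attr(factory, "keystoreFile", keystore_file)
    factory = _set_attr(factory, "keystorePass", keystore_pass)
    block = block[:match.start()] + factory + block[match.end():]
    return server_xml[:start] + block + server_xml[end + len("-->"):]


def ssl_factory_attributes(server_xml: str) -> dict:
    """Parse the result as XML and return the Factory attributes of the live 8443 connector."""
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if connector.get("port") == "8443":
            factory = connector.find("Factory")
            return dict(factory.attrib) if factory is not None else {}
    return {}  # still commented out, or no SSL connector


if __name__ == "__main__":
    updated = enable_ssl_connector(SAMPLE_SERVER_XML, "conf/server_keystore", "changeit")
    print(ssl_factory_attributes(updated))
```

Re-parsing the output with ElementTree is the check worth keeping: a hand edit that leaves a stray `-->` or an unclosed quote produces a server.xml that Tomcat rejects at startup, and the parse step catches that before the file is copied into conf/.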
2.3 configure the IE Client
2.3.1 create a client certificate
1. Create your own client directory under the apps directory of OpenSSL, for example, client
openssl pkcs12 [generate a certificate file in PKCS #12 format] -export [export a file] -clcerts [export the client certificate only] -in [input client certificate file path] -inkey [client certificate key file path] -out [output path of the PKCS #12 file]
2.3.2 import the CA certificate and client certificate to IE
1. Import the CA root certificate
Rename the ca-cert.pem that was FTPed to the CA subdirectory of the Java working directory to ca-cert.cer;
In the IE client, use <Tools>, <Internet Options>, <Content>, <Certificates>, <Import> to import the generated CA root certificate and make it a trusted CA.
2. Import the client certificate
FTP the client certificate (client.p12) to the client machine and import client.p12 into the client's IE as the client certificate. The import process is the same.
3. Use IE to access Tomcat through the SSL protocol
1. Run %tcat_home%/bin/startup.bat to start Tomcat 4.x;
2. Enter https://localhost:8443 in the address bar of the IE browser. If the previous operations were correct, you will see the Tomcat welcome page. The lock in the status bar is closed, indicating that you have successfully established an SSL secure connection with a server that requires client verification.