Once client certificate authentication is configured, the browser prompts the user to choose a certificate when it connects to the server over HTTPS, and the server verifies the presented certificate against its truststore during the TLS handshake. Only a client that holds a certificate (and the matching private key) the server trusts can open the web site; a client without one is rejected before any HTTP request is processed. This is mutual TLS: the server certificate from the keystore authenticates the server to the browser, and the client certificate authenticates the browser to the server.
The specific configuration procedure is as follows.
1. Generate the relevant certificates on the server side
(1) Generate the server certificate container (keystore).
/usr/java/jdk1.6.0_43/bin/keytool -genkey -v -alias server -keyalg RSA -keystore server.keystore -validity 36500 -dname "CN=105.12.201.31,OU=TEST,O=TEST,L=SHANGHAI,ST=SHANGHAI,C=CN" -storepass test001 -keypass test001
where:
-alias names the entry inside the keystore; any name works (the alias is not preserved in this copy of the page, so "server" is used here).
-validity specifies how many days the certificate is valid. 36500 days is 100 years; a self-signed certificate cannot be revoked, so a much shorter validity and a planned renewal are preferable.
-dname sets the subject name written into the certificate. The CN is said to have to equal the IP address that clients use to reach the server (whether a mismatch is actually rejected was not tested when this page was written). Browsers match the host against the certificate's Subject Alternative Name and, at most, fall back to the CN (Chrome stopped using the CN altogether in version 58), so an IP address really belongs in a SAN of type IP. The JDK 6 keytool used here cannot add extensions (the -ext option appeared in JDK 7), so with this toolchain expect a hostname warning from the browser, which is separate from client authentication.
-keyalg specifies the key algorithm for the signature, RSA or DSA. keytool in JDK 6 defaults to 1024-bit keys, which are too weak today; add -keysize 2048.
-storepass and -keypass specify the password of the keystore file and of the private key entry respectively. Set them to the same value because Tomcat opens both with the keystorePass attribute unless a separate keyPass is configured.
(2) Create the truststore that will hold the trusted client certificates
/usr/java/jdk1.6.0_43/bin/keytool -genkey -v -alias trust -keyalg RSA -keystore server_trust.keystore -validity 36500 -dname "CN=105.12.201.31,OU=TEST,O=TEST,L=SHANGHAI,ST=SHANGHAI,C=CN" -storepass test002 -keypass test002
The key pair generated here is never used; the command only creates the file (the alias name is immaterial, "trust" is used here). The -import in step (4) creates server_trust.keystore by itself when it does not exist, so this step can be skipped, which also keeps an unused private key out of the truststore.
(3) Generate the client key pair
/usr/java/jdk1.6.0_43/bin/keytool -genkey -v -alias client_1 -keyalg RSA -storetype pkcs12 -keystore client_1.p12 -validity 36500 -dname "CN=CLIENT_1,OU=TEST,O=TEST,L=SHANGHAI,ST=SHANGHAI,C=CN" -storepass test003 -keypass test003
The PKCS#12 format is used because that is what browsers import; the file contains the private key, so protect it and its password accordingly.
Export the client certificate (public part only, PEM-encoded because of -rfc):
/usr/java/jdk1.6.0_43/bin/keytool -export -v -alias client_1 -keystore client_1.p12 -storetype pkcs12 -storepass test003 -rfc -file Client_1.cer
(4) Import the client certificate into the server's truststore of trusted clients
/usr/java/jdk1.6.0_43/bin/keytool -import -v -alias client_1 -file Client_1.cer -keystore server_trust.keystore -storepass test002
keytool asks "Trust this certificate? [no]:" because the certificate is self-signed; answer yes (or pass -noprompt in a script). Every client certificate that should be accepted is imported this way; the connector trusts the certificates in this file, not the alias names.
2. Modify the Tomcat configuration file conf/server.xml
Find the HTTPS connector in the stock configuration (it is commented out by default) and uncomment it:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
Change it to:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="${catalina.base}/keystore/server.keystore" keystorePass="test001" truststoreFile="${catalina.base}/keystore/server_trust.keystore" truststorePass="test002" />
clientAuth="true" makes the handshake fail for any client that does not present a certificate found in truststoreFile; clientAuth="want" would request a certificate but still let clients without one in, which is only useful if the application checks the certificate itself. Copy server.keystore and server_trust.keystore from step 1 into ${catalina.base}/keystore/ (create the directory). Attribute names are case-sensitive. The passwords now sit in clear text in server.xml, so restrict the file's permissions to the Tomcat user.
3. Make SSL mandatory in the web application
In WEB-INF/web.xml:
<!-- force SSL: plain HTTP requests are redirected to HTTPS -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern> <!-- apply to the whole site -->
  </web-resource-collection>
  <user-data-constraint>
    <description>SSL required</description>
    <!-- CONFIDENTIAL: data in transit can be neither modified nor read -->
    <!-- INTEGRAL: data in transit cannot be modified -->
    <!-- NONE: no special restriction -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The redirect goes to the port named in the redirectPort attribute of the plain HTTP connector in server.xml (8443 in the stock configuration), so that value must match the HTTPS connector above. Note that this constraint only enforces HTTPS; it is the connector's clientAuth="true" that enforces the client certificate.
4. Import the client certificate on the client PC and restart the browser
Import client_1.p12 (generated in step 1(3), called client_test in some versions of this procedure) into the browser's personal certificate store, entering its password (test003). The .p12 file is the one that matters: it contains the private key the browser needs to prove possession of the certificate; Client_1.cer on its own holds only the public certificate. Then restart the browser and open https://105.12.201.31:8443/.
On the first visit the browser shows a dialog to choose a certificate; select the imported CLIENT_1 certificate. Because the server certificate is self-signed, the browser also warns about the server's identity unless that certificate has been imported as trusted, which is unrelated to client authentication. If no certificate is offered or a wrong one is chosen, the connection is dropped during the handshake rather than answered with an HTTP error page.
Tomcat Configuring client certificate authentication