Tomcat Configuring client certificate authentication

Source: Internet
Author: User

After client certificate authentication is configured, the browser prompts you to select a certificate when it accesses the server over HTTPS, and the server then verifies that certificate. Only a client holding a valid certificate can open the web site.

The specific configuration steps follow.

1. Generate the certificates on the server side

(1) Generate the server certificate container (the server keystore).

    /usr/java/jdk1.6.0_43/bin/keytool -genkey -v -keyalg RSA -keystore server.keystore -validity 36500 -dname "CN=105.12.201.31,OU=TEST,O=TEST,L=SHANGHAI,ST=SHANGHAI,C=CN" -storepass test001 -keypass test001

(The keystore name server.keystore is taken from the server.xml configuration in step 2; the alias and key algorithm were lost from the original command, so -keyalg RSA is assumed here and no -alias is given, which makes keytool use its default alias "mykey".)

where:

validity specifies the number of days the certificate is valid;

dname sets the information contained in the certificate. Note that the IP address given in CN is said to have to match the IP address used to reach the server (whether a mismatch actually causes rejection was not tested);

keyalg specifies the signature algorithm, RSA or DSA;

storepass and keypass specify the keystore password and the key password respectively. They are set to the same value because Tomcat has only one password setting (keystorePass) for the keystore.

(2) Build the trusted client certificate container (the server trust store)

    /usr/java/jdk1.6.0_43/bin/keytool -genkey -v -keyalg RSA -keystore server_trust.keystore -validity 36500 -dname "CN=105.12.201.31,OU=TEST,O=TEST,L=SHANGHAI,ST=SHANGHAI,C=CN" -storepass test002 -keypass test002

(The keystore name server_trust.keystore is taken from step (4) below; -keyalg RSA is assumed, as in step (1).)

(3) Generate the client key pair

    /usr/java/jdk1.6.0_43/bin/keytool -genkey -v -alias client_1 -keyalg RSA -keystore client_1.p12 -storetype pkcs12 -validity 36500 -dname "CN=CLIENT_1,OU=TEST,O=TEST,L=SHANGHAI,ST=SHANGHAI,C=CN" -storepass test003 -keypass test003

(The alias client_1 and the PKCS12 keystore client_1.p12 are taken from the export command below; -keyalg RSA is assumed.)

Export the client certificate

    /usr/java/jdk1.6.0_43/bin/keytool -export -v -alias client_1 -keystore client_1.p12 -storetype pkcs12 -storepass test003 -rfc -file client_1.cer

(4) Import the client certificate into the trusted client certificate container on the server

    /usr/java/jdk1.6.0_43/bin/keytool -import -v -alias client_1 -file client_1.cer -keystore server_trust.keystore -storepass test002

2. Modify the Tomcat configuration file conf/server.xml

Find the original HTTPS connector section, which is commented out by default, and uncomment it:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

Modify it to:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="${catalina.base}/keystore/server.keystore"
               keystorePass="test001"
               truststoreFile="${catalina.base}/keystore/server_trust.keystore"
               truststorePass="test002" />

With clientAuth="true" the TLS handshake itself fails for any client that does not present a certificate trusted by server_trust.keystore; clientAuth="want" would request a certificate but let clients without one connect.

3. Force SSL access in the web application

In WEB-INF/web.xml:

    <!-- force SSL: plain HTTP requests are redirected to HTTPS -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern> <!-- use SSL for the whole site -->
        </web-resource-collection>
        <user-data-constraint>
            <description>SSL required</description>
            <!-- CONFIDENTIAL: data in transit can be neither modified nor viewed -->
            <!-- INTEGRAL: data in transit cannot be modified -->
            <!-- NONE: no special restriction -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

4. After importing the client certificate and key pair generated in step 1 (client_test.cer and CLIENT_TEST.P12 in the original naming) into the browser on the client PC, restart the browser and open the site

On the first visit a dialog box pops up asking you to select a certificate; select the imported CER certificate.
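As a check on the server.xml change in step 2, here is an added example (not from the original article) that parses the SSL Connector and reports settings that would weaken client certificate authentication: clientAuth left at "false" or "want", a missing keystoreFile or truststoreFile, Tomcat's default password "changeit", or an SSLv2/SSLv3 sslProtocol. The embedded server.xml fragment is constructed from the connector above.

```python
"""Audit the SSL <Connector> in a Tomcat server.xml for client certificate
authentication (added example, not from the original article)."""
import xml.etree.ElementTree as ET

# Constructed sample: the modified connector from step 2 of the article.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="${catalina.base}/keystore/server.keystore"
               keystorePass="test001"
               truststoreFile="${catalina.base}/keystore/server_trust.keystore"
               truststorePass="test002" />
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return (port, message) findings for every SSL-enabled Connector.

    An empty list means each HTTPS connector requires a client certificate
    and verifies it against an explicitly configured trust store.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors are out of scope here
        port = c.get("port", "?")
        attrs = c.attrib
        client_auth = attrs.get("clientAuth", "false").lower()
        if client_auth == "false":
            findings.append((port, "clientAuth is off: any client may connect"))
        elif client_auth == "want":
            findings.append((port, "clientAuth=want: certificate optional, app must check it"))
        if client_auth != "false" and "truststoreFile" not in attrs:
            findings.append((port, "clientAuth set but no truststoreFile configured"))
        if "keystoreFile" not in attrs:
            findings.append((port, "no keystoreFile: Tomcat falls back to ~/.keystore"))
        for pw in ("keystorePass", "truststorePass"):
            if attrs.get(pw) == "changeit":
                findings.append((port, f"{pw} is the keytool/Tomcat default 'changeit'"))
        if attrs.get("sslProtocol", "").upper().startswith("SSL"):
            findings.append((port, "sslProtocol allows SSLv2/SSLv3"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_connectors(SERVER_XML) or [("8443", "OK")]:
        print(port, msg)
```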
