Tomcat SSL configuration and Tomcat CA certificate installation

Source: Internet
Author: User
Tags: decrypt, java, web, ssl, certificate, tomcat, server

Recently I had to build an SSL application with two-way (mutual) authentication. In mutual authentication, when the client connects to the server, both ends of the connection verify the other side's digital certificate, so that only an authorized peer can connect. With the ordinary one-way SSL that most sites use, the client validates the server's certificate but the server does not authenticate the client. The USB key ("U-Shield") issued by online banks is an example of a device that stores the client certificate needed for two-way authentication.

Tomcat can run either as a stand-alone servlet container or as a servlet container behind another HTTP server. When Tomcat sits behind an HTTP server, SSL is usually not configured in Tomcat at all: the front-end HTTP server terminates SSL with the client. The link between that HTTP server and Tomcat is then left unencrypted; the HTTP server passes the decrypted requests to Tomcat and encrypts Tomcat's responses on their way back to the client.

If Tomcat is used as a stand-alone Java web server, you can configure SSL on Tomcat itself according to your security needs. This takes two steps:

(1) Prepare the security certificate.

(2) Configure Tomcat's SSL connector (the <Connector> element).

First, preparing the security certificate

There are two ways to obtain a certificate: buy one from a certificate authority (CA), or create a self-signed certificate. This article uses the second way, since it is free. Keep in mind that a self-signed certificate is not trusted by browsers and gives no third-party assurance of the server's identity; it is fine for development and testing, or when you control the clients and can install the certificate on them.

Sun's JDK ships with a certificate tool, keytool. It is included in JDK 1.4 and later, at <JAVA_HOME>\bin\keytool.exe on Windows (<JAVA_HOME>/bin/keytool on Linux).

The keytool command that creates a certificate is:

keytool -genkeypair -alias tomcat -keyalg RSA

This command generates an asymmetric key pair and a self-signed certificate for it. The parameters mean: -genkeypair generates a key pair (older keytool versions spell it -genkey); -alias gives the key pair a name inside the keystore, which you refer to later; -keyalg selects the key algorithm, here the widely used RSA algorithm.

You will first be prompted for the keystore password.

Then you are prompted for personal information such as name, organizational unit and city; pressing Enter accepts the defaults. Note that the "first and last name" field becomes the certificate's CN and should be the host name clients will use to reach the server (for local testing, "localhost"), otherwise browsers will warn that the certificate does not match the site.

You are then asked to confirm the entries; answer "y" if they are correct.

Finally keytool asks for the key password of <tomcat>. Press Enter to make it the same as the keystore password: Tomcat's connector assumes the key password equals the keystore password unless you set the keyPass attribute.

Second, configure the SSL connector

Tomcat's server.xml already contains a ready-made SSL connector; you only need to remove the comment markers around the <Connector> element:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Documents and Settings\xuliang\.keystore"
           keystorePass="Sunchis" />

HTTPS normally uses port 443, but Tomcat's stock configuration puts the HTTPS connector on 8443 (on Linux, ports below 1024 need root, and 443 is often already taken by a front-end web server). The main <Connector> attributes are:

clientAuth: "true" requires a client certificate (two-way authentication); "false" is one-way authentication; "want" asks for a client certificate but does not require one.

keystoreFile: path of the keystore holding the server's key and certificate.

keystorePass: the keystore password. It is stored in server.xml in clear text, so restrict read access to that file.

sslProtocol: the JSSE protocol to use, here "TLS".

Attribute names are case-sensitive (SSLEnabled, keystoreFile, clientAuth).

Third, accessing the SSL-enabled web site

Because SSL is built into most browsers and web servers, installing the server certificate on the web server is enough to activate SSL.

Once steps one and two are done, restart Tomcat and open any web application on it over HTTPS from a browser (Internet Explorer in the original). With a self-signed certificate the browser warns that the certificate is untrusted; you must accept it, or import the certificate into the browser's trust store, to continue. Now we are going to visit this address:

IV. An HttpClient that accepts any SSL certificate (Tomcat clientAuth="false")

This method returns an Apache HttpClient (4.x API) whose trust manager accepts every server certificate. That means it performs no validation at all, so the connection can be intercepted by anyone able to sit between client and server; use it only for local testing against a self-signed certificate, never in production.

import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

private DefaultHttpClient getIgnoreSslHttpClient(int sslPort) throws Exception {
    DefaultHttpClient httpClient = new DefaultHttpClient();
    SSLContext sslContext = SSLContext.getInstance("TLS");
    X509TrustManager tm = new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // not used on the client side
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            // no validation at all: just print the server's leaf certificate
            System.out.println("server: " + certs[0]);
        }
    };
    sslContext.init(null, new TrustManager[] { tm }, null);
    SSLSocketFactory sf = new SSLSocketFactory(sslContext);
    // Route all "https" connections on sslPort through our socket factory.
    Scheme sch = new Scheme("https", sslPort, sf);
    httpClient.getConnectionManager().getSchemeRegistry().register(sch);
    return httpClient;
}

V. One-way authentication HttpClient (Tomcat clientAuth="false")

This version trusts the server only if some certificate in its chain has an issuer DN containing "CN=<ip>". A self-signed certificate is its own issuer, so this matches the name entered for "first and last name" in keytool. Be aware that this is only a name check: the signature, validity period and chain are not verified, so any self-signed certificate carrying that CN would be accepted.

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

private DefaultHttpClient getOneWayAuthSslHttpClient(final String ip, int sslPort) throws Exception {
    DefaultHttpClient httpClient = new DefaultHttpClient();
    SSLContext sslContext = SSLContext.getInstance("TLS");
    X509TrustManager tm = new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            // not used on the client side
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType)
                throws CertificateException {
            if (certs == null || certs.length == 0)
                throw new IllegalArgumentException("null or zero-length certificate chain");
            if (authType == null || authType.length() == 0)
                throw new IllegalArgumentException("null or zero-length authentication type");
            for (X509Certificate x509Certificate : certs) {
                String issuer = x509Certificate.getIssuerDN().toString();
                if (issuer.contains("CN=" + ip)) {
                    return; // accepted: issuer CN matches the expected host
                }
            }
            throw new CertificateException("Authen failed!");
        }
    };
    sslContext.init(null, new TrustManager[] { tm }, null);
    SSLSocketFactory sf = new SSLSocketFactory(sslContext);
    Scheme sch = new Scheme("https", sslPort, sf);
    httpClient.getConnectionManager().getSchemeRegistry().register(sch);
    return httpClient;
}
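The DN-substring check above can be satisfied by anyone who generates a self-signed certificate with the same CN. The following class, added here as an example (it is not code from the original post), does what that check was meant to do with the same HttpClient 4.x API: it validates the server's chain against the certificate the client was given (serverCrt.keystore, the client-side trust keystore built in section VI), turns on strict hostname verification, and additionally pins the SHA-256 fingerprint of the server's leaf certificate so that even another certificate signed by the same CA is refused. The class and method names, the keystore path and password, and the fingerprint constant are placeholders; the real fingerprint can be read from keytool -printcert -file server.crt.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

/** Example, not from the original post: one-way TLS client with real chain validation plus pinning. */
public class PinnedOneWayClient {

    // Placeholder (assumption): hex SHA-256 fingerprint of server.crt, from keytool -printcert.
    private static final String EXPECTED_SHA256 = "replace-with-your-server-cert-fingerprint";

    /** Runs the truststore-backed check first, then compares the leaf certificate's fingerprint. */
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final String expectedSha256;

        PinningTrustManager(X509TrustManager delegate, String expectedSha256) {
            this.delegate = delegate;
            this.expectedSha256 = expectedSha256.toLowerCase();
        }

        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            // 1. Signature, validity period and chain, against the certificates in serverCrt.keystore.
            delegate.checkServerTrusted(chain, authType);
            // 2. Pin: the leaf certificate must be exactly the one we exported with keytool -export.
            String actual = sha256Hex(chain[0].getEncoded());
            if (!actual.equals(expectedSha256)) {
                throw new CertificateException("server certificate fingerprint mismatch: " + actual);
            }
        }
    }

    static String sha256Hex(byte[] data) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b & 0xff));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Loads a JKS trust keystore and returns the X509TrustManager built from it. */
    static X509TrustManager loadTrustManager(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ts.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager in " + path);
    }

    public static DefaultHttpClient getPinnedOneWayHttpClient(int sslPort) throws Exception {
        // Assumption: serverCrt.keystore with password 123123, as in section VI of the post.
        X509TrustManager base = loadTrustManager("serverCrt.keystore", "123123".toCharArray());
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { new PinningTrustManager(base, EXPECTED_SHA256) }, null);
        // Strict hostname verification: the certificate's CN/SAN must match the host in the URL.
        SSLSocketFactory sf = new SSLSocketFactory(sslContext, SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        DefaultHttpClient httpClient = new DefaultHttpClient();
        httpClient.getConnectionManager().getSchemeRegistry().register(new Scheme("https", sslPort, sf));
        return httpClient;
    }
}
```

The delegate from TrustManagerFactory does the cryptographic work (signature over the chain, expiry, and that the chain ends in a certificate from serverCrt.keystore); the pin is a second, independent condition, so rotating the server certificate requires updating the fingerprint in the client, which is the price of pinning.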

VI. Two-way (mutual) authentication HttpClient (Tomcat clientAuth="true")

The server needs:

1) A keystore holding the server's private key and certificate.

2) A trust keystore holding the client certificates it accepts.

Likewise, the client needs:

1) A keystore holding the client's private key and certificate.

2) A trust keystore holding the server certificate it accepts.

Generating keys and certificates

1) Generate the server's private key and store it in the server's keystore file:

keytool -genkey -alias serverKey -keystore serverKey.keystore

2) Export the server's certificate from that key pair:

keytool -export -alias serverKey -keystore serverKey.keystore -file server.crt

server.crt is the server's certificate.

3) Import the server's certificate into the client's trust keystore:

keytool -import -alias serverKey -file server.crt -keystore serverCrt.keystore

serverCrt.keystore is kept by the client and holds the certificate it trusts.

In the same way, generate the client's private key and certificate, and import the certificate into the server's trust keystore:

1) keytool -genkey -alias clientKey -keystore clientKey.keystore

2) keytool -export -alias clientKey -keystore clientKey.keystore -file client.crt

3) keytool -import -alias clientKey -file client.crt -keystore clientCrt.keystore

The resulting files fall into two groups:

Server keeps: serverKey.keystore, clientCrt.keystore

Client keeps: clientKey.keystore, serverCrt.keystore

Only the .crt files (public certificates) travel between the two sides; the *Key.keystore files contain private keys and must never be copied to the other party.

During the TLS handshake the client proves that it holds the clientKey private key from clientKey.keystore by signing handshake data and sending that signature, together with client.crt, to the server.

The server checks the signature with the public key in client.crt, which must match the certificate stored in clientCrt.keystore; if the check succeeds, the request is proven to come from the client and is processed.

Likewise, the server proves possession of the serverKey private key in serverKey.keystore during the handshake (through the key exchange or a signature, depending on the cipher suite), and the client verifies this against server.crt in serverCrt.keystore; if the verification succeeds, the reply is proven to come from the server and is processed.

If either verification fails, the handshake is aborted and no application data is exchanged. This completes the two-way identity authentication. Note that the private keys are not used to encrypt the application data itself: once both sides are authenticated, the data is protected with symmetric session keys negotiated in the handshake.

Tomcat configuration (the server's own key in keystoreFile, the client certificates it trusts in truststoreFile):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="F:\serverKey.keystore" keystorePass="123123" keystoreType="JKS"
           truststoreFile="F:\clientCrt.keystore" truststorePass="123123" truststoreType="JKS"
/>

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

private DefaultHttpClient getMutualAuthSslHttpClient(int sslPort) throws Exception {
    DefaultHttpClient httpClient = new DefaultHttpClient();
    String clientKeyStorePassword = "123123";
    String clientTrustKeyStorePassword = "123123";
    String clientKeyPath = "clientKey.keystore";  // client's private key and certificate
    String serverCertPath = "serverCrt.keystore"; // server's certificate (trust store)
    // The original read "TSL", which is not a valid protocol name.
    SSLContext sslContext = SSLContext.getInstance("TLS");
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    KeyStore ks = KeyStore.getInstance("JKS");
    KeyStore tks = KeyStore.getInstance("JKS");
    FileInputStream ksIn = new FileInputStream(clientKeyPath);
    try {
        ks.load(ksIn, clientKeyStorePassword.toCharArray());
    } finally {
        ksIn.close();
    }
    FileInputStream tksIn = new FileInputStream(serverCertPath);
    try {
        tks.load(tksIn, clientTrustKeyStorePassword.toCharArray());
    } finally {
        tksIn.close();
    }
    // Key managers present the client certificate; trust managers check the server's.
    kmf.init(ks, clientKeyStorePassword.toCharArray());
    tmf.init(tks);
    sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    SSLSocketFactory sf = new SSLSocketFactory(sslContext);
    Scheme sch = new Scheme("https", sslPort, sf);
    httpClient.getConnectionManager().getSchemeRegistry().register(sch);
    return httpClient;
}
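To see what clientAuth="true" actually enforces on the wire, here is a self-contained JSSE server and client pair, added as an example (it is not code from the original post). It assumes the four keystore files generated above (serverKey.keystore, clientCrt.keystore, clientKey.keystore, serverCrt.keystore) are in the working directory with the password 123123 used in the Tomcat configuration; the class and method names are mine. The server requires a client certificate, as Tomcat does with clientAuth="true"; the first client presents one and is accepted, the second trusts the server but has no certificate of its own and is rejected during the handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Example, not from the original post: mutual TLS with the keystores from the keytool steps above. */
public class MutualAuthDemo {

    // Assumption: all four keystores use this password, as in the Tomcat connector on the page.
    static final char[] PASSWORD = "123123".toCharArray();

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, PASSWORD);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Builds an SSLContext from an optional identity keystore and a required trust keystore. */
    static SSLContext context(String keyStorePath, String trustStorePath) throws Exception {
        KeyManagerFactory kmf = null;
        if (keyStorePath != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStorePath), PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static void connect(SSLContext ctx, int port, String label) {
        try {
            // Plain SSLSocket does no hostname check; HttpClient's hostname verifier adds that.
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", port);
            s.startHandshake();
            System.out.println(label + ": handshake OK, server is " + s.getSession().getPeerPrincipal());
            s.close();
        } catch (Exception e) {
            System.out.println(label + ": handshake failed: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Server side: serverKey.keystore is its identity, clientCrt.keystore lists trusted clients.
        SSLContext serverCtx = context("serverKey.keystore", "clientCrt.keystore");
        final SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getByName("localhost"));
        server.setNeedClientAuth(true); // the JSSE equivalent of Tomcat clientAuth="true"
        int port = server.getLocalPort();

        Thread serverThread = new Thread(new Runnable() {
            public void run() {
                for (int i = 0; i < 2; i++) {
                    try {
                        SSLSocket s = (SSLSocket) server.accept();
                        s.startHandshake(); // fails with "null cert chain" if the client sent no certificate
                        System.out.println("server: accepted client " + s.getSession().getPeerPrincipal());
                        s.close();
                    } catch (Exception e) {
                        System.out.println("server: handshake rejected: " + e.getMessage());
                    }
                }
            }
        });
        serverThread.start();

        // Client 1: clientKey.keystore for its identity, serverCrt.keystore to trust the server.
        connect(context("clientKey.keystore", "serverCrt.keystore"), port, "client with certificate");
        // Client 2: trusts the server but has no key material of its own.
        connect(context(null, "serverCrt.keystore"), port, "client without certificate");

        serverThread.join();
        server.close();
    }
}
```

Running it prints one accepted handshake showing the client's subject DN (the "first and last name" entered for clientKey) and one rejection on both sides; the second client typically sees a bad_certificate alert from the server. Swapping the server's trust keystore for an empty one makes the first client fail too, which is the check that the server really validates the client certificate rather than merely requesting it.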

References:

http://www.sunchis.com/html/java/javaweb/2010/0314/71.html

http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html




------------------------------------------------------------


Keytool + Tomcat: configuring HTTPS two-way certificate authentication

System requirements:

1. Windows or Linux

2. JDK 1.6.0_13 installed and configured

3. Tomcat 6.0 installed and configured

First step: generate a certificate for the server

1. Windows. Open a console and change to the %JAVA_HOME%/bin directory, then use keytool to generate a certificate for Tomcat. Assume the target machine's domain name is "localhost", the keystore file is to be stored at "D:\home\tomcat.keystore" and the password is "password". Generate it with the following command:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:\home\tomcat.keystore -validity 36500

(Parameters: "D:\home\tomcat.keystore" is the path where the keystore file is saved, the file name being tomcat.keystore; "-validity 36500" is the certificate's validity period in days, 36500 being 100 years; the default is 90 days.) Fill in the requested values at the prompts:

a. Enter keystore password: a string of at least 6 characters.

b. "What is your first and last name?" This is required and must be the domain name or IP address of the host Tomcat is deployed on (for example gbcom.com or 10.1.25.251), that is, the address users will later type into the browser; otherwise the browser will pop up a warning that the certificate does not match the domain. For local development testing, enter "localhost".

c. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?" and "What is the two-letter country code for this unit?" can be filled in as needed or skipped by pressing Enter. When the system asks "Is ... correct?", compare the information shown with what you entered; type "y" if it is right, otherwise "n" to enter it again.

d. Enter the key password for <tomcat>. This matters because it is used in the Tomcat configuration file; it is recommended to use the same password as the keystore (a different password also works, but then keyPass must be set in server.xml). After completing the input, the generated file can be found at the location defined above.

2. Linux system
