Tomcat 6 configuration with SSL two-way authentication (certificates generated with OpenSSL)

Source: Internet
Author: User
Tags: openssl x509 pkcs12

Two-way authentication: the client sends a message to the server. The message is first encrypted with the client certificate, and the client certificate is then sent to the server together with it. On receiving the message, the server first decrypts it with the client certificate, then encrypts the message with the server private key and sends the server certificate together with the message to the client. The client decrypts the message with the server certificate it received, encrypts the message with the server certificate, then encrypts it again with the client certificate and sends it, together with the encrypted message and the client certificate, to the server. The server then decrypts the message with the client certificate to confirm that it was sent by the client, and finally decrypts it with the server private key to obtain the plaintext data.

======================================

 

OpenSSL installation on Windows

Download OpenSSL for Windows from here:

http://gnuwin32.sourceforge.net/packages/openssl.htm

Unpack the package and add its bin folder to the PATH environment variable.

Download the OpenSSL configuration file http://www.securityfocus.com/data/tools/openssl.conf

and copy it to a folder so that it can be passed on the command line (with -config C:/SSL/openssl.conf); here C:/SSL/ is used.

Otherwise the error "unable to load config info from /usr/local/ssl/openssl.cnf" is reported at run time.

==================================

 

The installation and configuration below are for Linux with Tomcat 5.5.30.

I. Create the directories

cd /home
mkdir ssl
cd ssl
mkdir ca
mkdir client
mkdir server

Each certificate is created in these steps:

(1) generate the private key
(2) generate the certificate signing request
(3) generate the X.509 certificate and sign it with the CA private key
(4) convert it to the PKCS#12 (.p12) format that browsers can import

 

II. Generate the CA certificate
No third-party certificate authority is used here; we act as our own CA.
1. Create the private key:
openssl genrsa -out ca/ca-key.pem 1024
2. Create the certificate request:
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem

-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: BJ
Locality Name (eg, city) []: BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Tb
Organizational Unit Name (eg, section) []: Tb
Common Name (eg, YOUR name) []: CA
Email Address []: ca@ca.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Self-sign the certificate:
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
4. Export the certificate to the .p12 format that browsers can import:

openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Password: 123456


III. Generate the server certificate
1. Create the private key:
openssl genrsa -out server/server-key.pem 1024
2. Create the certificate request:
openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: BJ
Locality Name (eg, city) []: BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Tb
Organizational Unit Name (eg, section) []: Tb
Common Name (eg, YOUR name) []: localhost    # the host name or IP address at which clients reach the server must go here
Email Address []: server@server.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Sign the certificate with the CA:
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
(-signkey is for self-signing and is not used here; the request is signed with the CA key, so the certificate chains to ca-cert.pem, which is what the truststore built below relies on.)
4. Export the certificate to the .p12 format that browsers can import:
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
Password: 123456

IV. Generate the client certificate
1. Create the private key:
openssl genrsa -out client/client-key.pem 1024
2. Create the certificate request:
openssl req -new -out client/client-req.csr -key client/client-key.pem
-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: BJ
Locality Name (eg, city) []: BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Tb
Organizational Unit Name (eg, section) []: Tb
Common Name (eg, YOUR name) []: Dong
Email Address []: dong@dong.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Sign the certificate with the CA:
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4. Export the certificate to the .p12 format that browsers can import:
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
Password: 123456
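Sections II to IV repeat the same four steps by hand for the CA, the server and the client. The script below is added here as an example and is not code from the original post: it runs those steps end to end without prompts under a directory you name, signs the server and client requests with the CA key, exports the .p12 files with the 123456 password used above, and then checks with openssl verify that each certificate actually chains to the CA, which is the property the Tomcat truststore depends on. The subjects, file names and password are constructed to match the post; it uses 2048-bit keys rather than the post's 1024-bit ones, since 1024-bit RSA is below current minimums, and it assumes openssl is in PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the CA / server / client
# hierarchy of sections II-IV non-interactively, signs the server and client
# requests with the CA key (no -signkey), exports the .p12 files and verifies that
# each leaf certificate chains to the CA. Assumes openssl is in PATH. Subjects,
# file names and the 123456 export password are constructed to match the post;
# 2048-bit keys replace the post's 1024-bit ones, which are below current minimums.
set -eu

make_pki() {
    base="$1"             # working directory, e.g. /home/ssl
    pw="${2:-123456}"     # PKCS#12 export password
    mkdir -p "$base/ca" "$base/server" "$base/client"

    # Minimal OpenSSL config: req needs a distinguished_name section even with -subj,
    # and the CA certificate must carry basicConstraints CA:TRUE to be accepted as a CA.
    cat > "$base/ssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

    # II. CA: private key plus self-signed certificate (the only self-signed one here)
    openssl genrsa -out "$base/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$base/ssl.cnf" -key "$base/ca/ca-key.pem" \
        -out "$base/ca/ca-cert.pem" -days 3650 \
        -subj "/C=CN/ST=BJ/L=BJ/O=Tb/OU=Tb/CN=CA/emailAddress=ca@ca.com"

    # III./IV. server and client: key, request, CA-signed certificate, .p12 export
    for who in server client; do
        if [ "$who" = server ]; then
            cn=localhost; mail=server@server.com   # CN = host name clients connect to
        else
            cn=Dong; mail=dong@dong.com
        fi
        openssl genrsa -out "$base/$who/$who-key.pem" 2048 2>/dev/null
        openssl req -new -config "$base/ssl.cnf" -key "$base/$who/$who-key.pem" \
            -out "$base/$who/$who-req.csr" \
            -subj "/C=CN/ST=BJ/L=BJ/O=Tb/OU=Tb/CN=$cn/emailAddress=$mail"
        openssl x509 -req -in "$base/$who/$who-req.csr" -out "$base/$who/$who-cert.pem" \
            -CA "$base/ca/ca-cert.pem" -CAkey "$base/ca/ca-key.pem" -CAcreateserial \
            -days 3650 2>/dev/null
        openssl pkcs12 -export -clcerts -in "$base/$who/$who-cert.pem" \
            -inkey "$base/$who/$who-key.pem" -out "$base/$who/$who.p12" -passout "pass:$pw"
    done
}

# Succeeds only if the leaf certificate ($2 is server or client) chains to the CA;
# a leaf that was self-signed by mistake fails this check.
verify_leaf() {
    openssl verify -CAfile "$1/ca/ca-cert.pem" "$1/$2/$2-cert.pem" >/dev/null 2>&1
}

# Prints the commonName of a certificate's issuer, which shows which key signed it.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt multiline | awk '$1 == "commonName" { print $3 }'
}

if [ "${1:-}" != "" ]; then          # usage: sh mkpki.sh /home/ssl
    make_pki "$1"
    verify_leaf "$1" server && verify_leaf "$1" client && echo "server and client certificates chain to the CA"
fi
```

Run it as sh mkpki.sh /home/ssl to reproduce the layout used in the rest of this post. The verify_leaf check is the one worth keeping around: if it fails for a certificate, Tomcat's truststore (which holds only ca-cert.pem) will reject that certificate during the handshake, no matter what the browser shows.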

 

V. Generate a JKS file (Java keystore) from the CA certificate
keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem

 

VI. Configure Tomcat SSL
Edit conf/server.xml. Tomcat 6 adds the SSLEnabled="true" attribute. Set keystoreFile and truststoreFile to the correct paths (a relative path is resolved against $CATALINA_BASE); keystorePass must be the password given when server.p12 was exported (123456 above) and truststorePass the -storepass given to keytool.
Tomcat 5.5 configuration:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.p12" keystorePass="123456" keystoreType="PKCS12"
truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
Tomcat 6.0 configuration:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.p12" keystorePass="123456" keystoreType="PKCS12"
truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>

 

VII. Test (on Linux)
openssl s_client -connect localhost:8443 -cert /home/ssl/client/client-cert.pem -key /home/ssl/client/client-key.pem -tls1 -CAfile /home/ssl/ca/ca-cert.pem -state -showcerts

The handshake output should end with "Verify return code: 0 (ok)"; then type a request on the open connection, followed by an empty line:

GET /index.jsp HTTP/1.0

 

VIII. Import the certificates
On the server, import the server.p12 and ca.p12 certificates.
On the client, import the ca.p12 and client.p12 certificates.
IE (open IE -> Internet Options -> Content -> Certificates):

import ca.p12 into Trusted Root Certification Authorities and client.p12 into Personal.

Firefox (Tools -> Options -> Advanced -> Encryption -> View Certificates -> Your Certificates):

import ca.p12 and client.p12 here.

Note: the common names of the CA, server and client certificates (CA = CA, server = localhost, client = Dong) must differ from one another; otherwise SSL fails.

 

IX. Tomcat application authentication with the browser certificate

Change BASIC authentication to certificate authentication in server/webapps/manager/WEB-INF/web.xml:

<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>

Put the following in conf/tomcat-users.xml. The username is the client certificate's subject DN exactly as Java renders it (attributes in reverse order, separated by ", ", with upper-case keywords such as EMAILADDRESS), and the roles must match the rolename values declared above it:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager"/>
<role rolename="admin"/>
<role rolename="user"/>
<user username="EMAILADDRESS=dong@dong.com, CN=Dong, OU=Tb, O=Tb, L=BJ, ST=BJ, C=CN" password="null" roles="admin,user,manager"/>
</tomcat-users>
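The username above is easy to get wrong by hand: Tomcat compares the string returned by Java's X509Certificate.getSubjectDN().getName() character for character, so attribute order, the spacing after each comma and the EMAILADDRESS keyword all matter. The helper below is added here as an example and is not part of the original post; it prints the DN of a certificate file in that Java form and emits the matching <user> element. It assumes openssl is in PATH and that the DN contains only the attribute types used in this tutorial (C, ST, L, O, OU, CN, emailAddress), whose OpenSSL short names already match Java's keywords apart from the e-mail one; the role list is a constructed argument.

```shell
#!/bin/sh
# Added example, not code from the original post: prints a certificate's subject DN
# in the form Java's X509Certificate.getSubjectDN().getName() returns, which is the
# string Tomcat compares against the username in tomcat-users.xml for CLIENT-CERT
# authentication. Assumes openssl is in PATH; file paths and role lists are constructed.
set -eu

# Java lists the RDNs most-specific first, separates them with ", " and uses upper-case
# keywords. OpenSSL's dn_rev and sep_comma_plus_space name options give the same layout;
# for the attributes used in this tutorial only the e-mail keyword still differs
# (OpenSSL prints emailAddress, Java prints EMAILADDRESS).
java_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt dn_rev,sep_comma_plus_space \
        | sed -e 's/^subject= *//' -e 's/emailAddress=/EMAILADDRESS=/g'
}

# Emits the <user> element for tomcat-users.xml: $1 = certificate file, $2 = roles.
tomcat_user_element() {
    printf '<user username="%s" password="null" roles="%s"/>\n' "$(java_subject_dn "$1")" "$2"
}

if [ $# -ge 1 ]; then          # usage: sh tomcat-user.sh client/client-cert.pem admin,user,manager
    tomcat_user_element "$1" "${2:-admin,user,manager}"
fi
```

Running sh tomcat-user.sh /home/ssl/client/client-cert.pem admin,user,manager against the client certificate generated in section IV prints the <user> line shown above, ready to paste into tomcat-users.xml.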

 

Open https://localhost:8443 to verify that SSL works.

Open https://localhost:8443/manager/html to verify that the application authenticates the user with the client certificate.
