Date: 2005-08-01
Author: gauss
Category: security certificate

How to apply centralized authentication

I. Process for applying centralized authentication in the Label system:
(flow diagram not preserved)
II. Producing the server certificate (the generation process below was carried out on WebSphere 6.0)

1. Start -> Programs -> IBM HTTP Server -> Start Key Management Utility, which opens IKeyman.
   (figure not preserved)
2. Click "Key Database File" / New and select the key database type CMS.
3. Generate the server private key: click OK, and on the next screen enter a password, tick "Stash the password to a file?", and click OK. In the "Key database content" drop-down select "Personal Certificate Requests" and click New to generate a certificate request file; enter the relevant information and save it.
4. Submit the certificate request file to the CA so that the server certificate can be generated: send the generated certreq.arm to Xincheng Tong, who produce the server certificate.
5. Select the "Signer Certificates" option and import the CA root certificate: Signer Certificates -> Add, browse to the root certificate, and click OK.
6. Select the "Personal Certificates" option and import the certificate issued by the CA: Personal Certificates -> Receive, browse to the server certificate issued by Xincheng Tong, and click OK.
   This completes the production of the server certificate.
III. Configuring SSL

1. Modify IBMHttpServer/conf/httpd.conf and add the following at the bottom of the file:

    LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll
    Listen 80
    Listen 443
    KeyFile f:/new/key.kdb
    SSLDisable
    SSLV2Timeout 100
    SSLV3Timeout 1000
    ServerName Netsoft-4D52657
    <VirtualHost *:443>
    ServerName Netsoft-4D52657
    SSLEnable
    SSLClientAuth Optional
    </VirtualHost>

   Note that KeyFile is the key database file just generated with the IKeyman tool, and ServerName is the host name; the key file path and the server name (highlighted in the original) must be changed to match the actual environment. The VirtualHost address was lost from the original and is shown here as *:443, which matches the Listen 443 line.
2. The correctness of the configuration file can be tested with bin/apachectl configtest.
3. Start WebSphere with the bin/startServer.sh command.
4. In IE, open http://<host domain name>:9090/admin and log in to the administrative console as root.
5. Click Environment / Virtual Hosts, choose default_host, open the "Host Aliases" option and add port 443.
6. Click Environment / Update Web Server Plug-in and click OK to update the plug-in.
7. Restart WebSphere, then start the IBM HTTP Server with apachectl start.
8. In the client's IE, type https://<host domain name>/snoop in the address bar to test whether SSL is configured correctly.
IV. Client personal certificate

Download the personal certificate application form from Xincheng Tong's website, fill in the relevant details and send it to Xincheng Tong's staff, who produce the certificate. We used a soft certificate when testing centralized authentication. Attached is a personal certificate that I applied for.
V. Installing the authentication page

1. Copy the following files into the %WebSphere%/java/jre/lib/ext directory (these jar packages are in lib):
   comm.jar
   jcert.jar
   js.jar
   local_policy.jar
   rt.jar
   US_export_policy.jar
   am.jar
   jce1_2_2.jar
   jnet.jar
   jsse.jar
   poolman.jar
   sunjce_provider.jar
2. Copy cacerts to %WebSphere%/java/jre/security (this directory could not be found; what I believe is meant is %WebSphere%/java/jre/lib/security).
3. Modify the %WebSphere%/java/jre/security/java.security file (not found; what I believe is meant is %WebSphere%/java/jre/lib/security/java.security) and add
   security.provider.n=sun.security.provider.Sun
   where n is chosen according to the number of JCE providers already listed in the original file.
4. Copy the askaservice.property file to the %WebSphere%/property directory and modify it according to the actual deployment environment (the parameters are described in the comments inside the file).
5. Deploy auth.war into the virtual directory auth. The role of auth.war is as follows: when https://<host domain name>/default.jsp?id=label is called (id=label is a flag; see the parameter description for its exact definition), it reads the client's personal certificate information, connects to the authentication server to verify it, generates a tokenid, puts the tokenid into a cookie on the client, and forwards to the corresponding page, which is defined in askaserver.property.
6. Restart WebSphere.
VI. Parameters required to configure the authentication system (defined in the askaserver.property file)

1. login_failure: the URL shown after a login fails (we should set it to the home page).
2. maxage: the lifetime of the tokenid, in seconds; -1 means it is cleared when the current browser is closed.
3. domain: the domain name of the computer on which auth.war is deployed, i.e. the application system that is accessed after logging in.
4. askaservice.jsp must be placed in the same virtual directory as default.jsp.
5. propName: the name of the parameter passed from the first page to the authentication page. For example, we currently use id; of course it can be set to something else.
6. hosts: the IP of the authentication server.
7. Mappings between parameter values and actual URLs, for example:
   label=http://<host domain name>:9080/labelweb/
   In this system we need to define the mapping between the parameter and the actual URL:
   eplat=http://<host domain name>:9080/eplatformtestweb/login.jsp
VII. Deploy label.ear; refer to the Label deployment documentation.

VIII. Installing the client personal certificate

Double-click the personal certificate (XXXXXXX.xxx) and click "Next" all the way through until installation completes.
IX. Login process:

1. Open the system main page via the URL http://<host domain name>:9080/eplatformtestweb/ and log in. The following page appears: (figure not preserved)
2. Enter the system. Depending on your user type, select a different login portal; as shown above, the main page provides three different portals: acceptance-agency users, enterprises, and enterprise registration. Suppose we want to log in as an acceptance institution: click "Acceptance Organization Login". A certificate selection dialog pops up; select the certificate and click OK.
Note: the auth.war project connects to the authentication server to verify the certificate; if verification passes, it forwards to the main page of the Label system for the respective user type. We ran into some problems here: when the auth.war project executes
String tokenid = login.auth(clientID, request.getRemoteAddr());
the system reports an error, and this problem has not been resolved. We then used Xincheng Tong's authentication server and pointed auth.war at the entrance provided by Xincheng Tong,
https://demo.itownet.cn/auth/default.jsp?id=itown11
Although the certificate passed verification and the browser was forwarded to the corresponding page, no tokenid was obtained. After communicating with Xincheng Tong this problem still was not resolved; it is presumably a problem with the domain name. If their authentication server is adopted, you can continue to negotiate with Xincheng Tong. During our development I modified the auth.war package: the legality check was changed so that the certificate is no longer verified by the authentication server but directly against Xincheng Tong's root certificate, i.e. the personal certificate is verified with the root certificate to confirm that it was signed by this root certificate, that its validity period is in effect, and so on. After verification, the information from the personal certificate is put into a cookie. Where the system calls the interface provided by Xincheng Tong, we commented that method out and used a variant method instead: if the cookie contains the post-authentication information, you can log in to the system directly, and if not, you are returned to the main page of the system. Of course this method has many defects, but it is only our application during the development phase of the system. When it is really put into actual use, we only need to restore the call to Xincheng Tong's interface in LoginAction; nothing else needs to be modified.
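The default.jsp flow from V.5, using the local root-certificate check described in the note above instead of the vendor's authentication server, as an added Java example; this is not code from the original post or from auth.war. The root certificate file name rootca.arm, the cookie name tokenid, and the property keys it reads (propName, domain, maxage, login_failure and the label-to-URL mappings from VI) are assumptions drawn from this page's descriptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the original post or from auth.war. Assumed names:
// rootca.arm (the CA root certificate), the cookie "tokenid", and the keys
// propName, domain, maxage, login_failure plus label mappings in askaserver.property.
public class LocalCertAuth {
    private final X509Certificate root;
    private final Properties cfg;

    public LocalCertAuth(X509Certificate root, Properties cfg) {
        this.root = root;
        this.cfg = cfg;
    }

    // Reads the root certificate (DER or Base64 .arm) and the property file from disk.
    public static LocalCertAuth load(String rootPath, String propsPath)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(rootPath);
        X509Certificate root;
        try { root = (X509Certificate) cf.generateCertificate(in); } finally { in.close(); }
        Properties p = new Properties();
        in = new FileInputStream(propsPath);
        try { p.load(in); } finally { in.close(); }
        return new LocalCertAuth(root, p);
    }

    // True only if the client certificate names our root as its issuer, is inside
    // its validity period and carries a signature made with the root's key.
    // Revocation is not checked here; that is one of the defects the note admits.
    public boolean signedByRoot(X509Certificate client) {
        if (!client.getIssuerX500Principal().equals(root.getSubjectX500Principal())) {
            return false;
        }
        try {
            client.checkValidity();             // expired or not yet valid -> exception
            client.verify(root.getPublicKey()); // signature mismatch -> exception
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    // The certificate IBM HTTP Server passed through (SSLClientAuth Optional), or null.
    public static X509Certificate clientCert(HttpServletRequest req) {
        Object a = req.getAttribute("javax.servlet.request.X509Certificate");
        if (a instanceof X509Certificate[] && ((X509Certificate[]) a).length > 0) {
            return ((X509Certificate[]) a)[0];
        }
        return null;
    }

    // Maps the label carried by the id parameter to a URL listed in the property
    // file. Unknown labels and the configuration keys themselves fall back to
    // login_failure, so the parameter can never redirect to an unlisted address.
    public String targetFor(String label) {
        String fail = cfg.getProperty("login_failure");
        if (label == null || !label.matches("[A-Za-z0-9_]+")) {
            return fail;
        }
        String[] reserved = { "login_failure", "maxage", "domain", "hosts", "propName" };
        for (int i = 0; i < reserved.length; i++) {
            if (reserved[i].equals(label)) {
                return fail;
            }
        }
        String url = cfg.getProperty(label);
        return url == null ? fail : url;
    }

    // What default.jsp does in the variant described above: verify the client
    // certificate, store its information in a cookie, and forward to the mapped page.
    public void handle(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate client = clientCert(req);
        if (client == null || !signedByRoot(client)) {
            resp.sendRedirect(cfg.getProperty("login_failure"));
            return;
        }
        // The cookie holds the serial number of the verified certificate. Nothing
        // signs it, so a browser could forge it; the note above admits this defect.
        Cookie c = new Cookie("tokenid", client.getSerialNumber().toString(16));
        String domain = cfg.getProperty("domain");
        if (domain != null) {
            c.setDomain(domain);
        }
        c.setMaxAge(Integer.parseInt(cfg.getProperty("maxage", "-1").trim()));
        c.setPath("/");
        c.setSecure(true); // only ever sent back over the HTTPS virtual host
        resp.addCookie(c);
        resp.sendRedirect(targetFor(req.getParameter(cfg.getProperty("propName", "id"))));
    }
}
```

Call load() once at startup and handle() from the servlet or JSP behind default.jsp. Before this variant could replace the vendor's server outside a development environment, the cookie value would need to be signed or replaced by a server-side session, and a revocation check (CRL or OCSP) added to signedByRoot().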
With our approach, after the button in the figure is clicked, the following page appears: (figure not preserved)

Description: EPLATFORMTESTWEB is my own test project, "Electronic Platform J2EE Security System", which serves only as a reference for the framework of the electronic platform system.