A simple example of CA-based authentication


Date: 2005-08-01
Author: gauss
Category: security certificates

How to use centralized authentication

I. Centralized authentication flow for the Label (phase II) application:

II. Producing the server certificate (the steps below were carried out on WebSphere 6.0)

1. Start > Programs > IBM HTTP Server > Start Key Management Utility; this opens IKeyman (figure).

2. Click Key Database File / New and select CMS as the key database type.

3. Generate the server's private key: click OK; in the next dialog enter a password, tick "Stash the password to a file?" and click OK. In the "Key database content" drop-down select "Personal Certificate Requests" and click New to generate a certificate request file; enter the relevant information and save it.

4. Submit the certificate request file to the CA to obtain the server certificate: send the generated certreq.arm to Xin Chengtong (the CA), who issues the server certificate.

5. Select "Signer Certificates" and import the CA root certificate: Signer Certificates / Add, browse to the root certificate, click OK.

6. Select "Personal Certificates" and import the certificate issued by the CA: Personal Certificates / Receive, browse to the server certificate issued by Xin Chengtong, click OK.

This completes the server certificate.

III. Configuring SSL

1. Edit IBMHttpServer/conf/httpd.conf and add the following at the end of the file:

    LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll
    Listen 80
    Listen 443
    KeyFile f:/new/key.kdb
    SSLDisable
    SSLV2Timeout 100
    SSLV3Timeout 1000
    ServerName Netsoft-4D52657
    SSLEnable
    SSLClientAuth optional

The key file is the one just produced with IKeyman (its password is read from the stash file created next to it), and the server name is the host name; these two values must be changed to match the actual environment. In IBM HTTP Server, SSLEnable and SSLClientAuth are virtual-host directives and belong inside a <VirtualHost *:443> ... </VirtualHost> block together with ServerName, while the global SSLDisable keeps the port-80 server on plain HTTP. Two cautions: SSLClientAuth optional lets the handshake complete even when the browser presents no certificate, so the application (here Auth.war) must itself reject requests that arrive without one, whereas SSLClientAuth required makes the web server enforce it; and SSLV2Timeout/SSLV3Timeout only tune the session cache for those protocol versions, both of which are obsolete and should be switched off (SSLProtocolDisable SSLv2 SSLv3) on any current installation.

2. Check the configuration file with bin/apachectl configtest.

3. Start WebSphere with bin/startServer.sh.

4. In IE, open http://<host domain name>:9090/admin and log in to the administrative console as root. (9090/admin is the WebSphere 5.x console address; a stock WebSphere 6.0 installation serves the console on port 9060 under /ibm/console.)

5. Go to Environment / Virtual Hosts, choose default_host, open "Host Aliases" and add port 443.

6. Go to Environment / Update web server plugin and click OK to regenerate the plugin configuration.

7. Restart WebSphere, then start IBM HTTP Server with apachectl start.

8. In the client's IE, enter https://<host domain name>/snoop in the address bar to test whether SSL is configured correctly.

IV. Client personal certificate

Download the personal-certificate application form from Xin Chengtong's website, fill in the required details and send it to Xin Chengtong, who produces the certificate. For testing centralized authentication we used soft (file-based) certificates. A personal certificate I applied for is attached.

V. Installing the authentication page

1. Copy the following files into the %WebSphere%/java/jre/lib/ext directory (these jars are in lib):

    comm.jar
    jcert.jar
    js.jar
    local_policy.jar
    rt.jar
    US_export_policy.jar
    am.jar
    jce1_2_2.jar
    jnet.jar
    jsse.jar
    poolman.jar
    sunjce_provider.jar

Note that rt.jar, local_policy.jar and US_export_policy.jar are part of a JRE itself (the runtime classes and the JCE jurisdiction policy files); putting copies taken from a different JDK on the WebSphere JRE's extension path can break that runtime, so check where these copies came from before installing them.

2. Copy cacerts to %WebSphere%/java/jre/security (this directory did not exist; the one meant is %WebSphere%/java/jre/lib/security).

3. Edit %WebSphere%/java/jre/security/java.security (again not found; the file meant is %WebSphere%/java/jre/lib/security/java.security) and add

    security.provider.n=sun.security.provider.Sun

where n follows on from the number of JCE providers already listed in the file (i.e. it is the next free index).

4. Copy askaserver.property to the %WebSphere%/properties directory and modify it for the actual deployment environment (the parameters are described in comments in the file).

5. Deploy Auth.war with the virtual directory (context root) auth. Auth.war is invoked via https://<host domain name>/auth/default.jsp?id=label, where id=label is a tag (its exact meaning is given in the parameter description). It reads the client's personal certificate, connects to the authentication server to verify it, generates a tokenid, puts the tokenid into a cookie on the client and forwards to the corresponding page; which page that is, is defined in askaserver.property.

6. Restart WebSphere.

VI. Parameters the authentication system needs (defined in askaserver.property)

1. login_failure: the URL shown after a failed login (we set it to the home page).
2. maxage: lifetime of the tokenid in seconds; -1 means it is cleared when the current browser is closed.
3. domain: the domain name of the machine on which Auth.war is deployed; the application systems accessed after login are under this domain.
4. askaservice.jsp: must be placed in the same virtual directory as default.jsp.
5. propname: the name of the parameter the first page passes to the authentication page. We use id at the moment; it can of course be set to something else.
6. hosts: the IP address of the authentication server.
7. Mappings from parameter values to actual URLs, for example:

    label=http://<host domain name>:9080/labelweb/

   In this system we need to define the mapping

    eplat=http://<host domain name>:9080/EPlatformTestWeb/login.jsp

VII. Deploy Label.ear; refer to the Label deployment documentation.

VIII. Installing the client personal certificate

Double-click the personal certificate file XXXXXXX.xxx and click "Next" all the way through until it completes.

IX. Logging in

1. Open the system's main page via the URL http://<host domain name>:9080/EPlatformTestWeb/. The following page appears (figure).

2. Enter the system. Depending on your user type, choose the matching login portal; the main page above offers three: acceptance agency users, enterprises and enterprise registration. To log in as an acceptance agency, click "Acceptance Agency Login". A pop-up page appears (the certificate selection dialog): choose the certificate and click OK.

Note: Auth.war connects to the authentication server to verify the certificate and, if it passes, forwards to the main page of the Label system for the corresponding user type. We hit a problem here: when Auth.war executes

    String tokenid = login.auth(clientID, request.getRemoteAddr());

the system reports an error, and this has not yet been resolved. We therefore tried Xin Chengtong's own authentication server, pointing Auth.war at the entry point Xin Chengtong provides, https://demo.itownet.cn/auth/default.jsp?id=itown11. The certificate passed verification and the request was forwarded to the corresponding page, but no tokenid came back. After discussing it with Xin Chengtong the problem is still unresolved; our guess is that it is a domain-name issue. If the authentication server is to be used, this can be pursued further with Xin Chengtong.

For development I therefore modified the Auth.war package so that the validity check is done from the certificate itself rather than by the authentication server: the personal certificate is verified directly against Xin Chengtong's root certificate, that is, that it was signed by that root, that it is within its validity period, and so on. After verification the personal certificate's information is written into the cookie. Where the system calls the interface Xin Chengtong provides, that call is commented out and a variant is used instead: if the cookie already contains the post-authentication information, the user is logged straight into the system; otherwise they are sent back to the system's main page. This approach has many defects, but it is only what we use while the system is under development; for real use it is enough to re-enable Xin Chengtong's interface in LoginAction, and nothing else needs to change.
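The certificate check and the cookie token that the authentication page performs, and the local-verification workaround just described, as an added example in Go. This is not the Auth.war code and nothing in it comes from Xin Chengtong. The CA root and the personal certificate are generated in-process as test fixtures (an assumption made so the example runs offline; in the real setup both come from the CA), and the HMAC secret, the token format and the names newRootCA, issuePersonalCert, verifyPersonalCert, tokenID and parseTokenID are this example's own. In a servlet the certificate the web server forwarded is the javax.servlet.request.X509Certificate request attribute; here it is passed in directly. verifyPersonalCert does what the modified Auth.war does, chaining the personal certificate to the root and checking its validity period. The token part shows the one change that closes the biggest hole in the workaround: instead of the bare certificate details, the cookie carries the subject and an expiry (the maxage parameter) bound by an HMAC under a server-side key, so a client cannot write its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// must panics on fixture-setup errors; only the two certificate fixtures below use it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newRootCA: self-signed stand-in for the CA root ("signer certificate"). Test fixture only; the real root comes from the CA.
func newRootCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * 365 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issuePersonalCert plays the CA signing a personal (client) certificate; the validity window is a parameter so an expired one can be made.
func issuePersonalCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, from, to time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // fixture only; a real CA uses random serials
		Subject:      pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// verifyPersonalCert is the local check the modified Auth.war performs instead of calling the
// authentication server: signature chains to the trusted root, and the certificate is valid at 'now'.
func verifyPersonalCert(cert, root *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// tokenID is the cookie value: subject and expiry bound by an HMAC under a server-side secret, so the
// client can neither forge nor edit it (unlike the bare certificate details the workaround stores).
func tokenID(cn string, exp time.Time, secret []byte) string {
	payload := []byte(cn + "|" + strconv.FormatInt(exp.Unix(), 10))
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// parseTokenID checks the MAC before trusting the payload, then the expiry (maxage), and returns the subject.
func parseTokenID(token string, secret []byte, now time.Time) (string, error) {
	head, tail, _ := strings.Cut(token, ".") // a token without '.' yields an empty MAC and fails below
	payload, err1 := base64.RawURLEncoding.DecodeString(head)
	got, err2 := base64.RawURLEncoding.DecodeString(tail)
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	if err1 != nil || err2 != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return "", errors.New("bad token encoding or signature")
	}
	bar := strings.LastIndexByte(string(payload), '|')
	exp, err := strconv.ParseInt(string(payload[bar+1:]), 10, 64)
	if bar < 0 || err != nil || now.Unix() > exp {
		return "", errors.New("token malformed or expired")
	}
	return string(payload[:bar]), nil
}

func main() {
	now := time.Now()
	root, rootKey := newRootCA("Test Root CA")
	cert := issuePersonalCert(root, rootKey, "gauss", now.Add(-time.Hour), now.Add(24*time.Hour))
	cn, err := verifyPersonalCert(cert, root, now)
	secret := []byte("server-side secret: assumed here, never sent to the client")
	who, perr := parseTokenID(tokenID(cn, now.Add(30*time.Minute), secret), secret, now)
	fmt.Println("certificate subject:", cn, err, "| tokenid subject:", who, perr)
}
```

Run it with go run. The local check covers signature and validity period only; revocation is the one thing it cannot see and the CA's authentication server could. Because the web server is configured with SSLClientAuth optional, the servlet must also treat a request that carries no certificate as a failed login. Keep the id-to-URL mapping in askaserver.property as the only source of forward targets, falling back to login_failure for unknown ids, so the id parameter cannot be turned into an open redirect.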

With our approach, after the click shown in the figure, the following page appears.

Description: EPlatformTestWeb is a test project for the J2EE security subsystem of my own "Electronic Platform" application; it serves only as a reference for the framework of the electronic platform system.

Please credit the original URL when reposting: https://www.9cbs.com/read-130463.html
