How to configure Tomcat to support SSL
Wood (blog.9cbs.net/luckybeggar), MSN: luckybegar@21cn.com
Since I have chosen the distance, I only take care of the wind and rain!
Glossary:
1 SSL (Secure Sockets Layer):
Information sent across a network passes through other computers on its way to the destination. Normally these intermediate computers do not listen to the traffic, but they can, and during online banking or credit-card transactions such eavesdropping leads to the disclosure of personal data. Because of the way the Internet and intranets are built, someone can always read, and even replace, the information a user sends. As online payment grew, so did the demand for information security, so Netscape proposed the SSL protocol to give Web applications confidential and secure transfer of information over an open network (the Internet). The IETF (www.ietf.org) later standardised it as RFC 2246 under the name TLS (Transport Layer Security); technically, TLS 1.0 and SSL 3.0 differ very little.
SSL working principle:
The SSL protocol uses public-key (asymmetric) cryptography to protect the information exchanged in a session: it provides confidentiality and integrity for the transferred data, and it lets each party verify the identity of the other. Unlike the ordinary HTTP protocol, an SSL-secured connection to a website uses the HTTPS protocol, i.e. the address has the form https://ip:port/. When our browser establishes an HTTPS connection with a website, the browser and the web server first go through a handshake that performs identification and key exchange, and only then is the secure connection established. The process is as follows:
1. The user's browser sends its SSL version number, its cipher settings, session-related data and other necessary information to the server.
2. The server sends its SSL version number, its cipher settings, session-related data and other necessary information to the browser, together with the server's certificate. If the server's SSL configuration requires the user's identity to be verified, it also sends a request asking the browser to provide a user certificate.
3. The client checks the server certificate. If the check fails, the user is told that an SSL connection cannot be established; if it succeeds, the handshake continues.
4. The client browser generates a pre-master secret for this session, encrypts it with the server's public key, and sends it to the server.
5. If the server requires client authentication, the client also signs a piece of data and sends the signature to the server together with the client certificate.
6. If the server requires client authentication, it checks whether the CA that issued the client certificate is trusted; if the CA is not in its trust list, the session ends. If the check passes, the server decrypts the received pre-master secret with its own private key and uses it, through a set of algorithms, to generate the master secret of this session.
7. The client and the server both use this master secret to generate the session key (a symmetric key) for this session. This session key is used for all traffic after the SSL handshake has ended. The main reason is that symmetric encryption is far cheaper computationally than asymmetric encryption, which greatly improves the speed of the session for both parties.
8. The client notifies the server that messages sent from now on will be encrypted with this session key, and tells the server that the client has completed its part of the SSL handshake.
9. The server notifies the client that messages sent from now on will be encrypted with this session key, and tells the client that the server has completed its part of the SSL handshake.
10. The handshake ends and the session is established. Both sides use the same session key to encrypt the information they send and to decrypt the information they receive.
2 JSSE (Java Secure Socket Extension):
The Java API that adds SSL support to Java programs.
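Steps 6 and 7 of the handshake above say the master secret and the session key are derived "through some algorithms". For the TLS 1.0 that the glossary cites (RFC 2246), that algorithm is the PRF of section 5. The following program is an added example written for this page, not code from the original post or from Tomcat/JSSE: it implements that PRF with the JDK's standard HmacMD5 and HmacSHA1 and derives the master secret and key block from constructed, fixed inputs (a 48-byte pre-master secret and two 32-byte Hello randoms; real handshakes use fresh random values).

```java
// Added example (not from the original post): the TLS 1.0 PRF of RFC 2246 section 5,
// used in handshake steps 6-7 to turn the pre-master secret into the master secret
// and the master secret into the session keys. Inputs are constructed fixed bytes so
// that the run is reproducible.
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;

public class Tls10Prf {

    // P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    // where A(0) = seed and A(i) = HMAC(secret, A(i-1)); the output is cut to len bytes.
    static byte[] pHash(String hmacAlg, byte[] secret, byte[] seed, int len) throws Exception {
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(secret, hmacAlg));
        byte[] out = new byte[len];
        byte[] a = seed;                       // A(0)
        int filled = 0;
        while (filled < len) {
            a = mac.doFinal(a);                // A(i) = HMAC(secret, A(i-1)); doFinal resets the Mac
            mac.update(a);
            byte[] block = mac.doFinal(seed);  // HMAC(secret, A(i) + seed)
            int n = Math.min(block.length, len - filled);
            System.arraycopy(block, 0, out, filled, n);
            filled += n;
        }
        return out;
    }

    // PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
    // S1 is the first half of the secret, S2 the second half (they overlap by one byte
    // when the secret has an odd length).
    static byte[] prf(byte[] secret, String label, byte[] seed, int len) throws Exception {
        int half = (secret.length + 1) / 2;
        byte[] s1 = Arrays.copyOfRange(secret, 0, half);
        byte[] s2 = Arrays.copyOfRange(secret, secret.length - half, secret.length);
        byte[] labelSeed = concat(label.getBytes("US-ASCII"), seed);
        byte[] md5 = pHash("HmacMD5", s1, labelSeed, len);
        byte[] sha = pHash("HmacSHA1", s2, labelSeed, len);
        byte[] out = new byte[len];
        for (int i = 0; i < len; i++) out[i] = (byte) (md5[i] ^ sha[i]);
        return out;
    }

    // Step 6: master_secret = PRF(pre_master_secret, "master secret",
    //                             ClientHello.random + ServerHello.random)[0..47]
    static byte[] masterSecret(byte[] preMaster, byte[] clientRandom, byte[] serverRandom) throws Exception {
        return prf(preMaster, "master secret", concat(clientRandom, serverRandom), 48);
    }

    // Step 7: key_block = PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random)
    // (note the reversed order of the randoms); the block is then cut into the MAC keys,
    // write keys and IVs for both directions.
    static byte[] keyBlock(byte[] master, byte[] clientRandom, byte[] serverRandom, int len) throws Exception {
        return prf(master, "key expansion", concat(serverRandom, clientRandom), len);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] r = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, r, a.length, b.length);
        return r;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: in TLS 1.0 the 48-byte pre-master secret starts with the
        // client's protocol version (03 01); the Hello randoms are 32 bytes each.
        byte[] preMaster = new byte[48];
        preMaster[0] = 0x03; preMaster[1] = 0x01;
        for (int i = 2; i < 48; i++) preMaster[i] = (byte) i;
        byte[] clientRandom = new byte[32];
        byte[] serverRandom = new byte[32];
        Arrays.fill(clientRandom, (byte) 0xc1);
        Arrays.fill(serverRandom, (byte) 0x5e);

        // After step 6 both sides hold the same three inputs, so both derive the same master secret.
        byte[] clientSide = masterSecret(preMaster, clientRandom, serverRandom);
        byte[] serverSide = masterSecret(preMaster, clientRandom, serverRandom);
        System.out.println("master secrets agree: " + Arrays.equals(clientSide, serverSide));
        System.out.println("master secret: " + hex(clientSide));
        // 104 bytes = 2 x 20-byte SHA-1 MAC keys + 2 x 24-byte 3DES keys + 2 x 8-byte IVs,
        // i.e. the key block of the TLS_RSA_WITH_3DES_EDE_CBC_SHA suite.
        System.out.println("key block: " + hex(keyBlock(clientSide, clientRandom, serverRandom, 104)));
    }
}
```

The point of the split into S1/S2 and the two HMAC chains is that an attacker who could break either MD5 or SHA-1 alone still cannot predict the output; the session key itself is never transmitted, only the RSA-encrypted pre-master secret of step 4, which is why the server's private key must stay protected in the keystore described below.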
3 Keystore
Java keeps its keys (key pairs), certificates and similar material in a file. One file can hold several key pairs and certificates, and each key pair or certificate is distinguished by an alias. The file that stores this information is called a keystore.
4 Keytool
The tool that comes with the JDK for managing keystores. Preparation before use:
1. Make sure that JDK 1.2 or later is installed (java -version); if it is already installed, check whether the following steps are needed at all.
2. Download JSSE from http://java.sun.com/products/jsse/index-102.html (note: JDK 1.4 and later already integrate JSSE, so no download is needed). Usually only the global version can be downloaded (there is also a US/Canada version whose encryption key length is not restricted).
3. Install JSSE: copy lib/*.jar from the JSSE package to JAVA_HOME/jre/lib/ext/ and add them to the CLASSPATH (this step is very important).
4. Edit the file JAVA_HOME/jre/lib/security/java.security and add:
   security.provider.1=sun.security.provider.Sun (the system usually already has this line)
   security.provider.2=com.sun.net.ssl.internal.ssl.Provider
   (the number 2 should be one more than the highest provider number already present on your system, so it is not necessarily 2; it is common, however, to give it priority 2 and renumber the others.)
5. Make sure that your system has one of the following files: 1) JAVA_HOME/jre/lib/security/jssecacerts or 2) JAVA_HOME/jre/lib/security/cacerts
Applying for a server certificate:
1 Establish a directory for the relevant information related information
For example: c:/myserverkey
2 In a DOS window, type the following command to generate the .keystore file:
%JAVA_HOME%/bin/keytool -genkey -alias tomcattest -keyalg RSA -keystore c:/myserverkey/serverkey.keystore
You will be prompted to enter a password that protects the keystore.
Note: for the name, enter the domain name; the country code for China is CN.
-alias tomcattest: tomcattest is an alias and can be any name you choose.
Confirm that the file serverkey.keystore has been generated in the c:/myserverkey directory. (Picture 1)
3 Generate a Certificate Signing Request (CSR) to apply to the CA for a valid server certificate:
%JAVA_HOME%/bin/keytool -certreq -keyalg RSA -alias tomcattest -file c:/myserverkey/certreq.csr -storepass lxz2003 -keystore c:/myserverkey/serverkey.keystore
Explanation of the command line:
-alias tomcattest: the alias used when the keystore was generated
-storepass: the password for accessing the keystore
-file certreq.csr: the file in which the generated certificate request is stored
In the c:/myserverkey directory, open the file certreq.csr with a plain text editor (such as notepad.exe or UltraEdit.exe). Do not use Word or another word processor that applies its own formatting, because it may change the contents or the way the information is stored. The content looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBQJCCARMCAQAWAJELMAKGA1UEBHMCQ04XEJAQBGNVBAGTCWD1YW5NZG9UC2HLBNPOZW4XDZANBGNVBAOTBMJ5DHRLCJEPMA0GA1UECXMGYNL0DGVYMRIWEAY
MC4WLJEWGZ8WDQYJKOZIHVCNAQEBBQADGY0AMIGJAOGBALKNSEFGVD4KHKGKFY
PP7CTQ4WMQR807Q JoeQQu78HWD4DD8I4R7FG6PL6GGMHUOVG S7J59QF S9pdum / SJ5EX
Im5skhiyssigsdwmy / mml2u212aenkxr2bzrwtt0ouv1yhvcme6cmifqkce51r3ag
BGKQHKIG9W0BAQQFAAOBGQBOQ79RHMT2YO1B2EZUBAV6IEYMLGVYXDID / SU8UPKW0
RPDPPEQJOPKDNQW1GXYU5ZXHEWMCH7K4P / R2NNF2CVZS3HGVESWX2 / CJDO2Q246EOZQY /
LFAUQDBVQCEVS29Z / 0TL H6GECSQU / P6WVVOZ0MFA ==
-----END NEW CERTIFICATE REQUEST-----
4 Log in to the CA's website, submit the certificate request, register the related information and generate the server certificate (this note demonstrates applying for a trial server certificate; the application website is http://www.cnca.net).
Enter the page for applying for a server certificate, circled in the figure. (Picture 2)
On the first application you must install the certificate chain; after it is installed, follow the on-screen prompts to continue. (Picture 3)
Fill in the basic information (note: the domain name or IP address, and the administrator's e-mail address). (Picture 4)
Fill in the other information and the contact details (note: the web server type is Apache). (Picture 5)
Submit the certificate request information: paste the certificate request (certreq.csr) into the text box. (Picture 6)
Receive the service acceptance number. (Picture 7)
Using the service acceptance number and the password sent to the administrator's mailbox, install the certificate. (Picture 8)
Save the certificate to the specified directory; the certificate application is complete. (Picture 9)
5 Install the CA certificate chain that issued the server certificate:
The certificate chain is delivered as the file ServerRoot.p7b. Double-click the file to export the CA certificates contained in the chain: select one of the certificates and choose Export under All Tasks. (Picture 10)
Follow the on-screen prompts (note: choose "Base64 encoded X.509 (.CER)" as the export format). (Picture 11) Choose the save path and file name (such as rootca.cer) to complete the export, then export the other certificate in the same way and save it as serverca.cer.
6 Import the trusted root certificate of the chain into the JDK's trust keystore (cacerts; its default password is changeit):
%JAVA_HOME%/bin/keytool -import -alias root -storepass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts -trustcacerts -file rootca.cer
7 Import the trusted server CA certificate into the same trust keystore:
%JAVA_HOME%/bin/keytool -import -alias serverca -storepass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts -trustcacerts -file serverca.cer
8 Import the server certificate into your .keystore file. Use the same alias as the key pair (tomcattest), so that keytool treats the certificate as the CA's reply for that key and replaces the self-signed certificate created in step 2 with the issued chain:
%JAVA_HOME%/bin/keytool -import -alias tomcattest -storepass lxz2003 -keystore c:/myserverkey/serverkey.keystore -trustcacerts -file server.cer
9 Verify the key pair and the CA certificates in the keystore:
%JAVA_HOME%/bin/keytool -list -v -alias tomcattest -storepass lxz2003 -keystore c:/myserverkey/serverkey.keystore
The screen output is as shown. (Picture 12)
9 Configure the server (Tomcat) to enable the SSL service
Open the file conf/server.xml under the Tomcat installation directory, find the following text, remove the comment markers around it, and modify it as follows (the className values, shown here as "...", are the ones already present in server.xml; leave them unchanged):
    <Connector className="..."
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0"
               scheme="https" secure="true"
               useURIValidationHack="true">
      <Factory className="..."
               clientAuth="false" protocol="TLS"
               keystoreFile="c:/myserverkey/serverkey.keystore" keystorePass="lxz2003" />
    </Connector>
Description of the attributes:
className - name of the implementing class; do not change the default value
clientAuth - true: a client accessing over SSL must present a client certificate; false: it need not
keystoreFile - location of the .keystore file
keystorePass - password for accessing the .keystore file
protocol - the encryption/decryption protocol; do not modify the default value
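Before restarting Tomcat it is worth checking, programmatically, the keystore that keystoreFile and keystorePass point to: that the alias holds a private key, that the issued chain (not the self-signed certificate from step 2) is in place, that every certificate is currently valid, and that the chain is anchored in the cacerts truststore the CA certificates were imported into. The program below is an added example written for this page, not code from the original post or from Tomcat; it uses the JDK's KeyStore API and the paths, alias and passwords from this post, which you should replace with your own.

```java
// Added example (not part of the original post): verify the keystore referenced by the
// Factory's keystoreFile/keystorePass attributes before Tomcat is restarted.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class CheckServerKeystore {

    // Returns a one-line verdict for one alias; throws if a keystore cannot be opened.
    static String check(String keystoreFile, String storePass, String alias,
                        String cacertsFile, String cacertsPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(keystoreFile), storePass.toCharArray());

        // Tomcat needs a private key under this alias to complete the handshake; a
        // certificate imported under a new alias becomes a trusted-cert entry instead.
        if (!ks.isKeyEntry(alias)) {
            return "FAIL: alias '" + alias + "' is not a key entry (server cert imported under the wrong alias?)";
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "FAIL: alias '" + alias + "' has no certificate chain";
        }
        // A single self-signed certificate means the CA reply of step 8 was never imported.
        X509Certificate leaf = (X509Certificate) chain[0];
        if (chain.length == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            return "WARN: only the self-signed certificate from -genkey is present; browsers will warn";
        }
        // Every certificate in the chain must be inside its validity period right now.
        for (Certificate c : chain) {
            ((X509Certificate) c).checkValidity();   // throws CertificateExpiredException etc.
        }
        // Each certificate must be signed by the next one up (the chain built in steps 6-8).
        for (int i = 0; i + 1 < chain.length; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());
        }
        // The top of the chain must be issued by (or be) a certificate in cacerts.
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(new FileInputStream(cacertsFile), cacertsPass.toCharArray());
        boolean anchored = false;
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            Certificate anchor = trust.getCertificate(e.nextElement());
            if (anchor == null) continue;
            try {
                top.verify(anchor.getPublicKey());   // a self-signed root verifies with its own key
                anchored = true;
                break;
            } catch (Exception notThisAnchor) {
                // not signed by this trust anchor; try the next one
            }
        }
        if (!anchored) {
            return "FAIL: chain for '" + alias + "' is not issued by any certificate in " + cacertsFile;
        }
        return "OK: " + leaf.getSubjectX500Principal() + " (chain length " + chain.length
             + ", expires " + leaf.getNotAfter() + ", anchored in cacerts)";
    }

    public static void main(String[] args) throws Exception {
        // java.home is the JRE directory, so this is JAVA_HOME/jre/lib/security/cacerts
        // on the JDK layout used in this post.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        System.out.println(check("c:/myserverkey/serverkey.keystore", "lxz2003", "tomcattest",
                                 cacerts, "changeit"));
    }
}
```

A WARN result is the usual cause of the browser certificate warning in step 10: the import of step 8 was done under an alias other than tomcattest, so the self-signed certificate is still what Tomcat serves.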
10 Test that the server certificate was installed successfully
Restart Tomcat, open IE and enter https://127.0.0.1:8443/index.jsp in the address bar. If the following appears, the Tomcat server certificate has been configured successfully. (Picture 13) Double-click the circled part to display the certificate information. (Picture 14)
If you change clientAuth="false" to "true" in Tomcat's server.xml, the client must apply for a client certificate; without a client certificate, access is denied and the following page is shown (setting it to true is preferable). (Picture 15)
How to apply for a client certificate:
1 Install the client CA certificate chain
Log in to http://www.cnca.net with IE and download the certificate chain for client certificates (client certificates include personal certificates, organisation certificates and organisation employee certificates); the CA system installs the certificate chain automatically. (Picture 16) Click to install the certificate chain and choose "Yes" at the prompt. (Picture 17) Once the chain is installed successfully, the website asks you to enter the application. (Picture 18) Select the cryptographic service provider and the key length:
If your private key and digital certificate are to be stored on the local computer (Microsoft Base Cryptographic Provider 1.0 or Microsoft Enhanced Cryptographic Provider 1.0), a key length of 1024 is the best choice. If another device is used to store the private key and digital certificate, refer to the table further down the page to select the appropriate options. (Picture 19) Fill in the supplementary information and choose "Yes" in the warning box that pops up. The service acceptance number is displayed; select "Install certificate", open your e-mail, find the service acceptance number and the password, enter them in the page's input boxes, choose "Yes" in the warning box that pops up, and the certificate installation continues until you are told that the certificate has been installed.
In IE, open the Certificates dialog: if a personal certificate is listed there, the client certificate was installed successfully, and you can now access the application through https://ip:8443. (Picture 21) Obtain the service acceptance number. (Picture 22) Display the certificate information and the warning box. (Picture 23) Certificate downloaded successfully. (Picture 24) Confirm that the certificate is installed into the system. (Picture 25)
Collected by: Muzi
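The browser test of step 10, and the clientAuth="true" case just described, can also be repeated from the command line, which makes the reason for a failure visible instead of a browser error page. The program below is an added example written for this page, not code from the original post or from Tomcat/JSSE. It connects to the SSL connector with JSSE, trusting the default cacerts/jssecacerts truststore into which the root and server CA certificates were imported in steps 6 and 7, and reports the negotiated protocol, cipher suite and server certificate. For clientAuth="true" it takes, as assumed extra arguments, a keystore holding the client certificate with its private key (the client certificate installed into IE can be exported from IE's certificate store as a PKCS#12 .pfx file together with its private key) and that keystore's password.

```java
// Added example (not from the original post): repeat the step-10 test with JSSE and
// optionally present a client certificate for a connector with clientAuth="true".
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class TomcatSslCheck {

    // Builds an SSLContext that uses the default trust managers (cacerts/jssecacerts, or
    // -Djavax.net.ssl.trustStore) and, if given, a client keystore for clientAuth="true".
    static SSLContext buildContext(String clientKeystore, String clientPass) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        if (clientKeystore == null) {
            ctx.init(null, null, null);   // no client certificate, default trust
            return ctx;
        }
        String lower = clientKeystore.toLowerCase();
        String type = (lower.endsWith(".p12") || lower.endsWith(".pfx")) ? "PKCS12" : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(new FileInputStream(clientKeystore), clientPass.toCharArray());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, clientPass.toCharArray());
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Runs the handshake and returns a one-line report. A failed handshake is returned as
    // text rather than thrown so that the cause (untrusted CA, missing client certificate,
    // expired certificate) is readable by the operator.
    static String probe(String host, int port, String clientKeystore, String clientPass) throws Exception {
        SSLContext ctx = buildContext(clientKeystore, clientPass);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();   // the ten handshake steps from the glossary
            Certificate[] peer = s.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) peer[0];
            return "OK " + s.getSession().getProtocol() + " " + s.getSession().getCipherSuite()
                 + " server=" + leaf.getSubjectX500Principal()
                 + " issuer=" + leaf.getIssuerX500Principal()
                 + " notAfter=" + leaf.getNotAfter();
        } catch (SSLHandshakeException e) {
            // Typical messages: a certification-path error when the CA chain was not imported
            // into cacerts (steps 6-7), or a handshake/bad-certificate alert when the server has
            // clientAuth="true" and no client certificate was offered.
            return "HANDSHAKE FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        // Assumed optional arguments for clientAuth="true": the exported client keystore and its password.
        String clientKeystore = args.length > 2 ? args[2] : null;
        String clientPass = args.length > 3 ? args[3] : null;
        System.out.println(probe(host, port, clientKeystore, clientPass));
    }
}
```

Run it once without the client keystore against a connector with clientAuth="false" (expect an OK line), then switch the connector to clientAuth="true" and run it both without and with the keystore: the first run should fail in the handshake and the second should succeed, which confirms that the server really enforces the client certificate rather than merely requesting it.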