Plenty has already been written about configuring Tomcat 4 for one-way SSL authentication (server certificate only), and that setup is relatively simple. Configuring two-way SSL authentication, in which the client's personal certificate is verified as well, is far less documented, and it additionally requires obtaining a personal certificate from a CA. By exploring a few SSL tools, the author implemented simple CA functionality locally and, on that basis, configured Tomcat's two-way authentication successfully; this article shares that experience. Given the author's level, the article will contain mistakes and imprecisions, for which the author asks the reader's understanding.
1. Tomcat Introduction
Tomcat is one of the sub-projects of Apache Jakarta. As an excellent open-source web application server it fully supports the JSP 1.2 and Servlet 2.3 specifications. Because its technology is advanced, its performance stable and it is free, it has been adopted by Java enthusiasts and recognised by many software developers, making it a popular web application server.
2. SSL (Secure Sockets Layer) Introduction
Information travelling over a network passes through other computers between its source and its destination. Normally those intermediate computers do not eavesdrop, but they can, for instance during online banking or credit card transactions, and personal privacy may be disclosed as a result. Because of the architecture of the Internet and of intranets, someone can always read and replace the information a user sends. As online payment keeps developing, people's requirements for information security keep rising. Netscape therefore proposed the SSL protocol, which is now widely used on the Web to transfer information securely and confidentially over an open network (the Internet). The IETF (www.ietf.org) later standardised it as RFC 2246 under the name TLS (Transport Layer Security); technically, the differences between TLS 1.0 and SSL 3.0 are very small.
3. SSL Working Principle
The SSL protocol uses asymmetric (public-key) encryption to protect the information exchanged between the two parties of a session: it provides confidentiality and integrity for the transferred information, and each party can verify the identity of the other. Unlike the commonly used HTTP protocol, when we establish an SSL secure connection to a website we use the HTTPS protocol, that is, addresses of the form https://ip:port/.
When we establish an HTTPS connection to a website, the browser and the web server go through a handshake process to complete identity verification and key exchange, and only then is the secure connection established. The specific process is as follows:
(1) The browser sends the server its SSL version number, cipher settings, session-related data and other necessary information.
(2) The server sends the browser its SSL version number, cipher settings, session-related data and other necessary information, together with its certificate. If the server's SSL configuration requires verification of the user's identity, it also sends a request asking the browser to provide a user certificate.
(3) The client checks the server certificate. If the check fails, it reports that an SSL connection cannot be established; if it succeeds, the handshake continues.
(4) The client browser generates the pre-master secret for this session and encrypts it with the server's public key. If the server requires client authentication, the client also signs another piece of data and sends it to the server together with the client certificate.
(5) If the server requires client authentication, it checks whether the CA that issued the client certificate is trusted. If the CA is not in the trust list, the session is ended. If the check passes, the server decrypts the received pre-master secret with its own private key and derives the master secret of this session from it through a series of algorithms.
(6) Both the client and the server use this master secret to generate the session key (a symmetric key) for this session, and this session key is used after the SSL handshake ends. The main reason is that symmetric encryption costs far less than asymmetric encryption, which greatly improves computation speed while the two parties communicate.
(7) The client notifies the server that the messages it sends from now on will be encrypted with this session key, and that the client has completed the SSL handshake.
(8) The server notifies the client that the messages it sends from now on will be encrypted with this session key, and that the server has completed the SSL handshake.
(9) The handshake ends and the session is established. Both sides use the same session key to encrypt and decrypt the information they send and receive.

4. Configure Tomcat 4.x to Use SSL
4.1 Packages used
Tomcat 4.0.2. Use: web server. Download: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/bin/
JSSE 1.0.2. Use: generating the keystore used by Tomcat. Download: http://java.sun.com/products/jsse/
OpenSSL 0.9.9.6. Use: generating the CA certificate, signing certificates, and generating the PKCS#12 format private key that IE can import. Download: http://www.openssl.org/
For the installation of the above tools, refer to their own documentation; this article does not describe it in detail.
4.2 Establishing Your Own CA
4.2.1 Create a working directory
    mkdir ca
4.2.2 Generate a CA private key and a self-signed root certificate
4.2.2.1 Generate the CA private key
    openssl genrsa -out ca/ca-key.pem 1024
4.2.2.2 Generate a certificate request for the CA
    openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
4.2.2.3 Self-sign the request with the CA private key
    openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365
4.3 Setting Up Tomcat 4.x
In this article the symbol %JDK_HOME% represents the JDK installation directory and the symbol %TCAT_HOME% represents the Tomcat installation directory.
4.3.1 Create a working directory
    mkdir server
4.3.2 Generate the server-side certificate
4.3.2.1 Generate a key pair
    %JDK_HOME%/bin/keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost,ou=department,o=Company,l=Beijing,st=beijing,c=cn" -keystore server/server_keystore
4.3.2.2 Generate a certificate request
    %JDK_HOME%/bin/keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server/server.csr -keypass changeit -keystore server/server_keystore -storepass changeit
4.3.2.3 Sign the request with the CA private key
    openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365
(-CAcreateserial creates the serial-number file ca/ca-cert.srl on the first signing; without it OpenSSL aborts because no serial file exists yet.)
4.3.2.4 Import the trusted CA root certificate into the JSSE default truststore (%JDK_HOME%/jre/lib/security/cacerts)
    %JDK_HOME%/bin/keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca/ca-cert.pem -keystore %JDK_HOME%/jre/lib/security/cacerts
4.3.2.5 Import the CA-signed server certificate into the keystore
    %JDK_HOME%/bin/keytool -import -trustcacerts -storepass changeit -alias tomcat_server -file server/server-cert.pem -keystore server/server_keystore
(-trustcacerts lets keytool find the CA certificate imported in 4.3.2.4 when it validates the certificate reply; without it the import fails because the chain cannot be established.)
4.3.2.6 View the server-side certificate
    keytool -list -keystore %JDK_HOME%/jre/lib/security/cacerts
    keytool -list -keystore server/server_keystore
4.3.3 Modify server.xml so that Tomcat supports SSL
First find the following section in %TCAT_HOME%/conf/server.xml and remove the comment markers around it. Then change the attributes clientAuth, keystoreFile and keystorePass as shown below. If Tomcat should not verify the client's identity, set clientAuth="false".

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="true" protocol="TLS"
               keystoreFile="%TCAT_HOME%/conf/server_keystore"
               keystorePass="changeit"/>
    </Connector>

Then copy the file server/server_keystore into the directory %TCAT_HOME%/conf/.

4.4 Installing a Personal Certificate in IE
4.4.1 Create a working directory
    mkdir client
4.4.2 Generate a client private key and sign it with the CA private key
4.4.2.1 Generate the client private key
    openssl genrsa -out client/client-key.pem 1024
4.4.2.2 Generate a certificate request
    openssl req -new -out client/client-req.csr -key client/client-key.pem
4.4.2.3 Sign the request with the CA private key
    openssl x509 -req -in client/client-req.csr -out client/client.crt -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365
(Do not add -signkey here: when both -signkey and -CA are given, openssl x509 takes the -signkey path and produces a self-signed certificate instead of one issued by the CA.)
4.4.2.4 Generate the client-side PKCS#12 file
Because JSSE 1.0.2 does not fully implement the PKCS#12 format (it can only read such files, not write them), the client-side PKCS#12 file (which contains the private key) has to be created with OpenSSL:
    openssl pkcs12 -export -clcerts -in client/client.crt -inkey client/client-key.pem -out client/client.p12
4.4.2.5 Install the trusted root certificate
Rename ca/ca-cert.pem to ca/ca-cert.cer and import it in IE on the client through Tools, Internet Options, Certificates, Import, so that our CA root certificate becomes a CA trusted by the user. Only the certificate is imported; ca/ca-key.pem is the CA's private key and must never be copied to clients.
4.4.3 Install the personal certificate
Import client.p12 into IE on the client as a personal certificate; the import procedure is the same as in 4.4.2.5.

4.5 Accessing Tomcat over SSL with the IE Browser
4.5.1 Start Tomcat 4.x
Run %TCAT_HOME%/bin/startup.bat to start Tomcat 4.x.
4.5.2 Access Tomcat 4.x with IE
Enter https://localhost:8443 in the IE address bar. If the previous steps were carried out correctly, you should see the Tomcat welcome page.
At the same time, the small lock on the status bar is closed, indicating that you have successfully established an SSL secure connection with the server that requires client authentication.

5. Conclusion
Above we have gone through the entire process of making Tomcat 4.x use SSL with client verification. Other servers, such as Apache, Netscape Enterprise Server, WebSphere and WebLogic, usually differ only slightly in how the server-side certificate is stored; their principles are similar, and the corresponding adjustments can be made by following the approach in this article.
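The following script is an added example and is not part of the original article. It runs the OpenSSL steps of sections 4.2.2, 4.3.2.3 and 4.4.2 end to end in the article's ca/, server/ and client/ layout (generating the server key with OpenSSL rather than keytool, so it runs without a JDK), and then performs the check that handshake step (5) performs and that the article never shows: that each issued certificate really chains to our CA, and that a certificate carrying the same name but issued from an unrelated key does not. Everything beyond the article's commands is an assumption: OpenSSL 1.1 or 3.x, 2048-bit keys instead of 1024-bit ones, the constructed subject names, the extension profiles, and the helper names write_ext_files, issue, build_pki, chains_to_ca and rogue_cert.

```shell
#!/bin/sh
# Added example, not from the original article: the OpenSSL half of
# sections 4.2.2, 4.3.2.3 and 4.4.2 as one non-interactive script, plus a
# chain verification step. Assumptions (not from the article): OpenSSL 1.1
# or 3.x, 2048-bit keys (1024-bit RSA is rejected by current browsers and
# JSSE), the constructed subject names below, and the article's "changeit"
# password for the PKCS#12 bundle.
set -eu

# Constructed sample subject names in the article's DN layout.
CA_SUBJ="/C=cn/ST=beijing/L=Beijing/O=Company/OU=department/CN=Local Root CA"
SERVER_SUBJ="/C=cn/ST=beijing/L=Beijing/O=Company/OU=department/CN=localhost"
CLIENT_SUBJ="/C=cn/ST=beijing/L=Beijing/O=Company/OU=department/CN=user1"

# Extension profiles for "openssl x509 -extfile". The article's certificates
# carry no extensions; without basicConstraints=CA:TRUE current OpenSSL
# does not accept the root as a CA, and without subjectAltName current
# browsers do not accept the server certificate for localhost.
write_ext_files() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' >"$1/server.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$1/client.ext"
}

# issue DIR NAME SUBJECT OUTFILE: generate a key and CSR for NAME under
# DIR/NAME and have the CA in DIR/ca sign it (steps 4.3.2.3 and 4.4.2.1-3).
issue() {
    dir=$1; name=$2; subj=$3; out=$4
    openssl genrsa -out "$dir/$name/$name-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/$name/$name-key.pem" -subj "$subj" \
        -out "$dir/$name/$name-req.csr"
    # No -signkey here: with -CA it would silently produce a self-signed cert.
    openssl x509 -req -in "$dir/$name/$name-req.csr" \
        -CA "$dir/ca/ca-cert.pem" -CAkey "$dir/ca/ca-key.pem" -CAcreateserial \
        -days 365 -extfile "$dir/$name.ext" -out "$out" 2>/dev/null
}

# build_pki DIR: create ca/, server/ and client/ under DIR as the article
# lays them out, plus the client PKCS#12 bundle of step 4.4.2.4.
build_pki() {
    dir=$1
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"
    write_ext_files "$dir"
    # 4.2.2: CA private key, request and self-signed root certificate
    openssl genrsa -out "$dir/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/ca/ca-key.pem" -subj "$CA_SUBJ" -out "$dir/ca/ca-req.csr"
    openssl x509 -req -in "$dir/ca/ca-req.csr" -signkey "$dir/ca/ca-key.pem" \
        -days 365 -extfile "$dir/ca.ext" -out "$dir/ca/ca-cert.pem" 2>/dev/null
    # Server and client leaf certificates issued by the CA
    issue "$dir" server "$SERVER_SUBJ" "$dir/server/server-cert.pem"
    issue "$dir" client "$CLIENT_SUBJ" "$dir/client/client.crt"
    # 4.4.2.4: private key + certificate bundle for the browser. Only this
    # file and ca-cert.pem go to the client; ca-key.pem never leaves ca/.
    openssl pkcs12 -export -clcerts -in "$dir/client/client.crt" \
        -inkey "$dir/client/client-key.pem" -out "$dir/client/client.p12" \
        -passout pass:changeit
}

# chains_to_ca DIR CERT: exit 0 only if CERT verifies against DIR/ca/ca-cert.pem.
# This is the trust-list check of handshake step (5), and what an
# administrator should run before importing anything into a keystore.
chains_to_ca() {
    openssl verify -CAfile "$1/ca/ca-cert.pem" "$2" >/dev/null 2>&1
}

# rogue_cert DIR OUTFILE: a self-signed certificate with the server's subject
# name but no relation to our CA, showing that the name alone proves nothing.
rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "$SERVER_SUBJ" -days 1 \
        -keyout "$1/rogue-key.pem" -out "$2" 2>/dev/null
}

# Usage: sh build_pki.sh WORKDIR   (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    build_pki "$1"
    chains_to_ca "$1" "$1/server/server-cert.pem" && echo "server certificate chains to CA"
    chains_to_ca "$1" "$1/client/client.crt" && echo "client certificate chains to CA"
fi
```

Run it as sh build_pki.sh work to obtain work/ca, work/server and work/client; the resulting ca-cert.pem, server-cert.pem and client.p12 can be fed to the keytool and IE steps of sections 4.3.2.4 to 4.4.3 unchanged. The verification functions are deliberately separate from the generation so that the same chains_to_ca check can be run against any certificate someone hands you before it is trusted.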