Configuring Tomcat 4 to Use SSL
-----------------------
Contents:
1. Tomcat Introduction
2. Introduction to SSL (Secure Sockets Layer)
3. How SSL Works
4. Configuring Tomcat 4.x to Use SSL
5. Conclusion

Zhao Liang (B-D@163.com)
May 2002

Zhao Liang graduated from Beijing University of Aeronautics and Astronautics in 1995. He is interested in J2EE, J2ME, CORBA, Web Services and related technologies. His current main work is using J2EE technology to develop a supply chain / sales chain ERP system for distribution enterprises. You can contact the author by e-mail at b-d@163.com.
----------------------

Most of the material currently available on Tomcat 4 covers one-way SSL authentication (only the server certificate is verified), and that procedure is fairly simple. Configuring two-way SSL authentication (where the client's personal certificate is verified as well) additionally requires obtaining a personal certificate from a CA, and there is very little material on how to do this. By exploring some SSL tools, the author implemented a simple CA function locally and, on that basis, successfully configured Tomcat for two-way authentication; this article shares that experience. Given the limits of the author's knowledge there will be mistakes and imperfections in the article, for which the author asks the reader's understanding.

1. Tomcat Introduction

Tomcat is one of the sub-projects of Apache Jakarta. As an excellent open source web application server it fully supports the JSP 1.2 and Servlet 2.3 specifications. Because of its advanced technology, stable performance and free availability it has been recognised by Java enthusiasts and by a number of software developers, making it a popular web application server.

2. Introduction to SSL (Secure Sockets Layer)

Information travelling over a network passes through other computers between its source and its destination. In general those intermediate computers do not eavesdrop on it.
However, eavesdropping is possible, for example while online banking or credit card transactions are in progress, which can disclose private personal data. Because of the architecture of the Internet and of intranets, there are always people who can read, and even replace, the information a user sends. With the continuous growth of online payment, people's requirements for information security keep rising. Netscape therefore proposed the SSL protocol, now widely adopted on the Web, to transmit information securely and confidentially over an open network (the Internet). It was later standardized by the IETF (www.ietf.org) as RFC 2246 under the name TLS (Transport Layer Security); technically, the differences between TLS 1.0 and SSL 3.0 are very small.

3. How SSL Works

The SSL protocol uses asymmetric (public-key) cryptography to let the two parties of a session identify each other, and provides confidentiality and integrity for the information they exchange. Unlike the commonly used HTTP protocol, an SSL secure connection to a web site uses the HTTPS protocol, i.e. the site is accessed as https://ip:port/. When an HTTPS connection is established, the browser and the web server go through a handshake to identify each other and exchange keys, and only then is the secure connection set up. The process is as follows:

1) The browser sends its SSL version number, cipher settings, session-related data and other necessary information to the server.
2) The server sends its SSL version number, cipher settings, session-related data and other necessary information to the browser, together with its own certificate. If the server is configured to verify the user's identity, it also sends a request asking the browser to provide the user's certificate.
3) The client checks the server certificate. If the check fails, the browser reports that an SSL connection cannot be established; if it succeeds, the handshake continues.
4) The client browser generates the pre-master secret for this session and encrypts it with the server's public key. If the server requires client authentication, the client also signs another piece of data and sends it, together with the client certificate, to the server.
5) If the server requires client authentication, it checks whether the CA that issued the client certificate is trusted. If the CA is not in the trust list, the session is ended. If the check passes, the server decrypts the pre-master secret with its own private key and uses it, through an agreed algorithm, to generate the master secret for this session.
6) Both client and server use this master secret to generate the session key (a symmetric key) for this session. This session key is used for all traffic after the SSL handshake has completed; the main reason is that symmetric encryption is far cheaper than asymmetric encryption, so it significantly speeds up the communication between the two parties.
7) The client notifies the server that the messages it sends from now on will be encrypted with this session key, and that it has completed its side of the SSL handshake.
8) The server notifies the client that the messages it sends from now on will be encrypted with this session key, and that it has completed its side of the SSL handshake.
9) The handshake is over and the session is established. Both sides use the same session key to encrypt what they send and decrypt what they receive.

4. Configuring Tomcat 4.x to Use SSL

4.1 Packages used

Tomcat 4.0.2
  Use: web server.
  Download: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.3/bin/
JSSE 1.0.2
  Use: generates Tomcat's key store (KeyStore).
  Download: http://java.sun.com/products/jsse/
OpenSSL 0.9.6
  Use: generates the CA certificate, signs certificates, and produces the PKCS#12-format private key that IE can import.
  Download: http://www.openssl.org/

The installation of the above tools is described in their own documentation and is not covered here.

4.2 Establishing your own CA

4.2.1 Create a working directory
  mkdir ca

4.2.2 Generate the CA private key and a self-signed root certificate

4.2.2.1 Generate the CA private key
  openssl genrsa -out ca/ca-key.pem 1024

4.2.2.2 Generate the certificate request to be signed
  openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem

4.2.2.3 Self-sign it
  openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365

4.3 Setting up Tomcat 4.x

In this article the symbol %JDK_HOME% represents the JDK installation directory and %TCAT_HOME% the Tomcat installation directory.
4.3.1 Create a working directory
  mkdir server

4.3.2 Generate the server certificate

4.3.2.1 Generate the key pair
  %JDK_HOME%/bin/keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "CN=localhost, OU=department, O=company, L=beijing, ST=beijing, C=cn" -keystore server/server_keystore

4.3.2.2 Generate the certificate request to be signed
  %JDK_HOME%/bin/keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server/server.csr -keypass changeit -keystore server/server_keystore -storepass changeit

4.3.2.3 Sign it with the CA private key
  openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365

4.3.2.4 Import the trusted CA root certificate into JSSE's default trust store (%JDK_HOME%/jre/lib/security/cacerts)
  %JDK_HOME%/bin/keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca/ca-cert.pem -keystore %JDK_HOME%/jre/lib/security/cacerts

4.3.2.5 Import the CA-signed server certificate into the key store
  %JDK_HOME%/bin/keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server/server-cert.pem -keystore server/server_keystore

4.3.2.6 View the server certificate
  %JDK_HOME%/bin/keytool -list -keystore %JDK_HOME%/jre/lib/security/cacerts
  %JDK_HOME%/bin/keytool -list -keystore server/server_keystore

4.3.3 Modify server.xml so that Tomcat supports SSL

First find the following Connector in %TCAT_HOME%/conf/server.xml and remove the comment markers around it, then set the clientAuth, keystoreFile and keystorePass attributes as shown. If you want Tomcat not to verify the client's identity, set clientAuth="false".

  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true"
             acceptCount="10" debug="0" scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             clientAuth="true" protocol="TLS"
             keystoreFile="%TCAT_HOME%/conf/server_keystore" keystorePass="changeit"/>
  </Connector>
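As an added check that is not part of the original article, the following Python script audits the HTTPS Connector of a Tomcat 4 server.xml for the settings just edited (clientAuth, keystoreFile, keystorePass) and reports the weak defaults a practitioner would want to catch before exposing the port. The three server.xml fragments inside it are constructed samples; the keystore path and password in the hardened sample are placeholders.

```python
"""Audit the HTTPS Connector in a Tomcat 4 server.xml.

Added example, not code from the original article. The three server.xml
fragments are constructed samples: the stock template with only the
comment markers removed, a hardened copy carrying the three attributes
the article edits, and the untouched template where the connector is
still commented out. Keystore path and password are placeholders.
"""
import xml.etree.ElementTree as ET

WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"/>
    </Connector>
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="true" protocol="TLS"
               keystoreFile="/opt/tomcat/conf/server_keystore"
               keystorePass="placeholder-keystore-password"/>
    </Connector>
  </Service>
</Server>
"""

# The template as shipped: the HTTPS connector is still inside an XML comment.
COMMENTED_OUT_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <!--
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"/>
    </Connector>
    -->
  </Service>
</Server>
"""


def audit_ssl_connectors(xml_text):
    """Return a list of findings; an empty list means the HTTPS connector looks right."""
    root = ET.fromstring(xml_text)  # elements inside <!-- --> are not parsed
    findings = []
    https = [c for c in root.iter("Connector") if c.get("scheme", "").lower() == "https"]
    if not https:
        return ["no https Connector found: the SSL connector is still commented out or missing"]
    for conn in https:
        port = conn.get("port", "?")
        if conn.get("secure", "false").lower() != "true":
            findings.append(f"port {port}: secure is not true, requests will not be treated as secure")
        factory = conn.find("Factory")
        if factory is None:
            findings.append(f"port {port}: no Factory element, so no SSL socket factory is configured")
            continue
        if factory.get("clientAuth", "false").lower() != "true":
            findings.append(f"port {port}: clientAuth is off, client certificates are not verified")
        if not factory.get("keystoreFile"):
            # Tomcat 4 falls back to .keystore in the home directory of the user running it
            findings.append(f"port {port}: keystoreFile not set, Tomcat falls back to ~/.keystore")
        if factory.get("keystorePass", "changeit") == "changeit":
            findings.append(f"port {port}: keystorePass is the keytool default 'changeit'")
    return findings


if __name__ == "__main__":
    for name, text in (("template", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                       ("commented out", COMMENTED_OUT_XML)):
        print(name, audit_ssl_connectors(text) or ["ok"])
```

Run it against the real %TCAT_HOME%/conf/server.xml by reading the file into a string and passing it to audit_ssl_connectors; the template sample produces three findings (clientAuth off, no keystoreFile, default password) and the hardened sample none.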
Then copy the file server/server_keystore to the directory %TCAT_HOME%/conf/.

4.4 Installing a personal certificate in IE

4.4.1 Create a working directory
  mkdir client

4.4.2 Generate the client private key and sign it with the CA private key

4.4.2.1 Generate the client private key
  openssl genrsa -out client/client-key.pem 1024

4.4.2.2 Generate the certificate request to be signed
  openssl req -new -out client/client-req.csr -key client/client-key.pem

4.4.2.3 Sign it with the CA private key
  openssl x509 -req -in client/client-req.csr -out client/client.crt -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365

4.4.2.4 Generate the client PKCS#12 file
Because JSSE 1.0.2 does not fully implement the PKCS#12 format (it can only read it, not write it), the client-side PKCS#12 file (which includes the private key) has to be created with OpenSSL.
  openssl pkcs12 -export -clcerts -in client/client.crt -inkey client/client-key.pem -out client/client.p12

4.4.2.5 Install the trusted root certificate
Rename ca/ca-cert.pem to ca/ca-cert.cer, then use Tools > Internet Options in IE on the client to import the CA root certificate we generated, so that it becomes a CA trusted by the user.
4.4.3 Installing a personal certificate
Import client.p12 into IE on the client as a personal certificate; the import procedure is the same as in 4.4.2.5.
4.5 Accessing Tomcat over SSL with the IE browser
4.5.1 Start Tomcat 4.x
Run %TCAT_HOME%/bin/startup.bat to start Tomcat 4.x.
4.5.2 Access Tomcat 4.x with IE
Enter https://localhost:8443 in the address bar of IE. If the previous steps were carried out correctly you should see the Tomcat welcome page, and the small padlock on the status bar is closed, showing that you have successfully established an SSL secure connection to the server that requires client authentication.
5. Conclusion
We have gone through the whole process of configuring SSL with client authentication for Tomcat 4.x. Other servers such as Apache, Netscape Enterprise Server, WebSphere and WebLogic usually differ only slightly in how the server-side certificate is stored; the principles are the same, and the procedure in this article can be adapted accordingly.
References
Tomcat SSL Configuration How-To
SSL 3.0 specification
Description of the Secure Sockets Layer (SSL) Handshake (Q257591)
keytool - Key and Certificate Management Tool
OpenSSL User Manual