Tomcat6.0 Configuring SSL

2010-10-04  Source: original to this site  Category: Java  Views: 167

SSL configuration (reposted article)
First, to save time, I only describe the configuration process as I carried it out; readers should adapt it to their own situation.
1. On the command line, enter the %CATALINA_HOME%/bin directory and execute the following commands:
(1) %CATALINA_HOME%/bin> keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600
This generates the file server.keystore in %TOMCAT_HOME%/bin.
Note: the -validity parameter is the certificate's validity period in days; the default period is very short, only 90 days.
(2) %CATALINA_HOME%/bin> keytool -export -trustcacerts -alias tomcat -file server.cer -keystore server.keystore -storepass changeit
This step exports the certificate; it generates the file server.cer in %TOMCAT_HOME%/bin.
(3) %CATALINA_HOME%/bin> keytool -import -trustcacerts -alias tomcat -file server.cer -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
This step imports the certificate into the trusted certificate database. Look at the file %JAVA_HOME%/jre/lib/security/cacerts: after this command runs, the file grows.
Other useful keytool commands (list all certificates in the trust store, and delete one certificate from the store):
keytool -list -v -keystore D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts
keytool -delete -trustcacerts -alias tomcat -keystore D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts -storepass changeit

2. Modify %TOMCAT_HOME%\conf\server.xml

Find this block:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

This block is commented out in the shipped file. Remove the comment markers and add two attributes, so that it reads:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\tomcat6.0\bin\server.keystore"
           keystorePass="changeit" />

3. Start Tomcat and visit https://localhost:8443/. A security warning about the certificate pops up; click OK and the page loads.
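An added check for step 2, not part of the original article: this Python script parses a server.xml and reports whether the HTTPS connector has been uncommented and carries the attributes the steps above require (scheme, secure, keystoreFile, keystorePass, sslProtocol). The two server.xml fragments are constructed for the demo and mirror the article's connector; audit_ssl_connectors and the sample names are chosen here.

```python
"""Audit the HTTPS Connector in a Tomcat 6 server.xml.
Added example, not the article's code; sample XML below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the connector as it looks after step 2 of the article.
SERVER_XML_OK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:\\tomcat6.0\\bin\\server.keystore"
               keystorePass="changeit" />
  </Service>
</Server>"""

# Constructed sample: the connector still commented out, as shipped with Tomcat.
SERVER_XML_COMMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
  </Service>
</Server>"""

# Attribute values the article's step 2 requires on the SSL connector.
REQUIRED = {"scheme": "https", "secure": "true"}


def audit_ssl_connectors(server_xml: str) -> list:
    """Return human-readable findings; an empty list means the connector is
    configured as described in step 2 and uses a non-default keystore password."""
    findings = []
    root = ET.fromstring(server_xml)
    # ElementTree drops XML comments, so a commented-out connector is simply absent.
    ssl = [c for c in root.iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no Connector with SSLEnabled="true" (still commented out?)']
    for c in ssl:
        port = c.get("port", "?")
        for attr, want in REQUIRED.items():
            if c.get(attr) != want:
                findings.append(f'port {port}: {attr} should be "{want}", got {c.get(attr)!r}')
        if not c.get("keystoreFile"):
            # Without keystoreFile Tomcat falls back to ~/.keystore of the user running it.
            findings.append(f"port {port}: keystoreFile missing; Tomcat would fall back to ~/.keystore")
        if not c.get("keystorePass"):
            findings.append(f"port {port}: keystorePass missing; the keystore cannot be opened")
        elif c.get("keystorePass") == "changeit":
            # "changeit" is the Java default; anyone who can read server.xml can open the keystore.
            findings.append(f'port {port}: keystorePass is the well-known default "changeit"')
        if c.get("sslProtocol", "TLS") != "TLS":
            findings.append(f"port {port}: sslProtocol {c.get('sslProtocol')!r}; use \"TLS\"")
    return findings


if __name__ == "__main__":
    for name, xml in (("ok", SERVER_XML_OK), ("commented", SERVER_XML_COMMENTED)):
        print(name, audit_ssl_connectors(xml) or ["no findings"])
```

To audit a real installation, pass the contents of %TOMCAT_HOME%\conf\server.xml to audit_ssl_connectors instead of the constructed samples. Because the article stores the keystore password in clear text in server.xml, the file's read permissions are part of the keystore's protection, which is why the check flags the default password.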

One-way SSL authentication in detail: the SSL protocol's authentication process step by step

① The client browser sends the server its SSL protocol version number, the types of encryption algorithms it supports, a generated random number, and the other information that the server and client need in order to communicate.

② The server sends the client its SSL protocol version, the type of encryption algorithm, a random number and other related information, and also sends the client its own certificate.

③ The client uses the information the server sent to verify the server's legitimacy. This includes: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly unlocks the digital signature on the server certificate, and whether the server name on the certificate matches the server's actual domain name. If the legitimacy check fails, communication is disconnected; if it passes, proceed to step ④.

④ The client randomly generates the "symmetric password" to be used for subsequent communication, encrypts it with the server's public key (obtained from the server certificate in step ②), and sends the encrypted "pre-master secret" to the server.

⑤ If the server requires client authentication (an optional part of the handshake), the user creates a random number and its digital signature, and sends this signed random number together with the client certificate and the encrypted "pre-master secret" to the server.

⑥ If the server requires client authentication, it must verify the legitimacy of the client certificate and of the signed random number. This includes: whether the client certificate is within its validity dates, whether the CA that issued the client certificate is trusted, whether that CA's public key correctly unlocks the digital signature on the client certificate, and whether the client certificate appears in the certificate revocation list (CRL). If the check fails, communication stops immediately; if it passes, the server decrypts the "pre-master secret" with its private key and then performs a series of steps to produce the master secret for communication (the client produces the same master secret by the same method).

⑦ Server and client use the same master secret, the "session key", as the symmetric key for encrypting and decrypting the data in SSL communication. SSL communication must at the same time protect the integrity of the data, so that any change to the data in transit is detected.

⑧ The client sends a message to the server stating that subsequent data communication will use the master secret from step ⑦ as the symmetric key, and notifies the server that the client's handshake process is complete.

⑨ The server sends a message to the client stating that subsequent data communication will use the master secret from step ⑦ as the symmetric key, and notifies the client that the server's handshake process is complete.
⑩ The SSL handshake ends and data communication over the SSL secure channel begins: client and server start using the same symmetric key for data communication, with integrity checking of the communication.

The SSL mutual authentication protocol step by step

① The browser sends a connection request to the secure server.

② The server sends its own certificate, together with the information associated with the certificate, to the client browser.

③ The client browser checks whether the server's certificate was issued by a CA center that it trusts. If so, it continues with the protocol; if not, the client browser gives the user a warning message that the certificate is not trusted and asks whether to continue.

④ The client browser then compares the information in the certificate, such as the domain name and public key, with the message the server just sent; if they are consistent, the client browser accepts the server's legitimate identity.

⑤ The server requires the client to send the client's own certificate. On receipt, the server verifies the client certificate; if verification fails, the connection is rejected; if it succeeds, the server obtains the user's public key.

⑥ The client tells the server which symmetric encryption schemes its browser can support.

⑦ From the encryption schemes sent by the client, the server selects the one with the highest encryption strength, encrypts it with the client's public key and notifies the browser.

⑧ The browser selects a session key for this encryption scheme, encrypts it with the server's public key and sends it to the server.

⑨ The server receives the message sent by the browser, decrypts it with its own private key and obtains the session key.

⑩ Server and browser then carry out all further communication with the symmetric encryption scheme, using the symmetric key that was exchanged in encrypted form.

The above describes the specific communication process of the two-way (mutual) SSL authentication protocol, which requires both the server and the user to have certificates. The one-way authentication SSL protocol does not require the client to have a CA certificate; compared with the steps above, the server's verification of the client certificate is simply removed, and when negotiating the symmetric encryption scheme and the session key, the server sends the chosen scheme to the client without encrypting it (this does not affect the security of the SSL process). Either way, the actual content of the communication is encrypted data, so if a third party intercepts it they obtain only ciphertext; to get useful information they must decrypt it, and at that point security depends on the security of the cipher scheme. Fortunately, with the cipher schemes currently in use, security is sufficient as long as the communication key is long enough. This is why the requirement to use 128-bit encrypted communication is emphasized.
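The two handshakes described above, as an added example that is not part of the original article: a Python model of the RSA key-exchange flow, covering the one-way steps ①–⑩ (client and server randoms, pre-master secret encrypted with the server's public key, independent derivation of the master secret on both sides, Finished messages over the handshake transcript) and the optional client certificate plus signed random number from steps ⑤/⑥ of the one-way list and step ⑤ of the mutual list. It also shows what the Finished check buys: a bit flipped in the encrypted pre-master secret in transit, or a client whose signature does not match the public key it presented, causes the handshake to be rejected. The RSA here is textbook RSA without padding on 512-bit keys generated by a Miller-Rabin helper written for this example, the public key stands in for the certificate, and certificate validation (expiry, issuing CA, hostname) is deliberately elided; all function names are chosen here.

```python
"""Toy model of the SSL handshakes described above (one-way and mutual).
Added example, not the article's code. Textbook RSA without padding on small
toy keys: it illustrates the message flow and key derivation only."""
import hashlib
import hmac
import secrets

E = 65537  # public exponent for every toy key


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (helper written for this example)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits=512):
    """Return ((n, e), (n, d)); the public key stands in for a certificate."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so this means gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))


def rsa_apply(x, key):
    """Raw RSA: encrypt/verify with the public key, decrypt/sign with the private key."""
    n, exp = key
    return pow(x, exp, n)


def sha_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def master_secret(pre_master, client_random, server_random):
    """Steps 6/7: both ends derive the same master secret from the same three inputs."""
    return hmac.new(pre_master, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


def finished(master, role, transcript):
    """Steps 8/9: a MAC over the whole handshake so far; any altered message changes it."""
    return hmac.new(master, role + b"".join(transcript), hashlib.sha256).digest()


def handshake(server_keys, client_keys=None, tamper=False):
    """server_keys/client_keys are (pub, priv) tuples. client_keys=None means one-way
    authentication; tamper=True flips one bit of the encrypted pre-master secret in
    transit, as someone on the network path could."""
    server_pub, server_priv = server_keys
    transcript = []
    # 1. ClientHello: protocol version, supported ciphers, client random
    client_random = secrets.token_bytes(32)
    transcript.append(b"ClientHello|TLS|" + client_random)
    # 2. ServerHello + Certificate (the public key plays the certificate)
    server_random = secrets.token_bytes(32)
    transcript.append(b"ServerHello|" + server_random + server_pub[0].to_bytes(64, "big"))
    # 3. Certificate validation (expiry, issuing CA, hostname) is elided in this toy.
    # 4. Client picks a 48-byte pre-master secret, encrypts it with the server's public key
    pre_master = int.from_bytes(secrets.token_bytes(48), "big")
    encrypted = rsa_apply(pre_master, server_pub)
    if tamper:
        encrypted ^= 1
    transcript.append(b"ClientKeyExchange|" + encrypted.to_bytes(64, "big"))
    # 5./6. Mutual authentication: client sends its certificate plus a signature over a
    # random value; the server checks the signature with the certificate's public key.
    if client_keys:
        client_pub, client_priv = client_keys
        nonce = secrets.token_bytes(32)
        sig = rsa_apply(sha_int(nonce), client_priv)
        transcript.append(b"Certificate|" + client_pub[0].to_bytes(64, "big") + nonce)
        if rsa_apply(sig, client_pub) != sha_int(nonce):
            return {"accepted": False, "reason": "client signature does not verify"}
        transcript.append(b"CertificateVerify|" + sig.to_bytes(64, "big"))
    # 6./7. Server decrypts the pre-master secret; each side derives the master secret itself
    server_pre = rsa_apply(encrypted, server_priv)
    c_master = master_secret(pre_master.to_bytes(64, "big"), client_random, server_random)
    s_master = master_secret(server_pre.to_bytes(64, "big"), client_random, server_random)
    # 8./9. Finished messages: each side MACs the transcript and checks the peer's MAC
    server_ok = hmac.compare_digest(finished(c_master, b"client", transcript),
                                    finished(s_master, b"client", transcript))
    client_ok = hmac.compare_digest(finished(s_master, b"server", transcript),
                                    finished(c_master, b"server", transcript))
    if not (server_ok and client_ok):
        return {"accepted": False, "reason": "Finished MAC mismatch: master secrets differ"}
    return {"accepted": True, "reason": "", "session_key": c_master}


if __name__ == "__main__":
    server, client = gen_keypair(), gen_keypair()
    print("one-way :", handshake(server)["accepted"])
    print("mutual  :", handshake(server, client)["accepted"])
    print("tampered:", handshake(server, tamper=True)["reason"])
```

The point the model makes about step ⑦ of the one-way list is that the master secret is never sent: each side computes it from the pre-master secret and the two randoms, and the Finished MACs are the first messages that prove both sides ended up with the same key. The 128-bit requirement in the last paragraph applies to the symmetric session key derived here, which is why its security rests on that key length rather than on anything the network observer can see.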
