Configuring two-way SSL authentication for the Tomcat web server in a production environment

xiaoxiao2021-03-06  22

Articles on how to implement two-way SSL authentication with a Tomcat server already exist. A fairly practical one is "Configuring Tomcat 4 to use SSL" on the IBM developerWorks China website, May 2002 (http://www-900.ibm.com/developerWorks/cn/security/se-tcssl/index.shtml), and Google turns up many similar articles.

These articles have two shortcomings, however. First, they describe the configuration on a Tomcat 4 server, which differs from the Tomcat 5 series that is now in general use. Second, most of them treat the procedure as an experiment; if the resulting certificate setup is used on a real web server, several problems appear:

1. The generated CA private key (ca-key.pem) and self-signed root certificate (ca-cert.pem) are not encrypted. Once the server is in service and client certificates have been issued, the root certificate can no longer be changed, so an unencrypted CA private key and self-signed root certificate are a security problem: anyone who obtains your CA root certificate together with its private key can issue client certificates in your name.

2. The generated server keystore (server_keystore) does not contain the trusted CA root certificate; instead the root certificate is imported into JSSE's default location. If the certificates are generated on a machine other than the server, the CA root certificate must also be imported into the JSSE default location on the server when the server certificate is installed.

3. Generating a client certificate takes many steps, which makes issuing client certificates inconvenient.

4. There is no unified configuration file; generating a certificate requires quite a few repetitive commands, so the chance of a mistake is high.

To address these problems, and starting from "Configuring Tomcat 4 to use SSL", I put together a certificate toolkit consisting of four batch files and one configuration file. It takes the requirements of a real web server environment into account and overcomes the problems listed above.

Software requirements

- Tomcat 5.0.x
- JSSE and the keytool utility: both ship with JDK 1.4, so installing JDK 1.4.x is enough.
- OpenSSL: included in the toolkit, no separate installation needed (see the toolkit download).
- Cygwin's sed and echo commands: also included in the toolkit, no installation needed (see the toolkit download).

Configuration and main commands

Environment variables

After installing the JDK, set the environment variable JAVA_HOME to the JDK installation directory.

Toolkit structure

- bin: the executables for OpenSSL and for Cygwin's sed and echo commands.
- etc: the toolkit's configuration files; the main one is etc/config.cmd.
- dist: all generated certificates are stored here.
- work: temporary files used while certificates are generated. For security reasons, empty this directory after every certificate-related operation.
- step0, step1, step2 and step3 batch files: the four commands that carry out the individual certificate operations.

etc/config.cmd

This is the toolkit's configuration file. It mainly holds the information for the CA root certificate, the server certificate and the client certificates, such as the Distinguished Name of each certificate. Update it to match your situation before generating any certificate.

step0-ca-pfx.bat

This command generates the CA private key and a self-signed root certificate, and finally produces the CA root certificate in PKCS12 format (a PKCS12 file is password protected, so it is safer). The PKCS12 CA root certificate is saved under dist/ca-cert. In a production system this file (*.pfx) must be kept safe, because all later server and client certificates depend on it, client certificates in particular: if it is lost, no further client certificates can be issued, and regenerating the CA root certificate means regenerating the server certificate and every client certificate and re-issuing them to all client users, which is a considerable amount of work. While this command runs you are prompted for the password that protects the certificate file; do not forget or leak this password, otherwise the security of the root certificate is at risk.

step1-ca-prepare.bat

This command exports the CA private key and the unencrypted CA root certificate from the PKCS12 CA file. For security reasons the CA root certificate is normally kept only in the password-protected PKCS12 file (*.pfx), so whenever the CA is needed to issue a server or client certificate you must first run this command to obtain the unencrypted form. The command prompts twice for the root certificate's protection password; if the password is wrong the command fails, and the following two steps cannot be carried out.

step2-server.bat

This command generates the server certificate (the keystore file). Note: the CA root certificate is also imported into the generated keystore, so when the keystore is deployed to the Tomcat web server the CA root certificate does not need to be imported into JSSE's default location. This command runs correctly only after step1-ca-prepare.bat has been executed.

step3-client.bat

This command issues client certificates. To make issuing them easy it accepts up to three command-line parameters, among them the import password of the generated PKCS12 (*.pfx) client certificate; this password protects the certificate until the user imports it into the browser. The command runs correctly only after step1-ca-prepare.bat has been executed.

Note: once the web server is in production, step0-ca-pfx.bat must never be run again. If you need to re-issue the server certificate or issue a new client certificate, run step1-ca-prepare.bat first to export the CA private key and the unencrypted CA root certificate from the saved PKCS12 CA file, and only then run step2-server.bat or step3-client.bat.

Tomcat 5 server configuration

The reference configuration is as follows:

Copy the keystore file generated under dist/server by step2-server.bat (with the toolkit's default configuration it is named ssl-test.net-tomcat.keystore) into the conf directory of the Tomcat installation. Then edit server.xml in that conf directory and change the Connector elements as follows (for reference only):

    <Connector port="8080" redirectPort="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               acceptCount="100" connectionTimeout="20000"
               disableUploadTimeout="true" />

    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="${catalina.home}/conf/ssl-test.net-tomcat.keystore"
               keystorePass="openssl"
               truststoreFile="${catalina.home}/conf/ssl-test.net-tomcat.keystore"
               truststorePass="openssl" />

    ......

Enabling two-way SSL for a web application

To enable two-way SSL authentication, add the following to the application's web.xml. An auth-method of CLIENT-CERT means the user's identity is confirmed by the client's digital certificate; a transport-guarantee of CONFIDENTIAL means the application requires data to be transmitted in a way that prevents other entities from observing the contents of the transmission.

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Client Cert Users-Only Area</web-resource-name>
        <description>SSL</description>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

With this configuration in place, the browser automatically switches to HTTPS and shows a dialog asking for the client certificate.

Verifying users with the client certificate

The Subject CN of the client certificate could in principle be integrated with the users of a Tomcat Realm, but I have not managed to get that working. Within the web application, the certificate can be read from the request object in Java code: according to the Servlet specification, request.getAttribute("javax.servlet.request.X509Certificate") returns the client certificate chain of the HTTPS request, whose first element is the client certificate. Sample code:

    import java.security.Principal;
    import java.security.cert.X509Certificate;

    String certSubject = null;
    X509Certificate[] certChain =
        (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    // the attribute is null when no client certificate was presented (e.g. a plain HTTP request)
    if (certChain != null && certChain.length > 0) {
        X509Certificate cert = certChain[0];   // the first element is the client certificate
        Principal pSubject = cert.getSubjectDN();
        certSubject = pSubject.getName();
    }

The Subject of a client certificate looks like CN=Client, OU=Web, O=ssl-test.net, L=Your_Locality, ST=Your_Province, C=CN. The CN=... part is the user name of the client certificate, and the web application can verify the identity of the user making the HTTPS request from this field.

Toolkit download

Tomcat-ca.20050118.zip, 4,202,111 bytes, MD5: 5495E6CEDE88F14FE87E93734DBD36DA

Run interface (use mozilla firefox 1.0)

[Screenshots: accessing the web application; the server rejecting access to the web application]


Please credit the original source when reprinting: https://www.9cbs.com/read-65135.html
