
2022-12-31   ES  

SSL (Secure Socket Layer) - Configuration Settings

Function: Guarantee the security of data transmitted over the Internet. Data encryption ensures that the data cannot be intercepted, eavesdropped on or tampered with during transmission.

How do we make our web application use SSL? After a few days of exploration, Tomcat + SSL two-way authentication is finally implemented. That is, first, the client authenticates the server, to ensure that it is accessing the correct server and not a counterfeit phishing website. Second, the server also authenticates the client, so that only clients holding a certificate authorized by the server can access it.

Please follow the detailed steps below

1.       Create a folder on the D drive: MyKeys

2.       Start the command line and change to D:/MyKeys

a)         Create the server key; the keystore is D:/mykeys/server.ks. Note that keypass and storepass must be the same; they are the key password and the keystore password. Pay attention to CN=localhost: the CN is the host name used for SSL and cannot be specified arbitrarily.
D:/mykeys>keytool -genkey -v -alias serverKey -dname "CN=localhost" -keyalg RSA -keypass rwm258 -keystore server.ks -storepass rwm258

b)        Create the client key; its keystore is D:/mykeys/client.p12. Pay attention to the suffix of this keystore.
D:/mykeys>keytool -genkey -v -alias clientKey -dname "CN=SomeOne" -keyalg RSA -keypass lyl147 -keystore client.p12 -storepass lyl147 -storetype PKCS12

c)        Export the client certificate to a certificate file
D:/mykeys>keytool -export -alias clientKey -file clientKey.cer -keystore client.p12 -storepass lyl147 -storetype PKCS12

d)        Import the client certificate file above into the server keystore as a trusted certificate. When asked whether you trust the certificate, answer y.
D:/mykeys>keytool -import -v -alias clientKey -file clientKey.cer -keystore server.ks -storepass rwm258

3.       To access the SSL site from the browser on this machine, double-click D:/mykeys/client.p12; the certificate import wizard starts.

a)         Step 2: The file to import is D:/mykeys/client.p12

b)        Step 3: Enter the password for the private key, lyl147, and check: mark this key as exportable

c)        Step 4: Certificate store. Select: place all certificates in the following store, then Browse - Personal

d)        Now open IE and check the certificate: Tools - Internet Options - Content - Certificates - Personal. You can see that the SomeOne certificate has been installed.

4.       Configure the Tomcat server to support SSL authentication by editing the file %tomcat_home%/conf/server.xml. The following configuration is commented out by default. In it, clientAuth="true" turns on two-way authentication; without it, only the client authenticates the server (one-way).

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="D:/mykeys/server.ks" keystorePass="rwm258"
           truststoreFile="D:/mykeys/server.ks" truststorePass="rwm258" />

5.       Start Tomcat, and then visit https://localhost:8443/ in the IE browser

a)         A message box will pop up. This is the client authenticating the server. Viewing the certificate shows that the server certificate is for localhost. Look back at the previous steps.

b)        The page appears, indicating that the client is allowed to access

6.       Now open IE again, go to Tools - Internet Options - Content - Certificates - Personal, and delete the SomeOne certificate

a)         Now visit https://localhost:8443/ in the IE browser again. You will find that, if you look back at step 3, you will understand why the client certificate was imported into the IE browser.

7.       Repeat step 3, and then try to visit again

OK, at this point, the SSL two-way configuration on this machine has succeeded. So how can another computer access this machine's server? Very simple: copy D:/mykeys/client.p12 to that machine, and then carry out step 3 to import the certificate into the personal certificates of that machine's IE browser. Remember the password is lyl147. Of course, when visiting from that computer, localhost must be replaced with the host name or IP address of this machine.

——————————————————————-

To make your own web application use SSL access, configure it as follows

Add the following configuration inside <web-app> </web-app> in your application's web.xml file

    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>

    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

You will find that even if you use http://…:8080 to access your application, it is redirected to https://…:8443; that is, your application is now forced to use the SSL security access layer
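A static check of the two configuration files above, as an added example that is not part of the original post: it parses a server.xml Connector and a web.xml and reports settings that weaken the two-way setup (one-way or optional client certificates, a missing trust store, plaintext store passwords, a CLIENT-CERT login that no auth-constraint ever triggers). The function names and finding labels are assumptions made for this example, and the embedded samples are constructed from the settings shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the Connector and web.xml settings shown on this page.
PAGE_CONNECTOR = '''<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
    keystoreFile="D:/mykeys/server.ks" keystorePass="rwm258"
    truststoreFile="D:/mykeys/server.ks" truststorePass="rwm258" />'''
PAGE_WEBXML = '''<web-app>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>'''


def audit_connector(xml_text):
    """Return finding names (hypothetical labels) for one <Connector> element."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []
    if attrs.get("SSLEnabled", "false").strip().lower() != "true":
        findings.append("tls-disabled")
    mode = attrs.get("clientAuth", "false").strip().lower()
    if mode == "want":
        findings.append("client-cert-optional")   # requested, but not required
    elif mode != "true":
        findings.append("one-way-only")           # only the server is authenticated
    if mode in ("true", "want") and not attrs.get("truststoreFile", "").strip():
        findings.append("no-truststore-configured")
    if "keystorePass" in attrs or "truststorePass" in attrs:
        findings.append("password-in-server-xml")  # plaintext: restrict file access
    return findings


def _texts(root, name):
    # Compare local tag names so a namespaced web.xml is handled as well.
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def audit_webxml(xml_text):
    """Return finding names (hypothetical labels) for a web.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    if "CONFIDENTIAL" not in _texts(root, "transport-guarantee"):
        findings.append("transport-not-confidential")  # no forced switch to HTTPS
    if "CLIENT-CERT" in _texts(root, "auth-method") and not _texts(root, "auth-constraint"):
        # Container login is only invoked for constraints with an <auth-constraint>.
        findings.append("auth-method-without-auth-constraint")
    return findings
```

Run against this page's settings, the Connector yields only the plaintext-password finding, and the web.xml yields the auth-constraint finding: client certificates are enforced here by clientAuth="true" on the Connector, not by the CLIENT-CERT login-config.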

OK, now fully enjoy the SSL security access service

In addition, you can also verify the client certificate in your program to implement client-certificate login. I will not talk about it here. The full program will be given next time

Original link: http://blog.csdn.net/nimmy/article/details/5490990
