Use keytools to configure ssl bidirectional authentication for tomcat 7

SSL brief introduction

SSL(Secure Sockets Layer Secure Sockets Layer) is a protocol (specification) used to secure the communication between the client and the server so that the information transmitted during the communication is not stolen or modified.

1. How to ensure the security of data transmission?

Client and server in a handshake (client and server connection is established, and the exchange of parameter process called a handshake) will produce a "conversation key" (session key), is used to encrypt the data transmission, the decryption is also use this "conversation key," and the "conversation key" only know the client and server. That is, as long as the "conversation key" is not cracked, it can be secured.

2. Client and server certificates

Client certificates and server certificates are used to prove one's identity, just as each person has an ID card, which is the only one. Generally, a server-side certificate is sufficient, but sometimes the client is required to provide its own certificate to prove its identity.

Keytool

Keytool certificate is 1 Java data management tools, Keytool the key (key) and certificate (certificates) there is a file called keystore in keystore, contains two kinds of data: the key entities (Key entity) - the key (secret key) or a private key and matching the public key (asymmetric encryption) trusted certificate entities (trusted certificate entries) - only contains the public key. Let's take a look at the detailed process of configuring ssl bi-directional authentication for tomcat 7 using keytools.

1. Generation of certificate base, certificate, etc

1. Generate server certificate library

keytool -validity 36500 -genkey -v -alias tomcat_server -keyalg RSA -keystore tomcat_server.keystore -dname "CN=127.0.0.1,OU=,O=,L=,ST=,c=" -storepass 123456 -keypass 123456

-validity 36500 valid in days CN 1 must be the domain name or IP address of the server OU organizational unit O organization L area ST State/province C countries

2. Client certificate

keytool -validity 36500 -genkeypair -v -alias testclient -keyalg RSA -storetype PKCS12 -keystore testclient.p12 -dname "CN=testclient,OU=,O=,L=,ST=,c=" -storepass 123456

-ES58en PKCS12 is mainly for importing certificates into IE/firefox.

Import the generated certificate into IE.

3. Import the client certificate into the server certificate library

The server-side certificate does not recognize the CERTIFICATE in p12 format. You need to export the CER format certificate from the client-side certificate and then import the CER format certificate into the server-side certificate.

keytool -export -alias testclient -keystore testclient.p12 -storetype PKCS12 -storepass 123456 -rfc -file testclient.cer

Then import client.cer into the server certificate library (use any one of the following commands)

keytool -import -v -file testclient.cer -keystore tomcat_server.keystore -storepass 123456
keytool -import -alias testclient -v -file testclient.cer -keystore tomcat_server.keystore -storepass 123456

Note: The alias here is mykey. If you don't have an alias, the default is mykey, so don't be surprised to see mykey.

4. Export the server certificate from the server certificate library

keytool -export -alias tomcat_server -keystore tomcat_server.keystore -storepass 123456 -rfc -file tomcat_server.cer

This certificate can be imported into the browser to have the client trust the server certificate. Not importing does not affect usage, but the browser will not trust the server certificate and will prompt an error message.

5. View all certificates in the certificate store

keytool -list -keystore tomcat_server.keystore -storepass 123456

2. Tomcat configuration

Configuration server xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="150" scheme="https" secure="true"
 keystoreFile="D:\\dev\\tomcat-https\\note\\tomcat_server.keystore" 
 keystorePass="123456" 
 truststoreFile="D:\\dev\\tomcat-https\\note\\tomcat_server.keystore" 
 truststorePass="123456"
 clientAuth="true" sslProtocol="TLS" />

Just start tomcat.

The problem

If you start times the following error:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
 at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:507)
 at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
 at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)
 at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:640)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:665)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:601)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)

As for the implementation of SSL, Tomcat provides two types: JSSE and APR. If APR is installed, APR is preferred as the implementation.

The ssh configuration of APR requires OpenSSH to be configured. This is explained in ES122en. xml:

Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation

What about APR? There are two ways,

1, amend the HTTP protocol = "/ 1.1" to protocol = "org. apache. coyote. http11. Http11Protocol"

2. Under windows, tcnative-1.dll can be deleted.

conclusion

The above is the whole content of this article, I hope the content of this article can bring 1 definite help to your study or work, if you have any questions, you can leave a message to communicate.