1. Configuration
1) Generate a certificate (key pair) for the server
keytool -genkeypair -v -alias tomcat -keyalg RSA -keysize 2048 -keypass 123456 -storepass 123456 -keystore server.keystore -validity 3600
(-genkeypair is the current name of -genkey; -keysize 2048 is added here because older keytool releases default to 1024-bit RSA. The password 123456 is a placeholder, use a real one and keep server.keystore readable only by the Tomcat user. -validity is in days, so 3600 is roughly ten years.)
keytool prompts for the distinguished name; the CN must be the host name clients will use to reach the server, otherwise hostname verification fails. Example:
Is CN=ec2-176-34-12-201.ap-northeast-1.compute.amazonaws.com, OU=srcbj, O=samsung, L=bj, ST=bj, C=cn correct? [no]: yes
2) Generate a certificate (key pair) for the client
keytool -genkeypair -v -alias myKey -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore my.p12 -dname "CN=109.105.1.201, OU=samsung, O=samsung, L=bj, ST=bj, C=cn" -storepass 123456 -keypass 123456
(A PKCS12 store is used because browsers and most HTTP clients can import it directly. With PKCS12, keytool does not support a key password different from the store password; a different -keypass is ignored with a warning.)
3) Configure the server to trust the client's certificate
keytool -exportcert -alias myKey -keystore my.p12 -storetype PKCS12 -storepass 123456 -rfc -file my.cer
keytool -importcert -v -alias myKey -file my.cer -keystore server.keystore -storepass 123456
(-exportcert and -importcert are the current names of -export and -import. The exported my.cer holds only the public certificate, never the client's private key, so it is safe to copy to the server. keytool asks "Trust this certificate?"; answer yes. This imports the client certificate into the same server.keystore that holds the server's private key, and step 4 then uses that file as the truststore; a separate truststore file keeps the private-key store out of the trust configuration.)
4) Configure server.xml
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/data/tools/tomcat-openam/server.keystore" keystorePass="123456"
truststoreFile="/data/tools/tomcat-openam/server.keystore"
truststoreType="JKS" truststorePass="123456"/>
Note that clientAuth="false" means Tomcat never asks the client for a certificate, so the trust relationship built in step 3 is not used at all and the connector serves ordinary server-authenticated HTTPS. Set clientAuth="true" to require a client certificate (or "want" to request one but still accept connections without it). With "true", a browser must have my.p12 imported and any client without a certificate trusted by the truststore gets a handshake failure. The keystore passwords are stored in clear text in server.xml, so restrict that file's permissions as well.
5) Add the following at the end of web.xml (inside <web-app>, before the closing </web-app>) to redirect HTTP requests to HTTPS automatically
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
A CONFIDENTIAL transport guarantee makes Tomcat redirect every plain-HTTP request to the redirectPort of the connector that received it. The stock HTTP connector on port 8080 ships with redirectPort="8443"; with the SSL connector on 18443 it has to be changed to redirectPort="18443", otherwise the redirect points at a port nothing listens on.
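The following is an added example, not code from the original post: a small audit script that parses the server.xml Connector and the web.xml constraint from steps 4 and 5 and reports the settings that quietly weaken the setup (clientAuth="false" next to a truststore, keystore reused as truststore, literal weak passwords, no explicit protocol list, an HTTP connector whose redirectPort is not the HTTPS port, and a missing CONFIDENTIAL constraint). The XML inputs are constructed inline from the snippets on the page; the "fixed" variant, the ${keystore.password} style placeholders (Tomcat substitutes ${...} from system properties such as those set in catalina.properties) and the truststore.jks path are this example's own assumptions.

```python
"""Audit a Tomcat HTTPS configuration: SSL Connector in server.xml plus the
transport-guarantee in web.xml.  Added example, not from the original post."""
import xml.etree.ElementTree as ET

WEAK_PASSWORDS = {"", "123456", "changeit", "password", "secret"}

# Constructed input: the post's Connector plus the stock plain-HTTP connector
# (Tomcat's shipped server.xml points redirectPort at 8443 by default).
SERVER_XML_WEAK = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="/data/tools/tomcat-openam/server.keystore" keystorePass="123456"
  truststoreFile="/data/tools/tomcat-openam/server.keystore"
  truststoreType="JKS" truststorePass="123456"/>
</Service></Server>"""

# Hardened variant (assumption): client certs required, separate truststore,
# passwords taken from ${...} properties instead of literals, explicit
# protocol list, and the HTTP connector redirecting to the real HTTPS port.
SERVER_XML_FIXED = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="18443"/>
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true"
  clientAuth="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
  keystoreFile="/data/tools/tomcat-openam/server.keystore"
  keystorePass="${keystore.password}"
  truststoreFile="/data/tools/tomcat-openam/truststore.jks"
  truststoreType="JKS" truststorePass="${truststore.password}"/>
</Service></Server>"""

# Constructed web.xml fragment: the post's constraint inside a namespaced <web-app>.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _is_ssl(connector):
    return connector.get("SSLEnabled", "false").lower() == "true"


def audit_server_xml(server_xml):
    """Return a list of findings for the Connectors in server_xml (empty = clean)."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors if _is_ssl(c)}
    for c in connectors:
        port = c.get("port")
        if not _is_ssl(c):
            # CONFIDENTIAL redirects go to this connector's redirectPort; if that is
            # not an HTTPS connector the browser is sent to a closed port.
            if c.get("redirectPort") not in ssl_ports:
                findings.append(f"{port}: redirectPort={c.get('redirectPort')} is not an SSL connector")
            continue
        if c.get("clientAuth", "false").lower() == "false" and c.get("truststoreFile"):
            findings.append(f"{port}: truststore configured but clientAuth=false, client certs never requested")
        if c.get("truststoreFile") and c.get("truststoreFile") == c.get("keystoreFile"):
            findings.append(f"{port}: truststoreFile is the server keystore; every certificate in it is a trust anchor")
        for attr in ("keystorePass", "truststorePass"):
            if c.get(attr) in WEAK_PASSWORDS:
                findings.append(f"{port}: {attr} is a weak literal in server.xml")
        if not c.get("sslEnabledProtocols"):
            findings.append(f"{port}: sslEnabledProtocols unset, the JVM default protocol list applies")
    return findings


def https_enforced(web_xml):
    """True if a security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


if __name__ == "__main__":
    for name, xml in (("weak", SERVER_XML_WEAK), ("fixed", SERVER_XML_FIXED)):
        print(f"== server.xml ({name}) ==")
        for finding in audit_server_xml(xml) or ["no findings"]:
            print(" -", finding)
    print("web.xml enforces HTTPS:", https_enforced(WEB_XML))
```

Run against the page's configuration the script lists six findings on the weak server.xml and none on the hardened variant; pointing it at a real $CATALINA_BASE/conf/server.xml only needs the file read in place of the inline string.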
2. Bypassing the SSL certificate check in HttpClient
Sometimes it is necessary to bypass the SSL certificate check in HttpClient, for example when testing against the self-signed server certificate generated above. After studying the available resources, I found there are several methods; I will cover the common ones in detail in my next blog post. Keep in mind that skipping certificate validation removes server authentication entirely, so it belongs in test code only; the proper fix for a self-signed server is to export the server certificate (alias tomcat) from server.keystore and import it into the client's truststore.
For a start, the following link is very useful (it covers HttpClient 3.x):
http://hc.apache.org/httpclient-3.x/sslguide.html