Use Tomcat server, IE browser to configure https two-way authentication

Keytool, Tomcat server, IE browser configure https two-way authentication

First, a brief description of how HTTPS works.

1. Introduction to HTTP, HTTPS, SSL and TLS and how they relate
(1) HTTP: the protocol normally used when browsing the web. Data carried by HTTP is not encrypted (plain text), so transmitting private information over HTTP is very insecure.
(2) HTTPS: to guarantee encrypted transmission of private data, the SSL/TLS protocol is used to encrypt the data carried by HTTP; that combination is HTTPS.
(3) SSL: SSL (Secure Sockets Layer) was designed by Netscape and later documented by the IETF in RFC 6101. The current version is 3.0.
(4) TLS: TLS can be regarded as an improved version of SSL. It emerged from the IETF's upgrade of SSL 3.0 and is defined in RFC 2246. In fact, today's HTTPS uses the TLS protocol.

2. TLS/SSL characteristics
(1) HTTPS requires a handshake between the client (browser) and the server (website) before data is transmitted. During the handshake, the cryptographic material both parties will use to encrypt the transmitted data is established.
(2) TLS/SSL uses asymmetric encryption, symmetric encryption and hash algorithms.
The asymmetric algorithm encrypts the secret key generated during the handshake, the symmetric algorithm encrypts the data actually transmitted, and the hash algorithm verifies the integrity of the data.
(3) If any error occurs during the TLS handshake, the encrypted connection is torn down, which prevents private information from being transmitted.

The procedure is as follows:

Keytool self-signed certificate generation, import into the Tomcat server, browser authentication

keytool self-signed certificate generation

Prerequisite: a Java environment must be configured; see the Java environment configuration guide. The keytool command used to generate certificates is covered in the keytool learning summary.

There are many examples on the Internet that generate certificates in different formats. If the following is confusing, I suggest learning the differences between these formats first: what is the difference between a CSR file and a PEM file.

Now a sample of our certificate generation:

1. Open the cmd command line and enter:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:\tomcat.keystore -validity 36500

(Parameter description: "D:\tomcat.keystore" is the path where the keystore file is saved, and tomcat.keystore is the file name;
"-validity 36500" is the certificate validity period, 36500 means 100 years, and the default is 90 days; "tomcat" is the custom alias of the certificate)

2. Enter the keystore password (assume you use hangge).
What is your first and last name?: this must be the domain name or IP of the host where Tomcat is deployed (the address you will later type into the browser); otherwise the browser pops up a warning that the certificate does not match the domain. For local development and testing, enter "localhost". Key password: press Enter directly (this reuses the keystore password).

3. Generate a certificate for the browser so that the server can verify it. For the certificate to import smoothly into IE, its format should be PKCS12, so generate it with the following command:

keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore D:\mykey.p12

Assume the client certificate password is "123456"; fill in the remaining prompts as before.

4. Make the server trust the client certificate. For the server to trust the client certificate, that certificate must be added to the server's trust store.
(1) Because a PKCS12 keystore cannot be imported directly, the client certificate must first be exported as a separate CER file with the following command (the client certificate password "123456" is used below):

keytool -export -alias mykey -keystore D:\mykey.p12 -storetype PKCS12 -storepass 123456 -rfc -file D:\mykey.cer

(2) Import the file into the server's certificate store and add it as a trusted certificate. Use the following command:

keytool -import -v -file D:\mykey.cer -keystore D:\tomcat.keystore

(3) List the server keystore with the list command; you should see two entries, the server certificate and the trusted client certificate:

keytool -list -keystore D:\tomcat.keystore

5. Make the client trust the server certificate
Because this is two-way SSL authentication, the client must also verify the server certificate. Export the server certificate as a separate CER file to hand to the client with the following command:

keytool -keystore D:\tomcat.keystore -export -alias tomcat -file D:\tomcat.cer

Preparation is now complete. The generated files are tomcat.keystore, mykey.p12, mykey.cer and tomcat.cer (shown in a screenshot in the original post).
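The five keytool steps above, collected into one non-interactive POSIX shell script (runs under Git Bash, WSL or Linux; keytool accepts the same options as in cmd). This is an added example, not part of the original post: it assumes keytool on PATH, uses -dname in place of the interactive questions, keeps the page's aliases and passwords (tomcat/hangge, mykey/123456), and then checks that the server keystore really holds a PrivateKeyEntry for the server and a trustedCertEntry for the client.

```shell
#!/bin/sh
# Added example (not from the original post): the keytool steps run non-interactively.
# Assumes keytool (JDK) on PATH; aliases and passwords are the page's (tomcat/hangge, mykey/123456).
# -dname replaces the interactive questions; CN must be the host you will type into the browser.
set -eu

gen_mtls_material() {
  out="$1"                              # directory that receives the four files
  mkdir -p "$out"
  # step 1: server key pair and self-signed certificate (key password = keystore password)
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 36500 \
    -dname "CN=localhost, OU=dev, O=example, L=x, ST=x, C=CN" \
    -keystore "$out/tomcat.keystore" -storepass hangge -keypass hangge
  # step 3: client key pair in PKCS12 so IE can import it (key password = store password)
  keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 36500 \
    -dname "CN=client, OU=dev, O=example, L=x, ST=x, C=CN" \
    -storetype PKCS12 -keystore "$out/mykey.p12" -storepass 123456
  # step 4: export the client certificate and import it as a trusted entry on the server
  keytool -exportcert -alias mykey -keystore "$out/mykey.p12" -storetype PKCS12 \
    -storepass 123456 -rfc -file "$out/mykey.cer"
  keytool -importcert -noprompt -alias mykey -file "$out/mykey.cer" \
    -keystore "$out/tomcat.keystore" -storepass hangge
  # step 5: export the server certificate (PEM) for the client to trust
  keytool -exportcert -alias tomcat -keystore "$out/tomcat.keystore" \
    -storepass hangge -rfc -file "$out/tomcat.cer"
}

# Entry type of an alias in the server keystore: the server's own key must be a
# PrivateKeyEntry and the imported client certificate a trustedCertEntry.
entry_type() {
  out="$1"; alias="$2"
  listing=$(keytool -list -keystore "$out/tomcat.keystore" -storepass hangge -alias "$alias")
  case "$listing" in
    *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *)                  echo unknown ;;
  esac
}

# usage: gen_mtls_material ./mtls && entry_type ./mtls mykey    # prints trustedCertEntry
```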

Import into the Tomcat server

First, you need to prepare a Tomcat server. I personally downloaded version 8.5; download and configuration can follow the Tomcat download and installation guide. If it is your first time using Tomcat, you may need to open the installation directory with administrator rights (perhaps because of my personal firewall settings), and then use Configure Tomcat, which has Start and Stop options to turn the server on and off. Open the default localhost:8080 in the browser to confirm that your Tomcat is configured successfully.

1. Open the Tomcat installation directory, find server.xml under conf, locate the commented-out SSL Connector segment (shown in a screenshot in the original post) and modify it to the following. (It is recommended not to delete the original commented segment; copy it and modify the copy so that you still have the original code. Also, if the format of server.xml becomes invalid after editing, Tomcat may fail to restart, so save a backup of the original server.xml before modifying it.)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https"
           secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="D:\tomcat.keystore" keystorePass="hangge"
           truststoreFile="D:\tomcat.keystore" truststorePass="hangge" />

Attribute description:
clientAuth: whether to require two-way authentication; the default is false, and true means the client must present a certificate
keystoreFile: path of the server keystore file
keystorePass: password of the server keystore
truststoreFile: the store used to verify client certificates (the root certificate of the client certificate); in this case it is the server keystore, into which the client certificate was imported
truststorePass: password of the trust store

2. When doing this step, since there are so many cases given on the Internet, I also learned from some of them, such as the difference between port 8443 and port 443. Here, because of Tomcat version differences and the like, the configuration easily causes the browser to show "this page can't be displayed"; please debug your server.xml file patiently.

3. While learning, you can also try the automatic redirect from http to https: in web.xml under conf, add the following after </welcome-file-list>:

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Browser authentication

What I tried was the computer's IE browser. Simple self-signed certificates are not considered highly secure, and Chrome and other browsers will likely fail (showing "invalid certificate").

1. Enter https://localhost:8443/ in the browser (the screenshot in the original post shows that Tomcat's HTTPS is enabled; it does not matter that it reports an invalid certificate, because the client has not imported the certificate yet).
2. Import the client certificate: Tools -> Internet Options -> Content -> Certificates -> Personal -> Import, click Next, and select the mykey.p12 file.
Enter the client certificate password "123456" set earlier, then click Next and OK.

3. Restart the browser and open https://localhost:8443/; a prompt is displayed (shown in a screenshot in the original post).
4. Click Allow; the page that appears shows that the client certificate is configured successfully.
You can see that the site can be accessed (the "certificate error" in the address bar indicates that two-way verification is not complete yet, but the data is already transmitted over HTTPS).
5. Import the server public key certificate (tomcat.cer).
Because it is a self-signed certificate, to avoid the "not secure" prompt on every visit, double-click tomcat.cer to install the server certificate.
Note: place the certificate in "Trusted Root Certification Authorities". If you visit the server again, there is no insecure prompt, and a "lock" icon appears in the browser address bar, indicating that this session has passed HTTPS two-way authentication. Click the "lock" next to the refresh button to view the certificate you configured.
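For a check that does not depend on a browser, the two curl calls below probe the Connector configured above: one presents mykey.p12 and trusts tomcat.cer, the other sends no client certificate and must be refused at the TLS layer if clientAuth="true" is really in effect. This is an added example, not part of the original post; it assumes curl with an OpenSSL backend (needed for --cert-type P12) and the files and passwords from the keytool steps.

```shell
#!/bin/sh
# Added example (not from the original post): verify from the command line, instead of IE,
# that the Connector with clientAuth="true" really enforces two-way authentication.
# Assumes curl with an OpenSSL backend (for --cert-type P12) and the files from the keytool steps.
set -u

# Fetch URL presenting the PKCS12 client certificate and trusting the exported server
# certificate; prints the HTTP status code, or "fail:<curl exit code>" if no page came back.
mtls_get() {
  url="$1"; p12="$2"; p12pass="$3"; server_cer="$4"
  if status=$(curl -sS --max-time 10 -o /dev/null -w '%{http_code}' --cacert "$server_cer" \
                --cert-type P12 --cert "$p12:$p12pass" "$url" 2>/dev/null); then
    echo "$status"
  else
    echo "fail:$?"
  fi
}

# A client that presents no certificate must be refused at the TLS layer (non-zero curl
# exit), never served the page. Returns 0 when the server refused. Any curl failure counts
# as a refusal, so confirm mtls_get succeeds first to rule out an unreachable server.
no_cert_is_rejected() {
  url="$1"; server_cer="$2"
  if curl -sS --max-time 10 -o /dev/null --cacert "$server_cer" "$url" 2>/dev/null; then
    return 1   # page served without a client certificate: clientAuth is not enforced
  fi
  return 0
}

# usage: mtls_get https://localhost:8443/ mykey.p12 123456 tomcat.cer   # prints the HTTP status
#        no_cert_is_rejected https://localhost:8443/ tomcat.cer && echo "clientAuth enforced"
```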

Main reference article: Tomcat server configuration of HTTPS two-way authentication (using keytool to generate a certificate)


Origin blog.csdn.net/June_Wosen/article/details/109398472