Tomcat 6: configuring HTTPS

SSL (today TLS) combines asymmetric (public-key) cryptography with symmetric encryption: the public-key operations authenticate the server (and optionally the client) and agree on a key, and that key then protects the traffic with a symmetric cipher. This gives confidentiality and integrity for the data in transit, and lets each side verify the other's identity.
When a browser opens an HTTPS connection to a web site, it and the web server first run a handshake that performs the authentication and the key exchange before any application data is sent. The process, for the RSA key exchange used with the keystore generated below, is:
1. The browser sends the server its highest supported SSL/TLS version, the cipher suites it supports, a random value and the other session data it needs (the ClientHello).
2. The server replies with the chosen version and cipher suite, its own random value and session data, together with the server's certificate. If the server is configured to verify the user's identity, it also asks the browser for a client certificate.
3. The client checks the server certificate: trusted issuer, validity period, and a name that matches the address typed into the browser. If the check fails, the browser reports that a secure connection cannot be established (or warns the user); if it succeeds, the handshake continues.
4. The browser generates a pre-master secret for this session, encrypts it with the public key from the server certificate, and sends it to the server.
5. If the server requested client authentication, the client also signs the handshake data so far with its private key and sends the signature together with its client certificate.
6. If client authentication was requested, the server checks whether the CA that signed the client certificate is in its trust store and verifies the signature; if the issuer is not trusted, it ends the session. If the check passes, the server decrypts the pre-master secret with its own private key, and both sides derive the master secret for this session from it and the two random values.
7. Client and server both derive the session key (a symmetric key) from the master secret. This session key protects every message exchanged after the handshake. The reason for the switch is that symmetric encryption needs more than an order of magnitude less computation than public-key operations, which keeps the conversation fast for both parties.
8. The client tells the server that everything it sends from now on is encrypted with the session key, and that its side of the handshake is complete.
9. The server tells the client the same in the other direction: all further messages are encrypted with the session key, and the server's side of the handshake is complete.
10. The handshake is finished and the session is established. Both parties use the same session key to encrypt what they send and decrypt what they receive.

1. Generating the server-side certificate file (on Windows or Linux)

(1) Windows environment

Prerequisite: the JDK is installed.

Steps:

- Change to the %JAVA_HOME%\bin directory.

- Run the command

keytool -genkey -alias tomcat -keyalg RSA -keystore F:\tomcat.keystore -validity 36500

Parameter notes: "-keystore F:\tomcat.keystore" saves the keystore on drive F under the file name tomcat.keystore; "-validity 36500" is the certificate validity in days (36500 is about 100 years; the default is 90 days). A validity that long only suits an internal test certificate. Older JDKs also default to a 1024-bit RSA key here, so for anything beyond a lab setup ask keytool for a 2048-bit key.

- Answer the prompts on the command line:

A. "Enter keystore password": a string of at least 6 characters (keytool's minimum).

B. "What is your first and last name?": this is required, and it must be the domain name or IP address of the host Tomcat is deployed on (for example gbcom.com or 10.1.25.251), i.e. the address you will later type into the browser. It becomes the certificate's CN.

C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?", "What is the two-letter country code for this unit?": fill these in as needed, or just press Enter. When asked "Is ... correct?", compare the values shown with what you entered and type "y" if they are right, or "n" to enter them again.

D. "Enter key password for <tomcat>": this matters because the Tomcat configuration file below carries only one password (keystorePass), which Tomcat 6 uses to open both the keystore and the key inside it. Use the same value as the keystore password; pressing Enter at this prompt does that for you.

- After the last prompt, press Enter; the generated file is at the location you gave in the keytool command.

(2) Linux environment

Prerequisite: the JDK is installed.

Steps:

- Change to the $JAVA_HOME/bin directory.

- Run the command

./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/ac/web/tomcat.keystore -validity 36500

Parameter notes: "-keystore /usr/local/ac/web/tomcat.keystore" saves the keystore under /usr/local/ac/web/ with the file name tomcat.keystore. Whatever path you choose here must be the one you later put in the keystoreFile attribute in server.xml; section 2 below uses /etc/tomcat.keystore, so either generate the file there or copy it afterwards. "-validity 36500" is the certificate validity in days (36500 is about 100 years; the default is 90 days).

- Answer the prompts on the command line:

A. "Enter keystore password": a string of at least 6 characters (keytool's minimum).

B. "What is your first and last name?": this is required, and it must be the domain name or IP address of the host Tomcat is deployed on (for example gbcom.com or 10.1.25.251), i.e. the address you will later type into the browser. It becomes the certificate's CN.

C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?", "What is the two-letter country code for this unit?": fill these in as needed, or just press Enter. When asked "Is ... correct?", compare the values shown with what you entered and type "y" if they are right, or "n" to enter them again.

D. "Enter key password for <tomcat>": this matters because the Tomcat configuration file below carries only one password (keystorePass), which Tomcat 6 uses to open both the keystore and the key inside it. Use the same value as the keystore password; pressing Enter at this prompt does that for you.

- After the last prompt, press Enter; the generated file is at the location you gave in the keytool command.

2. Configuring the Tomcat server

(1) If you generated the certificate on Windows, copy the generated tomcat.keystore to the location Tomcat will reference. Assuming the keystore path Tomcat uses is "/etc/tomcat.keystore", copy the file to "/etc/". If you generated it on Linux with the steps above, either place it at that same path or point keystoreFile at the directory you generated it in. The keystore holds the server's private key, so make it readable only by the account Tomcat runs as.

(2) Configure Tomcat: open $CATALINA_HOME/conf/server.xml and make the following changes.

<Connector port="8080" protocol="HTTP/1.1" 

               connectionTimeout="20000" 

               redirectPort="8443" /> 

Change the parameters to =>

<Connector port="80" protocol="HTTP/1.1" 

               connectionTimeout="20000" 

               redirectPort="443" /> 



<!-- 

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 

              maxThreads="150" scheme="https" secure="true" 

              clientAuth="false" sslProtocol="TLS"/> 

--> 

Remove the comment markers and change the parameters to =>

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 

               maxThreads="150" scheme="https" secure="true" 

               clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/tomcat.keystore" keystorePass="www.gbcom.com.cn"/> 

Note: the two added attributes, keystoreFile and keystorePass, are the location of the keystore file and the password chosen when it was generated (section 1, prompts A and D). keystorePass sits in clear text in server.xml, so restrict read access to server.xml and to the keystore to the account Tomcat runs as. On Linux, binding to ports 80 and 443 requires starting Tomcat as root (or redirecting the ports in the firewall), which is why many deployments keep the default 8080/8443 instead of changing them as shown here.



<!-- 

   <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" /> 

--> 

Change the parameter to =>

<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" /> 

(3) Open $CATALINA_HOME/conf/web.xml and add the following at the end of the file, before the closing </web-app> tag. Constraints in conf/web.xml are merged into every web application; to force HTTPS for a single application only, put the same block in that application's WEB-INF/web.xml instead:

<security-constraint>  

       <web-resource-collection >  

              <web-resource-name >SSL</web-resource-name>  

              <url-pattern>/*</url-pattern>  

       </web-resource-collection> 

                              

       <user-data-constraint>  

              <transport-guarantee>CONFIDENTIAL</transport-guarantee>  

       </user-data-constraint>  

</security-constraint> 

3. After the configuration above, restart Tomcat and HTTPS is in use. In the IE address bar you can type the address without "http://" or "https://", or type "http://" and be redirected to "https://" to log in.

4. Notes:

(1) Certificate validity period: if the clock on the IE client's machine is earlier than the certificate's start date or later than its end date, IE reports "the security certificate has expired or is not yet valid".

(2) If IE reports "the name on the security certificate is invalid or does not match the name of the site", the host name entered at "What is your first and last name?" when the certificate was generated does not match the address typed into the browser. Current browsers go further and ignore the CN altogether: the name (or IP address) must appear in a subjectAltName extension, which keytool from JDK 7 on can add with its -ext SAN option.

(3) Because the certificate is self-signed, browsers also warn that the issuer is not trusted until the certificate is imported into the client's trusted root store; only a certificate issued by a CA the browser already trusts avoids that warning.
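The two browser errors above, and step 3 of the handshake, come down to two checks on the server certificate: its validity window against the client's clock, and whether the name in it matches the address typed into the browser. The following Python function, added here as an illustration and not code from the original page, performs those checks on a certificate in the dictionary layout that Python's ssl.getpeercert() returns. The sample certificates, host names and time stamps are constructed. It also goes one step beyond the page: current browsers ignore the CN and only match subjectAltName entries, and an IP address in the URL only matches an "IP Address" entry, which is what the allow_cn_fallback switch models.

```python
import ipaddress
import ssl
import time

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns, for a
# self-signed keytool certificate whose CN is the host name (not taken from the page).
SERVER_CERT_CN_ONLY = {
    "subject": ((("commonName", "gbcom.com"),), (("organizationName", "gbcom"),)),
    "issuer": ((("commonName", "gbcom.com"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Dec  8 00:00:00 2109 GMT",   # keytool -validity 36500: about 100 years
}
# The same certificate re-issued with a subjectAltName carrying the DNS name and the IP.
SERVER_CERT_WITH_SAN = dict(SERVER_CERT_CN_ONLY,
                            subjectAltName=(("DNS", "gbcom.com"), ("IP Address", "10.1.25.251")))

# Reference instants (seconds since the epoch) for the checks below; constructed.
T_BEFORE_ISSUE = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")
T_VALID = ssl.cert_time_to_seconds("Jun 15 12:00:00 2020 GMT")
T_EXPIRED = ssl.cert_time_to_seconds("Jun 15 12:00:00 2120 GMT")


def _san(cert, kind):
    """All subjectAltName values of one kind ("DNS" or "IP Address")."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _cn(cert):
    """The commonName from the subject, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_certificate(cert, hostname, now=None, allow_cn_fallback=True):
    """Return the problems a browser would report for this cert; [] means it passes."""
    problems = []
    now = time.time() if now is None else now
    # Check 1: the client's clock must fall inside [notBefore, notAfter].
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    # Check 2: the address typed into the browser must be named by the certificate.
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL only matches an IP Address SAN entry, never the CN.
        ok = any(ipaddress.ip_address(v) == ip for v in _san(cert, "IP Address"))
    else:
        dns_names = _san(cert, "DNS")
        if dns_names:
            ok = any(_dns_match(p, hostname) for p in dns_names)
        else:
            # Legacy behaviour: fall back to the CN only when there is no SAN at all.
            cn = _cn(cert)
            ok = allow_cn_fallback and cn is not None and _dns_match(cn, hostname)
    if not ok:
        problems.append("name mismatch: certificate is not for %s" % hostname)
    return problems


if __name__ == "__main__":
    for cert_name, cert in (("CN only", SERVER_CERT_CN_ONLY), ("with SAN", SERVER_CERT_WITH_SAN)):
        for host in ("gbcom.com", "10.1.25.251"):
            print(cert_name, host, check_certificate(cert, host, now=T_VALID) or "OK")
    print("CN only, clock in 2005:", check_certificate(SERVER_CERT_CN_ONLY, "gbcom.com", now=T_BEFORE_ISSUE))
```

In real client code these checks are done for you by ssl.create_default_context() together with the trust-chain check that a self-signed certificate fails; the function only makes visible what the browser is complaining about in notes (1) and (2).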

 

=========================================

Tomcat fails to start after the configuration above

Possible cause: the port is already in use (another service, or an earlier Tomcat instance, is still listening on 80 or 443; on Linux, ports below 1024 also require Tomcat to be started as root or the ports to be redirected).

Or: delete tcnative-1.dll from Tomcat's bin directory and restart the server. That file is the Tomcat Native (APR) library; when Tomcat finds it, the HTTP/1.1 connector switches to the APR implementation, which expects OpenSSL-style attributes (SSLCertificateFile and SSLCertificateKeyFile) instead of keystoreFile/keystorePass, so the keystore-based configuration above cannot start. Removing the library forces the pure-Java connector that understands the keystore attributes.

 

===========================================

 

Generating a certificate for the client

The next step is to generate a certificate for the browser so that the server can verify it. To import smoothly into IE and Firefox, the certificate must be in PKCS12 format, so generate it with:

keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore c:\my.p12

The resulting keystore is "C:\my.p12"; the client's CN can be any value. Later we will import this "my.p12" keystore into IE and Firefox.

Step 3: make the server trust the client certificate

Because this is two-way (mutual) SSL authentication, the server must trust the client certificate, so the client certificate has to be added to the server's trust store. A PKCS12 keystore cannot be imported directly, so first export the client certificate to a separate CER file (note that the option is -storetype; the original text had the typo -store):

keytool -export -alias mykey -keystore my.p12 -storetype PKCS12 -storepass password -rfc -file c:\my.cer

This writes the client certificate (the public certificate only, not the private key) to "C:\my.cer". Next, import that file into the server keystore as a trusted certificate; keytool prints the certificate and asks "Trust this certificate?", which you answer with yes:

keytool -import -v -file my.cer -keystore tomcat.keystore

Listing the server keystore now shows two entries: the server's own key entry (alias tomcat) and the trusted client certificate (alias mykey, the default alias when -alias is not given):

keytool -list -keystore tomcat.keystore

Because the client certificate is self-signed and imported as a trusted entry, the server accepts exactly that certificate; any other client certificate, even one with the same CN, is rejected.

Step 4: configure the Tomcat server

Open /conf/server.xml under the Tomcat root directory, find the following configuration block and change it as shown. This half of the page uses a Windows layout on port 8443; if you followed section 2, keep your port, keystore path and password. truststoreFile points at the same tomcat.keystore, which works here because the client certificate was imported into it; a separate truststore keeps the server's private key and the trusted certificates apart and is the cleaner choice.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="C:/tomcat.keystore" keystorePass="password"
    truststoreFile="C:/tomcat.keystore" truststorePass="password"
/>
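The connector edits in section 2 and in step 4 invite a few mistakes that Tomcat does not complain about at startup: an HTTP connector whose redirectPort does not point at the SSL connector's port, the default keystorePass, clientAuth="true" without a truststoreFile (so the client certificate imported into tomcat.keystore is never consulted), and a web.xml with no CONFIDENTIAL constraint. The following Python script, an added example rather than code from the page or from Tomcat, parses server.xml and conf/web.xml and reports those problems. The XML fragments are constructed in the shape of the edits above; the paths and passwords in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments in the shape of the server.xml edits described above.
# The first follows the one-way setup of section 2; the second is a deliberately
# broken mutual-TLS setup (redirectPort mismatch, default password, no truststore).
SERVER_XML_OK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/tomcat.keystore" keystorePass="Example-Pass-1"/>
    <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443"/>
  </Service>
</Server>"""

SERVER_XML_BROKEN = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:/tomcat.keystore" keystorePass="changeit"/>
  </Service>
</Server>"""

WEB_XML_OK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

WEB_XML_MISSING = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"></web-app>"""


def _is_true(value):
    return (value or "false").strip().lower() == "true"


def lint_server_xml(xml_text):
    """Return a list of findings for the SSL-related Connector settings; [] means clean."""
    findings = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors if _is_true(c.get("SSLEnabled"))}
    if not ssl_ports:
        return ['no Connector has SSLEnabled="true": HTTPS is not configured at all']
    for c in connectors:
        port = c.get("port")
        if _is_true(c.get("SSLEnabled")):
            if c.get("scheme") != "https" or not _is_true(c.get("secure")):
                findings.append(f'port {port}: scheme="https" and secure="true" are missing, so '
                                f'request.isSecure() and redirects will be wrong')
            if not c.get("keystoreFile"):
                findings.append(f'port {port}: keystoreFile is missing (Tomcat falls back to '
                                f'.keystore in the home directory of the user running it)')
            if c.get("keystorePass") in (None, "changeit"):
                findings.append(f'port {port}: keystorePass is unset or the default "changeit"')
            if _is_true(c.get("clientAuth")) and not c.get("truststoreFile"):
                findings.append(f'port {port}: clientAuth="true" but no truststoreFile, so the '
                                f'client certificate imported into tomcat.keystore is never consulted')
        else:
            # Plain HTTP and AJP connectors must redirect to a port that actually speaks TLS.
            target = c.get("redirectPort")
            if target not in ssl_ports:
                findings.append(f'port {port}: redirectPort="{target}" is not an SSL connector port '
                                f'({", ".join(sorted(ssl_ports))})')
    return findings


def lint_web_xml(xml_text):
    """Check that web.xml forces HTTPS for every URL; [] means clean."""
    root = ET.fromstring(xml_text)
    for sc in root.iterfind(".//{*}security-constraint"):   # {*} matches any or no namespace
        patterns = [(p.text or "").strip() for p in sc.iterfind(".//{*}url-pattern")]
        guarantee = sc.find(".//{*}transport-guarantee")
        if "/*" in patterns and guarantee is not None and (guarantee.text or "").strip() == "CONFIDENTIAL":
            return []
    return ["no <security-constraint> covering /* with <transport-guarantee>CONFIDENTIAL"
            "</transport-guarantee>: plain-HTTP requests are served instead of redirected to HTTPS"]


if __name__ == "__main__":
    print("server.xml (one-way):", lint_server_xml(SERVER_XML_OK) or "OK")
    print("server.xml (mutual, broken):", lint_server_xml(SERVER_XML_BROKEN) or "OK")
    print("web.xml:", lint_web_xml(WEB_XML_OK) or "OK")
    print("web.xml without constraint:", lint_web_xml(WEB_XML_MISSING) or "OK")
```

Run it against the real files by reading $CATALINA_HOME/conf/server.xml and conf/web.xml into the two functions; the checks are deliberately limited to attributes that appear on this page, so a clean result means the configuration matches the procedure, not that the deployment is hardened.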

Step 5: import the client certificate

With clientAuth="true", Tomcat demands a client certificate on every HTTPS connection. Double-click "C:\my.p12" to import the certificate, together with its private key, into IE: enter the keystore password when the wizard asks for it and accept the defaults on the remaining pages. The next visit to the site will offer that certificate to the server.

 
