HTTPS application development

SSL, or Secure Sockets Layer (its successor is TLS, Transport Layer Security, which is what every current browser and server actually negotiate; the old name has stuck), is a technology that allows web browsers and web servers to communicate over a secure connection. Data is encrypted on one end before it is sent, then decrypted and processed on the other. The process is symmetric: both the browser and the server encrypt what they send and decrypt what they receive.

Another important aspect of the protocol is authentication. When your browser opens a secure connection, the server presents a certificate that lets the browser verify that the server really is the site it claims to be, rather than someone who has intercepted the connection.

In some cases the server will also ask your browser for a certificate, proving that you are who you say you are. This is known as client authentication (mutual TLS); in practice it is used more for business-to-business (B2B) integrations than for individual users.

Most SSL-capable web servers, however, do not require client authentication.



Certificates

To implement SSL, a web server must have a certificate for each external interface (IP address) that accepts secure connections. (That was the rule when this was written: without Server Name Indication the server has to pick a certificate before it knows which hostname was requested. Tomcat 8.5 and later support SNI, so one IP address can serve several hostnames, each with its own certificate.) The idea behind this design is that the server must provide reasonable assurance that its owner is who you think it is. The certificate names the organisation associated with the site, along with some basic contact information for the site's owner or system administrator.

The certificate is cryptographically signed by its issuer and is extremely difficult for anyone else to forge. For e-commerce sites, or any other commercial transaction where proving identity is critical, the certificate should be obtained from a well-known Certificate Authority (CA) such as VeriSign or Thawte (the names cited by the original post; both have since been absorbed into other CAs). Such certificates can be verified electronically: the CA vouches for the certificates it issues, so if you trust the CA, you can trust that a certificate it signed is valid for the name it carries.

In many cases, third-party certification is not the main concern. A system administrator may just want the data the server sends and receives to stay secret from eavesdroppers on the wire. Fortunately, Java ships with a relatively simple command-line tool, keytool, that can generate a self-signed certificate in one command. A self-signed certificate is generated by the user and has not been registered with a well-known CA, so nobody vouches for its authenticity. It still gives you an encrypted channel, with one important caveat: encryption alone only protects you from a passive eavesdropper. An attacker who can sit in the connection path can present a self-signed certificate of their own, and a client that has not been told which certificate to expect cannot tell the difference. That is why the client-side import step in the second half of this page matters: once the client's truststore holds the exact certificate (or the user compares the fingerprint), a substituted certificate is rejected.

Certification may or may not be important, depending on the needs of the website.


There are two main steps to configure SSL with Tomcat:


1. Generate a certificate


1. Execute on the command line:


%Java_home%\bin\keytool -genkey -alias tomcat -keyalg RSA


In this command, keytool is the key and certificate tool shipped with the JDK (-genkey is the older spelling of -genkeypair; both work). Using RSA as the key algorithm ensures compatibility with other servers and components. Older keytool versions default to a 1024-bit key, so it is worth adding -keysize 2048 explicitly.

This command creates a new file called .keystore in the user's home directory. You are first asked for the keystore password. The password Tomcat expects by default is changeit (all lowercase); you can choose your own, but then you also have to put it in the server.xml configuration file, described later.


2. You will be asked for general information about the certificate, such as company and contact name. This information is shown to users who open a secure page in your application, so make sure it matches what they expect. Note that the first prompt, "What is your first and last name?", fills in the certificate's Common Name (CN): enter the hostname users will type in the browser (for example localhost for local testing), not a person's name, otherwise the browser reports a name mismatch.


3. You will be asked for the key password, which is the password for this particular key pair (distinct from other entries stored in the same keystore file). Use the same password as the keystore password: Tomcat's connector opens the key with keystorePass as well, unless you give it a separate keyPass attribute. (keytool will copy the keystore password for you if you just press ENTER.)


If all went well, you now have a keystore file containing the certificate, ready for the server to use.


2. Configure Tomcat


The second major step is to configure the secure socket in the $CATALINA_HOME/conf/server.xml file, where $CATALINA_HOME is the directory in which Tomcat is installed. An example SSL connector element is included in the default server.xml shipped with Tomcat. It looks like this:


$CATALINA_HOME/conf/server.xml

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" />
-->

The Connector element is commented out by default, so you need to remove the comment markers around it. Then customise its attributes as needed. In general you need to add two attributes, keystoreFile and keystorePass, giving the path of the keystore that holds the certificate (for example keystoreFile="C:/.keystore") and the password you set a moment ago (for example keystorePass="123456"). Two things to watch: the password now sits in clear text in server.xml, so restrict that file's permissions to the account Tomcat runs as (Tomcat also substitutes system properties in server.xml, so keystorePass="${keystore.pass}" with -Dkeystore.pass=... in CATALINA_OPTS keeps it out of the file); and enableLookups="true" makes Tomcat do a reverse DNS lookup for every request, which is slow and is normally set to false. For details on the other options, see the Server Configuration Reference.


After making these configuration changes, restart Tomcat. Every web application deployed in it can then be reached over SSL: just point the browser at https://localhost:8443

 

Reprinted from: http://wuzhaohuixy-qq-com.iteye.com/blog/1039910

Configure https for local Tomcat
(1) Use keytool to generate a certificate
Steps:
1. Generate a certificate
keytool -genkey -alias tomcat -keyalg RSA -keystore d:\mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass changeit -storepass changeit
Parameter description:
1) -genkey create a new key pair (and a self-signed certificate for it)
2) -alias alias of the entry in the keystore
3) -keyalg key algorithm, here RSA
4) -keystore file in which the key is saved
5) -dname the distinguished name (subject) of the certificate:
              CN=commonName (the hostname clients will connect to)
              OU=organizationalUnit
              O=organizationName
              L=localityName
              ST=stateName
              C=country
6) -keypass password protecting the private key
7) -storepass password protecting the keystore file (the one named by -keystore); needed to read anything from it
2. Export the certificate (the certificate, not the private key, is what gets installed on the client)
keytool -export -alias tomcat -keystore d:\mykeystore -file d:\mycerts.cer -storepass changeit
Parameter description:
1) -export export the certificate under the given alias to a file
2) -alias alias of the entry
3) -keystore file in which the key is saved
4) -file file to export to
5) -storepass password of the keystore file
3. Client configuration: import the server's certificate into the client JVM's truststore
keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file d:\mycerts.cer -storepass changeit
Parameter description:
1) -import import the certificate into the keystore as a trusted entry
2) -trustcacerts also consult the CA certificates already in cacerts when checking the imported certificate's chain; a self-signed certificate has no chain, so keytool prints its fingerprint and asks you to confirm it
3) -file path of the certificate file
Note that cacerts is the truststore for the whole JVM: after this import, every Java program run with that JVM trusts the tomcat certificate, and changeit is the well-known default password of that file. For a single application, a dedicated truststore passed via -Djavax.net.ssl.trustStore is the safer choice. On Java 9 and later the path is %JAVA_HOME%/lib/security/cacerts (there is no jre directory).

Verify that the certificate was imported into the JVM truststore
keytool -list -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
4. Other commands
1. Delete the certificate from the JVM truststore
keytool -delete -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit
2. Export the certificate from the JVM truststore
keytool -export -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit -alias tomcat -file d:\mycerts.cer

(2) Configure Tomcat
1. Comment out this line in server.xml:
<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->
Otherwise, if the APR/native library is installed, Tomcat picks the APR connector, which expects OpenSSL-style PEM files (SSLCertificateFile, SSLCertificateKeyFile) rather than a Java keystore, and fails with the following error:
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jul 5, 2011 3:20:16 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
For the analysis, see: http://java.dzone.com/articles/ssl-your-tomcat-7

2. Uncomment the following connector and point it at the keystore created above
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\mykeystore" keystorePass="changeit" />
sslProtocol="TLS" selects the TLS family but does not restrict which versions the JVM offers; on Tomcat 7 and later, add sslEnabledProtocols="TLSv1.2" (or a newer list) so the connector does not accept the old SSL/TLS versions.
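The whole procedure, both the short version in the first half of the page and steps (1) and (2) above, as one runnable script. This is an added example, not code from the original post: it assumes hypothetical paths ./mykeystore, ./mytruststore and ./mycerts.cer, reads the password from KEYSTORE_PASS (defaulting to the post's "changeit"), and departs from the post in two deliberate places: it adds a 2048-bit key and a Subject Alternative Name, and it imports the certificate into a dedicated truststore instead of the JVM's cacerts. The Connector it prints uses the NIO protocol class and a system-property password; both are assumptions about the target Tomcat, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post. Walks the post's procedure
# end to end with hypothetical paths; nothing here touches the JVM's cacerts.
set -eu

ALIAS=tomcat
KEYSTORE=${KEYSTORE:-./mykeystore}        # server key pair + certificate
TRUSTSTORE=${TRUSTSTORE:-./mytruststore}  # client-side trust anchors
CERT=${CERT:-./mycerts.cer}               # exported public certificate
PASS=${KEYSTORE_PASS:-changeit}           # the post's default; change it

# Step 1: generate the server key pair. -genkeypair is the current name of
# -genkey. 2048-bit RSA and SHA-256 replace the tool's older defaults, and the
# SAN extension is what browsers actually match against (they ignore CN).
gen_keystore() {
    rm -f "$KEYSTORE"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" \
        -ext "san=dns:localhost,ip:127.0.0.1" \
        -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS"
}

# Step 2: export only the certificate (no private key) for clients, PEM-encoded.
export_cert() {
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$PASS" -file "$CERT"
}

# Step 3: put it in a dedicated truststore. A Java client then runs with
#   -Djavax.net.ssl.trustStore=./mytruststore -Djavax.net.ssl.trustStorePassword=...
# so only that client, not every program on the JVM, trusts this certificate.
import_cert() {
    rm -f "$TRUSTSTORE"
    keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT" \
        -keystore "$TRUSTSTORE" -storepass "$PASS"
}

# Verification: succeeds only if the alias is present as a trusted certificate.
verify_truststore() {
    keytool -list -alias "$ALIAS" -keystore "$TRUSTSTORE" -storepass "$PASS" \
        | grep -q trustedCertEntry
}

# SHA-256 fingerprint of the certificate in the given keystore, to compare with
# what the browser shows for https://localhost:8443 before accepting it.
fingerprint() {
    keytool -list -v -alias "$ALIAS" -keystore "$1" -storepass "$PASS" \
        | grep 'SHA256:' | head -n 1
}

# Step 4: the server.xml fragment. The password is a system property
# (${keystore.pass}, substituted by Tomcat at startup) rather than a literal in
# the file, and sslEnabledProtocols pins the versions, which sslProtocol="TLS"
# alone does not. Start Tomcat with CATALINA_OPTS="-Dkeystore.pass=...".
connector_fragment() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           keyAlias="$ALIAS" keystoreFile="$KEYSTORE"
           keystorePass="\${keystore.pass}" />
EOF
}

# Usage: sh tomcat-ssl.sh run
if [ "${1:-}" = "run" ]; then
    gen_keystore && export_cert && import_cert && verify_truststore
    echo "server cert:     $(fingerprint "$KEYSTORE")"
    echo "truststore cert: $(fingerprint "$TRUSTSTORE")"
    connector_fragment
fi
```

The two fingerprint lines printed at the end should be identical; if the browser later shows a different SHA-256 fingerprint for https://localhost:8443, something other than your Tomcat is answering on that port.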

