SSL configuration for Tomcat
A couple of weeks ago I ran into a problem: Tomcat is on the server (Windows 2008), it was not installed by me, and I did not even see how it was installed. Authorization over the SSL protocol had to be set up. I had never configured a web server before, neither on Windows nor on *nix, but the problem had to be solved in the shortest possible time: 3 days. I asked Google and Yandex and found a pile of articles on how to set up SSL channel encryption and one obscure one about "two-phase authentication". I suffered for all 3 days and at the end of the term I had a solution (as always, the bright idea came with a heavy hangover). Now in more detail:
I will not describe how to install Tomcat, because there are plenty of such articles.
To begin, create a keystore containing the server key pair. Type the following in the command line:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore mystore -validity 999 -ext san=dns:localhost
Here:
- tomcat - alias name (the name the key pair is stored under)
- keyalg - key generation algorithm
- keysize - key size in bits; use at least 2048 for RSA, since a 512-bit RSA key can be factored cheaply and current JDKs and browsers reject it
- keystore - name of the keystore file
- validity - certificate validity in days
- ext san=dns:... - the host name(s) the certificate is valid for (JDK 7 or later); replace localhost with the real host name, because browsers match the certificate against the name in the URL rather than against the "first and last name" asked for below
(-genkeypair is the current name of the older -genkey command; both still work.)
As a result, you will see the following on the console:
Enter keystore password: mystorepassword
What is your first and last name?
[Unknown]: firstname lastname
What is the name of your organizational unit?
[Unknown]: organizationalunit
What is the name of your organization?
[Unknown]: organization
What is the name of your City or Locality?
[Unknown]: city
What is the name of your State or Province?
[Unknown]: state
What is the two-letter country code for this unit?
[Unknown]: ru
Is CN = firstname lastname, OU = organizationalunit, O = organization, L = city, ST = state, C = ru correct?
[no]: yes
Enter key password for (RETURN if same as keystore password):
The values after each prompt are what you type; the prompts appear one at a time.
Note that no separate key password was entered (pressing RETURN reuses the keystore password).
Configure the SSL connector (server.xml fragment):
Find the existing Connector entry for the HTTP port (8080)
and add the SSL connector below it.
Find the line:
(by default it is line 27) and comment it out. Also, if you have this line:
comment it out as well. (Caveat: if the APR/native library is loaded through AprLifecycleListener, the connector expects PEM certificate and key files instead of a Java keystore, so the keystore attributes below only work with the JSSE connector.)
Now copy the mystore file from the folder where keytool was run to the Tomcat root (CATALINA_BASE); if you do not put it in the root, change the attribute
keystoreFile="mystore" to keystoreFile="/your path/mystore" (relative paths are resolved against CATALINA_BASE). The attribute
keystorePass="mystorepassword" holds the password you chose when creating the keystore; it is stored in plaintext in server.xml, so restrict read access to that file. Start Tomcat: SSL encryption is already working.
"Two-phase" SSL - certificate authorization on the site (client certificate authentication, also called mutual TLS)
The verification mechanism is simple. During the handshake the server asks the client for a certificate and checks that it chains to a certificate in the server's truststore: the issuer distinguished name of the presented certificate must match the subject distinguished name of a trusted certificate, and the signature must verify against that certificate's public key. With certificates issued by a certification authority this means the CA certificate goes into the truststore, and every certificate the CA signed is then accepted (the client presents its own certificate, signed by that CA). With a self-signed certificate, which is exactly what keytool generates here, issuer and subject are the same, so the client's own certificate must be placed in the server's truststore, and only that one client is accepted; when importing it, keytool asks you to confirm trust interactively.
We generated the server key above; now we make the client key. Type the following command in the console:
keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore myclientstore -storetype PKCS12 -validity 999
the following appears on the console:
Enter keystore password: myclientstorepassword
What is your first and last name?
[Unknown]: client
What is the name of your organizational unit?
[Unknown]: orgunit
What is the name of your organization?
[Unknown]: org
What is the name of your City or Locality?
[Unknown]: locality
What is the name of your State or Province?
[Unknown]: state
What is the two-letter country code for this unit?
[Unknown]: RU
Is CN = client, OU = orgunit, O = org, L = locality, ST = state, C = RU correct?
[no]: yes
Enter key password for (RETURN if same as keystore password):
Everything is the same as for the server key, except that the parameter
-storetype appeared. It sets the keystore format: PKCS12 is the .p12/.pfx format that browsers and operating systems can import, so if you are not sure what your browser supports, leave it as is, it works everywhere (tested). Note that for a PKCS12 store keytool uses one password for both the store and the key, so answer the key-password prompt with RETURN. -keystore is now the store holding the client's certificate. The next step is to put the client certificate (the public part) into the server's trusted store (truststore). To do this, export it from the resulting store (myclientstore) into the file clientcert. Enter
the following command in the console:
keytool -exportcert -alias client -keystore myclientstore -storetype PKCS12 -file clientcert
(The file is written in binary DER form; add -rfc to get PEM instead.) In response, we will see:
Enter keystore password: myclientstorepassword
Certificate stored in file "clientcert"
Here the "Enter keystore password:" prompt does not ask for a new password but for the one we entered when creating myclientstore.
Everything should be clear here, since all the parameters were discussed above. The result is the clientcert file.
We import the resulting file into a new store for the server (this will be the truststore).
Enter the command in the console:
keytool -importcert -alias client -keystore mytruststore -storetype JKS -file clientcert
(mytruststore does not exist yet, so keytool creates it; JKS matches the connector's default truststore type.) We will be asked:
Enter keystore password: mytruststorepassword
If the password is accepted, we will see:
Owner: CN=client, OU=orgunit, O=org, L=locality, ST=state, C=RU
Issuer: CN=client, OU=orgunit, O=org, L=locality, ST=state, C=RU
Serial number: 462a2361
Valid from: Sat Apr 21 18:44:49 MSD 2007 until: Fri Jul 20 18:44:49 MSD 2007
Certificate fingerprints:
MD5: 78:55:83:13:3A:4F:DB:CA:1A:60:5E:A4:87:1D:EC:93
SHA1: 7A:A7:7C:C6:71:2B:82:74:9C:4F:C7:3D:FA:14:AD:2A:E5:BF:39:2F
and the last question:
Trust this certificate? [no]: yes
to which the response is:
Certificate was added to keystore
Here the "Enter keystore password:" prompt asks for a new password, because mytruststore is created by this command; this becomes the truststore password that goes into the connector configuration.
Now all the certificates are generated and placed in the trusted stores. As a check, keytool -list -v -keystore mytruststore should show the client entry as a trustedCertEntry, and keytool -list -v -keystore mystore should show the tomcat entry as a PrivateKeyEntry.
Now we need to tell the server to use them, so we extend the server configuration. The SSL connector configuration now also carries clientAuth="true", truststoreFile="mytruststore" and truststorePass="mytruststorepassword" next to the keystore attributes:
The paths to mytruststore and mystore can be changed, as already mentioned; do not forget to change the password values at the same time :-)
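The complete connector configuration, as an added example that is not part of the original article: it uses the store names and passwords created above and assumes the files sit in the Tomcat root (CATALINA_BASE), against which Tomcat resolves relative paths. The first two connectors use the Tomcat 6/7 attribute syntax the article targets; the third shows the same setup in the nested SSLHostConfig syntax of Tomcat 8.5 and later (an assumed newer deployment; the TLSv1.3 entry needs Java 11 or later). Only one connector may listen on 8443, so pick the one matching your version. The fragment goes inside the Service element of server.xml.

```xml
<!-- Added example, not from the original article: server.xml fragment
     inside <Service>, using the stores and passwords created above. -->

<!-- Plain HTTP on 8080. redirectPort is where a CONFIDENTIAL
     security-constraint in web.xml sends the client. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS on 8443 with mandatory client certificates (Tomcat 6/7 syntax).
     Relative keystoreFile/truststoreFile paths are resolved against
     $CATALINA_BASE, the "Tomcat root" the article copies the files to.
     Without clientAuth, truststoreFile and truststorePass this is the
     server-only TLS connector of the first section. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="mystore" keystorePass="mystorepassword"
           keystoreType="JKS"
           clientAuth="true"
           truststoreFile="mytruststore" truststorePass="mytruststorepassword"
           truststoreType="JKS" />

<!-- The same setup in Tomcat 8.5+/9 syntax (assumed newer deployment;
     use this instead of, not in addition to, the connector above).
     certificateVerification="required" corresponds to clientAuth="true",
     "optional" to clientAuth="want". TLSv1.3 needs Java 11 or later. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                 certificateVerification="required"
                 truststoreFile="mytruststore"
                 truststorePassword="mytruststorepassword">
    <Certificate certificateKeystoreFile="mystore"
                 certificateKeystorePassword="mystorepassword"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

clientAuth="true" (certificateVerification="required") rejects every handshake that does not present a certificate chaining to the truststore; use "want" ("optional") if some paths must stay reachable without a client certificate and the application itself decides what to do with the certificate it receives.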
If you need to add a third-party certificate to the truststore, use the following command:
keytool -importcert -keystore mytruststore -alias <alias> -file <certificate-file>
If you need to delete a certificate from the truststore, use the following command:
keytool -delete -keystore mytruststore -alias <alias>
Copy the files mytruststore and mystore to the Tomcat root or to the folders given in the connector attributes (keystoreFile and truststoreFile) if you changed them. The truststore is read when the connector starts, so restart Tomcat after changing its contents.
We import myclientstore into the browser's certificate store. For example, in IE:
Tools -> Internet Options -> Content -> Certificates -> Import -> Next -> Browse -> All files -> go to the folder where keytool was run (new files are written to the current directory by default), select our myclientstore -> Next -> enter the password set when generating myclientstore, and that's it!
We restart the server.
Now if you open https://localhost:8443, the server demands a certificate, but if you open
http://localhost:8080 the same page opens as in the first case, only without any protection. To have all requests redirected from http to https, add the following to web.xml
before the closing </web-app>:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Tomcat redirects to the port given in the redirectPort attribute of the HTTP connector (8443 in the default server.xml), so make sure it matches the SSL connector's port. We restart the server, voila, everything works!
I hope this article will be more understandable than the rest, because here I collected all the grains of knowledge found on the Internet and the experience I gained while wrestling hard with SSL and Tomcat.