Configuring Tomcat for mutual (two-way) SSL authentication
SSL: Secure Sockets Layer protocol (the negotiated protocol today is TLS; Tomcat's configuration attributes still say SSL)
Public key and private key: in OpenSSL the private key file also contains the public key, so no separate public key file needs to be generated.
Key generation algorithms: the ones most commonly used for certificates are RSA and DSA.
Description:
Two-way SSL authentication needs a server certificate and a client certificate, and both the server and the client must have the root (CA) certificate that issued them installed as trusted. So to configure two-way SSL correctly we need to produce all three.
The detailed steps are divided into six major steps:
Step 1: generate a self-signed CA certificate
A) Create the CA private key
zhou@ubuntu:~/ssl$ openssl genrsa -out ca/ca-key.pem 2048
genrsa means generate an RSA private key
-out gives the file the private key is written to
2048 is the key size in bits. Many other online documents use 1024; 2048 is the value recommended on openssl.org, which says:
"The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as a smaller number of bits is considered insecure or likely to be insecure pretty soon."
Note that without an -aes256 (or -des3) option the key file is written unencrypted, so restrict its file permissions: the CA key is the root of trust for the whole setup.
B) Generate the CA certificate request with the CA private key
zhou@ubuntu:~/ssl$ openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
req is the certificate request (CSR) subcommand
-new generates a new certificate request
-out gives the file the certificate request is written to
-key gives the private key used to generate and sign the request
Press enter and the system asks you to fill in the following information:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: cn // country
State or Province Name (full name) [Some-State]: zhejiang // province
Locality Name (eg, city) []: hangzhou // city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: lianlian // company
Organizational Unit Name (eg, section) []: CPT // department
Common Name (eg, YOUR name) []: zhizhang // your name (for a CA, the name the CA will be known by)
Email Address []: zhouzz@lianlian.com // your e-mail
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: changeit // stored as an attribute of the request; nothing in this setup uses it
An optional company name []: lianlian group // optional, can be left blank
Normally a certificate request is sent to a CA, which issues the certificate; here we sign it ourselves, so the resulting self-signed certificate acts as our own root CA.
C) Generate the self-signed CA certificate from the CA private key and the CA certificate request
zhou@ubuntu:~/ssl$ openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 1095
-signkey signs the request with its own private key, which is what makes the certificate self-signed; -days 1095 makes it valid for three years. Press enter and the system reports Signature ok:
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=zhizhang/emailAddress=zhouzz@lianlian.com
Getting Private key
Step 2: generate the server certificate
A) Create the server private key
zhou@ubuntu:~/ssl$ openssl genrsa -out server/server-key.pem 2048
B) Generate the server certificate request with the server private key
zhou@ubuntu:~/ssl$ openssl req -new -out server/server-req.csr -key server/server-key.pem
Press enter and the system asks you to fill in the following information:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: cn
State or Province Name (full name) [Some-State]: zhejiang
Locality Name (eg, city) []: hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]: lianlian
Organizational Unit Name (eg, section) []: CPT
Common Name (eg, YOUR name) []: localhost // unlike the CA certificate, this must be the hostname or IP that clients will use to reach the server. Modern browsers (Chrome since version 58, for example) ignore the CN and match the hostname against a subjectAltName extension, which x509 -req only adds when given an -extfile
Email Address []: zhouzz@lianlian.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: changeit
An optional company name []: lianlian group
C) Generate the server certificate from the server certificate request, signed with the CA private key and CA certificate
zhou@ubuntu:~/ssl$ openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
-CA and -CAkey make the CA the issuer and sign with its key; -CAcreateserial creates ca/ca-cert.srl, the file holding the next serial number, on the first run. -signkey is the self-signing option from step 1C and is not needed when -CA/-CAkey are given; after signing, confirm that the issuer field of server-cert.pem is the CA's DN and not the server's own. The system returns Signature ok:
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=localhost/emailAddress=zhouzz@lianlian.com
Getting Private key
Getting CA Private Key
D) Export the server certificate and key into the PKCS#12 (.p12) format that browsers and Tomcat can load
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
-export builds a PKCS#12 file; -clcerts includes only the end-entity certificate, not the CA; -inkey is the matching private key. The export password you are asked for twice becomes Tomcat's keystorePass in step 5:
Enter Export Password:
Verifying - Enter Export Password:
Step 3: generate the client certificate
A) Create the client private key
zhou@ubuntu:~/ssl$ openssl genrsa -out client/client-key.pem 2048
Press enter:
Generating RSA private key, 2048 bit long modulus
..................................................+++
..............+++
e is 65537 (0x10001)
B) Generate the client certificate request with the client private key
zhou@ubuntu:~/ssl$ openssl req -new -out client/client-req.csr -key client/client-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: cn
State or Province Name (full name) [Some-State]: zhejiang
Locality Name (eg, city) []: hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]: lianlian
Organizational Unit Name (eg, section) []: CPT
Common Name (eg, YOUR name) []: clienthost // the server never matches this against a hostname; after checking the chain, Tomcat identifies the client by the certificate's full subject DN, so use a name that identifies the user or client system
Email Address []: zhouzz@lianlian.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: changeit
An optional company name []: lianlian group
C) Generate the client certificate from the client certificate request, signed with the CA private key and CA certificate
zhou@ubuntu:~/ssl$ openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 1095
As in step 2C, -signkey is not needed alongside -CA/-CAkey; make sure the issuer of the result is the CA. The system returns Signature ok:
Signature ok
subject=/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT/CN=clienthost/emailAddress=zhouzz@lianlian.com
Getting Private key
Getting CA Private Key
D) Export the client certificate and key into the PKCS#12 (.p12) format the browser can import
zhou@ubuntu:~/ssl$ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
After the command, the system asks for the export password twice (changeit here). The same password is needed again when client.p12 is imported into the browser.
Enter Export Password:
Verifying - Enter Export Password:
Step 4: generate the truststore JKS file from the CA certificate (JKS is the Java KeyStore format)
A) Generate the truststore file
zhou@ubuntu:~/ssl$ keytool -keystore jks/truststore.jks -keypass changeit -storepass lianlian.com -alias ca -import -trustcacerts -file ca/ca-cert.pem
-storepass protects the truststore file and becomes truststorePass in step 5; -keypass is not used for a trusted-certificate entry, which has no private key. After you press enter, keytool prints the certificate and asks whether to trust it; answer yes and the keystore is created.
Owner: EMAILADDRESS=zhouzz@lianlian.com, CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Issuer: EMAILADDRESS=zhouzz@lianlian.com, CN=zhizhang, OU=CPT, O=lianlian, L=hangzhou, ST=zhejiang, C=cn
Serial number: c14463d09ba37b39
Valid from: Fri Jan 29 03:33:25 PST 2010 until: Mon Jan 28 03:33:25 PST 2013
Certificate fingerprints:
MD5: D6:4A:7E:89:59:27:88:63:B5:28:2C:38:EB:44:B5:B6
SHA1: BA:26:16:C4:4B:1C:0B:65:F2:CB:CD:DB:DF:E1:D1:C3:70:55:0D:2A
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [No]: yes
Certificate was added to keystore
Owner and Issuer are identical because the CA certificate is self-signed. Version 1 means no extensions were added (x509 -req adds none without -extfile), and SHA1withRSA is the default digest of the OpenSSL version used here; pass -sha256 to x509 to get SHA-256 signatures.
Step 5: configure Tomcat SSL
Tomcat 6.0 configuration (in server.xml):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="D:\\app\\ssl\\ssl\\server\\server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="D:\\app\\ssl\\ssl\\jks\\truststore.jks" truststorePass="lianlian.com" truststoreType="JKS" />
keystorePass must equal the export password from step 2D and truststorePass the -storepass from step 4A. clientAuth="true" makes Tomcat refuse any connection that does not present a certificate chaining to a CA in the truststore; clientAuth="want" would request a client certificate but still accept connections without one.
Step 6: test Tomcat SSL
Import ca-cert.pem into the browser's Trusted Root Certification Authorities store and client.p12 into the Personal store.
Open your application at https://ip:8443/. If everything is configured correctly, the browser shows a dialog asking you to choose a digital certificate, and the page loads only after you pick the client certificate.
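The six steps above as one non-interactive script. This is an added example, not code from the original post: it keeps the post's directory layout, DN values and passwords as placeholders, signs the server and client certificates with -CA/-CAkey only (no -signkey on the leaf certificates), adds the extensions modern clients expect (CA:TRUE on the root, subjectAltName and serverAuth on the server, clientAuth on the client), and checks that each leaf really chains to the CA. It assumes openssl is in PATH; keytool is only needed for the optional step 4 function, and the script name mkpki.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: the six manual steps as a
# non-interactive script. Leaf certificates are signed with -CA/-CAkey only
# (no -signkey), the extensions modern clients expect are added, and each
# result is checked. Assumptions: openssl in PATH; the DN values, passwords
# and the hostname "localhost" are the post's placeholders.
set -u

DN_BASE="/C=cn/ST=zhejiang/L=hangzhou/O=lianlian/OU=CPT"
DAYS=1095
P12_PASS=changeit   # becomes Tomcat's keystorePass / the browser import password

# Print a certificate's subject or issuer DN without the "subject="/"issuer="
# prefix; RFC2253 formatting is stable enough to compare the two as strings.
dn_of() {  # dn_of subject|issuer <cert.pem>
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Step 1: self-signed CA. Unlike the post's V1 certificate, this one carries
# CA:TRUE and keyCertSign, which strict validators require of a trust anchor.
make_ca() {  # make_ca <dir>
    mkdir -p "$1/ca"
    openssl genrsa -out "$1/ca/ca-key.pem" 2048 2>/dev/null
    openssl req -new -batch -key "$1/ca/ca-key.pem" -out "$1/ca/ca-req.csr" \
        -subj "$DN_BASE/CN=zhizhang/emailAddress=zhouzz@lianlian.com"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$1/ca/ca-ext.cnf"
    openssl x509 -req -sha256 -days "$DAYS" -in "$1/ca/ca-req.csr" \
        -signkey "$1/ca/ca-key.pem" -extfile "$1/ca/ca-ext.cnf" \
        -out "$1/ca/ca-cert.pem"
}

# Steps 2 and 3 have the same shape: key, request, CA-signed certificate,
# PKCS#12 bundle. eku is serverAuth or clientAuth; san is set for servers only.
issue_cert() {  # issue_cert <dir> <server|client> <cn> <eku> [san]
    dir=$1 role=$2 cn=$3 eku=$4 san=${5:-}
    mkdir -p "$dir/$role"
    openssl genrsa -out "$dir/$role/$role-key.pem" 2048 2>/dev/null
    openssl req -new -batch -key "$dir/$role/$role-key.pem" \
        -out "$dir/$role/$role-req.csr" -subj "$DN_BASE/CN=$cn"
    {
        echo 'basicConstraints=CA:FALSE'
        echo 'keyUsage=critical,digitalSignature,keyEncipherment'
        echo "extendedKeyUsage=$eku"
        echo 'authorityKeyIdentifier=keyid,issuer'
        if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
    } > "$dir/$role/$role-ext.cnf"
    # -CA/-CAkey make the CA the issuer; -CAcreateserial maintains ca/ca-cert.srl
    openssl x509 -req -sha256 -days "$DAYS" -in "$dir/$role/$role-req.csr" \
        -CA "$dir/ca/ca-cert.pem" -CAkey "$dir/ca/ca-key.pem" -CAcreateserial \
        -extfile "$dir/$role/$role-ext.cnf" -out "$dir/$role/$role-cert.pem"
    # Steps 2D/3D: key + certificate (+ CA chain) for Tomcat or the browser
    openssl pkcs12 -export -name "$role" -in "$dir/$role/$role-cert.pem" \
        -inkey "$dir/$role/$role-key.pem" -certfile "$dir/ca/ca-cert.pem" \
        -out "$dir/$role/$role.p12" -passout "pass:$P12_PASS"
}

# The check to run after steps 2C and 3C: the leaf's issuer must be the CA's
# subject, and the chain must validate against the CA certificate alone.
is_signed_by() {  # is_signed_by <leaf.pem> <ca.pem>
    [ "$(dn_of issuer "$1")" = "$(dn_of subject "$2")" ] &&
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 4: JKS truststore holding only the CA certificate (needs a JDK's
# keytool). -noprompt answers the "Trust this certificate?" question.
make_truststore() {  # make_truststore <dir> <storepass>
    mkdir -p "$1/jks"
    keytool -importcert -noprompt -trustcacerts -alias ca -file "$1/ca/ca-cert.pem" \
        -keystore "$1/jks/truststore.jks" -storepass "$2"
}

build_pki() {  # build_pki <dir>: steps 1 to 3 plus the issuer/chain checks
    make_ca "$1" >/dev/null 2>&1 || return 1
    issue_cert "$1" server localhost serverAuth 'DNS:localhost,IP:127.0.0.1' \
        >/dev/null 2>&1 || return 1
    issue_cert "$1" client clienthost clientAuth >/dev/null 2>&1 || return 1
    is_signed_by "$1/server/server-cert.pem" "$1/ca/ca-cert.pem" || return 1
    is_signed_by "$1/client/client-cert.pem" "$1/ca/ca-cert.pem"
}

if [ $# -gt 0 ]; then   # usage: sh mkpki.sh ./ssl   (truststore only if keytool exists)
    build_pki "$1" && echo "PKI written to $1" &&
        if command -v keytool >/dev/null 2>&1; then make_truststore "$1" lianlian.com; fi
fi
```

Point Tomcat's keystoreFile at server/server.p12 and truststoreFile at jks/truststore.jks exactly as in step 5. Before involving a browser, the handshake can be exercised from the command line with openssl s_client against port 8443, passing client/client-cert.pem and client/client-key.pem as the client identity and ca/ca-cert.pem as the trust anchor: with clientAuth="true", the same connection without the client key must be rejected by Tomcat.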