
Configure SSL for Tomcat

A couple of weeks ago I ran into a problem: Tomcat is installed on a server (Windows 2008) that is not mine, and I never even saw how it was installed. Authorization over SSL had to be set up. I had never configured a web server before, on Windows or on *nix, and the task had to be done in the shortest possible time: three days. I asked Google and Yandex and found a pile of articles on SSL channel encryption and one obscure one about "two-phase authorization". I suffered for all three days and at the end of the deadline I had a solution (as always, the bright idea arrived with a heavy hangover). Now the details.
I will not describe how to install Tomcat; there are plenty of such articles.
First, create a keystore containing the server key.
Type the following at the command line:
>keytool -genkey -alias tomcat -keyalg RSA -keystore mystore -validity 999 -keysize 2048
(The original used -keysize 512. An RSA key that short is factorable with modest resources, and JSSE itself disables RSA keys under 1024 bits, so the connector would refuse to handshake with it; use 2048.)

Here:
- tomcat - alias (name) of the key entry in the store
- keyalg - key generation algorithm
- keystore - name of the store file
- validity - validity period of the certificate, in days
- keysize - key size, in bits
As a result, you will see the following on the console:
Enter keystore password: mystorepassword
What is your first and last name?
[Unknown]: firstname lastname
What is your organizational unit?
[Unknown]: organizationalunit
What is the name of your organization?
[Unknown]: organization
What is your city or locality?
[Unknown]: city
What is your state or province?
[Unknown]: state
What is the two-letter country code for this unit?
[Unknown]: ru
Is CN = firstname lastname, OU = organizationalunit, O = organization, L = city, ST = state, C = ru correct?
[no]: yes
Enter key password for (RETURN if same as keystore password):
The values after the prompts are what you type in; the prompts appear one at a time.
The answer to "first and last name" becomes the certificate's CN (Common Name). For a server certificate it should be the host name clients will connect with (localhost for a local test), otherwise browsers will warn that the name does not match the site.
Note that no separate key password was entered (pressing Enter uses the keystore password for the key as well); the Tomcat connector below relies on the two being the same, since keyPass defaults to keystorePass.

Configuring the SSL connector (fragment of server.xml):
Find the comment
 <!-- Define a SSL HTTP/1.1 Connector on port 443
      This connector uses the JSSE configuration, when using APR, the
      connector should be using the OpenSSL style configuration
      described in the APR documentation -->

and add below it
 <Connector port="8443" SSLEnabled="true" maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="200"
            enableLookups="false" disableUploadTimeout="true" acceptCount="100"
            scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
            keystoreFile="mystore" keystorePass="mystorepassword"
            keystoreType="JKS" keyAlias="tomcat"/>
(maxSpareThreads is a Tomcat 5.5 attribute; later versions ignore it.)

Find the line
 <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
(by default it is line 27) and comment it out. As the comment above says, with APR active the connector uses OpenSSL-style configuration (PEM certificate files), so the JKS keystore settings above would not apply.
If you also have this line:
 <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />

comment it out as well.
keytool writes mystore into the directory the command was run from (the Java bin folder). Copy the file into the Tomcat root: Tomcat resolves a relative keystoreFile against $CATALINA_BASE, so
  keystoreFile="mystore"
then works as is. If you keep the file somewhere else, put its full path into keystoreFile instead.

The line
 keystorePass="mystorepassword"
carries the password you entered when creating the keystore. It is stored in clear text, so restrict read access to server.xml to the account Tomcat runs under.
Start Tomcat: SSL encryption is now working.

"Two-phase" SSL: authorizing access to the site by client certificate

The verification mechanism is simple: the server's truststore must contain a certificate whose subject distinguished name equals the issuer distinguished name of the certificate being verified, and whose public key verifies that certificate's signature. With certificates issued by a certification authority this is the CA certificate: the client holds its own certificate signed by the CA, and the server holds the CA's public certificate. With a self-signed certificate (which is what keytool -genkey creates) issuer and subject are the same, so the client's own certificate must be placed in the server's truststore. The client side is the mirror image, but for the server's self-signed certificate the browser simply asks you to confirm trust in a dialog.
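The check described above, as an added example that is not part of the original article: a small Java program that loads the server's truststore (mytruststore) and the exported client certificate (clientcert) and applies both halves of the test, issuer DN equal to a trusted entry's subject DN, and signature verifiable with that entry's public key. File names and passwords are the ones the article uses and are assumed to be in the current directory; the program also reports whether the certificate is self-signed, whether it is valid today and how large its RSA key is, the three things that most often go wrong with keytool-made certificates.

```java
// Added example, not code from the article: reproduces the trust decision the
// text describes for a certificate presented to a JSSE server.
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Date;

public class TrustCheck {

    /** Returns the alias of the truststore entry that vouches for cert, or null if none does. */
    static String findIssuer(KeyStore truststore, X509Certificate cert) throws GeneralSecurityException {
        for (String alias : Collections.list(truststore.aliases())) {
            if (!truststore.isCertificateEntry(alias)) continue;
            X509Certificate trusted = (X509Certificate) truststore.getCertificate(alias);
            // 1. issuer DN of the presented certificate must equal the subject DN of a trusted one
            if (!cert.getIssuerX500Principal().equals(trusted.getSubjectX500Principal())) continue;
            try {
                // 2. the trusted entry's public key must verify the signature; a DN can be
                //    copied by anyone, the signature cannot
                cert.verify(trusted.getPublicKey());
                return alias;
            } catch (GeneralSecurityException e) {
                // same DN, different key: keep looking
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // defaults are the names and passwords used in the article
        String trustFile = args.length > 0 ? args[0] : "mytruststore";
        char[] trustPass = (args.length > 1 ? args[1] : "mytruststorepassword").toCharArray();
        String certFile  = args.length > 2 ? args[2] : "clientcert";

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustFile)) {
            ts.load(in, trustPass);
        }
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        // keytool -genkey produces self-signed certificates: issuer == subject
        boolean selfSigned = cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal());
        System.out.println("Self-signed: " + selfSigned);
        try {
            cert.checkValidity(new Date());
        } catch (CertificateException e) {
            System.out.println("NOT VALID TODAY: " + e.getMessage());
        }
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA key size: " + bits + (bits < 2048 ? " (too small, use 2048 or more)" : ""));
        }

        String alias = findIssuer(ts, cert);
        System.out.println(alias == null
            ? "REJECTED: no entry in " + trustFile + " vouches for this certificate"
            : "ACCEPTED: vouched for by truststore entry '" + alias + "'");
    }
}
```

Compile and run with `javac TrustCheck.java && java TrustCheck mytruststore mytruststorepassword clientcert`; run it against a certificate that is not in the truststore to see the rejection path.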

We generated the server key above; now we make the client key.
Type the following command in the console:
 keytool -genkey -alias client -keyalg RSA -keystore myclientstore -storetype PKCS12 -validity 999 -keysize 2048
(again 2048 instead of the original 512, for the reason given above)

the following will appear on the console:
Enter keystore password: myclientstorepassword
What is your first and last name?
[Unknown]: client
What is your organizational unit?
[Unknown]: orgunit
What is the name of your organization?
[Unknown]: org
What is your city or locality?
[Unknown]: locality
What is your state or province?
[Unknown]: state
What is the two-letter country code for this unit?
[Unknown]: RU
Is CN = client, OU = orgunit, O = org, L = locality, ST = state, C = RU correct?
[no]: yes
Enter key password for (RETURN if same as keystore password):

Everything is as for the server key; the only new parameter is
  -storetype
It sets the store format. keytool's default is JKS, which browsers cannot import; PKCS12 is the format browsers accept, so if you are not sure what your browser wants, leave it as is: it works everywhere (tried and tested).
  -keystore
here names the file that will hold the client's private key and certificate.
The next step is to place the client's certificate (its public key, signed) into the server's trusted store (truststore). To do this, export it from the store just created (myclientstore) into the file clientcert.
Enter the following command in the console:

 keytool -export -alias client -keystore myclientstore -storetype PKCS12 -file clientcert
(the original also passed -keyalg RSA here; export does not take that option, and newer keytool rejects it)


in response we will see:

Enter keystore password: myclientstorepassword
Certificate stored in file "clientcert"

Here the question "Enter keystore password:" asks not for a new password but for the one we entered when creating myclientstore.
All parameters were discussed above. The result is the file clientcert, a DER-encoded certificate.
Now import that file into a new store for the server (this will be the truststore).
Enter the command in the console:
 keytool -import -alias client -keystore mytruststore -storetype JKS -file clientcert
(-keyalg is not needed for import either)


They will ask us

Enter keystore password: mytruststorepassword

if answered correctly then we'll see

Owner: CN=client, OU=orgunit, O=org, L=locality, ST=state, C=RU
Issuer: CN=client, OU=orgunit, O=org, L=locality, ST=state, C=RU
Serial number: 462a2361
Valid from: Sat Apr 21 18:44:49 MSD 2007 until: Fri Jul 20 18:44:49 MSD 2007
Certificate fingerprints:
MD5: 78:55:83:13:3A:4F:DB:CA:1A:60:5E:A4:87:1D:EC:93
SHA1: 7A:A7:7C:C6:71:2B:82:74:9C:4F:C7:3D:FA:14:AD:2A:E5:BF:39:2F

last question

Trust this certificate? [no]: yes

and in response

Certificate was added to keystore

Here mytruststore does not exist yet: keytool creates it on this first import, and the password you enter at "Enter keystore password:" becomes the truststore password (keytool asks you to re-enter it). Use the same value in truststorePass below. Compare the fingerprints shown against the ones keytool prints for the client store before answering "yes"; that is the moment you decide what the server trusts.
Well, all certificates are generated and placed in trusted repositories.
Now we need to tell the server to use them, so we extend the connector configuration. The SSL connector now looks like this (clientAuth switched to true, truststore attributes added):
 <Connector port="8443" SSLEnabled="true" maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="200"
            enableLookups="false" disableUploadTimeout="true" acceptCount="100"
            scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
            keystoreFile="mystore" keystorePass="mystorepassword"
            keystoreType="JKS" keyAlias="tomcat"
            truststoreFile="mytruststore" truststorePass="mytruststorepassword"
            truststoreType="JKS"/>

The paths to mystore and mytruststore can be changed as noted above; keep the two password values in step with what you entered when creating the stores :-)
clientAuth="true" means every TLS client must present a certificate the truststore vouches for, or the handshake is aborted; a client with no certificate never reaches the application.
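With clientAuth="true" Tomcat only authenticates: the handshake succeeds for any certificate the truststore vouches for. Which certificates may use the application is the application's decision, and Tomcat hands it the verified chain as the request attribute javax.servlet.request.X509Certificate. The filter below is an added example, not code from the article: it admits only the subject DN generated above (an assumed allow-list; extend it or back it with a user database as needed) and is registered in the application's WEB-INF/web.xml with a <filter> element and a <filter-mapping> for /*. It uses the javax.servlet API of Tomcat up to version 9; Tomcat 10 and later use jakarta.servlet instead.

```java
// Added example, not code from the article: application-level authorization
// on top of the TLS-level client authentication configured in the connector.
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClientCertAuthzFilter implements Filter {

    // Allow-list of subjects (assumption: the single client generated in the article).
    // Compared as X500Principal so that differences in spacing between
    // "CN=client, OU=orgunit" and "CN=client,OU=orgunit" do not matter.
    private static final Set<X500Principal> ALLOWED = new HashSet<X500Principal>(Arrays.asList(
        new X500Principal("CN=client, OU=orgunit, O=org, L=locality, ST=state, C=RU")));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Subject the TLS layer authenticated, or null if no verified certificate was presented. */
    static X500Principal presentedSubject(ServletRequest req) {
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return null;
        return chain[0].getSubjectX500Principal();  // chain[0] is the client's own certificate
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        if (!req.isSecure()) {
            // the CONFIDENTIAL constraint in web.xml should already redirect plain HTTP;
            // do not rely on it for an authorization decision
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        X500Principal subject = presentedSubject(req);
        if (subject == null) {
            // reached only if the connector has clientAuth="false" or "want"
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        if (!ALLOWED.contains(subject)) {
            // authenticated (present in the truststore) but not authorized for this application
            http.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "certificate " + subject.getName() + " is not allowed here");
            return;
        }
        req.setAttribute("authenticatedSubject", subject.getName());  // for downstream code/logging
        chain.doFilter(req, res);
    }
}
```

Keep the allow-list decision on the subject DN, not on the certificate's serial number or fingerprint alone: the DN is what the truststore entry vouches for, and a renewed certificate for the same subject keeps working without touching the filter.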

If you need to add another certificate to the truststore, use the following command (the alias and file name are examples; every entry in the store needs its own alias):
 keytool -import -keystore mytruststore -alias client2 -file clientcert2
(the original gave "keytool -import -mytruststore -keystore mystore -alias tomcat -file clientcert", which is wrong in three ways: -mytruststore is not a keytool option, -keystore mystore points at the server keystore rather than the truststore, and the alias tomcat is already taken by the server key)

If you need to remove a certificate from the truststore, delete its alias; -file is not used here:
 keytool -delete -keystore mytruststore -alias client2


Copy mytruststore and mystore into the Tomcat root (Tomcat resolves the relative names used here against $CATALINA_BASE) or into the locations you specified in the connector attributes keystoreFile and truststoreFile, if you changed them.
Import myclientstore into the browser's certificate store. For IE:
Tools -> Internet Options -> Content -> Certificates -> Import -> Next -> Browse -> All Files -> go to the folder you ran keytool from (the Java bin folder by default, where the generated files are saved), choose myclientstore -> Next -> enter the password you set when generating myclientstore, and that is it.
Restart the server.
Now if you open https://localhost:8443 the server will require a certificate, whereas
http://localhost:8080 opens the same page without any protection. To redirect all requests from http to https, add the following to the application's WEB-INF/web.xml (or to conf/web.xml to apply it to every application), before the closing web-app tag:
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Protected Context</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
The redirect goes to the port named in the redirectPort attribute of the 8080 connector, which is 8443 by default; if you used another port for the SSL connector, change redirectPort to match.


Restart the server, and voila, everything works!
I hope this article is clearer than the rest, because I gathered in it all the bits of knowledge I found on the Internet and the experience gained from my long struggle with SSL and Tomcat.
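A way to check the result without a browser, as an added example that is not from the article: a Java client that performs the TLS handshake against the 8443 connector, presenting the certificate from myclientstore, and reports what it sees. Run it with a third argument of false to watch a client without a certificate being turned away. One assumption of this example, not a step in the article: the client has to trust the server's self-signed certificate, so that certificate is exported with keytool -export -alias tomcat -keystore mystore -file servercert and imported into a JKS file named clienttrust (password clienttrustpassword) with keytool -import.

```java
// Added example, not code from the article: both sides of the exchange seen from
// a JSSE client, with and without a client certificate.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsProbe {

    static KeyStore load(String type, String file, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, pass.toCharArray());
        }
        return ks;
    }

    /** clientStore == null builds a context that presents no certificate at all. */
    static SSLContext context(String clientStore, String clientPass,
                              String trustStore, String trustPass) throws Exception {
        KeyManagerFactory kmf = null;
        if (clientStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load("PKCS12", clientStore, clientPass), clientPass.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", trustStore, trustPass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        boolean withCert = args.length > 2 ? Boolean.parseBoolean(args[2]) : true;
        boolean checkHostname = args.length > 3 && Boolean.parseBoolean(args[3]);

        // clienttrust / clienttrustpassword are this example's assumption (see the lead-in)
        SSLContext ctx = context(withCert ? "myclientstore" : null, "myclientstorepassword",
                                 "clienttrust", "clienttrustpassword");
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            if (checkHostname) {
                // a raw SSLSocket does not compare the certificate's CN/SAN with the host name;
                // with the article's CN of "firstname lastname" this check will fail, by design
                SSLParameters p = s.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("HTTPS");
                s.setSSLParameters(p);
            }
            s.startHandshake();  // run the TLS exchange before sending any HTTP
            X509Certificate server = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Handshake OK: " + s.getSession().getProtocol() + " "
                + s.getSession().getCipherSuite());
            System.out.println("Server certificate subject: " + server.getSubjectX500Principal());
            // one minimal request so the reply shows the application path works as well
            s.getOutputStream().write(("HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n").getBytes("US-ASCII"));
            s.getOutputStream().flush();
            byte[] buf = new byte[512];
            int n = s.getInputStream().read(buf);
            System.out.println(n > 0 ? new String(buf, 0, n, "US-ASCII").split("\r\n")[0] : "(no response)");
        } catch (IOException e) {
            // with clientAuth="true" and no acceptable client certificate Tomcat aborts the
            // handshake; JSSE surfaces that as an SSLHandshakeException (e.g. bad_certificate)
            // or, depending on the stack, as a plain connection reset
            System.out.println("Connection FAILED: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Run `java MutualTlsProbe localhost 8443 true` for the happy path and `java MutualTlsProbe localhost 8443 false` to confirm the connector really enforces clientAuth="true"; if the second run also prints "Handshake OK", the truststore attributes or the clientAuth flag did not take effect.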

Source: https://habr.com/ru/post/134453/
