2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
The SSL protocol uses asymmetric (public-key) cryptography to set up secure transmission between two parties: it provides confidentiality and integrity for the data exchanged, and it lets each side authenticate the other.
When a browser establishes an https connection with a website, the browser and the web server go through a handshake that performs identity verification and key exchange and then establishes the secure connection. The process is:
1. The user's browser sends the server its SSL version number, cipher settings, session-related data and other necessary information.
2. The server sends the browser its SSL version number, cipher settings, session-related data and other necessary information, together with the server's certificate. If the server's SSL configuration requires client authentication, it also asks the browser to present the user's certificate.
3. The client verifies the server certificate. If verification fails, the SSL connection cannot be established; if it succeeds, the handshake continues.
4. The client browser generates the pre-master secret for this session, encrypts it with the server's public key and sends it to the server.
5. If the server requires client authentication, the client also signs some additional data and sends it to the server together with the client certificate.
6. If the server requires client authentication, it checks whether the CA that signed the client certificate is trusted; if that CA is not on the trust list, the session ends. Once the checks pass, the server decrypts the received pre-master secret with its own private key and derives the master secret for this session from it by a key-derivation algorithm.
7. Both client and server use this master secret to derive the session key (a symmetric key) for this session. Every message exchanged after the SSL handshake is protected with this session key. The main reason is that symmetric encryption costs more than an order of magnitude less computation than asymmetric encryption, which greatly speeds up the conversation between the two parties.
8. The client informs the server that all messages it sends from now on are encrypted with this session key, and notifies the server that the client's part of the SSL handshake is complete.
9. The server informs the client that all messages it sends from now on are encrypted with this session key, and notifies the client that the server's part of the SSL handshake is complete.
10. The handshake is over and the session is established. Both parties use the same session key to encrypt the data they send and decrypt the data they receive.
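The key derivation behind steps 6 and 7, as an added example that is not part of the original article: it assumes the TLS 1.2 PRF of RFC 5246 (older SSL/TLS versions use an MD5+SHA-1 construction) and that the pre-master secret has already been delivered under the server's RSA public key; the sample randoms and pre-master secret are constructed, fixed values.

```python
import hashlib
import hmac

# Added example, not code from the original article. Implements the TLS 1.2
# PRF (RFC 5246 section 5) to show how the pre-master secret from step 4/6
# becomes the master secret (step 6) and the per-direction session keys
# (step 7). The RSA transport of the pre-master secret is assumed done.

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256: A(i) = HMAC(secret, A(i-1)); output += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Step 6: the master secret is always 48 bytes; seed order is client || server.
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    # Step 7: expand the master secret into the key block (note the reversed
    # seed order server || client) and slice it; the default sizes are those
    # of TLS_RSA_WITH_AES_128_CBC_SHA256.
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def demo():
    # Constructed, fixed sample values so the run is reproducible; in a real
    # handshake all three are freshly random and only the client knows the
    # pre-master secret until the server decrypts it with its private key.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    pre_master = b"\x03\x03" + bytes(46)  # TLS 1.2 version bytes + 46 random bytes
    master = master_secret(pre_master, client_random, server_random)
    return master, session_keys(master, client_random, server_random)
```

Because both sides feed the same three inputs into the same PRF, they arrive at identical keys without ever sending the session key itself.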
1. Generate the server-side certificate file
You can do this on either Windows or Linux.
(1) Windows environment
Prerequisite: the JDK is installed
Steps:
- Enter the %JAVA_HOME%/bin directory
- Execute the command:
keytool -genkey -alias tomcat -keyalg RSA -keystore F:\tomcat.keystore -validity 36500
Brief description of the parameters: "-keystore F:\tomcat.keystore" saves the certificate file on drive F under the name tomcat.keystore; "-validity 36500" sets the certificate's validity period in days, so 36500 means 100 years (the default is 90 days).
- Fill in the required values at the prompts. The screenshot shows the following prompts:
A, "Enter keystore password:" Enter a string of more than 6 characters.
B, "What is your first and last name?" This is required and must be the domain name or IP address of the host where Tomcat is deployed (e.g. gbcom.com or 10.1.25.251), i.e. the address you will later type into the browser.
C, "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?", "What is the two-letter country code for this unit?" Fill these in as needed or press Enter to leave them blank. At the "Is ... correct?" prompt, check the entered information and type "y" if it is right, otherwise type "n" to re-enter the above information.
D, "Enter key password for <tomcat>": this password matters more, because it will be used in the Tomcat configuration file. It is recommended to use the same password as the keystore, though a different one can be set.
After completing the above input, press Enter; the generated file can be found at the location you specified in the second step.
(2) Linux environment
Prerequisite: the JDK is installed
Steps:
- Enter the $JAVA_HOME/bin directory
- Execute the command:
./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/ac/web/tomcat.keystore -validity 36500
Brief description of the parameters: "-keystore /usr/local/ac/web/tomcat.keystore" saves the certificate file under /usr/local/ac/web/ with the name tomcat.keystore; "-validity 36500" sets the certificate's validity period in days, so 36500 means 100 years (the default is 90 days).
- Fill in the required values at the prompts. The screenshot shows the same prompts as in the Windows case (A to D above): the keystore password (more than 6 characters), "What is your first and last name?" (required; the domain name or IP address of the Tomcat host, e.g. gbcom.com or 10.1.25.251), the optional organizational unit, organization, city, state and country fields with the "correct?" confirmation, and "Enter key password for <tomcat>", which will be used in the Tomcat configuration file and is recommended to be the same as the keystore password.
After completing the above input, press Enter; the generated file can be found at the location you specified in the second step.
2. Configure the Tomcat server
(1) If you generated the certificate file on Windows, copy the generated tomcat.keystore to the location Tomcat will reference: assuming the path Tomcat uses for the certificate is "/etc/tomcat.keystore", copy the certificate file into "/etc/". If you generated the certificate file on Linux following the steps above, the certificate file is already under "/etc/".
(2) Configure Tomcat: open $CATALINA_HOME/conf/server.xml and modify it as follows
Modify the parameters =>
Remove the comment and modify the parameters =>
Note: the two highlighted parameters are the location of the certificate file and the key password, both of which were set when the certificate file was generated.
Modify the parameters =>
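A checker for the server.xml wiring described above, as an added example that is not part of the original article: it embeds a constructed server.xml (placeholder keystore path and password) with the real Tomcat JSSE connector attributes and verifies that the SSL connector names the keystore file and password and that the plain connectors redirect to it.

```python
import xml.etree.ElementTree as ET

# Added example, not from the article. Checks the server.xml wiring the
# article describes: an HTTPS connector carrying the keystore file and its
# password, and plain HTTP/AJP connectors whose redirectPort points at it
# (the "http:// jumps to https://" behaviour). Attribute names are the real
# Tomcat JSSE connector attributes; path and password are placeholders.

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/tomcat.keystore" keystorePass="KEYPASS_PLACEHOLDER"/>
  </Service>
</Server>"""  # constructed sample

def check_connectors(server_xml: str) -> list:
    """Return findings as strings; an empty list means the SSL wiring is consistent."""
    findings = []
    conns = list(ET.fromstring(server_xml).iter("Connector"))
    ssl = [c for c in conns if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no connector has SSLEnabled="true"']
    for c in ssl:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: SSL connector needs scheme=https and secure=true")
        # The two values fixed during keytool generation: keystore path and password
        # (the article recommends giving the key the same password as the keystore).
        for attr in ("keystoreFile", "keystorePass"):
            if not c.get(attr):
                findings.append(f"port {port}: missing {attr}")
    ssl_ports = {c.get("port") for c in ssl}
    for c in conns:
        if c not in ssl and c.get("redirectPort") not in ssl_ports:
            findings.append(f"port {c.get('port')}: redirectPort does not point at an SSL connector")
    return findings
```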
(3) Open $CATALINA_HOME/conf/web.xml and add at the end of the file (inside the closing </web-app> tag) a security constraint that forces SSL for every URL:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
3. After the above configuration is completed and Tomcat has been restarted, SSL can be used. You can type the address into the IE address bar without "http://" or "https://", or type "http://" and be redirected to "https://" to log in.
4. Points to note:
(1) The validity period of the certificate starts when it is generated. If the clock on the machine running the IE client is earlier or later than the valid time, IE warns "the security certificate has expired or is not yet valid".
(2) If IE warns "the name on the security certificate is invalid or does not match the site name", the answer to "What is your first and last name?" given when the certificate was generated does not match the domain name of the host on which the server runs.
5. Remaining problems:
(1) If the AC host cannot be found by domain name, an IP address must be used, but the IP address is only known after it has been configured, so the certificate can only be generated after the AC's IP address is determined.
(2) A certificate file can be bound to only one IP address. Suppose there are two addresses, 10.1.25.250 and 192.168.1.250, and 10.1.25.250 was used when generating the certificate: then AC-WEB can be accessed through IE only at 10.1.25.250, and not at 192.168.1.250.