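What is HTTPS?
When an HTTP request is made to a site over SSL/TLS (usually with an https:// URL), the server sends a certificate to the client. The client uses its installed public certificates to verify the server's identity through this certificate, and then checks that the IP name (machine name) matches the machine the client is connected to. The client generates some random information from which the private key for the conversation (called the session key) can be derived, encrypts it with the server's public key, and sends it to the server. The server decrypts the message with its own private key and then uses the random information to derive the same private session key as the client. The RSA public-key algorithm is usually used at this stage. After that, the client and the server communicate using the private session key and a secret-key algorithm (usually RC4). A message authentication code keyed with another key is used to ensure the integrity of the messages.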
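The key transport step described above, as an added example that is not part of the original page. It assumes the openssl command-line tool (not mentioned on the page); the file names are made up, a bare public key stands in for the one delivered in the server certificate, and OAEP padding is this example's choice.

```shell
#!/bin/sh
# Added example with constructed data: RSA key transport between a client and a server.
key_transport_demo() {
    dir=$(mktemp -d) || return 2
    # Server: long-term key pair; the public half is what the certificate carries.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null || return 2
    openssl pkey -in "$dir/server.key" -pubout -out "$dir/server.pub" || return 2
    # A second private key, standing in for anyone who is not the server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null || return 2

    # Client: 48 random bytes from which both ends derive the session key.
    openssl rand -out "$dir/client.secret" 48 || return 2
    # Client: encrypt the secret with the server's public key; wire.bin is what travels.
    openssl pkeyutl -encrypt -pubin -inkey "$dir/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/client.secret" -out "$dir/wire.bin" || return 2

    # Server: the matching private key recovers exactly the same bytes.
    openssl pkeyutl -decrypt -inkey "$dir/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/wire.bin" -out "$dir/server.secret" || return 2
    result=ok
    cmp -s "$dir/client.secret" "$dir/server.secret" || result=mismatch

    # Any other private key must fail to decrypt the captured message.
    if openssl pkeyutl -decrypt -inkey "$dir/other.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/wire.bin" -out "$dir/other.secret" 2>/dev/null; then
        result=leak
    fi
    rm -rf "$dir"
    echo "$result"
}

key_transport_demo || echo "openssl run failed (is openssl installed?)"
```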
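What is a digital signature?
A digital signature is produced when the sender of a message uses its private key to perform an RSA operation on the feature data (also called the digital fingerprint) extracted from the message being sent. This guarantees that the sender cannot deny having sent the message (non-repudiation), and also ensures that the message has not been tampered with after it was signed (integrity). When the recipient receives the message, it can verify the digital signature with the sender's public key.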
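Signing and verification as described above, as an added example that is not part of the original page. It assumes the openssl command-line tool and SHA-256 as the fingerprint function; the messages and file names are constructed.

```shell
#!/bin/sh
# Added example with constructed data: hash-then-sign with RSA, then verify
# an intact copy and a tampered copy of the message.
signature_demo() {
    dir=$(mktemp -d) || return 2
    # Sender: key pair; only sender.key can produce valid signatures.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/sender.key" 2>/dev/null || return 2
    openssl pkey -in "$dir/sender.key" -pubout -out "$dir/sender.pub" || return 2

    printf 'pay 100 to alice\n' > "$dir/msg.txt"        # constructed message
    # Sender: compute the SHA-256 fingerprint and sign it with the private key.
    openssl dgst -sha256 -sign "$dir/sender.key" \
        -out "$dir/msg.sig" "$dir/msg.txt" || return 2

    # Receiver: verify the signature with the sender's public key.
    intact=rejected
    openssl dgst -sha256 -verify "$dir/sender.pub" -signature "$dir/msg.sig" \
        "$dir/msg.txt" >/dev/null 2>&1 && intact=accepted

    # Receiver: same signature attached to a modified message.
    printf 'pay 900 to alice\n' > "$dir/tampered.txt"   # constructed tampering
    tampered=rejected
    openssl dgst -sha256 -verify "$dir/sender.pub" -signature "$dir/msg.sig" \
        "$dir/tampered.txt" >/dev/null 2>&1 && tampered=accepted

    rm -rf "$dir"
    echo "intact=$intact tampered=$tampered"
}

signature_demo || echo "openssl run failed (is openssl installed?)"
```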
Overview of SSL?
SSL, or Secure Socket Layer, is a technology which allows web browsers
and web servers to communicate over a secured connection. This means
that the data being sent is encrypted by one side, transmitted, then
decrypted by the other side before processing. This is a two-way
process, meaning that both the server AND the browser encrypt all
traffic before sending out data.
Another important aspect of
the SSL protocol is Authentication. This means that during your initial
attempt to communicate with a web server over a secure connection, that
server will present your web browser with a set of credentials, in the
form of a "Certificate", as proof the site is who and what it claims to
be. In certain cases, the server may also request a Certificate from
your web browser, asking for proof that
you are who you claim
to be. This is known as "Client Authentication," although in practice
this is used more for business-to-business (B2B) transactions than with
individual users. Most SSL-enabled web servers do not request Client
Authentication.
HTTPS and Tomcat
The Apache Jakarta Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO?
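Quick configuration:
1. Use keytool from the JDK to generate a Tomcat keystore
At the command line, type: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
You will be prompted for the key password, the keystore password and other related information. Follow the prompts to finish.
2. Add the following to conf/server.xml: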
<Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    clientAuth="false" keystorePass="password" sslProtocol="TLS" />
3. Start Tomcat, open a browser and go to https://localhost:8443, and that is all.
Note: a keystore file generated this way is placed under C:\Documents and Settings\user
Notes:
Attribute | Description
clientAuth | Set this value to true if you want Tomcat to require all SSL clients to present a client Certificate in order to use this socket. Set this value to want if you want Tomcat to request a client Certificate, but not fail if one isn't presented.
keystoreFile | Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
keystorePass | Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit).
keystoreType | Add this element if using a PKCS12 keystore. The valid values are JKS and PKCS12.
sslProtocol | The encryption/decryption protocol to be used on this socket. It is not recommended to change this value if you are using Sun's JVM. It is reported that IBM's 1.4.1 implementation of the TLS protocol is not compatible with some popular browsers. In this case, use the value SSL.
ciphers | The comma separated list of encryption ciphers that this socket is allowed to use. By default, any available cipher is allowed.
algorithm | The X509 algorithm to use. This defaults to the Sun implementation (SunX509). For IBM JVMs you should use the value IbmX509. For other vendors, consult the JVM documentation for the correct value.
truststoreFile | The TrustStore file to use to validate client certificates.
truststorePass | The password to access the TrustStore. This defaults to the value of keystorePass.
truststoreType | Add this element if you are using a different format for the TrustStore than you are using for the KeyStore. The valid values are JKS and PKCS12.
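What does the Java keytool tool do and how is it used?
Keytool is a management tool for security keys and certificates. It manages a keystore (effectively a database) that stores private keys together with the X.509 certificate chains that authenticate the corresponding public keys.
Keytool is an effective key and certificate management tool. It lets users administer their own private/public key pairs and the associated certificates used for self-authentication, and for data integrity and authentication services, using digital signatures. It also lets users cache the public keys of the parties they communicate with.
A certificate is a digitally signed statement from one entity (a person, a company, etc.) stating the particular value of the public key (or some other information) of another entity. Once data has been signed, the signature is used to check the integrity and authenticity of the data. Integrity means that the data has not been modified or tampered with; authenticity means that the data really comes from whoever created and signed it.
Keytool stores keys and certificates in a keystore. The default keystore implementation is a file. It protects keys with a password. Another tool, jarsigner, uses the information in a keystore to generate or verify digital signatures for Java ARchive (JAR) files.
A keystore has two different kinds of entries:
1. Key entries: hold very sensitive cryptographic key information, stored in a protected format to prevent unauthorized access. A key stored in this form is either a secret key, or a private key that corresponds to the public key in a certificate chain.
2. Trusted certificate entries: contain a single public key certificate belonging to another party. It is called a "trusted certificate" because the keystore trusts that the public key in the certificate really belongs to the identity named as the certificate's owner.
Keystore aliases:
All keystore entries (key entries and trusted certificate entries) are accessed through unique aliases. Aliases are not case-sensitive; for example, the aliases Hugo and hugo refer to the same keystore entry.
An alias is specified when an entry is added to the keystore, either with the -genkey option, which generates a key pair (public key and private key), or with the -import option, which adds a certificate or certificate chain to the trusted certificates.
For example: keytool -genkey -alias duke -keypass dukekeypasswd
Here duke is the alias and dukekeypasswd is the password for the duke alias. This command generates a new public/private key pair.
To change the password, use: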
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
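This changes the old password dukekeypasswd to newpass.
Keystore creation:
1. When the -genkey, -import or -identitydb command is used to add data to a keystore that does not exist yet, a keystore is created. Its default name is .keystore, and it is stored in the user-home directory.
2. When -keystore is specified, the named keystore is created.
Keystore implementation:
The KeyStore class is in the java.security package and provides a very good interface for reading and modifying the information in a keystore.
At present two command-line tools, keytool and jarsigner, and one GUI tool, Policy, work with the keystore. Because KeyStore is public, users can use it to write additional security applications.
Keystore also has a built-in implementation provided by Sun. It implements the keystore as a file, using a keystore type (format) named "JKS". It protects each private key with its own password, and also protects the integrity of the whole keystore with a password that may be different.
Supported algorithms and key sizes:
keytool lets users specify the key pair generation and signature algorithms supplied by the registered cryptographic service providers. The default key pair generation algorithm is "DSA". If the private key is of type "DSA", the default signature algorithm is "SHA1withDSA"; if the private key is of type "RSA", the default algorithm is "MD5withRSA".
When a DSA key pair is generated, the key size must be between 512 and 1024 bits. The default key size for any algorithm is 1024 bits.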
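1. Certificate: a certificate is a digitally signed statement from one entity, stating that the public key of another entity has a particular value.
2. Public key: a number associated with a particular entity, intended to be known to every other entity that wants a trust relationship with that entity. Public keys are used to verify signatures;
3. Digital signature: if data has been signed, it is stored with the identity of an entity and a signature that proves the entity knows about the data. The data is signed with the entity's private key and submitted;
4. Identity: a known way of addressing an entity. In some systems the identity is the public key; in other systems it can be anything from a Unix UID to an e-mail address to an X.509 name;
5. Signature: a signature is computed over some data using the private key of an entity;
6. Private key: a number that is known only to the particular entity that owns the private key. Private and public keys exist in pairs in all public-key cryptography systems. In a public-key cryptosystem (such as DSA), a private key corresponds to exactly one public key. Private keys are used to compute signatures.
7. Entity: an entity can be a person, an organization, a program, a computer, a business, a bank, or anything else you want to trust.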
Keytool examples:
1. Create a keystore:
keytool -genkey -alias User -keyalg RSA -validity 7 -keystore keystore
(User is the alias of the keystore entry; the value after -keystore names the keystore to use.)
Running this command produces the following prompts:
Enter keystore password: yourpassword (enter a password)
What is your first and last name?
[Unknown]: your name (enter your name)
What is the name of your organizational unit?
[Unknown]: your organizational unit (enter the name of your organizational unit)
What is the name of your organization?
[Unknown]: your organization name (enter the name of your organization)
What is the name of your City or Locality?
[Unknown]: your city name (enter the name of your city)
What is the name of your State or Province?
[Unknown]: your province name (enter the name of your province)
What is the two-letter country code for this unit?
[Unknown]: cn (enter the country name)
Is CN=your name, OU=your organization, O="your organization name", L=your city name, ST=your province name, C=cn correct?
[no]: yes
2. Inspect a keystore:
keytool -list -v -keystore keystore
Enter keystore password: your password (enter the password)
The contents of the keystore are displayed, for example:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: yourname
Creation date: Dec 20, 2001
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yourname, OU=your organization, O="your organization name",
L=your city name, ST=your province name, C=CN
Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
Serial number: 3c22adc1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
3. Export the certificate from the keystore to a file, testkey:
keytool -export -alias duke -keystore keystore -rfc -file testkey
System output: Enter keystore password: your password (enter the password)
Certificate stored in file <testkey>
4. Import the certificate into a new truststore:
keytool -import -alias dukecert -file testkey -keystore truststore
Enter keystore password: your new password (enter a new password for the truststore)
5. Inspect the truststore:
keytool -list -v -keystore truststore
The system displays the truststore information.
You can now run your applications with the appropriate keystore, for example:
java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password Server
and:
java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword Client
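Steps 1 to 5 above run without prompts and checked at the end, as an added example that is not part of the original page. It assumes a JDK keytool on the PATH; the DN values, temporary paths and the 2048-bit key size are constructed sample values, and the -dname, -storepass, -keypass and -noprompt options replace the interactive questions.

```shell
#!/bin/sh
# Added example: sample passwords, aliases and DN values are constructed.
KT="keytool -J-Duser.language=en"   # force English output so the patterns below match

fingerprint() {    # usage: fingerprint <store> <storepass> <alias>
    $KT -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        sed -n 's/^Certificate fingerprint[^:]*: *//p'
}

count_entries() {  # usage: count_entries <store> <storepass> <entry type>
    $KT -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c "$3" || true
}

keystore_roundtrip() {
    dir=$(mktemp -d) || return 2
    ks="$dir/keystore"; ts="$dir/truststore"
    # Step 1: key pair plus self-signed certificate, valid for 7 days.
    $KT -genkey -alias duke -keyalg RSA -keysize 2048 -validity 7 \
        -dname "CN=localhost, OU=Example Unit, O=Example Org, L=City, ST=State, C=CN" \
        -keystore "$ks" -storepass password -keypass password >/dev/null 2>&1 || return 2
    # Step 3: export the certificate only; the private key stays in the keystore.
    $KT -export -alias duke -keystore "$ks" -storepass password \
        -rfc -file "$dir/testkey" >/dev/null 2>&1 || return 2
    # Step 4: import it into a new truststore as a trusted certificate.
    $KT -import -noprompt -alias dukecert -file "$dir/testkey" \
        -keystore "$ts" -storepass trustword >/dev/null 2>&1 || return 2
    # Steps 2 and 5: which kind of entry does each store hold?
    key_entries=$(count_entries "$ks" password PrivateKeyEntry)
    trusted=$(count_entries "$ts" trustword trustedCertEntry)
    leaked=$(count_entries "$ts" trustword PrivateKeyEntry)
    # The same certificate must show the same fingerprint in both stores.
    fp_ks=$(fingerprint "$ks" password duke)
    fp_ts=$(fingerprint "$ts" trustword dukecert)
    same=no
    [ -n "$fp_ks" ] && [ "$fp_ks" = "$fp_ts" ] && same=yes
    rm -rf "$dir"
    echo "key_entries=$key_entries trusted_entries=$trusted keys_in_truststore=$leaked same_cert=$same"
}

keystore_roundtrip || echo "keytool run failed (is a JDK on the PATH?)"
```

The truststore handed to clients should report a trustedCertEntry and no key entry; comparing the fingerprint with the one shown by the server's keystore confirms the client trusts the intended certificate.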