June 30, 2011 | By Loiane
This tutorial will walk you through how to configure SSL (https://localhost:8443 access) on Tomcat in 5 minutes.
For this tutorial you will need:
The set up consists in 3 basic steps:
- Create a keystore file using Java
- Configure Tomcat to use the keystore
- Test it
- (Bonus ) Configure your app to work with SSL (access through https://localhost:8443/yourApp)
1 – Creating a Keystore file using Java
Fisrt, open the terminal on your computer and type:
Windows:
cd %JAVA_HOME%/bin
Linux or Mac OS:
cd $JAVA_HOME/bin
The $JAVA_HOME on Mac is located on “/System/Library/Frameworks/JavaVM.framework/Versions/{your java version}/Home/”
You will change the current directory to the directory Java is installed on your computer. Inside the Java Home directory, cd to the bin folder. Inside the bin folder there is a file named keytool. This guy is responsible for generating the keystore file for us.
Next, type on the terminal:
keytool -genkey -alias tomcat -keyalg RSA
When you type the command above, it will ask you some questions. First, it will ask you to create a password (My password is “password“):
loiane:bin loiane$ keytool -genkey -alias tomcat -keyalg RSA Enter keystore password: password Re-enter new password: password What is your first and last name? [Unknown]: Loiane Groner What is the name of your organizational unit? [Unknown]: home What is the name of your organization? [Unknown]: home What is the name of your City or Locality? [Unknown]: Sao Paulo What is the name of your State or Province? [Unknown]: SP What is the two-letter country code for this unit? [Unknown]: BR Is CN=Loiane Groner, OU=home, O=home, L=Sao Paulo, ST=SP, C=BR correct? [no]: yes Enter key password for (RETURN if same as keystore password): password Re-enter new password: password
It will create a .keystore file on your user home directory. On Windows, it will be on: C:\Documents and Settings\[username]; on Mac it will be on /Users/[username] and on Linux will be on /home/[username].
2 – Configuring Tomcat for using the keystore file – SSL config
Open your Tomcat installation directory and open the conf folder. Inside this folder, you will find the server.xml file. Open it.
Find the following declaration:
<!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
Uncomment it and modify it to look like the following:
Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25" port="8443" keystoreFile="/Users/loiane/.keystore" keystorePass="password" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
Note we add the keystoreFile, keystorePass and changed the protocol declarations.
3 – Let’s test it!
Start tomcat service and try to access https://localhost:8443. You will see Tomcat’s local home page.
Note if you try to access the default 8080 port it will be working too: http://localhost:8080
4 – BONUS - Configuring your app to work with SSL (access through https://localhost:8443/yourApp)
To force your web application to work with SSL, you simply need to add the following code to your web.xml file (before web-app tag ends):
<security-constraint> <web-resource-collection> <web-resource-name>securedapp</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
The url pattern is set to /* so any page/resource from your application is secure (it can be only accessed with https). The transport-guarantee tag is set to CONFIDENTIAL to make sure your app will work on SSL.
If you want to turn off the SSL, you don’t need to delete the code above from web.xml, simply changeCONFIDENTIAL to NONE.
Reference: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html (this tutorial is a little confusing, that is why I decided to write another one my own).
Happy Coding!
]]>
下面的CLIENT端可以与前文提到的JAVA服务端通信Q?br />
#use strict;use IO::Socket::SSL(debug4);my ($v_mode, $sock, $buf);if($ARGV[0] eq "DEBUG") { $IO::Socket::SSL::DEBUG = 1; }# Check to make sure that we were not accidentally run in the wrong# directory:unless (-d "certs") { if (-d "../certs") { chdir ".."; } else {# die "Please run this example from the IO::Socket::SSL distribution directory!\n"; }}if(!($sock = IO::Socket::SSL->new( PeerAddr => '172.19.149.52', PeerPort => '5555', Proto => 'tcp', SSL_verify_mode => 0x01, SSL_ca_file => 'mycerts/cacert.pem', ))) { warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n"; exit(0);} else { warn "connect ($sock).\n" if ($IO::Socket::SSL::DEBUG);}# check server cert.my ($subject_name, $issuer_name, $cipher);if( ref($sock) eq "IO::Socket::SSL") { $subject_name = $sock->peer_certificate("subject"); $issuer_name = $sock->peer_certificate("issuer"); $cipher = $sock->get_cipher();}warn "cipher: $cipher.\n", "server cert:\n", "\t '$subject_name' \n\t '$issuer_name'.\n\n";print $sock "Knock, knock.\n";my ($buf) = $sock->getlines;$sock->close();print "read: '$buf'.\n";另外Q也l出一个PERL的SVR端示例:
#use strict;use IO::Socket::SSL(debug4);my ($sock, $s, $v_mode);if($ARGV[0] eq "DEBUG") { $IO::Socket::SSL::DEBUG = 1; }# Check to make sure that we were not accidentally run in the wrong# directory:unless (-d "certs") { if (-d "../certs") { chdir ".."; } else {# die "Please run this example from the IO::Socket::SSL distribution directory!\n"; }}if(!($sock = IO::Socket::SSL->new( Listen => 5, LocalAddr => '10.56.28.35', LocalPort => 9000, Proto => 'tcp', Reuse => 1, SSL_use_cert => 1, SSL_verify_mode => 0x00, SSL_cert_file => 'mycerts/cert.pem', SSL_key_file => 'mycerts/key.pem' )) ) { warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n"; exit(0);}warn "socket created: $sock.\n";while (1) { warn "waiting for next connection.\n"; while(($s = $sock->accept())) { my ($peer_cert, $subject_name, $issuer_name, $date, $str); if( ! $s ) { warn "error: ", $sock->errstr, "\n"; next; } warn "connection opened ($s).\n"; if( ref($sock) eq "IO::Socket::SSL") { $subject_name = $s->peer_certificate("subject"); $issuer_name = $s->peer_certificate("issuer"); } warn "\t subject: '$subject_name'.\n"; warn "\t issuer: '$issuer_name'.\n"; my $date = localtime(); print $s "my date command says it's: '$date'"; close($s); warn "\t connection closed.\n"; }}$sock->close();warn "loop exited.\n";在PERL中写SSL的SOCKETQ要注意Q?br />SVR端中Q?br /> SSL_use_cert => 1,
SSL_verify_mode => 0x00,
SSL_cert_file => 'mycerts/cert.pem',
SSL_key_file => 'mycerts/key.pem'
CLI端是Q?br /> SSL_verify_mode => 0x01,
SSL_ca_file => 'mycerts/cacert.pem',
mode?表示Q不认证对端Q是1表示要认证对斏V?img src ="http://www.tkk7.com/alwayscy/aggbug/85368.html" width = "1" height = "1" />
]]>
]]>
SDK WIN SVR 2003 SP1
MASM 8.0
q入打开sdk?000~译命o行,再运行:
%comspec% /k ""C:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat"" x86
d解压目录Q?br />cd /d "E:\Prj2\ForMe\RefExe\perl+ssl\openssl-0.9.8d"
再编译:
perl Configure VC-WIN32 --prefix=dist
ms\do_ms
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
nmake -f ms\ntdll.mak install
完成后,dist目录是安装好的东西Q可以拷贝到别处使用
]]>