Introduction to SSL
SSL, or Secure Sockets Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.
Another important aspect of the SSL protocol is Authentication.
This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a “Certificate”, as proof the site is who and what it claims to be. In certain cases, the server may also request a Certificate from your web browser, asking for proof that you are who you claim to be. This is known as “Client Authentication,” although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication.
SSL and Tomcat
It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return clear text responses that will be encrypted before being returned to the user’s browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.
Certificates
In order to implement SSL, a web server must have an associated Certificate for each external interface (IP address) that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. While a broader explanation of Certificates is beyond the scope of this document, think of a Certificate as a “digital driver’s license” for an Internet address. It states what company the site is associated with, along with some basic contact information about the site owner or administrator.
This “driver’s license” is cryptographically signed by its owner, and is therefore extremely difficult for anyone else to forge. For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a Certificate is typically purchased from a well-known Certificate Authority (CA) such as VeriSign or Thawte. Such certificates can be electronically verified — in effect, the Certificate Authority will vouch for the authenticity of the certificates that it grants, so you can believe that a Certificate is valid if you trust the Certificate Authority that granted it.
Overall Steps
- Enable SSL in Apache Tomcat 6.
- Create the keystore and the CSR, and send the CSR to the certificate authority.
- Get the certificate.
- Download the intermediate certificates and load all certificates into the keystore.
- Configure Tomcat.
Open $CATALINA_HOME/conf/server.xml and uncomment the SSL connector, which looks like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>
-->
The port attribute (default value is 8443) is the TCP/IP port number on which Tomcat will listen for secure connections. You can change this to any port number you wish (such as to the default port for https communications, which is 443).
After completing these configuration changes, you must restart Tomcat as you normally do, and you should be in business. You should be able to access any web application supported by Tomcat via SSL. For example, try:
https://localhost:8443
and you should see the usual Tomcat splash page (unless you have modified the ROOT web application).
Create a local Certificate Signing Request (CSR)
In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so-called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as “secure”. To create a CSR follow these steps:
- Using the java keytool command line utility, the first thing you need to do is create a keystore and generate the key pair. Do this with the following command:
Tip: The 2048 in the command above is the key bit length. GeoTrust recommends a key bit length of 2048. In some cases you will have to enter the domain of your website (e.g. http://www.myside.org) in the field “first- and lastname” in order to create a working Certificate.
- The CSR is then created with:
$JAVA_HOME/bin/keytool -certreq -alias tomcat -file /usr/SSL/remit_csr.csr -keystore /usr/SSL/remit_keystore.keystore
Importing the Certificate
Now that you have your Certificate you can import it into your local keystore. First of all you have to import the so-called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.
- Store the certificate in a cert.cer file.
- Download the primary and secondary intermediate certificates from the VeriSign site (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1728) and save them as primary_inter.cer and secondary_inter.cer.
- Go to $JAVA_HOME/bin and run the following commands to import the certificates:
keytool -import -trustcacerts -alias secondaryIntermediate -keystore /usr/SSL/remit_keystore.keystore -file /usr/SSL/secondary_inter.cer
keytool -import -trustcacerts -alias tomcat -keystore /usr/SSL/remit_keystore.keystore -file /usr/SSL/cert.cer
Before running these commands please make sure that all certificates are in the /usr/SSL directory, or change the paths in the commands.
Configuration in Tomcat
Open server.xml and provide the actual location of the keystore and its password in the SSL connector.
Restart the server and enjoy SSL in Tomcat.
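As an added example (not from the original post or from the Tomcat project), the following Python check parses a server.xml and reports every SSLEnabled connector that still carries the template defaults from the commented-out connector shown above, such as keystorePass="changeit" or keystoreFile="${user.home}/.keystore". The two server.xml fragments are constructed for the example; /usr/SSL/remit_keystore.keystore is the keystore path used in this post and REPLACE_ME is a placeholder for the real password.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not from a real deployment). The first keeps
# the template defaults from the commented-out connector; the second uses the
# keystore created in this post and a placeholder password.
TEMPLATE_DEFAULTS_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

CONFIGURED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/usr/SSL/remit_keystore.keystore" keystorePass="REPLACE_ME"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""


def audit_ssl_connectors(server_xml):
    """Return [(port, [finding, ...]), ...] for every SSLEnabled Connector."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        # Tomcat falls back to these two values when the attributes are absent,
        # so a missing attribute is reported the same way as an explicit default.
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append("keystorePass is the keytool default 'changeit'")
        if conn.get("keystoreFile", "${user.home}/.keystore") == "${user.home}/.keystore":
            findings.append("keystoreFile is still the template default ${user.home}/.keystore")
        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            findings.append("scheme/secure not set for https, so request.isSecure() is wrong")
        if conn.get("clientAuth", "false").lower() == "true":
            findings.append("clientAuth=true: every browser must present a client certificate")
        results.append((int(conn.get("port", "8443")), findings))
    return results


if __name__ == "__main__":
    for name, doc in (("template", TEMPLATE_DEFAULTS_XML), ("configured", CONFIGURED_XML)):
        for port, findings in audit_ssl_connectors(doc):
            print(name, port, findings or ["ok"])
```

Run it against the real $CATALINA_HOME/conf/server.xml by reading the file into a string; a clean result is one entry per SSL connector with an empty findings list.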
For more details, see the following links:
1. http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
2. http://www.geocerts.com/csr/tomcat
3. https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1130
4. https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR212
5. https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=SO9313