How SSL, HTTPS and Certificates work in Java web applications
SSL as implemented by the JSSE (Java Secure Socket Extension)
JSSE provides an SSL/TLS toolkit for Java applications. In addition to the necessary classes and interfaces, JSSE provides a handy command-line debugging switch, the -Djavax.net.debug=ssl system property, that you can use to watch the SSL protocol in action. Besides providing useful information for debugging a recalcitrant application, playing with the toolkit is a great way to get your feet wet with SSL and JSSE.
How to configure Tomcat to support SSL or https
1. Generate Keystore
First, use the "keytool" command to create a self-signed certificate. During the keystore creation process, you need to assign a password and fill in the certificate's details. Note that the answer to "What is your first and last name?" becomes the certificate's CN, which is what a client compares against the host name it connected to, so for a server certificate it should be the host name (localhost for this tutorial) rather than a person's name.
C:\Program Files\Java\jdk1.7.0_45\bin>keytool -g
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Prakash Gaikwad
What is the name of your organizational unit?
[Unknown]: Prash Infosoft Pvt Ltd
What is the name of your organization?
[Unknown]: Prash Infosoft Pvt Ltd
What is the name of your City or Locality?
[Unknown]: Pune
What is the name of your State or Province?
[Unknown]: Maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Prakash Gaikwad, OU=Prash Infosoft Pvt Ltd, O=Prash Infosoft Pvt Ltd, L=Pune, ST=Maharashtra, C=IN correct?
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):

Certificate Details
You can use the same "keytool" command, with its -list option, to display the details of the existing certificate.
2. Connector in server.xml
Next, locate your Tomcat's server configuration file at $Tomcat\conf\server.xml and modify it by adding a connector element that supports SSL or https connections.
File : $Tomcat\conf\server.xml
//...
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="c:\mkyongkeystore"
           keystorePass="password"/>
//...
Note
keystorePass="password" is the password you assigned to your keystore via the "keytool" command. It sits in server.xml in clear text, so restrict read access to that file (and to the keystore itself) to the account Tomcat runs as.
3. Done
Save it, restart Tomcat and open https://localhost:8443/
When you open the SSL-enabled Tomcat site in Google Chrome you may notice a crossed-out icon before the https protocol :). This is caused by the self-signed certificate, which Google Chrome simply does not trust.
In a production environment you should buy a certificate from a trusted CA, or sign one with your own CA server and distribute that CA's certificate to every client that must trust it.
2 – Configuring Tomcat for using the keystore file – SSL config
Open your Tomcat installation directory and then its conf folder.
Inside this folder you will find the server.xml file. Open it.
Find the following declaration:
3 – Let's test it!
Start the Tomcat service and try to access https://localhost:8443.
You will see Tomcat's local home page.
Note that the default 8080 port will still work too: http://localhost:8080. Nothing is forced over https yet; that is what the web.xml constraint in the bonus step is for.
4 – BONUS
- Configuring your app to work with SSL (access through https://localhost:8443/yourApp)
To force your web application to work with SSL, you simply need to add the following code to your web.xml file (before the web-app tag ends):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
The url-pattern is set to /* so every page and resource of your application is secured (it can only be accessed over https). The transport-guarantee is set to CONFIDENTIAL to make sure your app only works over SSL. A request that arrives over plain HTTP is answered with a redirect to the redirectPort configured on that HTTP connector (8443 in the default server.xml), so keep that attribute in step with the SSL connector's port.
If you want to turn SSL off, you don't need to delete the code above from web.xml; simply change CONFIDENTIAL to NONE.