How to configure ssl and tls protocols under tomcat5
1. Quick start

The variable $CATALINA_HOME used below refers to the installation directory of Tomcat 5; most other paths are resolved relative to it. If you use a separate CATALINA_BASE directory to run multiple instances of Tomcat 5, use $CATALINA_BASE instead in those references.

To install and configure SSL on Tomcat 5, follow these steps. If you need more information, please refer to the rest of the document.

1. If you are running JVM 1.3, download JSSE 1.0.3 (or a later version) from /products/jsse/ and either install it as an extension or set the environment variable JSSE_HOME to point to its installation directory.

2. Execute the following command to create a certificate keystore:

Windows:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

And specify the password: "changeit".

3. Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_HOME/conf/server.xml and make any necessary adjustments.

2. Introduction to SSL (Secure Sockets Layer)

SSL (Secure Sockets Layer) is a technology that lets a web browser and a web server communicate over a secure connection. This means data is encrypted by one end before it is sent, then decrypted by the other end before it is processed. The process works in both directions: both the server and the client encrypt everything they send.

Another important aspect is authentication. This means that during your initial attempt to communicate with the web server over a secure connection, the server presents your browser with a set of credentials, in the form of a certificate, as proof that the site is who and what it claims to be. In some cases the server may also request a certificate from your browser, asking for proof that you are who you claim to be. This is known as "client authentication"; in practice it is used more for business-to-business transactions than for individual users. Most web servers that use SSL do not require client authentication.

3. SSL and Tomcat

Note that you usually only need to configure secure sockets when Tomcat is running in standalone mode. When Tomcat mainly runs behind other web servers (such as Apache or Microsoft IIS) as a Servlet/JSP container, it is usually necessary to configure the main web server to handle SSL connections from users. Typically, the server will handle all SSL-related functions and then decrypt these requests before forwarding them to Tomcat. Similarly, Tomcat will return an unencrypted response, which will be encrypted by the main server and sent to the user's browser. In this case, Tomcat knows that the communication between the host server and the client is based on a secure connection (because your application needs to be able to know this), but it does not participate in encryption or decryption itself.

4. Certificate

To implement SSL, a web server must have a certificate for each external interface (IP address) that accepts secure connections. The theory behind this design is that a server should provide some reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. A deeper explanation of certificates is beyond the scope of this document, but think of a certificate as a "digital driver's license" for an Internet address. It states which company the site is associated with, along with some basic contact information about the site's owner or administrator.

This "driver's license" is cryptographically signed by its owner and is therefore extremely difficult for anyone else to forge. For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a certificate is typically purchased from a well-known certificate authority (CA) such as VeriSign or Thawte. Such certificates can be electronically verified: the CA vouches for the certificates it has signed, so if you trust the CA, you can trust that the certificate is valid.

In many cases, however, verifying identity is not really a concern. An administrator may simply want to ensure that the data sent to and received from the server is private and cannot be read by anyone eavesdropping on the connection. Fortunately, Java provides a relatively simple command-line tool called keytool that can easily create a "self-signed" certificate. A self-signed certificate is simply a user-generated certificate that has not been registered with any well-known CA, so it does not really guarantee the identity of the server. Whether that matters depends on your needs.

5. General tips on running SSL

When a user visits a secure page on your website for the first time, they will usually see a dialog box with the certificate details (such as company and contact name) asking whether they accept the certificate as valid and want to continue. Some browsers offer the option of accepting the certificate permanently, so the user is not prompted again on later visits. Once the user approves it, the certificate is considered valid for the rest of the browser session.

Although SSL is designed to be secure enough for most purposes, encryption and decryption are expensive computations in terms of performance. Not all web applications need to run entirely over SSL, and developers can choose which pages need a secure connection and which do not. For a moderately busy site, it is common practice to run only the pages that may exchange sensitive information over SSL: typically the login page, personal information pages and the shopping-cart checkout page (where credit card information may be sent). Any page in the application can be requested over the secure socket.

6.1 Download and install JSSE

Download the Java Secure Socket Extension (JSSE) package, version 1.0.3 or later, from /products/jsse/. If you built Tomcat from source, you have probably already downloaded this package. If you are running JDK 1.4.x, these classes are integrated directly into the JDK, so you can skip this step.

After decompression, there are two ways to make it available to Tomcat (choose one):

1. Install JSSE as an extension by copying the three JAR files (jcert.jar, jnet.jar and jsse.jar) into the $JAVA_HOME/jre/lib/ext directory.

2. Create a new environment variable JSSE_HOME and point it to the absolute path of the decompressed JSSE directory.

6.2 Prepare the certificate keystore

Tomcat currently works only with keystores in JKS or PKCS12 format. JKS is Java's standard "Java KeyStore" format and is created by the keytool command-line utility that ships with the JDK. PKCS12 is an Internet standard that can be manipulated with OpenSSL and with Microsoft's Key-Manager, among other tools; however, Tomcat's support for PKCS12 currently has some limitations.

To import an existing certificate into the JKS keystore, please read the documentation about keytool (in the JDK documentation package).

To use OpenSSL to import an existing certificate signed by your own CA into the PKCS 12 keystore, execute the following command:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
    -out mycert.p12 -name tomcat -CAfile myca.crt \
    -caname root -chain

For more advanced usage, please refer to the OpenSSL documentation.

To create a temporary self-signed certificate, execute the following command on the terminal:

Windows:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

(RSA is the preferred algorithm here, to ensure compatibility with other servers and components.)

This command creates a new file named ".keystore" in the home directory of the user who runs it. To put the file somewhere else, give its full path after the -keystore parameter; you will then need to reflect that location in the server.xml configuration described later. Example:

Windows:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA \
    -keystore \path\to\my\keystore

Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \
    -keystore /path/to/my/keystore

After running this command, you will first be prompted for the keystore password. The default password Tomcat uses is "changeit" (all lowercase), but you can specify your own if you like. If you do, you also have to specify that custom password in the server.xml configuration described later.

You will then be prompted for general information about this certificate, such as company and contact name. This information is shown to users who visit your secure pages, so make sure it matches what they expect.

Finally, you will be prompted for the key password, which is the password for this particular certificate (as opposed to any other certificates stored in the same keystore file). You must use the same password as the keystore password. (Normally the keytool prompt tells you that pressing Enter does this automatically.)

If everything went well, you now have a keystore file containing a certificate that the server can use.

6.3 Edit the Tomcat configuration file

The final step is to configure your secure socket in $CATALINA_HOME/conf/server.xml. The default server.xml shipped with Tomcat already contains an example SSL Connector element (the attribute list below follows the Tomcat 5 default server.xml). It looks like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

The element is commented out in the shipped file; remove the surrounding <!-- and --> to enable it, and adjust the attributes (such as the port) as needed.

7. Installing a certificate from a certificate authority

To obtain and install a certificate from a certificate authority (such as thawte.com or trustcenter.de), you should first have read the previous sections. Then follow these instructions:

7.1 Create a local certificate signing request (CSR)

To obtain a certificate from the CA of your choice, you first have to create a so-called certificate signing request (CSR). The CA uses the CSR to create a certificate that identifies your site as secure. To create a CSR, follow these steps:

Create a local certificate:

keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>

Note: in some cases you must enter the domain name of your site (such as www.myside.org) in the "first and last name" field in order to create a working certificate.

Then create the CSR:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>

Now you have a file called certreq.csr that you can submit to the CA (see the documentation on the CA's website for instructions). In return you will receive your certificate.

7.2 Import the certificate

Now that you have your certificate, you can import it into your local keystore. First you must import the so-called chain certificate or root certificate into your keystore; after that you can import your own certificate.

7.2.1 Download the chain certificate from the CA that issued your certificate:

For Verisign.com, go to /support/install/intermediate.html.

For Trustcenter.de, go to /certs/trustmap.html.

7.2.2 Import the chain certificate into the keystore:

keytool -import -alias root -keystore <your_keystore_filename> \
    -trustcacerts -file <filename_of_the_chain_certificate>

7.2.3 Finally, import your new certificate:

keytool -import -alias tomcat -keystore <your_keystore_filename> \
    -trustcacerts -file <your_certificate_filename>

8. Troubleshooting

The following are common problems encountered when setting up SSL, and their solutions:

1. The error "java.security.NoSuchAlgorithmException" appears in the log file.

The JVM cannot find the JSSE JAR files. Follow the instructions in "Download and install JSSE".

2. The error "java.io.FileNotFoundException: {some-directory}/{some-file} not found" appears when Tomcat starts.

One possible cause is that Tomcat cannot find the keystore file. By default, Tomcat expects the file to be named ".keystore" and to be in the home directory of the user running Tomcat. If the file is somewhere else, add the keystoreFile attribute to the Factory element.

3. The error "java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect" appears when Tomcat starts.

Assuming nobody has actually tampered with the keystore file, Tomcat is most likely using a different password than the one used when the keystore file was created. To fix this, either recreate the keystore file or add the keystorePass attribute to the Factory element. Remember that passwords are case-sensitive.
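A small audit script for the SSL Connector configured in section 6.3 and for the keystore problems listed under troubleshooting. It is an added example, not part of the original page or of Tomcat; the two server.xml fragments are constructed, and it assumes the Tomcat 5 Coyote connector reads keystoreFile, keystorePass and sslProtocol as Connector attributes.

```python
"""Audit the SSL Connector of a Tomcat 5 server.xml (added example, not Tomcat code)."""
import os
import xml.etree.ElementTree as ET

DEFAULT_PASS = "changeit"  # keytool/Tomcat default from section 6.2


def audit_server_xml(xml_text, check_files=True):
    """Return a list of findings; an empty list means the SSL Connector looks sane."""
    findings = []
    # Keep comment nodes so a Connector left inside <!-- --> can be reported.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    for node in root.iter():
        text = node.text or ""
        if node.tag is ET.Comment and "<Connector" in text and 'scheme="https"' in text:
            findings.append("SSL Connector is still commented out; remove the <!-- --> around it")
    active = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not active:
        findings.append('no active Connector with scheme="https"')
        return findings
    for c in active:
        port = c.get("port", "?")
        if c.get("secure") != "true":
            findings.append(f'port {port}: secure="true" is missing, so request.isSecure() will be false')
        proto = c.get("sslProtocol", "TLS")
        if proto.upper().startswith("SSL"):
            findings.append(f'port {port}: sslProtocol="{proto}" selects legacy SSL; use "TLS"')
        keystore = c.get("keystoreFile", os.path.expanduser("~/.keystore"))
        if check_files and not os.path.isfile(keystore):
            findings.append(f"port {port}: keystore {keystore} not found (FileNotFoundException at startup)")
        if c.get("keystorePass", DEFAULT_PASS) == DEFAULT_PASS:
            findings.append(f'port {port}: keystore password is the default "{DEFAULT_PASS}"; set keystorePass')
    return findings


# Constructed samples: the shipped Connector still commented out next to one that
# was uncommented but left on weak defaults, and a corrected version.
SAMPLE_WEAK = """<Server port="8005"><Service name="Catalina">
  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <!-- <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"/> -->
  <Connector port="8444" scheme="https" sslProtocol="SSL" keystoreFile="/nonexistent/.keystore"/>
</Service></Server>"""

SAMPLE_FIXED = """<Server port="8005"><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/path/to/my/keystore" keystorePass="s3cret-not-changeit"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit_server_xml(sample, check_files=False) or ["OK"])
```

Run it against a real $CATALINA_HOME/conf/server.xml by reading the file into audit_server_xml with check_files left on, so the keystoreFile path is verified on disk as well.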