One-way SSL authentication on tomcat using OpenSSL


One-way SSL authentication:

Openssl is used for creating private keys and certificates.

Create a self-signed certificate for the server.

1. Create a private key
        openssl genrsa -out serverprivatekey.pem 2048

2. Create an openSSL self-signed certificate for the server using the above private key
        openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095

      This prompts you to enter a few pieces of information, use “.” to leave the field blank. When prompted for 'Common Name' specify the hostname of the machine the tomcat runs on.

3. Tomcat currently operates only on JKS format keystore. So generate a keystore in JKS format from above certificate
      openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem

      It asks for the export password, and it is recommended to provide a password.

4. Now convert serverkeystore.pkcs12 file to JKS format keystore using Java's keytool
         keytool -importkeystore -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore                                                                                           keystore.jks -deststoretype JKS

       Keytool asks you for a new password(keystore password) for the JKS keystore twice, and it will also ask you for the password you set for the PKCS12 keystore created earlier.

5. Configure tomcat to use this keystore and enable HTTPS. Edit CATALINA_HOME/conf/server.xml, where CATALINA_HOME is the base directory of Tomcat.  By default, the HTTPS Connector configuration is commented out. Uncomment it and change the keystorefile and keystore password(password given while creating JKS keystroe in previous step)

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="path/to/jks_keystore_file" keystorePass ="geebox"/>

References:

1. http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
2. http://marc.info/?l=tomcat-user&m=106293430225790&w=2
3. http://yimingsun.wordpress.com/2012/03/12/step-by-step-instructions-on-self-signed-certificate-and-tomcat-over-ssl/
4. http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Ftsk%2Ftsk_ic_security_genproc_1wayca.html
5.http://blog1.vorburger.ch/2006/08/setting-up-two-way-mutual-ssl-with.html
6. http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/

Location: Asia

Comments

Post a Comment

Popular posts from this blog

Two-way ssl using cURL

cURL - command line tool for transferring data using multiple proto cols.  To es tablish a tw o-way ssl communi cat ion between cURL and a apache tomcat web application, generate a s elf-signed certificate for server and client (machine cURL is running on ). Self-Signed certificate for client: 1. Create a private key for client.      openssl genrsa -out clientprivatekey.pem 2048 2. Create an openSSL self-signed certificate for the client using the private key      openssl req -new -x509 -key clientprivatekey.pem -out clientcert.pem -days 365.      Self-Signed certificate for server: 1. Generate a private key for server openssl genrsa -out serverprivatekey.pem 2048 2.Create an openSSL self-signed certificate for the server using the private key       openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095             This prompts ...
Read more

Two-way SSL authentication on tomcat using OpenSSL self signed certificates.

Two-way SSL authentication: Openssl is used for creating private keys and certificates. Setting up two-way ssl authentication on tomcat is done as follows  Generate a self-signed certificate for tomcat web application  Generate a self-signed certificate for the client (consider browser for this example)  Import client certificate into server's keystore - as CA is not used and server needs to know public key of client.(Optional)  Configuring tomcat's server.xml Generating a private key using openSSL openssl genrsa -out privkey.pem 2048 This generates an RSA private key of 2048 bits. With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately. Generating a self-signed certificate using openSSL openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 Generates a self-signed certificate that has public key in it valid for 1095 days. 1. Generate...
Read more

Hive support for Cassandra CQL3.

Cassandra: Apache Cassandra is an open source distributed database management system designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure. Cassandra offers robust support for clusters spanning multiple datacenters, with asynchronous masterless replication allowing low latency operations for all clients. Cassandra's data model is a partitioned row store with tunable consistency. Rows are organized into tables; the first component of a table's primary key is the partition key; within a partition, rows are clustered by the remaining columns of the key. Other columns may be indexed separately from the primary key. Hive: Hive is a data warehouse system for Hadoop that facilitates easy data summarization, ad-hoc queries, and the analysis of large datasets stored in Hadoop compatible file systems. Hive provides a mechanism to project structure onto this data and query the data using a SQL-l...
Read more