Using Tomcat to build the HTTPS service

Time:2020-7-30

Devui is a team with both design and engineering perspectives. It serves Huawei cloud devcloud platform and several Huawei internal middle and back-end systems, as well as designers and front-end engineers.
Official website: devui.design
Ng component library: ng devui (welcome to star)
Official communication group: add devui small assistant (micro signal: devui official) into the group

introduction

This paper mainly describes how to use Tomcat to build the HTTPS service

1. Foundation of HTTPS protocol and digital certificate

2. Basic environmental preparation

3. Configure Tomcat with self signed certificate

4. Configure Tomcat one-way authentication by simulating CA authentication certificate

5. Configure Tomcat mutual authentication

1. Foundation of HTTPS protocol and digital certificate

HTTPS protocol

Refer to the definition of Wikipedia: hypertext transfer protocol secure (abbreviation: HTTPS; often called HTTP over TLS, HTTP over SSL or HTTP secure) is a transmission protocol for secure communication through computer network. HTTPS communicates over HTTP, but uses SSL / TLS to encrypt packets. The main purpose of the development of HTTPS is to provide the identity authentication of the website server and protect the privacy and integrity of the exchanged data. This protocol was first proposed by Netscape in 1994 and then extended to the Internet.

Historically, HTTPS connection is often used for transaction payment on the world wide web and the transmission of sensitive information in enterprise information system. From the late 2000’s to the early 2010’s, HTTPS was widely used to ensure the authenticity of all types of web pages, protect accounts and maintain the privacy of user communication, identity and web browsing.

Key point: the HTTP protocol itself is not secure. On the basis of HTTP protocol, an SSL transport layer is added to ensure the security of HTTP protocol

HTTPS = HTTP + SSL

Using Tomcat to build the HTTPS service

digital certificate

Here are some basic concepts:

Public key cryptography / asymmetric cryptography

Public key cryptography (English: public key cryptography) also known as asymmetric cryptography (English: asymmetric cryptography) is an algorithm of cryptography, it requires two keys, one is public key, the other is private key; the public key is used for encryption, and the private key is used for decryption. The ciphertext obtained by encrypting plaintext with public key can only be decrypted with the corresponding private key and the original plaintext can be obtained. The public key originally used for encryption cannot be used for decryption. Because encryption and decryption need two different keys, it is called asymmetric encryption, which is different from symmetric encryption in which both encryption and decryption use the same key. The public key can be made public and can be released to the public at will; the private key can not be made public and must be kept by the user in strict secret. It will never be provided to anyone through any means, nor will it be disclosed to the trusted other party who wants to communicate.

Key point: encrypt with public key, decrypt with private key

Using Tomcat to build the HTTPS service

The image above is from the book graphic cryptography

digital signature

Digital signature (also known as public key digital signature) is a kind of method which is similar to the ordinary signature written on paper, but uses the technology of public key encryption to identify digital information. A set of digital signatures usually defines two complementary operations, one for signature and the other for verification. The meaning of electronic signature and digital signature in legal terms is not the same. Electronic signature refers to the person attached to and associated with the electronic document to identify and confirm the identity, qualification and authenticity of the signer of the electronic document; digital signature is an electronic signature formed by encrypting it with mathematical algorithm or other methods. This means that not all electronic signatures are digital signatures.

Digital signature does not mean scanning a signature into a digital image, or obtaining a signature with a touchpad, let alone signing.

The integrity of the digital signature document is very easy to verify (there is no need for cross stitch seal, cross stitch signature, and handwriting identification), and the digital signature is non repudiation (i.e. non repudiation), and it does not need handwriting experts to verify

Key points:

The private key encryption is used to generate the signature, and the public key decryption is used to verify the signature

Digital signature can identify tampering and camouflage and prevent denial

Using Tomcat to build the HTTPS service

The image above is from the book graphic cryptography

Using Tomcat to build the HTTPS service

digital certificate

Public key authentication (English: public key certificate), also known as digital certificate or identity certificate. It is an electronic document used for public key infrastructure construction to prove the identity of the public key owner. This file contains the public key information, the owner’s identity information (subject), and the digital signature of the digital certificate authority (issuer) to ensure that the overall content of the file is correct. With this file, the owner can identify himself to the computer system or other users, so that the other party can gain trust and authorize access to or use some sensitive computer services. The computer system or other users can verify the contents of the certificate through certain procedures, including whether the certificate has expired or not, and whether the digital signature is valid. If you trust the issuing authority, you can trust the key on the certificate and communicate with the owner with public key encryption.

In short, the certification authority uses its own private key to impose digital signature on the public key of the person (or organization) to be authenticated and generate a certificate, that is, the essence of the certificate is to apply digital signature to the public key.

One of the most important advantages of digital certificate is that during the authentication of the owner’s identity, the owner’s sensitive personal data (such as date of birth, ID card number, etc.) will not be transmitted to the computer system of the data requester. Through this data exchange mode, the owner can not only confirm his / her identity, but also avoid excessive disclosure of personal data, which is beneficial to both sides of computer service access.

10. 509 certificate

10. 509 is a standard structure of digital certificate,

Generally, certificates conforming to the X.509 format specification will have the following contents, which are represented in the form of fields [12]:

Version: the current general version is v3
Serial number: used to identify each certificate, especially when revoking a certificate
Subject: the identity or machine of legal person or natural person with this certificate, including:
Country (C, country)
State (s, state)
L, location
Organization (O, organization)
Cn, common name: in TLS applications, this field is generally a domain
Publisher: the digital certificate authority that signed this certificate as a digital signature
Validity start time: the effective start time of this certificate, before which the certificate has not been effective
End time of validity: the effective end time of this certificate. After that, the certificate will be invalid
Public key usage: Specifies the purpose of the public key on the certificate, such as digital signature, server verification, client verification, etc
public key
Public key fingerprint
digital signature
Principal alias: for example, a website may have multiple domains( www.wikipedia.org , zh.wikipedia.org , zh.m. wikipedia.org There may be more than one website in an organization wikipedia.org , *. wikibooks.org , *. wikidata.org All domains belong to Wikimedia Foundation). Different domains can use the same certificate to facilitate application and management

For example, Wikipedia certificate

Using Tomcat to build the HTTPS service

2. Basic environment

Basic environment: jdk8 + tomcat7

Download from the official website of JDK https://www.oracle.com/java/technologies/javase-jdk8-downloads.html

Download Tomcat official website https://tomcat.apache.org/

The specific installation is not described here

3 Tomcat configure self signed certificate

Step 1 generate the certificate

Generating server key pair

Generates a keystore file that contains a certificate that the server can use

Simplify the CMD command:

keytool -genkey -alias tomcat -keysize 2048 -validity 3650 -keyalg RSA -keystore tomcat.jks

Using Tomcat to build the HTTPS service

Command description (keytool – genkey — help)

-Genkey means to generate a key pair

-Alias < alias > the alias of the entry to process

-Key < keyalg > key algorithm name, RSA algorithm should be preferred as the security algorithm, which can also ensure the general compatibility with other servers and components

-Keysize < keysize > key bit size

-Validity < valdays > valid days

Manual input parameter description:

CN (what’s your first and last name?) the domain name to apply for the certificate

Ou (what is the name of your organization?) the name of the Department of the applicant

O (what is the name of your city or region?) the company name of the applicant

What is the name of your city / municipality

St (what is the name of your province / city / autonomous region?) the province where the applicant is located

C (what is the two letter country / region code of the unit?) country of the applicant, ISO country code (two characters)

Other notes: keystore password and key password are set to the same default password changeit for simplicity

You can also use the full command to generate a certificate at once:

keytool -genkey -alias tomcat -keystore tomcat.jks -keypass changeit -storepass changeit -keyalg RSA -keysize 2048 -validity 365 -v -dname "CN = YWJ,OU = DevUI,O = DevCloud,L = ShenZhen,ST = GUANGDONG,C = CN"

View Certificate

After the certificate is generated, use the following command to view the content of the certificate

keytool -list -v -keystore tomcat.jks

Using Tomcat to build the HTTPS service

If all goes well, you will now have a keystore file that contains the certificate, which the server can use

Step 2 configure Tomcat

Modify% Tomcat_ HOME%/conf/ server.xml

Using Tomcat to build the HTTPS service

<! -- self generated certificate -- >

<Connector
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  port="443" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="keystore\_guanwang/tomcat.jks"
  keystorePass="changeit"
  clientAuth="false" sslProtocol="TLS"
/>

4. Tomcat one-way authentication based on certificate configuration of formal CA authentication

Have stage

Application process of formal certificate

Using Tomcat to build the HTTPS service

First of all, we have the following certificate documents

1. Devui’s own keystore file: devui.jks

keytool -genkey -alias devui -keystore devui.jks -keypass changeit -storepass changeit -keyalg RSA -keysize 2048 -validity 3650 -v -dname "CN = YWJ,OU = DevUI,O = DevCloud,L = ShenZhen,ST = GUANGDONG,C = CN"

2 key store file of Ca organization: ca.jks (CA key pairs are simulated)

keytool -genkey -alias ca -keystore ca.jks -keypass changeit -storepass changeit -keyalg RSA -keysize 2048 -validity 3650 -v -dname "CN = myca,OU = CA,O = CA,L = BEIJING,ST = BEIJING,C = CN"

Next, we take devui as an example to apply for a signature certificate from ca

1) Devui uses certreq to generate a certificate signing request file devui_ To_ ca.csr

2) Ca (certificate authority) uses gencert to generate certificate ca_ To_ devui.cer

3) After devui receives the CA certificate, it uses importcert to import the certificate into its own devui.jks

Step 1 devui uses certreq to generate a certificate signature request file

Devui uses its own JKS key to generate a certificate signing request

CMD command:

keytool -certreq -alias devui -keystore devui.jks -file devui\_to\_ca.csr -v

Parameter Description:

-Certreq means certificate signing request

-Keystore < keystore > keystore name

-Alias < alias > the alias of the entry to process

-File < file name > output file name

-V detailed output

The certificate request file devui created here_ To_ ca.csr 。 Submit this file to a Ca, such as VeriSign. The CA authenticates the requester (usually offline) and returns a certificate signed by them to authenticate the devui’s public key.

Step 2 CA uses gencert to issue the certificate

CMD command:

keytool -gencert -alias ca -infile devui_to_ca.csr -outfile ca_to_devui.cer -keystore ca.jks

Parameter Description:

-Alias < alias > the alias of the entry to process

-Keystore < keystore > keystore name

-Infile < filename > enter the file name

-Outfile < file name > output file name

remarks:This paper simulates the process of Ca (certificate authority) generating certificate according to CSR file. In real situation, it needs to submit application to real CA such as VeriSign

Step 3 after devui receives the CA certificate, it uses importcert to import the certificate into its own keystore

CMD command:

keytool -importcert -file ca\_to\_devui.cer -keystore devui.jks -alias devui

An error occurred here, unable to build chain from reply:

Using Tomcat to build the HTTPS service

Keytool error: java.lang.Exception : unable to build chain from reply

Cause of the problem:ca.jks The signature of the certificate will be verified when the certificate is issued by the ca. The current server does not import the certificate of the simulated Ca into the trust certificate list of the local machine, which causes this error to be thrown

Solution:First from ca.jks Export CA public key certificate ca.cer , and then ca.cer Import devui.jks Medium.

1) From ca.jks Export CA public key certificate ca.cer

CMD command:

keytool -exportcert -alias ca -file ca.cer -keystore ca.jks

2) Will ca.cer Import devui.jks in

CMD command

keytool -importcert -alias ca -keystore devui.jks -file ca.cer -storepass changeit

The default password is also changeit

3) Through the certificate view command, you can see the certificate chain containing two certificates

keytool -list -v -keystore devui.jks

Using Tomcat to build the HTTPS service

Step 4 configure Tomcat one-way authentication

Using Tomcat to build the HTTPS service

<Connector
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  port="443" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="keystore\_guanwang/devui.jks"
  keystorePass="changeit"
  clientAuth="false"
  sslProtocol="TLSv1.2"
/>

5 Tomcat configuration mutual authentication

Tomcat two-way authentication only needs to add the following steps on the basis of the above one-way authentication:

1. Add client authentication file client.jks

2_ To_ devui.cer Import to client.jks in

3. Configure Tomcat mutual authentication

Step 1 add the client authentication file

CMD command:

keytool -genkey -alias client -keystore client.jks -keypass changeit -storepass changeit -keyalg RSA -keysize 2048 -validity 3650 -v -dname "CN = client,OU = DevUIClient,O = DevCloud,L = ShenZhen,ST = GUANGDONG,C = CN"

Step 2 will ca.cer Import to client.jks in

CMD command

keytool -importcert -alias ca -keystore client.jks -file ca\_to\_devui.cer -storepass changeit

Step 3 configure Tomcat mutual authentication

Using Tomcat to build the HTTPS service

<Connector
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  port="443"
  maxThreads="200"
  scheme="https" 
  secure="true" 
  SSLEnabled="true"
  keystoreFile="keystore\_guanwang/devui.jks"
  keystorePass="changeit"

  truststoreFile="keystore\_guanwang/client.jks"
  truststorePass="changeit"
  clientAuth="ture"

  sslProtocol="TLS"
/>

Appendix reference

HTTPS protocol RFC: https://tools.ietf.org/html/rfc2818

Wikipedia:

HTTPS: https://zh.wikipedia.org/zh-cn/%E8%B6%85%E6%96%87%E6%9C%AC%E4%BC%A0%E8%BE%93%E5%AE%89%E5%85%A8%E5%8D%8F%E8%AE%AE

Public key encryption (asymmetric encryption) https://zh.wikipedia.org/wiki/%E5%85%AC%E5%BC%80%E5%AF%86%E9%92%A5%E5%8A%A0%E5%AF%86

Digital signature:

https://zh.wikipedia.org/wiki/%E6%95%B8%E4%BD%8D%E7%B0%BD%E7%AB%A0

Digital certificate:

https://zh.wikipedia.org/zh-cn/%E5%85%AC%E9%96%8B%E9%87%91%E9%91%B0%E8%AA%8D%E8%AD%89

10. 509 certificate:

https://zh.wikipedia.org/zh-cn/X.509

Keytool official description:

https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html

HTTP client 4.5 official website

https://hc.apache.org/httpcomponents-client-4.5.x/quickstart.html

Httpclient client code demo:

https://hc.apache.org/httpcomponents-client-4.5.x/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java

For a brief description of the HTTPS protocol and digital signature, please refer to the following articles:

https://zhuanlan.zhihu.com/p/57142784

https://www.ruanyifeng.com/blog/2011/08/what_is_a_digital_signature.html

Huawei cloud certificate application process

https://support.huaweicloud.com/qs-scm/scm_07_0001.html

Reference books

The art of java encryption and decryption

Graphical http

Graphic cryptography

Join us

We are devui team, welcome to join us to create elegant and efficient man-machine design / R & D system. Recruitment email: [email protected]

(devui Jiege)

Previous articles recommended

What you have to know about git rebase

Web interface dark mode and thematic development

How to build a gray publishing environment

Recommended Today

Performance test after class notes (1) basic concepts of performance test

I. real meaning and work content of performance test At first, I thought that performance testing was justDo some scripting, parameterization, correlation, press it up, and then throw a result. But in fact, not only these contents, but alsoPerformance analysis focuses on the improvement of response time, TPS and resource savings after tuning The direction […]