Configuring two way SSL in Tomcat

Setting up Tomcat to provide self-signed SSL certificates allowing secure client/server communication and relatively easy to set up.  Java provides a handy command-line tool called keytool that you can use to generate keystores.

Generate the Client and Server Keystores : 

By following the instructions below, you will create two keystores:

clientkeystore.jks (for the client to use) and serverkeystore.jks (for the server to use). In order to provide copies of the client’s certificate to the server (and vice versa), you will export public certificates based on the private keys.
Finally, you will install the server’s public certificate in to the client’s keystore and vice versa, allowing both the client and server to properly authenticate and trust each other when a secure connection is established.

keytool -genkeypair -alias serverkey -keyalg RSA -dname "CN=localhost,OU=Organization Unit,O=Organization,L=City,S=State,C=IN" -keypass password -keystore serverkeystore.jks -storepass password
keytool -genkeypair -alias clientkey -keyalg RSA -dname "CN=localhost,OU=Organization Unit,O=Organization,L=City,S=State,C=IN" -keypass password -storepass password -keystore clientkeystore.jks 

Export the Client’s Public Certificate and Import it in to the Server’s Keystore :

keytool -exportcert -alias clientkey -file client-public.cer -keystore clientkeystore.jks -storepass password
keytool -importcert -keystore serverkeystore.jks -alias clientcert -file client-public.cer -storepass password -noprompt
keytool -list -keystore serverkeystore.jks -storepass password 

Export the Server’s Public Certificate and Import it in to the Client’s Keystore :

keytool -exportcert -alias serverkey -file server-public.cer -keystore serverkeystore.jks -storepass password
keytool -importcert -keystore clientkeystore.jks -alias servercert -file server-public.cer -storepass password -noprompt
keytool -list -keystore clientkeystore.jks -storepass password 

The clientkeystore.jks is of format JKS (Java Key Store). Firefox and Chrome, both accept keystores of format PKCS12 (Personal Information Exchange Syntax Standard).

To convert clientkeystore.jks, go to the terminal and type:

keytool -importkeystore -srckeystore clientkeystore.jks -destkeystore clientcert.p12 -srcstoretype JKS -srcalias clientkey -deststoretype pkcs12 
You will be asked for the keystore password and will also be asked to set a new password.

Configuring Tomcat server.xml file :

Update {tomcat.home}/conf/server.xml, substituting the entries forkeystoreFile, keystorePass, truststoreFile, and truststorePass with the appropriate paths/passwords from your implementation. These paths will point to the keystores created earlier in this process.

   clientAuth="true" port="443" protocol="HTTP/1.1"
   maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="/path/to/your/keystore/serverkeystore.jks" truststoreType="JKS" 
   truststorePass="password" SSLVerifyClient="require" sslProtocol="TLS" />

Now you can open Firefox / Chrome / IE and go to Setting/Options –> content / Manage Certificates –> import, select the certificate and import. Give the password when it’s prompted. In address bar give the path and accept the self-signed certificate,

Client Application using apache’s commons httpclient :

To establish a secure connection to the Tomcat server we can use Apache’s Commons HTTPClient, the system properties defined in the static block, these properties tell the JVM where to find the trust store (which self-signed server certificates it should trust) and the keystore.

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.URI;
import org.apache.commons.httpclient.methods.GetMethod;
public class ClientConnectionTest
 System.setProperty("", "/path/to/your/keystore/clientkeystore.jks");
 System.setProperty("", "password");
 System.setProperty("", "/path/to/your/keystore/clientkeystore.jks");
 System.setProperty("", "password");
   public static void main(String[] args) throws HttpException, IOException
      HttpClient client = new HttpClient();
      GetMethod method = new GetMethod();
      //if you are not redirecting you can use port as localhost:8443
      method.setURI(new URI("https://localhost", false)); 
img logo

No comments :

Post a Comment