Hi All,
When I try to configure SSL in Tomcat (apache-tomcat-7.0.4) on Windows XP,
I get the error below; can anyone tell me what the problem is?
step 1:
I generate the client/server Java key stores with the following code:
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import org.bouncycastle.jce.provider.asymmetric.ec.KeyPairGenerator;
import org.bouncycastle.x509.X509V3CertificateGenerator;
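/**
 * Tomcat HTTPS client/server key and certificate generator.
 *
 * <p>Writes two JKS files into the working directory:
 * <ul>
 *   <li>{@code client.keystore} - a trust store holding only the self-signed root
 *       certificate (no private key), i.e. what a client needs to trust the server;</li>
 *   <li>{@code server.keystore} - the same certificate together with its private key,
 *       i.e. the server identity Tomcat presents.</li>
 * </ul>
 * Both stores use the hard-coded password {@code test}, which must match
 * {@code keystorePass} / {@code truststorePass} in server.xml. With
 * {@code clientAuth="false"} the server-side trust store is not consulted, so only the
 * server store is needed for a plain HTTPS connector.
 *
 * <p>NOTE(review): a JKS file is read by Tomcat's JSSE connectors
 * ({@code Http11Protocol} / {@code Http11NioProtocol}). The APR/native connector
 * ({@code Http11AprProtocol}, enabled by {@code AprLifecycleListener SSLEngine="on"}) is
 * backed by OpenSSL and takes PEM files via {@code SSLCertificateFile} /
 * {@code SSLCertificateKeyFile} rather than {@code keystoreFile} - confirm which connector
 * is in use before debugging the key store contents.
 */
public class TomcatKey {
    // Client-side trust store: file name (KEYSTORE_SUFFIX is appended) and alias of the root certificate.
    static String TRUST_STORE_NAME = "client";
    static char[] TRUST_STORE_PASSWORD = "test".toCharArray();
    // Server identity store: file name / alias, and the password used for both the store and the key entry.
    static String SERVER_NAME = "server";
    static char[] SERVER_PASSWORD = "test".toCharArray();
    // Host name placed in the certificate CN; must match the host name the client connects to.
    static String SERVER_HOST = "localhost";

    // File suffix shared by both key stores.
    static final String KEYSTORE_SUFFIX = ".keystore";
    // RSA modulus size. The original used 1024 bits, which is below current guidance.
    static final int RSA_KEY_BITS = 2048;
    // Certificate lifetime. The original added Integer.MAX_VALUE milliseconds, i.e. only ~24.8 days.
    static final long VALIDITY_MILLIS = 365L * 24 * 60 * 60 * 1000;
    // Backdate notBefore slightly so a client whose clock is marginally behind still accepts the certificate.
    static final long NOT_BEFORE_SKEW_MILLIS = 5000L;

    /**
     * Generates the root key pair and certificate, then writes the trust store and the server store.
     *
     * @param args ignored
     * @throws Exception if key generation, certificate signing or writing a store fails; the
     *     process then exits non-zero instead of printing a trace and exiting 0 as before
     */
    public static void main(String[] args) throws Exception {
        KeyPair rootPair = generateKeyPair();
        X500PrivateCredential rootCredential = createRootCredential(rootPair);

        // Trust store: certificate only, no private key, so it is safe to hand out to clients.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null); // load(null, null) initialises an empty in-memory store
        trustStore.setCertificateEntry(TRUST_STORE_NAME, rootCredential.getCertificate());
        writeStore(trustStore, TRUST_STORE_NAME + KEYSTORE_SUFFIX, TRUST_STORE_PASSWORD);

        // Server store: the private key plus its (self-signed, single-element) certificate chain.
        KeyStore serverStore = KeyStore.getInstance("JKS");
        serverStore.load(null, null);
        serverStore.setKeyEntry(SERVER_NAME, rootCredential.getPrivateKey(), SERVER_PASSWORD,
                new Certificate[] { rootCredential.getCertificate() });
        writeStore(serverStore, SERVER_NAME + KEYSTORE_SUFFIX, SERVER_PASSWORD);
    }

    /**
     * Writes {@code store} to {@code fileName} and always closes the stream (the original
     * never closed its FileOutputStream).
     *
     * @param store the populated key store
     * @param fileName output path, relative to the working directory
     * @param password integrity password for the store
     * @throws IOException if the file cannot be written
     * @throws GeneralSecurityException if the store cannot be serialised
     */
    private static void writeStore(KeyStore store, String fileName, char[] password)
            throws IOException, GeneralSecurityException {
        FileOutputStream out = new FileOutputStream(fileName);
        try {
            store.store(out, password);
        } finally {
            out.close();
        }
    }

    /**
     * Creates the RSA key pair used for the root/server certificate.
     *
     * <p>{@code java.security.KeyPairGenerator} is named explicitly: the file imports
     * BouncyCastle's EC {@code KeyPairGenerator} under the same simple name, and the
     * unqualified {@code KeyPairGenerator.getInstance("RSA")} only worked because that class
     * inherits the static factory from the JDK type.
     *
     * @return a fresh {@value #RSA_KEY_BITS}-bit RSA key pair
     * @throws NoSuchAlgorithmException if no provider offers RSA
     * @throws NoSuchProviderException kept for signature compatibility; nothing here throws it
     */
    public static KeyPair generateKeyPair() throws NoSuchAlgorithmException,
            NoSuchProviderException {
        java.security.KeyPairGenerator generator =
                java.security.KeyPairGenerator.getInstance("RSA");
        generator.initialize(RSA_KEY_BITS, new SecureRandom());
        return generator.generateKeyPair();
    }

    /**
     * Bundles the self-signed root certificate with its private key.
     *
     * @param rootPair key pair to certify
     * @return the certificate/private-key credential
     * @throws Exception propagated from {@link #generateX509V3RootCertificate(KeyPair)}
     */
    public static X500PrivateCredential createRootCredential(KeyPair rootPair)
            throws Exception {
        X509Certificate rootCert = generateX509V3RootCertificate(rootPair);
        return new X500PrivateCredential(rootCert, rootPair.getPrivate());
    }

    /**
     * Builds a self-signed X.509 v3 certificate for {@code pair} with
     * {@code CN=} {@link #SERVER_HOST} as both issuer and subject.
     *
     * <p>NOTE(review): whether {@code generate(PrivateKey, SecureRandom)} needs the
     * BouncyCastle provider registered ({@code Security.addProvider(...)}) depends on the BC
     * version in use; nothing in this class registers it - confirm against the BC jar on the
     * classpath if signing fails with a provider error.
     *
     * @param pair key pair whose public key is certified and whose private key signs
     * @return the signed certificate, valid from {@value #NOT_BEFORE_SKEW_MILLIS} ms ago for
     *     {@value #VALIDITY_MILLIS} ms
     * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
     * @throws NoSuchProviderException if the signing provider is unavailable
     * @throws CertificateEncodingException if the certificate cannot be encoded
     * @throws InvalidKeyException if the private key cannot sign
     * @throws IllegalStateException if the generator is incompletely configured
     * @throws SignatureException if signing fails
     */
    public static X509Certificate generateX509V3RootCertificate(KeyPair pair)
            throws NoSuchAlgorithmException, NoSuchProviderException,
            CertificateEncodingException, InvalidKeyException, IllegalStateException,
            SignatureException {
        long now = System.currentTimeMillis();
        // Self-signed: issuer and subject are the same distinguished name.
        X500Principal name =
                new X500Principal("CN=" + SERVER_HOST + ", OU=GoldenSF, O=SHA, C=cn");

        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
        // Serial numbers must be positive; the millisecond clock is fine for a local test
        // certificate but is predictable, so this is not suitable for a real CA.
        certGen.setSerialNumber(BigInteger.valueOf(now));
        certGen.setIssuerDN(name);
        certGen.setSubjectDN(name);
        certGen.setNotBefore(new Date(now - NOT_BEFORE_SKEW_MILLIS));
        certGen.setNotAfter(new Date(now + VALIDITY_MILLIS));
        certGen.setPublicKey(pair.getPublic());
        // SHA-1 signatures are rejected by current clients; SHA-256 has been in the JDK since Java 5.
        certGen.setSignatureAlgorithm("SHA256WithRSA");
        return certGen.generate(pair.getPrivate(), new SecureRandom());
    }
}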
step2:
I put the generated files, client.keystore and server.keystore, in
apache-tomcat-7.0.4/conf.
step3:
Then I update server.xml as follows:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener
className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="443" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
protocol="org.apache.coyote.http11.Http11AprProtocol"
keystoreFile="conf/server.keystore" keystorePass="test"
truststoreFile="conf/client.keystore" truststorePass="test"/>
Connector