Securing Tomcat with JSSE

utahcokeServers

Nov 17, 2013



1: Downloading and Installing JSSE

Since JSSE does not come with the Java 2 SDK, you must download it from Sun's site and
integrate it with your current JDK installation.

1. Download JSSE by going to http://www.javasoft.com/products/jsse/ and following the
   links at the bottom of the page.

2. After downloading JSSE, you should have a file named jsse-1_0_2-do.zip. Unzip this
   file to produce a folder named jsse1.0.2.

3. Within the jsse1.0.2 folder you'll find a lib directory, and within the lib directory
   you'll find the files jsse.jar, jcert.jar, and jnet.jar. Copy these files to the
   lib/ext subdirectory of your Java home directory. You should also copy these JAR files
   to the jre/lib/ext directory of the Java 2 SDK installation.

4. Edit $JAVA_HOME/jre/lib/security/java.security and add this line:

       security.provider.2=com.sun.net.ssl.internal.ssl.Provider



2: Modify the Tomcat server.xml configuration file

To use the HTTP with SSL connector in Tomcat, verify that it is activated (uncommented) in
server.xml:

    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
        <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
        <Parameter name="port" value="8443"/>
        <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" />
    </Connector>


3: Create the server certificate using keytool

    keytool -genkey -alias tomcat-sv -keyalg RSA

The alias must be the same one used in steps 4 and 5. The system will prompt you to enter
the following (example values shown):

    Enter keystore password:  changeit
    What is your first and last name? (the server's domain name or IP address):  192.168.222.3
    What is the name of your organizational unit?:  AJJASP
    What is the name of your organization?:  AJJA
    What is the name of your City or Locality?:  Ottawa
    What is the name of your State or Province?:  Ontario
    What is the two-letter country code for this unit?:  CA
    Is ... correct?:  y
    Enter key password for <tomcat-sv>:  (press Return to use the keystore password)

The "first and last name" becomes the certificate's CN, which is what a client compares with
the host name in the URL it connects to, so enter the name clients will actually use to reach
the server. Tomcat also requires the key password to be the same as the keystore password,
which is why Return is pressed at the last prompt.

4: Export the server certificate using keytool

    keytool -export -alias tomcat-sv -file servertomcat.cer

The system will prompt you to enter the keystore password (changeit in this example).


5: Import the server certificate into the client application's keystore using keytool

Copy the .cer file you just created into the client's JRE/bin directory, then use keytool:

    keytool -import -alias tomcat-sv -file servertomcat.cer -trustcacerts -v -keystore <JAVA_HOME>\jre\lib\security\cacerts

The keystore password is changeit (the well-known default for the JDK's cacerts file). You
will then be prompted "Trust this certificate? [no]:"; type y. The certificate will be added
to the keystore. Note that cacerts is shared by every Java application that runs on this JRE;
a client that should trust only this server can instead import the certificate into its own
truststore and point the JVM at it with the javax.net.ssl.trustStore system property.


6: Establishing a Connection using SSL to Tomcat

To establish a connection to the server, the JSSE trust manager must trust the server
certificate. The previous step added the Tomcat server certificate to the list of trusted
certificates in the application's keystore (cacerts). In general, a server's certificate
must be signed by a Certificate Authority that the client trusts; importing the certificate
directly, as in step 5, is how a self-signed certificate for a server you control is trusted.
The following is a list of trusted Certificate Authorities:

    Thawte Inc.               www.thawte.com
    VeriSign Inc.             www.verisign.com
    RSA Data Security Inc.    www.rsa.com

Listing 1.1 is a program that establishes an SSL connection to a specified URL.

Listing 1.1: Establishing an SSL connection

import java.io.*;
import java.net.*;
import java.security.*;

public class ShowJavaHome {

    // URL to connect to; supplied by main instead of being hard-coded in run()
    private final String urlString;

    public static void main(String[] args) throws Exception {
        // Use the URL given on the command line, or the original example's default
        String target = args.length > 0 ? args[0] : "https://www.sun.com";
        ShowJavaHome browser = new ShowJavaHome(target);
        browser.run();
    }

    public ShowJavaHome(String urlString) {
        this.urlString = urlString;
        // Register the JSSE 1.0.2 provider and its https: protocol handler (see step 1)
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    }

    public void run() throws Exception {
        HttpURLConnection urlc = null;
        URL url = new URL(urlString);
        try {
            urlc = (HttpURLConnection) url.openConnection();
        } catch (Exception e) {
            // Without a connection there is nothing to read, so stop instead of dereferencing null
            System.out.println("Error with connection: " + e);
            return;
        }

        System.out.println(System.getProperty("java.home"));
        System.out.println("The Headers");
        System.out.println("-----------");
        System.out.println(urlc);
        // Header field 0 is the status line; named header fields are numbered from 1
        for (int i = 1; ; i++) {
            String key = urlc.getHeaderFieldKey(i);
            if (key == null) break;
            String value = urlc.getHeaderField(i);
            if (value == null) break;
            System.out.println("Key: " + key);
            System.out.println("Value: " + value);
        }

        BufferedReader reader = new BufferedReader(new InputStreamReader(urlc.getInputStream()));
        String line;
        System.out.println("The Content");
        System.out.println("-----------");
        while ((line = reader.readLine()) != null) System.out.println(line);
        reader.close();
    }
}
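As an added example that is not part of the original document, the program below does two things a practitioner wants after steps 5 and 6: it checks that the alias tomcat-sv from steps 3 to 5 really is a trusted certificate entry in the truststore and prints its SHA-256 fingerprint so it can be compared with the exported servertomcat.cer, and then it opens the HTTPS connection of step 6 using an SSLContext whose trust decisions come only from that truststore, with the default hostname verification left in place. The class name TrustedConnect, its command-line arguments and the helper method names are this example's own choices; the alias and the cacerts path come from the steps above, and the code uses the standard javax.net.ssl API rather than the JSSE 1.0.2 provider classes of Listing 1.1.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original document): verifies the step 5 import and
 * then makes the step 6 connection against that truststore only.
 *
 * Usage: java TrustedConnect <truststore-path> <truststore-password> <https-url>
 * e.g.   java TrustedConnect "$JAVA_HOME/jre/lib/security/cacerts" changeit https://192.168.222.3:8443/
 */
public class TrustedConnect {

    // Alias used for the server certificate in steps 3 to 5
    private static final String SERVER_ALIAS = "tomcat-sv";

    /** Loads a JKS or PKCS12 truststore from disk. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Colon-separated hex SHA-256 fingerprint, the format keytool -printcert shows. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Step 5 check: the alias must exist and must be a trusted-certificate entry, not a key entry. */
    static X509Certificate requireTrustedEntry(KeyStore ts, String alias) throws Exception {
        if (!ts.isCertificateEntry(alias)) {
            throw new IllegalStateException(
                "alias '" + alias + "' is not a trusted certificate entry in this truststore; rerun step 5");
        }
        return (X509Certificate) ts.getCertificate(alias);
    }

    /** Step 6: an SSLContext that trusts only what is in the given truststore. */
    static SSLContext contextFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustedConnect <truststore-path> <truststore-password> <https-url>");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());

        // Part 1: confirm the import from step 5 and show what was imported
        X509Certificate serverCert = requireTrustedEntry(ts, SERVER_ALIAS);
        System.out.println("Trusted entry " + SERVER_ALIAS + ": " + serverCert.getSubjectX500Principal());
        System.out.println("SHA-256 fingerprint: " + fingerprint(serverCert));
        serverCert.checkValidity();  // throws if the certificate is expired or not yet valid

        // Part 2: connect, trusting only this truststore; the default hostname verifier stays enabled,
        // so the CN/SAN chosen in step 3 must match the host in the URL
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(contextFor(ts).getSocketFactory());
        conn.connect();
        System.out.println("Negotiated cipher suite: " + conn.getCipherSuite());
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("Server presented: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        System.out.println("HTTP " + conn.getResponseCode() + " " + conn.getResponseMessage());
        conn.disconnect();
    }
}
```

Compare the printed fingerprint with the output of keytool -printcert -file servertomcat.cer; a mismatch means the truststore holds a different certificate than the one exported in step 4. One caveat for the IP-address CN used in step 3: a current JSSE matches an IP address in the URL only against a subjectAltName IP entry, not against the CN, so a certificate generated as in step 3 will fail the hostname check unless it is created with a DNS name or given a SAN (keytool -ext san=ip:192.168.222.3 on JDK 7 and later).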


Sources

http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ssl-howto.html, by Gomez Henri

http://www.javasoft.com/products/jsse/INSTALL.html