After my first post on SSL (self-signed certificate generation and installation on a Tomcat server), I would like to present another tool, PorteCle, which can generate a KeyStore and a self-signed certificate in place of the Keytool shipped with JDK/JRE 1.5.
When browsing a secured website, the user is not explicitly asked to install the certificate on the client machine, because the certificate has been signed by a certification authority (CA). When creating the certificate (in the keystore on the server side), it is possible to specify whether the certificate is intended to be distributed (the classic case) or not.
For example, a certificate can be generated with keytool:
keytool.exe -genkey -dname "cn=JavaBlog.fr, ou=JAVA/LU, o=Blog JavaBlog.fr, c=LU" -alias tomcatKey -keypass 123456 -keystore D:\keytool\javablogkeystore.ks -storepass 123456 -validity 365
…but there are other tools, like PorteCle.
Installation of PorteCle
First, download portecle-1.7.zip from http://sourceforge.net/projects/portecle/ and unzip it.
Then, execute the portecle.jar file with the Java Platform SE binary:
…this is PorteCle:
Create a new KeyStore
The KeyStore contains the keys/certificates:
… select the type Java Keystore:
Create a new certificate
Create a new certificate (or Key Pair) in the previously created KeyStore:
…the Key Algorithm will be RSA, with a Key Size of 2048:
…and the details of our certificate will be:
- Validity: 365 days
- CN (Common Name): HUO
- OU (Organisation Unit): JAVABLOG.FR
- O (Organisation Name): JAVA.LU
- L (Locality Name): LU
- ST (State Name): LU
- C (Country): LU
…it is necessary to fill in an alias and a password for the certificate in the KeyStore (here huo and 123456):
…and double-click on the certificate to display its details:
…finally, save the KeyStore to the local disk with a specific password, 123456. In Tomcat, the private key password and the keystore password must be the same. See the official documentation http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html: "You MUST use the same password here as was used for the keystore password itself. This is a restriction of the Tomcat implementation."
Export the certificate to *.cer file
Here, it is possible to export a "*.cer" file in order to install the certificate directly, for example on a client computer/PC. In the case of this article it is not necessary, but installing it has no side effects.
Important point: a certificate issued by a certification authority (CA) doesn't need to be installed on the client side, because most of these certificates chain to a root certificate which is already installed on the user's PC (example: UNIPASS).
To install the certificate on the client PC and view the certificate details: double-click on the HUO.cer file
In this last screenshot, you can observe that the certificate has not been trusted by a certification authority (CA), since we generated a self-signed certificate.
Install the certificate on client side:
After certificate installation on client side, it is visible in the certificates manager.
Execute the command certmgr.msc:
Then, you can find the newly installed certificate:
Tomcat Server Configuration: SSL configuration and tests
Activate the following connector in the "server.xml" file of the "conf" folder to use the https protocol, targeting the "C:\MyFiles\Development\Java\tools\sslcertificats" keystore with the password filled in above, "javablog.fr" (keystore="C:\MyFiles\Development\Java\tools\myKeyStore.ks" keystorePass="123456"):
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystore="C:\MyFiles\Development\Java\tools\myKeyStore.ks"
           keystorePass="123456"
           clientAuth="false" sslProtocol="TLS" />
…don't modify the plain HTTP connector, because by default port 8080 is redirected to port 8443:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
…and when the Tomcat server is started:
15 juil. 2014 01:09:28 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
15 juil. 2014 01:09:29 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8443
15 juil. 2014 01:09:29 org.apache.catalina.startup.Catalina load
...
15 juil. 2014 01:09:32 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8080
15 juil. 2014 01:09:32 org.apache.coyote.http11.Http11Protocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8443
Note: if Tomcat starts with the error below, it is because in Tomcat the private key password and the keystore password must be the same. So, set the key and the keystore to the same password.
15 juil. 2014 00:57:27 org.apache.coyote.http11.Http11Protocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
15 juil. 2014 00:57:27 org.apache.coyote.http11.Http11Protocol init
GRAVE: Erreur à l'initialisation du point de contact
java.io.IOException: Cannot recover key
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:427)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
    ...
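The "Cannot recover key" failure can be caught before Tomcat is started: the JSSE connector recovers every private key with keystorePass, so the check below does the same thing with the JDK KeyStore API. This is an added example, not code from the post or from Tomcat; the keystore path and password are passed as arguments (the values from this article are only shown in the usage comment).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/**
 * Loads a JKS keystore and checks, for every private-key entry, that the key
 * can be recovered with the keystore password, which is what Tomcat's JSSE
 * connector does at startup (keystorePass is used for both).
 * Usage: java KeyStoreCheck C:\MyFiles\Development\Java\tools\myKeyStore.ks 123456
 */
public class KeyStoreCheck {

    /** Returns true when every private key is protected by the keystore password. */
    public static boolean allKeysRecoverable(KeyStore ks, char[] storePass) throws Exception {
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries have no key to recover
            }
            try {
                ks.getKey(alias, storePass);
                System.out.println("OK   " + alias + ": key password matches the keystore password");
            } catch (UnrecoverableKeyException e) {
                // This entry is the one that makes Tomcat fail with "Cannot recover key".
                System.out.println("FAIL " + alias + ": key password differs from the keystore password");
                ok = false;
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeyStoreCheck <keystore.ks> <keystorePass>");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // wrong keystore password fails here, before any key is tried
        }
        System.exit(allKeysRecoverable(ks, storePass) ? 0 : 1);
    }
}
```

An entry reported as FAIL can be aligned with the keystore password using keytool's -keypasswd option on that alias, after which the check (and Tomcat) succeeds.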
If we check our configuration by accessing an application deployed on the Tomcat server (for example: https://localhost:8443/test_extJs_1/index2.html):
In order to verify that the connection is secured, we will use the TCP/IP Monitor view in Eclipse to display the content of the messages sent and received between the client (browser) and the server.
Configure a local monitoring port 8444 redirected to the SSL secure port 8443 on the localhost server:
So, access the secured site via port 8444 (https://localhost:8444/test_extJs_1/index2.html) and check the encrypted data in the configured proxy:
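The same two checks done above with the Windows certificate manager and the Eclipse TCP/IP Monitor (trusting the exported HUO.cer on the client side, then confirming the connection is actually protected) can be done programmatically. This is an added example, not code from the post: it trusts only the exported self-signed certificate instead of disabling validation, and, because the certificate's CN is HUO rather than localhost, it restricts hostname verification to the local test host (a production certificate should simply carry the real host name).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Connects to the Tomcat SSL connector trusting ONLY the exported self-signed certificate.
 * Usage: java TlsProbe HUO.cer https://localhost:8443/test_extJs_1/index2.html
 */
public class TlsProbe {

    /** Builds an SSLContext whose trust store contains just the certificate in cerPath. */
    public static SSLContext contextTrusting(String cerPath) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(cerPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // empty in-memory trust store, the client-side "install"
        trust.setCertificateEntry("huo", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(contextTrusting(args[0]).getSocketFactory());
        // CN=HUO does not match "localhost": accept that single local test host and nothing else
        conn.setHostnameVerifier((host, session) -> "localhost".equals(host));
        conn.connect();
        System.out.println("Cipher suite: " + conn.getCipherSuite());
        for (Certificate c : conn.getServerCertificates()) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("Subject: " + x.getSubjectX500Principal());
            System.out.println("Issuer : " + x.getIssuerX500Principal());
            // A self-signed certificate has the same name as subject and issuer (see the screenshot above)
            System.out.println("Self-signed: " + x.getSubjectX500Principal().equals(x.getIssuerX500Principal()));
        }
        conn.disconnect();
    }
}
```

If the handshake fails with a path-building error, the server presented a certificate other than the one exported to HUO.cer, which is the condition the Windows certificate dialog above flags as untrusted.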