什么是HTTPS����?
當使用 基于SSL/TLS(通常使用 https:// URL)向站點進行HTTP請求時����,從服務器向客戶機發(fā)送一個證書?�?蛻魴C使用已安裝的公共證書通過這個證書驗證服務器的身份����,然后檢查 IP 名稱(機器名)與客戶機連接的機器是否匹配?��?蛻魴C生成一些可以用來生成對話的私鑰(稱為會話密鑰)的隨機信息,然后用服務器的公鑰對它加密并將它發(fā)送到服務器�。服務器用自己的私鑰解密消息�����,然后用該隨機信息派生出和客戶機一樣的私有會話密鑰。通常在這個階段使用 RSA 公鑰算法����。然后���,客戶機和服務器使用私有會話密鑰和私鑰算法(通常是 RC4)進行通信。使用另一個密鑰的消息認證碼來確保消息的完整性�。
什么是數(shù)字簽名����?
所謂數(shù)字簽名就是信息發(fā)送者用其私有密鑰對從所傳報文中提取出的特征數(shù)據(jù)(或稱數(shù)字指紋)進行RSA算法操作�,以保證發(fā)信人無法抵賴曾發(fā)過該信息(即不可抵賴性),同時也確保信息報文在經(jīng)簽名后末被篡改(即完整性)��。當信息接收者收到報文后��,就可以用發(fā)送者的公鑰對數(shù)字簽名進行驗證��。
Overview of SSL?
SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.
Another important aspect of the SSL protocol is Authentication. This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a "Certificate", as proof the site is who and what it claims to be. In certain cases, the server may also request a Certificate from your web browser, asking for proof that
you are who you claim to be. This is known as "Client Authentication," although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication.
https與Tomcat
The Apache Jakarta Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO?
利用快速配置:
1,用jdk中的keytool生成一個tomcat keystore
在命令行敲入:%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
會提示你輸入keypassword 和 keystorepassword 以及其它相關信息。按提示確認完成。
2, 在conf/server.xml中加入:
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" keystorePass="password" sslProtocol="TLS" />
3����,啟動tomcat,打開瀏覽器輸入https://localhost:8443 就OK了���。
注意:用此方法生成的keystore文件置于C:\Documents and Settings\user下
注釋:
| Attribute |
Description |
clientAuth |
Set this value to true if you want Tomcat to require all SSL clients to present a client Certificate in order to use this socket. Set this value to want if you want Tomcat to request a client Certificate, but not fail if one isn't presented. |
keystoreFile |
Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable. |
keystorePass |
Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit). |
keystoreType |
Add this element if using a PKCS12 keystore. The valid values are JKS and PKCS12. |
sslProtocol |
The encryption/decryption protocol to be used on this socket. It is not recommended to change this value if you are using Sun's JVM. It is reported that IBM's 1.4.1 implementation of the TLS protocol is not compatible with some popular browsers. In this case, use the value SSL. |
ciphers |
The comma separated list of encryption ciphers that this socket is allowed to use. By default, any available cipher is allowed. |
algorithm |
The X509 algorithm to use. This defaults to the Sun implementation (SunX509). For IBM JVMs you should use the value IbmX509. For other vendors, consult the JVM documentation for the correct value. |
truststoreFile |
The TrustStore file to use to validate client certificates. |
truststorePass |
The password to access the TrustStore. This defaults to the value of keystorePass. |
truststoreType |
Add this element if your are using a different format for the TrustStore then you are using for the KeyStore. The valid values are JKS and PKCS12. |
Java keytool工具的作用及使用方法?
Keytool 是安全鑰匙與證書的管理工具��。它管理一個存儲了私有鑰匙和驗證相應公共鑰匙的與它們相關聯(lián)的X.509 證書鏈的keystore(相當一個數(shù)據(jù)庫)�。
Keytool 是一個有效的安全鑰匙和證書的管理工具���。它能夠使用戶使用數(shù)字簽名來管理他們自己的私有/公共鑰匙對,管理用來作自我鑒定的相關的證書,管理數(shù)據(jù)完整性和鑒定服務���。它還能使用戶在通信時緩存它們的公共鑰匙.
一個證書是某一實體(個人,公司等)的數(shù)字簽名���,指出其他實體的公共鑰匙(或其他信息)的詳細的值.當數(shù)據(jù)被簽名后,這個簽名信息被用來檢驗數(shù)據(jù)的完整性和真實性.完整性指數(shù)據(jù)沒有被修改和篡改,真實性指數(shù)據(jù)從任何產(chǎn)生和簽名的一方真正的傳輸?shù)竭_�。
Keytool 把鑰匙和證書儲存到一個keystore.默任的實現(xiàn)keystore的是一個文件。它用一個密碼保護鑰匙��。而另外的一個工具jarsigner用keystore中的信息產(chǎn)生或檢驗Java aRchive(jar文件)中的數(shù)字簽名��。
Keystore有兩個不同的入口:
1. 鑰匙入口:保存了非常敏感的加密的鑰匙信息,并且是用一個保護的格式存儲以防止未被授權的訪問.以這種形式存儲的鑰匙是秘密鑰匙,或是一個對應證書鏈中公有鑰匙的私有鑰匙.
2. 信任證書入口:包含一個屬于其他部分的單一公共鑰匙證書.它之所以被稱為"信任證書",是因為keystore信任的證書中的公共鑰匙真正屬于證書所有者的身份識別.
Keystore的別名:
所有的keystore入口(鑰匙和信任證書入口)是通過唯一的別名訪問.別名是不區(qū)分大小寫的���。如別名Hugo和hugo指向同一個keystore入口.
可以在加一個入口到keystore的時候使用-genkey參數(shù)來產(chǎn)生一個鑰匙對(公共鑰匙和私有鑰匙)時指定別名.也可以用-import參數(shù)加一個證書或證書鏈到信任證書。
如:keytool -genkey -alias duke -keypass dukekeypasswd
其中duke為別名,dukekeypasswd為duke別名的密碼。這行命令的作用是產(chǎn)生一個新的公共/私有鑰匙對. 其中duke為別名,dukekeypasswd為duke別名的密碼.這行命令的作用是產(chǎn)生一個新的公共/私有鑰匙對.
假如你想修改密碼,可以用:
keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass
將舊密碼dukekeypasswd改為newpass.
Keystore的產(chǎn)生:
1. 當使用-genkey 或-import或-identitydb命令添加數(shù)據(jù)到一個keystore,而當這個keystore不存在時,產(chǎn)生一個keystore.默認名是.keystore,存放到user-home目錄.
2. 當用-keystore指定時,將產(chǎn)生指定的keystore.
Keystore的實現(xiàn):
Keytool 類位于java.security包下,提供一個非常好的接口去取得和修改一個keystore中的信息. 目前有兩個命令行:keytool和jarsinger,一個GUI工具Policy 可以實現(xiàn)keystore.由于keystore是公開的,用戶可以用它寫一些額外的安全應用程序。
Keystore還有一個sun公司提供的內(nèi)在實現(xiàn).它把keystore作為一個文件來實現(xiàn).利用了一個keystore類型(格式)"JKS".它用單獨的密碼保護每一個私有鑰匙.也用可能不同的密碼保護整個keystore的完整性.
支持的算法和鑰匙大小:
keytool允許用戶指定鑰匙對和注冊密碼服務供應者所提供的簽名算法.缺省的鑰匙對產(chǎn)生算法是"DSA"��。假如私有鑰匙是"DSA"類型��,缺省簽名算法是"SHA1withDSA"�,假如私有鑰匙是"RSA"類型,缺省算法是"MD5withRSA".
當產(chǎn)生一個DSA鑰匙對,鑰匙必須在512-1024位之間.對任何算法的缺省鑰匙大小是1024位.
1. 證書:一個證書是一個實體的數(shù)字簽名,指出其他實體的公共鑰匙有明確的值��。
2. 公共鑰匙:是同一個詳細的實體的數(shù)字關聯(lián),并有意讓所有想同這個實體發(fā)生信任關系的其他實體知道�����,公共鑰匙用來檢驗簽名;
3. 數(shù)字簽名:假如數(shù)據(jù)已被簽名,并用身份存儲在一個實體中,一個簽名能夠證明這個實體知道這個數(shù)據(jù).這個數(shù)據(jù)用實體私有鑰匙簽名并遞交;
4. 身份:知道實體的方法.在一些系統(tǒng)中身份是公共鑰匙,其他系統(tǒng)中可以是從一個X.509名字的郵件地址的Unix UID來的任何東西;
5. 簽名:一個簽名用實體私有鑰匙來計算某些加密數(shù)據(jù);
6. 私有鑰匙:是一些數(shù)字,每一個私有鑰匙只能被特定的擁有該私有鑰匙的實體知道.私有和公共鑰匙存在所有用公共鑰匙加密的系統(tǒng)的鑰匙對中.一個公共鑰匙加密(如DSA),一個私有鑰匙與一個正確的公共鑰匙通信.私有鑰匙用來計算簽名。
7. 實體:一個實體可以是一個人,一個組織,一個程序,一臺計算機,一個商業(yè),一個銀行,或其他你想信任的東西.
Keytool應用實例:
1.產(chǎn)生一個keystore:
keytool -genkey -alias User(keystore的別名) -keyalg RSA -validity 7 -keystore keystore(指定keystore).
運行這個命令,系統(tǒng)提示:
Enter keystore password:yourpassword(輸入密碼)
What is your first and last name?
[Unknown]: your name(輸入你的名字)
What is the name of your organizational unit?
[Unknown]:your organizational(輸入你所在組織單位的名字)
What is the name of your organization?
[Unknown]:your organization name (輸入你所在組織的名字)
What is the name of your City or Locality?
[Unknown]:your city name(輸入所在城市的名字)
What is the name of your State or Province?
[Unknown]:your provice name(輸入所在省份名字)
What is the two-letter country code for this unit?
[Unknown]:cn(輸入國家名字)
Is CN=your name, OU=your organizaion, O="your organization name",L=your city name, ST=your province name, C=cn correct?
[no]: yes
3. 檢查一個keystore:
keytool -list -v -keystore keystore
Enter keystore password:your password(輸入密碼)
將顯示keystore內(nèi)容如:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: yourname
Creation date: Dec 20, 2001
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=yourname, OU=your organization, O="your organization name",
L=your city name, ST=your province name, C=CN
Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
Serial number: 3c22adc1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
3.輸出keystore到一個文件:testkey:
keytool -export -alias duke -keystore keystore -rfc -file testkey
系統(tǒng)輸出:Enter keystore password:your password(輸入密碼)
Certificate stored in file < td>
4.輸入證書到一個新的truststore:
keytool -import -alias dukecert -file testkey -keystore truststore
Enter keystore password:your new password.(輸入truststore新密碼)
5.檢查truststore:
keytool -list -v -keystore truststore
系統(tǒng)將顯示truststore的信息.
現(xiàn)在可以用適當?shù)膋eystore運行你的應用程序.如:
java -Djavax.net.ssl.keyStore = keystore
-Djavax.net.ssl.keyStorePassword=password Server
和:
java -Djavax.net.ssl.trustStore=truststore
-Djavax.net.ssl.trustStorePassword=trustword Client