security6.html

j2eePDF格式的电子书

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <title>Installing and Configuring SSL Support</title>
    <link rel="StyleSheet" href="document.css" type="text/css" media="all" />
    <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" />
    <link rel="Table of Contents" href="J2EETutorialTOC.html" />
    <link rel="Previous" href="Security5.html" />
    <link rel="Next" href="Security7.html" />
    <link rel="Index" href="J2EETutorialIX.html" />
  </head>

  <body>

    <table width="550" summary="layout" id="SummaryNotReq1">
      <tr>
	<td align="left" valign="center">
	<font size="-1">
	<a href="http://java.sun.com/j2ee/1.4/download.html#tutorial" target="_blank">Download</a>
	<br>
	<a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/faq.html" target="_blank">FAQ</a>
	<br>
	<a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/history.html" target="_blank">History</a>
	</td>
        <td align="center" valign="center">
<a accesskey="p" href="Security5.html"><img id="LongDescNotReq1" src="images/PrevArrow.gif" width="26" height="26" border="0" alt="Prev" /></a><a accesskey="c" href="J2EETutorialFront.html"><img id="LongDescNotReq1" src="images/UpArrow.gif" width="26" height="26" border="0" alt="Home" /></a><a accesskey="n" href="Security7.html"><img id="LongDescNotReq3" src="images/NextArrow.gif" width="26" height="26" border="0" alt="Next" /></a><a accesskey="i" href="J2EETutorialIX.html"></a>
        </td>
	<td align="right" valign="center">
	<font size="-1">
	<a href="http://java.sun.com/j2ee/1.4/docs/api/index.html" target="_blank">API</a>
	<br>
	<a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/search.html" target="_blank">Search</a>
	<br>
	<a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/sendusmail.html" target="_blank">Feedback</a></font>
	</font>
	</td>
      </tr>
    </table>

    <img src="images/blueline.gif" width="550" height="8" ALIGN="BOTTOM" NATURALSIZEFLAG="3" ALT="Divider">

    <blockquote>
<a name="wp80702"> </a><h2 class="pHeading1">
Installing and Configuring SSL Support
</h2>
<a name="wp80703"> </a><h3 class="pHeading2">
What is Secure Socket Layer Technology?
</h3>
<a name="wp80704"> </a><p class="pBody">
Secure Socket Layer (SSL) is a technology that allows Web browsers and Web servers to communicate over a secured connection. In this secure connection, the data that is being sent is encrypted before being sent, then decrypted upon receipt and prior to processing. Both the browser and the server encrypt all traffic before sending any data. SSL addresses the following important security considerations.
</p>
<div class="pSmartList1"><ul class="pSmartList1">
<a name="wp80705"> </a><div class="pSmartList1"><li><b class="cBold">Authentication</b> </li></div>
<a name="wp80706"> </a><p class="pBodyRelative">
During your initial attempt to communicate with a Web server over a secure connection, that server will present your Web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be. In some cases, the server may request a certificate that the client is who and what it claims to be (which is known as client authentication). 
</p>
<a name="wp80707"> </a><div class="pSmartList1"><li><b class="cBold">Confidentiality</b></li></div>
<a name="wp80708"> </a><p class="pBodyRelative">
When data is being passed between the client and server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third-party and the data remains confidential.
</p>
<a name="wp80709"> </a><div class="pSmartList1"><li><b class="cBold">Integrity</b></li></div>
<a name="wp80710"> </a><p class="pBodyRelative">
When data is being passed between the client and server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.
</p>
</ul></div>
<a name="wp148244"> </a><p class="pBody">
To install and configure SSL support on your stand-alone Web server, you need the following components. SSL support is already provided if you are using the J2EE 1.4 Application Server. If you are using a different Web server, consult the documentation for your product.
</p>
<div class="pSmartList1"><ul class="pSmartList1">
<a name="wp148251"> </a><div class="pSmartList1"><li>A server certificate keystore (see <a  href="Security6.html#wp80737">Setting Up Digital Certificates</a>).</li></div>
<a name="wp148256"> </a><div class="pSmartList1"><li>An HTTPS connector (see <a  href="Security6.html#wp142440">Configuring the SSL Connector</a>).</li></div>
</ul></div>
<a name="wp148260"> </a><p class="pBody">
To verify that SSL support is enabled, see <a  href="Security6.html#wp157241">Verifying SSL Support</a>.
</p>
<a name="wp80737"> </a><h3 class="pHeading2">
Setting Up Digital Certificates
</h3>
<hr>
<a name="wp413503"> </a><p class="pNote">
Note: Digital certificates for the J2EE 1.4 Application Server have already been generated and can be found in the directory <code class="cCode">&lt;</code><code class="cVariable">J2EE_HOME</code><code class="cCode">&gt;/domains/domain1/config/</code>.
</p>
<hr><a name="wp80738"> </a><p class="pBody">
In order to use SSL, a J2EE server must have an associated certificate for each external interface, or IP address, that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. It may be useful to think of a certificate as a &quot;digital driver's license&quot; for an Internet address. It states with which company the site is associated, along with some basic contact information about the site owner or administrator.
</p>
<a name="wp80739"> </a><p class="pBody">
The digital certificate is cryptographically signed by its owner and is difficult for anyone else to forge. For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known Certificate Authority (CA) such as Verisign or Thawte. 
</p>
<a name="wp80740"> </a><p class="pBody">
If authentication is not really a concern, such as if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection, you can simply save the time and expense involved in obtaining a CA certificate and simply use a self-signed certificate. 
</p>
<a name="wp80741"> </a><p class="pBody">
SSL uses <em class="cEmphasis">public key cryptography</em>, which is based on <em class="cEmphasis">key pairs</em>. Key pairs contain one public key and one private key. If data is encrypted with one key, it can only be decrypted with the other key of the pair. This property is fundamental to establishing trust and privacy in transactions. For example, using SSL, the server computes a value and encrypts the value using its private key. The encrypted value is called a <em class="cEmphasis">digital signature</em>. The client decrypts the encrypted value using the server's public key and compares the value to its own computed value. If the two values match, the client can trust that the signature is authentic since only the private key could have been used to produce such a signature.
</p>
<a name="wp157401"> </a><p class="pBody">
Digital certificates are used with the HTTPS protocol to authenticate Web clients. The HTTPS service of most Web servers will not run unless a digital certificate has been installed. Use the procedure outlined below to set up a digital certificate that can be used by your Web server to enable SSL.
</p>
<a name="wp157403"> </a><p class="pBody">
One tool that can be used to set up a digital certificate is <code class="cCode">keytool</code>, a key and certificate management utility that ships with J2EE 1.4 Application Server. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. For a better understanding of <code class="cCode">keytool</code> and public key cryptography, read the <code class="cCode">keytool</code> documentation at the following URL:
</p>
<div class="pPreformattedRelative"><pre class="pPreformattedRelative">
<a  href=" http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html" target="_blank"></a>http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/key-
tool.html<a name="wp148269"> </a>
</pre></div>
<a name="wp148406"> </a><h4 class="pHeading3">
Creating a Server Certificate
</h4>
<a name="wp148438"> </a><p class="pBody">