security6.html

j2eePDF格式的电子书

A server certificate has already been created for the J2EE 1.4 Application Server. The certificates can be found in the <code class="cCode">&lt;</code><code class="cVariable">J2EE_HOME</code><code class="cCode">&gt;/domains/domain1/config/</code> directory. The server certificate is in <code class="cCode">keystore.jks</code>. The client certificate is contained in the trust-store file, <code class="cCode">cacerts.jks</code>.
</p>
<a name="wp411966"> </a><p class="pBody">
If necessary, you can use <code class="cCode">keytool</code> to generate certificates. The <code class="cCode">keytool</code> stores the keys and certificates in a file termed a <em class="cEmphasis">keystore</em>. A keystore is a repository of certificates used for identifying a client or a server. Typically, a keystore contains one client or one server's identity. The default keystore implementation implements the keystore as a file. It protects private keys with a password.
</p>
<a name="wp148439"> </a><p class="pBody">
The keystores are created in the directory from which you run <code class="cCode">keytool</code>. This can be the directory where the application resides or it can be a directory common to many applications. 
</p>
<a name="wp148440"> </a><p class="pBody">
To create a server certificate, 
</p>
<div class="pSmartList1"><ol type="1" class="pSmartList1">
<a name="wp157986"> </a><div class="pSmartList1"><li>Create the keystore.</li></div>
<a name="wp157998"> </a><div class="pSmartList1"><li>Export the certificate from the keystore.</li></div>
<a name="wp158002"> </a><div class="pSmartList1"><li>Sign the certificate.</li></div>
<a name="wp158003"> </a><div class="pSmartList1"><li>Import the certificate into a trust-store. A trust-store is a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate. An example using a trust-store for SSL-based mutual authentication is discussed in <a  href="Security7.html#wp129121">Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC</a>.</li></div>
</ol></div>
<a name="wp148441"> </a><p class="pBody">
Run <code class="cCode">keytool</code> to generate the server keystore, which we will name <code class="cCode">server-keystore.jks</code>. This step uses the alias <code class="cCode">server-alias</code> to generate a new public/private key pair and wrap the public key into a self-signed certificate inside <code class="cCode">server-keystore.jks</code>. The key pair is generated using an algorithm of type RSA, with a default password of <code class="cCode">changeit</code>. For more information on <code class="cCode">keytool</code> options, see its online help at <code class="cCode"><a  href="http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html" target="_blank">http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html</a></code>.
</p>
<a name="wp148480"> </a><p class="pBody">
From the directory in which you want to create the keystore, run <code class="cCode">keytool</code> with the following parameters. When you press Enter, <code class="cCode">keytool</code> prompts you to enter the server name, organizational unit, organization, locality, state, and country code. Note that you must enter the server name in response to <code class="cCode">keytool</code>'s first prompt in which it asks for first and last names. For testing purposes, this may be <code class="cCode">localhost</code>. The host specified in the keystore must match the host identified in the <code class="cCode">host</code> variable specified in the <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/common/build.properties</code>.
</p>
<div class="pSmartList1"><ol type="1" class="pSmartList1">
<a name="wp148491"> </a><div class="pSmartList1"><li>Generate the server certificate.</li></div>
<a name="wp148444"> </a><p class="pBodyRelative">
<code class="cCode">&lt;</code><code class="cVariable">JAVA_HOME</code><code class="cCode">&gt;\bin\keytool -genkey -alias server-alias<br />-keyalg RSA -keypass changeit -storepass changeit <br />-keystore keystore.jks</code>
</p>
<a name="wp148449"> </a><div class="pSmartList1"><li>Export the generated server certificate in <code class="cCode">keystore.jks</code> into the file <code class="cCode">server.cer</code>. </li></div>
<a name="wp158013"> </a><p class="pBodyRelative">
<code class="cCode">&lt;</code><code class="cVariable">JAVA_HOME</code><code class="cCode">&gt;\bin\keytool -export -alias server-alias <br />-storepass changeit -file server.cer -keystore keystore.jks</code>
</p>
<a name="wp158019"> </a><div class="pSmartList1"><li>If you want to have the certificate signed by a CA, read <a  href="Security6.html#wp148434">Signing Digital Certificates</a> for more information.</li></div>
<a name="wp158024"> </a><div class="pSmartList1"><li>To create the trust-store file <code class="cCode">cacerts.jks</code> and add the server certificate to the trust-store, run <code class="cCode">keytool</code> from the directory where you created the keystore and server certificate with the following parameters: </li></div>
<a name="wp148455"> </a><p class="pBodyRelative">
<code class="cCode">&lt;JAVA_HOME&gt;\bin\keytool -import -v -trustcacerts<br />-alias server-alias -file server.cer <br />-keystore cacerts.jks -keypass changeit <br />-storepass changeit</code>
</p>
<a name="wp148456"> </a><p class="pBodyRelative">
Information on the certificate, such as that shown below will display.
</p>
<a name="wp148457"> </a><p class="pBodyRelative">
<code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/gs 60% keytool -import <br />-v -trustcacerts -alias server-alias -file server.cer <br />-keystore cacerts.jks -keypass changeit -storepass changeit<br />Owner: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US<br />Issuer: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US<br />Serial number: 3e932169<br />Valid from: Tue Apr 08<br />Certificate fingerprints:<br />MD5: 52:9F:49:68:ED:78:6F:39:87:F3:98:B3:6A:6B:0F:90 <br />SHA1: EE:2E:2A:A6:9E:03:9A:3A:1C:17:4A:28:5E:97:20:78:3F:<br />Trust this certificate? [no]: </code>
</p>
<a name="wp148458"> </a><div class="pSmartList1"><li>Enter <code class="cCode">yes</code>, then strike the <code class="cCode">Enter</code> or <code class="cCode">Return</code> key. The following information displays:</li></div>
<a name="wp148427"> </a><p class="pBodyRelative">
<code class="cCode">Certificate was added to keystore<br />[Saving cacerts.jks] </code>
</p>
</ol></div>
<a name="wp148434"> </a><h4 class="pHeading3">
Signing Digital Certificates
</h4>
<a name="wp148519"> </a><p class="pBody">
Once you've created a digital certificate, you will want to have it signed by its owner. Once the digital certificate is cryptographically signed by its owner, it is difficult for anyone else to forge. For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known Certificate Authority (CA) such as Verisign or Thawte. 
</p>
<a name="wp148520"> </a><p class="pBody">
If authentication is not really a concern, such as if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection, you can simply save the time and expense involved in obtaining a CA certificate and simply use the self-signed certificate. 
</p>
<a name="wp125126"> </a><h4 class="pHeading3">
Creating a Client Certificate for Mutual Authentication
</h4>
<a name="wp80807"> </a><p class="pBody">
This section discusses setting up client-side authentication. When both server and client-side authentication are enabled, this is called mutual, or two-way, authentication. In client authentication, clients are required to submit certificates that are issued by a certificate authority that you choose to accept. From the directory where you want to create the client certificate, run <code class="cCode">keytool</code> as outlined below. When you press Enter, <code class="cCode">keytool</code> prompts you to enter the server name, organizational unit, organization, locality, state, and country code. Note that you must enter the <em class="cEmphasis">server name</em> in response to <code class="cCode">keytool</code>'s first prompt in which it asks for first and last names. For testing purposes, this may be <code class="cCode">localhost</code>. The host specified in the keystore must match the host identified in the <code class="cCode">host</code> variable specified in the <code class="cCode">&lt;</code><code class="cVariable">INSTALL</code><code class="cCode">&gt;/j2eetutorial14/examples/common/build.properties</code> file.
</p>
<a name="wp159531"> </a><p class="pBody">
To create a keystore named <code class="cCode">client-keystore.jks</code> that contains a client certificate named <code class="cCode">client.cer</code>, follow these steps:
</p>
<div class="pSmartList1"><ol type="1" class="pSmartList1">
<a name="wp159444"> </a><div class="pSmartList1"><li>Generate the client certificate.</li></div>
<a name="wp159445"> </a><p class="pBodyRelative">
<code class="cCode">&lt;</code><code class="cVariable">JAVA_HOME</code><code class="cCode">&gt;\bin\keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit <br />-keystore keystore.jks</code>
</p>
<a name="wp159446"> </a><div class="pSmartList1"><li>Export the generated client certificate into the file <code class="cCode">client.cer</code>. </li></div>
<a name="wp159447"> </a><p class="pBodyRelative">
<code class="cCode">&lt;</code><code class="cVariable">JAVA_HOME</code><code class="cCode">&gt;\bin\keytool -export -alias client-alias <br />-storepass changeit -file client.cer -keystore keystore.jks</code>
</p>
<a name="wp159455"> </a><div class="pSmartList1"><li>Add the certificate to the trust-store file <code class="cCode">cacerts.jks</code>. Run <code class="cCode">keytool</code> from the directory where you created the keystore and client certificate with the following parameters: </li></div>
<a name="wp159456"> </a><p class="pBodyRelative">
<code class="cCode">&lt;JAVA_HOME&gt;\bin\keytool -import -v -trustcacerts<br />-alias client-alias -file client.cer <br />-keystore cacerts.jks -keypass changeit <br />-storepass changeit</code>
</p>
<a name="wp86201"> </a><p class="pBodyRelative">
<code class="cCode">Keytool</code> returns this message:
</p>
<a name="wp86199"> </a><p class="pBodyRelative">
<code class="cCode">Owner: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US<br />Issuer: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US<br />Serial number: 3e39e66a<br />Valid from: Thu Jan 30 18:58:50 PST 2003 until: Wed Apr 30<br />19:58:50 PDT 2003<br />Certificate fingerprints:<br />MD5: 5A:B0:4C:88:4E:F8:EF:E9:E5:8B:53:BD:D0:AA:8E:5A<br />SHA1:90:00:36:5B:E0:A7:A2:BD:67:DB:EA:37:B9:61:3E:26:B3:89:46:<br />32<br />Trust this certificate? [no]: yes<br />Certificate was added to keystore</code>
</p>
</ol></div>
<a name="wp87757"> </a><p class="pBody">
For an example application that uses mutual authentication, see <a  href="Security7.html#wp129121">Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC</a>. For information on verifying that mutual authentication is running, see <a  href="Security6.html#wp148553">Verifying Mutual Authentication is Running</a>.
</p>
<a name="wp81056"> </a><h4 class="pHeading3">
Miscellaneous Commands for Certificates
</h4>
<div class="pSmartList1"><ul class="pSmartList1">
<a name="wp80833"> </a><div class="pSmartList1"><li>To check the contents of a keystore that contains a certificate with an alias <code class="cCode">server-alias</code>: </li></div>
<a name="wp80834"> </a><p class="pBodyRelative">
<code class="cCode">keytool -list -keystore keystore.jks -alias server-alias -v</code>
</p>
<a name="wp80835"> </a><div class="pSmartList1"><li>To check the contents of the <code class="cCode">cacerts</code> file: </li></div>
<a name="wp80836"> </a><p class="pBodyRelative">
<code class="cCode">keytool -list -keystore cacerts.jks</code>
</p>
</ul></div>
<a name="wp142440"> </a><h3 class="pHeading2">
Configuring the SSL Connector
</h3>
<a name="wp142443"> </a><p class="pBody">
An SSL Connector is preconfigured for the J2EE 1.4 Application Server. You do not have to configure anything.
</p>
<a name="wp157241"> </a><h4 class="pHeading3">
 Verifying SSL Support
</h4>
<a name="wp148660"> </a><p class="pBody">