Configure Apache Tomcat for 2-way SSL (version 6.0.18)
- Open the server.xml file in a text editor; it is located in your Tomcat directory at <TOMCAT_HOME>\conf\server.xml
- Find this text block and uncomment it:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
- Modify this text block as follows. clientAuth="true" is the setting that makes the connector require a client certificate, SSLEnabled="true" is required for Tomcat 6 to actually speak TLS on the port, and the truststore attributes are spelled truststoreFile and truststorePass:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="<CERTIFICATES_DIR>\localhost.jks" keystorePass="password" truststoreFile="<CERTIFICATES_DIR>\localhost.jks" truststorePass="password"/>
- Launch Tomcat and browse to https://localhost:8443/ in your preferred browser.
- The browser will prompt you for a client certificate (note: if you are not offered a certificate, try importing it into IE via Tools > Internet Options > Certificates > Import). Select the correct client certificate.
- If the site loads, Tomcat is installed and working correctly. If you get a page-not-found or other error, Tomcat was installed or configured incorrectly.
- Configure Tomcat to support client-side SSL: you must also tell the Tomcat JVM where the truststore is and give its password. Set these either on the command line or, if you run Tomcat inside your IDE, in its run configuration: -Djavax.net.ssl.trustStore=C:\{somedir}\localhost.jks -Djavax.net.ssl.trustStorePassword=password
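Before trusting the browser test above, it is worth checking server.xml itself for the attributes the steps rely on. The following audit script is an added example, not part of the original page or of Tomcat; it parses a constructed server.xml (the sample ports, file paths and messages are assumptions) and reports any HTTPS connector that still lets a client in without a certificate, lacks SSLEnabled="true", or leaves the keystore or truststore at its defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the page's file): port 8443 is the default
# HTTPS connector before the page's edit, port 9443 is the 2-way SSL form from the page.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="conf/localhost.jks" keystorePass="password"
               truststoreFile="conf/localhost.jks" truststorePass="password"/>
  </Service>
</Server>"""


def audit_connectors(server_xml: str) -> dict:
    """Map each HTTPS connector's port to a list of findings (empty list = clean).

    A connector is treated as HTTPS when it has SSLEnabled="true" or scheme="https";
    plain HTTP connectors are skipped.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        ssl_enabled = a.get("SSLEnabled", "false").lower() == "true"
        if not ssl_enabled and a.get("scheme", "").lower() != "https":
            continue
        issues = []
        client_auth = a.get("clientAuth", "false").lower()
        if client_auth != "true":
            # "false" and "want" both let a client without a certificate through
            issues.append(f'clientAuth="{client_auth}": client certificate is not required')
        if not ssl_enabled:
            # Tomcat 6 needs SSLEnabled="true"; scheme="https" alone serves plaintext
            issues.append('SSLEnabled="true" missing: connector will speak plain HTTP')
        if a.get("secure", "false").lower() != "true":
            issues.append('secure="true" missing: request.isSecure() will be false')
        if "keystoreFile" not in a:
            issues.append("keystoreFile not set: Tomcat falls back to ~/.keystore")
        if client_auth == "true" and "truststoreFile" not in a:
            issues.append("truststoreFile not set: client CAs come from "
                          "javax.net.ssl.trustStore or the JVM cacerts")
        if "truststoreFile" in a and a["truststoreFile"] == a.get("keystoreFile"):
            issues.append("truststoreFile is the same file as keystoreFile: every CA "
                          "certificate in it can issue accepted client certificates")
        findings[a.get("port", "?")] = issues
    return findings
```

Run it against your real <TOMCAT_HOME>\conf\server.xml by passing the file contents to audit_connectors(); the last finding is informational and applies to the page's setup, where the same .jks file serves as both keystore and truststore.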
Install public / private key certificates in your browser
- Your browser must be configured to recognize your certificates as issued by a trusted certificate authority, and to know how to identify you using your private key.
Firefox instructions:
- From the Firefox menu, choose Tools > Options
- Go to the Advanced tab > Encryption > View Certificates
- Go to the Authorities tab
- Click the Import button
- Locate and select the CA certificates that you want your browser to recognize as legitimate CAs, then click "Open"
- Tick each purpose for which you want to trust this CA. The options are websites, email addresses, and software developers.
- Click ok
Firefox will now trust content signed with certificates installed.
IE Instructions:
- Go to Tools > Internet Options
- Select the "Content" tab.
- Click the button labeled "Certificates"
- Click on the tab labeled Trusted Root Certification Authorities
- Click Import
- The wizard starts. Click Next, then select the certificate file you want to trust as a CA
- Select a certificate store. Click Finish
- You will see a pop-up window to confirm the installation. Click Yes
Internet Explorer will now trust content signed with certificates issued by the certification authority that you just installed.
With PKI encryption, your browser needs to know how to identify you to the server using a private key. To do this, you need to install your certificates manually. The certificates imported in this example have the .p12 extension.
Firefox instructions:
- From the Firefox menu, choose Tools > Options
- Go to the Advanced tab > Encryption > View Certificates
- Click the tab labeled "Your Certificates"
- Click Import
- Browse to and select the certificate you want to use to identify yourself. Click "Open"
- Enter the password that is used with this certificate and click Ok
Your certificate is now installed and can be used to identify you on servers using PKI encryption. The above steps can be repeated to install additional certificates if you want to identify yourself with different identities at different times.
IE Instructions:
- Go to Tools > Internet Options
- Select the "Content" tab.
- Click the button labeled "Certificates"
- Select the "Personal" tab
- Click Import
- The wizard starts. Click "Next" ... then select the .p12 file that you want to use to identify yourself. Click "Next"
- Enter the password for the certificate and any required parameters.
- Choose where to store the certificate, and click Next > Finish.
Your personal certificate is now installed, and you can use it to identify yourself on sites using PKI encryption.
Cuga