INTRODUCTION
SSL is an acronym for Secure Sockets Layer, an encryption
technology. SSL creates an encrypted connection between your web server and
your visitor web browser allowing for private information to be transmitted
without the problems of eavesdropping, data tampering, or message forgery. To
enable SSL on a website, we will need to get an SSL Certificate that identifies
you and install it on the server. When an SSL certificate is installed on a
website, we can assure that the information you enter (contact or credit card
information), is secured and only seen by the organization that owns the
website.
SSL “HOW IT WORKS ?”
1. A
browser attempts to connect to a website secured with SSL.
2. The
browser requests that the web server identify itself.
3. The
server sends the browser a copy of its SSL Certificate.
4. The
browser checks whether it trusts the SSL Certificate. If so, it sends a message
to the server.
5. The
server sends back a digitally signed acknowledgement to start an SSL encrypted
session.
6.
Encrypted data is shared between the browser and the server.
Web servers and web browsers rely on the Secure
Sockets Layer (SSL) protocol to help users protect their data during transfer
by create a uniquely encrypted channel for private communications over the
public Internet. Each SSL Certificate consists of a key pair as well as
verified identification information. When a web browser (or client) points to a
secured website, the server shares the public key with the client to establish
an encryption method and a unique session key. The client confirms that it
recognizes and trusts the issuer of the SSL Certificate. This process is known
as the "SSL handshake" and it begins a secure session that protects
message privacy and message integrity.
When a browser connects to a server, the server
sends the identification information to the browser.
To view a websites’ credentials:
* Click the closed padlock in a browser
window
* Click
the trust mark (such as a Norton Secured Seal)
* Look in
the green address bar triggered by an Extended Validation (EV) SSL
Step 1 : Installation of Apache Tomcat Web Server on Windows
Before
installing Tomcat, make sure you have a Java Runtime Environment (JRE) on your
machine. A JRE can be downloaded from http://www.javasoft.com/
Once
you have a JRE installed, you can install Tomcat. To get Tomcat, visit the
following link: http://tomcat.apache.org/ Once there, click on the Tomcat 5.5 link under
the Download heading. Under Core, select the Windows Service Installer.
After downloading,
launch the installer. If using Windows Vista, right-click and select "Run
as Administrator". The installation process is self-explanatory. After the
installer finishes, Tomcat is installed and the Tomcat service is started and
listening on the port you specified during the install process, the default of
which is 8080.
Tomcat can be
stopped and started via the control panel - administrative tools - services -
Apache Tomcat service.
To test the tomcat installation, enter the
following in your web browser: http://localhost:8080/
If the apache tomcat page shows up, the installation was successful.
Keep your web pages in the C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps directory.
Step 2 : Create 3-Level Hierarchical Trust Model using Openssl
·
Download
Openssl from the link: http://www.openssl.org/related/binaries.html and install it by double click
on the setup file and then next , next and finish.
·
Now
set the path for OpenSSL
We
have to go into Computer properties and then to the advanced tab. Go to
Advanced tab into the environment variables, then in user variable name and
write the path of the openssl/bin in
the variable value and terminate with the semicolon (;)
Make the folder in the C Drive named ssl with
hierarchy /usr/local/ssl and copy
the openssl.cnf file from openssl
folder in the C Drive in GNUwin32 to the ssl directory.
Now
we have to create a ROOT CA
//Create
a folder/directory for ROOT CA in any location by below command, any name can
be given but here we are giving name RootCA and we are creating in Desktop.
-
mkdirRootCA
// Check whether directory got
created or not with the below command
-
dir
// Go
inside the directory with the below given command
-
cd
RootCA
//
Make directories inside the ROOTCA
directory with the help of below given command to keep the certificates (Which
we will be creating later)
-
mkdir
certs,crl,newcerts, private
// Check whether directories got
created or not with the below command
-
dir
-
copy
nul index.txt
or
Right click in the RootCA folder
somewhere and create the new file named as index.txt
// Make an text file named serial
and write serial no. inside it with the following command
-
echo
01 > serial
// Copy openssl.cnf file from
openssl folder to RootCA folder and also to the usr/local/ssl folder
// Generate a private key
-
opensslgenrsa
-des3 -out private/RootCA.key 1024
// Create a self-signed
certificate using private key
opensslreq -new -x509 -nodes -sha1 -days
1825 -key private/RootCA.key -out RootCA.pem
//
Do the following changes in openssl.cnf file which is inside RootCA folder
In
openssl.cnf file change following:
-
basic
constraints: FALSE
to
-
basic
constraints: TRUE
-
//
We will find three occurrences of these values
[
CA_default ]
-
dir
= ./
-
certificate=
$dir/RootCA.pem # The CA certificate
-
private_key = $dir/private/RootCA.key # The private key
Now
we have to create a CA
// Be inside the ROOT CA
Directory and create directory /folder for CA, any name can
be given but here we are giving
the name CA
-
mkdir
CA
//
Go inside the CA directory with the following command
-
cd
CA
//
Copy the openssl.cnf file from openssl folder to CA folder
//
Make the directories inside the CA directory to keep the certificates for CA
-
mkdir
certs crlnewcerts private
// Check whether directories got
created or not with the below command
-
dir
// Make an empty text file named
as index.txt
-
copy
nul index.txt
or
Right
click in the CA folder somewhere and create the new file named as index.txt
// Make an text file named serial
and write serial no inside it with the following
Command:
-
echo
01 > serial
Generate
the CA key:
-
opensslgenrsa
-des3 -out private/CAKey.pem 1024
// Generate a signing request
(valid for 1year)
-
opensslreq
-new -sha1 -key private/CAKey.pem -out CA.csr
// Copy the sign request CA.csr
from CA directory to the ROOT CA directory .
// Come out of CA directory with
the help of following command
-
cd
..
// Now you will be in the ROOT CA
directory so sign the request using the following
command
-
opensslca
-extensions v3_ca -days 365 -out CA.crt -in CA.csr -configopenssl.cnf
// Copy CA.crt from Root CA to CA folder
// Go inside the CA folder with
the following
-
cd CA
// Do the changes in the
openssl.cnf file which is inside the CA folder as suggested
below
-
[CA_default ]dir = ./
-
certificate
= $dir/CA.crt # The CA certificate
-
private_key
= $dir/private/CAkey.pem# The privatekey
Create end-user certificate
// Make sure you are in the CA
folder and not in the Root CA
// Create the private key
-
opensslgenrsa
-des3 -out server.key1024 //generate a certificate sign request
opensslreq
-new -key server.key -out server.csr
// Sign the request with the CA
-
opensslca
-configopenssl.cnf -policy policy_anything -out server.crt –infiles server.csr
//Export
the Private Key in the .P12 format certificate
openssl
pkcs12 -export -in server.crt -inkeyserver.key -out server.p12
// Import server.p12 file in
personal tab in the IE browser.
// Import CA.crt file in
Intermediate Certification Authorities tab in the IE browser.
// Import RootCA.pem file in Trusted
Root Certification Authority tab in the IE browser.
Using
the Jetty Software
This software is used to convert .p12 file (which is
used to store the private key along with X.509 certificate) into jks(java key
store)
Copy the .p12 file in any folder, here we are
keeping in the desktop folder named “Convert”
Copy the Jetty-6.1.25.jar in the same Convert folder
which is on the Desktop
Before opening the command line we have to set the
environment variables of java in the environment variables option, As:
-
Variable
name = JAVA_HOME
Variable value = C:\Program Files\Java\jdk1.5.0_13 // no need of
Variable value = C:\Program Files\Java\jdk1.5.0_13 // no need of
semi-colon at the end
-
Variable name = PATH
Variable value = C:\Program Files\Java\jdk1.5.0_13\bin; //
mandatory
to terminatedthe path with semi-colon
Now, Open the command line(cmd) and then go inside
the folder where .p12 and Jetty are being copied
Then we have to type the following command in
windows:
-
java
–classpath .;jetty-6.1.25.jarorg.mortbay.jetty.security.PKCS12Import server.p12
output.jks
Step 3 : Configuring server.xml in Apache Tomcat 5.5
Go to the following path:
C:\Program Files\Apache Software
Foundation\Tomcat 5.5\conf
Now open the server.xml and copy
the below code at:
<!-- Define a SSL HTTP/1.1
Connector on port 8443 -->
<Connector
className="org.apache.coyote.tomcat5.CoyoteConnector"
port="8443"
maxHttpHeaderSize="8192"
// Here https port no. is 8443
maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https" secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="C:\server.jks" // Place the server.jks file in C:\
Drive
keystorePass="1234567" // Here we use password of the server.jks
is 1234567
truststoreFile="C:\truststore.jks" // Place the truststore.jks file in C:\
Drive
truststorePass="1234567"
/> // Here we use password
of truststore.jks is 1234567
Now
to make specific page run on the https
We have to go to the Apache
Tomcat 5.5 folder which is installed in C Drive in program files.
In the web apps and in web.xml
file of the WEB-INF folder in the bottom we have to insert the code written
below:
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
If you omit the
<transport-guarantee>CONFIDENTIAL</transport-guarantee> tag (or the whole <security-constraint>) your application will be
available through both HTTP and HTTPS. If your web.xml contains <transport-guarantee>CONFIDENTIAL</transport-guarantee> Tomcat automatically redirects
the requests to the SSL port if you try to use HTTP.
Now in the place of “/*” in above
code, if we keep any web page then the specific web page will run on https.
If we don’t write anything in
that column, then by default all the web pages will be running on https or on
the specific port which will be mentioned there by us.
C:\Program
Files\Apache Software Foundation\Tomcat5.5\webapps\ROOT\WEB-INF
From the above folder copy “web.xml” and “lib” to C:\Program Files\Apache Software
Foundation\Tomcat 5.5\webapps\test
Here “test”
folder is created by us or admin in webapps folder in which all the web pages
and web.xml, lib files are kept.
Meanings
1.
.pem – Privacy Enhanced Mail Security
Certificate. In cryptography, a public key certificate is a certificate which
uses a digital signature to bind together a public key with an identity.
2.
.csr – Certificate Signing Request
File. Contains an encrypted block of text that identifies the applicant of the
certificate, includes encrypted data of all the fields user has entered.
3.
.p12 – It is used to store the
private key along with X.509 certificate. It is one of the family of standards
called Public key Cryptographic Standards.
4.
.crt – Certificate file. This file is
in pem format. It can be used with different programs and devices that use
certificates. This can be publically distributed.
5.
.cnf–Configuration
file type. It is associated with IBM.
6.
.crl –
certificate revocation list .This file can be publically distributed.
7.
.pkcs 12 – PKCS 12 defines an archive file format commonly
used to directly store a private key along with its X.509 certificate.
8. nul – It is a magic command that
always creates an empty file and throws anything you want that you type in it.
9. genrsa – This command generates an RSA
private key.
10. Des3
(Triple Data Encryption Standard ) – The original DES key size was 56 bits
which was generally sufficient, but was vulnerable to brute force attacks,
hence triple DES provides a relatively strong algorithm by increasing the key
size to protect against such attacks. Triple DES uses 168 bits of key but only
provides effective security of 112 bits. Ex – Microsoft Outlook, Electronic
Payment, Microsoft OneNote uses password to protect user content and system
data.
11. rootCA.key – It is the name of the key file
which we have created.
12. 1024 – It refers to 1024 bit long RSA
private key.
13. req – X.509 Certificate Signing Request (CSR) Management. By
default a certificate is expected on input. With this option a certificate
request is expected instead. It requires the bits to be used, key size, the
attributes of the file and the name of the file.
14. sha1
– Message digest.
15. -days 1825 –
The certificate is valid for 1825 days.
16. rootCA.pem
– A file which binds the public key and the RootCA private identity key.
17. ca
– Certificate Authority Management.
18. -days
365 – The certificate is valid for 365 days.
19. rand
– For generating the pseudo-random bytes.
20. -extensions v3 – The section to add to a
certificate from. If this option is not specified then the extension should
either be contained in the unnamed
section or the default section contain a variable called extensions which contains the sections to use.
21. -policypolicy_anything
– The fields about the country name, state, province, organization name and the
owners name is entered and is required to match to that of the CA certificate.
No comments:
Post a Comment