Implementation of SSL in Java

Introduction
Name – Tanuj Agrawal
Class – IT-I VI Sem
Topic – Implementation Of SSL In Java (Tomcat) And In PHP
  • date post

    19-Oct-2014
  • Category

    Technology

Transcript of Implementation of SSL in Java

Page 1: Implementation of SSL in Java

Introduction
Name – Tanuj Agrawal
Class – IT-I VI Sem
Topic – Implementation Of SSL In Java (Tomcat) And In PHP

Page 2: Implementation of SSL in Java

Web Server And Web Container

Web Server is the application that only understands the HTTP request (it does not process the request) and hands the request to the appropriate container for processing.

Web Container - the Web Container is the component that actually processes the request and generates the response.

Types of containers
A-Context (Application)
B-Engine (Service)
C-Host (Virtual Host)
D-Cluster (Set of Application)

There can be multiple containers within a single server. In Tomcat's own terms the container hierarchy is Engine > Host > Context (> Wrapper for a single servlet); the Cluster element is a component nested inside an Engine or Host for session replication rather than a container level of its own.

Page 3: Implementation of SSL in Java

What is Tomcat

Tomcat is not just a web server; it is a package which contains both a web server and a web container. When we install Tomcat, a component named the HTTP Connector (Coyote) is installed with it, and this works as the Web Server.

Tomcat can use the Apache Portable Runtime (APR), an optional native library that provides some functionality:
A-Advanced I/O functionality
B-Support for OpenSSL
C-OS level functionality

It includes three connector types:
A-HTTP
B-HTTPS (the HTTP connector with SSLEnabled="true")
C-AJP (Apache JServ Protocol, used when Tomcat sits behind an Apache httpd front end)

For SSL, Tomcat supports two implementations: the pure-Java JSSE configuration (keystore-based attributes in server.xml) and the OpenSSL-style configuration used when the APR/native connector is loaded. The steps that follow use JSSE.

Page 4: Implementation of SSL in Java

What is SSL (Secure Socket Layer)

SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data. (SSL itself, SSLv2 and SSLv3, is obsolete; what browsers and Tomcat negotiate today is its successor TLS, and the name "SSL" in Tomcat's configuration attributes covers both.)

Page 5: Implementation of SSL in Java

Another important aspect of the SSL protocol is Authentication. This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a "Certificate", as proof the site is who and what it claims to be. In certain cases, the server may also request a Certificate from your web browser, asking for proof that you are who you claim to be. This is known as "Client Authentication," although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication. (In Tomcat this is the clientAuth attribute of the connector, which stays "false" in the setup below.)

Page 6: Implementation of SSL in Java

What is a certificate?

In order to implement SSL, a web server must have an associated Certificate for each external interface (IP address) that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. (The one-certificate-per-IP-address rule dates from before TLS Server Name Indication; with SNI a server can present a different certificate per host name on the same address. In every case the certificate's subject or Subject Alternative Name must match the host name the browser asked for, or the browser will warn.)

For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a Certificate is typically purchased from a well-known Certificate Authority (CA) such as VeriSign or Thawte. Such certificates can be electronically verified -- in effect, the Certificate Authority will vouch for the authenticity of the certificates that it grants, so you can believe that the Certificate is valid if you trust the Certificate Authority that granted it.

Page 7: Implementation of SSL in Java

Configuring Tomcat for running SSL

It is done in three easy steps:

1-Generating a self-signed certificate.

2-Configuring Tomcat for enabling SSL.

3-Configuring your application to run on SSL.

Page 8: Implementation of SSL in Java

Step-1

Java provides a relatively simple command-line tool, called keytool, which can easily create a "self-signed" Certificate. Self-signed Certificates are simply user-generated Certificates which have not been officially registered with any well-known CA, and are therefore not really guaranteed to be authentic at all. keytool generates the keystore file, which stores the private key and the certificates necessary to make the protocol secured.

First we create a keystore file (.jks):

    keytool -genkey -alias tomcat -keyalg RSA -keystore C:\keystore.jks

When we give this command it will ask for some information about your name, organization, locality etc., and for the keystore and key passwords. The "first and last name" it asks for becomes the certificate's CN and should be the host name users will type (localhost for local testing). On a current JDK the same command is spelled -genkeypair; add -keysize 2048 -validity 365 so the key size and lifetime are explicit rather than the tool's defaults.

Page 9: Implementation of SSL in Java

Certificate signing request (.csr)

    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore C:\keystore.jks

This (.csr) can be sent to a certifying authority for certification.

After getting back the signed certificate from the vendor, it can be imported into the keystore of your server: first import the CA's root (and any intermediate) certificate as a trusted entry, then import the signed certificate under the same alias (tomcat) so that it replaces the self-signed one and stays paired with the private key.

Page 10: Implementation of SSL in Java

Step-2

Configuring server.xml for enabling SSL support in Tomcat. That server.xml will be found in

    C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\

Find this tag in the file:

    <!-- <Connector port="8443" ……………. /> -->

By default it is commented out. Remove the comment markers and add an additional attribute, keystoreFile, to this tag:

    keystoreFile="C:\keystore.jks"

If the keystore password is anything other than Tomcat's default of "changeit", add keystorePass="..." as well. If the keystore holds more than one key entry, add keyAlias="tomcat" so Tomcat picks the right one.
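The Connector written out in full, as an added example that is not from the slides: first the Tomcat 6/7 form the slide refers to, with the keystore attributes filled in and the protocol family pinned to TLS, then the equivalent SSLHostConfig form that Tomcat 8.5 and later use, which is also where the accepted TLS versions are restricted. The path, password and alias are assumptions carried over from Step 1.

```xml
<!-- Tomcat 6 / 7: everything as attributes on the Connector.
     keystoreFile, keystorePass and keyAlias are the added attributes;
     the rest is Tomcat's own commented-out default. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\keystore.jks" keystorePass="changeit"
           keyAlias="tomcat" />

<!-- Tomcat 8.5 / 9: the same settings nested in SSLHostConfig.
     protocols limits the handshake to TLS 1.2 and 1.3; older SSL/TLS
     versions are refused rather than negotiated down to. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3" certificateVerification="none">
        <Certificate certificateKeystoreFile="C:\keystore.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

In the 6/7 form, sslProtocol="TLS" only selects the JSSE protocol family; later 7.0.x builds accept sslEnabledProtocols="TLSv1.2" on the Connector to actually exclude the old versions. Restart Tomcat after editing server.xml and check catalina.out for keystore or password errors before testing in a browser.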

Page 11: Implementation of SSL in Java

Step-3

Configuring your application's web.xml: open the web.xml of that application and add this XML fragment just before web-app ends, i.e. before </web-app>:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Page 12: Implementation of SSL in Java

/* indicates that now any resource in your application can be accessed only with https, be it Servlets or JSPs.

The term CONFIDENTIAL tells the server to make the application work on SSL. If you want to turn SSL mode off for this application, don't delete the fragment; just put the value NONE instead of CONFIDENTIAL.

Now both your server and application have been configured to run on SSL. Type the URL https://localhost:8443 in the browser. A page opens with a warning. This warning comes from the self-signed certificate, because the browser cannot authenticate it against any CA it trusts, so we have to add an exception. Two things to keep in mind: a plain-http request to the constrained path is answered with a redirect to the https port (the redirectPort of the HTTP connector), so that first request still travels unencrypted; and the "add an exception" step is acceptable only on a development machine, since a production server needs a CA-issued certificate so that no user is trained to click through warnings.
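The constraint above encrypts the transport but does not, by itself, stop the session cookie from being sent if the same application is ever reached over plain http. An added example, not from the slides, of the web.xml fragment that closes that gap on Tomcat 7 or later (it needs the Servlet 3.0 web-app version; Tomcat 6 is Servlet 2.5 and ignores cookie-config): the same security-constraint plus a session-config that marks JSESSIONID Secure and HttpOnly.

```xml
<!-- web.xml for a Servlet 3.0 application (Tomcat 7+). The
     security-constraint is the one from the slide; session-config is the
     addition. version="3.0" on <web-app> is an assumption about the app. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <!-- CONFIDENTIAL: plain-http requests are redirected to redirectPort -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <session-config>
    <cookie-config>
      <!-- Secure: the browser never sends JSESSIONID over http,
           so the pre-redirect request cannot leak it.
           HttpOnly: script on the page cannot read it. -->
      <secure>true</secure>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>

</web-app>
```

With both in place, a session created over https stays on https; the redirect from http only ever carries a request without a session cookie.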

Page 13: Implementation of SSL in Java

SSL on PHP

We use the XAMPP server for running PHP. It is a complete package with all the required tools:

Apache server
PHP
MySQL

It has many extensions already installed with it, and openSSL is one of them: the bundled Apache comes with mod_ssl enabled and a self-signed certificate already referenced from its SSL configuration (httpd-ssl.conf under apache\conf\extra). So we need not do anything with XAMPP for running SSL on PHP. Type the URL https://localhost in your browser, add an exception for the self-signed certificate as before, and it will run. To use your own certificate instead, point SSLCertificateFile and SSLCertificateKeyFile in that file at your certificate and key and restart Apache; the bundled certificate is the same for every XAMPP install and is only fit for local testing.

Page 14: Implementation of SSL in Java

Thank You
TANUJ AGRAWAL
([email protected])