JSSE
 SSL Test Installation


  1. Using OpenSSL on Unix
  2. Install JSSE from Sun
  3. Create a test server certificate
  4. resin.conf
  5. Testing

Using OpenSSL on Unix

On Unix systems, Resin's JNI libraries can support SSL using the OpenSSL libraries. Although the ./configure script will detect many configurations, you can specify the openssl location directly:

resin> ./configure --with-openssl=/usr/local/ssl

The SSL port is configured in the httpd.conf's <http> element by adding the ssl flag and configuring a key with the certificate-pem element:

...
<http-server>
  <http port='443' ssl>
    <certificate-file>/opt/resin/cert/ssl.crt</certificate-file>
    <certificate-key-file>/opt/resin/cert/ssl.key</certificate-key-file>
  </http>

  ...
</http-server>

Since OpenSSL uses the same certificate as Apache, you can get signed certificates using the same method as for Apache's mod_ssl or following the OpenSSL instructions.

OpenSSL's engine support is configured with crypto-device.
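
A test pair for the certificate-file and certificate-key-file elements above can be made with the openssl command line. The script below is an added example, not part of the Resin documentation; the function names, the localhost subject and the 30-day lifetime are assumptions. It also checks that the certificate and key belong together and that the key file is not readable by other users.

```sh
#!/bin/sh
# Added example, not Resin code. Function names, the "localhost" subject
# and the 30-day lifetime are assumptions chosen for a test setup.

# make_test_cert DIR [CN]: write DIR/ssl.key and DIR/ssl.crt (self-signed).
make_test_cert() {
  dir=$1; cn=${2:-localhost}
  mkdir -p "$dir" || return 1
  # umask 077 in a subshell: the key is never group- or world-readable.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$cn" \
      -keyout "$dir/ssl.key" -out "$dir/ssl.crt" ) 2>/dev/null
}

# cert_matches_key CRT KEY: succeed only if the certificate carries the
# public key that belongs to the private key.
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_is_private KEY: succeed if no group/other permission bits are set.
key_is_private() {
  case $(ls -l "$1" 2>/dev/null | cut -c5-10) in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: sh make-test-cert.sh /opt/resin/cert
if [ -n "${1:-}" ]; then
  make_test_cert "$1" &&
    cert_matches_key "$1/ssl.crt" "$1/ssl.key" &&
    key_is_private "$1/ssl.key" &&
    echo "ok: $1/ssl.crt and $1/ssl.key are a matching pair"
fi
```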

Install JSSE from Sun

If OpenSSL is not available, you can use Sun's JSSE to provide SSL. Sun's implementation of JSSE is significantly slower than OpenSSL, though.

This section gives a quick guide to installing a test SSL configuration using Sun's JSSE. It avoids as many complications as possible and uses Sun's keytool to create a server certificate.

Resin's SSL support is provided by Sun's JSSE. Because of export restrictions, patents, etc., you'll need to download the JSSE distribution from Sun or get a commercial JSSE implementation.

More complete JSSE installation instructions are at http://java.sun.com/products/jsse/install.html.

  1. First download Sun's JSSE.
  2. Uncompress and extract the downloaded file.
  3. Install the JSSE jar files: jsse.jar, jnet.jar, and jcert.jar. You can either put them into the CLASSPATH or you can put them into $JAVA_HOME/jre/lib/ext. Since you will use "keytool" with the new jars, you need to make them visible to keytool. Just adding them to resin/lib is not enough.
  4. Register the JSSE provider (com.sun.net.ssl.internal.ssl.Provider). Modify $JAVA_HOME/jre/lib/security/java.security so it contains something like:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider
    
    Adding the JSSE provider allows "keytool" to create a key using the RSA algorithm.

Create a test server certificate

The server certificate is the core of SSL. It will identify your server and contain the secret key to make encryption work. It can come from any of these sources:

  • Sun's keytool
  • A self-signed certificate using OpenSSL
  • A test certificate from Thawte
  • A production certificate from one of the certificate authorities (Verisign, Thawte, etc.)

In this case, we're using Sun's keytool to generate the server certificate. Here's how:

resin1.2.b2> mkdir keys
resin1.2.b2> keytool -genkey -keyalg RSA -keystore keys/server.keystore
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  www.caucho.com
What is the name of your organizational unit?
  [Unknown]:  Resin Engineering
What is the name of your organization?
  [Unknown]:  Caucho Technology, Inc.
What is the name of your City or Locality?
  [Unknown]:  San Francisco
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is <CN=www.caucho.com, OU=Resin Engineering,
  O="Caucho Technology, Inc.", L=San Francisco, ST=California, C=US> correct?
  [no]:  yes

Enter key password for <mykey>
        (RETURN if same as keystore password):  changeit

Currently, the key password and the keystore password must be the same.

resin.conf

The Resin SSL configuration extends the http configuration with a few new elements.

<caucho.com>
  <http-server>

    <http port='8443'>
      <ssl>true</ssl>
      <key-store-file>keys/server.keystore</key-store-file>
      <key-store-password>changeit</key-store-password>
    </http>

    ...

  </http-server>
</caucho.com>

Testing

With the above configuration, you can test SSL with https://localhost:8443. A quick test is the following JSP.

Secure? <%= request.isSecure() %>


Copyright © 1998-2002 Caucho Technology, Inc. All rights reserved.
Resin® is a registered trademark, and HardCore™ and Quercus™ are trademarks of Caucho Technology, Inc.