On Unix systems, Resin's JNI libraries can support SSL using the
OpenSSL libraries.
Although the ./configure script will detect many configurations,
you can specify the openssl location directly:
resin> ./configure --with-openssl=/usr/local/ssl
The SSL port is configured in the httpd.conf's <http> element by
adding the ssl flag and configuring a key with the
certificate-pem element:
...
<http-server>
  <http port='443' ssl>
    <certificate-file>/opt/resin/cert/ssl.crt</certificate-file>
    <certificate-key-file>/opt/resin/cert/ssl.key</certificate-key-file>
  </http>
...
</http-server>
Since OpenSSL uses the same certificate files as Apache, you can
get signed certificates using the same method as for Apache's
mod_ssl, or by following the OpenSSL instructions.
OpenSSL's engine support is configured with crypto-device.
If OpenSSL is not available, you can use Sun's JSSE to provide
SSL. Sun's implementation of JSSE is significantly
slower than OpenSSL, though.
This section gives a quick guide to installing a test SSL
configuration using Sun's JSSE. It avoids as many complications as
possible and uses Sun's keytool to create a server certificate.
Resin's SSL support is provided by Sun's JSSE. Because of
export restrictions, patents, etc., you'll need to download the JSSE
distribution from Sun or get a commercial JSSE implementation.
More complete JSSE installation instructions are at
http://java.sun.com/products/jsse/install.html.
- First download Sun's JSSE.
- Uncompress and extract the downloaded file.
- Install the JSSE jar files: jsse.jar, jnet.jar, and jcert.jar. You can
  either put them into the CLASSPATH or into $JAVA_HOME/jre/lib/ext.
  Since you will use "keytool" with the new jars, you need to make them
  visible to keytool. Just adding them to resin/lib is not enough.
- Register the JSSE provider (com.sun.net.ssl.internal.ssl.Provider).
  Modify $JAVA_HOME/jre/lib/security/java.security so it contains something like:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider
Adding the JSSE provider allows "keytool" to create a key using the RSA
algorithm.
Create a test server certificate
The server certificate is the core of SSL. It identifies your server and
contains the secret key that makes encryption work. There are several
ways to obtain one:
- Sun's keytool
- A self-signed certificate using openssl
- A test certificate from Thawte
- A production certificate from one of the certificate authorities (Verisign, Thawte, etc.)
In this case, we're using Sun's keytool to generate the
server certificate. Here's how:
resin1.2.b2> mkdir keys
resin1.2.b2> keytool -genkey -keyalg RSA -keystore keys/server.keystore
Enter keystore password: changeit
What is your first and last name?
[Unknown]: www.caucho.com
What is the name of your organizational unit?
[Unknown]: Resin Engineering
What is the name of your organization?
[Unknown]: Caucho Technology, Inc.
What is the name of your City or Locality?
[Unknown]: San Francisco
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=www.caucho.com, OU=Resin Engineering,
O="Caucho Technology, Inc.", L=San Francisco, ST=California, C=US> correct?
[no]: yes
Enter key password for <mykey>
(RETURN if same as keystore password): changeit
Currently, the key password and the keystore password must be the same.
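Before pointing Resin at the keystore, it is worth verifying that every key entry opens with the keystore password (the constraint just mentioned), that the key is RSA, and that the certificate is currently valid. The following is an added example, not part of the Resin documentation or distribution; the default path keys/server.keystore and the password changeit are the values from the walkthrough above and are assumptions.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Sanity check for the keystore Resin will read: every key entry must
 * open with the keystore password (Resin uses one password for both),
 * and its certificate should be RSA and currently valid.
 */
public class KeystoreCheck {
  public static void main(String[] args) throws Exception {
    // Defaults match the keytool walkthrough; both are assumptions.
    String path = args.length > 0 ? args[0] : "keys/server.keystore";
    char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

    KeyStore ks = KeyStore.getInstance("JKS");
    try (FileInputStream in = new FileInputStream(path)) {
      ks.load(in, password); // throws IOException if the store password is wrong
    }

    int problems = 0;
    for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
      String alias = e.nextElement();
      if (!ks.isKeyEntry(alias)) continue;

      try {
        Key key = ks.getKey(alias, password);
        System.out.println(alias + ": private key ok (" + key.getAlgorithm() + ")");
      } catch (UnrecoverableKeyException ex) {
        // Key password differs from the keystore password: Resin cannot use it.
        System.out.println(alias + ": key password differs from keystore password");
        problems++;
      }

      Certificate c = ks.getCertificate(alias);
      if (c instanceof X509Certificate) {
        X509Certificate cert = (X509Certificate) c;
        System.out.println("  subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("  expires: " + cert.getNotAfter());
        try {
          cert.checkValidity(); // expired or not-yet-valid certificates throw here
        } catch (CertificateException ex) {
          System.out.println("  certificate not currently valid: " + ex.getMessage());
          problems++;
        }
      }
    }
    System.exit(problems == 0 ? 0 : 1);
  }
}
```

Run it as `java KeystoreCheck keys/server.keystore changeit`; a non-zero exit status means Resin will not be able to use the keystore as configured.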
The Resin SSL configuration extends the http configuration with a few new
elements.
<caucho.com>
  <http-server>
    <http port='8443'>
      <ssl>true</ssl>
      <key-store-file>keys/server.keystore</key-store-file>
      <key-store-password>changeit</key-store-password>
    </http>
    ...
  </http-server>
</caucho.com>
With the above configuration, you can test SSL with https://localhost:8443.
A quick test is the following JSP.
Secure? <%= request.isSecure() %>
Copyright © 1998-2002 Caucho Technology, Inc. All rights reserved.
Resin® is a registered trademark,
and HardCore™ and Quercus™ are trademarks of Caucho Technology, Inc.