On Unix systems, Resin's JNI libraries can support SSL using the
Although the ./configure script will detect many configurations,
you can specify the openssl location directly:
resin> ./configure --with-openssl=/usr/local/ssl
The SSL port is configured in the httpd.conf's <http> element by
flag and configuring a key with the
<http port='443' ssl>
Since OpenSSL uses the same certificate as Apache, you can
get signed certificates using the same method as for Apache's
mod_ssl or following the OpenSSL instructions.
OpenSSL's engine support is configured with crypto-device.
If OpenSSL is not available, you can use Sun's JSSE to provide
SSL. Sun's implementation of JSSE is significantly
slower than OpenSSL, though.
This section gives a quick guide to installing a test SSL
configuration using Sun's JSSE. It avoids as many complications as
possible and uses Sun's keytool to create a server certificate.
Resin's SSL support is provided by Sun's JSSE. Because of
export restrictions, patents, etc., you'll need to download the JSSE
distribution from Sun or get a commercial JSSE implementation.
More complete installation instructions for JSSE are at
- First download Sun's JSSE.
- Uncompress and extract the downloaded file.
- Install the JSSE jar files: jsse.jar, jnet.jar, and jcert.jar. You can either put them into the CLASSPATH or you can put them into $JAVA_HOME/jre/lib/ext. Since you will use "keytool" with the new jars, you need to make them visible to keytool. Just adding them to resin/lib is not enough.
- Register the JSSE provider (com.sun.net.ssl.internal.ssl.Provider).
Modify $JAVA_HOME/jre/lib/security/java.security so it contains something like:
Adding the JSSE provider allows "keytool" to create a key using the RSA
Create a test server certificate
The server certificate is the core of SSL. It will identify your server and
contain the secret key to make encryption work.
- Sun's keytool
- A self-signed certificate using open_ssl
- A test certificate from Thawte
- A production certificate from one of the certificate authorities (Verisign, Thawte, etc)
In this case, we're using Sun's keytool to generate the
server certificate. Here's how:
Enter keystore password:
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is <CN=www.caucho.com, OU=Resin Engineering,
O="Caucho Technology, Inc.", L=San Francisco, ST=California, C=US> correct?
Enter key password for <mykey>
(RETURN if same as keystore password):
Currently, the key password and the keystore password must be the same.
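One way to check the keystore that keytool produced before configuring Resin with it, as an added example that is not part of the original Resin documentation. The class name KeystoreCheck is hypothetical and the code uses only the standard java.security API; it confirms that the key password matches the keystore password, as required above, and reports each certificate's subject, expiry and whether it is self-signed.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper (not part of Resin): checks a keytool-generated keystore.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 1 || con == null) {
            System.err.println("usage (interactive terminal): java KeystoreCheck <keystore-file>");
            System.exit(2);
        }
        // Prompt for the password so it stays out of the process list and shell history.
        char[] password = con.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // IOException here: wrong password or modified file
        }

        int usable = 0, problems = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // skip trusted-certificate entries
            try {
                // Succeeds only if the key password equals the keystore password.
                Key key = ks.getKey(alias, password);
                Certificate c = ks.getCertificate(alias);
                if (!(c instanceof X509Certificate)) throw new CertificateException("no X.509 certificate");
                X509Certificate cert = (X509Certificate) c;
                cert.checkValidity(); // throws if expired or not yet valid
                boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
                System.out.printf("%s: %s key, subject=%s, expires=%s, %s%n", alias, key.getAlgorithm(),
                        cert.getSubjectX500Principal().getName(), cert.getNotAfter(),
                        selfSigned ? "self-signed (test use only)" : "CA-issued");
                usable++;
            } catch (UnrecoverableKeyException | CertificateException e) {
                System.out.println(alias + ": " + (e instanceof UnrecoverableKeyException
                        ? "key password differs from the keystore password"
                        : "certificate problem: " + e.getMessage()));
                problems++;
            }
        }
        System.exit(usable > 0 && problems == 0 ? 0 : 1);
    }
}
```

The exit status is 0 only when at least one key entry is usable and no entry reported a problem, so the check can gate a deployment script.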
The Resin SSL configuration extends the http configuration with a few new
With the above configuration, you can test SSL with https://localhost:8443.
A quick test is the following JSP.
Secure? <%= request.isSecure() %>
Copyright © 1998-2002 Caucho Technology, Inc. All rights reserved.
Resin® is a registered trademark,
and HardCore™ and Quercus™ are trademarks of Caucho Technology, Inc.