Tags: tomcat keytool http https java
Lab environment for this walkthrough:
[root@localhost conf]# cd /usr/local/tomcat/bin/
[root@localhost bin]# ./version.sh
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_75
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar
Server version: Apache Tomcat/6.0.41
Server built:   May 19 2014 11:49:25
Server number:  6.0.41.0
OS Name:        Linux
OS Version:     2.6.32-431.el6.i686
Architecture:   i386
JVM Version:    1.7.0_75-b13
JVM Vendor:     Oracle Corporation
[root@localhost bin]#
Generate the key with the JDK's keytool:
[root@localhost ~]# find / -name keytool
/usr/java/jdk1.7.0_75/jre/bin/keytool
/usr/java/jdk1.7.0_75/bin/keytool
[root@localhost ~]# cd /usr/java/jdk1.7.0_75/bin/
# /usr/local/tomcat/tomcat.keystore is where the certificate is stored;
# -validity 36500 is the certificate lifetime in days (36500 = 100 years; the default is 90 days)
[root@localhost bin]# ./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/tomcat.keystore -validity 36500
Enter keystore password:          # enter a string of more than 6 characters
Re-enter new password:
What is your first and last name?
  # Required. Must be the domain name or IP of the host where Tomcat is deployed
  # (e.g. pvbutler.blog.51cto.com or 10.15.24.254), i.e. the address you will later type into the browser
  [Unknown]:  10.15.24.254
What is the name of your organizational unit?
  # Fill in as needed, or press Enter to skip; skipped in this lab
  [Unknown]:
What is the name of your organization?
  # Same as above, press Enter
  [Unknown]:
What is the name of your City or Locality?
  # Same as above, press Enter
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=10.15.24.254, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  # Check the details shown: type "y" if they are correct, otherwise "n" to re-enter them
  [no]:  y
Enter key password for <tomcat>
        (RETURN if same as keystore password):
  # The <tomcat> key password matters: it is referenced in the Tomcat configuration.
  # Using the same password as the keystore is recommended, though a different one also works
Re-enter new password:
[root@localhost bin]#
# The file tomcat.keystore has now been created in /usr/local/tomcat
Modify the Tomcat server configuration
[root@localhost bin]# cd /usr/local/tomcat/conf/
[root@localhost conf]# cp server.xml server.xmlbak
[root@localhost conf]# cp web.xml web.xmlbak
[root@localhost conf]# vim server.xml
    <!-- change redirectPort="8443" to redirectPort="443" -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- uncomment this Connector; change port="8443" to port="443"; set keystoreFile to the
         certificate location and keystorePass to the <tomcat> key password -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/local/tomcat/tomcat.keystore" keystorePass="justin" />

    <!-- change redirectPort="8443" to redirectPort="443" -->
    <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />
[root@localhost conf]#
[root@localhost conf]# vim web.xml
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <!-- add the following after </welcome-file-list>: -->
    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
[root@localhost conf]# service tomcat stop
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_75
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar
[root@localhost conf]# service tomcat start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_75
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar
[root@localhost conf]#
Once the configuration above is complete and Tomcat has been restarted, SSL is in use. Typing an "http://" address into the IE address bar is automatically redirected to "https://". A Windows environment works the same way; edit the corresponding files there.
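As an added example (not from the original post), the following Python script parses a server.xml / web.xml pair like the one configured above and reports the inconsistencies that would leave plain HTTP reachable: a redirectPort that does not point at the TLS connector, a TLS connector missing scheme, secure or keystoreFile, or no CONFIDENTIAL constraint on /*. The two XML strings are constructed inline to mirror the post's configuration.

```python
"""Audit a Tomcat server.xml / web.xml pair for the HTTPS settings used in the post.
Added example, not from the original post; the XML below is constructed sample input."""
import xml.etree.ElementTree as ET

SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/usr/local/tomcat/tomcat.keystore" keystorePass="justin"/>
  <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443"/>
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):  # strip an XML namespace: "{ns}name" -> "name"
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):  # text of the first descendant with local name `name`, else None
    for child in elem.iter():
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit(server_xml, web_xml):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    connectors = [c for c in ET.fromstring(server_xml).iter() if _local(c.tag) == "Connector"]
    tls = [c for c in connectors if c.get("SSLEnabled") == "true"]
    if not tls:
        return ["no SSLEnabled connector: HTTPS is not served at all"]
    tls_ports = {c.get("port") for c in tls}
    for c in tls:
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if c.get(attr) != want:
                findings.append(f'port {c.get("port")}: {attr} should be "{want}"')
        if not c.get("keystoreFile"):
            findings.append(f'port {c.get("port")}: keystoreFile missing')
    for c in connectors:  # every non-TLS connector must redirect to a TLS port
        if c not in tls and c.get("redirectPort") not in tls_ports:
            findings.append(f'port {c.get("port")}: redirectPort {c.get("redirectPort")} '
                            f"does not point at a TLS connector {sorted(tls_ports)}")
    # web.xml: without CONFIDENTIAL on /*, plain HTTP is served rather than redirected
    constraints = [s for s in ET.fromstring(web_xml).iter() if _local(s.tag) == "security-constraint"]
    covered = any(_text(s, "url-pattern") == "/*" and _text(s, "transport-guarantee") == "CONFIDENTIAL"
                  for s in constraints)
    if not covered:
        findings.append("web.xml: no security-constraint forcing CONFIDENTIAL on /*")
    return findings
```

Run `audit(open("server.xml").read(), open("web.xml").read())` against the real files after editing them; the redirectPort check is what catches the 8443 default the post tells you to change.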
Notes:
(1) Certificate validity period: if the clock on the IE client machine is earlier than the certificate's start date or later than its expiry date, IE reports "the security certificate has expired or is not yet valid".
(2) If IE reports "the name on the security certificate is invalid or does not match the name of the site", the cause is an incorrect answer to "What is your first and last name?" when the certificate was generated; that field must be the domain name of the host running the server.
(3) If the AC host cannot be looked up by domain name, an IP must be used, but that IP is only known after configuration, so the certificate can only be generated once the AC's IP address has been determined.
(4) A certificate file can be bound to only one IP address. Given two addresses, 10.1.25.250 and 192.168.1.250, if 10.1.25.250 was used when generating the certificate, then IE can reach AC-WEB only via 10.1.25.250; 192.168.1.250 cannot be used to access AC-WEB.
This article is from the "我本不是菜鸟" blog; please keep this attribution: http://pvbutler.blog.51cto.com/7662323/1650958
Original URL: http://pvbutler.blog.51cto.com/7662323/1650958