How to set up tomcat with server authentication and client certificate authentication enabled

最新推荐文章于 2025-06-25 08:26:40 发布
原创 最新推荐文章于 2025-06-25 08:26:40 发布 · 605 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#server #tomcat #client certificate a

本文详细介绍如何在Tomcat服务器上设置服务器身份验证及客户端证书认证。步骤包括创建服务器和客户端证书、配置server.xml文件等,并提供具体命令及注意事项。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

How to set up tomcat with server authentication and client certificate authentication enabled?

When I  do my daily work, I need to set up a server with client certificate authentication enabled. Now I record all steps for further reference.

ENV: windows7/x86, tomcat-7.0.79, jdk1.7.0_151

Generally, the steps are as follows:

  1. Create a certificate for the tomcat server. The client has to trust this certificate.
  2. Create a keystore for the tomcat server, and import the server certificate into it.
  3. Create a certificate for the client. The server has to trust this certificate.
  4. Import the client certificate into the server keystore
  5. Update the tomcat server.xml file with the correct Connector XML.

Detail steps:

1. Create certificate/keysotre for server and client

# For the following commands, set the values in parenthesis to be whatever makes sense for your environment.  The parenthesis are not necessary for the command.

# This is an all-in-one command that generates a certificate for the server and places it in a keystore file, while setting both the certifcate password and the keystore password.
# The net result is a file called "tomcat.keystore".

keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=oracle,OU=java,O=oracle,L=SC,ST=California,C=US" -keystore tomcat.keystore -keypass changeit -storepass changeit

# This is the all-in-one command that generates the certificate for the client and places it in a keystore file, while setting both the certificate password and the keystore password.
# The net result is a file called "client.keystore"

keytool -genkeypair -alias clientcert -keyalg RSA -dname "CN=client,OU=java,O=oracle,L=SC,ST=California,C=US" -keypass changeit -keystore client.keystore -storepass changeit

# This command exports the client certificate.  
# The net result is a file called "client.cer" in your home directory.

keytool -exportcert -rfc -alias clientcert -file client.cer -keypass changeit -keystore client.keystore -storepass changeit

# This command imports the client certificate into the "tomcat.keystore" file.

keytool -importcert -alias clientcert -file client.cer -keystore tomcat.keystore -storepass changeit -noprompt

2. Configure your connector in the tomcat server.xml:

<Connector port="8443"
    maxThreads="150"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    truststoreFile="/full-path-to/tomcat.keystore"
    truststorePass="(password)"
    keystoreFile="/full-path-to/tomcat.keystore"
    keystorePass="(password)"
    clientAuth="true"
    keyAlias="servercert"
    sslProtocol="TLS"/>

Additionally, in the server.xml, ensure that you DO NOT have an AprLifecycleListner defined. The XML for that listener will look something like this:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

That element should be delete/commented out. The AprLifecycleListener does not get configured the same way as described above, and will not work with these instructions.

3. Test your server configuration

Start tomcat server and load the following link in your browser

https://mytomcatdomain.com:8443
You should get the standard alert from Firefox or IE about an untrusted connection because we created a self-signed certificate for our Tomcat server. Accept to proceed. You should get a "Secure Connection Failed" message. The error code is "ssl_error_bad_cert_alert". This confirms that our Tomcat server is requesting authentication from the client. The request is failing because we have not configured browser to send our trusted client certificate yet.

4. Extract a key from the client.keystore

# This extracts the client key from the client keystore

java DumpPrivateKey client.keystore changeit clientcert > clientkey.pkcs8

# This creates a client.p12 file that can be used by Firefox

openssl pkcs12 -export -in client.cer -inkey clientkey.pkcs8 -password pass:changeit -out client.p12
5. Import client.p12 to browser

For Firefox, open preferences. Click on the "Certificates" tab. Click on the "View Certificates" button. Click on the "Your Certificates" tab. Click on the "Import" button and browse to the "client.p12" file that was created previously. You should be prompted to enter the password for the client certificate.

For IE, open Internet options-> Content->Certificates->Personal. Click on the "Import" button and browse to the "client.p12" file that was created previously. You should be prompted to enter the password for the client certificate.

6. Refresh your browser page, and you should get a successful response from your Tomcat server endpoint.


全网详细解决Client does not support authentication protocol requested by server;consider upgrading Mysql c
念兮为美
03-06 5170
全网详细解决1251 - Client does not support authentication protocol requested by server; consider upgrading Mysql client
Docker部署SonarQube代码质量检查平台+PostgreSQL数据库
万物皆可学
06-13 1391
指定拉取postgres11版本,不要postgres:latest,因为你部署sonarqube最新版本配置的时候会发现支持的版本是11,拉取最新版本会报错。配置如下,你也可以先启动一个无挂载的sonarqube用docker cp 把配置复制出来再干掉启动的sonarqube。检查代码的时候,仓库或者本地的代码会全部存储到postgresql数据里中,所以容量尽量大点,我这给个300G。运行postgres11并挂载存储目录,映射端口,同步宿主机时间,这里用户、密码、数据库都叫sonar。
Client does not support authentication protocol requested by server; consider upgrading MySQL client
生而为人我很抱歉
09-03 2821
这说明客户端连接数据库失败,是网络都连不上,不是密码错误连不上,需要检查ip、port是否填写正确,mysql server是否启动,其次检查是否被防火墙拦截。
SQLyog连接MYSQL时报错 Client does not support authentication protocol requested by server; consider upgra
qq_61825999的博客
12-11 2705
SQLyog连接MYSQL时报错 Client does not support authentication protocol requested by server; consider upgrading MYSQL clie以下错误翻译一下大致的意思为:客户端不支持服务器请求的身份验证协议;考虑升级MYSQL客户端这是因为MYSQL8.0之后更换了加密规则为,8.0之前则为,用语句来修改密码会使用8.0默认的规则来加密,而SQLyog中找不到新的身份验证插件,加载身0份验证插件错误,因此产生以上报错。
MySql错误 1251 - Client does not support authentication protocol requested by server 解决方案
悠悠寻燕语
06-25 211
MySql错误 1251 - Client does not support authentication protocol requested by server 解决方案。进入MYSQL命令行输入以下内容。
Mysql 报错问题—客户端不支持服务器请求的认证协议
Bing_Ye_Xue_Yan的博客
09-23 9255
问题报错信息:Client does not support authentication protocol requested by server; consider upgrading MySQL client 图中翻译:客户端不支持服务器请求的认证协议;考虑升级mysql客户端 造成解决这个问题的原因是:Mysql 8.0 以后的版本账号密码加密规则是caching_sha2_password Mysql 8.0之前的版本账号密码加密规则是mysql_native_password 所以解决方法为:
Mysql 解决1251- Client does not support authentication protocol requested by server...的问题
热门推荐
pengfeng111833的专栏
04-25 3万+
一、问题描述 使用Navicat客户端连接本地mysql,报错:1251- Client does not support authentication protocol requested by server;consider upgrading Mysql client。 二、查看用户信息 打开命令行小黑屏,进入MySQL的bin目录,然后输入mysql -u root -p,输入密码,登录成功 执行SQL查询用户信息 select host,user,plugin,authenticat.
SSL/TLS Configuration How-To 是一组指南,它详细说明了如何配置服务器以支持安全套接层(SSL)/传输层安全性(TLS)协议
BLOG域名:programb.blog.youkuaiyun.com
04-24 1571
SSL/TLS Configuration How-To 是一组指南,它详细说明了如何配置服务器以支持安全套接层(SSL)/传输层安全性(TLS)协议。如果你正在使用APR(Apache Portable Runtime)或JSSE(Java Secure Socket Extension)的OpenSSL实现,你可以配置替代引擎来增强或替换默认的SSL功能。其中一个关键点在于访问SSL会话ID,这有助于跟踪客户端与服务器之间的连接状态。
How to upgrade NBU cluster from 10.0.0.1 to 10.2.0.1
mandarin_meng的博客
03-18 1641
upgrade NBU from 10.0.0.1 to 10.2.0.1
Spring Boot入门教程(四):配置文件
人不风流枉少年
03-20 4690
配置方式 每个starter都有自己默认的配置,如果需要改变默认值,可以在其他地方配置来覆盖掉默认的值,覆盖默认的配置有多种方式,每种方式的优先级也不同,如果在多个地方配置则优先使用优先级高的值,其中命令行参数优先级最高, 其中大部分参数一般都配置在属性文件application.properties中,属性文件即可以覆盖starter中默认的值,也可以自定义值 在命令行行输入的参数 SPR...
单点登录(十三)-----实战-----cas4.2.X登录启用mongodb验证方式完整流程
直到世界的尽头
02-10 6110
我们在之前的文章中中已经讲到了正确部署运行cas server 和 在cas client中配置。在此基础上 我们去掉了https的验证,启用了http访问的模式。单点登录(七)-----实战-----cas server去掉https验证但是我们之前部署的cas server,用户登录时使用的是简单的文本配置方式。deployerConfigContext.xml中的配置方式是配置的帐号密码##
网站未经过服务器认证,SMTP服务器需要安全连接或客户端未经过身份验证
weixin_35642637的博客
08-10 2032
我收到了这个错误The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.0 Must issue a STARTTLS command first. e17sm974159fak.34Web.config文件from="emailac...
C# Hotmail SMTP not authenticated to send anonymous mail 解决方案
yangjiaosun的专栏
07-31 1797
错误日志:The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM 问题原因:Microsoft 帐户认为有异常登录行为导致的 解决方案: 1、在个人中心-安全-登录活动-找到对应发送.
Mysql如何解决1251 client does not support问题
长缨缚苍龙
05-21 1179
plugin的作用之一就是处理后的密码格式和长度是不一样的,类似于使用MD5加密和使用base64加密一样对于同一个密码处理后的格式是不一样的。如果在修改插件的时候出现错误,可现将插件改为 mysql_old_password,然后再升级成mysql_native_password。mysql官方网站提供了从mysql_old_password升级到mysql_native_password,我们可以仿照这个。第一:修改root的密码为’root’,摒弃原来的旧密码。
mysql报错1251 client does not support问题解决
树袋熊的博客
12-22 2738
linux使用docker安装mysql,连接报错1251 client does no support authentic 通过navicat工具连接mysql报错1251 client does no support authentic, 1.docker exec -it mysql /bin/bash 2.mysql -uroot -proot 3.查看用户信息 select host,u...
【MySql】Navicat 连接数据库出现1251 - Client does not support authentication protocol ...... 问题的解决方法
早知晓的博客
01-13 2万+
Navicat 连接 mysql,连接时出现问题:1251 client does not support authentication protocol requested by server
【MySql】Navicat 连接数据库出现1251 - Client does not support authentication protocol 问题的解决方法
qq_51228618的博客
04-27 2299
【MySql】Navicat 连接数据库出现1251 - Client does not support authentication protocol 问题的解决方法
<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!-- Note: A "Server" is not itself a "Container", so you may not define subcomponents such as "Valves" at this level. Documentation at /docs/config/server.html --> <Server port="8005" shutdown="SHUTDOWN"> <Listener className="org.apache.catalina.startup.VersionLoggerListener" /> <!-- Security listener. Documentation at /docs/config/listeners.html <Listener className="org.apache.catalina.security.SecurityListener" /> --> <!--APR library loader. Documentation at /docs/apr.html --> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> <!-- Prevent memory leaks due to use of particular java/javax APIs--> <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> <!-- Global JNDI resources Documentation at /docs/jndi-resources-howto.html --> <GlobalNamingResources> <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users --> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <!-- A "Service" is a collection of one or more "Connectors" that share a single "Container" Note: A "Service" is not itself a "Container", so you may not define subcomponents such as "Valves" at this level. Documentation at /docs/config/service.html --> <Service name="Catalina"> <!--The connectors can use a shared executor, you can define one or more named thread pools--> <!-- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150" minSpareThreads="4"/> --> <!-- A "Connector" represents an endpoint by which requests are received and responses are returned. Documentation at : Java HTTP Connector: /docs/config/http.html Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <!-- A "Connector" using the shared thread pool--> <!-- <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> --> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation. The default SSLImplementation will depend on the presence of the APR/native library and the useOpenSSL attribute of the AprLifecycleListener. Either JSSE or OpenSSL style configuration may be used regardless of the SSLImplementation selected. JSSE style configuration is used below. --> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"> <SSLHostConfig> certificateKeystoreFile="conf/keystore.jks" certificateKeystorePassword="changeit" type="RSA" /> </SSLHostConfig> </Connector> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2 This connector uses the APR/native implementation which always uses OpenSSL for TLS. Either JSSE or OpenSSL style configuration may be used. OpenSSL style configuration is used below. --> <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" certificateFile="conf/localhost-rsa-cert.pem" certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA" /> </SSLHostConfig> </Connector> --> <!-- Define an AJP 1.3 Connector on port 8009 --> <!-- <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" /> --> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). Documentation at /docs/config/engine.html --> <!-- You should set jvmRoute to support load-balancing via AJP ie : <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> --> <Engine name="Catalina" defaultHost="localhost"> <!--For clustering, please take a look at documentation at: /docs/cluster-howto.html (simple how to) /docs/config/cluster.html (reference documentation) --> <!-- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> --> <!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack --> <Realm className="org.apache.catalina.realm.LockOutRealm"> <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. --> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <!-- SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> <!-- Access log processes all example. Documentation at: /docs/config/valve.html Note: The pattern used is equivalent to using pattern="common" --> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" /> </Host> </Engine> </Service> </Server> 重启https还是连不上
最新发布
06-27
- `Loading keystore file /path/to/keystore.jks` - `SSL support is enabled` #### 2. 验证端口监听状态 ```bash # Linux/Mac netstat -tuln | grep 8443 # Windows netstat -ano | findstr 8443 ``` 应有类似...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值