本文详细介绍了如何在Tomcat服务器上配置HTTPS,包括生成自签名证书、配置server.xml文件及解决常见错误的方法。
转自:http://blog.youkuaiyun.com/supersky07/article/details/7407523
(1)进入到jdk下的bin目录
(2)输入如下指令“keytool -v -genkey -alias tomcat -keyalg RSA -keystore d:/tomcat.keystore”
d:/tomcat.keystore是将生成的tomcat.keystore放到d盘根目录下。注意若要放到c盘,在win7系统下,需要以管理员身份进入到命令行中进行操作,否则是无法创建tomcat.keystore的。本例放到d盘下。
如何以管理员身份进入到命令行下呢?开始->搜索框中输入cmd->等待(注意不回车)->出现cmd.exe->右键“以管理员身份运行”即可。
(3)输入keystore密码
密码任意,此处以123456为例,要记住这个密码,之后在进行server.xml配置时需要使用。
(4)输入名字、组织单位、组织、市、省、国家等信息
(5)输入之后会出现确认的提示
此时输入y,并回车。此时创建完成keystore。
进入到D盘根目录下可以看到已经生成的tomcat.xml
(6)输入tomcat的主密码
可以直接回车,默认为同keystore的密码一样。
之后,会显示正在存储即完成。
(7)进入tomcat文件夹
找到conf目录下的sever.xml并进行编辑
将所有以<Connector port="8443" 开头的connector注释。
(8)在sever.xml中添加加载keystore的代码
注意方框中的keystore的密码,就是刚才我们设置的“123456”.
编辑完成后关闭并保存sever.xml。
(9)启动tomcat。
若出现如下错误“Keystore was tampered with,or password was incorrect”,即第(8)步设的密码出错了。请核对密码,重新编写sever.xml。
(10)启动成功后,使用https://127.0.0.1:8443 访问页面
页面成功打开即tomcat下的https配置成功。
自己项目实际配置记录:
为服务器生成服务器证书:
keytool -genkey -v -alias glpt -keyalg RSA -keystore d:/glpt/serverKey/glpt.keystore -dname "CN=192.168.10.203,OU=abcdef,O=logis,L=beijing,ST=beijing,C=CN" -validity 3650 -storepass abcdef -keypass abcdef
为客户端生成证书:(为了确保能导入到ie/firefox 证书格式为PKSC12)
keytool -genkey -v -alias khd -keyalg RSA -storetype PKCS12 -keystore E:/serverKey/p12/khd.p12 -dname "CN=khd,OU=abcdef,O=venus,L=beijing,ST=beijing,ST=beijing,C=CN" -validity 3650 -st
orepass abcdef -keypass abcdef
导出客户端证书:(因为双向认证,所以服务器必须要信任客户端证书,因此必须把客户端证书添加为服务器的信任证书,由于不能直接将PKSC12格式的证书导入,所以必须现将客户端证书导出为一个单独的cer文件)
keytool -export -alias khd -keystore E:/serverKey/p12/khd.p12 -storetype PKCS12 -storepass abcdef -rfc -file E:/serverKey/cert/khd.cer
将客户端证书导入服务器证书库:
keytool -import -alias khd -v -file E:/serverKey/cert/khd.cer -keystore E:/serverKey/glpt.keystore -storepass abcdef
查看证书库包含证书:
keytool -list -keystore glpt.keystore
Tomcat目录/config/server.xml文件修改:
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
minSpareThreads="5"
maxSpareThreads="75"
enableLookups="true"
disableUploadTimeout="true"
acceptCount="100"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:/glpt/serverKey/glpt.keystore"
keystorePass="abcdef"
truststoreFile="D:/glpt/serverKey/glpt.keystore" truststorePass="abcdef"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
