1. 生成证书
在命令行运行命令JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg
RSA -keystore C:\Tomcat\GMAE3.0Tomcat\tomcat.keystore(指定一个位置)
这样就生成了证书,将证书放到合适的地方(任意地方都可以)
2. 配置server.xml
找到关于ssl的相关段,去掉注释,添keystoreFile="C:\Tomcat\GMAE3.0Tomcat\tomcat.keystore"
keystorePass="tomcat"的属性
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="D:\TRS\TRSIDS3500_trunk_https\tomcat.keystore" algorithm="SunX509" keystorePass="trsadmin"/>
tomcat不同版本配置是不同的
Tomcat5.5.9配置:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" keystorePass="changeit"/>
Tomcat5.5.20配置(此配置同样可用于Tomcat6.0)
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" keystorePass="changeit"/>
Tomcat6.0.10
配置:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="D:/tools/apache-tomcat-6.0.10/server.keystore" keystorePass="changeit"/>
tomcat6支持3种,请参考以下文档:
3. 重启tomcat就能使用HTTPS访问
4. 强制https访问
在tomcat\conf\web.xml中的</welcome-file-list>后面加上这样一段:
<login-config> <!-- Authorization setting for SSL --> <auth-method>CLIENT-CERT</auth-method> <realm-name>Client Cert Users-only Area</realm-name> </login-config> <security-constraint> <!-- Authorization setting for SSL --> <web-resource-collection > <web-resource-name >SSL</web-resource-name> <url-pattern>/root_home</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>