@see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
//1: use the JDK keytool
A: Generate the keystore
01:============================
C:\Users\User>keytool -genkey -alias tomcat -keyalg RSA -keystore d:/ks/tomcatKeyStore
// Equivalent, with the current option name (-genkey is the old alias of -genkeypair): keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "d:/ks/tomcatKeyStore"
// Add -ext san=dns:localhost (or the real hostname) so browsers can match the server name against the certificate, and -keysize 2048 on JDKs older than 8, whose default RSA size was 1024 bits.
Enter keystore password:123456
Re-enter new password:123456
What is your first and last name?
[Unknown]: name
What is the name of your organizational unit?
[Unknown]: org
What is the name of your organization?
[Unknown]: org
What is the name of your City or Locality?
[Unknown]: sh
What is the name of your State or Province?
[Unknown]: sh
What is the two-letter country code for this unit?
[Unknown]: 86
Is CN=name, OU=org, O=org, L=sh, ST=sh, C=86 correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):123456
Re-enter new password:123456
// Notes on the prompts:
// - "first and last name" becomes the certificate CN. For a server certificate use the hostname clients connect to (localhost here); modern browsers match the hostname against the subjectAltName rather than the CN, hence the -ext san option mentioned above.
// - The country field expects a two-letter ISO 3166 code (CN for China); keytool accepts "86" but it is not a valid value.
// - Tomcat opens the private key with the keystore password unless keyPass (certificateKeyPassword in the Tomcat 8.5+ SSLHostConfig style) says otherwise, so keep the two passwords equal as done here.
// - 123456 is a placeholder. Use a real password, and keep server.xml (which will contain it) readable only by the account Tomcat runs as.
02:============================
C:\Users\User>keytool -list -keystore d:/ks/tomcatKeyStore
Enter keystore password:123456
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Dec 20, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 55:50:64:83:59:6F:71:70:C2:71:5F:0A:56:BF:E0:36:41:45:3E:44
// JKS is the Java 8 default. keytool on JDK 9+ creates PKCS12 keystores and warns that JKS is a proprietary format; Tomcat reads either, but set keystoreType (certificateKeystoreType in the SSLHostConfig style) when the file is not JKS.
B: Connector in tomcat/conf/server.xml
<!-- JSSE style (Tomcat 6/7/8, still accepted by 9): keystore attributes on the Connector -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystorePass="123456"
           keystoreFile="d:/ks/tomcatKeyStore">
    <!-- HTTP/2 needs ALPN: Java 9+ with JSSE, or Tomcat Native/OpenSSL on Java 8 -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <!-- SSLHostConfig style (Tomcat 8.5+): PEM key and certificate in a nested element.
         Use one style or the other, not both on the same Connector: the keystore attributes
         above and this element both define the default SSL host (_default_), and Tomcat 8.5+
         treats the second definition as a duplicate at startup. The page never creates
         conf/ca.key and conf/ca.crt; with the keystore from section A, point a
         <Certificate certificateKeystoreFile=...> at it instead. Note also that
         sslProtocol="TLS" only names the JSSE SSLContext algorithm; it does not restrict
         which TLS versions are offered. -->
    <SSLHostConfig honorCipherOrder="false">
        <Certificate certificateKeyFile="conf/ca.key"
                     certificateFile="conf/ca.crt" />
    </SSLHostConfig>
</Connector>
Attributes of the JSSE (keystore) style, set on the Connector (the truststore ones only matter with clientAuth="true" or "want"):
keystorePass
keystoreFile
truststoreFile
truststorePass
Attributes of the APR/OpenSSL style (PEM files), set on the Connector:
SSLCertificateFile="conf/server.cer"
SSLCertificateKeyFile="conf/server.key"
SSLCertificateChainFile="conf/intermediate.cer"
Then open https://localhost:8443/ (expect a browser warning for the self-signed certificate).
If Tomcat throws: Connector attribute SSLCertificateFile must be defined when using SSL with APR
Tomcat has two SSL implementations, JSSE (pure Java) and APR (OpenSSL through the Tomcat Native library). With the generic protocol="HTTP/1.1" Tomcat picks one automatically: APR when the native library is installed, otherwise JSSE. The exception above means the APR implementation was selected but the Connector only carries JSSE attributes (keystoreFile/keystorePass); APR expects SSLCertificateFile/SSLCertificateKeyFile instead. To take the choice away from Tomcat, name the implementation in protocol: org.apache.coyote.http11.Http11NioProtocol for JSSE (as in the Connector above) or org.apache.coyote.http11.Http11AprProtocol for APR.
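To make the points above checkable, here is a small linter for the TLS connector. It is an added example, not part of the original page and not Tomcat code: it reads a server.xml, finds every SSLEnabled connector and reports the two configuration styles mixed on one Connector, the misread sslProtocol attribute, an unpinned or weak protocol list, a missing server cipher preference, and passwords left as literals. The two server.xml fragments inside it are constructed for the example (the first is the connector above, the second a hardened rewrite in the SSLHostConfig style using the keystore from section A); the ${keystore.password} property name is an assumption, Tomcat substituting any ${...} from catalina.properties or -D system properties when it parses server.xml.

```python
"""Lint the TLS connectors in a Tomcat server.xml (added example, not Tomcat code)."""
import re
import xml.etree.ElementTree as ET

# TLS attributes of the pre-8.5 style, set directly on <Connector>.
LEGACY_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias", "keyPass",
                "truststoreFile", "truststorePass", "sslProtocol", "sslEnabledProtocols",
                "clientAuth", "ciphers", "useServerCipherSuitesOrder", "SSLCertificateFile",
                "SSLCertificateKeyFile", "SSLCertificateChainFile"}
# What Tomcat's 'all' expands to, and the versions that should no longer be offered.
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PASSWORD_ATTRS = ("keystorePass", "keyPass", "truststorePass", "certificateKeystorePassword",
                  "certificateKeyPassword", "truststorePassword")


def enabled_protocols(value):
    """Expand a protocols / sslEnabledProtocols value the way SSLHostConfig does:
    tokens split on ',', whitespace or '+'; '-' removes, '+' or no prefix adds;
    'all' is the full set."""
    enabled = set()
    for token in re.split(r"[,\s+]+", value.strip()):
        if not token:
            continue
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled


def lint_connector(conn):
    """Return (code, message) findings for one SSL-enabled <Connector> element."""
    findings = []
    attrs = conn.attrib
    hosts = conn.findall("SSLHostConfig")
    certs = [c for h in hosts for c in h.findall("Certificate")]

    legacy = sorted(LEGACY_ATTRS.intersection(attrs))
    if legacy:
        findings.append(("legacy-attrs", "pre-8.5 TLS attributes on the Connector: " + ", ".join(legacy)))
    if legacy and hosts:
        findings.append(("mixed-style", "Connector TLS attributes and a nested <SSLHostConfig> "
                         "both define the default SSL host (_default_); use one style"))
    if "sslProtocol" in attrs:
        findings.append(("sslProtocol", "sslProtocol only names the JSSE SSLContext algorithm; "
                         "pin versions with protocols (SSLHostConfig) or sslEnabledProtocols"))

    versions = [v for v in [attrs.get("sslEnabledProtocols")] + [h.get("protocols") for h in hosts] if v]
    if not versions:
        findings.append(("protocols-unpinned", "no protocol list; Tomcat's default 'all' leaves "
                         "the choice to the JVM's jdk.tls.disabledAlgorithms"))
    for value in versions:
        weak = sorted(enabled_protocols(value) & WEAK_PROTOCOLS)
        if weak:
            findings.append(("weak-protocols", "offers " + ", ".join(weak)))

    orders = [attrs.get("useServerCipherSuitesOrder")] + [h.get("honorCipherOrder") for h in hosts]
    if not any(o is not None and o.lower() == "true" for o in orders):
        findings.append(("cipher-order", "server cipher preference not enforced "
                         "(honorCipherOrder / useServerCipherSuitesOrder)"))

    for el in [conn] + hosts + certs:
        for name in PASSWORD_ATTRS:
            value = el.get(name)
            if value is not None and not value.startswith("${"):
                findings.append(("password-inline", name + " is a literal in server.xml; reference "
                                 "a ${...} property from catalina.properties or -D instead"))
    return findings


def lint_server_xml(text):
    """Map the port of every SSL-enabled connector to its findings."""
    root = ET.fromstring(text)
    return {conn.get("port"): lint_connector(conn) for conn in root.iter("Connector")
            if conn.get("SSLEnabled", "false").lower() == "true"}


def finding_codes(text):
    """Just the finding codes per port, for quick comparison."""
    return {port: sorted({code for code, _ in f}) for port, f in lint_server_xml(text).items()}


# Constructed sample: the connector from section B (both styles on one Connector, no protocol
# pin, inline password) plus a plain HTTP connector that the linter must skip.
PAGE_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" keystorePass="123456"
             keystoreFile="d:/ks/tomcatKeyStore">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig honorCipherOrder="false">
      <Certificate certificateKeyFile="conf/ca.key" certificateFile="conf/ca.crt"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed hardened rewrite: SSLHostConfig style only, the JKS from section A, TLS 1.2/1.3,
# server cipher order, password pulled from a property (the property name is assumed).
HARDENED_SERVER_XML = """<Server><Service>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3" honorCipherOrder="true">
      <Certificate certificateKeystoreFile="d:/ks/tomcatKeyStore"
                   certificateKeystorePassword="${keystore.password}"
                   certificateKeyAlias="tomcat" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("page", PAGE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, findings in lint_server_xml(xml).items():
            print(f"[{label}] Connector port={port}: {len(findings)} finding(s)")
            for code, msg in findings:
                print(f"  {code}: {msg}")
```

Run it against the real file with lint_server_xml(open("conf/server.xml").read()); the page's connector produces six findings, the hardened one none. Tomcat reads protocol tokens separated by comma, whitespace or "+", so "TLSv1.2+TLSv1.3" is the same list as "TLSv1.2,TLSv1.3".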
C: add to web.xml
/* /* means the whole application must be reached over HTTPS; change CONFIDENTIAL to NONE to drop the requirement */
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HttpsOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HttpOrHttps</web-resource-name>
        <url-pattern>*.ico</url-pattern>
        <url-pattern>/img/*</url-pattern>
        <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Notes: a plain-HTTP request to a CONFIDENTIAL resource is redirected to the redirectPort of the HTTP connector (8443 by default), so that attribute must point at the TLS connector. Tomcat picks the constraints for a request by exact match first, then the longest matching path prefix, then extension patterns, then the default pattern; because /* matches every path as a prefix, the *.ico pattern above is never reached and /favicon.ico stays CONFIDENTIAL (use the path /favicon.ico instead). Exempting /img/* and /css/* also lets an HTTPS page load those assets over HTTP, which browsers now block or upgrade as mixed content; today the usual choice is to keep everything CONFIDENTIAL.
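To see which guarantee Tomcat actually applies to a given path, here is an added example (not from the page and not Tomcat code) that replays Tomcat's constraint selection from RealmBase.findSecurityConstraints, exact match, then longest path prefix, then extension, then the default "/" pattern, and its user-data rule that a plain-HTTP request passes when any selected constraint has NONE or no user-data-constraint. HTTP-method restrictions are ignored; the web.xml is the one above, constructed inline without the Servlet namespace so ElementTree tags stay unqualified.

```python
"""Which transport-guarantee applies to a request path? (added example, not Tomcat code)

Replays Tomcat's constraint selection (RealmBase.findSecurityConstraints):
exact match, else longest path prefix, else extension, else the default "/"
pattern; then its user-data rule: a plain-HTTP request is allowed when any
selected constraint has NONE or no user-data-constraint. HTTP-method
restrictions are ignored. The web.xml below is constructed for the example and
omits the Servlet namespace so ElementTree tags stay unqualified.
"""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpsOnly</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpOrHttps</web-resource-name>
      <url-pattern>*.ico</url-pattern>
      <url-pattern>/img/*</url-pattern>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(text):
    """Return [(name, [url-patterns], transport-guarantee or None)]."""
    result = []
    for sc in ET.fromstring(text).findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "")
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        result.append((name, patterns, guarantee.strip() if guarantee else None))
    return result


def _prefix_match(pattern, uri):
    """'/*' matches everything; '/img/*' matches '/img' and anything below '/img/'."""
    if not (pattern.startswith("/") and pattern.endswith("/*")):
        return False
    base = pattern[:-2]
    return base == "" or uri == base or uri.startswith(base + "/")


def _extension_match(pattern, uri):
    slash, dot = uri.rfind("/"), uri.rfind(".")
    return (pattern.startswith("*.") and dot > slash
            and dot != len(uri) - 1 and uri[dot:] == pattern[1:])


def select_constraints(constraints, uri):
    """Constraints Tomcat applies to uri, following its order of precedence."""
    exact = [c for c in constraints if uri in c[1]]
    if exact:
        return exact
    longest, chosen = -1, []
    for c in constraints:
        for p in c[1]:
            if _prefix_match(p, uri) and len(p) >= longest:
                if len(p) > longest:          # a longer prefix discards shorter matches
                    longest, chosen = len(p), []
                if c not in chosen:
                    chosen.append(c)
    if chosen:
        return chosen
    by_ext = [c for c in constraints if any(_extension_match(p, uri) for p in c[1])]
    return by_ext or [c for c in constraints if "/" in c[1]]


def effective_guarantee(constraints, uri):
    """'CONFIDENTIAL' only if every selected constraint demands TLS, else 'NONE'."""
    selected = select_constraints(constraints, uri)
    if not selected or any(g in (None, "NONE") for _, _, g in selected):
        return "NONE"
    return "CONFIDENTIAL"


if __name__ == "__main__":
    variants = (("as written", WEB_XML),
                ("*.ico replaced by /favicon.ico", WEB_XML.replace("*.ico", "/favicon.ico")))
    for label, xml in variants:
        cs = parse_constraints(xml)
        for path in ("/login", "/img/logo.png", "/css/site.css", "/favicon.ico"):
            print(f"{label:32} {path:16} -> {effective_guarantee(cs, path)}")
```

With the constraints as written, /img/logo.png and /css/site.css come out NONE (the longer prefix wins over /*), while /favicon.ico comes out CONFIDENTIAL because the prefix phase already matched /* and extension patterns are never consulted; swapping *.ico for the exact path /favicon.ico makes the exemption take effect.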
Tomcat SSL/TLS Configuration