1、 创建证书
首先进入JAVA_HOME的bin目录下输入如下代码:
cd /usr/java/jdk1.7.0_79/bin/
keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/tomcat.keystore -validity 36500
Enter keystore password: #此处需要输入大于6个字符的字符串
Re-enter new password:
What is your first and last name? #“您的名字与姓氏是什么?”这是必填项,
[Unknown]: haha
What is the name of your organizational unit? #“你的组织单位名称是什么?”可以按照需要填写也可以不填写直接回车,实验中直接回车
[Unknown]:
What is the name of your organization? #“您的组织名称是什么?”,同上直接回车
[Unknown]:
What is the name of your City or Locality? #“您所在城市或区域名称是什么?,同上直接回车
[Unknown]:
What is the name of your State or Province? #“您所在的州或者省份名称是什么?”
[Unknown]:
What is the two-letter country code for this unit? #“该单位的两字母国家代码是什么?”
[Unknown]:
Is CN=10.15.24.254, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? #系统询问“正确吗?”时,对照输入信息,如果符合要求则使用键盘输入字母“y”,否则输入“n”重新填写上面的信息
[no]: y
Enter key password for Tomcat
(RETURN if same as keystore password): #输入的主密码,这项较为重要,会在tomcat配置文件中使用,建议输入与keystore的密码一致,设置其它密码也可以
Re-enter new password:
2、修改tomcat的server.xml配置文件,使其支持https
cd /tomcat/conf/
vim server.xml
增加https的节点配置,下面这个节点在 server.xml中是存在的,但是被注释掉了,你将注释取消后,增加两个属性,一个是证书路径,一个是证书密码,并将原来的8443端口改为443即可。
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/tomcat.keystore" keystorePass="19aw4j6hrjr020"/>
增加80、8009等端口的重定向
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" URIEncoding="UTF-8" useBodyEncodingForURI="true"/>
<Connector port="8009" protocol="AJP/1.3" enableLookups="false" redirectPort="443" URIEncoding="UTF-8" useBodyEncodingForURI="true"/>
3、修改Tomcat的web.xml文件,在</welcome-file-list>后,</web-app>前添加以下内容:
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
*(注):如果已购买HTTPS证书,只需将第二步中证书的路径与证书密码改为对应的路径与密码即可,具体可参照腾讯云Tomcat配置https文档。
首先进入JAVA_HOME的bin目录下输入如下代码:
cd /usr/java/jdk1.7.0_79/bin/
keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/tomcat.keystore -validity 36500
Enter keystore password: #此处需要输入大于6个字符的字符串
Re-enter new password:
What is your first and last name? #“您的名字与姓氏是什么?”这是必填项,
[Unknown]: haha
What is the name of your organizational unit? #“你的组织单位名称是什么?”可以按照需要填写也可以不填写直接回车,实验中直接回车
[Unknown]:
What is the name of your organization? #“您的组织名称是什么?”,同上直接回车
[Unknown]:
What is the name of your City or Locality? #“您所在城市或区域名称是什么?,同上直接回车
[Unknown]:
What is the name of your State or Province? #“您所在的州或者省份名称是什么?”
[Unknown]:
What is the two-letter country code for this unit? #“该单位的两字母国家代码是什么?”
[Unknown]:
Is CN=10.15.24.254, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? #系统询问“正确吗?”时,对照输入信息,如果符合要求则使用键盘输入字母“y”,否则输入“n”重新填写上面的信息
[no]: y
Enter key password for Tomcat
(RETURN if same as keystore password): #输入的主密码,这项较为重要,会在tomcat配置文件中使用,建议输入与keystore的密码一致,设置其它密码也可以
Re-enter new password:
2、修改tomcat的server.xml配置文件,使其支持https
cd /tomcat/conf/
vim server.xml
增加https的节点配置,下面这个节点在 server.xml中是存在的,但是被注释掉了,你将注释取消后,增加两个属性,一个是证书路径,一个是证书密码,并将原来的8443端口改为443即可。
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/tomcat.keystore" keystorePass="19aw4j6hrjr020"/>
增加80、8009等端口的重定向
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" URIEncoding="UTF-8" useBodyEncodingForURI="true"/>
<Connector port="8009" protocol="AJP/1.3" enableLookups="false" redirectPort="443" URIEncoding="UTF-8" useBodyEncodingForURI="true"/>
3、修改Tomcat的web.xml文件,在</welcome-file-list>后,</web-app>前添加以下内容:
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
*(注):如果已购买HTTPS证书,只需将第二步中证书的路径与证书密码改为对应的路径与密码即可,具体可参照腾讯云Tomcat配置https文档。