1.生成证书
1.1 服务器端生成证书
[root@systest1 bin]# hostname
systest1
[root@systest1 bin]# keytool -genkeypair -alias cas -keyalg RSA -storepass changeit -keystore /home/server.keystore
What is your first and last name?
[Unknown]: systest1
What is the name of your organizational unit?
[Unknown]: sys
What is the name of your organization?
[Unknown]: sys
What is the name of your City or Locality?
[Unknown]: sh
What is the name of your State or Province?
[Unknown]: sh
What is the two-letter country code for this unit?
[Unknown]: cn
Is CN=systest1, OU=sys, O=sys, L=sh, ST=sh, C=cn correct?
[no]: y
Enter key password for <cas>
(RETURN if same as keystore password):
1.2 服务器端导出证书,供客户端使用
keytool -exportcert -alias cas -file /home/cas.crt -storepass changeit -keystore /home/server.keystore
1.3 客户端导入证书到jvm(我这里是在同一台服务器上,所以直接导入)
keytool -importcert -alias cas -file /home/cas.crt -keystore "${JAVA_HOME}/jre/lib/security/cacerts" -storepass changeit -noprompt
2.tomcat支持https访问,conf/server.xml配置如下
<Server port="18005" shutdown="SHUTDOWN">
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="18080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="18443" />
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="18443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/home/server.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="18009" protocol="AJP/1.3" redirectPort="18443" />
3. cas 服务搭建
下载地址 http://developer.jasig.org/cas/;最新版本是4.0.0 ,下载后解压后,复制cas-server-4.0.0-release\cas-server-4.0.0\modules\cas-server-webapp-4.0.0.war到tomcat中,重命名为cas.war,启动tomcat
访问cas服务:https://systest1:18443/cas/login
打开文件 webapps/cas/WEB-INF/deployerConfigContext.xml
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
<property name="users">
<map>
<span style="color:#ff0000;"> <entry key="casuser" value="Mellon"/></span>
</map>
</property>
</bean>
这里配置了用户名/密码,
登录cas服务器 :用户名:casuser 密码:Mellon;登录成功画面如下
登出cas服务器:https://systest1:18443/cas/logout