Implementing HTTPS on Tomcat
1. Apply for a certificate; a Tencent Cloud certificate is used here
https://www.qcloud.com/document/product/214/6989
The downloaded certificate archive contains three directories; only the Nginx directory is needed here.
Note: if a private-key password was entered when the certificate was requested, the download also includes a Tomcat folder containing the keystore www.domain.com.jks. If no private-key password was entered, no Tomcat certificate file is offered and the format has to be converted by hand: a JKS keystore can be generated from the certificate file and private-key file in the Nginx folder. The converter used in this post is https://www.trustasia.com/tools/cert-converter.htm. When using the tool, note the keystore password you set, because it has to be entered in the Tomcat configuration file when the certificate is installed.
2. Convert the certificate
1) Open https://www.trustasia.com/tools/cert-converter.htm
2) Fill in the certificate, the private key and the keystore password
3) On submit, the tool returns a .jks file for download
Note: this converter is a third-party website, so the private key is uploaded to, and therefore disclosed to, that third party; anyone holding the key can impersonate the site for the certificate's lifetime. Prefer converting on the server itself with openssl and the JDK's keytool, which are already present on a Tomcat host. If the key has already been uploaded somewhere, treat it as exposed and consider reissuing the certificate.
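The following script is an added example of doing the conversion locally; it is not part of the original post or of the converter tool. It assumes the Tencent Cloud Nginx folder layout of one certificate bundle file (leaf plus intermediate, assumed name 1_www.domain.com_bundle.crt) and one private-key file (assumed name 2_www.domain.com.key); the alias, output path and password are placeholders. It also checks that the key really belongs to the certificate before packaging them, which the online tool does not tell you in advance.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build the Tomcat keystore on the
# server itself from the files in the Tencent Cloud "Nginx" folder (assumed
# names: 1_www.domain.com_bundle.crt and 2_www.domain.com.key), so the private
# key is never uploaded to a third-party converter. Alias and password are
# placeholders to replace.
set -eu

# pem_to_keystore <bundle.crt> <private.key> <out-basename> <store-password> [alias]
# Produces <out-basename>.p12 (always) and <out-basename>.jks (when keytool is
# on PATH). Prints the path of the .p12 on success.
pem_to_keystore() {
    local crt="$1" key="$2" out="$3" pass="$4" alias="${5:-tomcat}"
    local crt_pub key_pub

    # Refuse to package a key that does not belong to the certificate: compare
    # SHA-256 digests of the DER-encoded public key taken from each file.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "error: certificate and private key do not match" >&2
        return 1
    fi

    # Keystore files contain the private key: create them readable by the
    # owner only. All certificates in the bundle file are included, so Tomcat
    # serves the intermediate along with the leaf.
    umask 077
    openssl pkcs12 -export -in "$crt" -inkey "$key" -name "$alias" \
        -out "$out.p12" -passout "pass:$pass"

    # Tomcat can read PKCS12 directly (keystoreType="PKCS12"); the JKS
    # conversion only matches the keystoreFile=...jks layout used in server.xml.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt \
            -srckeystore "$out.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
            -destkeystore "$out.jks" -deststoretype JKS -deststorepass "$pass" \
            -srcalias "$alias" -destalias "$alias" >/dev/null 2>&1 \
            || echo "warning: keytool import failed; use the .p12 with keystoreType=\"PKCS12\"" >&2
    fi
    echo "$out.p12"
}

# Usage on the Tomcat host (paths and password are placeholders):
# pem_to_keystore 1_www.domain.com_bundle.crt 2_www.domain.com.key \
#     /usr/local/tomcat7/conf/www.domain.com 'a-long-random-password'
```

The same password is used for the store and the key entry, which is what Tomcat expects when only keystorePass is configured.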
3. Configure Tomcat
1) Install Tomcat (the installation steps are omitted here)
2) Start Tomcat
[root@tomcat ~]# startup.sh
Using CATALINA_BASE: /usr/local/tomcat7
Using CATALINA_HOME: /usr/local/tomcat7
Using CATALINA_TMPDIR: /usr/local/tomcat7/temp
Using JRE_HOME: /usr/local/java
Using CLASSPATH: /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar
Tomcat started.
[root@tomcat ~]# netstat -anpt | grep 8080
tcp 12 0 0.0.0.0:8080 0.0.0.0:* LISTEN 12908/java
tcp 63 0 10.204.208.148:8080 10.59.162.40:29867 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.53.70.111:18198 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.53.82.77:44834 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.53.80.145:15040 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.53.82.76:53481 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.53.80.144:38620 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.53.70.47:11920 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.53.70.46:39743 ESTABLISHED -
tcp 63 0 10.204.208.148:8080 10.59.162.43:40177 ESTABLISHED -
3) Edit server.xml; the attributes to change or add are described below
[root@tomcat ~]# vim /usr/local/tomcat7/conf/server.xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
<!-- redirectPort must match the port of the HTTPS connector below -->
<!-- the following connector has to be added by hand -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat7/conf/nginx.zhouzhuorong.com.jks" keystorePass="123456"/>
Note:
keystoreFile: path of the keystore file
keystorePass: the keystore password entered when the JKS file was generated
A few points worth checking before exposing this connector:
keystorePass sits in cleartext in server.xml, so restrict server.xml and the keystore to the Tomcat user (chmod 600) and use a real password rather than 123456.
A PKCS12 file produced by openssl can be loaded directly by adding keystoreType="PKCS12"; converting to JKS is not required.
sslProtocol="TLS" only selects the JSSE context and does not disable old protocol versions; on Tomcat 7 set sslEnabledProtocols="TLSv1.2" and restrict the ciphers attribute to modern suites.
Binding port 443 needs root privileges, and the post runs everything as root. Running Tomcat as root is not advisable: run it as an unprivileged user on a high port (for example 8443) and redirect 443 to it with iptables, or put Nginx in front.
The attribute layout above is Tomcat 7 syntax; Tomcat 8.5 and later nest the certificate settings in SSLHostConfig/Certificate elements inside the Connector.
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />
The AJP connector listens on every interface (0.0.0.0:8009 in the netstat output further down). If no reverse proxy speaks AJP to this server, comment the connector out; otherwise bind it to the proxy-facing interface with address="127.0.0.1" (or the proxy's IP). It must never be reachable from untrusted networks.
4) Edit web.xml and add the following inside the <web-app> element, immediately before the closing </web-app> tag (not literally at the end of the file), to force HTTPS. Placing it in conf/web.xml applies the rule to every deployed application; to limit it to one application, put it in that application's WEB-INF/web.xml instead. Only the security-constraint with transport-guarantee CONFIDENTIAL produces the redirect to redirectPort; the login-config block is not needed for that. CLIENT-CERT only applies to resources protected by an auth-constraint, none is declared here, and the connector has clientAuth="false", so it has no effect as written.
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
5) Upload the JKS file to the conf directory
[root@tomcat ~]# cd /usr/local/tomcat7/conf/
[root@tomcat conf]# ls nginx.xxx.com.jks
nginx.xxx.com.jks
6) Restart the Tomcat service
[root@tomcat ~]# shutdown.sh
Using CATALINA_BASE: /usr/local/tomcat7
Using CATALINA_HOME: /usr/local/tomcat7
Using CATALINA_TMPDIR: /usr/local/tomcat7/temp
Using JRE_HOME: /usr/local/java
Using CLASSPATH: /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar
[root@tomcat ~]# startup.sh
Using CATALINA_BASE: /usr/local/tomcat7
Using CATALINA_HOME: /usr/local/tomcat7
Using CATALINA_TMPDIR: /usr/local/tomcat7/temp
Using JRE_HOME: /usr/local/java
Using CLASSPATH: /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar
Tomcat started.
[root@tomcat ~]# netstat -anpt | grep java
tcp 11 0 0.0.0.0:8080 0.0.0.0:* LISTEN 12383/java
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 12383/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 12383/java
4. In the DNS settings of the primary domain xxx.com, add an A record pointing the hostname on the certificate at this server
5. Test access from a browser: https://www.domain.com should load with a valid certificate, and plain http://www.domain.com:8080 should redirect to it
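The browser check can be supplemented from the command line. The script below is an added example, not part of the original post: it checks that the 8080 connector answers with a redirect to an https:// URL (what the CONFIDENTIAL transport-guarantee should produce), validates a downloaded leaf certificate against a CA bundle for the expected hostname, and shows the live TLS handshake with openssl s_client so the served chain can be inspected. The hostname www.domain.com is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: post-deployment checks for the
# Tomcat HTTPS setup. Hostnames and file names are placeholders.
set -eu

# redirect_to_https <raw-response-headers>
# Returns 0 when the response is a 3xx redirect whose Location is an https:// URL.
# Feed it the output of: curl -sI http://www.domain.com:8080/
redirect_to_https() {
    local headers="$1" status location
    status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2}')
    case "$status" in
        301|302|303|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_valid_for_host <leaf.pem> <ca-bundle.pem> <hostname>
# Returns 0 when the leaf chains to the bundle and carries the hostname
# (SAN, or CN when no SAN is present).
cert_valid_for_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# live_checks <hostname>
# Needs network access to the deployed server; not exercised offline.
live_checks() {
    local host="$1" headers
    headers=$(curl -sI --max-time 10 "http://$host:8080/" || true)
    if redirect_to_https "$headers"; then
        echo "8080 redirects to HTTPS"
    else
        echo "8080 does NOT redirect to HTTPS (check redirectPort and the CONFIDENTIAL constraint)"
    fi
    # -servername sends SNI. "Verify return code: 0 (ok)" means the served
    # chain (leaf plus the intermediate from the Nginx bundle) validates
    # against the local trust store; a non-zero code usually means the
    # intermediate is missing from the keystore.
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | grep -E 'Verify return code|subject=|issuer='
}

# Usage: live_checks www.domain.com
```

Run live_checks from a machine outside the server, since a loopback test would not show whether the 443 and 8080 connectors are reachable the way clients see them.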