Tomcat SSL (HTTPS) configuration procedure
1. If you are on JDK 1.3 or earlier, download the Java Secure Socket Extensions (JSSE) package, version 1.0.2 or later, from http://java.sun.com/products/jsse/. JDK 1.4.x already bundles JSSE, so nothing needs to be installed: skip this step and go to step 2.
Copy the three JAR files (jcert.jar, jnet.jar and jsse.jar) into the $JAVA_HOME/jre/lib/ext directory and create a system environment variable JSSE_HOME pointing at that directory.
2. First, generate a keystore holding a certificate with keytool, the tool shipped with the JDK:
On Windows:
%JAVA_HOME%/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore
On Unix (Linux):
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore
"/path/to/my/keystore" is the full path of the keystore file you want generated; adjust it to your setup. Putting it in Tomcat's root directory, e.g. c:/tomcat/keystore, is recommended. Keep the alias tomcat, since that is the entry Tomcat looks up, and keep -keyalg RSA, which selects an RSA key pair instead of keytool's default, DSA.
The command prompts for a keystore password and then for the certificate's distinguished name (first and last name, organisational unit, organisation, city, and so on). The answer to "first and last name" becomes the certificate's CN and must be exactly the host name clients will use in the URL (localhost for the test in step 4); otherwise browsers reject the certificate as not matching the site. The other fields can be filled in freely. The password must be at least six characters; remember it, e.g. mypassword. When keytool finally asks for the key password, press Enter to reuse the keystore password: Tomcat reads a single keystorePass value and uses it for both the keystore and the key.
3. Edit the server.xml file under the Tomcat directory and uncomment the SSL Connector section, which is commented out by default.
The following attributes can be added to the <Factory> tag as needed:
Attribute - Description
className - The fully qualified class name of the Java class that implements this socket factory. Do not change the default value.
clientAuth - Set this value to true if you want Tomcat to require all SSL clients to present a client Certificate in order to use this socket.
keystoreFile - Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable.
keystorePass - Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit).
protocol - The encryption/decryption protocol to be used on this socket. Do not change the default value.
Using the password chosen in step 2 and the path where the keystore file was placed, modify the section above so that keystorePass is the password entered when generating the keystore and keystoreFile is the full path of the keystore file. This puts the keystore password into server.xml in clear text, so make sure that file (and the keystore itself) is readable only by the account Tomcat runs under.
4. Restart Tomcat. If it starts without errors, you are done: open https://localhost:8443 to see the result. The browser will warn that the certificate is untrusted, because it is self-signed rather than issued by a CA; that is expected for a test setup. For anything else, have the certificate signed by a CA (keytool -certreq produces the signing request) or install the self-signed certificate in the clients' trust stores.
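Steps 2 to 4 as one script, added here as a worked example; it is not part of the original page. It assumes keytool and openssl are on PATH, it makes up the organisation fields of the DN, and the Connector and Factory class names and default attributes are taken from Tomcat 4.0's shipped server.xml (an assumption, since the page does not reproduce that section).

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive keystore
# generation (step 2), a check that the keystore and key passwords match
# (Tomcat's single keystorePass covers both), the Connector/<Factory>
# fragment for server.xml (step 3) and a browser-free check of the
# served certificate (step 4).
# Assumptions: keytool and openssl on PATH; class names and defaults as in
# Tomcat 4.0's shipped server.xml.
set -eu

# Subject of the certificate. The CN must be the host name clients will put
# in the URL; the remaining fields are free-form (values here are made up).
dname_for() {
    printf 'CN=%s, OU=IT, O=Example Corp, L=Beijing, ST=Beijing, C=CN' "$1"
}

# Same value for -storepass and -keypass: Tomcat 4 has only keystorePass and
# uses it to open both the keystore and the "tomcat" key entry. Passing the
# password on the command line makes it visible in the process list while
# keytool runs; drop both flags and answer the prompts if that matters.
generate_keystore() {
    host="$1"; store="$2"; pass="$3"
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$(dname_for "$host")" \
        -keystore "$store" -storepass "$pass" -keypass "$pass"
    chmod 600 "$store"   # only the Tomcat account should read the private key
}

# Non-zero exit if the password is wrong or the tomcat alias is missing,
# which is exactly what Tomcat would trip over at startup.
verify_keystore() {
    keytool -list -alias tomcat -keystore "$1" -storepass "$2" >/dev/null
}

# Render the SSL Connector with keystoreFile/keystorePass filled in, to be
# pasted over the commented-out section of server.xml.
connector_xml() {
    store="$1"; pass="$2"
    cat <<EOF
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="$store" keystorePass="$pass"/>
</Connector>
EOF
}

# Step 4 without a browser: print the subject of the certificate Tomcat
# presents. s_client will also report "self signed certificate"
# (verify error 18); that is expected for a -genkey keystore.
show_served_cert() {
    echo | openssl s_client -connect "$1:8443" 2>/dev/null \
        | openssl x509 -noout -subject
}

# The side effects only run when explicitly requested, e.g.:
#   TOMCAT_SSL_APPLY=1 SSL_HOST=localhost KEYSTORE=/opt/tomcat/keystore \
#       KEYSTORE_PASS=mypassword sh tomcat-ssl.sh
if [ "${TOMCAT_SSL_APPLY:-0}" = "1" ]; then
    generate_keystore "$SSL_HOST" "$KEYSTORE" "$KEYSTORE_PASS"
    verify_keystore "$KEYSTORE" "$KEYSTORE_PASS"
    connector_xml "$KEYSTORE" "$KEYSTORE_PASS"
    # After editing server.xml and restarting Tomcat:
    #   show_served_cert "$SSL_HOST"
fi
```

Run it with TOMCAT_SSL_APPLY=1 and the three variables set; without that variable it only defines the functions, so it can be sourced and the pieces called individually. The -keysize 2048 and -validity 365 values are the example's choices, not the page's.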