Tomcat JMX SSL configuration
Tested with Tomcat version 9.0.62
First generate the server keystore and certificate
keytool -genkeypair -keystore serverkeystore -alias serverkey -validity 180 -storepass serverpass -keypass serverpass
keytool -exportcert -keystore serverkeystore -alias serverkey -storepass serverpass -file server.cer
Generate the client keystore and certificate
keytool -genkeypair -keystore clientkeystore -alias clientkey -validity 180 -storepass clientpass -keypass clientpass
keytool -exportcert -keystore clientkeystore -alias clientkey -storepass clientpass -file client.cer
Import the client certificate into the server truststore
keytool -importcert -file client.cer -keystore servertruststore -storepass servertrustpass
Import the server certificate into the client truststore
keytool -importcert -file server.cer -keystore clienttruststore -storepass clienttrustpass
After the keystores and certificates have been generated, modify bin\service.bat
Add the following to jvmOptions (the options are separated by ';'):
-Djava.rmi.server.hostname=192.168.2.116;-Dcom.sun.management.jmxremote.port=8090;-Dcom.sun.management.jmxremote.rmi.port=8090;-Dcom.sun.management.jmxremote.authenticate=false;-Dcom.sun.management.jmxremote.ssl=true;-Dcom.sun.management.jmxremote.ssl.need.client.auth=true;-Dcom.sun.management.jmxremote.registry.ssl=true;-Djavax.net.ssl.keyStore=%CATALINA_BASE%\conf\jmx-ssl\serverkeystore;-Djavax.net.ssl.keyStorePassword=serverpass;-Djavax.net.ssl.trustStore=%CATALINA_BASE%\conf\jmx-ssl\servertruststore;-Djavax.net.ssl.trustStorePassword=servertrustpass;
jmxremote.port may be the same as jmxremote.rmi.port
Note: if -Dcom.sun.management.jmxremote.rmi.port is not specified, a random port is used; if the server does not open that port, jconsole will be unable to connect.
After modifying service.bat, the Tomcat service must be reinstalled.
jconsole SSL connection:
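The jvmOptions line is easy to get wrong (a single dropped ';' fuses two -D options into one, and a weakened flag silently turns mutual TLS off). The following checker is an added example, not part of the original notes; it parses the ';'-separated string from above and reports any deviation from the hardened settings (ssl, registry.ssl and need.client.auth all true, rmi.port pinned, keystore and truststore set).

```python
# Added example: sanity-check the service.bat jvmOptions string for JMX over SSL.
REQUIRED = {"com.sun.management.jmxremote.ssl": "true",
            "com.sun.management.jmxremote.registry.ssl": "true",
            "com.sun.management.jmxremote.ssl.need.client.auth": "true"}


def parse_jvm_options(options: str) -> dict:
    """Split the ';'-separated service.bat jvmOptions into {property: value}."""
    props = {}
    for token in filter(None, (t.strip() for t in options.split(";"))):
        # Two -D flags inside one token means a ';' was forgotten between them.
        if token.count("-D") > 1:
            raise ValueError(f"missing ';' separator in token: {token}")
        if not token.startswith("-D") or "=" not in token:
            raise ValueError(f"not a -Dkey=value option: {token}")
        key, value = token[2:].split("=", 1)
        props[key] = value
    return props


def check_jmx_ssl(options: str) -> list:
    """Return a list of problems; an empty list means the hardened setup is intact."""
    try:
        props = parse_jvm_options(options)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"{k} should be {v}, got {props.get(k)!r}"
                for k, v in REQUIRED.items() if props.get(k) != v]
    # authenticate=false is only acceptable because client certificates are mandatory.
    if (props.get("com.sun.management.jmxremote.authenticate") == "false"
            and props.get("com.sun.management.jmxremote.ssl.need.client.auth") != "true"):
        problems.append("password auth disabled without mandatory client certificates")
    if "com.sun.management.jmxremote.rmi.port" not in props:
        problems.append("rmi.port not pinned: RMI picks a random port the firewall may block")
    problems += [f"{k} missing" for k in ("javax.net.ssl.keyStore", "javax.net.ssl.trustStore")
                 if k not in props]
    return problems


# The jvmOptions line from the notes above, with every ';' present.
HARDENED = (
    "-Djava.rmi.server.hostname=192.168.2.116;"
    "-Dcom.sun.management.jmxremote.port=8090;"
    "-Dcom.sun.management.jmxremote.rmi.port=8090;"
    "-Dcom.sun.management.jmxremote.authenticate=false;"
    "-Dcom.sun.management.jmxremote.ssl=true;"
    "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true;"
    "-Dcom.sun.management.jmxremote.registry.ssl=true;"
    r"-Djavax.net.ssl.keyStore=%CATALINA_BASE%\conf\jmx-ssl\serverkeystore;"
    "-Djavax.net.ssl.keyStorePassword=serverpass;"
    r"-Djavax.net.ssl.trustStore=%CATALINA_BASE%\conf\jmx-ssl\servertruststore;"
    "-Djavax.net.ssl.trustStorePassword=servertrustpass;")
```

Running check_jmx_ssl on HARDENED returns an empty list; on the same string with the ';' before authenticate=false removed it reports the missing separator instead of silently accepting the fused option.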
jconsole -J-Djavax.net.ssl.keyStore=C:\Users\zch\clientkeystore -J-Djavax.net.ssl.keyStorePassword=clientpass -J-Djavax.net.ssl.trustStore=C:\Users\zch\clienttruststore -J-Djavax.net.ssl.trustStorePassword=clienttrustpass