Linux服务器下Tomcat SSL 配置

最新推荐文章于 2023-07-20 20:13:08 发布

置顶山里小龙

最新推荐文章于 2023-07-20 20:13:08 发布

阅读量8.9k

点赞数

分类专栏：网络安全文章标签： tomcat 服务器 linux authorization ssl pair

本文链接：https://blog.csdn.net/zilong00007/article/details/7286005

版权

网络安全专栏收录该内容

2 篇文章 0 订阅

订阅专栏

文档内所有命令依据系统环境为：

JAVA: jdk1.6.0_30

System: CentOS release 5.7

Tomcat: apache-tomcat-6.0.26

KeyTool:jdk自带

１．生成认证文件:

1>.生成 server key ：
keytool -genkey -alias nsp -keyalg  RSA -validity 3650  -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.keystore
Enter keystore password:  ← 输入密码
Re-enter new password: 　← 输入确认密码
What is your first and last name?
  [Unknown]:  your name　← 输入用户
What is the name of your organizational unit?
  [Unknown]:  ← 不输入，直接回车
What is the name of your organization?
  [Unknown]:  your organization　 ← 输入组织名
What is the name of your City or Locality?
  [Unknown]:  fs　← 输入城市
What is the name of your State or Province?
  [Unknown]:  gd　← 输入省份
What is the two-letter country code for this unit?
  [Unknown]: ← 不输入，直接回车
Is CN=jeff, OU=jeff, O=nsp, L=fs, ST=gd, C=123 correct?
  [no]:  y

Enter key password for <nsp>
        (RETURN if same as keystore password):
Re-enter new password:

２>.生成 pl2文件 ：
keytool -genkey -v -alias nsp -keyalg RSA -storetype PKCS12 -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.pl2 -dname "CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn" -storepass cdcgs123 -keypass cdcgs123

Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
        for: CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn
[Storing /opt/apache-tomcat-6.0.26/keystore2/nsp.pl2]

３>导入过程分2步，第一步是导出证书，第二步是导入到证书信任库，命令如下：
keytool -export -alias nsp -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.pl2 -storetype PKCS12 -storepass cdcgs123 -rfc -file /opt/apache-tomcat-6.0.26/keystore/nsp.cer

Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
        for: CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn
[Storing /opt/apache-tomcat-6.0.26/keystore2/nsp.pl2]

keytool -import -v -file /opt/apache-tomcat-6.0.26/keystore/nsp.cer -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.keystore -storepass cdcgs123

2.设置TOMCAT使其增加SSL支持，修改service.xml文件:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" 
               clientAuth="false" sslProtocol="TLS" keystore="/opt/apache-tomcat-6.0.26/keystore/nsp.keystore" keystorePass="cdcgs123" />

3.如果要对单独工程的强制安全访问，对相应工程的web.xml文件加入如下代码：

<login-config>   
		<!-- Authorization setting for SSL -->   
		<auth-method>CLIENT-CERT</auth-method>   
		<realm-name>Client Cert Users-only Area</realm-name>   
	</login-config>   
	<security-constraint>   
		<!-- Authorization setting for SSL -->   
		<web-resource-collection >   
			<web-resource-name >SSL</web-resource-name>   
			<url-pattern>/*</url-pattern>   
		</web-resource-collection>   
		<user-data-constraint>   
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>   
		</user-data-constraint>   
	</security-constraint>

４．如上配置好后便可以用 Https://domain:8443 方式直接访问.