如果希望 Tomcat 支持 https,主要的工作是配置 SSL 协议
https
- 生成安全证书
- 配置tomcat
配置环境:
- Centos 7.6
- Java1.8
- Tomcat 9.0.20
下载软件
Tomcat 9
[root@localhost ~]# wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.20/bin/apache-tomcat-9.0.20.tar.gz
JDK 1.8
[root@localhost ~]# wget https://download.oracle.com/otn/java/jdk/8u211-b12/478a62b7d4e34b78b671c754eaaf38ab/jdk-8u211-linux-x64.tar.gz?AuthParam=1557925466_c1e8a4be89edbd8384205f446081b390
(该下载地址已失效 请自行在官网复制下载地址)
链接: https://pan.baidu.com/s/1Ezh2Y8fx7EcBMuSURwabgQ 提取码: ux3a
生成安全证书
1. 配置java环境
因为SUN公司提供了制作证书的工具keytool, 在JDK 1.4以后的版本中都包含了这一工具,它的位置为<JAVA_HOME>/bin/keytool
[root@localhost software]# tar -zxvf jdk-8u211-linux-x64.tar.gz -C /usr/src/
[root@localhost software]# vim /etc/profile
#Java Env
export JAVA_HOME=/usr/src/jdk1.8.0_211
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$PATH:$JAVA_HOME/bin
使环境变量立即生效,查看JDK的版本;
[root@localhost software]# source /etc/profile
[root@localhost software]# java -version
java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.211-b12, mixed mode)
2.安装Tomcat
解压Tomcat软件包;
[root@localhost software]# tar -zxvf apache-tomcat-9.0.20.tar.gz -C /usr/src
3.生成证书
keytool -genkeypair -alias [user] -keyalg [认证类型] -keystore [file]
常用参数介绍:
-
keytool -genkey:自动使用默认的算法生成公钥和私钥
-
-alias[名称]:给证书取个别名
-
-keyalg:制定密钥的算法,如果需要制定密钥的长度,可以再加上keysize参数,密钥长度默认为1024位,使用DSA算法时,密钥长度必须在512到1024之间,并且是64的整数倍
-
-keystore:参数可以指定密钥库的名称。密钥库其实是存放迷药和证书文件,密钥库对应的文件如果不存在会自动创建。
-
-validity:证书的有效日期,默认是90天
-
-keypass changeit:不添加证书密码
-
-storepass changeit:不添加存储证书的密码
[root@localhost ~]# keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/src/apache-tomcat-9.0.20/conf/.keystore
Enter keystore password: #123456
Re-enter new password:
What is your first and last name?
[Unknown]: yue
What is the name of your organizational unit?
[Unknown]: yue
What is the name of your organization?
[Unknown]: CNCF
What is the name of your City or Locality?
[Unknown]: ShangHai
What is the name of your State or Province?
[Unknown]: SH
What is the two-letter country code for this unit?
[Unknown]: cn
Is CN=yue, OU=yue, O=CNCF, L=ShangHai, ST=SH, C=cn correct?
[no]: yes
Enter key password for <tomcat> #123456
(RETURN if same as keystore password):
Re-enter new password:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/src/apache-tomcat-9.0.20/conf/.keystore -destkeystore /usr/src/apache-tomcat-9.0.20/conf/.keystore -deststoretype pkcs12".
[root@localhost ~]#
配置tomcat
定位到tomcat的安装目录,找到 /usr/src/apache-tomcat-9.0.20/conf 下的server.xml 文件
修改 server.xml 文件,配置https连接器;
注释掉http连接器
<!--
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
-->
释放掉https连接器
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
修改为如下:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/.keystore"
type="RSA" certificateKeystorePassword="123456" />
</SSLHostConfig>
</Connector>
浏览器访问8443端口的连接器时,会以加密的方式来访问web服务器,连接器收到浏览器的请求后,会向浏览器出示一份数字证书,浏览器再用数字证书里面的公钥来加密数据, certificateKeystoreFile="conf/.keystore"用来指明密钥库文件的所在路径,服务器从密钥库中提取证书时需要密码,certificateKeystorePassword="123456"指明密钥库的访问密码。(tomcat8及8以下的版本配置的是keystoreFile="conf/.keystore"和keystorePass="123456")
启动Tomcat测试
https
网友评论