[转] 2 ways to setup SSL on Tomcat 7
This post will demonstrate how to setup SSL on Tomcat 7 with and without Apache2 in Debian servers using self-signed certificates. This should work with Debian Squeeze and Wheezy servers. We assume you already have existing Apache 2 and Tomcat 7 installations.
With this method Tomcat apps are accessed securely and directly without referencing a Tomcat port.
1 https://yourdomain.com
Let us begin by installing mod_jk and enabling SSL modules. SSL module comes bundled with Apache2.
1 # installing jk will also enable it 2 apt-get install libapache2-mod-jk 3 a2enmod ssl
Create worker/connector
This is the connector that Apache2 uses to communicate with Tomcat.
1 # Choose a name desired 2 vi /etc/apache2/workers.properties
1 # Make sure this points to the correct path of Tomcat 2 # and your Java installations 3 # This corresponds to your JAVA_HOME and CATALINA_HOME 4 workers.tomcat_home=/opt/tomcat 5 workers.java_home=/opt/java7 6 7 ps=/ 8 9 worker.list=default 10 worker.default.port=8009 11 worker.default.host=localhost 12 worker.default.type=ajp13 13 worker.default.lbfactor=1
default in line 9 above is the name of the connector. This is the name used in our Virtual Host setup (we will come to this later).
Edit/Create a global Apache2 jk configuration
1 vi /etc/apache2/conf.d/jk.conf
1 <ifmodule mod_jk.c> 2 # This is the file workers file we created earlier 3 JkWorkersFile /etc/apache2/workers.properties 4 JkLogFile /var/log/apache2/mod_jk.log 5 JkShmFile /var/log/apache2/mod_jk.shm 6 JkLogLevel error 7 </ifmodule>
Create a virtual Host
Here we will be using certificates that come with ssl-cert package from Debian. This is only for this demonstration. You can generate you own self-signed certificates by using openssl. There is quite a lot of online guides you can visit on using openssl.
For now, we use a certificate that comes with ssl-cert, snakeoil.
We create 2 virtual hosts, one for unsecure and one for the secure https access. Both of them should mount our default jk connector we created in our workers.properties file. Here below is what it should look like. If you are already using mod_jk, you must have already created an unsecure virtual host, if you are, just copy them and insert the SSL sections/lines.
1 NameVirtualHost your-server-ip-address:80 2 NameVirtualHost your-server-ip-address:443 3 4 <virtualhost ip-or-yourdomain.com:80> 5 JkMount /* default 6 ServerName yourdomain.com 7 ServerAdmin admin@emil.com 8 DocumentRoot /opt/tomcat/webapps 9 ErrorLog /opt/tomcat/logs/error.log 10 CustomLog /opt/tomcat/logs/access.log common 11 <directory /opt/tomcat/webapps> 12 Options -Indexes 13 </directory> 14 # You other directives 15 </virtualhost> 16 17 <virtualhost ip-or-yourdomain.com:443> 18 SSLEngine on 19 SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem 20 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 21 JkMount /* default 22 ServerName yourdomain.com 23 ServerAdmin admin@emil.com 24 DocumentRoot /opt/tomcat/webapps 25 ErrorLog /opt/tomcat/logs/error.log 26 CustomLog /opt/tomcat/logs/access.log common 27 <directory /opt/tomcat/webapps> 28 Options -Indexes 29 </directory> 30 # You other directives 31 </virtualhost>
Now edit your Tomcat server.xml and uncomment the AJP connector.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Please note that you use only one jk connector for both secure and unsecure connections. Connector port (8009) should match to the port defined earlier in the workers.properties file we created.
Restart apache2 and tomcat and test.
1 http://yourdomain.com 2 https://yourdomain.com
Please be aware though that you will get a warning, from your browser, that you are using an untrusted certificate provider. Just ignore them.
In this setup you will have to specify the port to access Tomcat securely, like below. This bypasses Apache completely.
1 https://yourdomain:8443
We begin by generating a keystore using Java's keytool.
1 JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat7/keystore
The above command asks a few questions. When prompted for "first and last name", enter your domain name. Passwords will also be asked for the keystore and the certificate. The actual keystore is created in /opt/tomcat7/keystore with 1 certificate.
Verify your keystore.
1 JAVA_HOME/bin/keytool -list -keystore /opt/tomcat7/keystore
Change ownership and access permission to the file.
1 chown tomcat:tomcat /opt/tomcat7/keystore 2 chmod 755 /opt/tomcat7/keystore
We are assuming from the commands above that you have a user tomcat and group tomcat that owns the Tomcat process in your system.
Edit you Tomcat server.xml and uncomment the 8443 connector and then add our keystore details. See below.
1 <Connector port="8443" 2 protocol="HTTP/1.1" 3 maxThreads="150" 4 SSLEnabled="true" 5 scheme="https" 6 secure="true" 7 keystoreFile="/opt/tomcat7/keystore" 8 keystorePass="password" 9 keyAlias="tomcat" 10 clientAuth="false" 11 sslProtocol="TLS" />
The above connector uses a blocking HTTP/1.1 protocol. Use NIO or APR as may be desired. Replace "password" with the actual password of your keystore.
Save and restart Tomcat.
Like method #1, your browser will warn you of the untrusted certificate. Just ignore them.