Tomcat 8.5 添加https认证

因为不同版本 Tomcat 配置上可能有所不同，所以这里只介绍最新的 8.5 版本。

因为我是测试环境，我可以借用 JDK自带工具keytool生成一个测试用的证书。

参考文档：

https://www.cnblogs.com/xdp-gacl/p/3750965.html

https://tudan.blog.csdn.net/article/details/106257362

## 1、生成证书

[root@web01 tools]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore test.keystore

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]: localhost

What is the name of your organizational unit?

[Unknown]: abc

What is the name of your organization?

[Unknown]: xyz

What is the name of your City or Locality?

[Unknown]: ZH

What is the name of your State or Province?

[Unknown]: cq

What is the two-letter country code for this unit?

[Unknown]: cc

Is CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc correct?

[no]: y

Enter key password for <tomcat>

(RETURN if same as keystore password):

Re-enter new password:

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".

## 2、查看证书内容

[root@web01 tools]# $JAVA_HOME/bin/keytool -list -keystore test.keystore

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Mar 12, 2021, PrivateKeyEntry,

Certificate fingerprint (SHA-256): C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26

Warning:

## 3、导出证书

[root@web01 tools]# $JAVA_HOME/bin/keytool -export -alias tomcat -file tomcat.crt -keystore test.keystore

Enter keystore password:

Certificate stored in file <tomcat.crt>

Warning:

[root@web01 tools]# ll

-rw-r--r-- 1 root root 2200 Mar 12 14:45 test.keystore

-rw-r--r-- 1 root root 849 Mar 12 14:50 tomcat.crt

## 4、查看证书信息

[root@web01 tools]# $JAVA_HOME/bin/keytool -printcert -file tomcat.crt

Owner: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc

Issuer: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc

Serial number: 3a9217f6

Valid from: Fri Mar 12 14:45:13 CST 2021 until: Thu Jun 10 14:45:13 CST 2021

Certificate fingerprints:

SHA1: 43:87:78:FD:83:B3:67:71:B8:BA:4A:BC:04:C7:11:BC:C9:E7:0F:DE

SHA256: C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: D3 0C 02 F1 67 15 60 97 71 5C 6D 93 AB 0F A3 85 ....g.`.q\m.....

0010: F0 83 86 35 ...5

]

## 5、导入证书

[root@web01 tools]# $JAVA_HOME/bin/keytool -import -keystore test_crt -file tomcat.crt

Enter keystore password:

Re-enter new password:

Owner: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc

Issuer: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc

Serial number: 3a9217f6

Valid from: Fri Mar 12 14:45:13 CST 2021 until: Thu Jun 10 14:45:13 CST 2021

Certificate fingerprints:

SHA1: 43:87:78:FD:83:B3:67:71:B8:BA:4A:BC:04:C7:11:BC:C9:E7:0F:DE

SHA256: C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26

Signature algorithm name: SHA256withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: D3 0C 02 F1 67 15 60 97 71 5C 6D 93 AB 0F A3 85 ....g.`.q\m.....

0010: F0 83 86 35 ...5

]

Trust this certificate? [no]: y

Certificate was added to keystore

## 查看证书信息

[root@web01 tools]# $JAVA_HOME/bin/keytool -list -keystore test_crt

Enter keystore password:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 1 entry

mykey, Mar 12, 2021, trustedCertEntry,

Certificate fingerprint (SHA-256): C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26

[root@web01 tools]# ll

-rw-r--r-- 1 root root 911 Mar 12 15:01 test_crt

-rw-r--r-- 1 root root 2200 Mar 12 14:45 test.keystore

-rw-r--r-- 1 root root 849 Mar 12 14:50 tomcat.crt

## 6、删除证书

[root@web01 tools]# $JAVA_HOME/bin/keytool -delete -keystore test_crt -alias mykey

Enter keystore password:

[root@web01 tools]# ll

-rw-r--r-- 1 root root 32 Mar 12 15:04 test_crt

-rw-r--r-- 1 root root 2200 Mar 12 14:45 test.keystore

-rw-r--r-- 1 root root 849 Mar 12 14:50 tomcat.crt

## 7、修改证书密码

[root@web01 tools]# $JAVA_HOME/bin/keytool -keypasswd -alias tomcat -keystore test.keystore

Enter keystore password:

New key password for <tomcat>:

Re-enter new key password for <tomcat>:

Warning:

开启 HTTPS 访问

生成证书

[root@web01 conf]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]: localhost

What is the name of your organizational unit?

[Unknown]: abc

What is the name of your organization?

[Unknown]: xyz

What is the name of your City or Locality?

[Unknown]: zh

What is the name of your State or Province?

[Unknown]: cq

What is the two-letter country code for this unit?

[Unknown]: aa

Is CN=localhost, OU=abc, O=xyz, L=zh, ST=cq, C=aa correct?

[no]: y

Enter key password for <tomcat>

(RETURN if same as keystore password):

Re-enter new password:

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /root/.keystore -destkeystore /root/.keystore -deststoretype pkcs12".

打开 conf 下的 server.xml，从中找到如下注释信息。

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443

This connector uses the NIO implementation. The default

SSLImplementation will depend on the presence of the APR/native

library and the useOpenSSL attribute of the

AprLifecycleListener.

Either JSSE or OpenSSL style configuration may be used regardless of

the SSLImplementation selected. JSSE style configuration is used below.

--><!--

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

maxThreads="150" SSLEnabled="true">

<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"

type="RSA" />

</SSLHostConfig>

</Connector>

-->

去掉 Connector 的注释，修改 SSLHostConfig 为如下格式（PS：旧版本的 Tomcat 是直接配置在 Connector 属性上的，该写法以后将被弃用）。如果是更复杂的需求，则需要根据实际情况并参考官方文档来进行配置，这里不做深入研究。

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

maxThreads="150" SSLEnabled="true">

<Certificate certificateKeystoreFile="conf/域名的 jks 文件"

certificateKeystorePassword="jks 文件密码"

certificateKeyAlias="jks 别名，一般为申请的证书域名"

type="RSA" />

</SSLHostConfig></Connector>

参数说明：

certificateKeystoreFile 指定 jks 文件所在，相对路径则是相对于 $CATALINA_BASE，一般为 Tomcat 所在目录。
certificateKeystorePassword jks 文件密码。
certificateKeyAlias jks 别名,一般为申请的证书域名，可通过 jdk 的 keytool –list –keystore jks文件 –storepass jks文件密码命令查看 jks 别名。

至此配置后，则能通过 HTTPS 访问了（默认端口为 8443），但同时也可以通过 HTTP 访问（默认端口为 8080）。

强制 HTTPS 访问

为了让网站强制使用 HTTPS，需要修改 Tomcat conf 目录下 web.xml，在文件末尾（一般情况）的 </web-app> 结束标签前添加如下代码。

<login-config>

<auth-method>CLIENT-CERT</auth-method>

<realm-name>Client Cert Users-only Area</realm-name></login-config>

<security-constraint>

<web-resource-collection>

<web-resource-name>SSL</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<user-data-constraint>

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint></security-constraint>

该配置是我网上搜寻来的，用是可以用的，只是尚未完全理解。

其中 login-config 好像是配置 Tomcat users 登录认证方式为客户端证书认证，这个一般很少用到，具体如何认证没研究过，只是似乎和 HTTPS 没啥关系，疑似无用配置；security-constraint 是配置所有url请求为 HTTPS，这个配置才是主要的。

配置完后，通过 HTTP 访问的请求自动会重定向到 HTTPS。

需要注意的是，如果在部署项目时，如果项目的 web.xml 配置了 security-constraint 相关参数，则可能会覆盖掉在 Tomcat 的 web.xml 里配置的信息，导致该项目部分地址可通过HTTP访问。

HTTPS 默认端口

一般访问网站，不管是 HTTP 还是 HTTPS ，都不需要加端口号的，因为 HTTP 默认是 80，HTTPS 默认是 443，而在 Tomcat 中则是 8080 和 8443，为了访问方便、简洁，则需要修改 conf 下的 server.xml，将里面的 8080 都改成 80，8443 都改成 443 即可。

posted @ 2021-03-12 16:26 jianchen013 阅读(750) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

JACKZD

Tomcat 8.5 添加https认证

开启 HTTPS 访问

强制 HTTPS 访问

HTTPS 默认端口

公告