Tomcat + HTTPS in Practice
1. Creating a certificate with keytool
In production you would buy a certificate from a CA; this is purely a demonstration, so we create one by hand for testing.
For the configuration itself, you can refer to Alibaba Cloud's documentation.
1.1 Create the certificate
]# mkdir /usr/local/tomcat/ssl && cd /usr/local/tomcat/ssl/
]# keytool -genkey -alias zrlog -keyalg RSA -validity 1000 -keystore 20230503.pfx
Enter keystore password:                          # enter a password
Re-enter new password:                            # enter the password again
What is your first and last name?
  [Unknown]:  zrlog                               # name
What is the name of your organizational unit?
  [Unknown]:  cyc.com                             # organizational unit
What is the name of your organization?
  [Unknown]:  cyc                                 # company name
What is the name of your City or Locality?
  [Unknown]:  sz                                  # city
What is the name of your State or Province?
  [Unknown]:  gd                                  # province
What is the two-letter country code for this unit?
  [Unknown]:  cn                                  # country
Is CN=zrlog, OU=cyc.com, O=cyc, L=sz, ST=gd, C=cn correct?
  [no]:  yes
Enter key password for <zrlog>
        (RETURN if same as keystore password):    # enter the password from above
Re-enter new password:                            # enter the password from above

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore 20230503.pfx -destkeystore 20230503.pfx -deststoretype pkcs12".
1.2 Convert to PKCS12 format
# convert the keystore to PKCS12 format (the command the warning above suggests)
]# keytool -importkeystore -srckeystore 20230503.pfx -destkeystore 20230503.pfx -deststoretype pkcs12
1.3 Check the result
tomcat01 ssl]# ll
-rw-r--r-- 1 root root 2541 May  3 23:28 20230503.pfx
-rw-r--r-- 1 root root 2199 May  3 23:28 20230503.pfx.old
2. Configuring Tomcat for HTTPS
2.1 Configure Tomcat
vi /usr/local/tomcat/conf/server.xml
...
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="/usr/local/tomcat/ssl/20230503.pfx"
           keystoreType="PKCS12" keystorePass="tomcat"
           clientAuth="false"
           SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
...
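Before restarting, it is worth auditing what the Connector above actually offers: TLSv1.1 is deprecated (RFC 8996), every TLS_RSA_* suite uses static RSA key exchange and so gives no forward secrecy, and all six listed suites are CBC-mode rather than AEAD. With TLSv1.3 enabled, also confirm with the JSSE provider that a TLS 1.3 suite remains available, since none of the listed suites is one. The script below is an added example, not part of the original post or of Tomcat; it parses a copy of the post's Connector element (embedded as a constructed sample) and reports those findings. The split on both "," and "+" mirrors the separators Tomcat accepts in protocol and cipher lists.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS Connector from the post's server.xml, copied verbatim.
CONNECTOR_XML = '''<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true"
    keystoreFile="/usr/local/tomcat/ssl/20230503.pfx" keystoreType="PKCS12"
    keystorePass="tomcat" clientAuth="false"
    SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>'''

# SSLv2/SSLv3 and TLS 1.0/1.1 should no longer be offered (TLS 1.0/1.1: RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def split_list(value):
    """Tomcat accepts ',' or '+' as separators in its protocol and cipher lists."""
    return [item.strip() for item in value.replace("+", ",").split(",") if item.strip()]


def parse_connector(xml_text):
    """Pull the TLS-relevant attributes out of a single <Connector> element."""
    attrs = ET.fromstring(xml_text).attrib
    # Tomcat 8.5+/9 still accepts the legacy Connector-level attribute names;
    # both spellings are seen in the wild, so accept either.
    protocols = attrs.get("SSLProtocol") or attrs.get("sslEnabledProtocols") or ""
    return {
        "port": attrs.get("port"),
        "protocols": split_list(protocols),
        "ciphers": split_list(attrs.get("ciphers", "")),
    }


def audit_protocols(protocols):
    """Return the enabled protocol versions that should no longer be offered."""
    return [p for p in protocols if p in DEPRECATED_PROTOCOLS]


def audit_ciphers(ciphers):
    """Flag suites without forward secrecy (static RSA) and CBC-mode suites."""
    findings = []
    for suite in ciphers:
        if suite.startswith("TLS_RSA_WITH_"):
            findings.append((suite, "static RSA key exchange: no forward secrecy"))
        elif "_CBC_" in suite:
            findings.append((suite, "CBC mode: prefer an AEAD (GCM or CHACHA20) suite"))
    return findings


def audit_connector(xml_text):
    """Full report for one Connector: deprecated protocols, weak suites, what survives."""
    cfg = parse_connector(xml_text)
    weak = audit_ciphers(cfg["ciphers"])
    return {
        "port": cfg["port"],
        "deprecated_protocols": audit_protocols(cfg["protocols"]),
        "weak_ciphers": weak,
        # Number of configured suites that pass both checks.
        "acceptable_ciphers": len(cfg["ciphers"]) - len(weak),
    }


if __name__ == "__main__":
    report = audit_connector(CONNECTOR_XML)
    print(f"Connector on port {report['port']}")
    for proto in report["deprecated_protocols"]:
        print(f"  deprecated protocol enabled: {proto}")
    for suite, why in report["weak_ciphers"]:
        print(f"  weak cipher {suite}: {why}")
    print(f"  acceptable suites remaining: {report['acceptable_ciphers']}")
```

Run against the post's Connector it flags TLSv1.1 plus all six suites, leaving none; swapping the list for ECDHE GCM suites (for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and dropping TLSv1.1 clears every finding.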
2.2 Restart Tomcat
systemctl restart tomcat
2.3 Configure hosts
192.168.10.5 zrlog.cyc.com
2.4 Test access
https://zrlog.cyc.com/
3. Forcing HTTP to redirect to HTTPS
3.1 Configure web.xml
]# vi /usr/local/tomcat/conf/web.xml
...
    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <web-resource-name>SLL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
...
</web-app>
3.2 Configure server.xml
]# vi /usr/local/tomcat/conf/server.xml
...
<!-- the key change is redirectPort="443": the HTTPS port is 443 -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"
           maxParameterCount="1000" />
...
3.3 Restart Tomcat
systemctl restart tomcat
3.4 Test access
http://zrlog.cyc.com:8080 redirects to https://zrlog.cyc.com/
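Two things are worth checking rather than eyeballing in a browser: that web.xml really covers every path ("/*") with a CONFIDENTIAL transport guarantee, and that the plain-HTTP listener answers with a redirect whose Location is https:// on the same host (Tomcat builds it from redirectPort, so a wrong port shows up as a non-standard port in the Location). Note that the login-config with CLIENT-CERT only comes into play for a constraint that carries an auth-constraint; the one in 3.1 has none, so only the transport guarantee takes effect. The script below is an added example, not code from the post or from Tomcat: it parses a copy of the post's security-constraint (embedded as a constructed sample, with the namespace Tomcat's conf/web.xml declares) and classifies a plain-HTTP response; the probe function performs the live request and assumes the host resolves as in section 2.3.

```python
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the security-constraint the post adds to conf/web.xml,
# wrapped in a web-app root with the namespace Tomcat's own web.xml declares.
WEB_XML = '''<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SLL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>'''

REDIRECT_CODES = {301, 302, 303, 307, 308}


def confidential_patterns(xml_text):
    """URL patterns that web.xml forces onto HTTPS (transport-guarantee CONFIDENTIAL)."""
    root = ET.fromstring(xml_text)
    patterns = set()
    # '{*}' matches any namespace (Python 3.8+), so this works on Tomcat's namespaced web.xml.
    for constraint in root.iterfind(".//{*}security-constraint"):
        guarantee = constraint.findtext("{*}user-data-constraint/{*}transport-guarantee", "")
        if guarantee.strip() != "CONFIDENTIAL":
            continue
        for pattern in constraint.iterfind(".//{*}url-pattern"):
            patterns.add((pattern.text or "").strip())
    return patterns


def covers_whole_app(xml_text):
    """True when every path ('/*') is covered by a CONFIDENTIAL constraint."""
    return "/*" in confidential_patterns(xml_text)


def check_redirect(status, location, expected_host):
    """Classify a plain-HTTP response: does it send the client to HTTPS on the same host?"""
    if status not in REDIRECT_CODES:
        return "no-redirect"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect-not-https"
    if target.hostname != expected_host:
        return "redirect-other-host"
    if target.port not in (None, 443):
        return "redirect-nonstandard-port"
    return "ok"


def probe(host, port=8080, path="/"):
    """Live check against a running Tomcat (needs network): returns (status, Location, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        return resp.status, location, check_redirect(resp.status, location, host)
    finally:
        conn.close()


if __name__ == "__main__":
    print("web.xml forces HTTPS for /*:", covers_whole_app(WEB_XML))
    # Host from the post (assumed to resolve via the hosts entry in 2.3).
    try:
        print(probe("zrlog.cyc.com"))
    except (OSError, http.client.HTTPException) as exc:
        print("probe failed:", exc)
```

For the post's setup the expected probe result is a 302 with Location https://zrlog.cyc.com/ and the verdict "ok"; a 200 means the constraint is not in effect (check that Tomcat was restarted and that the constraint sits inside web-app), and a Location carrying a port other than 443 points at a wrong redirectPort.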