Tomcat 开启 SSL

时间:2021-10-02 13:03:31

生成keystore

/usr/java/default/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore ~/tomcat.keystore -validity 

编辑 tomcat/conf/server.xml 启用ssl

<Connector
protocol="org.apache.coyote.http11.Http11Protocol"
port="9443"
enableLookups="true"
disableUploadTimeout="true"
acceptCount="100"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="/home/tomcat/tomcat-runtime-2/conf/server.keystore"
keystorePass="111111"
clientAuth="true"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
URIEncoding="UTF-8"/>

sslEnabledProtocols 和 ciphers 不加的话, 在新版本的浏览器可能会因为加密算法太弱而拒绝访问

如果catalina.out中显示正常而无法访问8443端口的话, 查看一下iptables和semanage

iptables -L -n
semanage port -l