tomcat - SSL证书安装-jks(阿里云)
1.下载证书
2.下载下来有两个文件,一个是.pfx 证书文件,一个是.txt 密码文件
3.将.pfx转化成.jks文件
将.pfx文件复制到jdk的bin目录下,输入以下命令:
# Convert the PKCS#12 bundle (.pfx, password in the downloaded .txt) into a JKS keystore for Tomcat.
# The destination keystore password you choose here is the value used later as keystorePass in server.xml.
# NOTE(review): the .pfx and the .txt password file contain the private key material; delete them from
# the JDK bin directory once domains.jks has been created, and never place them under a web root.
keytool -importkeystore -srckeystore mydomian.pfx -srcstoretype pkcs12 -destkeystore domains.jks -deststoretype JKS
其中 mydomian.pfx 是你下载的证书文件名, domains.jks 是你希望输出的文件名
得到了domains.jks文件
4.将文件domains.jks复制到你的tomcat的conf目录下
5.配置server.xml文件
在<Service>节点下添加以下<Connector>: keystoreFile属性是你的jks文件的路径, keystorePass是密码, 即生成domains.jks时设置的密码
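<!-- HTTPS connector on 443 backed by the JKS keystore produced by keytool.
     protocol is pinned to the JSSE Http11Protocol class (presumably so the keystore attributes are used
     even when the APR library loader is enabled in server.xml - confirm for your build).
     keystorePass is stored in clear text: keep server.xml readable only by the Tomcat user and replace
     the value before sharing the file.
     The ciphers value is kept on one line; whitespace inside an attribute value becomes part of the
     value, so a list split across lines relies on Tomcat trimming each entry.
     NOTE(review): every listed suite is CBC and four use static RSA key exchange (no forward secrecy);
     consider listing the ECDHE suites first and, if the JRE supports it, restricting
     sslEnabledProtocols to TLSv1.2. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat/apache-tomcat-7.0.57/conf/domains.jks"
           keystorePass="B4ow22Ob"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />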
配置输入域名时默认跳转到https: 找到另外的<Connector>节点, 将redirectPort设置为上面配置的端口443
<!-- Plain HTTP on 80. Requests that web.xml marks CONFIDENTIAL are redirected to the 443 connector. -->
<Connector port="80"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
<!-- AJP on 8009 for a reverse proxy. Without an address attribute it listens on all interfaces;
     bind it to loopback (address="127.0.0.1") or remove it if no AJP proxy is in use. -->
<Connector port="8009"
           protocol="AJP/1.3"
           redirectPort="443" />
完整的server.xml如下:
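<?xml version="1.0" encoding="UTF-8"?>
<!-- Complete server.xml: plain HTTP on 80 and HTTPS (JKS keystore) on 443.
     NOTE(review): 8005/"SHUTDOWN" are the stock shutdown port and command; change the command or
     set port="-1" if shutdown-by-socket is not needed. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Plain HTTP on 80; redirectPort sends requests that web.xml marks CONFIDENTIAL
         to the 443 connector below. -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- HTTPS on 443 using the JKS keystore. protocol is pinned to the JSSE Http11Protocol class
         (presumably so the keystore attributes are used even with the APR loader enabled above - confirm).
         keystorePass is stored in clear text: keep this file readable only by the Tomcat user and
         replace the value before publishing the file.
         The ciphers list is kept on one line so no stray whitespace ends up inside the value.
         NOTE(review): all listed suites are CBC and four use static RSA key exchange (no forward
         secrecy); consider listing the ECDHE suites first and, if the JRE supports it, restricting
         sslEnabledProtocols to TLSv1.2. -->
    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
               port="443" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/usr/local/tomcat/apache-tomcat-7.0.57/conf/mycert2021.jks"
               keystorePass="5UopKDWU"
               clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256" />

    <!-- defaultHost must match the Host name below (the site's domain). -->
    <Engine name="Catalina" defaultHost="www.baitech.cn">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="www.baitech.cn" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- Access log. The quotes around %r must be written as &quot; inside a double-quoted
             attribute; a bare " there makes the file not well-formed and Tomcat will not start. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>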
6.编辑web.xml文件,在<welcome-file-list>节点之后加入以下内容
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<!-- Everything below is the part to add. -->

<!-- Authorization setting for SSL.
     NOTE(review): a login-config only comes into play when a security-constraint carries an
     auth-constraint; none does here. The 443 connector in server.xml is also configured with
     clientAuth="false", so CLIENT-CERT would need that revisited before it could authenticate anyone - confirm. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
</login-config>

<!-- Require TLS for every URL: requests arriving over plain HTTP are sent to the connector's
     redirectPort (443). No auth-constraint is present, so this forces HTTPS without requiring a login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>