文档内所有命令依据系统环境为:
JAVA: jdk1.6.0_30
System: CentOS release 5.7
Tomcat: apache-tomcat-6.0.26
KeyTool:jdk自带
1.生成认证文件:
1>.生成 server key :
keytool -genkey -alias nsp -keyalg RSA -validity 3650 -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.keystore
Enter keystore password: ← 输入密码
Re-enter new password: ← 输入确认密码
What is your first and last name?
[Unknown]: your name ← 输入用户
What is the name of your organizational unit?
[Unknown]: ← 不输入,直接回车
What is the name of your organization?
[Unknown]: your organization ← 输入组织名
What is the name of your City or Locality?
[Unknown]: fs ← 输入城市
What is the name of your State or Province?
[Unknown]: gd ← 输入省份
What is the two-letter country code for this unit?
[Unknown]: ← 不输入,直接回车
Is CN=jeff, OU=jeff, O=nsp, L=fs, ST=gd, C=123 correct?
[no]: y
Enter key password for <nsp>
(RETURN if same as keystore password):
Re-enter new password:
2>.生成 pl2文件 :
keytool -genkey -v -alias nsp -keyalg RSA -storetype PKCS12 -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.pl2 -dname "CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn" -storepass cdcgs123 -keypass cdcgs123
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days for: CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn[Storing /opt/apache-tomcat-6.0.26/keystore2/nsp.pl2]
3>导入过程分2步,第一步是导出证书,第二步是导入到证书信任库,命令如下:keytool -export -alias nsp -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.pl2 -storetype PKCS12 -storepass cdcgs123 -rfc -file /opt/apache-tomcat-6.0.26/keystore/nsp.cer
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days for: CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn[Storing /opt/apache-tomcat-6.0.26/keystore2/nsp.pl2]keytool -import -v -file /opt/apache-tomcat-6.0.26/keystore/nsp.cer -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.keystore -storepass cdcgs123
2.设置TOMCAT使其增加SSL支持,修改service.xml文件:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystore="/opt/apache-tomcat-6.0.26/keystore/nsp.keystore" keystorePass="cdcgs123" />
3.如果要对单独工程的强制安全访问,对相应工程的web.xml文件加入如下代码:
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
4.如上配置好后便可以用 Https://domain:8443 方式直接访问.