[置顶] Linux服务器下Tomcat SSL 配置

时间:2021-04-28 19:14:06
 

文档内所有命令依据系统环境为:

JAVA: jdk1.6.0_30

System: CentOS release 5.7

Tomcat: apache-tomcat-6.0.26

KeyTool:jdk自带

 

1.生成认证文件:

1>.生成 server key :
keytool -genkey -alias nsp -keyalg RSA -validity 3650 -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.keystore
Enter keystore password: ← 输入密码
Re-enter new password:  ← 输入确认密码
What is your first and last name?
[Unknown]: your name ← 输入用户
What is the name of your organizational unit?
[Unknown]: ← 不输入,直接回车
What is the name of your organization?
[Unknown]: your organization  ← 输入组织名
What is the name of your City or Locality?
[Unknown]: fs ← 输入城市
What is the name of your State or Province?
[Unknown]: gd ← 输入省份
What is the two-letter country code for this unit?
[Unknown]: ← 不输入,直接回车
Is CN=jeff, OU=jeff, O=nsp, L=fs, ST=gd, C=123 correct?
[no]: y

Enter key password for <nsp>
(RETURN if same as keystore password):
Re-enter new password:

2>.生成 pl2文件 :
keytool -genkey -v -alias nsp -keyalg RSA -storetype PKCS12 -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.pl2 -dname "CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn" -storepass cdcgs123 -keypass cdcgs123
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days        for: CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn[Storing /opt/apache-tomcat-6.0.26/keystore2/nsp.pl2]
3>导入过程分2步,第一步是导出证书,第二步是导入到证书信任库,命令如下:keytool -export -alias nsp -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.pl2 -storetype PKCS12 -storepass cdcgs123 -rfc -file /opt/apache-tomcat-6.0.26/keystore/nsp.cer
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days        for: CN=admin, OU=nsp, O=nsp, L=foshan, ST=gd, C=cn[Storing /opt/apache-tomcat-6.0.26/keystore2/nsp.pl2]keytool -import -v -file /opt/apache-tomcat-6.0.26/keystore/nsp.cer -keystore /opt/apache-tomcat-6.0.26/keystore/nsp.keystore -storepass cdcgs123


 

2.设置TOMCAT使其增加SSL支持,修改service.xml文件:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystore="/opt/apache-tomcat-6.0.26/keystore/nsp.keystore" keystorePass="cdcgs123" />


 

3.如果要对单独工程的强制安全访问,对相应工程的web.xml文件加入如下代码:

<login-config>   
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>


 

4.如上配置好后便可以用 Https://domain:8443 方式直接访问.