Tomcat: the process of enabling the HTTPS protocol

Reprinted from: http://blog.csdn.net/gane_cheng/article/details/53001846

Please indicate the source:

http://blog.csdn.net/gane_cheng/article/details/53001846

http://www.ganecheng.tech/blog/53001846.html (better reading experience)

This article will explain how to configure the HTTPS protocol to be enabled in Tomcat.

Concept introduction

Tomcat is a free and open-source web application server. It is a lightweight application server, widely used in small and medium-sized systems and in situations without many concurrent users, and it is the first choice for developing and debugging JSP programs.

HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the Internet. All WWW documents must comply with this standard.

HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is a secure HTTP channel, in short, a secure version of HTTP.

Difference between HTTPS and HTTP

1. HTTP is the hypertext transfer protocol; information is transmitted in plain text. HTTPS is a secure, SSL-encrypted transfer protocol.

2. The HTTPS protocol requires applying to a CA for a certificate. Free certificates are generally rare, and a fee is usually required.

3. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.

4. An HTTP connection is very simple and stateless. HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and it is safer than HTTP.

Local simulation test opening process

If HTTPS is used in a production environment on a real domain name, you must apply to a CA for a certificate, directly or indirectly, to obtain the trust of browsers. Let's first simulate and test this process locally: we generate a certificate ourselves, and afterwards we introduce how to enable HTTPS on a real domain name.

① Generate a certificate with the keytool tool

Open the directory of the JDK that contains keytool.

Hold down the Shift key and right-click an empty space in the directory to open a command window there.

A cmd window opens at this point. Enter the following command.

keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "D:\tomcat.keystore" 

You will then be asked to fill in some basic information.

A brief explanation of each prompt follows.

Keystore password: 123456 (this password is very important)
First and last name: 192.168.0.110 (the domain name or IP address that will be used to access the site later; very important, because the certificate is bound to the domain name or IP)
Organizational unit name: anything (fill in anything)
Organization name: anything (fill in anything)
City or locality: anything (fill in anything)
State or province: anything (fill in anything)
Country code: anything (fill in anything)

② Apply the certificate to Tomcat

Open the Tomcat configuration file conf\server.xml.

Find the commented-out HTTPS Connector, uncomment it, and add two attributes: keystoreFile and keystorePass.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="E:/tomcat.keystore" keystorePass="123456" />

Here, keystoreFile is the path of the keystore file generated in the previous step, and keystorePass is the keystore password entered in the previous step.

③ Test HTTPS

The test URL looks like https://192.168.0.110:8443/your_project_name.

Looking at the Tomcat output log reveals an exception.

严重: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:484)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)

The solution is to comment out the following line in the conf\server.xml file, so that the APR listener no longer takes over SSL handling.

<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->

Restart Tomcat, and the browser can now open the HTTPS link.
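The "first and last name" entered in step ① matters because browsers check that the certificate is bound to the host name or IP address in the URL. The following script, added here as an example and not part of the original article, connects to the HTTPS connector configured above and reports whether the certificate it presents actually matches the host used to reach it. The host 192.168.0.110, port 8443 and the file name tomcat.crt are assumptions taken from the article's local test; tomcat.crt is a PEM export of the self-signed certificate, obtained with `keytool -exportcert -rfc -alias tomcat -keystore D:\tomcat.keystore -file tomcat.crt`.

```python
"""Check that the certificate a Tomcat HTTPS connector presents is bound to the
host name or IP address used to reach it.

Added example, not code from the original article. Host, port and the
tomcat.crt file name are assumptions matching the article's local test.
"""
import ipaddress
import socket
import ssl
from typing import Optional


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from the certificate against the host.

    A single leading wildcard label (*.example.com) covers exactly one label,
    which is how browsers treat it; anything else must match exactly.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == host


def cert_matches_host(cert: dict, host: str) -> bool:
    """Return True if `cert` (in ssl.SSLSocket.getpeercert() form) is valid for `host`.

    If the certificate carries a subjectAltName extension, only that counts:
    DNS entries for host names, "IP Address" entries for literal IPs. The
    subject commonName is consulted only when there is no SAN at all, which is
    the case for a keytool-generated certificate like the article's, where the
    "first and last name" prompt becomes the CN. Note that modern browsers
    (Chrome since version 58, for instance) ignore the CN entirely and reject
    a certificate that has no SAN.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
            elif ip is None and kind == "DNS" and _dns_name_matches(value, host):
                return True
        return False

    # Legacy fallback: exact match against the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value == host
    return False


def fetch_server_cert(host: str, port: int = 8443, cafile: Optional[str] = None) -> dict:
    """Connect to host:port over TLS and return the peer certificate dict.

    `cafile` is a PEM file holding the trust anchor; for the article's
    self-signed keystore that is the exported certificate itself. With
    cafile=None the system trust store is used, which is what a CA-issued
    certificate needs. Host name checking is deliberately left to
    cert_matches_host so a mismatch is reported instead of aborting the
    handshake; chain verification stays on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed call matching the article's local test (assumed values).
    peer = fetch_server_cert("192.168.0.110", 8443, cafile="tomcat.crt")
    print("subject:", peer.get("subject"))
    print("subjectAltName:", peer.get("subjectAltName"))
    print("bound to 192.168.0.110:", cert_matches_host(peer, "192.168.0.110"))
```

If the name entered at the keytool prompt differs from the address in the URL, the last line prints False, which is exactly the condition that makes the browser show its warning page.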

Real domain name opening process

There are several problems with using a self-generated (self-signed) certificate.

1. Browsers mark the HTTPS site with a warning sign.

The original intention of enabling HTTPS is to be more secure and to increase user confidence. But a browser warning sign can backfire and scare users away.

2. By default, browsers will not load JavaScript from non-HTTPS (http://) addresses on an HTTPS page.

Seriously, this is almost the same as disabling JavaScript in the early years. The normal operation of the website is affected.

3. Mobile devices display blank pages.

When a mobile browser opens the page, it asks whether to load the untrusted page, just like a desktop browser, and when opened in WeChat the page is simply blank.

Because of the above, a certificate you generate yourself cannot be used in a production environment.

To solve the above problems, you need to purchase a CA certificate. However, I noticed that Alibaba Cloud offers free certificate applications: https://www.aliyun.com/product/cas

① Apply for a certificate

The purchase process is not detailed here; just follow Alibaba Cloud's instructions step by step.

After the certificate is issued, you obtain a PFX-type certificate.

② Tomcat configures the PFX certificate

Open the Tomcat configuration file conf\server.xml.

Uncomment the HTTPS Connector and add three attributes: keystoreFile, keystoreType, keystorePass.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/你的磁盘目录/订单号.pfx"
           keystoreType="PKCS12"
           keystorePass="订单号" />

Here, keystoreFile is the path of the PFX certificate file, keystorePass is the Alibaba Cloud order number, and keystoreType is set to PKCS12.
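Both Connector configurations in this article, and the APR listener problem from the local test, can be checked before Tomcat is restarted. The script below is an added example and not part of the original article or of Tomcat; it parses server.xml and reports the mistakes this article runs into: a missing keystorePass, a .pfx keystore without keystoreType="PKCS12", and the JSSE keystoreFile attribute combined with an active AprLifecycleListener with SSLEngine="on", which produces the "SSLCertificateFile must be defined when using SSL with APR" exception shown earlier. The attribute and class names are Tomcat's own; the sample server.xml, its paths and its password are constructed placeholders.

```python
"""Static check of a Tomcat server.xml for the HTTPS connector mistakes
described in this article.

Added example, not code from the original article or from Tomcat. The sample
server.xml is constructed; paths and the password are placeholders.
"""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed server.xml mirroring the article's state *before* its two fixes:
# the APR listener is still active and the PFX keystore has no keystoreType.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/ORDER_NUMBER.pfx" keystorePass="ORDER_NUMBER" />
  </Service>
</Server>
"""

# The same file after applying both fixes from the article.
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    '<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />',
    '<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->',
).replace('keystorePass="ORDER_NUMBER"', 'keystoreType="PKCS12" keystorePass="ORDER_NUMBER"')


def check_https_config(server_xml: str) -> list:
    """Return a list of findings; an empty list means the HTTPS setup is consistent."""
    root = ET.fromstring(server_xml)
    findings = []

    # ElementTree drops XML comments, so a commented-out listener is ignored here
    # exactly as Tomcat ignores it.
    apr_ssl_on = any(
        listener.get("className") == APR_LISTENER
        and listener.get("SSLEngine", "").lower() == "on"
        for listener in root.iter("Listener")
    )

    ssl_connectors = [
        c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"
    ]
    if not ssl_connectors:
        findings.append('no Connector has SSLEnabled="true"; HTTPS is not enabled')

    for c in ssl_connectors:
        where = f"Connector port={c.get('port', '?')}"
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'{where}: should declare scheme="https" secure="true"')

        keystore = c.get("keystoreFile")
        if keystore is None:
            if c.get("SSLCertificateFile") is None:
                findings.append(f"{where}: neither keystoreFile (JSSE) nor SSLCertificateFile (APR) is set")
            continue

        if c.get("keystorePass") is None:
            findings.append(f"{where}: keystoreFile is set but keystorePass is missing")
        if keystore.lower().endswith((".pfx", ".p12")) and c.get("keystoreType") != "PKCS12":
            findings.append(f'{where}: {keystore} is a PFX file; set keystoreType="PKCS12"')
        if apr_ssl_on and c.get("SSLCertificateFile") is None:
            findings.append(
                f'{where}: keystoreFile is a JSSE attribute but the APR listener has SSLEngine="on"; '
                "Tomcat fails with 'SSLCertificateFile must be defined when using SSL with APR'. "
                "Comment out the AprLifecycleListener or configure the APR attributes instead."
            )
    return findings


if __name__ == "__main__":
    for name, xml_text in (("before fixes", SAMPLE_SERVER_XML), ("after fixes", FIXED_SERVER_XML)):
        result = check_https_config(xml_text)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

To check a real installation, pass the contents of conf\server.xml to check_https_config. Keep in mind that with this configuration the keystore password sits in clear text in server.xml, so the file's read permissions should be limited to the account Tomcat runs as.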

③ Test the real domain name

Restart Tomcat and access your own domain name; it now works normally. The browser shows the green indicator for the domain name, and mobile devices display the page normally. As for JavaScript loaded from http:// addresses, those still have to be changed to https:// before they will load.

Whether or not to use HTTPS depends on the actual situation. HTTPS is slower than HTTP, but it is more secure.

