Tomcat applies for a certificate and deploys https

Tomcat certificate deployment

1 Get a certificate

Apply for a free certificate from Tencent Cloud at https://console.qcloud.com/ssl, and take note of the key details you enter there, since the Tomcat-format certificate can be downloaded directly once the certificate is issued. The example below uses the Yousu Cloud website (not yet switched to https at the time of writing).

2 Certificate Installation

Configure the SSL connector: copy the www.yousucloud.com.jks keystore file into the conf directory, then edit the server.xml file in the same directory:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="conf\www.yousucloud.com.jks"
           keystorePass="password filled in when applying"
           clientAuth="false" sslProtocol="TLS" />

Note:

Parameter     Description
clientAuth    If set to true, Tomcat requires every SSL client to present a certificate, i.e. the client is authenticated as well as the server.
keystoreFile  Location of the keystore file: an absolute path, or a path relative to the Tomcat installation directory ($CATALINA_BASE). If omitted, Tomcat reads a file named ".keystore" from the home directory of the operating-system user it runs as.
keystorePass  Password of the keystore. (If you entered a private-key password when applying for the certificate, that password is the keystore password.)
sslProtocol   Encryption protocol used by the socket; the default value is TLS.

3 Security configuration: automatic redirect from http to https

Open web.xml in the conf directory and add the following block after </welcome-file-list> and before the closing </web-app> tag (i.e. as the second-to-last element of the file):

<security-constraint>
   <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

This constraint makes requests that arrive on the non-SSL connector redirect to the SSL connector, so the plain HTTP connector in server.xml also has to be configured:

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" /> 

Set redirectPort to 443, the port of the SSL connector; the change takes effect after Tomcat is restarted.
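As an added check that is not part of the original article, the following Python script lints a server.xml / web.xml pair for the three things steps 2 and 3 configure: an SSL connector with scheme="https"/secure="true" and a real keystore password, a plain HTTP connector whose redirectPort actually points at that SSL connector's port, and a security-constraint in web.xml that forces CONFIDENTIAL transport for /*. The two XML documents embedded below are constructed samples that mirror the article's snippets (the keystore path, host name and the CHANGE-ME password are placeholders, not values from the article); point lint_server_xml and lint_web_xml at the real files under conf to use it on a deployment.

```python
"""Lint Tomcat server.xml and web.xml for the HTTPS + redirect setup (added example).

Constructed samples below mirror the article's two server.xml connectors and the
web.xml security-constraint; host name, keystore path and password are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: minimal skeleton around the two connectors.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="conf/www.example.com.jks"
               keystorePass="CHANGE-ME"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Constructed sample web.xml containing the CONFIDENTIAL security-constraint.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Values that mean the operator never replaced the placeholder from the article.
PLACEHOLDER_PASSWORDS = {"", "CHANGE-ME", "password filled in when applying"}


def _local(tag):
    """Strip an XML namespace prefix like {http://...} from an element tag."""
    return tag.rsplit("}", 1)[-1]


def lint_server_xml(xml_text):
    """Return a list of findings for the connectors; an empty list means they look right."""
    findings = []
    connectors = ET.fromstring(xml_text).findall(".//Connector")
    ssl = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    plain = [c for c in connectors if c not in ssl]
    if not ssl:
        return ['no connector has SSLEnabled="true"']
    ssl_ports = {c.get("port") for c in ssl}
    for c in ssl:
        port = c.get("port")
        # scheme/secure tell the servlet container that the connection is already encrypted
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            findings.append(f'SSL connector on port {port} lacks scheme="https"/secure="true"')
        if not c.get("keystoreFile"):
            findings.append(f"SSL connector on port {port} has no keystoreFile")
        if c.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"SSL connector on port {port} still has a placeholder keystorePass")
    for c in plain:
        # The CONFIDENTIAL constraint only works if redirectPort names a real SSL connector.
        rp = c.get("redirectPort")
        if rp not in ssl_ports:
            findings.append(f"HTTP connector on port {c.get('port')} redirectPort={rp} "
                            "does not match an SSL connector port")
    return findings


def lint_web_xml(xml_text):
    """Return findings for web.xml; empty when some constraint forces CONFIDENTIAL for /*."""
    confidential_patterns = set()
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantee, patterns = None, []
        for el in sc.iter():
            name = _local(el.tag)
            if name == "transport-guarantee":
                guarantee = (el.text or "").strip()
            elif name == "url-pattern":
                patterns.append((el.text or "").strip())
        if guarantee == "CONFIDENTIAL":
            confidential_patterns.update(patterns)
    if "/*" not in confidential_patterns:
        return ["no security-constraint forces CONFIDENTIAL transport for url-pattern /*"]
    return []


if __name__ == "__main__":
    for name, result in (("server.xml", lint_server_xml(SERVER_XML)),
                         ("web.xml", lint_web_xml(WEB_XML))):
        print(name, "OK" if not result else "\n  ".join([""] + result))
```

Run as-is, the script reports exactly one finding for the sample server.xml (the placeholder keystorePass) and none for web.xml; a redirectPort that does not match the SSL connector's port, or a transport-guarantee other than CONFIDENTIAL, produces a finding of its own.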

 

Note:

File-based domain validation is required when applying: unzip the attachment [.well-known.zip] into the ROOT web application so that the resulting structure is \tomcat-7.0.8_64\webapps\ROOT\.well-known\pki-validation\fileauth.txt

