Configuring the HTTPS protocol on Tomcat 8: Tomcat HTTPS secure access


 

==============================

©Copyright Sweet Potato Yao November 3, 2017

http://fanshuyao.iteye.com/

 

1. Use the keytool utility that ships with the JDK to generate a digital certificate, as follows:

 

 

keytool -genkey -v -alias tomcat -keyalg RSA -keystore D:\soft\apache-tomcat-8.0.47-9200\conf\key\tomcat.keystore  -validity  36500

The keytool.exe command is located in the Java\jdk1.8.0_121\bin directory. If the JDK environment variable is not configured, change into that directory and run it from there.

 

Explanation of the command parameters:

D:\soft\apache-tomcat-8.0.47-9200\conf\key\tomcat.keystore : the path of the file in which the generated digital certificate is stored

36500 : the validity period, 36500 days; the default is 90 days



 

Then enter the information as prompted, as shown above.

 

Note:

It is said on the Internet that the "first and last name" prompt should be answered with the domain name. If a personal name is entered, it will not match the domain name at run time and problems will occur. (Unverified, to be tested.)

But I can run it locally with Mr.Li. The specific situation is not clear, so I will record it first.

 

 

2. Modify Tomcat's server.xml file to support HTTPS

 

1. The HTTPS configuration in server.xml is commented out by default, as follows:



 

2. Remove the comment markers around the section in the red box in the figure above so that the configuration takes effect. The default port is 8443. Then add the digital certificate attributes, as follows:

keystoreFile="D:\soft\apache-tomcat-8.0.47-9200\conf\key\tomcat.keystore"

keystorePass="tomcat123" : this is the password that was entered when the certificate was generated.



 

 

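Attribute : Description

clientAuth : If set to true, Tomcat requires every SSL client to present a security certificate and authenticates the SSL client.

keystoreFile : The location of the keystore file. It can be an absolute path or a path relative to the <CATALINA_HOME> (Tomcat installation directory) environment variable. If this attribute is not set, Tomcat by default reads a file named ".keystore" from the home directory of the current operating system user.

keystorePass : The password of the keystore. If this attribute is not set, Tomcat by default uses "changeit" as the password.

sslProtocol : The encryption/decryption protocol used by the socket. The default value is TLS, and users should not change this default.

ciphers : The list of ciphers the socket may use for encryption, with multiple ciphers separated by commas (,). If this attribute is not set, the socket can by default use any available cipher.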
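
The connector that step 2 and the attribute list above describe, written out as an added example (it is not the original post's screenshot or code). Variant A assumes the stock commented-out 8443 connector of Tomcat 8.0 with the page's two keystore attributes added; in variant B the sslEnabledProtocols value, the two cipher suite names, the relative keystore path and the password placeholder are assumptions chosen for illustration.

```xml
<!-- Added example: put ONE of these inside the <Service> element of conf/server.xml. -->

<!-- A. As described on this page: the default 8443 connector, uncommented,
     with keystoreFile and keystorePass added. Because "ciphers" is not set,
     the socket may use any available cipher (see the attribute list above). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\soft\apache-tomcat-8.0.47-9200\conf\key\tomcat.keystore"
           keystorePass="tomcat123" />

<!-- B. Same connector with the negotiable protocol version and ciphers pinned.
     sslProtocol keeps its default; sslEnabledProtocols narrows which versions
     are offered. The cipher names are standard JSSE suite names for an RSA key,
     matching the -keyalg RSA certificate generated in step 1.
     keystoreFile is given relative to the Tomcat installation directory.
     Replace the placeholder with the password set when keytool was run. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
           keystoreFile="conf/key/tomcat.keystore"
           keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />
```

keystorePass is stored in clear text in server.xml, so read access to that file and to the keystore should be limited to the account that runs Tomcat.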

 

3. Then start Tomcat and test.

1. Note: the port for HTTPS access is 8443; it can be changed to another port.

 

The result is as follows:

IE Edge browser:



 

 

 

 

Chrome-based browsers:



 

 
