Configuring Tomcat for HTTPS on Linux

  1. Configure the JDK environment (search Baidu for this; it is simple and not described here).
  2. Unzip the downloaded Tomcat archive on the Linux machine.
  3. Configure the Java environment variables.
    The specific path depends on where Java is installed.
  4. Execute sh startup.sh in the bin directory of the Tomcat installation directory.
    If an error is reported here, it is an insufficient-permission problem.

Solution: Execute chmod +x *.sh in the bin directory and restart it.
5. After the four steps above, test whether Tomcat can be reached. If there are multiple Tomcat instances, refer to
https://www.cnblogs.com/kingsonfu/p/9778516.html
The HTTPS configuration follows.

1. Prepare

The first thing needed to set up a web server that supports HTTPS is a digital certificate. A digital certificate can be obtained in any of the following ways.

  1. Self-signed certificates are recommended for testing and personal projects. They can also be used by service providers, but generally only where the users already trust each other. In addition, self-signed certificates cost nothing.
  2. Certificates can be obtained from community-based certificate providers such as StartSSL and CACERT. These also cost nothing, but are recommended for personal projects.
  3. For global commercial websites, it is recommended to purchase a certificate from a trusted, well-known certificate authority. These certificates cost money, but they increase the credibility of the ISP.

2. Generate a certificate for the server

Use keytool to generate a certificate for Tomcat. Assuming the domain name of the target machine is "localhost", the keystore file is to be stored at "/tmp1/tomcat.keystore", and the password is "123456", generate it with the following command:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore /tmp1/tomcat.keystore -validity 36500

(A brief description of the parameters: "/tmp1/tomcat.keystore" is the storage path of the certificate file. The directory /tmp1 must be created by you beforehand, while tomcat.keystore is generated automatically, so create a folder in advance to hold the generated files; the folder name is up to you, and the same folder will be used for the other generated files later. The certificate file is named tomcat.keystore. "-validity 36500" is the validity period of the certificate in days: 36500 means 100 years, and the default is 90 days. "tomcat" is the custom alias for the certificate.)
Note: If Tomcat runs on a Windows system, these commands need to be executed in the bin directory of the JDK.

Fill in the necessary parameters on the command line:
A. Enter the keystore password: here you need to enter a string of more than 6 characters.
B. "What is your first and last name?" This item is required and must be the domain name or IP of the host where Tomcat is deployed [for example gbcom.com or 10.1.25.251], that is, the address you will later enter in the browser; otherwise the browser will pop up a warning window saying that the certificate does not match the domain. For local development and testing, fill in "localhost". (This is very important.)
C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your city or region?", "What is the name of your state or province?" and "What is the two-letter country code for this unit?" can be filled in as required or skipped by pressing Enter. The system then asks "Is this correct?"; compare the entered information and, if it is right, type the letter "y", otherwise type "n" to fill in the information again.
D. The master password entered next is important and will be used in the Tomcat configuration file. It is recommended to use the same password as the keystore, although a different one can be set. After completing the above input, press Enter and you will find the generated file at the location you defined in the second step.

3. Generate a certificate for the client

Generate a certificate for the browser so that the server can verify it. So that it imports cleanly into IE and Firefox, the certificate should be in PKCS12 format; generate it with the following command:

keytool -genkey -v -alias mykey -keyalg RSA -storetype PKCS12 -keystore /tmp1/mykey.p12

(mykey is a custom alias.)

The corresponding certificate store is placed in "/tmp1/mykey.p12" (the explanation of this part is the same as in the first step); the CN of the client can be any value. Double-click the mykey.p12 file to import the certificate into the browser (client). (I checked the trust on this computer, including the fourth part below.)

4. Let the server trust the client certificate

Because this is two-way SSL authentication, the server must trust the client certificate, so the client certificate must be added to the server's trusted certificates. Since a PKCS12 certificate store cannot be imported directly, first export the client certificate as a separate CER file with the following command:

keytool -export -alias mykey -keystore /tmp1/mykey.p12 -storetype PKCS12 -storepass 123456 -rfc -file /tmp1/mykey.cer

(mykey is the alias defined for the client, and 123456 is the password you set.) The above command exports the client certificate to the "/tmp1/mykey.cer" file.

Next, import this file into the server's keystore as a trusted certificate with the following command:

keytool -import -v -file /tmp1/mykey.cer -keystore /tmp1/tomcat.keystore

List the server's keystore with the list command; you will see two certificates, the server certificate and the trusted client certificate:

keytool -list -keystore /tmp1/tomcat.keystore

(tomcat is the alias you gave the server certificate.)

At this point you can see that the two certificates are named mykey and tomcat, which are the aliases given with -alias when the server and client certificates were created.

5. Let the client trust the server certificate

Since this is two-way SSL authentication, the client must also verify the server certificate, so the server certificate must be added to the browser's "Trusted Root Certification Authorities". Since a keystore-format certificate store cannot be imported directly, first export the server certificate as a separate CER file with the following command:

keytool -keystore /tmp1/tomcat.keystore -export -alias tomcat -file /tmp1/tomcat.cer

(tomcat is the alias you gave the server certificate.)

The above command exports the server certificate to the "/tmp1/tomcat.cer" file. On Windows, double-click the tomcat.cer file, follow the prompts to install the certificate, and place it in "Trusted Root Certification Authorities".

6. Configure the Tomcat server

a. (1) Open the Tomcat configuration file, for example /tmp1/apache-tomcat-6.0.29/conf/server.xml, and modify it as follows:

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

Modify parameters =>

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

(2)

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"/>
 -->

Uncomment it and modify the parameters => (You can also leave the comment in place and add the block directly after it; remember to change the two parameters keystoreFile and keystorePass inside it.)


Notes:

The two parameters keystoreFile and keystorePass are the location of the certificate file and the master password, both set when the certificate file was generated (the location is where the automatically generated file was stored just now, and the password is the one just set).

(3)

<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" />

Modify parameters =>

<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />

(My file did not contain the enableLookups="false" item; I also added this line following the method above.)

b. Open D:/apache-tomcat-6.0.29/conf/web.xml and add this block at the end of the file:

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

After I finished this tutorial, I ran https://localhost and found that there was still an error. After looking at a few more tutorials, I found that the following line in the conf\server.xml file needs to be commented out.

<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->

So far, the Tomcat HTTPS configuration is complete.
But you will find:

1. The browser marks the HTTPS site with a warning indicator. (The part below is reproduced from https://blog.csdn.net/gane_cheng/article/details/53001846)
It is different from the normal indicator and is unpleasant to look at.

2. By default the browser will not load JavaScript from non-HTTPS domains

This is almost the same as disabling JavaScript in the early years, and it affects the normal operation of the website.

3. Mobile devices show a blank page

When a mobile browser opens the page, it pops up a prompt asking whether to load an untrusted page, like a desktop browser, and the page is blank when opened in WeChat.

All of the above make a self-generated certificate unusable in a production environment.

To solve the above problems, you need to purchase a CA certificate. But I saw a free certificate application on Alibaba Cloud. https://www.aliyun.com/product/cas

① Apply for a certificate

The purchase process is not described in detail; just follow Alibaba Cloud's prompts step by step.

After the certificate is issued, you obtain a PFX certificate.

② Configure the PFX certificate in Tomcat

Open the Tomcat configuration file conf\server.xml.

Uncomment the HTTPS connector and add the three attributes keystoreFile, keystoreType and keystorePass.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/你的磁盘目录/订单号.pfx"
               keystoreType="PKCS12"
               keystorePass="订单号" />

Here keystoreFile is the path of the PFX certificate file, keystorePass is the Alibaba Cloud order number, and keystoreType is written as PKCS12.
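The server.xml connector edits in step 6, the web.xml security constraint, and the PFX variant just shown are easy to get subtly wrong, so here is an added checker, written for this page and not part of the original post or of Tomcat, that parses both files and reports the mismatches a practitioner would look for: a redirectPort that points at no SSLEnabled connector, a missing keystoreFile or keystorePass, a .pfx keystore without keystoreType="PKCS12", clientAuth not set to "true" for the two-way setup of steps 4 and 5, and a web.xml that does not force CONFIDENTIAL transport on /*. The XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's connectors after editing, with the HTTPS connector
# uncommented, set to two-way TLS and pointed at the keystore built with keytool.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS" keystoreFile="/tmp1/tomcat.keystore" keystorePass="123456"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
</Service></Server>"""
# Constructed sample: the tutorial's web.xml block, inside the namespace a real web.xml declares.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint></web-app>"""

def _find(el, name):  # descendants with local tag `name`; the web.xml namespace is ignored
    return [e for e in el.iter() if e.tag.split("}")[-1] == name]
def _texts(el, name):
    return [e.text.strip() for e in _find(el, name) if e.text]
def check_server_xml(xml_text):
    """Return a list of problems with the Connector elements (empty list = OK)."""
    connectors = _find(ET.fromstring(xml_text), "Connector")
    ssl = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    problems = [] if ssl else ["no SSLEnabled connector: HTTPS is not configured"]
    for c in ssl:
        port, ks = c.get("port"), c.get("keystoreFile", "")
        problems += [f"HTTPS connector {port}: missing {a}"
                     for a in ("keystoreFile", "keystorePass") if not c.get(a)]
        if ks.lower().endswith((".pfx", ".p12")) and c.get("keystoreType") != "PKCS12":
            problems.append(f"HTTPS connector {port}: PFX keystore needs keystoreType=PKCS12")
        if c.get("clientAuth", "false").lower() != "true":  # two-way TLS as in steps 4 and 5
            problems.append(f"HTTPS connector {port}: clientAuth is not true, no client cert required")
    ssl_ports = {c.get("port") for c in ssl}  # every redirectPort must land on one of these
    problems += [f"connector {c.get('port')}: redirectPort {c.get('redirectPort')} matches no SSL connector"
                 for c in connectors if c.get("redirectPort") and c.get("redirectPort") not in ssl_ports]
    return problems
def check_web_xml(xml_text):
    """Return problems with the CLIENT-CERT / CONFIDENTIAL settings (empty list = OK)."""
    root, problems, covered = ET.fromstring(xml_text), [], set()
    if "CLIENT-CERT" not in _texts(root, "auth-method"):
        problems.append("login-config: auth-method is not CLIENT-CERT")
    for sc in _find(root, "security-constraint"):  # collect patterns forced onto HTTPS
        if "CONFIDENTIAL" in _texts(sc, "transport-guarantee"):
            covered.update(_texts(sc, "url-pattern"))
    if "/*" not in covered:
        problems.append("no security-constraint forces CONFIDENTIAL transport on /*")
    return problems
```

Run it against your real conf/server.xml and conf/web.xml by passing their contents to check_server_xml and check_web_xml; an empty list from both means the edits described above are consistent.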

③ Test the real domain name

Restart Tomcat and visit your own domain name; it works normally. The browser shows the green domain indicator and mobile devices display correctly. JavaScript under an http domain still needs to be switched to https to load normally.

Whether to use HTTPS depends on the actual situation: HTTPS is slower than HTTP, but more secure.

When setting the port number in server.xml, the difference between 8080 and 80 is that with 8080 you must include the port in the address (for example 172.18.31.1:8080/example), whereas with 80 you can omit it and access 172.18.31.1/example directly. The same holds for 8443 and 443.

Origin blog.csdn.net/qq_40745994/article/details/112781969