Tomcat SSL certificate deployment issues encountered in the process

Problems encountered deploying an SSL certificate in Tomcat on CentOS 7

1. Configure server.xml

Add the following HTTPS Connector to tomcat/conf/server.xml (port 8443 is used because a non-root Tomcat cannot bind 443; see below):

<Connector port="8443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="PATH_TO_CERTIFICATE"
    keystoreType="PKCS12"
    keystorePass="PASSWORD_HERE"
    clientAuth="false"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

Before copying this verbatim, note three things. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so unless you must support very old clients, enable only TLSv1.2 (plus TLSv1.3 where your Tomcat and JDK support it). The TLS_RSA_* suites provide no forward secrecy, so prefer the TLS_ECDHE_* suites on their own. And the keystore password is stored in plaintext in server.xml, so make sure that file is readable only by the user Tomcat runs as.

A Tomcat running as a non-root user can only bind ports above 1024.

If you set a port below 1024, such as 443, startup fails with a permission error:

Permission denied <null>:443

Starting Tomcat as root avoids that error but has a serious problem: the whole Tomcat process then runs with root privileges.

That means every deployed web application, every JSP, and any code-execution bug in them runs as root, so a single exploitable page is enough to modify any file on the disk. (Static HTML and JS are executed in the visitor's browser, not by Tomcat; the risk is in server-side code and in the application's vulnerabilities.)

So it is best not to start Tomcat as root.

Since I had run into the same thing before when configuring port 80, I went straight to port forwarding: redirect incoming 443 to 8443 in the NAT table, so Tomcat keeps listening on a high port as an unprivileged user.

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Two caveats: PREROUTING only sees traffic arriving from other hosts, so a test from localhost against port 443 will still fail; and the rule is not persistent across reboots unless you save it with your distribution's mechanism.

There is a small pitfall in the keystoreFile path for the .pfx certificate: if you write a relative path, Tomcat resolves it against the Tomcat root directory ($CATALINA_BASE), not against the conf/ directory where server.xml lives.

(I only found this out from the logs after the site was unreachable following a restart.)

The keystore password can be copied in as-is.

2. Force HTTP to HTTPS

Add the following to conf/web.xml, after </welcome-file-list>:

<login-config>  
    <!-- Authorization setting for SSL -->  
    <auth-method>CLIENT-CERT</auth-method>  
    <realm-name>Client Cert Users-only Area</realm-name>  
</login-config>  
<security-constraint>  
    <!-- Authorization setting for SSL -->  
    <web-resource-collection >  
        <web-resource-name >SSL</web-resource-name>  
        <url-pattern>/*</url-pattern>  
    </web-resource-collection>  
    <user-data-constraint>  
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>  
    </user-data-constraint>  
</security-constraint>

The <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> is what makes Tomcat redirect plain-HTTP requests to the HTTPS port. The <login-config> block with CLIENT-CERT is usually copied along with it, but it is not needed for the redirect and, with no <auth-constraint>, it does nothing here. Putting this in conf/web.xml applies it to every web application on the server; to force HTTPS for a single application, put the <security-constraint> in that application's WEB-INF/web.xml instead.

After configuring the redirect, I found that HTTP requests were redirected to port 8443, which is not reachable from outside (only 443 is open), so the site could not be reached over HTTPS. The HTTP connector was configured as follows (the original also carried debug="0", which is not a Connector attribute and has been dropped):

<Connector port="8080"
 protocol="HTTP/1.1"
 connectionTimeout="20000"
 redirectPort="8443"
 maxThreads="1000"
 minSpareThreads="20"
 acceptCount="1000"
 maxHttpHeaderSize="65536"
 disableUploadTimeout="true"
 useBodyEncodingForURI="true"
 enableLookups="false"
 URIEncoding="UTF-8"/>

I later changed redirectPort to the value below. redirectPort is the port Tomcat writes into the redirect when a request on this non-SSL connector hits a CONFIDENTIAL transport guarantee, so it must be the HTTPS port clients actually reach (443 here), not the internal 8443 that iptables maps it to.

 redirectPort="443"
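The mistakes in this post (keystoreFile relative to the wrong directory, redirectPort pointing at the internal 8443 instead of the public 443, legacy TLS versions and TLS_RSA_* suites left enabled, the keystore password sitting in server.xml) can all be caught by reading server.xml before restarting Tomcat. The script below is an added example written for this page, not part of the original post or of Tomcat; it parses the <Connector> elements with the standard library and reports those problems. The embedded sample server.xml is constructed to mirror the two connectors above, and the public_https_port argument is an assumption about your setup: pass 443 when iptables redirects 443 to 8443, or leave it unset to require redirectPort to match an SSL connector's own port.

```python
"""Audit a Tomcat server.xml for the connector problems discussed above.
Added example, not from the original post. SAMPLE_SERVER_XML is constructed to
mirror the post's two connectors; public_https_port is the port clients really
reach (443 when iptables redirects 443 -> 8443), None to require the SSL
connector's own port."""
import sys
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="conf/example.pfx" keystoreType="PKCS12"
               keystorePass="changeit" clientAuth="false"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
  </Service>
</Server>
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _split_list(value):
    """Tomcat accepts ',' (and '+' in SSLProtocol) as list separators."""
    return [x.strip() for x in value.replace("+", ",").split(",") if x.strip()]


def audit_server_xml(xml_text, public_https_port=None):
    """Return a list of (connector port, finding) tuples; empty means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    ssl_ports = set()
    plain_connectors = []

    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("SSLEnabled", "false").lower() != "true":
            plain_connectors.append(conn)
            continue
        ssl_ports.add(port)

        # Either the legacy SSLProtocol attribute or sslEnabledProtocols carries the list.
        protos = conn.get("SSLProtocol") or conn.get("sslEnabledProtocols") or ""
        weak = sorted(set(_split_list(protos)) & DEPRECATED_PROTOCOLS)
        if weak:
            findings.append((port, "deprecated protocols enabled: " + ",".join(weak)))

        # Only (EC)DHE suites give forward secrecy; TLS_RSA_* suites do not.
        no_fs = [c for c in _split_list(conn.get("ciphers", ""))
                 if not c.startswith(("TLS_ECDHE_", "TLS_DHE_"))]
        if no_fs:
            findings.append((port, "ciphers without forward secrecy: " + ",".join(no_fs)))

        if conn.get("keystorePass"):
            findings.append((port, "keystorePass is stored in plaintext; "
                                   "restrict read access to server.xml"))

        keystore = conn.get("keystoreFile", "")
        if keystore and not keystore.startswith("/"):
            findings.append((port, "keystoreFile '%s' is relative; Tomcat resolves it "
                                   "against $CATALINA_BASE, not conf/" % keystore))

    # Redirects from the plain connector must point at a port clients can reach.
    reachable = {str(public_https_port)} if public_https_port else ssl_ports
    for conn in plain_connectors:
        rp = conn.get("redirectPort")
        if rp and rp not in reachable:
            findings.append((conn.get("port"),
                             "redirectPort=%s, but HTTPS is reached on %s; forced-HTTPS "
                             "redirects will fail" % (rp, ",".join(sorted(reachable)))))
    return findings


if __name__ == "__main__":
    # Usage: audit.py [path/to/server.xml] [public HTTPS port]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    port = int(sys.argv[2]) if len(sys.argv) > 2 else None
    for p, msg in audit_server_xml(text, port):
        print("connector %s: %s" % (p, msg))
```

Run it against the real file as `python audit.py /path/to/tomcat/conf/server.xml 443`; against the sample it reports the four connector-level problems plus the redirectPort mismatch, and a cleaned-up configuration (TLSv1.2/1.3 only, ECDHE suites, absolute keystore path, redirectPort matching the public port) produces no findings.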

3. Restart the Tomcat service

Don't forget to open port 443 in the Alibaba Cloud security group (the cloud firewall)!

Don't panic if the site is not reachable right after the restart: Tomcat may take a few minutes to start up and compile its files, so wait a little before testing.
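Once the site comes up, it is worth checking what the server actually negotiates rather than just loading the page in a browser. The probe below is an added example written for this page, not part of the original post: it handshakes with full chain and hostname verification, reports the protocol, cipher and certificate expiry, tests whether a handshake pinned to TLS 1.1 is still accepted, and then applies a small policy check. It uses only the Python standard library; the hostname www.example.com is a placeholder for your own domain, and the machine you run it from must be able to reach port 443 of the server. assess() is a pure function, so the policy can be exercised without any network access.

```python
"""Post-restart check of the live HTTPS endpoint: negotiated protocol and cipher,
certificate verification and validity, and whether legacy TLS is still accepted.
Added example, not from the original post; www.example.com is a placeholder."""
import socket
import ssl
import sys
import time


def probe_tls(host, port=443, timeout=5.0):
    """Handshake with full chain and hostname verification; return what was negotiated."""
    ctx = ssl.create_default_context()          # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),      # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],      # OpenSSL name, e.g. "TLS_AES_256_GCM_SHA384"
                "not_after": cert["notAfter"],  # e.g. "Jan  1 00:00:00 2030 GMT"
            }


def legacy_tls_accepted(host, port=443, version=ssl.TLSVersion.TLSv1_1, timeout=5.0):
    """True if the server completes a handshake pinned to an old TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE             # only the version matters for this probe
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # Server refused the version, or the local OpenSSL no longer offers it at all.
        return False


def cert_not_after_seconds(not_after):
    """Convert the notAfter string from getpeercert() to epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)


def assess(result, legacy_accepted, now=None, min_days_left=14):
    """Pure policy check over probe output; returns the list of problems (empty means OK)."""
    now = time.time() if now is None else now
    proto, cipher = result["protocol"], result["cipher"]
    problems = []
    if proto not in ("TLSv1.2", "TLSv1.3"):
        problems.append("negotiated %s" % proto)
    if proto == "TLSv1.2":
        # TLS 1.3 suites are always forward-secret AEAD; TLS 1.2 names need inspection.
        if not cipher.startswith(("ECDHE-", "DHE-")):
            problems.append("no forward secrecy: %s" % cipher)
        if "GCM" not in cipher and "CHACHA20" not in cipher:
            problems.append("CBC (non-AEAD) cipher: %s" % cipher)
    if legacy_accepted:
        problems.append("server still accepts legacy TLS 1.0/1.1 handshakes")
    days_left = (cert_not_after_seconds(result["not_after"]) - now) / 86400.0
    if days_left < min_days_left:
        problems.append("certificate expires in %.1f days" % days_left)
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    result = probe_tls(host)
    print(result)
    for problem in assess(result, legacy_tls_accepted(host)):
        print("PROBLEM:", problem)
```

probe_tls() raises ssl.SSLCertVerificationError if the chain does not verify or the name does not match, which is exactly the failure a browser would show, so a clean run plus an empty assess() list is a reasonable definition of "done" for this deployment.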


Source: www.cnblogs.com/bieyaoxiguan/p/11350467.html