Configuring Tomcat so the project is accessed over https instead of http

1. First, generate the certificate file

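  # First change to the directory where the certificate file will be stored:
  $ cd /app/tomcat-8.5.39/

  # Generate the certificate file:
  $ keytool -genkey -alias tomcat -keyalg RSA -keypass AAyxl123 -storepass AAyxl123 \
      -keystore tomcat-https-server.keystore -validity 36500

  # Give the certificate file execute permission:
  $ chmod u+x tomcat-https-server.keystore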

Notes on the generated certificate file:
Certificate password: AAyxl123
Certificate file: tomcat-https-server.keystore, in the current tomcat directory
Certificate validity: 36500 days, i.e. 100 years

Code:

[app@chezhi tomcat-8.5.39]$ pwd
/app/tomcat-8.5.39
[app@chezhi tomcat-8.5.39]$ keytool -genkey -alias tomcat -keyalg RSA -keypass AAyxl123 -storepass AAyxl123 -keystore tomcat-https-server.keystore -validity 36500
What is your first and last name?
  [Unknown]: chezhi
What is the name of your organizational unit?
  [Unknown]: xlwzj
What is the name of your organization?
  [Unknown]: xlwzj
What is the name of your City or Locality?
  [Unknown]: CHANGSHA	
What is the name of your State or Province?
  [Unknown]: HUNAN
What is the two-letter country code for this unit?
  [Unknown]: CN 
Is CN=chezhi, OU=xlwzj, O=xlwzj, L=CHANGSHA, ST=HUNAN, C=CN correct?
  [no]: Y
[app@chezhi tomcat-8.5.39]$ ls -ls tomcat-https-server.keystore 
4 -rw-rw-r--. 1 app app 2224 Jan 11 11:04 tomcat-https-server.keystore
[app@chezhi tomcat-8.5.39]$

Notes on answering the prompts:

"What is your first and last name?" is required. It is the certificate owner; I entered "chezhi".
The remaining prompts can be filled in as needed, or skipped by pressing Enter:
"What is the name of your organizational unit?"
"What is the name of your organization?"
"What is the name of your City or Locality?"
"What is the name of your State or Province?"
"What is the two-letter country code for this unit?"
When the system asks "Is ... correct?", check the information you entered. If it meets your requirements, type the letter "y"; otherwise type "n" and fill in the information again.

2. Modify the Tomcat configuration file
Modify tomcat/conf/server.xml

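  <!-- 1. Modify the 8080 port configuration: change redirectPort from the original 8443 to 443.
       Because the default HTTP port is 80, I changed 8080 to 80; this is optional, change it only if needed. -->
  <Connector port="80" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="443" />

  <!-- 2. Modify the 8443 port configuration (especially important):
       uncomment it and change port 8443 to 443, because the default HTTPS port is 443. -->
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/app/tomcat-8.5.39/server.keystore"
             keystorePass="AAyxl123"/>

  <!-- 3. Modify the 8009 port configuration:
       change the redirectPort of the 8009 connector from 8443 to 443. -->
  <Connector port="8009" protocol="AJP/1.3" URIEncoding="utf-8"
             redirectPort="443" />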
	

Description:

keystoreFile: path to the certificate file generated earlier in the tomcat directory
keystorePass: the password of the certificate generated earlier
scheme: change it to "https"


Because I first wrote the certificate path in the configuration as "/app/apache-tomcat-8.5.39/server.keystore", which was wrong, I changed it to "/app/tomcat-8.5.39/server.keystore". Be careful not to make the same mistake I did.
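A check that can be run before restarting Tomcat, added here as an example (not code from the original post): it reports a keystoreFile that is not present on disk, which is the path mistake described above, a keystore file that group or other users can access, and a redirectPort that no TLS connector listens on. The function names, the sample XML and the temporary files are constructed for illustration, and only the Connector-level keystoreFile attribute used on this page is handled.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample modelled on the connectors above; keystorePass is a placeholder.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="{ks}" keystorePass="PLACEHOLDER" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

def check_server_xml(server_xml, tomcat_base):
    """Return a list of problems found in the <Connector> elements of server.xml."""
    connectors = list(ET.parse(server_xml).getroot().iter("Connector"))
    tls_ports = {c.get("port") for c in connectors if c.get("SSLEnabled") == "true"}
    problems = []
    for c in connectors:
        port, redirect = c.get("port"), c.get("redirectPort")
        if c.get("SSLEnabled") == "true":
            ks = c.get("keystoreFile", "")
            # join() keeps an absolute path; assumption: a relative one is under the Tomcat base.
            path = os.path.join(tomcat_base, ks)
            if not os.path.isfile(path):
                problems.append(f"port {port}: keystoreFile {ks!r} not found at {path}")
            elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                problems.append(f"port {port}: keystoreFile {path} is accessible to group/others")
        elif redirect and redirect not in tls_ports:
            problems.append(f"port {port}: redirectPort {redirect} has no TLS connector")
    return problems

def demo():
    """Run the check three times on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        ks = os.path.join(base, "tomcat-https-server.keystore")
        open(ks, "wb").close()   # empty stand-in for the keystore
        os.chmod(ks, 0o664)      # same mode as in the ls output above
        cfg = os.path.join(base, "server.xml")
        results = []
        for name in ("server.keystore", "tomcat-https-server.keystore"):
            with open(cfg, "w") as f:
                f.write(SAMPLE.format(ks=name))
            results.append(check_server_xml(cfg, base))
        os.chmod(ks, 0o600)      # owner-only access
        results.append(check_server_xml(cfg, base))
        return results

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real installation, call check_server_xml("/app/tomcat-8.5.39/conf/server.xml", "/app/tomcat-8.5.39") as the user that runs Tomcat.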

2. Modify tomcat/conf/web.xml
Add the following to the document:

vim web.xml (tip: in the vim editor, press Shift + G to jump directly to the end of the document)

    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

3. Restart the Tomcat service

Restart Tomcat...

4. Test access from a browser
Enter each of the following addresses in the address bar to test:

http://192.168.3.128/xlw_web/
https://192.168.3.128/xlw_web/

Whether you type http or https in the address bar, the visit will jump to the https access we configured.
Well, the access test shows no problems.

Have the courage to explore and you will find that the world is this magical...

                                          2020-01-11    Written in Changsha
Origin blog.csdn.net/u012733521/article/details/103935096