Tomcat配置https

简介:

SSL 协议的3个特性:

保密:通过SSL链接传输的数据是加密的

鉴别:通信双方的身份鉴别,通常是可选的,但至少有一方需要验证(通常是服务端)

完成性:传输数据的完整性检查

从性能角度考虑,加密是一项计算昂贵的处理,因此尽量不要讲整个Web采用SSL链接,实际部署中,选择有必要进行安全加密的页面(如存在敏感信息传输的页面)采用SSL通信。

接下来相信介绍一下如何在Tomcat中添加SSL 支持。

注意:

配置Tomcat以支持SSL通常只在其作为独立的web服务器时才有必要。当Tomcat作为servlet容器运行与Web服务器后端时,只需要配置前置的Web服务器支持SSL即可。Web服务器负载所有的SSL 相关处理,Tomcat 接收到的请求为解密后的数据,而且返回的响应也是明文,有Web 服务器完成加密。

Tomcat实现SSL两种方式:

一种是JSSE,另一种是APR(默认的OpenSSL引擎)。

JSSE适用于BIO、NIO、NIO2链接器(8.5版本之后,NIO、NIO2同时支持OpenSSL,以用于HTTP/2.0), APR适用于APR链接器。由于JSSE和APR配置有明显区别,因此我们最好在Connector的protocol属性中明确指定链接器的类名,而非协议名(如HTTP/1.1),否则,Tomcat会自动按照本地配置构造connector(如果安装了APR,则适用APR链接器,否则使用NIO链接器),这样可能导致SSL不可用。

方法一(简单粗暴)

在为Tomcat添加SSL配置之前,我们需要先创建一个秘钥库。Tomcat支持秘钥库有JKS、PKCS11和PKCS112。JKS是Java标准的秘钥库格式,由keytool命令行工具创建,该工具位于$JAVA_HOME/bin/目录下。

1创建秘钥库

执行命令如下:

Windows (文件存放于C:\cert目录,存放路径也可自己定义):

keytool -genkey -alias tomcat -keyalg RSA -keystore C:\cert\mykey.key.store

Linux(文件存放于/home/liugr/cert目录,存放路径也可自己定义):

keytool -genkey -alias tomcat -keyalg RSA -keystore /home/liuge/cert/mykey.keystore
Enter keystore password: 输入秘钥库口令
Re-enter new password: 再次输入新口令
What is your first and last name? 您的姓氏是什么
[Unknown]: Tomcat
What is the name of your organizational unit? 您的单位名称
[Unknown]: Apache
What is the name of your organization? 您的组织名称
[Unknown]: Apache
What is the name of your City or Locality?省份
[Unknown]: Beijing
What is the name of your State or Province?城市
[Unknown]: Beijing
What is the two-letter country code for this unit? 国家代码
 [Unknown]: CN
Is CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN correct? 信息是否正确
[no]: y
 
Enter key password for <tomcat>                输入Tomcat的秘钥口令
    (RETURN if same as keystore password): 如果和秘钥库口令相同,按回车
 Re-enter new password:

2 配置server.xml文件

秘钥库密码将在server.xml配置是用到,其他信息作为基本信息,客户端可以通过浏览器查看。命令执行成功后,将生成的mykey.keystore复制到Tomcat的conf目录下。将默认注释的SSL链接器取消注释

8.5版本配置如下(server.xml的88行)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/mykey.keystore"
              certificateKeystorePassword="123456" ##秘钥库口令
              type="RSA" />
    </SSLHostConfig>
</Connector>

链接器的protocol设置为org.apache.coyote.http11.Http11NioProtocol,以避免Tomcat自动选择HTTP链接器实现(当然,可以根据需要改为NIO2的实现,不能选择APR)

CertificateKeystorePassword为创建秘钥库是填写的秘钥库文件,port为SSL链接器端口,如果要修改为其他端口,必须确保与无SSL得HTTP链接器的redirectPort属性一致。

启动Tomcat,在浏览器中输入https://ip:8443,浏览器会弹出证书提示,接收后才会进入页面,而且通过浏览器还可以查看证书信息。 

方法二(婆婆妈妈)

除此以上方法之外,我们还可以通过OpenSSL创建证书并导入到秘钥库。

注意:绝大多数Linux系统以及默认安装了OpenSSL,Windows系统中,如果你安装了Apache服务器,那样也可以在安装目录的bin文件夹下找到openssl.exe可执行文件。

OpenSSL的命令格式都是 "openssl 命令 命令参数"的形式。

1 执行以下命名生成根秘钥:

[root@ ~]# openssl genrsa -out rootkey.pem 2048

输出如下:

Generating RSA private key, 2048 bit long modulus
..................+++
.....+++
e is 65537 (0x10001)

2 创建根证书(用根证书来签发服务器端请求文件):

[root@ ~]# openssl req -x509 -new -key rootkey.pem -out root.crt

输出如下:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:tomcat@apache.com

根据提示,需要输入国家、省份、城市、以及公司信息等。

3 创建服务器秘钥:

[root@ ~]# openssl genrsa -out serverkey.pem 2048

输出如下:

Generating RSA private key, 2048 bit long modulus
............................................................+++
................................+++
e is 65537 (0x10001)

4 生成服务器端证书的请求文件:

[root@ ~]# openssl req -new -key serverkey.pem -out server.csr

输出如下:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:tomcat@apache.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Tomcat

同样,根据提示,需要输入国家、省份、城市等信息。

5用根证书来签发服务器端请求文件,生成服务器端证书:

[root@ ~]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out server.crt

输出如下:

Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=Tomcat/emailAddress=tomcat@apache.comf\x08
Getting CA Private Key

以上我们创建的是自签名证书,多用于开发测试环境。在生产中,我们需要向数字证书颁发机构(CA)提交请求文件(server.csr),CA则返回给我们数字证书。这个过程一般是要收费的。 

6 将证书导出为pkcs12格式:

[root@ ~]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12

输出如下:

Enter Export Password:

Verifying - Enter Export Password:

根据提示输出一个导出密码

7 执行keytool命令生成服务端秘钥库:

[root@ ~]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12

输出如下

Importing keystore server.pkcs12 to mykey.keystore...
Enter destination keystore password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

根据提示输入秘钥库密码已经上一步的导出密码。

至此,我们创建了一个mykey.keystore秘钥库文件

这半天创建的相关文件如下

[root@ ~]# ll
total 36
-rw-r--r--. 1 root root 4461 Apr 16 16:41 mykey.keystore
-rw-r--r--. 1 root root 1407 Apr 16 16:21 root.crt
-rw-r--r--. 1 root root 1679 Apr 16 16:14 rootkey.pem
-rw-r--r--. 1 root root 17 Apr 16 16:31 root.srl
-rw-r--r--. 1 root root 1289 Apr 16 16:31 server.crt
-rw-r--r--. 1 root root 1110 Apr 16 16:28 server.csr
-rw-r--r--. 1 root root 1675 Apr 16 16:26 serverkey.pem
-rw-r--r--. 1 root root 2517 Apr 16 16:37 server.pkcs12

8 通过keytool的list命令,可以查看其包含的证书信息:

根据提示输入秘钥库密码后,既输出秘钥库包含的证书信息

[root@ ~]# keytool -list -v -keystore mykey.keystore

输出如下:

Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: tomcat
Creation date: Apr 16, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN
Issuer: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN
Serial number: 5f59c5e3
Valid from: Mon Apr 16 15:36:30 CST 2018 until: Sun Jul 15 15:36:30 CST 2018
Certificate fingerprints:
     MD5: 0E:FB:D2:73:54:89:51:9A:20:96:E8:22:2B:92:36:B6
     SHA1: 2C:DF:97:E9:88:85:72:0E:15:68:B1:09:19:76:7E:67:FC:A7:F9:12
     SHA256: EE:42:E8:96:CE:E1:B5:A6:2C:EC:57:82:44:3A:A8:AD:A3:89:04:01:C8:E8:85:7D:CA:96:B4:E4:63:87:91:49
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 8F 05 4C 85 6D 2F EE 1E E6 46 ED AD CC CA A6 :..L.m/...F.....
0010: 06 78 A7 CA .x..
]
]
*******************************************
*******************************************
Alias name: 1
Creation date: Apr 16, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=tomcat@apache.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Issuer: EMAILADDRESS=tomcat@apache.com, CN=Tomcat, OU=Tomcat, O=Apache, L=Beijing, ST=Beijing, C=CN
Serial number: 84802670058ff7d5
Valid from: Mon Apr 16 16:31:46 CST 2018 until: Thu Apr 13 16:31:46 CST 2028
Certificate fingerprints:
     MD5: 46:F0:86:8A:FB:60:2E:AA:14:E5:AF:7F:8B:05:A2:F5
     SHA1: EF:3E:90:08:0D:9E:53:95:4E:4F:36:29:78:05:93:E1:DB:48:CB:A2
     SHA256: 8E:B7:51:6D:04:09:24:28:20:68:4F:C3:2A:2E:47:1E:B8:F6:C2:87:D1:55:30:8C:B0:2A:EA:2A:02:8B:09:76
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1

*******************************************
*******************************************

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykey.keystore -destkeystore mykey.keystore -deststoretype pkcs12".
View Code

9 将mykey.keystore 秘钥库文件按照前文说明的方式部署到Tomcat中(非APR链接器)。通过浏览器可查看证书信息。

10 如果在APR链接器配置SSL,首先需要在server.xml的<Server>下添加监听器AprLifecycleListener:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"

SSLRandomSeed="builtin" userAprConnector="true" />

说明:userAprConnector 为8.5版本新属性,用于启用Apr Connector,8.5版本之前不必配置,默认自动启用

然后,添加SSL链接器配置如下(Tomcat8.5):

<Connector port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig>
       <Certificate certificateKeystoreFile="${catalina.base}/conf/serverkey.pem"
               certificateFile="${catalina.base}/conf/serverkey.crt"
               type="RSA" />
  </SSLHostConfig>
</Connector> 

certificateKeystoreFile 用于配置服务器端秘钥

certificateFile用于配置服务器端证书

至此配置完成

posted @ 2018-04-17 11:23  Sunzz  阅读(4567)  评论(0编辑  收藏  举报