Implementing HTTPS Access on Tomcat
1. Install Tomcat
1) Install the JDK
[root@tomcat-web ~]# rpm -ivh jdk-8u161-linux-x64.rpm
2) Add and load the Java environment variables
[root@tomcat-web ~]# cat /etc/profile.d/java.sh
export JAVA_HOME=/usr/java/latest
export PATH=$JAVA_HOME/bin:$PATH
[root@tomcat-web ~]# . /etc/profile.d/java.sh # load the environment variables
[root@tomcat-web ~]# java -version # check that they took effect
3) Install Tomcat
[root@tomcat-web ~]# tar -zxf apache-tomcat-8.0.50.tar.gz -C /usr/local/
[root@tomcat-web ~]# ln -s /usr/local/apache-tomcat-8.0.50/ /usr/local/tomcat
4) Add and load the Tomcat environment variables
[root@tomcat-web ~]# cat /etc/profile.d/tomcat.sh
export CATALINA_HOME=/usr/local/tomcat
export PATH=$CATALINA_HOME/bin:$PATH
[root@tomcat-web ~]# . /etc/profile.d/tomcat.sh
[root@tomcat-web ~]# catalina.sh version # check that they took effect
5) Start the Tomcat service
[root@tomcat-web ~]# catalina.sh start
6) Test access in a browser
Tomcat listens on port 8080 by default; open http://<server IP>:8080 in a browser.

★ At this point Tomcat is installed, but only with the default configuration; it still has to be customized to your requirements.
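An added check, not part of the original post: before dropping a script such as java.sh or tomcat.sh into /etc/profile.d, source it in a subshell with `set -u` so that a reference to an undefined variable (the classic JAVE_HOME typo) fails loudly instead of silently leaving the bin directory off PATH. The function name check_env_script and the two sample scripts are constructed for this example.

```shell
#!/bin/sh
# check_env_script FILE VAR
# Sources FILE in a subshell under `set -u`, so any reference to an undefined
# variable aborts the subshell, then confirms that VAR is set and that
# $VAR/bin ended up on PATH. Returns 0 on success, non-zero otherwise.
check_env_script() {
    _file=$1
    _var=$2
    (
        set -u
        . "$_file" || exit 1
        eval "_home=\$$_var"
        [ -n "$_home" ] || exit 1
        case ":$PATH:" in
            *":$_home/bin:"*) exit 0 ;;
            *) exit 1 ;;
        esac
    ) 2>/dev/null
}

# Constructed sample scripts, written to a temporary directory so the example
# never touches the real /etc/profile.d.
SAMPLE_DIR=$(mktemp -d)
GOOD_SCRIPT="$SAMPLE_DIR/java.sh"
BAD_SCRIPT="$SAMPLE_DIR/java-typo.sh"
cat > "$GOOD_SCRIPT" <<'EOF'
export JAVA_HOME=/usr/java/latest
export PATH=$JAVA_HOME/bin:$PATH
EOF
cat > "$BAD_SCRIPT" <<'EOF'
export JAVA_HOME=/usr/java/latest
export PATH=$JAVE_HOME/bin:$PATH
EOF

if check_env_script "$GOOD_SCRIPT" JAVA_HOME; then
    echo "java.sh: ok"
else
    echo "java.sh: broken"
fi
if check_env_script "$BAD_SCRIPT" JAVA_HOME; then
    echo "java-typo.sh: ok"
else
    echo "java-typo.sh: broken (undefined variable or bin dir missing from PATH)"
fi
```

Run the check against the real file with `check_env_script /etc/profile.d/java.sh JAVA_HOME` (and likewise for tomcat.sh with CATALINA_HOME) before relying on a fresh login shell to pick it up.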
2. Enabling HTTPS access
1) Add a DNS record
At your domain's DNS provider, add an A record pointing to your server's IP address.
2) Obtain or purchase a certificate and upload it
Create a cert directory under the Tomcat directory and upload the certificate files into it:
[root@tomcat-web ~]# cd /usr/local/tomcat/
[root@tomcat-web tomcat]# mkdir cert
[root@tomcat-web tomcat]# rz # upload the certificate files over ZMODEM (lrzsz)
3) Install the certificate
(1) Installing a PFX certificate
Open server.xml in vim and add an SSL connector directly below the port-8080 connector:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/usr/local/tomcat/cert/your-certificate.pfx"
           keystoreType="PKCS12"
           keystorePass="your-keystore-password"
           clientAuth="false" sslProtocol="TLS" />
(2) Installing a JKS certificate
(a) Use the JDK's keytool to convert the PFX certificate to JKS format (on Windows, run this from the %JAVA_HOME%/jdk/bin directory):
keytool -importkeystore -srckeystore your-certificate.pfx -destkeystore your-certificate.jks -srcstoretype PKCS12 -deststoretype JKS
After pressing Enter, type the PFX certificate password once, then the JKS keystore password you want to set twice; remember this password.
(b) Open server.xml in vim and add an SSL connector directly below the port-8080 connector:
<Connector port="8443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/usr/local/tomcat/cert/your-certificate.jks"
           keystorePass="your-keystore-password"
           clientAuth="false" sslProtocol="TLS" />
4) Modify the Host configuration
<Engine name="Catalina" defaultHost="localhost">
  <!-- The localhost named here is the default Host; change it to the domain the certificate is bound to -->
  <!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html  (simple how to)
      /docs/config/cluster.html (reference documentation) -->
  <!--
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
  -->
  <!-- Use the LockOutRealm to prevent attempts to guess user passwords
       via a brute-force attack -->
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase". Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <!-- Change the localhost in name="localhost" above to the domain you just added the DNS record for; it must match the certificate's Common Name -->
    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->
    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>
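An added verification step (example code, not from the original post) covering the certificate installation and the requirement that the Host name match the certificate's Common Name: it confirms that the keystore password really unlocks the .pfx file and extracts the certificate's CN so it can be compared with the value you put in <Host name="...">. It relies on openssl; the function names, the sample host name tomcat.example.test and the throwaway self-signed keystore are all constructed for the example.

```shell
#!/bin/sh
# pfx_cn FILE PASS: print the Common Name of the end-entity certificate in
# the PKCS12 file FILE, using PASS to open it (RFC2253 formatting gives a
# stable "CN=..." layout across openssl versions).
pfx_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# pfx_password_ok FILE PASS: 0 if PASS unlocks the private key, 1 otherwise.
# This is the same check Tomcat performs with keystorePass at startup.
pfx_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes >/dev/null 2>&1
}

# check_pfx_for_host FILE PASS HOST: 0 only if the password works and the
# certificate CN equals HOST (the value for <Host name="...">).
check_pfx_for_host() {
    pfx_password_ok "$1" "$2" || return 1
    [ "$(pfx_cn "$1" "$2")" = "$3" ]
}

# Constructed sample: a one-day self-signed certificate for a placeholder
# host name, packed into a PKCS12 file with the password "changeit".
SAMPLE_DIR=$(mktemp -d)
SAMPLE_HOST="tomcat.example.test"
SAMPLE_PASS="changeit"
SAMPLE_PFX="$SAMPLE_DIR/sample.pfx"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$SAMPLE_HOST" \
    -keyout "$SAMPLE_DIR/key.pem" -out "$SAMPLE_DIR/cert.pem" >/dev/null 2>&1
openssl pkcs12 -export -inkey "$SAMPLE_DIR/key.pem" -in "$SAMPLE_DIR/cert.pem" \
    -out "$SAMPLE_PFX" -passout "pass:$SAMPLE_PASS"

if check_pfx_for_host "$SAMPLE_PFX" "$SAMPLE_PASS" "$SAMPLE_HOST"; then
    echo "keystore ok for Host name=\"$SAMPLE_HOST\""
else
    echo "keystore CN does not match $SAMPLE_HOST, or the password is wrong"
fi
```

Point the function at the real file, e.g. `check_pfx_for_host /usr/local/tomcat/cert/your-certificate.pfx 'your-keystore-password' www.yourdomain.example`, before restarting Tomcat. Note that current browsers validate the Subject Alternative Name extension rather than the CN, so for a purchased certificate the domain must also appear there; `openssl x509 -noout -ext subjectAltName` on the extracted certificate shows it.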
5) Restart Tomcat
[root@node1 tomcat]# /usr/local/tomcat/bin/catalina.sh stop && catalina.sh start
6) Test access in a browser

3. Redirecting HTTP to HTTPS automatically
1) Modify web.xml
Add the following near the end of the file, on the second-to-last line (just before the closing </web-app> tag). The <security-constraint> with transport-guarantee CONFIDENTIAL is what makes Tomcat send plain-HTTP requests for every URL to the connector's redirectPort:
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
2) Modify server.xml
Make requests that arrive at the non-SSL connector redirect to the SSL connector by changing the following:
Before:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
After:
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
★ Changing the default port 8080 to 80 means the port no longer has to be typed in the URL, because HTTP uses port 80 by default.
★ Changing 8443 to 443 means that requests arriving on port 80 are redirected to port 443; redirectPort must be the port of the SSL connector you actually configured in step 2 (443 in the PFX example, 8443 in the JKS example), otherwise the redirect points at a port nothing is listening on.
3) Restart Tomcat
[root@node1 tomcat]# /usr/local/tomcat/bin/catalina.sh stop && catalina.sh start
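The redirect only works if the redirectPort of the plain-HTTP connector is the port of the SSL connector defined in the same server.xml (443 when following the PFX section, 8443 when following the JKS section). The following added example, not from the original post, lists the active connectors in a server.xml with awk, skipping the commented-out connectors the stock file ships with, and checks that the two numbers agree. The sample files and the function names are constructed for the example.

```shell
#!/bin/sh
# connector_attrs FILE: print each active (non-commented) <Connector> element
# as one line of "name=value" pairs, e.g.  port=80 protocol=HTTP/1.1 redirectPort=443
connector_attrs() {
    awk '
        # Skip XML comments; server.xml keeps comment delimiters on their own lines.
        /<!--/ && !/-->/ { incomment = 1; next }
        incomment && /-->/  { incomment = 0; next }
        incomment           { next }
        { gsub(/<!--.*-->/, "") }
        # Collect a <Connector ...> element that may span several lines.
        /<Connector/        { collecting = 1; buf = "" }
        collecting          { buf = buf " " $0 }
        collecting && />/   {
            collecting = 0
            out = ""
            s = buf
            while (match(s, /[A-Za-z]+="[^"]*"/)) {
                pair = substr(s, RSTART, RLENGTH)
                gsub(/"/, "", pair)
                out = out pair " "
                s = substr(s, RSTART + RLENGTH)
            }
            print out
        }
    ' "$1"
}

# attr_value PAIRS NAME: value of NAME in a "k=v k=v" line, empty if absent
attr_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# ssl_port FILE: port of the connector that has SSLEnabled="true"
ssl_port() {
    connector_attrs "$1" | while IFS= read -r line; do
        if [ "$(attr_value "$line" SSLEnabled)" = "true" ]; then
            attr_value "$line" port
        fi
    done
}

# plain_redirect_port FILE: redirectPort of the first non-SSL connector
plain_redirect_port() {
    connector_attrs "$1" | while IFS= read -r line; do
        if [ "$(attr_value "$line" SSLEnabled)" != "true" ]; then
            attr_value "$line" redirectPort
            break
        fi
    done
}

# check_redirect_target FILE: 0 when redirectPort points at the SSL connector
check_redirect_target() {
    _ssl=$(ssl_port "$1")
    _redir=$(plain_redirect_port "$1")
    [ -n "$_ssl" ] && [ "$_redir" = "$_ssl" ]
}

# Constructed sample server.xml: the post's final configuration, plus the
# commented-out 8443 connector the stock file contains, which must be ignored.
SAMPLE_DIR=$(mktemp -d)
GOOD_XML="$SAMPLE_DIR/server-good.xml"
BAD_XML="$SAMPLE_DIR/server-bad.xml"
cat > "$GOOD_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <!-- Default SSL connector, left commented out as in the stock file
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" />
    -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/usr/local/tomcat/cert/your-certificate.pfx"
               keystoreType="PKCS12" keystorePass="your-keystore-password"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
EOF
# Misconfigured variant: SSL on 443 but redirectPort left at the default 8443.
sed 's/redirectPort="443"/redirectPort="8443"/' "$GOOD_XML" > "$BAD_XML"

for f in "$GOOD_XML" "$BAD_XML"; do
    if check_redirect_target "$f"; then
        echo "$f: redirectPort matches the SSL connector"
    else
        echo "$f: redirectPort $(plain_redirect_port "$f") != SSL port $(ssl_port "$f")"
    fi
done
```

Run `check_redirect_target /usr/local/tomcat/conf/server.xml` after editing; binding ports 80 and 443 also requires root or an equivalent privilege, so a non-root Tomcat that silently fails to bind will show up in catalina.out rather than in this check.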