本实验环境:
[root@localhost conf]# cd /usr/local/tomcat/bin/
[root@localhost bin]# ./version.sh
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/jdk1.7.0_75
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar
Server version: Apache Tomcat/6.0.41
Server built: May 19 2014 11:49:25
Server number: 6.0.41.0
OS Name: Linux
OS Version: 2.6.32-431.el6.i686
Architecture: i386
JVM Version: 1.7.0_75-b13
JVM Vendor: Oracle Corporation
[root@localhost bin]#
基于JDK自带的keytool工具生成密钥库(keystore)及自签名证书:
[root@localhost ~]# find / -name keytool
/usr/java/jdk1.7.0_75/jre/bin/keytool
/usr/java/jdk1.7.0_75/bin/keytool
[root@localhost ~]# cd /usr/java/jdk1.7.0_75/bin/
#-keystore /usr/local/tomcat/tomcat.keystore 指定密钥库(证书)的存放位置;-validity 36500 指定证书有效期(单位为天),36500 表示100年,默认值是90天
[root@localhost bin]# ./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/tomcat.keystore -validity 36500
Enter keystore password:
#此处需要输入密钥库口令,长度不少于6个字符
Re-enter new password:
What is your first and last name?
#“您的名字与姓氏是什么?”为必填项,且必须填写TOMCAT部署主机的域名或IP(如:pvbutler.blog.51cto.com 或 10.15.24.254),即将来在浏览器中输入的访问地址,它会成为证书的CN
[Unknown]: 10.15.24.254
What is the name of your organizational unit?
#“您的组织单位名称是什么?”可按需填写,也可以不填直接回车;实验中直接回车
[Unknown]:
What is the name of your organization?
#“您的组织名称是什么?”,同上直接回车
[Unknown]:
What is the name of your City or Locality?
#“您所在城市或区域名称是什么?”,同上直接回车
[Unknown]:
What is the name of your State or Province?
#“您所在的州或省份名称是什么?”,同上直接回车
[Unknown]:
What is the two-letter country code for this unit?
#“该单位的两字母国家代码是什么?”,同上直接回车
[Unknown]:
Is CN=10.15.24.254, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
#系统询问“正确吗?”时,对照上面输入的信息:符合要求则输入字母“y”,否则输入“n”重新填写
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):
#输入别名<tomcat>对应密钥的口令。这一项较为重要,后面会在tomcat配置文件中用到;建议直接回车使其与keystore口令一致,设置为其它口令也可以
Re-enter new password:
[root@localhost bin]# #此时会在/usr/local/tomcat目录中生成文件tomcat.keystore
修改tomcat服务器配置:
[root@localhost bin]# cd /usr/local/tomcat/conf/
[root@localhost conf]# cp server.xml server.xmlbak
[root@localhost conf]# cp web.xml web.xmlbak
[root@localhost conf]# vim server.xml
69 <Connector port="80" protocol="HTTP/1.1"
70 connectionTimeout="20000"
71 redirectPort="443" />
#将redirectPort="8443"修改为redirectPort="443"
83
#去掉注释<!--和-->;修改port="8443"为port="443";指定证书文件的位置和<tomcat>密钥的口令:keystoreFile="/usr/local/tomcat/tomcat.keystore" keystorePass="justin"
84 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
85 maxThreads="150" scheme="https" secure="true"
86 clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/tomcat/tomcat.keystore" keystorePass="justin" />
87
#将redirectPort="8443"修改为redirectPort="443"
90 <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />
[root@localhost conf]#
[root@localhost conf]# vim web.xml
4634
4635 <welcome-file-list>
4636 <welcome-file>index.html</welcome-file>
4637 <welcome-file>index.htm</welcome-file>
4638 <welcome-file>index.jsp</welcome-file>
4639 </welcome-file-list>
#在文件</welcome-file-list>后面加上以下语句(其中url-pattern为/*、transport-guarantee为CONFIDENTIAL,表示对全部路径要求加密传输,HTTP请求会被重定向到HTTPS):
4640 <login-config>
4641 <!-- Authorization setting for SSL -->
4642 <auth-method>CLIENT-CERT</auth-method>
4643 <realm-name>Client Cert Users-only Area</realm-name>
4644 </login-config>
4645 <security-constraint>
4646 <!-- Authorization setting for SSL -->
4647 <web-resource-collection >
4648 <web-resource-name >SSL</web-resource-name>
4649 <url-pattern>/*</url-pattern>
4650 </web-resource-collection>
4651 <user-data-constraint>
4652 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
4653 </user-data-constraint>
4654 </security-constraint>
[root@localhost conf]# service tomcat stop
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/jdk1.7.0_75
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar
[root@localhost conf]# service tomcat start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/jdk1.7.0_75
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar
[root@localhost conf]#
上述配置完成并重启TOMCAT后即可使用SSL。在IE地址栏中直接输入“http://”地址,会自动跳转为“https://”;windows环境下的做法类似,可参考修改对应文件。
注意事项:
(1)注意生成证书的时间:如果IE客户端所在机器的时间早于证书生效时间,或者晚于证书失效时间,IE会提示“该安全证书已到期或还未生效”
(2)如果IE提示“安全证书上的名称无效或者与站点名称不匹配”,是因为生成证书时在“您的名字与姓氏是什么?”/“What is your first and last name?”一项填写的服务器域名或IP与实际访问地址不一致
(3)如果AC主机不能通过域名查找,必须使用IP,但是这个IP只有在配置后才能确定,这样证书就必须在AC确定IP地址后才能生成
(4)证书文件只能绑定一个IP地址,假设有10.1.25.250 和 192.168.1.250 两个IP地址,在证书生成文件时,如使用了10.1.25.250,通过IE就只能使用10.1.25.250 来访问AC-WEB,192.168.1.250是无法访问AC-WEB的
本文转自 justin_peng 51CTO博客,原文链接:http://blog.51cto.com/ityunwei2017/1650958,如需转载请自行联系原作者