How to build a Tomcat HTTPS server on CentOS (original)


I. Install the Java JDK and configure environment variables

1. Uninstall the original openjdk

yum -y remove java-1.7.0-openjdk*

yum -y remove tzdata-java.noarch

2. Download and decompress the new jdk.

[root@localhost java]# curl -O http://download.oracle.com/otn-pub/java/jdk/7u79-b15/jdk-7u79-linux-x64.tar.gz

[root@localhost java]# tar -zxvf jdk-7u79-linux-x64.tar.gz

There are actually many ways to download the JDK. You can use commands as above, or download it to a local machine and then upload it to CentOS over FTP.

3. Configure Environment Variables

Run the command vim /etc/profile to open the profile, press i to enter insert mode, and then add the following lines at the end of the file. This completes the Java environment variable configuration.

# Set java environment

JAVA_HOME=/usr/java/jdk1.7.0_79

JRE_HOME=/usr/java/jdk1.7.0_79/jre

CLASS_PATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib

PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin

export JAVA_HOME JRE_HOME CLASS_PATH PATH

After the configuration is complete, exit the editor and run [root@localhost java]# source /etc/profile (so that the modified configuration takes effect).

Then you can run java -version to check that the new environment variables are in effect.

 

II. Create an HTTPS access certificate and add the certificate to the Tomcat configuration

1. Create a certificate

Enter the following code in the bin directory of JAVA_HOME:

cd /usr/java/jdk1.7.0_79/bin/

keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat.keystore -validity 36500

Enter keystore password: # Enter a string longer than 6 characters

Re-enter new password:

What is your first and last name? # This is required.

[Unknown]: haha

What is the name of your organizational unit? # You can fill this in or leave it blank and press Enter. For this experiment, you can just press Enter.

[Unknown]:

What is the name of your organization? # Press Enter.

[Unknown]:

What is the name of your City or Locality? # Press Enter.

[Unknown]:

What is the name of your State or Province?

[Unknown]:

What is the two-letter country code for this unit?

[Unknown]:

Is CN=10.15.24.254, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? # The tool asks whether the information is correct. If it is, enter the letter "y"; otherwise enter "n" and fill in the information above again.

[no]: y

Enter key password
(RETURN if same as keystore password): # Enter the key password. This is important and will be used in the Tomcat configuration file. We recommend using the same password as the keystore password, although you can set a different one.

Re-enter new password:

2. Modify the Tomcat server.xml configuration file to support HTTPS

cd /tomcat/conf/

vim server.xml

Add the HTTPS connector configuration. The connector node already exists in server.xml but is commented out. After uncommenting it, add two attributes: one is the certificate (keystore) path and the other is the certificate (keystore) password.
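The following is an added example, not taken from the original page: the connector before and after the change described above, assuming a Tomcat 7-style server.xml. The keystore path is the one passed to keytool earlier; the password value is a placeholder, and the explicit NIO protocol class and sslEnabledProtocols are additions made here that the page does not mention.

```xml
<!-- Added example; assumes a Tomcat 7-style server.xml. -->

<!-- Before: the connector ships commented out, so nothing listens on 8443.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

<!-- After: uncommented, with the two attributes from the text added.
     keystoreFile = path given to "keytool -keystore" in step 1
     keystorePass = password entered at the keytool prompts (placeholder below)
     The NIO protocol class is named explicitly so that the Java keystore
     (JSSE) settings are the ones Tomcat reads (assumption, not on the page).
     sslEnabledProtocols limits the handshake to TLS 1.2, which JDK 7
     supports on the server side (assumption, not on the page). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="/usr/local/tomcat.keystore"
           keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />
```

Because keystorePass is stored in clear text, keep server.xml and the keystore file readable only by the account that runs Tomcat.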

 

 

III. Firewall port configuration

vim /etc/sysconfig/iptables: open the port configuration file for editing

Note that some versions of CentOS do not have the iptables file. If it is missing, you need to create it.

Creation method: cd /etc/sysconfig/

Then run the following commands in order:

iptables -P OUTPUT ACCEPT

service iptables save

service iptables restart

After creation, run: vim /etc/sysconfig/iptables

In Tomcat, the HTTP access port is set to 8080. I did not open this port here, so HTTP access does not work; only HTTPS is allowed. The default HTTPS port in Tomcat is 8443.

However, the default port for HTTPS is 443, so if you change Tomcat's 8443 to 443 you can access the server directly by putting https:// in front of the IP address.

 

 

IV. Difficulties encountered during setup

The CentOS server I use here is version 6.5, and the system comes with OpenJDK 1.7.*. The reason for uninstalling the built-in OpenJDK in step 1 is that the certificate generated by keytool under OpenJDK is invalid and HTTPS cannot be accessed. You can run curl -v https://ip; after it runs for a while it prints an error number, and then you can open http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html to look it up. Because of this OpenJDK problem I rebuilt the environment multiple times. Then I suddenly thought it might be the cause. Someone on the Internet said this as well.

Run yum update nss to upgrade nss. No matter which version of CentOS you are using, execute this command at the end. Otherwise, when you access the server with curl, an NSS error -59990 occurs.

 

 

 
