How to build a Tomcat HTTPS server on CentOS (original)
I. Install the Java JDK and configure environment variables
1. Uninstall the original openjdk
yum -y remove java-1.7.0-openjdk*
yum -y remove tzdata-java.noarch
2. Download and decompress the new jdk.
[root@localhost java]# curl -O http://download.oracle.com/otn-pub/java/jdk/7u79-b15/jdk-7u79-linux-x64.tar.gz
[root@localhost java]# tar -zxvf jdk-7u79-linux-x64.tar.gz
There are many ways to download the JDK. You can fetch it with a command as above, or download it locally and then upload it to the CentOS host over FTP.
3. Configure Environment Variables
Run the command vim /etc/profile to open the profile file, press i to enter insert mode, and then add the following lines at the end of the file. This completes the Java environment variable configuration.
# Set java environment
JAVA_HOME=/usr/java/jdk1.7.0_79
JRE_HOME=/usr/java/jdk1.7.0_79/jre
CLASS_PATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib
PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin
export JAVA_HOME JRE_HOME CLASS_PATH PATH
After the configuration is complete, exit the editor and run [root@localhost java]# source /etc/profile (for the modified configuration to take effect).
Then you can run java -version to check that the new environment variables are in effect.
II. Create an HTTPS access certificate and add the certificate to the Tomcat configuration
1. Create a certificate
Run the following commands, starting from the bin directory of JAVA_HOME:
cd /usr/java/jdk1.7.0_79/bin/
keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat.keystore -validity 36500
Enter keystore password: # Enter a string of more than 6 characters
Re-enter new password:
What is your first and last name? # Required.
[Unknown]: haha
What is the name of your organizational unit? # Fill this in as needed, or leave it blank. For a test setup, you can just press Enter.
[Unknown]:
What is the name of your organization? # Press Enter.
[Unknown]:
What is the name of your City or Locality? # Press Enter.
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=10.15.24.254, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? # The system asks whether the information is correct. If it is, enter "y". Otherwise, enter "n" to fill in the information again.
[no]: y
Enter key password
(RETURN if same as keystore password): # Enter the key password. This is important and will be used in the Tomcat configuration file. We recommend using the same password as the keystore password, although you can set a different one.
Re-enter new password:
2. Modify the Tomcat server.xml configuration file to support HTTPS
cd /tomcat/conf/
vim server.xml
Add the HTTPS node configuration. The following node already exists in server.xml but is commented out. After you uncomment it, add two attributes: one is the certificate path and the other is the certificate password.
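As an added example (not part of the original article), the following Python check reads a server.xml and reports whether the HTTPS connector carries the certificate path and password, and whether a plain HTTP connector is still enabled. The embedded server.xml is constructed for illustration, its attribute names assume a Tomcat 7-style JSSE connector, the password is a placeholder, and audit_connectors is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the article). Attribute names assume
# a Tomcat 7-style JSSE connector; the keystore password is a placeholder.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector disabled
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/local/tomcat.keystore"
               keystorePass="CHANGE_ME_PLACEHOLDER" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

def audit_connectors(xml_text):
    """Return findings for the HTTP(S) connectors in a server.xml document."""
    findings = []
    https_seen = False
    # ElementTree drops XML comments, so commented-out connectors are ignored.
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue  # AJP connectors are outside the scope of this check
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plain HTTP connector is enabled")
            continue
        https_seen = True
        for attr in ("keystoreFile", "keystorePass"):
            if not conn.get(attr):
                findings.append(f"port {port}: HTTPS connector missing {attr}")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(f"port {port}: scheme/secure not set for HTTPS")
    if not https_seen:
        findings.append('no connector with SSLEnabled="true"')
    return findings

if __name__ == "__main__":
    for line in audit_connectors(SAMPLE_SERVER_XML) or ["OK: HTTPS only, keystore set"]:
        print(line)
```

To check a real installation, pass the contents of conf/server.xml to audit_connectors.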
III. Firewall port configuration
vim /etc/sysconfig/iptables: open the port settings file for editing
Note that some versions of CentOS do not have the iptables file. If it does not exist, you need to create it.
Creation method: cd /etc/sysconfig/
Run iptables -P OUTPUT ACCEPT, then service iptables save, then service iptables restart.
After creation, run: vim /etc/sysconfig/iptables
In Tomcat, the HTTP access port is set to 8080. I didn't set this port here, so HTTP access does not work and only HTTPS is allowed. The default HTTPS port in Tomcat is 8443.
However, since the default HTTPS port is 443, you can change Tomcat's 8443 to 443 so that the site can be reached directly as https://<ip address>.
IV. Difficulties encountered during construction
The CentOS server I use here is version 6.5, and the system comes with openjdk 1.7.*. The reason for uninstalling the built-in openjdk in step 1 is that the certificate generated by keytool under openjdk is invalid and HTTPS cannot be accessed. You can run curl -v https://<ip>; after it runs, you get the error number, and you can then open http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html to look it up. This openjdk made me rebuild the environment multiple times. Then I suddenly thought it might be the cause. Someone on the Internet said this.
Run yum update nss to upgrade nss. No matter which version of CentOS you are using, run this command at the end. Otherwise, when you access the server with curl, an NSS error -59990 occurs.