Configuring two-way HTTPS access in Tomcat 6

Source: Internet
Author: User
Tags pkcs12

At work I needed to use a bank interface, which meant deploying a separate web server to receive HTTPS requests. I studied how to configure two-way (mutual) HTTPS on Tomcat 6, drawing on articles from the Internet and a good deal of trial and error, and finally gained some experience. Here is a brief write-up as a record.

As before, we use the keytool that ships with the JDK. Without further ado, first change into the JAVA_HOME\bin directory and execute the following command:

keytool -genkey -v -alias tomcat -keyalg RSA -keystore e:\keystore\tomcat.keystore -validity 36500

This command generates a certificate for the server with the alias tomcat, valid for 100 years, stored in the E:\keystore directory. After confirming, you also need to fill in some information, and the keystore file is generated:

Note: for "first and last name" it is best to fill in the IP address or domain name; for local use you can also fill in localhost. If you fill in anything else, you need to modify the Windows hosts configuration. The same applies to the client certificate generated next.

Similarly, execute the following command to generate the client's certificate. So that it can be imported into IE or Firefox, the certificate format is set to PKCS12:

keytool -genkey -v -alias realfighter -keyalg RSA -storetype PKCS12 -keystore e:\keystore\realfighter.p12

As with the server-side certificate, you need to fill in some information to generate the P12 file, as shown:

Next, export the certificate from the P12 file to a CER file with the following command. The part highlighted in red in the original, the -storepass value, is the client certificate password you set:

C:\Program Files\java\jdk1.6.0_45\bin>keytool -export -alias realfighter -keystore e:\keystore\realfighter.p12 -storetype PKCS12 -storepass urpwd -rfc -file e:\keystore\realfighter.cer

After that, import the generated client certificate into the server-side certificate store, as follows:

C:\Program Files\java\jdk1.6.0_45\bin>keytool -import -v -file e:\keystore\realfighter.cer -keystore e:\keystore\tomcat.keystore

Next, configure Tomcat to support HTTPS access on the default port 443. Edit the TOMCAT_HOME\conf\server.xml file and comment out two Connector elements, mainly to prohibit access over HTTP on port 8080, as follows:

    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->

    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="443" /> -->

Uncomment the Connector at around line 84 and modify it as follows:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="E:/keystore/tomcat.keystore" keystorePass="urpwd"
               truststoreFile="E:/keystore/tomcat.keystore" truststorePass="urpwd" />

The keystoreFile and truststoreFile attributes above correspond to the certificate store and the trusted certificate store files; here the same file is used for both, and the passwords correspond to the server-side password and the client password respectively.
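The following check is an added example, not part of the original article or of Tomcat: it parses a server.xml string and reports any active connector that is not HTTPS with clientAuth="true". The XML is constructed from the configuration above, and the names audit_connectors, HARDENED and WEAK are chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector layout from the article, reduced to the
# relevant elements. XML comments are skipped by the parser, so the two
# commented-out connectors do not count as active.
HARDENED = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="443" /> -->
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="E:/keystore/tomcat.keystore" keystorePass="urpwd"
             truststoreFile="E:/keystore/tomcat.keystore" truststorePass="urpwd" />
</Service></Server>"""

# Constructed counter-example: HTTP connector left active, client cert optional.
WEAK = (HARDENED
        .replace('<!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->',
                 '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />')
        .replace('clientAuth="true"', 'clientAuth="want"'))


def audit_connectors(server_xml):
    """Return findings for a server.xml string; an empty list means every
    active connector is HTTPS and requires a client certificate."""
    findings = []
    tls_seen = False
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: active connector without SSLEnabled")
            continue
        tls_seen = True
        # "want" and "false" both let a client connect without a certificate.
        if conn.get("clientAuth", "false").lower() != "true":
            findings.append(f"port {port}: clientAuth is not 'true'")
        for attr in ("keystoreFile", "truststoreFile"):
            if not conn.get(attr):
                findings.append(f"port {port}: {attr} is not set")
    if not tls_seen:
        findings.append("no HTTPS connector is active")
    return findings


if __name__ == "__main__":
    for name, xml in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_connectors(xml) or "OK")
```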

Next, start Tomcat and access it through https://127.0.0.1/ (HTTPS uses port 443 by default). An access error page appears, as follows:

We need to import the client certificate P12 file. Taking Google Chrome as an example, go to Settings -- Show advanced settings -- Manage certificates -- Personal.

Click Next, select the P12 file, and click Next again; partway through you need to enter the certificate password. When finished, the installed certificate is displayed in the Personal section:

Refresh the link again and the certificate selection dialog is displayed; click OK:

The browser then shows that the link is unsafe (the server certificate generated above is self-signed); ignore this and click continue:

Access then succeeds:

Other Links: http://www.xx566.com/detail/211.html
