Introduction to Tomcat server HTTPS protocol configuration

Source: Internet
Author: User

I. Digital signature certificate creation
1. Use the keytool utility bundled with the JDK to generate a certificate;

2. Export the certificate;

3. Submit the certificate to the CA for signing;

Note: For detailed steps and examples, see the appendix.

II. Modify the server.xml file

Modify conf/server.xml and add the following configuration:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="e:/csp_local/keys/keystoreA"
           keystorePass="changeit" />

keystoreFile is the location of the digital certificate keystore, and keystorePass is the keystore password.
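A quick audit of the Connector settings above, as an added example that is not part of the original page. The function name, the password list and the embedded sample server.xml are constructed for illustration; the two Tomcat defaults it relies on are that keystorePass falls back to changeit and redirectPort falls back to 443 when omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS Connector from this page plus a plain HTTP one.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="e:/csp_local/keys/keystoreA"
             keystorePass="changeit" />
</Service></Server>"""

# Passwords that appear in tutorials and defaults (illustrative list).
WELL_KNOWN_PASSWORDS = {"changeit", "changeme", "password", ""}


def audit_connectors(xml_text):
    """Return (port, finding) tuples for the <Connector> elements in server.xml."""
    # Lower-case attribute names so a mis-cased copy of the config is still audited.
    connectors = [{k.lower(): v for k, v in c.attrib.items()}
                  for c in ET.fromstring(xml_text).iter("Connector")]
    tls_ports = {c.get("port") for c in connectors
                 if c.get("sslenabled", "").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port", "?")
        if port not in tls_ports:
            if c.get("protocol", "").upper().startswith("AJP"):
                continue  # AJP connectors are out of scope for this check
            # Tomcat redirects CONFIDENTIAL requests to redirectPort (443 if unset).
            redirect = c.get("redirectport", "443")
            if redirect not in tls_ports:
                findings.append((port, f"redirectPort {redirect} has no TLS connector"))
            continue
        # Tomcat falls back to "changeit" when keystorePass is omitted.
        if c.get("keystorepass", "changeit") in WELL_KNOWN_PASSWORDS:
            findings.append((port, "keystore uses a well-known password"))
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append((port, "scheme/secure not set for HTTPS"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SERVER_XML):
        print(f"port {port}: {finding}")
```

A redirectPort finding is only a prompt to verify: it is expected when a front-end device forwards port 443 to the Tomcat TLS port.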





Appendix

Example of creating a digital signature certificate

Assume that the certificate to be generated represents the domain name sso.digitalchina.com, the city is beijing, the country is CN, and the alias is tomcat. The certificate is stored in a keystore named keystoreA in the current directory.

1. Generate the certificate to be signed

keytool -genkey -alias tomcat -keyalg RSA -keystore keystoreA -storepass changeit

Run the preceding command and follow the prompts to enter:

What is your first and last name? (prompt): sso.digitalchina.com (input)

What is the name of your organizational unit? (prompt): digitalchina.com (input)

What is the name of your organization? (prompt): sso (input)

What is the name of your city or locality? (prompt): beijing (input)

What is the name of your state or province? (prompt): beijing (input)

What is the two-letter country code for this unit? (prompt): CN (input)

Is CN=sso.digitalchina.com, OU=digitalchina.com, O=sso, L=beijing, ST=beijing, C=CN correct? [no] (prompt): y (input)

Enter key password for <digitalchina> (press Enter if it is the same as the keystore password) (prompt): press Enter (input)



After the preceding steps, the keystoreA file is generated in the current directory.

2. Export the certificate to be signed

Export to the cert directory under the current directory:

keytool -export -alias tomcat -file cert/tomcat.jks -keystore keystoreA -storepass changeit

After the preceding command is executed, the certificate file tomcat.jks is generated in the cert directory.

3. Import the certificate to be signed

Import the certificate into the default certificate store, that is, $JAVA_HOME/jre/lib/security/cacerts. If the password of that store is the default changeit, run the following import command:

keytool -import -alias tomcat -file cert/tomcat.jks -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Running the preceding command imports the certificate into the Java virtual machine of the current environment.


Hello, let me ask you about how to configure https for tomcat.

Some Tomcat server webpages use the https protocol

a. Execute the following command line in the Tomcat installation directory:

keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600

b. Modify the server.xml configuration file:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" keystorePass="changeit" />

c. Restart Tomcat; the application can then be accessed through both http and https.

d. If you only need to restrict access to some URLs through https, you need to add the following configuration items in web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>must https</web-resource-name>
    <url-pattern>/test1/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

With this configuration in web.xml, once the access URL of the application starts with test1, it is forced to redirect to https access.
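To see which request paths the web.xml constraint in the answer above actually forces onto https, the following added example (not part of the original answer) applies servlet url-pattern matching to a constructed copy of that constraint. The function names are hypothetical; it only checks whether some CONFIDENTIAL pattern matches and ignores http-method lists and precedence between overlapping constraints.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml containing the security-constraint from the answer above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>must https</web-resource-name>
      <url-pattern>/test1/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Drop an XML namespace prefix such as '{http://...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(xml_text):
    """Collect url-patterns of constraints whose transport-guarantee is CONFIDENTIAL."""
    patterns = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        texts = {}
        for el in sc.iter():
            texts.setdefault(local(el.tag), []).append((el.text or "").strip())
        if "CONFIDENTIAL" in texts.get("transport-guarantee", []):
            patterns += texts.get("url-pattern", [])
    return patterns


def matches(pattern, path):
    """Servlet url-pattern matching; path is relative to the context root."""
    if pattern.endswith("/*"):                    # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                  # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":                            # default mapping (simplified: matches all)
        return True
    return path == pattern                        # exact mapping


def forced_to_https(xml_text, path):
    return any(matches(p, path) for p in confidential_patterns(xml_text))
```

With the sample, /test1 and /test1/login are forced to https, while /test10/login and every other path remain reachable over plain http.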
 
How to configure https for Tomcat access to the console, and http for accessing applications deployed in tomcat

In the Command Prompt window, go to the Tomcat directory and execute the following command:
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600
The preceding step generates the server.keystore certificate file.

Uncomment the following section of servlet.xml (it is best to copy this segment):
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="server.keystore"
           keystorePass="changeit" />
After this step, access ip:8443/

Generally, the default SSL port number of Tomcat is 8443, but the standard SSL port number is 443. In this way, you can directly access the web page by using https without entering the port number, such as ip/
To modify the port number, modify the Tomcat server.xml file:
1. Where the non-SSL HTTP/1.1 Connector is defined, it is generally as follows:
<Connector port="80" maxHttpHeaderSize="8192"
           maxThreads="500" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort= ......
