Generally, Tomcat is only used as a request processor behind web servers such as Apache and Nginx. However, for small applications it is fine to use Tomcat as the front-end server itself. The following is a summary of some Tomcat configurations.
SSL configuration in NIO mode:
Step 1: create a keystore:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
If this is the first time you run keytool, you also need to set the keystore password. The keystore generated by this command contains an automatically generated key pair and a self-signed certificate.
If you do not want to use keytool but prefer to generate the certificate with OpenSSL, that also works. First generate a key file:
openssl genrsa -des3 -out server.key 4096
Then generate a CSR file based on that key:
openssl req -config /path/to/openssl.cnf -new -key server.key -out server.csr
Note: the OpenSSL configuration file path follows -config; the file is usually found in the OpenSSL installation directory.
Finally, generate the certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Of course, you can also send your CSR file to a third-party certificate authority such as VeriSign, which will issue a certificate file to you.
Now that we have the certificate and key files, how do we import them into a keystore? The approach is to first bundle them into a PKCS12 file and then import (convert) that into a JKS keystore file. The file names below follow the server.key and server.crt generated above:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
With the keystore file in place, you only need to add the following Connector to Tomcat's server.xml:
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/path/to/keystore" keystorePass="XXXXXXXXX"
    clientAuth="false" sslProtocol="TLS"/>
If a connector on port 8443 is already configured, replace it with this one. For the protocol attribute, note that org.apache.coyote.http11.Http11NioProtocol processes the connections on this port in NIO mode.
SSL configuration in APR mode:
APR mode is relatively simple. With the key and CRT files generated by OpenSSL above, we can add the configuration directly:
<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="C:/SSL/server.crt"
    SSLCertificateKeyFile="C:/SSL/server.key"
    SSLPassword="in4monitor"
    SSLVerifyClient="false" SSLProtocol="TLSv1"/>
For the protocol attribute, note that org.apache.coyote.http11.Http11AprProtocol processes the connections on this port in APR mode. When APR is configured on some machines, the fopen function cannot be found, and we have not found the cause. If you have any solutions, please let us know.
HTTP to HTTPS
Because our Tomcat serves as the front-end web server, the default HTTP connector port 8080 needs to be changed to 80, and redirectPort needs to be changed to 443.
<Connector port="80" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443"/>
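A redirectPort on its own does not force HTTPS: Tomcat only redirects a plain-HTTP request to that port when the requested resource carries a security constraint demanding CONFIDENTIAL transport. The following web.xml fragment is an added example, not from the original post; it assumes you want the whole application (url-pattern /*) moved to HTTPS and goes in the application's WEB-INF/web.xml.

```xml
<!-- Added example: WEB-INF/web.xml fragment that makes redirectPort take effect.
     A request arriving over plain HTTP for any URL matched below is answered
     with a redirect to the same path on the connector's redirectPort (443).
     The url-pattern /* is an assumption; narrow it if only part of the app
     must be served over TLS. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: the request must arrive over TLS; otherwise Tomcat
             redirects to redirectPort instead of serving the resource. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Placing the same fragment in conf/web.xml applies it to every application deployed on the server.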
This covers the SSL configuration in Tomcat NIO and APR modes and the redirect from HTTP to HTTPS.