Summary of the main steps (memo)
1. Go to the bin directory under JDK
2. Enter the following command
keytool -v -genkey -alias tomcat -keyalg RSA -keystore d:/tomcat.keystore -validity 36500
Notes:
"-keystore d:/tomcat.keystore" places the generated tomcat.keystore in the root directory of the D: drive.
"-validity 36500" is the certificate validity period in days; 36500 means 100 years, and the default value is 90 days.
To place the file on the C: drive under Windows 7, you need to open the command line as an administrator, otherwise tomcat.keystore cannot be created. This example places it on the D: drive.
How do I open the command line as an administrator? Start -> search box, type cmd -> wait (do not press Enter) -> right-click cmd.exe -> "Run as Administrator".
3. Enter the keystore password
The password is arbitrary; this example uses 123456. Remember this password, because it is used later in the server.xml configuration.
4. Enter the name, organizational unit, organization, city, province, country and other information
Note:
A. Enter keystore password: here you need to enter a string of more than 6 characters.
B. "What is your first and last name?": this is required and must be the domain name or IP of the Tomcat deployment host [such as Gbcom.com or 10.1.25.251], which is the access address you will enter in the browser.
C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?", "What is the two-letter country code for this unit?": these can be filled in as required, or left blank by pressing Enter. The system then asks "correct?"; type "y" if the information is as required, otherwise type "n" to re-enter the above information.
D. Enter key password for <tomcat>: this one is more important, because it is used in the Tomcat configuration file. It is recommended to enter the same password as the keystore password; a different password can also be set.
After completing the above input, press Enter; the generated file is at the location you defined in step 2.
5. After the input, a confirmation prompt appears
Type y and press Enter. The keystore is now completely created.
Go to the root directory of the D: drive to see the generated tomcat.keystore.
6. Go to the Tomcat folder
Find server.xml in the conf directory and edit it.
7. Editing
<!-- The maxThreads value is missing from this memo; 150 is the value in Tomcat's stock server.xml. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" keystoreFile="D:/appserver/tomcat/apache-tomcat-6.0.32/conf/tomcat.keystore"
keystorePass="Deleiguo" sslProtocol="TLS"/>
Note:
The keystore password (keystorePass, in the box) is the password set in step 3, "123456" in this example.
Save and close server.xml when editing is complete.
8. After Tomcat starts successfully, use https://127.0.0.1:8443 to access the page (the first attempt in Chrome may show an error page)
Solution
A. Right-click the Chrome browser shortcut and open its properties.
B. Append --cipher-suite-blacklist=0x0039,0x0033 after the original content of the Target field.
Note that the added content is separated from the original content by a space.
C. Then click Apply and click OK.
D. Close all Chrome windows that are already open, and then re-open Chrome with this shortcut.
The page now opens successfully, and the HTTPS configuration under Tomcat is complete.
9. Make the application redirect HTTP to HTTPS automatically
In the application's web.xml, add:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
10. Generate the security certificate file
keytool -export -alias tomcat -file d:/file.cer -keystore d:/tomcat.keystore
Then enter the password of the d:/tomcat.keystore keystore. "-file d:/file.cer" is the generated CER file, which can be installed directly by double-clicking it.
11. Precautions:
(1) If the clock on the IE client machine is earlier than the time the certificate was generated, or later than the end of its validity period, IE prompts "the security certificate has expired or is not in effect".
(2) If IE prompts "the name on the security certificate is invalid or does not match the site name", the cause is that the domain name of the server host entered at "What is your first and last name?" when the certificate was generated was incorrect.
12. Legacy issues:
(1) If the AC host cannot be found by domain name, the IP must be used, but this IP is only determined after configuration, so the certificate has to be generated on the AC once its IP address has been determined.
(2) A certificate file can only be bound to one IP address. Suppose there are two IP addresses, 10.1.25.250 and 192.168.1.250: if the certificate is generated using 10.1.25.250, then through IE only 10.1.25.250 can be used to access AC-WEB; AC-WEB cannot be accessed through 192.168.1.250.
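An added example, not part of the original memo: a batch file for the cmd.exe prompt used above that runs steps 2 to 5 and step 10 without the interactive name prompts, and goes beyond the memo by listing both addresses from legacy issue (2) in the subjectAltName extension, so that clients which check that extension can use either IP. It assumes JDK 7 or later (for keytool's -ext option); the OU, O, L, ST and C values are placeholders.

```bat
@echo off
rem Added example, not from the original memo.
rem Assumes JDK 7+ (keytool -ext) and that keytool is on PATH,
rem or that this file is run from the JDK bin directory (step 1).
setlocal
set KS=d:/tomcat.keystore
set CER=d:/file.cer

rem -dname answers the name/organization prompts of step 4 up front.
rem CN is the address typed into the browser; the other fields are
rem placeholder values.
rem -ext SAN lists every address the server is reached by, so the
rem certificate is not tied to the single name in CN.
rem No -storepass/-keypass: keytool prompts for them, which keeps the
rem passwords out of this file and out of the command history.
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 ^
  -keystore %KS% ^
  -dname "CN=10.1.25.250, OU=Example Unit, O=Example Org, L=Example City, ST=Example Province, C=CN" ^
  -ext SAN=ip:10.1.25.250,ip:192.168.1.250 ^
  -validity 36500 -v
if errorlevel 1 exit /b 1

rem Print the new entry. Check the Owner line, the validity dates and
rem the SubjectAlternativeName extension before pointing Tomcat at it.
keytool -list -v -alias tomcat -keystore %KS%
if errorlevel 1 exit /b 1

rem Export the public certificate for installation on clients (step 10).
keytool -export -alias tomcat -file %CER% -keystore %KS%
if errorlevel 1 exit /b 1
endlocal
```

If the server's address changes, delete the old keystore entry and rerun the file with the new CN and SAN values, then reinstall the exported file.cer on the clients.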
Tomcat Configuration HTTPS mode