This is my first blog post; I hope you will support it. If you find something wrong, please correct me. I write this blog only so that I can find things again conveniently.
Generate a digital certificate with the keytool that ships with the JDK.
Step one: generate the key pair
Before that, take a look at keytool's help. Press Win+R, type cmd, and run the following command:
keytool -genkey -help
which prints the following (genkey is an alias for genkeypair):
D:\>keytool -genkey -help
keytool -genkeypair [OPTION]...
Generates a key pair
Options:
 -alias <alias>                  alias name of the entry to process
 -keyalg <keyalg>                key algorithm name
 -keysize <keysize>              key bit size
 -sigalg <sigalg>                signature algorithm name
 -destalias <destalias>          destination alias
 -dname <dname>                  distinguished name
 -startdate <startdate>          certificate validity start date/time
 -ext <value>                    X.509 extension
 -validity <valDays>             validity number of days
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password provided through protected mechanism
Use "keytool -help" for all available commands
Now generate the key:
keytool -genkey -alias alias -keyalg RSA -keysize 2048 -keypass 123456 -validity 36600 -keystore E:\key\m.jks -storepass 123456
The parameters correspond to the help above, so they are not described one by one. Two things are worth noting: -keypass and -storepass are deliberately the same, because the Tomcat connector configured later only specifies keystorePass and uses it for the private key as well; and -validity 36600 is a hundred years, which is fine for a self-signed test certificate but far longer than anything a public CA would issue, so shorten it for anything that leaves the lab. The password itself will end up in clear text in server.xml, so pick a real one rather than 123456.
After you enter the command above, keytool asks the following:
What is your first and last name?
[Unknown]: Enter the host name clients will use here: the IP address, or the domain name if the server has one. Browsers check the certificate's subjectAltName rather than the CN, so for anything more than a quick test also pass -ext SAN=ip:<address> or -ext SAN=dns:<name> to keytool -genkey. The remaining questions can be answered with anything.
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=172.168.11.188, OU=x, O=x, L=x, ST=x, C=x correct?
[no]: y
This last prompt asks you to confirm the information above; answer y if it is correct. Any other answer repeats the questions from the start.
After the command finishes, the keystore E:\key\m.jks has been created in the key folder on drive E. It holds the private key, so keep it on the server only.
Step two: export the certificate
Command:
keytool -export -alias alias -keystore E:\key\m.jks -file E:\key\m.crt -storepass 123456
When it finishes you get the prompt: Certificate stored in file <E:\key\m.crt>
The exported certificate m.crt is now in E:\key. It contains only the public key and the self-signature, so it is safe to hand to clients; the private key stays in m.jks.
Step three: import the certificate on the client
Command:
keytool -import -keystore %JAVA_HOME%\jre\lib\security\cacerts -file E:\key\m.crt -alias alias
After running it:
Enter keystore password: the password of the JDK's cacerts store is changeit. If there is no cacerts file under %JAVA_HOME%\jre\lib\security\, keytool creates a new store and the password you type (again changeit, for consistency) becomes its password. On JDK 9 and later there is no jre directory; the file is %JAVA_HOME%\lib\security\cacerts. Bear in mind that importing into cacerts makes every Java program run with that JDK trust this certificate; for a single client it is cleaner to import into a separate truststore and point the client at it with -Djavax.net.ssl.trustStore. Once the password is accepted, keytool prints the certificate:
Owner: CN=172.168.11.188, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=172.168.11.188, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 402163bd
Valid from: Fri 16:53:06 CST 2017 until: Tue May 16:53:06 CST 2117
Certificate fingerprints:
MD5: A8:ED:C3:13:24:F5:D9:7E:E1:AF:B0:BB:B4:8C:EA:EA
SHA1: 6B:69:79:1A:B0:AD:46:E2:98:74:FF:79:22:E6:A4:7B:7F:4E:9D:19
SHA256: B3:23:F5:DD:6E:42:A4:14:CF:6A:9D:83:43:7A:9E:FA:B1:69:24:E5:15:DD:A5:97:BB:94:A5:A9:29:8D:2D:BE
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 1F B0 5C 94 BF D3 C5 D3 D0 CB BB ...\.w.4.B...
0010: CE A1 94 D1 ....
]
]
Trust this certificate? [no]: y
Certificate was added to keystore
Owner and Issuer are identical because the certificate is self-signed, which is also why browsers will warn about it. Before answering y, compare the SHA256 fingerprint with the one keytool -printcert -file E:\key\m.crt shows on the server, so that you are trusting the file you actually exported and not one swapped in transit.
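The three keytool steps above collected into one script, as an added example that is not part of the original post. It fills the distinguished name from the command line instead of the interactive prompts, adds a subjectAltName so browsers that ignore the CN accept the host, exports the certificate in PEM form, imports it into a dedicated truststore rather than the JDK's cacerts, and checks that the SAN really carries the host. It is written for a POSIX shell (on Windows run it from Git Bash or transcribe the commands into cmd); the host, file names and passwords are placeholders, and the 825-day validity is an assumption chosen in place of the 36600 days used above.

```sh
#!/bin/sh
# Added example: self-signed server certificate with keytool, one function per step.
# Every name below (host, paths, passwords) is a placeholder, not a value from the post.
set -eu

HOST="${HOST:-172.168.11.188}"                       # the name clients type in the URL
KEYSTORE="${KEYSTORE:-m.jks}"                        # server keystore for Tomcat's keystoreFile
TRUSTSTORE="${TRUSTSTORE:-client-truststore.jks}"    # client-side truststore, not cacerts
CERT="${CERT:-m.crt}"
ALIAS="${ALIAS:-alias}"
STOREPASS="${STOREPASS:-123456}"                     # Tomcat reads keystorePass only, so keypass == storepass

# SAN entry: an IP literal needs the ip: form, a host name the dns: form
san_for() {                                          # usage: san_for host-or-ip
  case "$1" in
    *[!0-9.]*) printf 'dns:%s' "$1" ;;
    *)         printf 'ip:%s' "$1" ;;
  esac
}

# Step 1: key pair + self-signed certificate, non-interactive (-dname replaces the prompts)
gen_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 825 \
    -dname "CN=$HOST, OU=x, O=x, L=x, ST=x, C=CN" \
    -ext "SAN=$(san_for "$HOST")" -ext "EKU=serverAuth" \
    -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: export the certificate; -rfc writes PEM, which openssl and browsers read as well
export_cert() {
  keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -rfc -file "$CERT"
}

# Step 3: import into a dedicated truststore. Point a Java client at it with
#   -Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$STOREPASS
import_cert() {
  keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT" \
    -keystore "$TRUSTSTORE" -storetype JKS -storepass "$STOREPASS"
}

# Check: the host must appear inside the SubjectAlternativeName extension, not only in the CN
cert_has_san() {                                     # usage: cert_has_san host-or-ip
  keytool -printcert -file "$CERT" |
    awk -v h="$1" '/SubjectAlternativeName/ { f = 1 } f && index($0, h) { found = 1 } END { exit !found }'
}

# Usage: HOST=www.example.com STOREPASS='a real password' sh thisfile.sh; then
#   gen_keypair && export_cert && import_cert && cert_has_san "$HOST"
```

Run the four functions in order; gen_keypair fails if the keystore already contains the alias, which is the behaviour you want rather than silently overwriting a key. The truststore created by import_cert is what the client should use; nothing is written into cacerts.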
Step four: configure the Tomcat connector
Open server.xml in the conf folder of the Tomcat directory and find:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"/>
Add the following after it:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="E:\key\m.jks"
           keystorePass="123456"
           keyAlias="alias"
           keystoreType="JKS"/>
keystoreFile is the path of the keystore generated in step one, keystorePass is the password given to -storepass, and keyAlias is the alias you chose (keep it consistent with -alias, otherwise Tomcat cannot find the key). Attribute names are case-sensitive: SSLEnabled, keystoreFile and the others must be written exactly as shown. Because the keystore password sits in server.xml in clear text, restrict read access to that file to the account Tomcat runs as. On Tomcat 8.5 and later these attributes still work, although the documentation now prefers a nested <SSLHostConfig><Certificate .../></SSLHostConfig> element.
That is all. Start Tomcat and open https://<the name you entered as first and last name>:8443/ in a browser; it shows a warning page because the certificate is self-signed.
Click "Continue to this website" and the Tomcat home page appears.
Next, configure HTTP to switch to HTTPS automatically:
1. The HTTPS connector
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="E:\key\selfissue.jks"
           keystorePass="123654"
           keyAlias="selfissue"
           keystoreType="JKS"/>
becomes
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="E:\key\selfissue.jks"
           keystorePass="123654"
           keyAlias="selfissue"
           keystoreType="JKS"/>
The only change is port="8443" to port="443", the default HTTPS port, so users can omit the port from the URL. (The keystore file, password and alias in this block belong to a different keystore than the one generated above; use the values of your own keystore.)
2. <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
becomes <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
3. <Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"/>
becomes
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"/>
redirectPort on every non-SSL connector must be the port the SSL connector actually listens on: it is where Tomcat sends a client whose plain-HTTP request hits a resource that the web.xml below marks CONFIDENTIAL. If you move the HTTPS connector but forget one redirectPort, that connector redirects to a port nobody is listening on.
4. In Tomcat's conf/web.xml, add the following just before the closing </web-app> tag:
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
It is the <security-constraint> that does the work: a <transport-guarantee> of CONFIDENTIAL on /* makes Tomcat answer every plain-HTTP request with a redirect to the redirectPort configured above. The <login-config> block is not needed for the redirect; CLIENT-CERT would only matter if a constraint also carried an <auth-constraint>, and with clientAuth="false" on the connector no client certificate is requested anyway. Note that conf/web.xml is the default for every web application deployed on this Tomcat; to force HTTPS for a single application, put the <security-constraint> in that application's WEB-INF/web.xml instead.
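A check for the server.xml changes in steps 1 to 3, as an added example that is not part of the original post: every non-SSL connector's redirectPort must name the port of the SSLEnabled connector, which is exactly the consistency that moving HTTPS from 8443 to 443 can break. The function below reads a server.xml with awk, skips commented-out connectors (the stock server.xml ships with a commented-out SSL connector on 8443, which would otherwise mask the mistake), and reports every redirectPort that points at a port no SSL connector listens on. The sample files are constructed here for illustration; the paths and the "changeme" password are placeholders.

```sh
#!/bin/sh
# Added example: verify that every redirectPort in server.xml points at an SSLEnabled connector.
# Exit status 0 = consistent, 1 = at least one dangling redirect. The sample XML is constructed.

check_redirect_ports() {                 # usage: check_redirect_ports /path/to/server.xml
  awk 'BEGIN { RS = ">"; bad = 0 }       # RS=">" yields one XML tag per record
    incomment { if ($0 ~ /--$/) incomment = 0; next }      # still inside <!-- ... -->
    /<!--/    { if ($0 !~ /--$/) incomment = 1; next }     # comment that spans a ">"
    /<Connector/ {
      port = ""; rport = ""
      if (match($0, /port="[0-9]+"/))         port  = substr($0, RSTART + 6,  RLENGTH - 7)
      if (match($0, /redirectPort="[0-9]+"/)) rport = substr($0, RSTART + 14, RLENGTH - 15)
      if ($0 ~ /SSLEnabled="true"/) ssl[port] = 1          # ports that really serve TLS
      else if (rport != "")         redirects[port] = rport
    }
    END {
      for (p in redirects)
        if (!(redirects[p] in ssl)) {
          printf "connector %s redirects to %s, but no SSLEnabled connector listens on %s\n",
                 p, redirects[p], redirects[p]
          bad = 1
        }
      exit bad
    }' "$1"
}

# Constructed sample server.xml. "fixed" is the state after steps 1-3; "broken" is the state
# after step 1 alone: HTTPS moved to 443 while HTTP and AJP still redirect to 8443, and the
# stock commented-out 8443 connector is present to tempt a naive grep.
write_sample() {                         # usage: write_sample /path/to/file fixed|broken
  if [ "$2" = fixed ]; then rp=443; else rp=8443; fi
  cat > "$1" <<EOF
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="$rp"/>
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="m.jks" keystorePass="changeme" keyAlias="alias"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="$rp"/>
  </Service>
</Server>
EOF
}

# Demo when run as "sh thisfile.sh demo": shows the dangling redirects of the broken sample
if [ "${1:-}" = demo ]; then
  f=$(mktemp); write_sample "$f" broken
  check_redirect_ports "$f" || echo "server.xml needs fixing"
  rm -f "$f"
fi
```

Run check_redirect_ports against the real conf/server.xml after editing; an empty output with exit status 0 means every redirect lands on a TLS port. The check only looks at ports, so it does not replace testing the redirect in a browser, but it catches the one-connector-forgotten mistake before Tomcat is restarted.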
Now request the site over plain HTTP and press Enter; the browser is redirected and the HTTPS page appears.
Tomcat is now configured for HTTPS with one-way (server only) authentication, and HTTP requests are automatically redirected to HTTPS.