Configuring Tomcat to automatically redirect HTTP access to HTTPS


I. Generate the server-side certificate file

The certificate file can be generated on either a Windows or a Linux system.

(1) Windows

Prerequisite: the JDK is installed.

Steps:

1. Enter cmd in the Run dialog to open a command window.

2. Change to the JDK bin directory, for example D:/program files/java/jdk1.6.0/bin.

3. Run the command:

    keytool -genkey -alias tomcat -keyalg RSA -keystore E:\tomcat.keystore -validity 36500

   Parameters in brief: "E:\tomcat.keystore" saves the certificate file on the E drive under the name tomcat.keystore; "-validity 36500" is the certificate validity period in days, so 36500 means 100 years. The default value is 90 days.

4. Fill in the required parameters at the prompts:

   A. Enter keystore password: enter a string longer than 6 characters.

   B. "What is your first and last name?": this is required and must be the domain name or IP of the host where Tomcat is deployed (such as gbcom.com or 10.1.25.251), that is, the address you will type into the browser.

   C. "What is your organizational unit name?", "What is your organization name?", "What is your city or region name?", "What is the name of your state or province?", "What is the two-letter country code for this unit?": fill these in as needed, or press Enter to leave them empty. When the system asks "correct?", check the information you entered; enter "y" if it is what you want, otherwise enter "n" to fill in the information again.

   D. Enter the key password for <tomcat>: this one is important because it is used in the Tomcat configuration file. Using the same value as the keystore password is recommended, but a different password also works.

5. After completing the input above, press Enter. The generated file is in the location you specified with -keystore.

(2) Linux

Prerequisite: the JDK is installed.

Steps:

1. Change to the JDK bin directory, for example /root/oracle/middleware/jdk160_11/bin.

2. Run the command:

    ./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat.keystore -validity 36500

   Parameters in brief: "/usr/local/tomcat.keystore" saves the certificate file under the path /usr/local/ with the name tomcat.keystore; "-validity 36500" is the certificate validity period in days, so 36500 means 100 years. The default value is 90 days.

3. Fill in the required parameters at the prompts:

   A. Enter keystore password: enter a string longer than 6 characters.

   B. "What is your first and last name?": this is required and must be the domain name or IP of the host where Tomcat is deployed (such as gbcom.com or 10.1.25.251), that is, the address you will type into the browser.

   C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?", "What is the two-letter country code for this unit?": fill these in as needed, or press Enter to leave them empty. When the system asks "correct?", enter "y" if the information is what you want, otherwise enter "n" to fill in the information again.

   D. Enter key password for <tomcat>: this one is important because it is used in the Tomcat configuration file. Using the same value as the keystore password is recommended, but a different password also works.

4. After completing the input above, press Enter. The generated file is in the location you defined in the second step.

II. Configure the Tomcat server

(1) If the certificate file was generated in a Windows environment, copy the generated tomcat.keystore to the location Tomcat will reference. Assuming the certificate path used by the Tomcat application is "E:/tomcat.keystore", copy the certificate file to the E drive.

(2) Open the Tomcat configuration file, for example D:/apache-tomcat-6.0.29/conf/server.xml, and modify it as follows.

Original HTTP connector:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

Change it to:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

Original SSL connector (commented out):

    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

Remove the comment markers and change it to:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="E:/tomcat.keystore" keystorePass="123456789" />

Note: the two added parameters, keystoreFile and keystorePass, are respectively the location of the certificate file and the key password for <tomcat> that was set while generating the certificate file.

Original AJP connector:

    <!--
    <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" />
    -->

Change it to:

    <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />

(3) Open D:/apache-tomcat-6.0.29/conf/web.xml and add the following section after </welcome-file-list>:

    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

III. Restart Tomcat

Once the configuration above is complete, SSL is available after restarting Tomcat. An address entered in the IE address bar as "http://" automatically jumps to "https://".

IV. Notes

(1) If the clock on the machine running the IE client is earlier than the time at which the certificate was generated, or later than the end of its validity period, IE prompts "The security certificate has expired or has not yet taken effect".

(2) If IE prompts "the name on the security certificate is invalid or does not match the site name", the host domain name entered at "What is your first and last name?" when the certificate was generated is incorrect.

Causes of the problem in (2):

(1) If the AC host cannot be found through a domain name, an IP must be used. That IP is only known after configuration, so the certificate must be generated after the AC's IP address has been determined.

(2) The certificate file can be bound to only one IP address. Suppose the AC has the two IP addresses 10.1.25.250 and 192.168.1.250: if 10.1.25.250 is used when generating the certificate file, ac-web can only be accessed from IE through 10.1.25.250, and access to ac-web through 192.168.1.250 does not work.
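
The redirect only works when server.xml and web.xml agree with each other, so the following added example (not part of the original article) checks that every declared redirectPort points at an SSL-enabled connector, that the SSL connector names its keystore, and that web.xml carries the CONFIDENTIAL constraint. The function names and the embedded sample files are constructed for illustration; the AJP connector in the sample is deliberately left at 8443 to show a finding.

```python
import xml.etree.ElementTree as ET

# Constructed sample files mirroring the settings described in this article.
# The AJP connector still points at 8443 on purpose, to show a stale redirectPort.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="E:/tomcat.keystore" keystorePass="123456789"/>
  <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip an XML namespace, since real web.xml files usually declare one."""
    return tag.rsplit("}", 1)[-1]


def audit(server_xml, web_xml):
    """Return a list of findings; an empty list means the redirect chain is consistent."""
    findings = []
    connectors = [e.attrib for e in ET.fromstring(server_xml).iter("Connector")]
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    tls_ports = {c.get("port") for c in tls}
    for c in tls:
        if not c.get("keystoreFile") or not c.get("keystorePass"):
            findings.append(f"TLS connector {c.get('port')}: keystoreFile/keystorePass not set")
    for c in connectors:
        # Only connectors that declare a redirectPort are checked.
        if c not in tls and "redirectPort" in c and c["redirectPort"] not in tls_ports:
            findings.append(f"connector {c.get('port')}: redirectPort={c['redirectPort']} "
                            "has no SSL-enabled connector")
    guarantees = [e.text.strip() for e in ET.fromstring(web_xml).iter()
                  if local(e.tag) == "transport-guarantee" and e.text]
    if "CONFIDENTIAL" not in guarantees:
        findings.append("web.xml: no CONFIDENTIAL transport-guarantee, HTTP is not redirected")
    return findings


if __name__ == "__main__":
    for line in audit(SERVER_XML, WEB_XML) or ["redirect configuration is consistent"]:
        print(line)
```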
