HTTPS Introduction:
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP carried over a security-oriented channel; put simply, it is the secure version of HTTP. An SSL layer is inserted beneath HTTP, so the security of HTTPS rests on SSL, and the details of the encryption are those of SSL. It is a URI scheme whose syntax mirrors the http: scheme and is used for secure transfer of HTTP data. An https: URL indicates that HTTPS is in use; HTTPS uses a different default port than HTTP and adds an encryption/authentication layer between HTTP and TCP. Originally developed by Netscape, the system provides authenticated and encrypted communication and is now widely used for security-sensitive communication on the World Wide Web, such as payment transactions. (SSL has since been superseded by TLS, so in practice today's HTTPS is HTTP over TLS; the layering described here is unchanged.)
Differences from HTTP:
First, HTTPS requires a certificate issued by a CA. Free certificates are rare, so this generally costs money.
Second, HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is the SSL-encrypted, secure transfer protocol.
Third, HTTP and HTTPS use entirely different connection methods and different default ports: 80 for HTTP and 443 for HTTPS.
Fourth, an HTTP connection is very simple and stateless; HTTPS is the network protocol built from SSL plus HTTP, which encrypts the transmission and authenticates the server, and is therefore more secure than HTTP (the HTTP layer on top remains stateless).
SSL protocol:
SSL (Secure Sockets Layer) protocol
Developed by Netscape to secure data transmission over the Internet, SSL uses encryption to ensure that data is not intercepted or eavesdropped on while crossing the network. At the time, the generally available specification was the 40-bit security standard, while the United States had introduced a stronger 128-bit standard but restricted its export. IE 3.0 or later, or the Netscape browser, supports SSL.
Its final version is 3.0, which has since been replaced by TLS (SSL 3.0 itself is now considered insecure and is disabled in current browsers and servers). It was widely used for authentication and encrypted data transfer between web browsers and servers.
The SSL protocol sits between the TCP/IP protocol and the various application-layer protocols and is an international standard communication protocol for encryption and identity authentication. TCP provides a reliable end-to-end service; SSL on top of it provides confidentiality and integrity to the two communicating parties. The SSL protocol can be divided into two tiers:
SSL Record Protocol: built on a reliable transport protocol (e.g. TCP), it provides higher-level protocols with basic functions such as data encapsulation, compression and encryption.
SSL Handshake Protocol: built on the SSL Record Protocol, it is used before actual data transmission begins to authenticate the peers, negotiate the encryption algorithm and exchange encryption keys.
How to configure:
1. Generate the server-side certificate file
Either a Windows or a Linux system can be used.
(1) Windows
Prerequisite: JDK installed.
Steps: enter the %JAVA_HOME%\bin directory and execute:
keytool -genkey -alias tomcat -keyalg RSA -keystore F:\tomcat.keystore -validity 36500
Parameter notes: "-keystore F:\tomcat.keystore" saves the certificate file on the F: drive with the file name tomcat.keystore; "-validity 36500" is the certificate validity period in days (36500 is 100 years; the default is 90 days). Note that this command produces a self-signed certificate, so browsers will warn about it unless it is imported into their trust store or replaced by a CA-issued one, and it contains no subjectAltName; current browsers match the host name only against a subjectAltName, so add "-ext SAN=dns:gbcom.com,ip:10.1.25.251" (with your own host name and IP) when generating the key.
Then fill in the prompts at the command line:
A. Enter keystore password: a string of at least 6 characters.
B. "What is your first and last name?": required. This becomes the certificate's CN and must be the domain name or IP of the host on which Tomcat is deployed (e.g. gbcom.com or 10.1.25.251), i.e. the address you will enter in the browser.
C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?", "What is the two-letter country code for this unit?": fill in as needed, or press Enter to leave blank. When the system asks "Is ... correct?", type "y" if so, otherwise "n" to re-enter the information.
D. Enter key password for <tomcat>: this is important, as it will be used in the Tomcat configuration file. Entering the same password as the keystore is recommended (Tomcat's keystorePass attribute is also used for the private key unless keyPass is set separately); a different one may be set. After completing the above, the generated file is found at the location given in the -keystore parameter.
(2) Linux
Prerequisite: JDK installed.
Steps: enter the $JAVA_HOME/bin directory and execute:
./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/ac/web/tomcat.keystore -validity 36500
Parameter notes: "-keystore /usr/local/ac/web/tomcat.keystore" saves the certificate file under the path /usr/local/ac/web/ with the file name tomcat.keystore; "-validity 36500" is the certificate validity period in days (36500 is 100 years; the default is 90 days).
Then fill in the prompts at the command line, which are the same as on Windows:
A. Enter keystore password: a string of at least 6 characters.
B. "What is your first and last name?": required. This becomes the certificate's CN and must be the domain name or IP of the host on which Tomcat is deployed (e.g. gbcom.com or 10.1.25.251), i.e. the address you will enter in the browser.
C. "What is the name of your organizational unit?", "What is the name of your organization?", "What is the name of your City or Locality?", "What is the name of your State or Province?", "What is the two-letter country code for this unit?": fill in as needed, or press Enter to leave blank. When the system asks "Is ... correct?", type "y" if so, otherwise "n" to re-enter the information.
D. Enter key password for <tomcat>: this is important, as it will be used in the Tomcat configuration file. Entering the same password as the keystore is recommended; a different one may be set. After completing the above, the generated file is found at the location given in the -keystore parameter.
2. Configure the Tomcat server
(1) If the certificate file was generated on Windows, copy the generated tomcat.keystore to the location Tomcat will reference. Assuming the path Tomcat uses for the certificate is "/etc/tomcat.keystore", copy the certificate file to "/etc/". If the certificate was generated on Linux by the steps above, it is under /usr/local/ac/web/; either move it to /etc/ or pass "-keystore /etc/tomcat.keystore" to keytool in the first place. The keystore holds the server's private key, so make it readable only by the user Tomcat runs as (for example chown to that user and chmod 600).
(2) Configure Tomcat: open $CATALINA_HOME/conf/server.xml and change the following.
Original:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
Modified parameters (port 80 for HTTP, as stated above, and redirectPort 443 for HTTPS):
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
Original (commented out by default):
<!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
Remove the comment markers and modify the parameters:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/tomcat.keystore" keystorePass="www.gbcom.com.cn"/>
Note: the two parameters keystoreFile and keystorePass are the location of the certificate file and the <tomcat> password set during certificate generation. Because this password is stored in clear text in server.xml, restrict read access to server.xml (and to the keystore) to the Tomcat user. On Linux, binding to ports 80 and 443 requires root or the CAP_NET_BIND_SERVICE capability; the alternative is to keep 8080/8443 and put a reverse proxy in front. On current Tomcat releases, also set sslEnabledProtocols="TLSv1.2,TLSv1.3" rather than relying on the bare "TLS" value, which otherwise lets the JVM offer whatever older protocol versions it still supports.
AJP connector, original:
<!-- <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443"/> -->
Modified parameters:
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443"/>
Only uncomment the AJP connector if a front-end (for example Apache httpd via mod_jk or mod_proxy_ajp) actually uses it; otherwise leave it commented out so that port 8009 is not exposed.
(3) Open $CATALINA_HOME/conf/web.xml.
2. Force HTTPS access
Add the following after </welcome-file-list> in $CATALINA_HOME/conf/web.xml (i.e. near the end of the file):
<login-config>
  <!-- Authorization setting for SSL -->
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
  <!-- Authorization setting for SSL -->
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Note: the <security-constraint> with transport-guarantee CONFIDENTIAL on /* is what makes Tomcat redirect a plain-HTTP request to the connector's redirectPort. The <login-config> block is not needed for that redirect, and because no <auth-constraint> is declared it does not require client certificates either (clientAuth="false" on the connector means none are requested).
3. After completing the above configuration and restarting Tomcat, SSL is in use. In the browser address bar you can enter the address without a scheme, or with "http://": the request is redirected to "https://".
4. Precautions:
(1) If the browser reports "The security certificate has expired or is not yet valid", the client machine's clock is earlier than the start of the certificate's validity period or later than its end.
(2) If the browser reports "The name on the security certificate is invalid or does not match the name of the site", the host name entered at "What is your first and last name?" during certificate generation does not match the address being accessed.
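The two warnings above are the checks a browser runs on the server certificate. As an added example (not from the original page), the following Python script performs those two checks on the certificate dictionary that Python's own ssl module returns from SSLSocket.getpeercert(). The two certificates in it are constructed sample data; the host name and IP (gbcom.com, 10.1.25.251) are the ones this page uses. It also covers the certificate the page's keytool command actually produces, one with only a CN and no subjectAltName, which older browsers accept but current ones reject for any name not listed in a SAN.

```python
"""Reproduce the two certificate errors listed under Precautions.

Added example, not part of the original page: it takes the certificate dict
that Python's ssl.SSLSocket.getpeercert() returns and checks, the way a
browser does, (1) whether the client's clock falls inside the certificate's
validity window and (2) whether the host typed into the address bar matches
the certificate's subjectAltName or, failing that, its CN. Both certificate
dicts below are constructed sample data, not real certificates.
"""
import ipaddress
import ssl
import time
from typing import Dict, List, Optional, Tuple

# Constructed: what getpeercert() would return for a certificate issued with a
# subjectAltName covering gbcom.com, its subdomains and the IP 10.1.25.251.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "gbcom.com"),),),
    "subjectAltName": (
        ("DNS", "gbcom.com"),
        ("DNS", "*.gbcom.com"),
        ("IP Address", "10.1.25.251"),
    ),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2110 GMT",
}

# Constructed: a certificate like the one the keytool command on this page
# produces, i.e. only a CN and no subjectAltName at all.
KEYTOOL_CN_ONLY_CERT: Dict = {
    "subject": ((("commonName", "gbcom.com"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2110 GMT",
}


def validity_error(cert: Dict, now: float) -> Optional[str]:
    """Error (1): the client clock is outside [notBefore, notAfter]."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "certificate is not yet valid (client clock is before notBefore)"
    if now > not_after:
        return "certificate has expired (client clock is after notAfter)"
    return None


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; a leading '*' covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def certificate_names(cert: Dict) -> List[Tuple[str, str]]:
    """Names the certificate is valid for: the SAN entries, or the CN only
    when there are no DNS SANs (modern browsers ignore the CN otherwise)."""
    names = [(kind, value) for kind, value in cert.get("subjectAltName", ())
             if kind in ("DNS", "IP Address")]
    if not any(kind == "DNS" for kind, _ in names):
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(("CN", value))
    return names


def name_error(cert: Dict, host: str) -> Optional[str]:
    """Error (2): the host in the address bar matches none of the names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in certificate_names(cert):
        if ip is not None:
            # An IP literal must appear as an IP SAN; a keytool-style CN holding
            # the IP (as this page suggests) only counts via the CN fallback.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return None
            if kind == "CN" and value == host:
                return None
        elif kind in ("DNS", "CN") and _dns_name_matches(value, host):
            return None
    return "name on the certificate does not match the site name %r" % host


def check_site(cert: Dict, host: str, now: Optional[float] = None) -> List[str]:
    """Browser-style error messages for visiting `host` with `cert`;
    an empty list means the browser would show no certificate warning."""
    if now is None:
        now = time.time()
    errors = [validity_error(cert, now), name_error(cert, host)]
    return [e for e in errors if e is not None]


if __name__ == "__main__":
    clock_2020 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2020 GMT")
    for cert, host in ((SAMPLE_CERT, "www.gbcom.com"),
                       (SAMPLE_CERT, "10.1.25.251"),
                       (KEYTOOL_CN_ONLY_CERT, "www.gbcom.com")):
        print(host, "->", check_site(cert, host, clock_2020) or "OK")
    # A client whose clock is set to the year 2000 trips error (1).
    print(check_site(SAMPLE_CERT, "gbcom.com",
                     ssl.cert_time_to_seconds("Jan  1 00:00:00 2000 GMT")))
```

To check a real deployment, export the certificate with "keytool -exportcert -rfc -alias tomcat -keystore /etc/tomcat.keystore", load that PEM into an SSLContext with load_verify_locations(), connect, and pass the connected socket's getpeercert() dict to check_site(). The self-signed certificate must be trusted first: for a certificate that was not validated, getpeercert() returns an empty dict rather than the names and dates.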
Configuring HTTPS on Tomcat and automatically redirecting HTTP access to HTTPS