linux下tomcat ssl配置

来源：互联网发布：sql语句执行顺序编辑：程序博客网时间：2024/05/21 11:13

1.配置的是Tomcat 7 的JSSE Connector

<Connector port="8443" protocol="HTTP/1.1"  SSLEnabled="true"               maxThreads="150" scheme="https" secure="true"               clientAuth="false"    keystoreFile="server.jks"   keystorePass="123456"    sslProtocol="TLS" />

2.配置的是Tomcat 7 的arp Connector

org.apache.catalina.core.AprLifecycleListener init 信息: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:

* APR library
所需软件包：http://apr.apache.org/download.cgi
-- apr-1.5.1.tar.gz
-- apr-util-1.5.3.tar.gz
-- apr-iconv-1.2.1.tar.gz
-- tomcat-native.tar.gz //tomcat/bin 目录自带
* OpenSSL libraries openssl 可以用 yum install openssl-devel

所需软件包：http://apr.apache.org/download.cgi
-- apr-1.5.1.tar.gz
-- apr-util-1.5.3.tar.gz
-- apr-iconv-1.2.1.tar.gz
-- tomcat-native.tar.gz //tomcat/bin 自带
(1)安装apr

# tar zxvf apr-1.5.1.tar.gz # cd apr-1.5.1# ./configure --prefix=/usr/java/apr# make# make install

*apr 默认安装在 /usr/local/apr
(2)安装apr-iconv

# tar -zxvf apr-iconv-1.2.1.tar.gz# cd apr-iconv-1.2.1# ./configure --prefix=/usr/java/apr-iconv --with-apr=/usr/java/apr# make# make install

(3)安装apr-util

# tar zxvf apr-util-1.5.3.tar.gz# cd apr-util-1.5.3# ./configure --prefix=/usr/java/apr-util  --with-apr=/usr/java/apr --with-apr-iconv=/usr/java/apr-iconv/bin/apriconv# make# make install

(4)安装tomcat-native

# tar zxvf tomcat-native.tar.gz # cd tomcat-native/jni/native   # ./configure --with-apr=/usr/java/apr --with-java-home=/usr/java/jdk1.6.0_45# make  # make install

(5)设置 apr 的环境变量

# vi /etc/profile   #后面添加以下内容   export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib   #. /etc/profile

* OpenSSL libraries openssl 可以用 yum install openssl-devel

Connector attribute SSLCertificateFile must be defined when using SSL with APR

tomcat6.0默认使用JSSE实现，而7.0默认使用APR实现，修改如下

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"  SSLEnabled="true"               maxThreads="150" scheme="https" secure="true"               clientAuth="false"    keystoreFile="server.jks"   keystorePass="123456"    sslProtocol="TLS" />

启动 tomcat 后，看日志，有如下：

Sep 4, 2014 3:19:36 PM org.apache.catalina.core.AprLifecycleListener initINFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.Sep 4, 2014 3:19:36 PM org.apache.catalina.core.AprLifecycleListener initINFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].Sep 4, 2014 3:19:36 PM org.apache.catalina.core.AprLifecycleListener initializeSSLINFO: OpenSSL successfully initialized (OpenSSL 1.0.1e-fips 11 Feb 2013)Sep 4, 2014 3:19:36 PM org.apache.coyote.AbstractProtocol initINFO: Initializing ProtocolHandler ["http-apr-80"]Sep 4, 2014 3:19:36 PM org.apache.coyote.AbstractProtocol initINFO: Initializing ProtocolHandler ["http-bio-443"]Sep 4, 2014 3:19:37 PM org.apache.coyote.AbstractProtocol initINFO: Initializing ProtocolHandler ["ajp-apr-8009"]Sep 4, 2014 3:19:37 PM org.apache.catalina.startup.Catalina loadINFO: Initialization processed in 1139 ms

将上述port="8443"配置改为port="443"，可以通过https://localhost/直接访问

应用程序HTTP自动跳转到HTTPS,在应用程序中web.xml中加入：

<login-config>        <!-- Authorization setting for SSL -->        <auth-method>CLIENT-CERT</auth-method>        <realm-name>Client Cert Users-only Area</realm-name>     </login-config><security-constraint><web-resource-collection >   <web-resource-name >SSL</web-resource-name>   <url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint>  <transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint>

0 0