Setting up HTTPS for Tomcat 7 on CentOS 7.2

Source: Internet   Published under: personal-profile HTML source   Editor: 程序博客网   Time: 2024/06/02 00:34

Implementing HTTPS on Tomcat

1. Apply for a certificate. Here a Tencent Cloud certificate is used:

https://www.qcloud.com/document/product/214/6989

The downloaded certificate bundle contains the following three directories; only the nginx directory is needed here.

 

Note: if you entered a private-key password when applying for the certificate, the download includes a Tomcat folder containing the keystore www.domain.com.jks. If no private-key password was entered, no Tomcat certificate file is offered for download and you must convert the format yourself: a jks keystore can be generated from the certificate file and private-key file in the Nginx folder with the conversion tool at https://www.trustasia.com/tools/cert-converter.htm. When using the tool, be sure to set a keystore password; it has to be entered in the configuration file when the certificate is installed.

 

2. Convert the certificate

1) Open the tool at https://www.trustasia.com/tools/cert-converter.htm

2) Fill in the required information

 

3) After submitting, the result is saved as a jks file, as shown below
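The conversion step above sends the certificate and its private key to a third-party web form. The same conversion can be done on the server itself with openssl, so the private key never leaves the host. The script below is an added example and is not part of the original post or of any tool it names: it builds a PKCS#12 keystore from the Nginx-folder certificate and key (Tomcat loads that directly with keystoreType="PKCS12"), verifies that it opens with the chosen password, and optionally converts it to the .jks form the post's server.xml expects when keytool is installed. The file names, the "tomcat" alias and the passwords are placeholders, and the self-signed pair generated at the start is constructed test input standing in for the real files.

```shell
#!/bin/sh
# Added example, not from the original post: build the Tomcat keystore locally
# with openssl so the private key from the Nginx folder never leaves the server.
# File names, the "tomcat" alias and the passwords below are placeholders.
set -eu

# Constructed test input: a throwaway self-signed cert/key pair standing in for
# the certificate and private-key files found in the Nginx folder.
gen_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Bundle certificate + private key (+ optional CA chain file) into a PKCS#12
# keystore; Tomcat loads it directly with keystoreType="PKCS12".
# usage: make_pkcs12_keystore CERT KEY OUT PASSWORD [CHAIN]
make_pkcs12_keystore() {
    cert=$1; key=$2; out=$3; pass=$4; chain=${5:-}
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -name tomcat -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" \
            -name tomcat -out "$out" -passout "pass:$pass"
    fi
    chmod 600 "$out"   # the keystore contains the private key: owner-only access
}

# Exit 0 if the keystore opens with PASSWORD, non-zero otherwise (wrong password,
# corrupt file), so a deploy script can fail before Tomcat is restarted.
verify_keystore() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Optional: produce the .jks form the post's server.xml expects, if keytool is
# available. Passing the password on the command line is for brevity only.
to_jks() {
    src=$1; dst=$2; pass=$3
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; keep the PKCS12 file" >&2; return 0; }
    keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$dst" -deststoretype JKS -deststorepass "$pass"
    chmod 600 "$dst"
}

# Demo on the constructed input.
work=$(mktemp -d)
gen_test_cert "$work"
make_pkcs12_keystore "$work/cert.pem" "$work/key.pem" "$work/tomcat.p12" "example-store-pass"
verify_keystore "$work/tomcat.p12" "example-store-pass" && echo "keystore OK: $work/tomcat.p12"
```

For a real certificate, call make_pkcs12_keystore with the certificate and key from the Nginx folder and pass the CA bundle as the fifth argument so the intermediate chain is served too. If an older JDK's keytool rejects a PKCS#12 file produced by OpenSSL 3, add `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1` to the export command to fall back to the legacy algorithms.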

 

 

3. Configure Tomcat

1) Compile and install Tomcat; the process is omitted here

2) Start Tomcat

[root@tomcat ~]# startup.sh

Using CATALINA_BASE:   /usr/local/tomcat7

Using CATALINA_HOME:   /usr/local/tomcat7

Using CATALINA_TMPDIR: /usr/local/tomcat7/temp

Using JRE_HOME:        /usr/local/java

Using CLASSPATH:       /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar

Tomcat started.

[root@tomcat ~]# netstat -anpt | grep 8080

tcp       12      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      12908/java          

tcp       63      0 10.204.208.148:8080     10.59.162.40:29867      ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.53.70.111:18198      ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.53.82.77:44834       ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.53.80.145:15040      ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.53.82.76:53481       ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.53.80.144:38620      ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.53.70.47:11920       ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.53.70.46:39743       ESTABLISHED -                   

tcp       63      0 10.204.208.148:8080     10.59.162.43:40177      ESTABLISHED -                   

3) Edit server.xml and change the following (the parts that were highlighted in red in the original)

[root@tomcat ~]# vim /usr/local/tomcat7/conf/server.xml

<Connector port="8080" protocol="HTTP/1.1"

               connectionTimeout="20000"

               redirectPort="443" />  # the redirectPort here must match the port of the HTTPS connector below

 

# The following block has to be added by hand

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https"

               secure="true" clientAuth="false" sslProtocol="TLS"

               keystoreFile="/usr/local/tomcat7/conf/nginx.zhouzhuorong.com.jks"  keystorePass="123456"/>

Note:

keystoreFile: path to the certificate keystore file

keystorePass: the password entered when the jks file was generated

 

<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />

4) Edit web.xml and append the following at the end of the file to force Tomcat to be accessed over HTTPS

<login-config>

    <auth-method>CLIENT-CERT</auth-method>

    <realm-name>Client Cert Users-only Area</realm-name>

</login-config>

<security-constraint>

    <web-resource-collection>

        <web-resource-name>SSL</web-resource-name>

        <url-pattern>/*</url-pattern>

    </web-resource-collection>

    <user-data-constraint>

        <transport-guarantee>CONFIDENTIAL</transport-guarantee>

    </user-data-constraint>

</security-constraint>
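The transport-guarantee of CONFIDENTIAL above makes Tomcat answer plain-HTTP requests with a redirect to the HTTP connector's redirectPort, so the note that redirectPort must match the HTTPS connector's port is what makes the whole setup work. The script below is an added example, not from the original post: it checks a server.xml before the restart, confirming that every redirectPort points at the SSL-enabled connector, that the keystoreFile exists and is readable only by its owner, and warning when sslEnabledProtocols is not pinned (sslProtocol="TLS" alone leaves the version list to the JVM default, which on older JDKs still includes TLSv1.0). The server.xml files it writes are constructed test input modelled on the post's connectors; the keystore path and keystorePass in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Tomcat 7 server.xml
# before restarting. Verifies that every plain connector's redirectPort points at
# the SSL-enabled connector's port, that the keystoreFile exists and is owner-only,
# and warns when sslEnabledProtocols is not pinned. The server.xml files written
# by write_sample_config are constructed test input.
set -u

# Emit each <Connector ...> element on a single line so attributes can be grepped.
connectors() {
    tr '\n' ' ' < "$1" | awk '{ gsub(/<Connector/, "\n<Connector"); print }' \
        | grep '^<Connector' || true
}

# Read connector lines on stdin, print the value of attribute $1.
# The leading [[:space:]] keeps port= from matching redirectPort=.
attr_of() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

ssl_connector() {
    connectors "$1" | grep 'SSLEnabled="true"' | head -n 1
}

# Every connector that carries a redirectPort must point at the SSL connector.
check_redirect_ports() {
    f=$1
    ssl_port=$(ssl_connector "$f" | attr_of port)
    [ -n "$ssl_port" ] || { echo "FAIL: no SSLEnabled connector in $f"; return 1; }
    bad=$(connectors "$f" | grep -v 'SSLEnabled="true"' | grep 'redirectPort=' \
          | grep -v "redirectPort=\"$ssl_port\"" || true)
    [ -z "$bad" ] || { echo "FAIL: redirectPort does not match SSL port $ssl_port:"; echo "$bad"; return 1; }
    echo "OK: all redirectPort values point at $ssl_port"
}

# The keystore holds the private key: it must exist and be readable only by the
# Tomcat user (mode 600 or 400).
check_keystore() {
    ks=$(ssl_connector "$1" | attr_of keystoreFile)
    [ -n "$ks" ] || { echo "FAIL: SSL connector has no keystoreFile"; return 1; }
    [ -f "$ks" ] || { echo "FAIL: keystore $ks not found"; return 1; }
    mode=$(stat -c %a "$ks" 2>/dev/null || stat -f %Lp "$ks")
    case "$mode" in
        600|400) echo "OK: keystore $ks mode $mode" ;;
        *) echo "FAIL: keystore $ks mode $mode, expected 600"; return 1 ;;
    esac
}

# sslProtocol="TLS" alone leaves the protocol list to the JVM default; the
# connector should pin it with sslEnabledProtocols.
check_protocols() {
    if ssl_connector "$1" | grep -q 'sslEnabledProtocols='; then
        echo "OK: sslEnabledProtocols is set"
    else
        echo "WARN: sslEnabledProtocols not set on the SSL connector"; return 1
    fi
}

audit() { rc=0; check_redirect_ports "$1" || rc=1; check_keystore "$1" || rc=1; check_protocols "$1" || rc=1; return $rc; }

# Constructed server.xml modelled on the post's three connectors.
# usage: write_sample_config OUT REDIRECT_PORT KEYSTORE [EXTRA_SSL_ATTRS]
write_sample_config() {
    cat > "$1" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="$2" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS" ${4:-}
               keystoreFile="$3" keystorePass="change-me-placeholder" />
    <Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>
EOF
}

# Demo: a config as on the page (no sslEnabledProtocols), a hardened one, and one
# whose HTTP connector redirects to the wrong port.
work=$(mktemp -d)
: > "$work/tomcat.jks"; chmod 600 "$work/tomcat.jks"
write_sample_config "$work/page.xml" 443 "$work/tomcat.jks"
write_sample_config "$work/hardened.xml" 443 "$work/tomcat.jks" 'sslEnabledProtocols="TLSv1.2"'
write_sample_config "$work/mismatch.xml" 8443 "$work/tomcat.jks" 'sslEnabledProtocols="TLSv1.2"'
for f in page hardened mismatch; do
    echo "== $f.xml"; audit "$work/$f.xml" || echo "   -> fix before restarting Tomcat"
done
```

Run `audit /usr/local/tomcat7/conf/server.xml` as the Tomcat user after step 5 and before step 6; a non-zero exit means the redirect or the keystore would be wrong after the restart. The attribute parsing is a simple text match on single-line connector elements, which is enough for the hand-written server.xml in this post but not a general XML parser.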

5) Upload the jks file

[root@tomcat ~]# cd /usr/local/tomcat7/conf/

[root@tomcat conf]# ls nginx.xxx.com.jks

nginx.xxx.com.jks

6) Restart the Tomcat service

[root@tomcat ~]# shutdown.sh

Using CATALINA_BASE:   /usr/local/tomcat7

Using CATALINA_HOME:   /usr/local/tomcat7

Using CATALINA_TMPDIR: /usr/local/tomcat7/temp

Using JRE_HOME:        /usr/local/java

Using CLASSPATH:       /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar

[root@tomcat ~]# startup.sh

Using CATALINA_BASE:   /usr/local/tomcat7

Using CATALINA_HOME:   /usr/local/tomcat7

Using CATALINA_TMPDIR: /usr/local/tomcat7/temp

Using JRE_HOME:        /usr/local/java

Using CLASSPATH:       /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar

Tomcat started.

[root@tomcat ~]# netstat -anpt | grep java

tcp       11      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      12383/java          

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      12383/java          

tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      12383/java

 

4. Switch to the main domain xxx.com and add an A record

 

 

5. Test by visiting the site in a browser

 
