Tomcat配置Https访问(1)
1. 生成证书在命令行运行命令JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg
RSA -keystore C:\Tomcat\GMAE3.0Tomcat\tomcat.keystore(指定一个位置)
这样就生成了证书,将证书放到合适的地方(任意地方都可以)
2. 配置server.xml
找到关于ssl的相关段,去掉注释,添keystoreFile="C:\Tomcat\GMAE3.0Tomcat\tomcat.keystore"
keystorePass="tomcat"的属性
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:\TRS\TRSIDS3500_trunk_https\tomcat.keystore"
algorithm="SunX509" keystorePass="trsadmin"/>
tomcat不同版本配置是不同的
Tomcat5.5.9配置:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore"
keystorePass="changeit"/>
Tomcat5.5.20配置(此配置同样可用于Tomcat6.0)
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore"
keystorePass="changeit"/>
Tomcat6.0.10配置:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200" scheme="https"
secure="true" SSLEnabled="true" clientAuth="false"
sslProtocol="TLS"
keystoreFile="D:/tools/apache-tomcat-6.0.10/server.keystore"
keystorePass="changeit"/>
tomcat6支持3种,请参考以下文档:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
3. 重启tomcat就能使用HTTPS访问
4. 强制https访问
在tomcat\conf\web.xml中的</welcome-file-list>后面加上这样一段:
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/root_home</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
页:
[1]