Configuring HTTPS on Tomcat

cxs7225032 发表于 2017-1-23 06:26:45

Reference from http://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-ImportCertificateIntoTheTruststore

Running
JIRA over SSL or HTTPS

[*]
Page restrictions apply
[*]
Attachments:
1

[*]
Added by Jeff Turner
,
last edited by Andrew
Lui
on May 16, 2010
(view
change
)
[*]
show
comment
hide
comment

Comment:
Reverted from v. 36

　　When web applications are being accessed across the
internet, there is always the possibility of usernames and passwords
being intercepted by intermediaries between your computer and the
ISP/company. It is often a good idea to enable access via HTTPS (HTTP
over SSL) and make this a requirement for pages where passwords are
sent. Note, however, that using HTTPS may result in slower performance.
In some cases where issue data is sensitive, all pages should be
accessed via HTTPS.

Please
note that Atlassian Support will refer SSL support to the institution
that issues the Certificate. We provide this documentation for
reference.

　　The process of enabling SSL access is specific to each application
server, but the process for specifying which pages require protection is
generic.

This
procedure is a general guide for the way to configure Tomcat
with HTTPS and only covers the common installation types of JIRA. It is
by no means a definitive or comprehensive guide to configuring HTTPS and
may not be applicable to your specific integration.

For
JIRA Windows Standalone installations

[*]Since JIRA 3.8, Java comes bundled with JIRA Windows Standalone. It
is this bundled JRE (Java Runtime Environment) that is used to run
Tomcat by default, and which must be updated with the SSL certificates.
[*]The term <install-dir> is used frequently in this document
which refers the the installation directory of JIRA. The JIRA Installation Directory
KB
shows you how to determine this for your particular installation.

　　On this page:

[*]
Running
JIRA over HTTPS

[*]
Configure
HTTPS in Tomcat
[*]
Generate
Self-Signed Certificate
[*]
Obtain
CA Certificate
[*]
Import
Certificate into the Trust-store
[*]
Redirecting
certain pages to HTTPS

[*]
Troubleshooting

[*]
SSL
+ Apache + IE problems
[*]
Can't
find the keystore
[*]
Incorrect
password
[*]
Passwords
don't match
[*]
Wrong
certificate

　　

Running
JIRA over HTTPS
　　The following flowchart shows the process involved in configuring
HTTPS on Tomcat. Click the links below this chart to go to the
instructions for that step.
　　

[*]
Configure
HTTPS in Tomcat
[*]
Generate
Self-Signed Certificate
[*]
Obtain
CA Certificate
[*]
Import
Certificate into the Trust-store
[*]
Requiring
HTTPS for certain pages (Redirecting certain pages to HTTPS)
　　

Configure
HTTPS in Tomcat
　　Edit conf/server.xml
, and at the bottom before the
</Service> tag, add this section (or uncomment it where you find
it) in Tomcat 6:

<script>
window.SyntaxHighlighter.config.clipboardSwf = '/s/1814/13/2/_/download/resources/com.atlassian.confluence.ext.newcode-macro-plugin:clipboard/clipboard.swf';
</script>
1.
<
Connector
port
=
"8443"
maxHttpHeaderSize
=
"8192"
SSLEnabled
=
"true"

2.
maxThreads
=
"150"
minSpareThreads
=
"25"
maxSpareThreads
=
"75"

3.
enableLookups
=
"false"
disableUploadTimeout
=
"true"
useBodyEncodingForURI
=
"true"

4.
acceptCount
=
"100"
scheme
=
"https"
secure
=
"true"

5.
clientAuth
=
"false"
sslProtocol
=
"TLS"
/>

　　This enables SSL access on port 8443 (the default for HTTPS is 443,
but just as Tomcat uses 8080 instead of 80 to avoid conflicts, 8443 is
used instead of 443 here).

JIRA
4.1 Standalone comes with Tomcat 6 which requires SSLEnabled="true" to
be added to the Connector tag above. We will include this by default
soon- http://jira.atlassian.com/browse/JRA-20963

　　^Back
to the flowchart

　　

Generate
Self-Signed Certificate

Self-signed
certificates are useful in cases where you require encryption but do
not need to verify the website identity.

They are commonly used for testing and on internal corporate networks
(intranets).　　Due to the certificate not being signed by a Certification Authority
(CA), users may get prompted that the site is untrusted and may have to
perform several steps to "accept" the certificate before they can access
the site. This usually will only occur the first time they access the
site.

　　The following approach to create the certificate uses Java's keytool
, and has been
formatted for use with Java 1.6.

There are other tools for generating certificates such as openSSL
which are not discussed in this procedure.

When
running the following keytool command you will be prompted with:

What is your first and last name?

　　Instead of entering your first and last name as specified, you must
enter the fully qualified hostname of the server running JIRA. This is
the same as the name you would type in your web browser after the
http:// section to access your JIRA installation. When the client web
browser examines the certificate, it checks this field, and makes sure
that it matches the hostname. If it doesn't, it may prevent access to
the site, and at the very least will generate pop-up messages saying
that there is a mismatch. An example of a qualified hostname is:
support.atlassian.com

The keytool utility will also prompt you for two passwords: the keystore
password and the key password for Tomcat. You must use the same value
for both passwords, and the value must be either:

[*]"changeit" (this is the default value Tomcat expects), or
[*]if you use a value other than "changeit", you must also specify it
in conf/server.xml
. You must add the following attribute to the
Connector tag described above:

keystorePass="<password value>"

　　Windows Standalone

"<install_dir>\jre\bin\keytool" -genkey -alias tomcat -keyalg RSA

　　Windows WAR/EAR

"%JAVA_HOME\bin\keytool" -genkey -alias tomcat -keyalg RSA

　　Unix/Linux

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

　　This will create (if it doesn't already exist) a new .keystore file
located in the home directory of the user you used to run the keytool
command.
　　You will now need to export the certificate to make it ready for
importing into the Trust-store with the following command:
　　Windows Standalone

"<install_dir>\jre\bin\keytool" -export -alias tomcat -file file.cer

　　Windows WAR/EAR

"%JAVA_HOME\bin\keytool" -export -alias tomcat -file file.cer

　　Unix/Linux

$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer

　　Next, import
the certificate into the Trust-store
.
　　^Back
to the flowchart

　　

Obtain
CA Certificate
　　Digital Certificate that are issued by trusted 3rd party CAs
(Certification Authority) provide verification that your Website does
indeed represent your company, thereby verifying your company's
identity. Many CAs simply verify the domain name and issue the
certificate, whereas other such as VeriSign
verifies the existence
of your business, the ownership of your domain name, and your authority
to apply for the certificate, providing a higher standard of
authentication.
　　A list of CA's can be found here
.

Some of the most well known CAs are:

[*]
Verisign
[*]
Thawte
[*]
CAcert
(relatively new CA, providing free CA
certificates)
　　Next, import
the certificate into the Trust-store
.
　　^Back
to the flowchart

　　

Import
Certificate into the Trust-store

Your
SSL Vendor may have different instructions, please refer to them for
proper certificate installation. Examples include GoDaddy
and VeriSign

　　Assuming your certificate is called "file.cer" whether obtained by a
CA or self-generated, the following command will add this certificate to
the Trust-store:
　　Windows Standalone

"<install_dir>\jre\bin\keytool" -import -alias tomcat -file file.cer -keystore "<install_dir>\jre\lib\security\cacerts"

　　Windows WAR/EAR

"%JAVA_HOME\bin\keytool" -import -alias tomcat -file file.cer -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

　　Unix/Linux

This
step must be performed as the root user, or with the use of sudo

$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer -keystore $JAVA_HOME/jre/lib/security/cacerts

　　Next, proceed to the step on redirecting
certain pages to HTTPS
.
　　^Back
to the flowchart

　　

Redirecting
certain pages to HTTPS
　　Although HTTPS is now activated and available, the old HTTP URLs (http://localhost:8080
)
are still available. In most situations one wants these URLs to
continue working, but for some to redirect to their https equivalent.
This is done by editing WEB-INF/web.xml
, and adding the
following section at the end of the file, before the closing </web-app>
:

<script>
window.SyntaxHighlighter.config.clipboardSwf = '/s/1814/13/2/_/download/resources/com.atlassian.confluence.ext.newcode-macro-plugin:clipboard/clipboard.swf';
</script>
01.
<
security-constraint
>

02.
<
web-resource-collection
>

03.
<
web-resource-name
>all-except-attachments</
web-resource-name
>

04.
<
url-pattern
>*.js</
url-pattern
>

05.
<
url-pattern
>*.jsp</
url-pattern
>

06.
<
url-pattern
>*.jspa</
url-pattern
>

07.
<
url-pattern
>*.css</
url-pattern
>

08.
<
url-pattern
>/browse/*</
url-pattern
>

09.
</
web-resource-collection
>

10.
<
user-data-constraint
>

11.
<
transport-guarantee
>CONFIDENTIAL</
transport-guarantee
>

12.
</
user-data-constraint
>

13.
</
security-constraint
>

　　This means that all URLs except attachments
are redirected
from HTTP to HTTPS. IE has a bug
which prevents attachments like .doc files being
viewed via HTTPS if SSL protection is forced in web.xml
.
　　Once this change is made, restart JIRA and access http://localhost:8080
.
You should be redirected to https://localhost:8443/secure/Dashboard.jspa
.
The port it redirects to is determined by the redirectPort
value you specify in the server.xml
file in the HTTP Connector
stanza.

There does
not seem to be an easy way to make subsequent pages revert to HTTP after
logging in via HTTPS - see JRA-7250

Troubleshooting
　　Here are some troubleshooting tips if you are using a self-signed key
created by keytool, as described above.
　　When you enter "https://localhost:8443" in your browser, if you get a
message such as "Cannot establish a connection to the server at
localhost:8443", look for error messages in your logs/catalina.out log
file. Here are some possible errors with explanations:

SSL +
Apache + IE problems
　　Some people have reported errors when uploading attachments over SSL
using IE. This is due to an IE bug, and can be fixed in Apache by
setting:

<script>
window.SyntaxHighlighter.config.clipboardSwf = '/s/1814/13/2/_/download/resources/com.atlassian.confluence.ext.newcode-macro-plugin:clipboard/clipboard.swf';
</script>
1.
BrowserMatch
".MSIE."
\

2.
nokeepalive
ssl-unclean-shutdown \

3.
downgrade-
1.0
force-response-
1.0

　　Google
has plenty more on
this.

Can't
find the keystore

java.io.FileNotFoundException: /home/user/.keystore (No such file or directory)

　　This indicates that Tomcat cannot find the keystore. The keytool
utility creates the keystore as a file called .keystore
in the
current user's home directory. For Unix/Linux the home directory is
likely to be /home/<username>
. For Windows it is likely
to be C:\Documents And Settings\<UserName>
.
　　Make sure you are running JIRA as the same user who created the
keystore. If this is not the case, or if you are running JIRA on Windows
as a service, you will need to specify where the keystore file is in conf/server.xml
.
Add the following attribute to the connector tag you uncommented:

keystoreFile="<location of keystore file>"

Incorrect
password

java.io.IOException: Keystore was tampered with, or password was incorrect

　　You used a different password than "changeit". You must either use
"changeit" for both the keystore password and for the key password for
Tomcat, or if you want to use a different password, you must specify it
using the keystorePass
attribute of the Connector tag, as
described above.

Passwords
don't match

java.io.IOException: Cannot recover key

　　You specified a different value for the keystore password and the key
password for Tomcat. Both passwords must be the same.

Wrong
certificate

javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.

　　If the Keystore has more than one certificate, Tomcat will use the
first returned unless otherwise specified in the SSL Connector in conf/server.xml
.
　　Add the keyAlias
attribute to the Connector tag you
uncommented, with the relevant alias, for example:

<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/opt/local/.keystore"
keystorePass="removed"
keyAlias="tomcat"/>


Labels parameters

页: [1]

运维网's Archiver

Configuring HTTPS on Tomcat