
How to configure SSL in Tomcat

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Many newcomers are unclear about how to configure SSL in Tomcat. To help with this, the following explains the procedure in detail.

Generate the server-side security certificate

You must first prepare, locally, a server-side security certificate that conforms to the X.509 standard. If possible, apply for a certified security certificate from an authoritative CA (which requires cumbersome procedures and money). If that is not an option, you can use the certificate generation tool provided by the JDK and run the following on the Windows command line:

    C:\> keytool -genkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=127.0.0.1,ou=product,o=uestc,c=CN" -validity 3650 -storepass uestc@#123zp -keystore c:\key.store

When prompted for the key password (press Enter if it is the same as storepass), press Enter. This generates the server-side key.store under the C:\ directory.

Note:

When keytool from an earlier JDK version (such as JDK 1.4) is used to generate the certificate, the error "java.security.NoSuchAlgorithmException: SHA256WITHRSA Signature not available" is reported because that version does not support the SHA256withRSA algorithm. You must use keytool from a later JDK version (such as JDK 1.6) to generate the certificate.

When you create the certificate under Linux, you only need to change the path in the above command; the rest remains unchanged.

Note:

The keytool parameter validity sets the validity period of the certificate (in days) and should be configured according to actual needs.

For a server-side security certificate, the CN field must match the actual domain name of the web application; otherwise the client will report a certificate name mismatch.

Some web containers require keypass and storepass to be identical.

For certificates not issued by a professional certificate authority, removing the "untrusted certificate" warning requires importing the root certificate into the client's browser as follows:

1) Access the https address and view the certificate.

2) Click "Copy to File" to save the cert file.

3) Open the IE toolbar and select Tools - Internet Options - Content - Certificates.

4) Open the Trusted Root Certification Authorities tab, click "Import", and import the cert file exported in the previous step into the trusted root certification authorities.

5) Restart IE and revisit the https address; it no longer warns that the certificate is untrusted.

Add a server-side security certificate

Open the /conf/server.xml file in the Tomcat installation directory.

Modify the port on which http is redirected to https:

Note: different versions of Tomcat may have different configuration items; modify the blue section of the original configuration file.

Modify https parameters

[z3]

[Z1] needs to be added in the configuration. Only these two types are allowed.

[Z2] needs to be added in the configuration

[Z3] cannot be stored in plaintext

Note:

1) Use an absolute path for the file name in the keystoreFile parameter. The password in the keystorePass parameter is the storepass password.

2) The above configuration may vary between Tomcat versions. If the log shows abnormal information after startup, add the SSL-related configuration items above to the original configuration file.

If SSL does not start properly, you can explicitly specify the Java Secure Socket Extension (JSSE) implementation, that is, change protocol="HTTP/1.1" to protocol="org.apache.coyote.http11.Http11Protocol".
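An added example, not part of the original article: a Python check for two of the server.xml points above, that the HTTP connector's redirectPort matches the HTTPS connector's port and that keystoreFile is an absolute path. The sample server.xml, its ports and the placeholder password are constructed for illustration.

```python
import ntpath
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample, not the article's server.xml: the HTTP connector redirects
# to 8443 while the SSL connector listens on 443, and keystoreFile is relative.
BAD_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="key.store" keystorePass="PLACEHOLDER"/>
</Service></Server>"""

# The same sample with both problems corrected.
GOOD_SERVER_XML = (BAD_SERVER_XML
                   .replace('redirectPort="8443"', 'redirectPort="443"')
                   .replace('keystoreFile="key.store"', r'keystoreFile="c:\key.store"'))

def is_absolute(path):
    # Accept Windows (c:\key.store) and Linux (/opt/key.store) absolute paths.
    return ntpath.isabs(path) or posixpath.isabs(path)

def audit_server_xml(xml_text):
    """Return a list of findings for the connector settings discussed above."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    ssl_ports = {c.get("port") for c in ssl}
    findings = []
    if not ssl:
        findings.append('no connector has SSLEnabled="true"')
    for c in connectors:
        port = c.get("port")
        if c in ssl:
            keystore = c.get("keystoreFile")
            if not keystore or not is_absolute(keystore):
                findings.append(f"port {port}: keystoreFile is not an absolute path")
            if not c.get("keystorePass"):
                findings.append(f"port {port}: keystorePass is missing")
        elif c.get("redirectPort") not in ssl_ports:
            findings.append(f"port {port}: redirectPort {c.get('redirectPort')} "
                            "does not match any SSL connector port")
    return findings

if __name__ == "__main__":
    for name, text in (("bad", BAD_SERVER_XML), ("good", GOOD_SERVER_XML)):
        print(name, audit_server_xml(text) or "OK")
```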

Configure directories or files that need to be forced to use SSL

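For example, to force the use of SSL for all files in the /SSL directory and for /test/login.jsp, edit WEB-INF/web.xml in the corresponding web application directory under Tomcat, and add the following configuration in the <web-app> section:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/SSL/*</url-pattern>
            <url-pattern>/test/login.jsp</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>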

Note:

In web applications, the session is lost when switching from https to http, so the session cannot be kept continuous. The solution is to replace the https-http flow with an http-https-http flow to preserve session continuity.

Restart Tomcat

Test suggestions

Enter https://xx.xx.xx.xx:443 in the browser; the site should be accessible normally over SSL.

For pages that switch from https to http, focus on testing whether the session is interrupted after the switch.

Test on a mobile phone to see whether the site works properly (if there are mobile users).

Using SSL has an impact on performance, so performance testing can be carried out (optional).
