

Configuring HTTPS (SSL) in Tomcat in detail

2024-09-05 00:20:43
Source: reposted
Contributed by: a reader

Ordinary web pages are served over HTTP, so everything on the wire is plaintext and easily intercepted. To keep site content from being captured by an intermediate server or a sniffer, most organisations use SSL/TLS to encrypt it. This article describes SSL setup in Tomcat; the reference documentation is http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Tomcat offers two quite different TLS implementations: the Java runtime's own JSSE (non-APR), and the OpenSSL library through APR/Tomcat-Native. Their configuration has nothing in common, so both are described below; pick the one that matches your deployment.

I. Java runtime (non-APR, JSSE)
  1. Generate the client and server Java key stores

import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;

/**
 * Tomcat HTTPS client/server key and certificate generator.
 *
 * Produces two JKS files: client.keystore, a trust store holding only the
 * self-signed server certificate (import it on the client side), and
 * server.keystore, holding the server's private key together with that
 * certificate. Needs the Bouncy Castle provider jar (bcprov) on the
 * classpath; X509V3CertificateGenerator is the old BC API, deprecated in
 * later releases in favour of the bcpkix certificate builders.
 */
public class TomcatKey {
    // Trust store (certificate only)
    static String TRUST_STORE_NAME = "client";
    static char[] TRUST_STORE_PASSWORD = "test".toCharArray();

    // Server key store (private key + certificate)
    static String SERVER_NAME = "server";
    static char[] SERVER_PASSWORD = "test".toCharArray();
    // Must match the host name clients put in the URL, or browsers reject the certificate
    static String SERVER_HOST = "localhost";

    public static void main(String[] args) {
        Security.addProvider(new BouncyCastleProvider());
        try {
            // one self-signed key pair: the certificate acts as its own root
            KeyPair rootPair = generateKeyPair();
            X500PrivateCredential rootCredential = createRootCredential(rootPair);

            // trust store: the root certificate, no private key
            KeyStore store = KeyStore.getInstance("JKS");
            store.load(null, null); // initialise an empty store
            store.setCertificateEntry(TRUST_STORE_NAME, rootCredential.getCertificate());
            FileOutputStream out = new FileOutputStream(TRUST_STORE_NAME + ".keystore");
            store.store(out, TRUST_STORE_PASSWORD);
            out.close();

            // server credentials: private key plus its one-element certificate chain
            store = KeyStore.getInstance("JKS");
            store.load(null, null);
            store.setKeyEntry(SERVER_NAME, rootCredential.getPrivateKey(), SERVER_PASSWORD,
                    new Certificate[] { rootCredential.getCertificate() });
            out = new FileOutputStream(SERVER_NAME + ".keystore");
            store.store(out, SERVER_PASSWORD);
            out.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // generate the RSA key pair
    public static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        // 2048 bits; the 1024-bit size in the original is no longer accepted by browsers
        generator.initialize(2048, new SecureRandom());
        return generator.generateKeyPair();
    }

    // wrap the certificate and the private key together
    public static X500PrivateCredential createRootCredential(KeyPair rootPair) throws Exception {
        X509Certificate rootCert = generateX509V3RootCertificate(rootPair);
        return new X500PrivateCredential(rootCert, rootPair.getPrivate());
    }

    // self-signed X.509 v3 certificate: issuer and subject are the same name
    public static X509Certificate generateX509V3RootCertificate(KeyPair pair) throws Exception {
        X500Principal name = new X500Principal("CN=" + SERVER_HOST + ", OU=GoldenSF, O=SHA, C=cn");
        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
        certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
        certGen.setIssuerDN(name);
        certGen.setSubjectDN(name);
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 5000L));
        // ten years; the original added Integer.MAX_VALUE milliseconds, which is only about 25 days
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 10L * 365 * 24 * 60 * 60 * 1000));
        certGen.setPublicKey(pair.getPublic());
        // SHA-256 instead of SHA-1, which browsers now reject for certificate signatures
        certGen.setSignatureAlgorithm("SHA256WithRSA");
        return certGen.generate(pair.getPrivate(), new SecureRandom());
    }
}

2. Copy the generated files, client.keystore and server.keystore, into apache-tomcat-7/conf

  3. Edit conf/server.xml as follows:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />  -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/server.keystore" keystorePass="test"
               truststoreFile="conf/client.keystore" truststorePass="test"/>
    <Connector port="8009" enableLookups="false" redirectPort="443" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>
      </Host>
    </Engine>
  </Service>
</Server>

4. Start Tomcat. If https://localhost/ opens normally, the configuration works. Because the certificate is self-signed, the browser warns about it until the certificate from client.keystore is imported as trusted.

Notes:
  1) Instead of the Java program, the key store can also be generated with the JDK's own keytool, e.g. for the server certificate:
     keytool -genkey -keyalg RSA -keysize 2048 -dname "cn=localhost,ou=test,o=test,l=hongkong,st=hk,c=hk" -alias server -keypass asdfzxcv23 -keystore server.jks -storepass asdfzxcv23 -validity 3650
     The CN of a client certificate can be any value; see the related articles for details. The CN of the server certificate must be the host name clients connect to.
  2) When editing server.xml, the default APR listener must be removed or commented out:
     <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />  -->
  3) If APR was configured before, also delete bin/tcnative-1.dll; otherwise the default protocol="HTTP/1.1" connector auto-selects APR and ignores the keystoreFile/keystorePass attributes.
  4) The key alias and the passwords produced by the Java program must match the ones in server.xml exactly; they are case-sensitive.
  5) sslProtocol="TLS" only names the SSLContext algorithm and does not restrict protocol versions. To exclude SSLv3 and older TLS versions, also set sslEnabledProtocols (for example sslEnabledProtocols="TLSv1.2") and an explicit ciphers list on the connector.


II. OpenSSL library (through APR/Tomcat-Native)
  1. Download OpenSSL-Win32 (or the Linux package) from the OpenSSL website; installation is straightforward.
  2. Use OpenSSL to generate the RSA private key (the key is stored encrypted with 3DES under a passphrase):
     D:/OpenSSL-Win32/bin>openssl genrsa -des3 -out key1.pem 2048

     Enter the passphrase (test) when prompted; this produces the file key1.pem.

  3. Use OpenSSL to generate a self-signed certificate from that key (this is what Tomcat presents to clients, and it carries the public key):
     D:/OpenSSL-Win32/bin>openssl req -new -x509 -key key1.pem -out key1cert.pem -days 1095

     This produces the file key1cert.pem. At the prompts, the Common Name must be the host name clients will use (localhost here).

  4. Copy both files into apache-tomcat-7/conf and change server.xml to the following:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false"
               SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLCertificateFile="D:/apache-tomcat-7/conf/key1cert.pem"
               SSLCertificateKeyFile="D:/apache-tomcat-7/conf/key1.pem"
               SSLPassword="test"
    />
    <Connector port="8009" enableLookups="false" redirectPort="443" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>
      </Host>
    </Engine>
  </Service>
</Server>

  5. Start Tomcat; if https://localhost opens normally, the configuration works.

  Notes:
      1) Check that APR/Tomcat-Native is actually installed and loaded: the AprLifecycleListener must be present and tcnative-1.dll loadable, and the startup log reports whether APR was found.
      2) Before starting Tomcat, make sure no other Tomcat process is still running (on Windows, end any stray javaw.exe in Task Manager); otherwise the port is already taken and startup fails with java.lang.Exception: Socket bind failed.
      3) SSLPassword must be the passphrase chosen for key1.pem, and the certificate and key file names must not be swapped.
      4) In older Tomcat 7 releases the APR connector's SSLProtocol defaulted to "all", which includes SSLv2 and SSLv3; set SSLProtocol="TLSv1.2" and an explicit SSLCipherSuite.
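As an added check covering both connector styles above (example code written for this article, not from the original post and not part of Tomcat), the script below parses a server.xml with the Python standard library and reports, for every TLS-enabled connector, the settings a reviewer would flag: no protocol restriction (sslEnabledProtocols for JSSE, SSLProtocol for APR), no explicit cipher list, and key store or key passphrases written in clear text. The three embedded fragments are constructed: the first two mirror the connectors in sections I and II, the third is an assumed hardened JSSE connector whose password comes from a ${keystore.password} system property (Tomcat substitutes ${...} references in server.xml); the finding codes are this script's own.

```python
"""Audit the TLS connectors of a Tomcat 7 server.xml for weak settings.

Standard library only; runs offline over the constructed fragments below.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the JSSE connector from section I, as written there.
JSSE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/server.keystore" keystorePass="test"
               truststoreFile="conf/client.keystore" truststorePass="test"/>
    <Connector port="8009" enableLookups="false" redirectPort="443" protocol="AJP/1.3"/>
  </Service>
</Server>"""

# Constructed sample: the APR connector from section II, as written there.
APR_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLCertificateFile="D:/apache-tomcat-7/conf/key1cert.pem"
               SSLCertificateKeyFile="D:/apache-tomcat-7/conf/key1.pem"
               SSLPassword="test"/>
  </Service>
</Server>"""

# Constructed sample: an assumed hardened JSSE connector; the key store
# password is supplied as a system property and substituted by Tomcat.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
               keystoreFile="conf/server.keystore" keystorePass="${keystore.password}"/>
  </Service>
</Server>"""


def _is_literal_secret(value):
    """True for a password written directly in server.xml rather than a ${property} reference."""
    return value is not None and not value.startswith("${")


def audit_connector(conn):
    """Return [(code, message), ...] for one <Connector> element."""
    a = conn.attrib
    if a.get("SSLEnabled", "false").lower() != "true":
        return []  # AJP or plain HTTP connector: nothing TLS-specific to check
    findings = []
    if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
        findings.append(("SCHEME", 'scheme="https" secure="true" missing: '
                         "request.isSecure() and redirects will be wrong"))
    if "Http11AprProtocol" in a.get("protocol", ""):
        # APR/OpenSSL connector: the SSL* attribute family applies.
        proto = a.get("SSLProtocol", "all")  # "all" was the early Tomcat 7 default
        if proto == "all" or "SSLv" in proto:
            findings.append(("PROTOCOLS", "SSLProtocol=%r permits SSLv2/SSLv3; "
                             'set SSLProtocol="TLSv1.2"' % proto))
        if "SSLCipherSuite" not in a:
            findings.append(("CIPHERS", "SSLCipherSuite not set: OpenSSL's default list is used"))
        if _is_literal_secret(a.get("SSLPassword")):
            findings.append(("SECRET", "SSLPassword is stored in clear text in server.xml"))
    else:
        # JSSE connector (BIO/NIO): the keystore*/ssl* attribute family applies.
        enabled = a.get("sslEnabledProtocols")
        if enabled is None or "SSLv" in enabled:
            findings.append(("PROTOCOLS", "sslEnabledProtocols not restricted: the JVM default "
                             'may still permit SSLv3 or TLS 1.0; set it to "TLSv1.2"'))
        if "ciphers" not in a:
            findings.append(("CIPHERS", "ciphers not set: the JVM default cipher suites are used"))
        for attr in ("keystorePass", "truststorePass"):
            if _is_literal_secret(a.get(attr)):
                findings.append(("SECRET", "%s is stored in clear text in server.xml" % attr))
    return findings


def audit_server_xml(text):
    """Map each connector's port to its list of findings."""
    root = ET.fromstring(text)
    return {c.get("port"): audit_connector(c) for c in root.iter("Connector")}


if __name__ == "__main__":
    samples = (("JSSE (section I)", JSSE_SERVER_XML),
               ("APR (section II)", APR_SERVER_XML),
               ("hardened", HARDENED_SERVER_XML))
    for name, xml in samples:
        print("== " + name)
        for port, findings in audit_server_xml(xml).items():
            for code, msg in findings or [("OK", "no findings")]:
                print("  port %s: %s: %s" % (port, code, msg))
```

Run it against a real conf/server.xml by replacing the embedded fragment with the file contents; the AJP connector shows how non-TLS connectors are skipped, and the hardened fragment shows the attribute set that produces no findings.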

That is my experience configuring HTTPS under Tomcat; corrections are welcome.

http://zeallf.javaeye.com/blog/833250

 
