1. Generate the certificate
# First switch to the Tomcat directory:
$ cd /app/tomcat-8.5.39/
# Generate the certificate file (a self-signed key pair stored in a JKS keystore):
$ keytool -genkey -alias tomcat -keyalg RSA -keypass AAyxl123 -storepass AAyxl123 -keystore tomcat-https-server.keystore -validity 36500
# Set permissions on the certificate file:
$ chmod u+x tomcat-https-server.keystore
Description of the generated certificate file:
Certificate password: AAyxl123
Certificate file: tomcat-https-server.keystore, in the current Tomcat directory
Certificate validity: 36500 days, i.e. about 100 years
[app@chezhi tomcat-8.5.39]$ pwd
/app/tomcat-8.5.39
[app@chezhi tomcat-8.5.39]$ keytool -genkey -alias tomcat -keyalg RSA -keypass AAyxl123 -storepass AAyxl123 -keystore tomcat-https-server.keystore -validity 36500
What is your first and last name?
  [Unknown]:  chezhi
What is the name of your organizational unit?
  [Unknown]:  xlwzj
What is the name of your organization?
  [Unknown]:  xlwzj
What is the name of your City or Locality?
  [Unknown]:  CHANGSHA
What is the name of your State or Province?
  [Unknown]:  HUNAN
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=chezhi, OU=xlwzj, O=xlwzj, L=CHANGSHA, ST=HUNAN, C=CN correct?
  [no]:  Y
[app@chezhi tomcat-8.5.39]$ ls -ls tomcat-https-server.keystore
4 -rw-rw-r--. 1 app app 2224 Jan 11 11:04 tomcat-https-server.keystore
[app@chezhi tomcat-8.5.39]$
Instructions for answering the prompts:
"What is your first and last name?" This is required; it becomes the owner (CN) of the certificate. I entered "chezhi".
"What is the name of your organizational unit?"
"What is the name of your organization?"
"What is the name of your city or area?"
"What is the name of your state or province?"
"What is the two letter country code for this unit?"
You can fill these in as required, or simply press Enter to leave them blank. The tool then asks whether the information is correct: if it is, type the letter "y"; otherwise type "n" to enter the information again.
2. Modify the Tomcat configuration files
1. Modify tomcat/conf/server.xml
# 1. Modify the 8080 connector: redirectPort is changed from 8443 to 443. Because the default HTTP port is 80, I also changed 8080 to 80; this is not required, change it only if you need to.
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
# 2. Modify the 8443 connector (especially important):
# Uncomment it and change port 8443 to 443, because the default HTTPS port is 443.
# keystoreFile must point at the keystore generated above (I renamed mine to server.keystore; if you kept the name tomcat-https-server.keystore, use that path).
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/app/tomcat-8.5.39/server.keystore"
           keystorePass="AAyxl123"/>
Explanation:
keystoreFile: the certificate file generated earlier in the Tomcat directory
keystorePass: the password of the certificate generated earlier
scheme: change to "https"
# 3. Modify the 8009 connector: change its redirectPort from 8443 to 443
<Connector port="8009" protocol="AJP/1.3" URIEncoding="utf-8"
           redirectPort="443" />
Screenshot of the modification:
The first time, I wrote the certificate path as "/app/apache-tomcat-8.5.39/server.keystore", which produced an error; changing it to "/app/tomcat-8.5.39/server.keystore" fixed it. Please don't make the same mistake I did.
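To check that the connector changes above are consistent before restarting, here is an added Python 3 example (not part of the original post and not Tomcat's own code). It parses a server.xml, finds the SSLEnabled connector, confirms scheme, secure and keystorePass are set, checks that every other connector's redirectPort points at the HTTPS port, and checks that keystoreFile exists and is not group- or world-accessible. The server.xml text and the keystore file it creates are constructed samples modelled on the fragments in this post; the keystore_path_override parameter is this example's own. It also shows a point the post's chmod u+x leaves open: the keystore holds the private key, so it should be mode 600 (owner only), not executable.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml fragments in this post
# (not the real file from the author's server).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/app/tomcat-8.5.39/server.keystore"
               keystorePass="AAyxl123"/>
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="utf-8"
               redirectPort="443" />
  </Service>
</Server>
"""


def audit_server_xml(xml_text, keystore_path_override=None):
    """Return a list of findings; an empty list means the HTTPS setup looks consistent.

    keystore_path_override (this example's own parameter) lets the caller point at
    the keystore on disk when auditing a server.xml copied from another host.
    """
    findings = []
    root = ET.fromstring(xml_text)
    connectors = root.findall(".//Connector")
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if len(https) != 1:
        findings.append("expected exactly one SSLEnabled connector, found %d" % len(https))
        return findings
    tls = https[0]
    tls_port = tls.get("port")

    # Attributes the post says must be set on the HTTPS connector.
    if tls.get("scheme") != "https":
        findings.append("HTTPS connector scheme should be https")
    if tls.get("secure", "").lower() != "true":
        findings.append("HTTPS connector secure should be true")
    if not tls.get("keystorePass"):
        findings.append("HTTPS connector has no keystorePass")

    # Every plain connector must redirect to the HTTPS connector's port, otherwise
    # the CONFIDENTIAL constraint in web.xml cannot send clients to HTTPS.
    for c in connectors:
        if c is tls:
            continue
        if c.get("redirectPort") != tls_port:
            findings.append("connector on port %s redirects to %s, not %s"
                            % (c.get("port"), c.get("redirectPort"), tls_port))

    # The keystore must exist (the post hit a wrong path here), and because it holds
    # the private key it should not be readable or writable by group/others.
    ks = keystore_path_override or tls.get("keystoreFile", "")
    if not os.path.isfile(ks):
        findings.append("keystoreFile %s does not exist" % ks)
    else:
        mode = stat.S_IMODE(os.stat(ks).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("keystore %s is group/world accessible (mode %o)" % (ks, mode))
    return findings


def demo():
    """Audit the sample three times: missing keystore, permissive keystore, fixed keystore."""
    with tempfile.TemporaryDirectory() as d:
        ks = os.path.join(d, "server.keystore")
        missing = audit_server_xml(SAMPLE_SERVER_XML, keystore_path_override=ks)
        with open(ks, "wb") as f:
            f.write(b"constructed placeholder, not a real JKS file")
        os.chmod(ks, 0o664)   # rw-rw-r--, the mode shown by the post's ls -ls output
        permissive = audit_server_xml(SAMPLE_SERVER_XML, keystore_path_override=ks)
        os.chmod(ks, 0o600)   # owner-only, as a private key store should be
        fixed = audit_server_xml(SAMPLE_SERVER_XML, keystore_path_override=ks)
    return missing, permissive, fixed


if __name__ == "__main__":
    for label, result in zip(("missing", "permissive", "fixed"), demo()):
        print(label, result)
```

Run it against a real file with audit_server_xml(open("/app/tomcat-8.5.39/conf/server.xml").read()); the keystoreFile attribute is then used as-is, so run it on the Tomcat host.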
2. Modify tomcat/conf/web.xml
Go to the end of the file and add the following:
vim web.xml, tip: in the vim editor press Shift+G to jump to the end of the file
<login-config>
  <!-- Authorization setting for SSL -->
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
  <!-- Authorization setting for SSL -->
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
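The security-constraint above is what turns a plain http request into a redirect: any request whose path matches a url-pattern inside a constraint with transport-guarantee CONFIDENTIAL must be served over TLS, and Tomcat answers a plain request for such a path with a redirect to the connector's redirectPort. Below is an added Python 3 example (not from the post and not Tomcat's own code) that reads a web.xml, lists the CONFIDENTIAL patterns and applies servlet-style url-pattern matching (exact, /prefix/*, *.ext and the default /) to decide whether a given path requires HTTPS. It also reports whether any auth-constraint exists: the constraint in the post has none, so the CLIENT-CERT login-config is never triggered and the constraint only forces HTTPS, it does not require a client certificate. The web.xml text is a constructed sample based on the fragment above; requires_https, has_auth_constraint and the other names are chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's web.xml fragment wrapped in a minimal web-app root.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _parse(xml_text):
    """Parse web.xml and drop the XML namespace so tags can be matched by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _pattern_matches(pattern, path):
    """Servlet-spec style matching for the pattern forms allowed in <url-pattern>."""
    if pattern == "/":              # default pattern: matches everything
        return True
    if pattern.endswith("/*"):      # path-prefix pattern, e.g. /* or /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):    # extension pattern, e.g. *.jsp
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.endswith(pattern[1:])
    return path == pattern          # exact match


def confidential_patterns(xml_text):
    """Return the url-patterns that a CONFIDENTIAL/INTEGRAL transport-guarantee covers."""
    patterns = []
    for sc in _parse(xml_text).findall("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
        if guarantee in ("CONFIDENTIAL", "INTEGRAL"):
            for p in sc.findall("web-resource-collection/url-pattern"):
                patterns.append(p.text.strip())
    return patterns


def requires_https(xml_text, path):
    """True if a plain-HTTP request for path would be redirected to HTTPS."""
    return any(_pattern_matches(p, path) for p in confidential_patterns(xml_text))


def has_auth_constraint(xml_text):
    """True only if some security-constraint actually demands authentication."""
    return any(sc.find("auth-constraint") is not None
               for sc in _parse(xml_text).findall("security-constraint"))


if __name__ == "__main__":
    print("CONFIDENTIAL patterns:", confidential_patterns(SAMPLE_WEB_XML))
    print("/xlw_web/ requires HTTPS:", requires_https(SAMPLE_WEB_XML, "/xlw_web/"))
    print("authentication required anywhere:", has_auth_constraint(SAMPLE_WEB_XML))
```

Narrowing the pattern to /admin/* shows the matching rules: /admin and /admin/login require HTTPS, /administrator and /public/index.html do not.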
3. Restart the Tomcat service
Tomcat is restarting...
4. Browser access test
Enter the access address in the address bar to test:
http://192.168.3.128/xlw_web/
https://192.168.3.128/xlw_web/
Whether you enter http or https in the address bar, you are redirected to the https address we configured.
Well, the access test passed without problems.
Dare to explore and you will find that the original world is the magic...
Written in Changsha on January 11, 2020, Yu Che Zhi