HTTPS

2017/7/30 posted in 运维 (Operations)
  • Configuring a self-signed certificate

    1. Run the following command to generate the keystore file

       keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -ext SAN=dns:localhost
      

      This creates a .keystore file in the current user's home directory. keytool prompts for the certificate details and for the keystore password; write that password down, server.xml needs it in the next step. The bare "keytool -genkey -alias tomcat -keyalg RSA" from the original post works but leaves three things at their defaults: -genkey is the old spelling of -genkeypair; without -validity the certificate expires after 90 days (the listing further down shows exactly that, valid from 16 Jan to 16 Apr); and the "first and last name" prompt only fills the CN, which current browsers ignore for hostname matching, so -ext SAN=dns:localhost adds the Subject Alternative Name they do check. Replace localhost with the real hostname when the server is reached by name.

    2. Edit server.xml to configure the certificate.

      Find the following section

       <!--
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
          maxThreads="150" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS" />
      -->
      

      Uncomment it and change it to the following

       <Connector SSLEnabled="true" 
                  acceptCount="100" 
                  clientAuth="false"
                  disableUploadTimeout="true"         
                  enableLookups="false"
                  maxThreads="25"
                  port="8443" 
                  keystoreFile="${user.home}/.keystore"
                  keystorePass="password"
                  protocol="org.apache.coyote.http11.Http11NioProtocol" 
                  scheme="https"
                  secure="true" 
                  sslProtocol="TLS" 
                  sslEnabledProtocols="TLSv1.2"
       />
      

      Notes: keystorePass must be the password entered in the previous step. It sits in clear text in server.xml, so make that file readable only by the user Tomcat runs as. The original post used keystoreFile="~/.keystore", which does not work: Tomcat does not expand "~", and a relative path is resolved against $CATALINA_BASE, not the home directory. Give an absolute path, use the ${user.home} system property as above (Tomcat substitutes system properties in server.xml attribute values), or leave keystoreFile out entirely, since the default is .keystore in the home directory of the user running Tomcat. sslProtocol="TLS" only names the SSLContext algorithm and does not switch off old protocol versions; sslEnabledProtocols is what restricts the handshake to TLSv1.2. On Tomcat 8.5 and 9 the same settings belong in an SSLHostConfig element, but these connector attributes are still accepted.

    3. Restart apache-tomcat and open https://localhost:8443 to check the result. The browser will warn that the certificate is not issued by a CA it trusts; that is expected for a self-signed certificate.

    Enforcing HTTPS per URL

    Edit the web.xml file. A CONFIDENTIAL transport-guarantee is enforced by redirection: a plain-HTTP request for a protected path is redirected to the redirectPort of the HTTP connector (8443 in the stock server.xml), so that attribute must match the port of the SSL connector configured above. Paths given NONE, or not covered by any constraint, stay reachable over HTTP; when several patterns match one URL, Tomcat applies the most specific one, so a NONE entry for /css/* wins over a CONFIDENTIAL /*.

    1. Force HTTPS for every path

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>HTTPSOnly</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
      
    2. Force HTTPS for some paths only

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>HTTPSOnly</web-resource-name>
                  <url-pattern>/api/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>HTTPSOrHTTP</web-resource-name>
                  <url-pattern>*.ico</url-pattern>
                  <url-pattern>/img/*</url-pattern>
                  <url-pattern>/css/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
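    The two configuration steps above (the SSL Connector in server.xml and the security-constraint entries in web.xml) are easy to get subtly wrong, so here is a small audit script for them. This is an added example, not code from the original post or from Tomcat: it uses only the Python standard library, and the SERVER_XML and WEB_XML_* samples at the bottom are constructed to mirror the post's configuration (the stock HTTP connector on 8080 is assumed alongside the SSL connector).

```python
"""Audit the Tomcat HTTPS settings discussed above: the SSL <Connector> in
server.xml and the <security-constraint> entries in web.xml.

Added example, not code from the original post or from Tomcat. Standard
library only; the XML samples at the bottom are constructed for illustration."""
import os
import xml.etree.ElementTree as ET


def local(tag):
    """Strip a namespace prefix: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(server_xml):
    """Return a list of findings about the Connector elements in server.xml."""
    root = ET.fromstring(server_xml)
    findings, ssl_ports, plain = [], set(), []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "").lower() != "true":
            plain.append(conn)
            continue
        ssl_ports.add(port)
        ks = conn.get("keystoreFile", "")
        if ks.startswith("~"):
            # Tomcat does not expand '~'; use an absolute path, ${user.home},
            # or omit the attribute (default: .keystore in the Tomcat user's home).
            findings.append(f"port {port}: keystoreFile {ks!r} will not be found, '~' is not expanded")
        elif ks and not os.path.isabs(ks) and not ks.startswith("${"):
            findings.append(f"port {port}: relative keystoreFile {ks!r} resolves against $CATALINA_BASE")
        if conn.get("keystorePass"):
            findings.append(f"port {port}: keystorePass is clear text; server.xml must be readable only by the Tomcat user")
        if not conn.get("sslEnabledProtocols"):
            # sslProtocol="TLS" names the SSLContext; it does not disable old versions.
            findings.append(f"port {port}: sslEnabledProtocols not set, JVM defaults may still offer TLSv1/TLSv1.1")
    for conn in plain:
        rp = conn.get("redirectPort")
        if rp not in ssl_ports:
            # CONFIDENTIAL constraints redirect plain-HTTP requests to this port.
            findings.append(f"port {conn.get('port')}: redirectPort={rp!r} is not an SSL connector")
    return findings


def transport_guarantees(web_xml):
    """Map each url-pattern in web.xml to its transport-guarantee (NONE when absent)."""
    root = ET.fromstring(web_xml)
    guarantees = {}
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        guarantee, patterns = "NONE", []
        for el in sc.iter():
            if local(el.tag) == "transport-guarantee":
                guarantee = (el.text or "NONE").strip().upper()
            elif local(el.tag) == "url-pattern":
                patterns.append((el.text or "").strip())
        for pattern in patterns:
            guarantees[pattern] = guarantee
    return guarantees


def cleartext_patterns(web_xml):
    """URL patterns that are still allowed over plain HTTP."""
    return sorted(p for p, g in transport_guarantees(web_xml).items() if g != "CONFIDENTIAL")


def all_https(web_xml):
    """True only if '/*' is CONFIDENTIAL and no other constraint reopens a path over HTTP."""
    g = transport_guarantees(web_xml)
    return g.get("/*") == "CONFIDENTIAL" and all(v == "CONFIDENTIAL" for v in g.values())


# Constructed sample: the post's SSL connector plus the stock HTTP connector on 8080.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector SSLEnabled="true" port="8443" keystoreFile="~/.keystore" keystorePass="password"
             protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

WEB_XML_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">{}</web-app>"""


def constraint(name, guarantee, *patterns):
    """Build one <security-constraint> for the constructed web.xml samples."""
    urls = "".join(f"<url-pattern>{p}</url-pattern>" for p in patterns)
    return (f"<security-constraint><web-resource-collection><web-resource-name>{name}"
            f"</web-resource-name>{urls}</web-resource-collection><user-data-constraint>"
            f"<transport-guarantee>{guarantee}</transport-guarantee></user-data-constraint>"
            "</security-constraint>")


WEB_XML_ALL = WEB_XML_TEMPLATE.format(constraint("HTTPSOnly", "CONFIDENTIAL", "/*"))
WEB_XML_PARTIAL = WEB_XML_TEMPLATE.format(
    constraint("HTTPSOnly", "CONFIDENTIAL", "/api/*")
    + constraint("HTTPSOrHTTP", "NONE", "*.ico", "/img/*", "/css/*"))

if __name__ == "__main__":
    for line in audit_server_xml(SERVER_XML):
        print("server.xml:", line)
    print("plain-HTTP patterns:", cleartext_patterns(WEB_XML_PARTIAL))
    print("everything forced to HTTPS:", all_https(WEB_XML_ALL))
```

    Run against the post's own connector, the script reports the unexpanded "~" in keystoreFile, the clear-text keystorePass and the missing sslEnabledProtocols; for the partial web.xml it lists *.ico, /css/* and /img/* as the patterns still served over HTTP. Point the functions at your real $CATALINA_BASE/conf/server.xml and WEB-INF/web.xml to check a deployment.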
      
      

    Generating a .cer certificate file

    1. Inspect the keystore

       april@client:~$ keytool -list -v -keystore .keystore -storepass 123456
      Keystore type: JKS
      Keystore provider: SUN
      Your keystore contains 1 entry
      Alias name: tomcat
      Creation date: Jan 16, 2017
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=Z, OU=4YT, O=Unknown, L=hz, ST=zj, C=CN
      Issuer: CN=Z, OU=4YT, O=Unknown, L=hz, ST=zj, C=CN
      Serial number: 1822278c
      Valid from: Mon Jan 16 16:44:46 CST 2017 until: Sun Apr 16 16:44:46 CST 2017
      Certificate fingerprints:
               MD5:  14:6B:D9:2B:90:D7:AA:E7:5A:CC:8E:9A:A1:FD:0E:7B
      

      The entry to export has the alias tomcat. Note the validity period: 90 days is what keytool uses when -validity is not given, so after 16 Apr this certificate will be rejected by every client.

    2. Generate the .cer file

      april@client:~$   keytool -export -alias tomcat -keystore .keystore -storepass 123456 -rfc -file client.cer
      Certificate stored in file <client.cer>
      

      This produces a .cer file (PEM-encoded because of -rfc; -exportcert is the current spelling of -export) that contains only the public certificate, never the private key. It can be bundled into the app so that the app trusts this server over HTTPS. Because the app then trusts this exact certificate rather than a CA, it has to be updated whenever the server certificate is renewed or replaced, and the hostname the app connects to must appear in the certificate's SAN (or CN) for hostname checking to pass.

    Reference: 5分钟内搞定Tomcat的SSL配置 (Tomcat SSL configuration in 5 minutes)
    Reference: SSL/TLS Configuration HOW-TO
    Reference: A Simple Step-By-Step Guide To Apache Tomcat SSL Configuration
    Reference: How to configure Tomcat to always require HTTPS