• Tomcat 8.5: adding HTTPS


    Because the configuration can differ between Tomcat versions, only the latest version, 8.5, is covered here.
     
    Since this is a test environment, I can use the JDK's built-in keytool to generate a certificate for testing.
     
    Reference documentation:
     
    ## 1. Generate the certificate
    [root@web01 tools]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore test.keystore
    Enter keystore password:  
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  abc
    What is the name of your organization?
      [Unknown]:  xyz
    What is the name of your City or Locality?
      [Unknown]:  ZH
    What is the name of your State or Province?
      [Unknown]:  cq
    What is the two-letter country code for this unit?
      [Unknown]:  cc
    Is CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc correct?
      [no]:  y
     
    Enter key password for <tomcat>
        (RETURN if same as keystore password):  
    Re-enter new password:
     
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
     
     
    ## 2. View the keystore contents
    [root@web01 tools]# $JAVA_HOME/bin/keytool -list -keystore test.keystore
    Enter keystore password:  
    Keystore type: jks
    Keystore provider: SUN
     
    Your keystore contains 1 entry
     
    tomcat, Mar 12, 2021, PrivateKeyEntry,
    Certificate fingerprint (SHA-256): C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
     
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
     
     
    ## 3. Export the certificate
    [root@web01 tools]# $JAVA_HOME/bin/keytool -export -alias tomcat -file tomcat.crt -keystore test.keystore
    Enter keystore password:  
    Certificate stored in file <tomcat.crt>
     
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
    [root@web01 tools]# ll
    -rw-r--r-- 1 root root      2200 Mar 12 14:45 test.keystore
    -rw-r--r-- 1 root root       849 Mar 12 14:50 tomcat.crt
     
     
    ## 4. View the certificate details
    [root@web01 tools]# $JAVA_HOME/bin/keytool -printcert -file tomcat.crt
    Owner: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
    Issuer: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
    Serial number: 3a9217f6
    Valid from: Fri Mar 12 14:45:13 CST 2021 until: Thu Jun 10 14:45:13 CST 2021
    Certificate fingerprints:
         SHA1: 43:87:78:FD:83:B3:67:71:B8:BA:4A:BC:04:C7:11:BC:C9:E7:0F:DE
         SHA256: C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
     
    Extensions:
     
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D3 0C 02 F1 67 15 60 97   71 5C 6D 93 AB 0F A3 85  ....g.`.qm.....
    0010: F0 83 86 35                                        ...5
    ]
    ]
     
     
    ## 5. Import the certificate
    [root@web01 tools]# $JAVA_HOME/bin/keytool -import -keystore test_crt -file tomcat.crt
    Enter keystore password:  
    Re-enter new password:
    Owner: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
    Issuer: CN=localhost, OU=abc, O=xyz, L=ZH, ST=cq, C=cc
    Serial number: 3a9217f6
    Valid from: Fri Mar 12 14:45:13 CST 2021 until: Thu Jun 10 14:45:13 CST 2021
    Certificate fingerprints:
         SHA1: 43:87:78:FD:83:B3:67:71:B8:BA:4A:BC:04:C7:11:BC:C9:E7:0F:DE
         SHA256: C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
     
    Extensions:
     
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D3 0C 02 F1 67 15 60 97   71 5C 6D 93 AB 0F A3 85  ....g.`.qm.....
    0010: F0 83 86 35                                        ...5
    ]
    ]
     
    Trust this certificate? [no]:  y
    Certificate was added to keystore
     
     
    ## View the imported certificate
    [root@web01 tools]# $JAVA_HOME/bin/keytool -list -keystore test_crt
    Enter keystore password:  
    Keystore type: jks
    Keystore provider: SUN
     
    Your keystore contains 1 entry
     
    mykey, Mar 12, 2021, trustedCertEntry,
    Certificate fingerprint (SHA-256): C2:4C:52:D9:0B:22:7B:DC:DB:40:51:9D:AD:79:EA:50:08:89:A7:7E:B8:D0:3A:FC:7C:22:B0:29:2D:34:C3:26
     
    [root@web01 tools]# ll
    -rw-r--r-- 1 root root       911 Mar 12 15:01 test_crt
    -rw-r--r-- 1 root root      2200 Mar 12 14:45 test.keystore
    -rw-r--r-- 1 root root       849 Mar 12 14:50 tomcat.crt
     
     
    ## 6. Delete the certificate
    [root@web01 tools]# $JAVA_HOME/bin/keytool -delete -keystore test_crt -alias mykey
    Enter keystore password:  
    [root@web01 tools]# ll
    -rw-r--r-- 1 root root        32 Mar 12 15:04 test_crt
    -rw-r--r-- 1 root root      2200 Mar 12 14:45 test.keystore
    -rw-r--r-- 1 root root       849 Mar 12 14:50 tomcat.crt
     
     
    ## 7. Change the key password
    [root@web01 tools]# $JAVA_HOME/bin/keytool -keypasswd -alias tomcat -keystore test.keystore
    Enter keystore password:  
    New key password for <tomcat>:
    Re-enter new key password for <tomcat>:
     
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
     
     
     

    Enabling HTTPS access

    Generate the certificate
    [root@web01 conf]# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
    Enter keystore password:  
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  abc
    What is the name of your organization?
      [Unknown]:  xyz
    What is the name of your City or Locality?
      [Unknown]:  zh
    What is the name of your State or Province?
      [Unknown]:  cq
    What is the two-letter country code for this unit?
      [Unknown]:  aa
    Is CN=localhost, OU=abc, O=xyz, L=zh, ST=cq, C=aa correct?
      [no]:  y
     
    Enter key password for <tomcat>
        (RETURN if same as keystore password):  
    Re-enter new password:
     
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /root/.keystore -destkeystore /root/.keystore -deststoretype pkcs12".
     
    Open server.xml under conf and locate the following commented-out section.
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
    This connector uses the NIO implementation. The default
    SSLImplementation will depend on the presence of the APR/native
    library and the useOpenSSL attribute of the
    AprLifecycleListener.
    Either JSSE or OpenSSL style configuration may be used regardless of
    the SSLImplementation selected. JSSE style configuration is used below.
    --><!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
    type="RSA" />
    </SSLHostConfig>
    </Connector>
    -->
    Uncomment the Connector and change the SSLHostConfig to the format below (note: older Tomcat versions set these attributes directly on the Connector; that form is deprecated and will be removed in the future). More complex requirements must be configured case by case with reference to the official documentation and are not explored here.
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/域名的 jks 文件"
    certificateKeystorePassword="jks 文件密码"
    certificateKeyAlias="jks 别名,一般为申请的证书域名"
    type="RSA" />
    </SSLHostConfig>
    </Connector>
    Parameter descriptions:
    1. certificateKeystoreFile: location of the jks file; a relative path is resolved against $CATALINA_BASE, which is normally the Tomcat installation directory.
    2. certificateKeystorePassword: the password of the jks file.
    3. certificateKeyAlias: the alias inside the jks file, usually the domain name the certificate was issued for; it can be listed with the JDK command keytool -list -keystore <jks file> -storepass <jks file password>.
    With this in place the site can be reached over HTTPS (default port 8443), but it can still also be reached over plain HTTP (default port 8080).
     
     

    Forcing HTTPS access

    To force the site to use HTTPS, edit web.xml in Tomcat's conf directory and add the following before the closing </web-app> tag (normally at the end of the file).
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    I found this configuration online; it works, but I have not fully understood it yet.
    The login-config part seems to set the Tomcat user login method to client-certificate authentication, which is rarely used; I have not studied how that authentication works, but it appears unrelated to HTTPS and is probably an unnecessary setting. The security-constraint part makes every URL require HTTPS, and that is the configuration that matters.
    Once configured, requests arriving over HTTP are automatically redirected to HTTPS.
    Note that if a deployed application's own web.xml configures security-constraint settings, it may override what is configured in Tomcat's web.xml, leaving some of that application's URLs reachable over HTTP.
     
     

    HTTPS default port

    Normally a site is visited without a port number, whether over HTTP or HTTPS, because HTTP defaults to port 80 and HTTPS to 443, whereas Tomcat uses 8080 and 8443. For convenient, clean URLs, edit server.xml under conf and change every 8080 to 80 and every 8443 to 443.
  • Original URL: https://www.cnblogs.com/jianchen013/p/14524732.html
Copyright © 2020-2023  润新知