Tomcat配置Https访问（1）

1. 生成证书

在命令行运行命令JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg
RSA -keystore C:\Tomcat\GMAE3.0Tomcat\tomcat.keystore(指定一个位置)
这样就生成了证书，将证书放到合适的地方（任意地方都可以）

2. 配置server.xml

找到关于ssl的相关段，去掉注释，添keystoreFile="C:\Tomcat\GMAE3.0Tomcat\tomcat.keystore"
keystorePass="tomcat"的属性

<Connector protocol="org.apache.coyote.http11.Http11Protocol" 
port="8443" maxHttpHeaderSize="8192" maxThreads="150" 
minSpareThreads="25" maxSpareThreads="75" 
enableLookups="false" disableUploadTimeout="true" 
acceptCount="100" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS" 
keystoreFile="D:\TRS\TRSIDS3500_trunk_https\tomcat.keystore" 
algorithm="SunX509" keystorePass="trsadmin"/> 

tomcat不同版本配置是不同的

Tomcat5.5.9配置：

<Connector port="8443" maxHttpHeaderSize="8192" 
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 enableLookups="false" disableUploadTimeout="true" 
acceptCount="100" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" 
keystorePass="changeit"/> 

 

 

Tomcat5.5.20配置(此配置同样可用于Tomcat6.0)   

<Connector protocol="org.apache.coyote.http11.Http11Protocol" 
port="8443" maxHttpHeaderSize="8192" maxThreads="150" 
minSpareThreads="25" maxSpareThreads="75" 
enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" 
keystorePass="changeit"/> 

  

Tomcat6.0.10 配置：

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" 
port="8443" minSpareThreads="5" maxSpareThreads="75" 
enableLookups="true" disableUploadTimeout="true" 
acceptCount="100" maxThreads="200" scheme="https" 
secure="true" SSLEnabled="true" clientAuth="false" 
sslProtocol="TLS" 
keystoreFile="D:/tools/apache-tomcat-6.0.10/server.keystore" 
keystorePass="changeit"/> 

 

tomcat6支持3种，请参考以下文档：

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

3. 重启tomcat就能使用HTTPS访问

4. 强制https访问

在tomcat\conf\web.xml中的</welcome-file-list>后面加上这样一段：

  

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection >
	<web-resource-name >SSL</web-resource-name>
	<url-pattern>/root_home</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
	<transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>