Configure Tomcat to use SSL

Use keytool to create an SSL certificate (self-signed certificates only)

First, generate the keystore file with the following command:

keytool -genkey -alias tomcat -keyalg RSA -keystore $SavePath/KeyFile

$SavePath is the directory where you want the keystore saved. keytool prompts for a keystore password and for the certificate fields; answer the "first and last name" (CN) prompt with the server's hostname, and keep the key password the same as the keystore password, since the connector below only carries one password.

Second, uncomment the "SSL HTTP/1.1 Connector" entry in server.xml.

Third, update that connector in server.xml so it uses the keystore. Here 443 is used as the SSL port:

<Connector port="443"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="test.keystore" keystorePass="123654"
    clientAuth="false" sslProtocol="TLS"/>

keystoreFile and keystorePass are the keystore filename and the password you entered in keytool. Note that the password sits in plaintext in server.xml, so restrict the file's permissions to the Tomcat user.

Use OpenSSL to make the certificate and import it into Tomcat (APR native connector)

Tomcat can use the Apache Portable Runtime (APR) to provide superior scalability, performance, and better integration with native server technologies. With APR the SSL side is handled by OpenSSL, so the certificate and key are plain PEM files rather than a Java keystore.

Requirements:

APR 1.2+ development headers (libapr1-dev package)

OpenSSL 0.9.7+ development headers (libssl-dev package)

JNI headers from a Java-compatible JDK 1.4+

GNU development environment (gcc, make)

The wrapper library sources ship in the Tomcat binary bundle as bin/tomcat-native.tar.gz. Once the build environment is installed and the source archive is extracted, compile the wrapper library from the folder containing the configure script; by default it installs under /usr/local/apr, which the paths below assume:

./configure && make && make install

After that, put the library on the loader path (no spaces around the = in a shell assignment):

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib

and then add the following line to the catalina.sh script so the JVM can find the native library:

CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"

To confirm whether Tomcat has enabled APR, check the Tomcat log. If APR is not enabled, the log contains "org.apache.coyote.http11.Http11Protocol start"; if APR is enabled, it contains "org.apache.coyote.http11.Http11AprProtocol start" instead.

Finally, update server.xml and add a connector like the following:

<Connector address="{tomcat.listen.address}" port="443"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" SSLEngine="on"
    clientAuth="false" sslProtocol="TLS"
    SSLProtocol="-all +SSLv3 +TLSv1"
    SSLCipherSuite="HIGH:MEDIUM:!aNULL:!ADH:+SHA1:+MD5+HIGH:MEDIUM"
    SSLCertificateFile="{your certificate file}"
    SSLCertificateKeyFile="{your certificate key file}"
    SSLPassword="{your password of certificate}" />

Two caveats before copying this verbatim. SSLProtocol as written turns SSLv3 back on, which has been considered broken for years; on any current deployment drop "+SSLv3" (and prefer the newest TLS versions your OpenSSL build supports), and trim the MEDIUM and MD5 entries from SSLCipherSuite. Also, in the Tomcat documentation SSLEngine="on" is an attribute of the AprLifecycleListener element rather than of the Connector, so set it there if your version ignores or rejects it on the connector.

If you want Tomcat to listen only on a certain IP, add the address attribute to the connector in server.xml:

<Connector address="{tomcat.listen.address}" port="443"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="test.keystore" keystorePass="123654"
    clientAuth="false" sslProtocol="TLS"/>

With the address attribute set, Tomcat listens only on the IP you specified instead of every interface.
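As an added example (not code from the original post or from the Tomcat project), here is a small Python audit that reads a server.xml, picks out every connector with SSLEnabled="true", and flags the settings discussed above: SSLv3 re-enabled through SSLProtocol, MD5/MEDIUM cipher families left in SSLCipherSuite, keystorePass or SSLPassword stored in plaintext, and a connector with no address attribute (so it binds every interface). It also checks log text for the two start lines the post tells you to look for. The server.xml and log lines are constructed inline; the IP 10.0.0.5, port 8443 and the PEM paths are placeholders, not values from the post.

```python
"""Audit the SSL connectors in a Tomcat server.xml for the weak settings that
appear in this post, and read catalina.out to see whether the APR connector
actually came up. Stand-alone: the XML and log text are constructed here."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): both connector variants from the
# post, wrapped in the minimal Server/Service tree so the file parses. The IP,
# port 8443 and the PEM paths are illustrative placeholders.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <!-- JSSE connector with a keytool keystore -->
    <Connector port="443" enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="test.keystore" keystorePass="123654"
               clientAuth="false" sslProtocol="TLS"/>
    <!-- APR connector with PEM certificate and key, bound to one address -->
    <Connector address="10.0.0.5" port="8443" enableLookups="true"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               SSLProtocol="-all +SSLv3 +TLSv1"
               SSLCipherSuite="HIGH:MEDIUM:!aNULL:!ADH:+SHA1:+MD5+HIGH:MEDIUM"
               SSLCertificateFile="/etc/tomcat/server.crt"
               SSLCertificateKeyFile="/etc/tomcat/server.key"
               SSLPassword="changeit"/>
  </Service>
</Server>
"""

# Constructed log lines modelled on the two start messages the post mentions.
SAMPLE_LOG_APR = ("INFO: Starting Coyote HTTP/1.1 on http-443\n"
                  "org.apache.coyote.http11.Http11AprProtocol start\n")
SAMPLE_LOG_JSSE = ("INFO: Starting Coyote HTTP/1.1 on http-443\n"
                   "org.apache.coyote.http11.Http11Protocol start\n")

# OpenSSL cipher-list families that should not appear un-negated in a current config.
WEAK_CIPHER_TOKENS = {"MD5", "MEDIUM", "LOW", "RC4", "DES", "EXP", "EXPORT", "NULL"}


def audit_connector(conn):
    """Return a list of findings for one <Connector> element (empty if clean)."""
    a = conn.attrib
    findings = []

    # APR-style protocol string, e.g. "-all +SSLv3 +TLSv1": collect the "+" tokens.
    enabled = {tok[1:] for tok in a.get("SSLProtocol", "").split() if tok.startswith("+")}
    for old in ("SSLv2", "SSLv3"):
        if old in enabled:
            findings.append(f"{old} enabled via SSLProtocol")

    # Cipher list: groups are ":"-separated; a leading "!" excludes the family,
    # and "+" joins requirements ("+MD5+HIGH" means MD5 AND HIGH).
    ciphers = a.get("SSLCipherSuite", a.get("ciphers", ""))
    weak = set()
    for group in ciphers.split(":"):
        if group.startswith("!"):
            continue
        for tok in group.split("+"):
            if tok.upper() in WEAK_CIPHER_TOKENS:
                weak.add(tok.upper())
    for tok in sorted(weak):
        findings.append(f"weak cipher family {tok} permitted by SSLCipherSuite")

    # Secrets that live in the clear inside server.xml.
    for secret in ("keystorePass", "SSLPassword"):
        if secret in a:
            findings.append(f"{secret} stored in plaintext in server.xml")

    # No address attribute means Tomcat binds the port on every interface.
    if "address" not in a:
        findings.append("no address attribute: connector binds every interface")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        report[conn.get("port")] = audit_connector(conn)
    return report


def apr_enabled(log_text):
    """True if the native (APR) connector started, False if the pure-Java one
    did, None if neither start line is present in the log text."""
    if "Http11AprProtocol" in log_text:
        return True
    if "Http11Protocol" in log_text:
        return False
    return None


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"connector on port {port}:")
        for line in findings or ["no findings"]:
            print("  -", line)
    print("APR in use:", apr_enabled(SAMPLE_LOG_APR))
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file's contents; the audit deliberately treats an explicit "!family" as excluded, so "!aNULL" and "!ADH" in the post's cipher string are not reported, while the un-negated MEDIUM and "+MD5" are.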

1 Comment

  1. JBoss HTTPS configuration can follow the Tomcat steps exactly. If you use the APR configuration, the official website offers the corresponding package for download directly; add the lib directory from the extracted archive to LD_LIBRARY_PATH, then modify all/deploy/jboss-web.deployer/server.xml the same way server.xml is modified for Tomcat above. It is even more convenient.
