Use HTTPS instead of HTTP

浏览数:48 / 时间:2015年06月09日
 
The following solutions use self-signed certificates. You can see more details about self-signed steps at http://xiaohuafyle.iteye.com/blog/1538719.
 
Certificate: self-signed (need Java keytool to generate certificates)
System: Linux
 
==== 1 Generate a Self-signed CA ====
Open a terminal and generate a self-signed CA by following:
1. CATALINA_HOME/conf/sslCertificate> keytool -genkey -v -alias tomcat -keyalg RSA -validity 365 -keystore tomcat.keystore
where 365 means the CA will be valid for 365 days, and the tomcat.keystore will be stored in the current directory. After pressing "Enter", you are required to input name, ..., password, ... Note that the name is domain name (e.g. www.siemens.com, more recommended) or IP address (e.g. 139.24.236.50). You have to rememebr the keystore password and tomcat password you set at this step, which will be needed later.
 
2. CATALINA_HOME/conf/sslCertificate> keytool -export -alias tomcat -keystore tomcat.keystore -file tomcat.cer
Enter the keystore password when required.
 
 
==== 2 Tomcat configuration ====
1. Make sure that the keystore file (i.e. tomcat.keystore) is under tomcat/conf/sslCertificate/
 
2. Open CATALINA_HOME/conf/server.xml and modify the corresponding connectors to:
    <Connector port="8888" protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="8443"
    />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" 
        maxThreads="150" scheme="https" secure="true" 
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="conf/sslCertificate/tomcat13.keystore" keystorePass="cas24MEGA"
    />
Note: 
(1) redirectPort is set because HTTP uses port 8888 and HTTPS uses port 8443. 
(2) Remember to set keystoreFile and keystorePass
(3) When you set path for keystoreFile, be carefull it is "conf/..." NOT "/conf/...". The difference is "/". This is important.
 
3. Open CATALINA_HOME/conf/web.xml, and add the following lines after <welcome-file-list>...</welcome-file-list>
    <login-config> 
        <!-- Authorization setting for SSL: set authentication method --> 
        <auth-method>CLIENT-CERT</auth-method> 
        <realm-name>Client Cert Users-only Area</realm-name> 
    </login-config> 
    <security-constraint> 
        <!-- Authorization setting for SSL: force HTTPS transmission --> 
        <web-resource-collection > 
            <web-resource-name >SSL</web-resource-name> 
            <url-pattern>/*</url-pattern> 
        </web-resource-collection> 
        <user-data-constraint> 
            <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
        </user-data-constraint> 
    </security-constraint>
You can see more details at tomcat设置http自动跳转为https访问. Also, I recommend you to search more information about "CLIENT-CERT" to see the differences among different authentication methods.
 
4. Finally, restart tomcat service and test the page.
    e.g. http://xxx.xxx.xxx.xxx:portNumber/webApp

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。

标签: style com java log http si it ha word style com java log http si it ha word

相关文章

随机文章

您可能还喜欢

您可能还喜欢