Tomcat SSL Settings

Transcript

  • 1. TOMCAT SSL SETTING

    1. Environment
    1.1 Tomcat 6.0.16
    1.2 JDK 1.6.0_11
    1.3 Windows Vista Home Premium SP1

    2. Define a virtual host
    2.1 Go to C:\Windows\System32\drivers\etc and edit the hosts file, adding the virtual site, for example:
        192.168.102.77 slantkang-hp.iks.com.tw
    2.2 Open %CATALINA_HOME%\conf and edit server.xml. Find this line:
        <Engine name="Catalina" defaultHost="localhost">
        and change localhost to the name you just set, for example slantkang-hp.iks.com.tw. Then find this line:
        <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
        and change localhost to that same name. Save, restart Tomcat, and try http://slantkang-hp.iks.com.tw:8080
        The hosts entry is only for local testing; what matters for TLS is that this name is the one you put in the certificate's CN in Step 1 and type into the browser later, since the browser compares the two.

    3. Open a command prompt, change to %CATALINA_HOME%, and run the following steps.

    Step 1. Generate an RSA key pair and a self-signed certificate
    JDK 1.6:
        keytool -genkeypair -alias tomcat -keyalg RSA -keystore server.keystore
    JDK 1.5:
        keytool -genkey -alias tomcat -keyalg RSA -keystore server.keystore -keypass changeit -storepass changeit -keysize 1024 -validity 365
        (-keysize sets the key size; -validity 365 makes the certificate valid for 365 days before expiring)
    Both commands produce a 1024-bit RSA key, which was keytool's default for RSA before JDK 8; pass -keysize 2048, the minimum that browsers and public CAs now accept.

  • 2. * password: changeit
    * When keytool prompts "What is your first and last name?", enter the server's fully qualified hostname (here slantkang-hp.iks.com.tw). That answer becomes the certificate's CN, and the web browser checks the CN against the hostname it connected to. If the CN field value does not match the server's hostname, the web browser warns the user that they do not match.

  • 3. Step 2. Generate a certificate signing request (CSR) from the key pair
        keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore server.keystore

  • 4. * password: changeit
    Step 3. Send the CSR to the CA. Go to https://www.thawte.com/ucgi/gothawte.cgi?a=w14100158767049000 and request a certificate with the CSR file (the slides use Thawte's test CA). Save the issued certificate as tomcat.cer.

  • 5. Step 4. Go to http://www.thawte.com/roots/index.html, download the root certificate, and import it into the keystore:
        keytool -import -alias root -keystore server.keystore -trustcacerts -file GCA.cer
    OR
        keytool -import -alias root -keystore server.keystore -trustcacerts -file "Thawte Test CA Root.cer"
    This step must come before Step 5: keytool verifies the CA's reply by building a chain from certificates already in the keystore (and, with -trustcacerts, in the JDK's cacerts file) and rejects the reply with "Failed to establish chain from reply" if the issuer is missing. Any intermediate CA certificate has to be imported the same way, under its own alias.

  • 6. Step 5. Import tomcat.cer into the keystore
        keytool -import -alias tomcat -keystore server.keystore -trustcacerts -file tomcat.cer
    Using the same alias as the key pair (tomcat) is deliberate: keytool treats the file as the CA's reply for that key and replaces the self-signed certificate from Step 1 with the signed one.
  • 7-8. 4. Configure Tomcat
    Edit %TOMCAT_HOME%\conf\server.xml and add the HTTPS connector:
        <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
                   minSpareThreads="5" maxSpareThreads="75" enableLookups="true"
                   disableUploadTimeout="true" acceptCount="100" maxThreads="200"
                   scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
                   sslProtocol="TLS"
                   keystoreFile="D:/tools/apache-tomcat-6.0.16/server.keystore"
                   keystorePass="changeit"/>
    keystorePass is stored in clear text in server.xml, so change it from the default (it must match the -storepass the keystore was created with) and restrict read access to the file. sslProtocol="TLS" only selects the JSSE context; the protocol versions and cipher suites actually offered are the JVM's defaults unless the connector restricts them.

    5. Configure the webapp's web.xml (the section highlighted in red on the slides)
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>DisabledMethods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>PUT</http-method>
            <http-method>TRACE</http-method>
            <http-method>OPTIONS</http-method>
          </web-resource-collection>
          <auth-constraint/>
        </security-constraint>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>OrdinaryUserAction</web-resource-name>
            <url-pattern>/index-in.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
            <role-name>*</role-name>
          </auth-constraint>
        </security-constraint>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Purchase</web-resource-name>
            <url-pattern>/test.jsp</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>*</role-name>
          </auth-constraint>
          <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>
        <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
            <form-login-page>/login1.jsp</form-login-page>
            <form-error-page>/errorpage.jsp</form-error-page>
          </form-login-config>
        </login-config>
    The three constraints do different things. The first lists DELETE, PUT, TRACE and OPTIONS under /* with an empty <auth-constraint/>, which denies those methods to everyone. The second requires an authenticated user (role-name * is shorthand for every role declared in the deployment descriptor) for GET and POST on /index-in.jsp. The third requires both a login and, through transport-guarantee CONFIDENTIAL, an HTTPS connection for /test.jsp. One caveat for Tomcat 6 (Servlet 2.5): a constraint that lists http-method elements applies only to those methods, and there is no deny-uncovered-http-methods, so HEAD and every other method on /index-in.jsp is served without authentication. Leave out http-method, as the third constraint does, to cover all methods.

  • 9. 6. Enter the URL https://slantkang-hp.iks.com.tw:8443/CMS/test.jsp
    PS. Remember to type the S in https, because I always forget ><
    PS. Even if you type http://slantkang-hp.iks.com.tw:8080/CMS/test.jsp you are still redirected to https://slantkang-hp.iks.com.tw:8443/CMS/test.jsp. That redirect is the CONFIDENTIAL transport-guarantee at work: Tomcat sends the browser to the port named by the HTTP connector's redirectPort attribute (8443 in the stock server.xml), so redirectPort must match the HTTPS connector's port.
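As an added example, not part of the presentation: the following Python script audits a server.xml and a web.xml for the points raised in sections 4 and 5 (default keystore password, JVM-default protocol versions and cipher suites, a redirectPort that names no TLS connector, HTTP methods left uncovered by a constraint, and a login page without a CONFIDENTIAL guarantee). The XML samples are constructed from the slides; the hardened connector's values (the sslEnabledProtocols and ciphers attributes, and the ${keystore.password} property reference) are illustrative assumptions that need a Tomcat and JDK recent enough to support them.

```python
"""Audit Tomcat's server.xml connectors and a web.xml's security constraints.
Added example, not part of the presentation; the XML is constructed from the
slides and the hardened connector values are illustrative assumptions."""
import xml.etree.ElementTree as ET

# From slide 7, plus the stock HTTP connector whose redirectPort is where a
# CONFIDENTIAL transport-guarantee sends the browser.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" scheme="https"
    secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
    keystoreFile="D:/tools/apache-tomcat-6.0.16/server.keystore" keystorePass="changeit"/>
</Service></Server>"""

# Same connector with what a reviewer would ask for (assumed values; the two
# extra attributes need a Tomcat and JDK that support them).
HARDENED_SERVER_XML = SERVER_XML.replace(
    'keystorePass="changeit"',
    'keystorePass="${keystore.password}" sslEnabledProtocols="TLSv1.2" '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"')

# From slides 7-8. Real web.xml files carry the Java EE namespace, so element
# names are compared through strip_ns().
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>DisabledMethods</web-resource-name>
      <url-pattern>/*</url-pattern><http-method>DELETE</http-method><http-method>PUT</http-method>
      <http-method>TRACE</http-method><http-method>OPTIONS</http-method></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>OrdinaryUserAction</web-resource-name>
      <url-pattern>/index-in.jsp</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Purchase</web-resource-name>
      <url-pattern>/test.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def strip_ns(tag):  # '{http://java.sun.com/xml/ns/javaee}url-pattern' -> 'url-pattern'
    return tag.split("}", 1)[-1]


def children(elem, name):
    return [e for e in elem if strip_ns(e.tag) == name]


def audit_server_xml(xml_text):
    """Return findings for every Connector in server.xml."""
    findings = []
    connectors = [c for c in ET.fromstring(xml_text).iter() if strip_ns(c.tag) == "Connector"]
    tls_ports = {c.get("port") for c in connectors if c.get("SSLEnabled") == "true"}
    for c in connectors:
        port = c.get("port")
        if c.get("SSLEnabled") != "true":
            if c.get("redirectPort") not in tls_ports:
                findings.append(f"connector {port}: redirectPort does not name an SSLEnabled connector")
            continue
        if c.get("keystorePass", "changeit") == "changeit":  # Tomcat's default when absent
            findings.append(f"connector {port}: keystorePass is the JDK default 'changeit'")
        # sslProtocol only picks the JSSE context; without sslEnabledProtocols every version
        # the JVM supports is offered (SSLv3 and TLS 1.0 on JDK 6), likewise for ciphers.
        if not c.get("sslEnabledProtocols"):
            findings.append(f"connector {port}: no sslEnabledProtocols, JVM default protocol versions offered")
        if not c.get("ciphers"):
            findings.append(f"connector {port}: no ciphers attribute, JVM default cipher suites offered")
    return findings


def audit_web_xml(xml_text):
    """Return findings for uncovered HTTP methods and logins without TLS."""
    findings = []
    for sc in children(ET.fromstring(xml_text), "security-constraint"):
        roles = [r.text for a in children(sc, "auth-constraint") for r in children(a, "role-name")]
        guarantee = "".join(g.text or "" for u in children(sc, "user-data-constraint")
                            for g in children(u, "transport-guarantee"))
        # An empty <auth-constraint/> is a pure deny list; only a constraint that grants
        # access to roles or demands TLS is worth bypassing through another method.
        grants_access = bool(roles) or guarantee == "CONFIDENTIAL"
        for wrc in children(sc, "web-resource-collection"):
            name = children(wrc, "web-resource-name")[0].text
            methods = {m.text for m in children(wrc, "http-method")}
            if grants_access and methods:
                # Servlet 2.5 (Tomcat 6) has no deny-uncovered-http-methods: the listed
                # methods are constrained, every other method is served unconstrained.
                findings.append(f"{name}: only {sorted(methods)} constrained, "
                                f"{sorted(ALL_METHODS - methods)} bypass it")
            if roles and guarantee != "CONFIDENTIAL":
                findings.append(f"{name}: requires login but no CONFIDENTIAL transport-guarantee, "
                                "credentials and the session cookie can travel over plain HTTP")
    return findings


if __name__ == "__main__":
    for line in audit_server_xml(SERVER_XML) + audit_web_xml(WEB_XML):
        print("WARN", line)
    print("hardened connector:", audit_server_xml(HARDENED_SERVER_XML) or "no findings")
```

Run against the slides' configuration it reports three findings for the 8443 connector and two for the OrdinaryUserAction constraint (HEAD, PUT, DELETE, OPTIONS and TRACE bypass it, and its login page is reachable over plain HTTP), while the Purchase constraint and the DisabledMethods deny list pass; the hardened connector string returns no findings. To audit a real deployment, read the two files from disk and pass their contents to the two functions.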