参考文档
6 c% N* z! x0 d8 \) L4 i
" H/ L) f# x9 ^, @/ ?0 B& y: n& @Keytool使用指南:
' E1 C" q/ I8 r" K1 i3 d
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
# o: e- h. |/ Y: _; s1 v" m) q; c: i9 a1 B V4 ~
Tomcat-ssl配置指南:
$ p0 y0 H" [% c0 [6 [! G2 X
. l& s+ C. t9 f' x# Z
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
' Z9 d j9 j6 g1 `- T' i! ?7 b1 O% K3 G! |
0 |3 I3 S5 y+ S2 D8 L' q! q
配置过程
. Y# ^2 a9 [ @- D$ c# M3 C
; Z7 [" t8 s. j& ?! x% W. _
. F& |( P( f3 F. n8 B1.
f/ o3 a1 H( }' P生成 server key :
, k4 I: c! z5 B' u4 U2 M- M% g6 @5 a
以命令行方式切换到目录%TOMCAT_HOME%,在command命令行输入如下命令(jdk1.4以上带的工具): : c) B8 y$ c1 }/ M2 |3 E# [6 @4 `
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600 1 ?4 v! T+ M( G5 C% V
用户名输入域名,如localhost(开发或测试用)或hostname.domainname(用户拥有的域名),其它全部以 enter 跳过,最后确认,此时会在%TOMCAT_HOME%下生成server.keystore 文件。" u1 L* U4 v" s8 [
注:参数 -validity 指证书的有效期(天),缺省有效期很短,只有90天。
4 r' e* ]5 P: P
0 Y% |6 T7 J/ i5 Q. V2. 将证书导入的JDK的证书信任库中:
; \6 |7 g( g' H- }3 ], F这步对于Tomcat的SSL配置不是必须,但对于CAS SSO是必须的,否则会出现如下错误:
* }) a& q% U/ I f/ `$ medu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator。。。
3 z% t# E& U* `. e& I4 Y9 _8 W6 [ d% D
* a5 o2 g' p+ n! k导入过程分2步,第一步是导出证书,第二步是导入到证书信任库,命令如下:
* x* i/ x! q% P" k( kkeytool -import -trustcacerts -alias tomcat -file server.cer -keystore cacerts -storepass changeit
% g; a+ u; E; I1 O$ }keytool -import -trustcacerts -alias tomcat -file server.cer -keystore D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts -storepass changeit U. M& o$ B4 z4 W B
^3 H. w; ?# [% @+ l其他有用keytool命令(列出信任证书库中所有已有证书,删除库中某个证书):3 N+ ?3 L" c+ U0 E4 j
keytool -list -v -keystore D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts
4 I( p# Y+ ?- M/ ]1 z, \7 A" n( dkeytool -delete -trustcacerts -alias tomcat -keystore D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts -storepass changeit
, s9 S6 a% U/ ]" m2 [8 U' I _. |) C e- c
3. 配置TOMCAT :
; F+ m9 V3 }: F6 e修改%TOMCAT_HOME%\conf\server.xml,以文字编辑器打开,查找这一行:
# h# |- p% D" |+ T/ n2 N复制内容到剪贴板
代码:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
0 L; f( f3 B& @) B, D& g将之后的那段的注释去掉,并加上 keystorePass及keystoreFile属性。# g; s* `; N) x7 y) S
5 P( _8 q) l3 ^ ~" c
, X. j0 K$ @- b2 g) k' W; S# N6 {注意,tomcat不同版本配置是不同的:9 N: n; w: p* [2 i" S: |
2 V5 y: E8 o9 X) @% X8 E8 F4 Q g0 U# c) K6 u1 E7 m
Tomcat4.1.34配置:4 m$ [2 t8 C4 K6 M0 Z- o: C: m9 H1 X
* @; B) v& V, }# D, [复制内容到剪贴板
代码:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" enableLookups="true" scheme="https" secure="true"
acceptCount="100"
useURIValidationHack="false" disableUploadTimeout="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="server.keystore"
keystorePass="changeit"/>
- h" a! U' i6 {' ?Tomcat5.5.9配置:& l. N: v' N' A6 N2 h
! j* ~- y6 J0 S$ K& p$ P
复制内容到剪贴板
代码:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="server.keystore"
keystorePass="changeit"/> Tomcat5.5.20配置(此配置同样可用于Tomcat6.0):复制内容到剪贴板
代码:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="server.keystore"
keystorePass="changeit"/> Tomcat6.0.10配置:复制内容到剪贴板
代码:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:/tools/apache-tomcat-6.0.10/server.keystore"
keystorePass="changeit"/> 
