Tomcat8容器下SSL證書佈置及強制https

獲取並安裝服務器證書

公司是上線項目所以在CA機構申請了SSL證書，一次申請會有多個環境證書，apache,nginx,tomcat,IIS等。公司使用的是tomcat8做項目佈置

導入證書

通過工具將證書上傳到服務器目錄, 存放目錄爲 /www/server/tomcat/conf

修改配置文件server.xml

1. 找到以下代碼將訪問端口修改成80 把redirectPort修改成443

<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

2. 再找到下面代碼將註釋去掉把證書路徑添加上去

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

修改爲

 <Connector port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain.net">
 <SSLHostConfig hostName="domain.net">
            <Certificate certificateKeystoreFile="conf/domain_net.jks"
                certificateKeystorePassword="a75wRsB7T837r7R7"
                type="RSA" />
        </SSLHostConfig>
</Connector>

保存退出重啓tomcat即可
查看日誌及端口看啓動情況

netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1246/pure-ftpd (SER 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2080/sshd           
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1722/python         
tcp6       0      0 :::33060                :::*                    LISTEN      1907/mysqld         
tcp6       0      0 :::3306                 :::*                    LISTEN      1907/mysqld         
tcp6       0      0 :::21                   :::*                    LISTEN      1246/pure-ftpd (SER 

防火牆開放443 端口

firewall-cmd --list-all
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

強制用戶訪問時爲https,用戶使用http時可以自動跳轉爲https

修改conf/web.xml文件，到文件最後

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

在下面添加如下代碼

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<login-config>
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>Client Cert Users-only Area</realm-name> 
</login-config> 
<security-constraint> 
    <web-resource-collection > 
        <web-resource-name >SSL</web-resource-name> 
        <url-pattern>/*</url-pattern> 
    </web-resource-collection> 
    <user-data-constraint> 
        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
    </user-data-constraint> 
</security-constraint>

到此所有的配置完成，這樣就可以使用證書訪問並強制使用HTTPS了