How to configure Tomcat 9 HTTPS with JSSE?

Tomcat

1 Preface

One problem, one article, one story.
I needed to enable HTTPS access for Tomcat in a production environment, so I put this chapter together.
Because configuring TLS through Tomcat's JSSE support is the simplest option, this chapter uses that method to set up Tomcat HTTPS.

2 Hands-on section

2.1 Deploying the Tomcat environment

How to deploy Tomcat on RHEL 9.x, part 2?

Note that the actual test environment was:
– openjdk-18.0.1.1
– apache-tomcat-9.0.5

2.2 Configuring Tomcat HTTPS

cp /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml.default
vim /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml

Enable or add the following configuration:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/wildcard.cmdschool.org.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Prepare the certificate yourself; I recommend applying for a certificate from a recognised CA such as Tencent Cloud and requesting it in Tomcat JKS format:
https://cloud.tencent.com/product/ssl
Once the certificate has been issued, copy it into the conf directory beforehand with the following command:

cp wildcard.cmdschool.org.jks /usr/tomcat/apache-tomcat-9.0.5/conf/

2.3 Restarting Tomcat and checking the logs

systemctl restart tomcat

After restarting the service, you can inspect the log with the following command:

less /var/log/tomcat/catalina.out

If you see the following message:

12-Mar-2024 16:04:08.759 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
        at java.base/java.lang.reflect.Method.invoke(Method.java:577)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
        ... 11 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:813)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
        at java.base/java.security.KeyStore.load(KeyStore.java:1503)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:139)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:811)
        ... 24 more

you need to add the "certificateKeystorePassword" attribute so that Tomcat has the password for the keystore; the full configuration change is as follows:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/wildcard.cmdschool.org.jks"
                         certificateKeystorePassword="jksPassword"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
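The following check is an added example written for this page, not code from the post or from the Tomcat project. It parses a server.xml in the shape shown above and reports the conditions that produce the "Keystore was tampered with, or password was incorrect" failure: a Certificate without certificateKeystorePassword (Tomcat then tries its default, "changeit") or a keystore file that is not where the relative path resolves under $CATALINA_BASE. It also flags an SSLHostConfig with no explicit protocols attribute (Tomcat's default is "all"); the embedded server.xml is a constructed sample copied from the first connector in this post.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the first Connector from this post, before the password was added.
SERVER_XML_NO_PASSWORD = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/wildcard.cmdschool.org.jks"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""


def check_ssl_connectors(server_xml, catalina_base=None):
    """Return a list of findings for every SSLEnabled Connector in a server.xml string."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for host in conn.findall("SSLHostConfig"):
            # Tomcat defaults 'protocols' to "all"; pin the TLS versions explicitly.
            if host.get("protocols") is None:
                findings.append(f'port {port}: SSLHostConfig has no "protocols" attribute (default is "all")')
            for cert in host.findall("Certificate"):
                ks = cert.get("certificateKeystoreFile")
                if ks is None:
                    findings.append(f"port {port}: Certificate has no certificateKeystoreFile")
                    continue
                # Without certificateKeystorePassword Tomcat opens the keystore with "changeit";
                # any other store password fails with "Keystore was tampered with, or password was incorrect".
                if cert.get("certificateKeystorePassword") is None:
                    findings.append(f'port {port}: {ks} has no certificateKeystorePassword (Tomcat will try "changeit")')
                # A relative certificateKeystoreFile resolves against $CATALINA_BASE.
                if catalina_base is not None:
                    path = ks if os.path.isabs(ks) else os.path.join(catalina_base, ks)
                    if not os.path.isfile(path):
                        findings.append(f"port {port}: keystore file not found at {path}")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_connectors(SERVER_XML_NO_PASSWORD, catalina_base="/usr/tomcat/apache-tomcat-9.0.5"):
        print(finding)
```

Because certificateKeystorePassword is stored in clear text, server.xml should be readable only by the account Tomcat runs as.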

Once the error above is resolved, you can confirm that the HTTPS port is listening with the following command:

ss -antp | grep :8443

You should see output like this:

LISTEN 0      100                     *:8443            *:*     users:(("java",pid=29233,fd=40))

2.4 Opening the firewall port

firewall-cmd --permanent --add-port 8443/tcp
firewall-cmd --reload
firewall-cmd --list-all

2.5 Testing Tomcat over HTTPS

https://10.168.0.105:8443

References
====================
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
